From b8490bddb281cea0824b95c390bdbbcfeca9aba1 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Sun, 13 Apr 2008 12:02:16 +0000
Subject: [PATCH] SEC-762: Updated CAS configuration from sample app
---
 src/docbkx/cas-auth-provider.xml | 175 ++++++++++++-------------------
 1 file changed, 66 insertions(+), 109 deletions(-)
diff --git a/src/docbkx/cas-auth-provider.xml b/src/docbkx/cas-auth-provider.xml
index 13bfe0c829..e817886b3c 100644
--- a/src/docbkx/cas-auth-provider.xml
+++ b/src/docbkx/cas-auth-provider.xml
@@ -1,8 +1,10 @@
-CAS Authentication
+
+ CAS Authentication
- Overview
+ Overview JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication
@@ -261,26 +263,21 @@
Configuration of CAS Client - - - TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0 - - The web application side of CAS is made easy due to Spring Security. It is assumed you already know the basics of using Spring - Security, so these are not covered again below. Only the CAS-specific - beans are mentioned. + Security, so these are not covered again below. We'll assume a namespace + based configuration is being used and add in the CAS beans as required. + You will need to add a ServiceProperties bean to your application context. This represents your service: - - -<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"> - <property name="service" value="https://localhost:8443/contacts-cas/j_spring_cas_security_check"/> - <property name="sendRenew"><value>false</value></property> -</bean> + + + + ]]> The service must equal a URL that will be 
@@ -294,44 +291,37 @@ The following beans should be configured to commence the CAS authentication process: - -<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"> - <property name="authenticationManager" ref="authenticationManager"/> - <property name="authenticationFailureUrl" value="/casfailed.jsp"/> - <property name="defaultTargetUrl" value="/"/> - <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/> -</bean> - -<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"> - <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/> -</bean> - -<bean id="casProcessingFilterEntryPoint" - class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"> - <property name="loginUrl" value="https://localhost:8443/cas/login"/> - <property name="serviceProperties" ref="serviceProperties"/> -</bean> + + + + + + + + + + + + + +]]> - - You will also need to add the CasProcessingFilter to web.xml: - - -<filter> - <filter-name>casProcessingFilter</filter-name> - <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> -</filter> - -<filter-mapping> - <filter-name>casProcessingFilter</filter-name> - <url-pattern>/*</url-pattern> -</filter-mapping> - + + + The CasProcessingFilterEntryPoint should be selected to + drive authentication using entry-point-ref. + + The CasProcessingFilter has very similar properties to the AuthenticationProcessingFilter (used for form-based logins). Each property is - self-explanatory. + self-explanatory. Note that we've also used the namespace syntax + for setting up an alias to the authentication mnager, since the + CasProcessingFilter needs a reference to it. For CAS to operate, the ExceptionTranslationFilter must have its 
@@ -343,70 +333,35 @@ which provides the URL to the enterprise's CAS login server. This is where the user's browser will be redirected. - Next you need to add an AuthenticationManager - that uses CasAuthenticationProvider and its - collaborators: - - -<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> -<property name="providers"> -<list> - <ref bean="casAuthenticationProvider"/> -</list> -</property> -</bean> - -<bean id="casAuthenticationProvider" - class="org.springframework.security.providers.cas.CasAuthenticationProvider"> -<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> -<property name="casProxyDecider"><ref bean="casProxyDecider"/></property> -<property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> -<property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property> -<property name="key"><value>my_password_for_this_auth_provider_only</value></property> -</bean> - -<bean id="casProxyTicketValidator" - class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator"> -<property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property> -<property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> -<property name="serviceProperties"><ref bean="serviceProperties"/></property> -<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> --> -</bean> - -<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> -<property name="configLocation"> -<value>classpath:/ehcache-failsafe.xml</value> -</property> -</bean> - -<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> -<property name="cacheManager"> -<ref local="cacheManager"/> -</property> -<property name="cacheName"> -<value>ticketCache</value> -</property> -</bean> - 
-<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache"> -<property name="cache"><ref local="ticketCacheBackend"/></property> -</bean> - -<bean id="casAuthoritiesPopulator" - class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator"> -<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> -</bean> - -<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/> - - + Next you need to add a CasAuthenticationProvider and its + collaborators: + + + + + + + + + + + + + + + ... + ]]> + + The CasAuthenticationProvider uses a UserDetailsService + instance to load the authorities for a user, once they have been authentiated by CAS. We've shown a simple + in-memory setup here. + The beans are all reasonable self-explanatory if you refer back - to the "How CAS Works" section. Careful readers might notice one - surprise: the statelessTicketCache property of the - CasAuthenticationProvider. This is discussed in - detail in the "Advanced CAS Usage" section. - + to the "How CAS Works" section. +
+ \ No newline at end of file