|
@@ -51,7 +51,12 @@
|
|
|
two types of services: standard services and proxy services. A proxy
|
|
two types of services: standard services and proxy services. A proxy
|
|
|
service is able to request resources from other services on behalf of
|
|
service is able to request resources from other services on behalf of
|
|
|
the user. This will be explained more fully later.</para>
|
|
the user. This will be explained more fully later.</para>
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
|
|
+<!--
|
|
|
|
|
+ <section xml:id="cas-sequence">
|
|
|
|
|
+ <title>Spring Security and CAS Interaction Sequence</title>
|
|
|
|
|
+
|
|
|
|
|
+ TODO: Needs reviewed
|
|
|
<para>The basic interaction between a web browser, CAS server and a
|
|
<para>The basic interaction between a web browser, CAS server and a
|
|
|
Spring Security-secured service is as follows:</para>
|
|
Spring Security-secured service is as follows:</para>
|
|
|
|
|
|
|
@@ -251,201 +256,15 @@
|
|
|
you can relax as Spring Security classes hide much of the complexity.
|
|
you can relax as Spring Security classes hide much of the complexity.
|
|
|
Let's now look at how this is configured</para>
|
|
Let's now look at how this is configured</para>
|
|
|
</section>
|
|
</section>
|
|
|
-
|
|
|
|
|
- <section xml:id="cas-server"><info><title>Optional CAS Server Setup</title></info>
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- <para>Spring Security can even act as the backend which a CAS version
|
|
|
|
|
- 2.0 or 3.0 server utilises. The configuration approach is described
|
|
|
|
|
- below. Of course, if you have an existing CAS environment you might
|
|
|
|
|
- just like to use it instead.</para>
|
|
|
|
|
-
|
|
|
|
|
- <section xml:id="cas-server-2"><info><title>CAS Version 2.0</title></info>
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- <para>As mentioned above, Spring Security includes a
|
|
|
|
|
- <literal>PasswordHandler</literal> that bridges your existing
|
|
|
|
|
- <literal>AuthenticationManager</literal> into CAS 2.0. You do not
|
|
|
|
|
- need to use this <literal>PasswordHandler</literal> to use Spring
|
|
|
|
|
- Security on the client side (any CAS
|
|
|
|
|
- <literal>PasswordHandler</literal> will do).</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>To install, you will need to download and extract the CAS
|
|
|
|
|
- server archive. We used version 2.0.12. There will be a
|
|
|
|
|
- <literal>/web</literal> directory in the root of the deployment.
|
|
|
|
|
- Copy an <literal>applicationContext.xml</literal> containing your
|
|
|
|
|
- <literal>AuthenticationManager</literal> as well as the
|
|
|
|
|
- <literal>CasPasswordHandler</literal> into the
|
|
|
|
|
- <literal>/web/WEB-INF</literal> directory. A sample
|
|
|
|
|
- <literal>applicationContext.xml</literal> is included below:</para>
|
|
|
|
|
-
|
|
|
|
|
- <programlisting>
|
|
|
|
|
-<bean id="inMemoryDaoImpl" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
|
|
|
|
|
-<property name="userMap">
|
|
|
|
|
-<value>
|
|
|
|
|
- rod=koala,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- dianne=emu,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- scott=wombat,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- peter=opal,disabled,ROLES_IGNORED_BY_CAS
|
|
|
|
|
-</value>
|
|
|
|
|
-</property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="daoAuthenticationProvider"
|
|
|
|
|
- class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
|
|
|
|
-<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
|
|
|
|
-<property name="providers">
|
|
|
|
|
-<list>
|
|
|
|
|
- <ref bean="daoAuthenticationProvider"/>
|
|
|
|
|
-</list>
|
|
|
|
|
-</property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casPasswordHandler" class="org.springframework.security.adapters.cas.CasPasswordHandler">
|
|
|
|
|
-<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
- </programlisting>
|
|
|
|
|
-
|
|
|
|
|
- <para>Note the granted authorities are ignored by CAS because it has
|
|
|
|
|
- no way of communicating the granted authorities to calling
|
|
|
|
|
- applications. CAS is only concerned with username and passwords (and
|
|
|
|
|
- the enabled/disabled status).</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>Next you will need to edit the existing
|
|
|
|
|
- <literal>/web/WEB-INF/web.xml</literal> file. Add (or edit in the
|
|
|
|
|
- case of the <literal>authHandler</literal> property) the following
|
|
|
|
|
- lines:</para>
|
|
|
|
|
-
|
|
|
|
|
- <para><programlisting>
|
|
|
|
|
-
|
|
|
|
|
-<context-param>
|
|
|
|
|
-<param-name>edu.yale.its.tp.cas.authHandler</param-name>
|
|
|
|
|
-<param-value>org.springframework.security.adapters.cas.CasPasswordHandlerProxy</param-value>
|
|
|
|
|
-</context-param>
|
|
|
|
|
-
|
|
|
|
|
-<context-param>
|
|
|
|
|
-<param-name>contextConfigLocation</param-name>
|
|
|
|
|
-<param-value>/WEB-INF/applicationContext.xml</param-value>
|
|
|
|
|
-</context-param>
|
|
|
|
|
-
|
|
|
|
|
-<listener>
|
|
|
|
|
-<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
|
|
|
|
|
-</listener>
|
|
|
|
|
-
|
|
|
|
|
- </programlisting></para>
|
|
|
|
|
-
|
|
|
|
|
- <para>Copy the <literal>spring.jar</literal> and
|
|
|
|
|
- <literal>acegi-security.jar</literal> files into
|
|
|
|
|
- <literal>/web/WEB-INF/lib</literal>. Now use the <literal>ant
|
|
|
|
|
- dist</literal> task in the <literal>build.xml</literal> in the root
|
|
|
|
|
- of the directory structure. This will create
|
|
|
|
|
- <literal>/lib/cas.war</literal>, which is ready for deployment to
|
|
|
|
|
- your servlet container.</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>Note CAS heavily relies on HTTPS. You can't even test the
|
|
|
|
|
- system without an HTTPS certificate. Whilst you should refer to your
|
|
|
|
|
- web container's documentation on setting up HTTPS, if you need some
|
|
|
|
|
- additional help or a test certificate you might like to check the
|
|
|
|
|
- <literal>samples/contacts/etc/ssl</literal> directory</para>
|
|
|
|
|
- </section>
|
|
|
|
|
-
|
|
|
|
|
- <section xml:id="cas-server-3"><info><title>CAS Version 3.0</title></info>
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- <para>As mentioned above, Spring Security includes an
|
|
|
|
|
- <literal>AuthenticationHandler</literal> that bridges your existing
|
|
|
|
|
- <literal>AuthenticationManager</literal> into CAS 3.0. You do not
|
|
|
|
|
- need to use this <literal>AuthenticationHandler</literal> to use
|
|
|
|
|
- Spring Security on the client side (any CAS
|
|
|
|
|
- <literal>AuthenticationHandler</literal> will do).</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>To install, you will need to download and extract the CAS
|
|
|
|
|
- server archive. We used version 3.0.4. There will be a
|
|
|
|
|
- <literal>/webapp</literal> directory in the root of the deployment.
|
|
|
|
|
- Edit the an <literal>deployerConfigContext.xml</literal> so that it
|
|
|
|
|
- contains your <literal>AuthenticationManager</literal> as well as
|
|
|
|
|
- the <literal>CasAuthenticationHandler</literal>. A sample
|
|
|
|
|
- <literal>applicationContext.xml</literal> is included below:</para>
|
|
|
|
|
-
|
|
|
|
|
- <programlisting>
|
|
|
|
|
-<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
-<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
|
|
|
|
|
-<beans>
|
|
|
|
|
- <bean
|
|
|
|
|
- id="authenticationManager"
|
|
|
|
|
- class="org.jasig.cas.authentication.AuthenticationManagerImpl">
|
|
|
|
|
- <property name="credentialsToPrincipalResolvers">
|
|
|
|
|
- <list>
|
|
|
|
|
- <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
|
|
|
|
|
- <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
|
|
|
|
|
- </list>
|
|
|
|
|
- </property>
|
|
|
|
|
-
|
|
|
|
|
- <property name="authenticationHandlers">
|
|
|
|
|
- <list>
|
|
|
|
|
- <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
|
|
|
|
|
- <bean class="org.springframework.security.adapters.cas3.CasAuthenticationHandler">
|
|
|
|
|
- <property name="authenticationManager" ref="authenticationManager" />
|
|
|
|
|
- </bean>
|
|
|
|
|
- </list>
|
|
|
|
|
- </property>
|
|
|
|
|
- </bean>
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- <bean id="inMemoryDaoImpl" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
|
|
|
|
|
- <property name="userMap">
|
|
|
|
|
- <value>
|
|
|
|
|
- rod=koala,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- dianne=emu,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- scott=wombat,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- peter=opal,disabled,ROLES_IGNORED_BY_CAS
|
|
|
|
|
- </value>
|
|
|
|
|
- </property>
|
|
|
|
|
- </bean>
|
|
|
|
|
-
|
|
|
|
|
- <bean id="daoAuthenticationProvider"
|
|
|
|
|
- class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
|
|
|
|
- <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
|
|
- </bean>
|
|
|
|
|
-
|
|
|
|
|
- <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
|
|
|
|
- <property name="providers">
|
|
|
|
|
- <list>
|
|
|
|
|
- <ref bean="daoAuthenticationProvider"/>
|
|
|
|
|
- </list>
|
|
|
|
|
- </property>
|
|
|
|
|
- </bean>
|
|
|
|
|
-</beans>
|
|
|
|
|
-
|
|
|
|
|
- </programlisting>
|
|
|
|
|
-
|
|
|
|
|
- <para>Note the granted authorities are ignored by CAS because it has
|
|
|
|
|
- no way of communicating the granted authorities to calling
|
|
|
|
|
- applications. CAS is only concerned with username and passwords (and
|
|
|
|
|
- the enabled/disabled status).</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>Copy <literal>acegi-security.jar</literal> and
|
|
|
|
|
- <literal>acegi-security-cas.jar</literal> files into
|
|
|
|
|
- <literal>/localPlugins/lib</literal>. Now use the <literal>ant
|
|
|
|
|
- war</literal> task in the <literal>build.xml</literal> in the
|
|
|
|
|
- /localPlugins directory. This will create
|
|
|
|
|
- <literal>/localPlugins/target/cas.war</literal>, which is ready for
|
|
|
|
|
- deployment to your servlet container.</para>
|
|
|
|
|
-
|
|
|
|
|
- <para>Note CAS heavily relies on HTTPS. You can't even test the
|
|
|
|
|
- system without an HTTPS certificate. Whilst you should refer to your
|
|
|
|
|
- web container's documentation on setting up HTTPS, if you need some
|
|
|
|
|
- additional help or a test certificate you might like to check the
|
|
|
|
|
- CAS documentation on setting up SSL:
|
|
|
|
|
- <literal>http://www.ja-sig.org/products/cas/server/ssl/index.html</literal></para>
|
|
|
|
|
- </section>
|
|
|
|
|
|
|
+-->
|
|
|
</section>
|
|
</section>
|
|
|
|
|
|
|
|
- <section xml:id="cas-client"><info><title>Configuration of CAS Client</title></info>
|
|
|
|
|
|
|
+ <section xml:id="cas-client">
|
|
|
|
|
+ <info><title>Configuration of CAS Client</title></info>
|
|
|
|
|
+
|
|
|
|
|
+ <para>
|
|
|
|
|
+ TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0
|
|
|
|
|
+ </para>
|
|
|
|
|
|
|
|
|
|
|
|
|
<para>The web application side of CAS is made easy due to Spring
|
|
<para>The web application side of CAS is made easy due to Spring
|
|
@@ -622,8 +441,8 @@
|
|
|
settings and can be deployed to see CAS in operation</para>
|
|
settings and can be deployed to see CAS in operation</para>
|
|
|
</section>
|
|
</section>
|
|
|
|
|
|
|
|
- <section xml:id="cas-advanced"><info><title>Advanced Issues</title></info>
|
|
|
|
|
-
|
|
|
|
|
|
|
+ <section xml:id="cas-advanced">
|
|
|
|
|
+ <info><title>Advanced Issues</title></info>
|
|
|
|
|
|
|
|
<para>The <literal>CasAuthenticationProvider</literal> distinguishes
|
|
<para>The <literal>CasAuthenticationProvider</literal> distinguishes
|
|
|
between stateful and stateless clients. A stateful client is
|
|
between stateful and stateless clients. A stateful client is
|
Luke Taylor