@@ -17,13 +17,13 @@
<title>How CAS Works</title>
</info>
<para>Whilst the CAS web site contains documents that detail the architecture of CAS, we present
- the general overview again here within the context of Spring Security. Spring Security 2.0
- supports CAS 3. At the time of writing, the CAS server was at version 3.2.</para>
+ the general overview again here within the context of Spring Security. Spring Security 3.0
+ supports CAS 3. At the time of writing, the CAS server was at version 3.3.</para>
<para>Somewhere in your enterprise you will need to setup a CAS server. The CAS server is simply
a standard WAR file, so there isn't anything difficult about setting up your server. Inside
the WAR file you will customise the login and other single sign on pages displayed to
users.</para>
- <para>When deploying a CAS 3.2 server, you will also need to specify an
+ <para>When deploying a CAS 3.3 server, you will also need to specify an
<literal>AuthenticationHandler</literal> in the
<filename>deployerConfigContext.xml</filename> included with CAS. The
<literal>AuthenticationHandler</literal> has a simple method that returns a boolean as to
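Review bot: the version bump is applied in two places in this hunk (the "Spring Security 3.0 supports CAS 3" sentence and the "When deploying a CAS 3.3 server" paragraph), but the second paragraph goes on to describe the `AuthenticationHandler` contract in `deployerConfigContext.xml`; please confirm that description still matches CAS 3.3 rather than only changing the number, and search the rest of the chapter for any remaining "3.2" references so the text stays internally consistent.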
@@ -251,8 +251,8 @@
<para>The web application side of CAS is made easy due to Spring Security. It is assumed you
already know the basics of using Spring Security, so these are not covered again below. We'll
assume a namespace based configuration is being used and add in the CAS beans as required. </para>
- <para>You will need to add a <literal>ServiceProperties</literal> bean to your application
- context. This represents your service:</para>
+ <para>You will need to add a <classname>ServiceProperties</classname> bean to your application
+ context. This represents your CAS service:</para>
<para>
<programlisting><![CDATA[
<bean id="serviceProperties"
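Review bot: "This represents your CAS service" still tells the reader nothing about what the `ServiceProperties` bean holds; the `serviceProperties` listing that follows is the reader's only clue, so add a sentence naming the properties it sets and why the CAS server needs them. The switch from <literal> to <classname> is correct, but do it for every class name in the chapter in the same commit rather than only in the paragraphs touched here.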
@@ -273,11 +273,7 @@
(assuming you're using a namespace configuration):</para>
<para>
<programlisting><![CDATA[
-<security:authentication-manager alias="authenticationManager">
- ...
-</security:authentication-manager>
-
-<security:http>
+<security:http entry-point-ref="casEntryPoint">
...
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</security:http>
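Review bot: `<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />` references a bean id that is never defined in the listing, while the filter bean declared in the next hunk is `casFilter`; change the ref to `casFilter` (or rename the bean) so a reader copying the sample gets a context that actually loads. Moving `<security:authentication-manager alias="authenticationManager">` out of this listing is fine now that `entry-point-ref="casEntryPoint"` on `<security:http>` carries the entry-point wiring, but note in the prose that the alias is still required because `casFilter` below refers to it.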
@@ -285,8 +281,6 @@
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
- <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
- <property name="defaultTargetUrl" value="/"/>
</bean>
<bean id="casEntryPoint"
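Review bot: dropping `authenticationFailureUrl` and `defaultTargetUrl` from `casFilter` leaves the reader with no indication of where a failed or successful CAS login ends up, and the surrounding text says nothing about it. If they were removed because the 3.0 filter no longer exposes those properties, say so and show the replacement configuration (or state explicitly that the defaults are used); otherwise the removed `defaultTargetUrl="/"` is behaviour a reader upgrading from the old sample silently loses.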
@@ -295,27 +289,27 @@
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
]]>
-
</programlisting>
</para>
<para> The <classname>CasAuthenticationEntryPoint</classname> should be selected to drive
authentication using <link xlink:href="ns-entry-point-ref"
><literal>entry-point-ref</literal></link>. </para>
- <para>The <literal>CasAuthenticationFilter</literal> has very similar properties to the
- <literal>UsernamePasswordAuthenticationFilter</literal> (used for form-based logins). Each
- property is self-explanatory. Note that we've also used the namespace syntax for setting up an
- alias to the authentication manager, since the <literal>CasAuthenticationFilter</literal>
- needs a reference to it.</para>
+ <para>The <classname>CasAuthenticationFilter</classname> has very similar properties to the
+ <classname>UsernamePasswordAuthenticationFilter</classname> (used for form-based logins).
+ </para>
<para>For CAS to operate, the <classname>ExceptionTranslationFilter</classname> must have its
<literal>authenticationEntryPoint</literal> property set to the
- <literal>CasAuthenticationEntryPoint</literal> bean.</para>
- <para>The <literal>CasAuthenticationEntryPoint</literal> must refer to the
- <literal>ServiceProperties</literal> bean (discussed above), which provides the URL to the
+ <classname>CasAuthenticationEntryPoint</classname> bean.</para>
+ <para>The <classname>CasAuthenticationEntryPoint</classname> must refer to the
+ <classname>ServiceProperties</classname> bean (discussed above), which provides the URL to the
enterprise's CAS login server. This is where the user's browser will be redirected.</para>
<para>Next you need to add a <literal>CasAuthenticationProvider</literal> and its collaborators: <programlisting><![CDATA[
+ <security:authentication-manager alias="authenticationManager">
+ <security:authentication-provider ref="casAuthenticationProvider" />
+ </security:authentication-manager>
+
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
- <security:custom-authentication-provider />
<property name="userDetailsService" ref="userService"/>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
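Review bot: the paragraph converted here still says the `ServiceProperties` bean "provides the URL to the enterprise's CAS login server", yet the earlier hunk introduces the same bean as the one that "represents your CAS service" and it is wired into both `casEntryPoint` and `casAuthenticationProvider`; these descriptions disagree about what the bean carries, so check which URL it actually holds and correct whichever sentence is wrong. Two smaller points: `<literal>CasAuthenticationProvider</literal>` in the "Next you need to add" paragraph was missed in the literal-to-classname sweep, and that paragraph opens its `<programlisting>` on the same line as the prose, unlike every other listing in the chapter, which starts on its own line.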