|
@@ -1,8 +1,10 @@
|
|
|
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas"><info><title>CAS Authentication</title></info>
|
|
|
|
|
|
|
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas"
|
|
|
|
|
+ xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
|
|
|
|
|
|
|
|
+ <title>CAS Authentication</title>
|
|
|
|
|
|
|
|
<section xml:id="cas-overview">
|
|
<section xml:id="cas-overview">
|
|
|
- <info><title>Overview</title></info>
|
|
|
|
|
|
|
+ <title>Overview</title>
|
|
|
|
|
|
|
|
<para>JA-SIG produces an enterprise-wide single sign on system known
|
|
<para>JA-SIG produces an enterprise-wide single sign on system known
|
|
|
as CAS. Unlike other initiatives, JA-SIG's Central Authentication
|
|
as CAS. Unlike other initiatives, JA-SIG's Central Authentication
|
|
@@ -261,26 +263,21 @@
|
|
|
|
|
|
|
|
<section xml:id="cas-client">
|
|
<section xml:id="cas-client">
|
|
|
<info><title>Configuration of CAS Client</title></info>
|
|
<info><title>Configuration of CAS Client</title></info>
|
|
|
-
|
|
|
|
|
- <para>
|
|
|
|
|
- TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0
|
|
|
|
|
- </para>
|
|
|
|
|
-
|
|
|
|
|
|
|
|
|
|
<para>The web application side of CAS is made easy due to Spring
|
|
<para>The web application side of CAS is made easy due to Spring
|
|
|
Security. It is assumed you already know the basics of using Spring
|
|
Security. It is assumed you already know the basics of using Spring
|
|
|
- Security, so these are not covered again below. Only the CAS-specific
|
|
|
|
|
- beans are mentioned.</para>
|
|
|
|
|
|
|
+ Security, so these are not covered again below. We'll assume a namespace
|
|
|
|
|
+ based configuration is being used and add in the CAS beans as required.
|
|
|
|
|
+ </para>
|
|
|
|
|
|
|
|
<para>You will need to add a <literal>ServiceProperties</literal> bean
|
|
<para>You will need to add a <literal>ServiceProperties</literal> bean
|
|
|
to your application context. This represents your service:</para>
|
|
to your application context. This represents your service:</para>
|
|
|
|
|
|
|
|
- <para><programlisting>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
|
|
|
|
|
- <property name="service" value="https://localhost:8443/contacts-cas/j_spring_cas_security_check"/>
|
|
|
|
|
- <property name="sendRenew"><value>false</value></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
|
|
+ <para><programlisting><![CDATA[
|
|
|
|
|
+ <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
|
|
|
|
|
+ <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
|
|
|
|
|
+ <property name="sendRenew" value="false"/>
|
|
|
|
|
+ </bean>]]>
|
|
|
</programlisting></para>
|
|
</programlisting></para>
|
|
|
|
|
|
|
|
<para>The <literal>service</literal> must equal a URL that will be
|
|
<para>The <literal>service</literal> must equal a URL that will be
|
|
@@ -294,44 +291,37 @@
|
|
|
<para>The following beans should be configured to commence the CAS
|
|
<para>The following beans should be configured to commence the CAS
|
|
|
authentication process:</para>
|
|
authentication process:</para>
|
|
|
|
|
|
|
|
- <para><programlisting>
|
|
|
|
|
-<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
|
|
|
|
|
- <property name="authenticationManager" ref="authenticationManager"/>
|
|
|
|
|
- <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
|
|
|
|
|
- <property name="defaultTargetUrl" value="/"/>
|
|
|
|
|
- <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
|
|
|
|
|
- <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casProcessingFilterEntryPoint"
|
|
|
|
|
- class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
|
|
|
|
|
- <property name="loginUrl" value="https://localhost:8443/cas/login"/>
|
|
|
|
|
- <property name="serviceProperties" ref="serviceProperties"/>
|
|
|
|
|
-</bean>
|
|
|
|
|
|
|
+ <para><programlisting><![CDATA[
|
|
|
|
|
+<security:authentication-manager alias="authenticationManager"/>
|
|
|
|
|
+
|
|
|
|
|
+<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
|
|
|
|
|
+ <security:custom-filter after="CAS_PROCESSING_FILTER"/>
|
|
|
|
|
+ <property name="authenticationManager" ref="authenticationManager"/>
|
|
|
|
|
+ <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
|
|
|
|
|
+ <property name="defaultTargetUrl" value="/"/>
|
|
|
|
|
+</bean>
|
|
|
|
|
+
|
|
|
|
|
+<bean id="casProcessingFilterEntryPoint"
|
|
|
|
|
+ class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
|
|
|
|
|
+ <property name="loginUrl" value="https://localhost:9443/cas/login"/>
|
|
|
|
|
+ <property name="serviceProperties" ref="serviceProperties"/>
|
|
|
|
|
+</bean>
|
|
|
|
|
+]]>
|
|
|
|
|
|
|
|
</programlisting></para>
|
|
</programlisting></para>
|
|
|
-
|
|
|
|
|
- <para>You will also need to add the <literal>CasProcessingFilter</literal> to web.xml:</para>
|
|
|
|
|
-
|
|
|
|
|
- <para><programlisting>
|
|
|
|
|
-<filter>
|
|
|
|
|
- <filter-name>casProcessingFilter</filter-name>
|
|
|
|
|
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
|
|
|
|
-</filter>
|
|
|
|
|
-
|
|
|
|
|
-<filter-mapping>
|
|
|
|
|
- <filter-name>casProcessingFilter</filter-name>
|
|
|
|
|
- <url-pattern>/*</url-pattern>
|
|
|
|
|
-</filter-mapping>
|
|
|
|
|
- </programlisting></para>
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <para>
|
|
|
|
|
+ The <classname>CasProcessingFilterEntryPoint</classname> should be selected to
|
|
|
|
|
+ drive authentication using <link xlink:href="ns-entry-point-ref"><literal>entry-point-ref</literal></link>.
|
|
|
|
|
+
|
|
|
|
|
+ </para>
|
|
|
|
|
|
|
|
<para>The <literal>CasProcessingFilter</literal> has very similar
|
|
<para>The <literal>CasProcessingFilter</literal> has very similar
|
|
|
properties to the <literal>AuthenticationProcessingFilter</literal>
|
|
properties to the <literal>AuthenticationProcessingFilter</literal>
|
|
|
(used for form-based logins). Each property is
|
|
(used for form-based logins). Each property is
|
|
|
- self-explanatory.</para>
|
|
|
|
|
|
|
+ self-explanatory. Note that we've also used the namespace syntax
|
|
|
|
|
+ for setting up an alias to the authentication mnager, since the
|
|
|
|
|
+ <literal>CasProcessingFilter</literal> needs a reference to it.</para>
|
|
|
|
|
|
|
|
<para>For CAS to operate, the
|
|
<para>For CAS to operate, the
|
|
|
<literal>ExceptionTranslationFilter</literal> must have its
|
|
<literal>ExceptionTranslationFilter</literal> must have its
|
|
@@ -343,70 +333,35 @@
|
|
|
which provides the URL to the enterprise's CAS login server. This is
|
|
which provides the URL to the enterprise's CAS login server. This is
|
|
|
where the user's browser will be redirected.</para>
|
|
where the user's browser will be redirected.</para>
|
|
|
|
|
|
|
|
- <para>Next you need to add an <literal>AuthenticationManager</literal>
|
|
|
|
|
- that uses <literal>CasAuthenticationProvider</literal> and its
|
|
|
|
|
- collaborators:</para>
|
|
|
|
|
-
|
|
|
|
|
- <para><programlisting>
|
|
|
|
|
-<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
|
|
|
|
-<property name="providers">
|
|
|
|
|
-<list>
|
|
|
|
|
- <ref bean="casAuthenticationProvider"/>
|
|
|
|
|
-</list>
|
|
|
|
|
-</property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casAuthenticationProvider"
|
|
|
|
|
- class="org.springframework.security.providers.cas.CasAuthenticationProvider">
|
|
|
|
|
-<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
|
|
|
|
|
-<property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
|
|
|
|
|
-<property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>
|
|
|
|
|
-<property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>
|
|
|
|
|
-<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casProxyTicketValidator"
|
|
|
|
|
- class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator">
|
|
|
|
|
-<property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
|
|
|
|
|
-<property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property>
|
|
|
|
|
-<property name="serviceProperties"><ref bean="serviceProperties"/></property>
|
|
|
|
|
-<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
|
|
|
|
|
-<property name="configLocation">
|
|
|
|
|
-<value>classpath:/ehcache-failsafe.xml</value>
|
|
|
|
|
-</property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
|
|
|
|
-<property name="cacheManager">
|
|
|
|
|
-<ref local="cacheManager"/>
|
|
|
|
|
-</property>
|
|
|
|
|
-<property name="cacheName">
|
|
|
|
|
-<value>ticketCache</value>
|
|
|
|
|
-</property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
|
|
|
|
|
-<property name="cache"><ref local="ticketCacheBackend"/></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casAuthoritiesPopulator"
|
|
|
|
|
- class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator">
|
|
|
|
|
-<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
|
|
-</bean>
|
|
|
|
|
-
|
|
|
|
|
-<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/>
|
|
|
|
|
-
|
|
|
|
|
- </programlisting></para>
|
|
|
|
|
|
|
+ <para>Next you need to add a <literal>CasAuthenticationProvider</literal> and its
|
|
|
|
|
+ collaborators:
|
|
|
|
|
+ <programlisting><![CDATA[
|
|
|
|
|
+ <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
|
|
|
|
|
+ <security:custom-authentication-provider />
|
|
|
|
|
+ <property name="userDetailsService" ref="userService"/>
|
|
|
|
|
+ <property name="serviceProperties" ref="serviceProperties" />
|
|
|
|
|
+ <property name="ticketValidator">
|
|
|
|
|
+ <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
|
|
|
|
|
+ <constructor-arg index="0" value="https://localhost:9443/cas" />
|
|
|
|
|
+ </bean>
|
|
|
|
|
+ </property>
|
|
|
|
|
+ <property name="key" value="an_id_for_this_auth_provider_only"/>
|
|
|
|
|
+ </bean>
|
|
|
|
|
+
|
|
|
|
|
+ <security:user-service id="userService">
|
|
|
|
|
+ <security:user name="joe" password="joe" authorities="ROLE_USER" />
|
|
|
|
|
+ ...
|
|
|
|
|
+ </security:user-service>]]>
|
|
|
|
|
+ </programlisting>
|
|
|
|
|
+ The <classname>CasAuthenticationProvider</classname> uses a <interfacename>UserDetailsService</interfacename>
|
|
|
|
|
+ instance to load the authorities for a user, once they have been authentiated by CAS. We've shown a simple
|
|
|
|
|
+ in-memory setup here.
|
|
|
|
|
+ </para>
|
|
|
|
|
|
|
|
<para>The beans are all reasonable self-explanatory if you refer back
|
|
<para>The beans are all reasonable self-explanatory if you refer back
|
|
|
- to the "How CAS Works" section. Careful readers might notice one
|
|
|
|
|
- surprise: the <literal>statelessTicketCache</literal> property of the
|
|
|
|
|
- <literal>CasAuthenticationProvider</literal>. This is discussed in
|
|
|
|
|
- detail in the "Advanced CAS Usage" section.</para>
|
|
|
|
|
-
|
|
|
|
|
|
|
+ to the "How CAS Works" section.</para>
|
|
|
|
|
+ </section>
|
|
|
|
|
+<!--
|
|
|
<para>Note the <literal>CasProxyTicketValidator</literal> has a
|
|
<para>Note the <literal>CasProxyTicketValidator</literal> has a
|
|
|
remarked out <literal>trustStore</literal> property. This property
|
|
remarked out <literal>trustStore</literal> property. This property
|
|
|
might be helpful if you experience HTTPS certificate issues. Also note
|
|
might be helpful if you experience HTTPS certificate issues. Also note
|
|
@@ -501,5 +456,7 @@
|
|
|
|
|
|
|
|
<para>It is hoped you find CAS integration easy and useful with Spring
|
|
<para>It is hoped you find CAS integration easy and useful with Spring
|
|
|
Security classes. Welcome to enterprise-wide single sign on!</para>
|
|
Security classes. Welcome to enterprise-wide single sign on!</para>
|
|
|
|
|
+
|
|
|
</section>
|
|
</section>
|
|
|
|
|
+-->
|
|
|
</chapter>
|
|
</chapter>
|
Luke Taylor