Filters used in CAS Client configuration
The following describes the filters used in the CAS client integration and the purpose of each filter.
The CasAuthenticationEntryPoint will redirect the user's browser to the CAS server. After the user's browser redirects to CAS, they will be prompted for their username and password. CAS will use the handler discussed above (or AuthenticationHandler if using CAS 3.0) to decide whether the username and password are valid. Upon successful login, CAS will redirect the user's browser back to the original service. It will also include a ticket parameter.

Back in the service web application, the CasAuthenticationFilter is always listening for requests. The processing filter will construct a UsernamePasswordAuthenticationToken representing the service ticket. This authentication request will then be handed to the configured AuthenticationManager. The AuthenticationManager implementation will be the ProviderManager, which is in turn configured with the CasAuthenticationProvider. The CasAuthenticationProvider only responds to UsernamePasswordAuthenticationTokens containing the CAS-specific principal (such as CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER) and to CasAuthenticationTokens. CasAuthenticationProvider will validate the service ticket using a TicketValidator implementation.

Back on the CAS server, the validation request will be received. If the presented service ticket matches the service URL the ticket was issued to, CAS will provide an affirmative response in XML indicating the username.

The Cas20TicketValidator will parse the XML received from the CAS server. It will return to the CasAuthenticationProvider a TicketResponse, which includes the username (mandatory). CasAuthenticationProvider will next request an AuthenticationUserDetailsService to load the GrantedAuthority objects. Control then returns to CasAuthenticationFilter, which places the created CasAuthenticationToken in the security context.

Configuration of CAS Client
This section describes how to setup Spring Security to authenticate Service Tickets.
The service must equal a URL that will be monitored by the CasAuthenticationFilter:

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
  <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
  <property name="sendRenew" value="false"/>
</bean>
The following beans should be configured to commence the CAS authentication process:

<security:http entry-point-ref="casEntryPoint">
  ...
  <security:custom-filter position="CAS_FILTER" ref="casFilter" />
</security:http>

<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
</bean>

<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
  <property name="loginUrl" value="https://localhost:9443/cas/login"/>
  <property name="serviceProperties" ref="serviceProperties"/>
</bean>
Next you need to add a CasAuthenticationProvider and its collaborators:

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>

<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
  <property name="authenticationUserDetailsService">
    <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <constructor-arg ref="userService" />
    </bean>
  </property>
  <property name="serviceProperties" ref="serviceProperties" />
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
      <constructor-arg index="0" value="https://localhost:9443/cas" />
    </bean>
  </property>
  <property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>

<security:user-service id="userService">
  <security:user name="joe" password="joe" authorities="ROLE_USER" />
  ...
</security:user-service>
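To make the service-ticket exchange that these beans take part in concrete, here is a constructed simulation added to this page; it is not Spring Security or CAS code. A toy CAS server issues a ticket bound to the service URL it was requested for and answers the serviceValidate request with a CAS 2.0 XML body; the client side extracts the ticket parameter from the redirected request and parses the response the way Cas20ServiceTicketValidator does. The service URL and the user joe come from the configuration above; the class and function names, the ticket lifetime, the failure messages and the in-memory ticket store are assumptions of this example (the failure codes INVALID_TICKET and INVALID_SERVICE are the real CAS protocol codes).

```python
# Constructed simulation of the CAS 2.0 service-ticket exchange (added example,
# not Spring Security or CAS code). CasServer stands in for the CAS server;
# extract_ticket/parse_validation_response stand in for what the filter and
# the ticket validator do on the service side.
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by CAS 2.0 responses
ET.register_namespace("cas", CAS_NS)

# Same value as the serviceProperties bean on this page.
SERVICE = "https://localhost:8443/cas-sample/j_spring_cas_security_check"


def _response(child_tag, text=None, **attrs):
    """Build a <cas:serviceResponse> body with one success or failure child."""
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    child = ET.SubElement(root, f"{{{CAS_NS}}}{child_tag}", **attrs)
    if child_tag == "authenticationSuccess":
        ET.SubElement(child, f"{{{CAS_NS}}}user").text = text
    else:
        child.text = text
    return ET.tostring(root, encoding="unicode")


class CasServer:
    """Toy CAS server (assumption of this example): issues service tickets and
    answers /serviceValidate. Tickets are bound to one service URL, single-use
    and short-lived."""

    def __init__(self, ticket_ttl_seconds=10):
        self._tickets = {}  # ticket -> (bound service URL, username, issued_at)
        self._ttl = ticket_ttl_seconds

    def login(self, service, username, now=None):
        """Successful login: redirect the browser back to `service` with a ticket."""
        ticket = "ST-" + secrets.token_urlsafe(20)
        self._tickets[ticket] = (service, username, time.time() if now is None else now)
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket})

    def service_validate(self, service, ticket, now=None):
        """Answer /serviceValidate?service=...&ticket=... with CAS 2.0 XML.
        The ticket is consumed on first presentation, even if validation fails."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return _response("authenticationFailure", f"Ticket {ticket} not recognized",
                             code="INVALID_TICKET")
        bound_service, username, issued_at = entry
        if now - issued_at > self._ttl:
            return _response("authenticationFailure", f"Ticket {ticket} has expired",
                             code="INVALID_TICKET")
        if bound_service != service:
            return _response("authenticationFailure",
                             f"Ticket {ticket} does not match supplied service",
                             code="INVALID_SERVICE")
        return _response("authenticationSuccess", username)


def extract_ticket(request_url):
    """What the filter sees on the redirected request: the `ticket` parameter."""
    return parse_qs(urlsplit(request_url).query)["ticket"][0]


def parse_validation_response(xml_body):
    """Client-side parse of the CAS 2.0 response. Returns the asserted username;
    raises ValueError carrying the CAS failure code otherwise."""
    root = ET.fromstring(xml_body)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        user = success.findtext(f"{{{CAS_NS}}}user")
        if not user:
            raise ValueError("ticket validation failed: MALFORMED")
        return user
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    raise ValueError(f"ticket validation failed: {code}")


def authenticate(cas, request_url, service=SERVICE):
    """Service side: pull the ticket off the request and validate it against CAS,
    naming the *configured* service URL, never one taken from the request."""
    return parse_validation_response(cas.service_validate(service, extract_ticket(request_url)))


def demo():
    """Run the happy path plus the three cases CAS rejects."""
    cas = CasServer()
    redirect = cas.login(SERVICE, "joe")
    results = {"fresh": authenticate(cas, redirect)}
    attempts = [("replay", redirect),
                ("other_service", cas.login("https://other.example/j_spring_cas_security_check", "joe"))]
    for name, url in attempts:
        try:
            authenticate(cas, url)
        except ValueError as err:
            results[name] = str(err)
    stale = extract_ticket(cas.login(SERVICE, "joe", now=0))
    try:
        parse_validation_response(cas.service_validate(SERVICE, stale, now=60))
    except ValueError as err:
        results["expired"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per case: the fresh ticket resolves to joe, while a replayed ticket, a ticket issued for a different service URL and an expired ticket are all rejected by the CAS side. The point to carry back to the beans above is the `service` argument in authenticate: the validation request names the URL configured in ServiceProperties, not whatever the incoming request says, which is why that value must equal the URL the CasAuthenticationFilter actually monitors. The sendRenew flag, proxy tickets and the transport (HTTPS) are not modelled here.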