Spring Security with custom CAS login page
  • Spring Security with custom CAS login page

    Is it possible to integrate CAS with Spring Security, while continuing to use a custom login page? If yes, are there any examples, documents, etc. that demonstrate how to do this? Thanks.
    Last edited by abking; Jul 25th, 2010, 07:25 PM.

  • #2
    I'm confused, because the point of CAS is to perform authentication outside of your application across multiple services - are you somehow using it differently?

    • #3
      Originally posted by pmularien:
      I'm confused, because the point of CAS is to perform authentication outside of your application across multiple services - are you somehow using it differently?
      No, I'm not using it differently; I'm using CAS to centrally authenticate my application, which is comprised of a web tier and a (RESTful web) service tier. Originally, I was having each component manage its own authentication with Spring. I found the answer to my original post here.

      Since my original post, I've gotten CAS to "work" and I have the following additional questions:
      1. How do you configure CAS/Spring to perform a single log out? With just Spring all that was needed was a link to j_spring_security_logout.
      2. How do you populate a principal's attributes from a database?
      3. How can authorization be managed in CAS/Spring?
      Last edited by abking; Jul 22nd, 2010, 01:00 AM.

      • #4
        Originally posted by abking:
        How do you configure CAS/Spring to perform a single log out? With just Spring all that was needed was a link to j_spring_security_logout.
        See https://jira.springsource.org/browse/SEC-748 (be sure to read the comments)
        Originally posted by abking:
        How do you populate a principal's attributes from a database?
        CasAuthenticationProvider uses an implementation of AuthenticationUserDetailsService to acquire the UserDetails. You will have to wire your own implementation.

        Originally posted by abking:
        How can authorization be managed in CAS/Spring?
        I'm not sure I understand this question. Authorization should be the same since CAS only does authentication.

        • #5
          So, in order to add single sign-out and population of the principal's attributes, I believe I need to add the following respectively. But I'm unclear on where I need to add these configurations. Do I add them to the applicationContexts of all the applications using CAS or the applicationContext of the CAS server?

          Code:
          <!-- Jasig CAS client filter that handles single sign-out requests sent by the CAS server.
               In the Spring Security 2.0 namespace (which the package names below belong to)
               custom-filter is nested inside the bean definition and positioned by alias. -->
          <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
              <sec:custom-filter before="CAS_PROCESSING_FILTER"/>
          </bean>
          Code:
          <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
              <property name="providers">
                  <list>
                      <ref bean="casAuthenticationProvider"/>
                  </list>
              </property>
          </bean>

          <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
              <!-- your own UserDetailsService: loads roles/attributes for the username the CAS server asserted -->
              <property name="userDetailsService" ref="myUserDetailsServiceImpl"/>
              <property name="serviceProperties" ref="serviceProperties"/>
              <property name="ticketValidator">
                  <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                      <!-- CAS server URL prefix; the validator appends /serviceValidate to it -->
                      <constructor-arg index="0" value="https://localhost:5543/cas"/>
                  </bean>
              </property>
              <!-- required: afterPropertiesSet() rejects a provider without a key. The key lets the
                   provider recognise CasAuthenticationTokens it created; use an application-specific value. -->
              <property name="key" value="replace-with-an-application-specific-secret"/>
          </bean>
          Originally posted by rwinch:
          I'm not sure I understand this question. Authorization should be the same since CAS only does authentication.
          As I understand it, CAS does not provide role-based authorization like Spring Security, so I am curious how I can achieve something similar with CAS. The only way I could think of was by getting the principal's details, specifically the principal's roles, during a request and then programmatically determining if they have sufficient authorization. I hope my explanation clarifies my question. Thanks.
          Last edited by abking; Jul 23rd, 2010, 12:10 AM.

          • #6
            CAS by default just tells your application who someone is, and thereafter things are the same as a normal Spring Security application. Usually the application will load the roles itself immediately following the authentication and store them in the security context, where they are accessed as normal by the security interceptor infrastructure.

            So getting the principal's roles "during a request" and "programmatically determining if they have sufficient authorization" have nothing to do with whether you are using CAS. In a normal application all you should have to do is provide the implementation for loading the UserDetails (including the roles) as Rob described and configure your access restrictions.

            The main question is how you want to load the role information and where from, but that's up to you. CAS can also be set up to send attributes with the user validation response, allowing some information to be centralized if required. And presumably the SAML support also allows this, but I haven't used that yet. It all depends on whether the role information you require in an application is based on shared information (e.g. country, organizational role, department) or whether it is application-specific (or a mix of the two).
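            Added example for the two points above (Rob's "wire your own AuthenticationUserDetailsService" in #4 and Luke's "load the roles immediately following the authentication" in #6). This is not code from the thread or from the Spring Security project. It assumes the Spring Security 3.0.x API (where the provider property is authenticationUserDetailsService and the token class is CasAssertionAuthenticationToken), cas-client-core 3.1.x, spring-jdbc 3.0.x plus HSQLDB for the embedded demo database, and it invents a USER_ROLES table and a CAS attribute called "memberOf" purely for illustration.

```java
// Added example, not from the thread: an AuthenticationUserDetailsService that maps the
// username asserted by CAS to application roles held in a database, optionally merged with
// roles the CAS server released as attributes. Assumptions (not from the page): Spring
// Security 3.0.x, cas-client-core 3.1.x, spring-jdbc 3.0.x + HSQLDB, a USER_ROLES table,
// and a "memberOf" attribute name.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class JdbcCasUserDetailsService implements AuthenticationUserDetailsService {

    // Hypothetical schema: one row per (username, role).
    private static final String ROLE_QUERY = "SELECT role FROM USER_ROLES WHERE username = ?";

    private final DataSource dataSource;

    public JdbcCasUserDetailsService(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        // CasAuthenticationProvider calls this after the service ticket has been validated, so
        // the username is what the CAS server asserted, not something the client typed.
        String username = token.getName();
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        try {
            loadRolesFromDatabase(username, authorities);
        } catch (SQLException e) {
            throw new IllegalStateException("role lookup failed for " + username, e);
        }
        if (token instanceof CasAssertionAuthenticationToken) {
            addRolesFromAssertion(((CasAssertionAuthenticationToken) token).getAssertion(), authorities);
        }
        if (authorities.isEmpty()) {
            // Authenticated by CAS but unknown to this application: fail closed.
            throw new UsernameNotFoundException("no roles for " + username);
        }
        // CAS never hands the application a password, so an empty one is stored.
        return new User(username, "", true, true, true, true, authorities);
    }

    private void loadRolesFromDatabase(String username, List<GrantedAuthority> out) throws SQLException {
        Connection con = dataSource.getConnection();
        try {
            PreparedStatement ps = con.prepareStatement(ROLE_QUERY); // parameterised: no SQL injection
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                out.add(new GrantedAuthorityImpl(rs.getString(1)));
            }
        } finally {
            con.close(); // also closes the statement and result set
        }
    }

    // Roles released centrally by the CAS server as a (hypothetical) "memberOf" attribute.
    private void addRolesFromAssertion(Assertion assertion, List<GrantedAuthority> out) {
        Map<?, ?> attrs = assertion.getPrincipal().getAttributes();
        Object memberOf = attrs == null ? null : attrs.get("memberOf");
        if (memberOf instanceof Iterable) {
            for (Object group : (Iterable<?>) memberOf) {
                out.add(new GrantedAuthorityImpl("ROLE_" + String.valueOf(group).toUpperCase()));
            }
        } else if (memberOf != null) {
            out.add(new GrantedAuthorityImpl("ROLE_" + memberOf.toString().toUpperCase()));
        }
    }

    // Stand-alone demo against an embedded HSQLDB populated with constructed sample rows.
    public static void main(String[] args) throws Exception {
        EmbeddedDatabase db = new EmbeddedDatabaseBuilder().build();
        Connection con = db.getConnection();
        try {
            con.createStatement().execute("CREATE TABLE USER_ROLES(username VARCHAR(64), role VARCHAR(64))");
            con.createStatement().execute("INSERT INTO USER_ROLES VALUES ('alice', 'ROLE_USER')");
            con.createStatement().execute("INSERT INTO USER_ROLES VALUES ('alice', 'ROLE_ADMIN')");
        } finally {
            con.close();
        }
        AuthenticationUserDetailsService service = new JdbcCasUserDetailsService(db);
        // The token CasAuthenticationProvider builds once the ticket validates (ticket id is made up).
        Authentication alice = new CasAssertionAuthenticationToken(new AssertionImpl("alice"), "ST-1-example");
        System.out.println(service.loadUserDetails(alice).getAuthorities());
        try {
            service.loadUserDetails(new CasAssertionAuthenticationToken(new AssertionImpl("mallory"), "ST-2-example"));
        } catch (UsernameNotFoundException expected) {
            System.out.println("mallory rejected: " + expected.getMessage());
        }
        db.shutdown();
    }
}
```

            Wire it into the 3.0 provider with `<property name="authenticationUserDetailsService" ref="jdbcCasUserDetailsService"/>`; the GrantedAuthority values it returns end up in the security context and are what the usual `<intercept-url ... access="ROLE_ADMIN"/>` rules and method security check, exactly as in a non-CAS application. The fail-closed branch matters: a user the CAS server knows but the application does not should not get a session with an empty role set.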

            • #7
              Originally posted by Luke Taylor:
              CAS by default just tells your application who someone is, and thereafter things are the same as a normal Spring Security application.
              I was under the impression that Spring Security absolved itself of ALL security matters and simply redirected to CAS; as a result of this misunderstanding, I was thoroughly confused as to how things are supposed to be configured. Thanks for the clarification.
