How to integrate CAS + Spring Security + Spring Integration

  • How to integrate CAS + Spring Security + Spring Integration

    Hello,

    I am considering the following architecture: a web application running on Tomcat 6, users are authenticated and authorized through Spring Security 3 and CAS (Central Authentication Service). From the web application, users remotely call a standalone application through Spring Integration 2 and a JMS broker. I want such calls to be authenticated and authorized by CAS too.

    My questions are:
    1. Is such an architecture possible?
    2. How are user credentials (or the security context) passed to the remote application?
    3. How should the Spring Security filter chain be configured there?

    Thanks for any opinion,

    Vladimir

  • #2
    100 viewers in 10 days, no opinion
    Maybe this is a topic also about the architecture. I copied it to the Architecture forum.

    Comment


    • #3
      The questions you need to ask yourself to determine if you can use CAS for authentication should be independent of the technologies you use. The question I would ask is can the CAS protocol be used? First ensure that the client of the service can obtain a proxy ticket. You will also want to validate that it can specify the proxy ticket (i.e. specify it as an http parameter). You will also want to ensure the service can accept http parameters (i.e. ticket=PT-1-sadfjlDFj) and that the service can make an https connection to the CAS server. If you can validate these things, then you should be able to authenticate with CAS.

      Comment


      • #4
        Thanks for good questions.

        Originally posted by rwinch:
        "The questions you need to ask yourself to determine if you can use CAS for authentication should be independent of the technologies you use. The question I would ask is can the CAS protocol be used?"
        I hope so. All the applications I have mentioned will be applications running in Spring application contexts with Spring Security configuration.

        Originally posted by rwinch:
        "First ensure that the client of the service can obtain a proxy ticket. You will also want to validate that it can specify the proxy ticket (i.e. specify it as an http parameter) ... If you can validate these things, then you should be able to authenticate with CAS."
        I want to rely upon the CAS client library, which should manage to communicate over HTTP. I also know that a service can be authenticated in CAS stateless mode. And Spring Integration channels can use Spring Security as well. That is all my knowledge.

        My first problem is that I have no experience with the proxy configuration you wrote about. I have read about the CAS 2 principles here. But there are few examples around.

        Comment


        • #5
          Are you trying to obtain a proxy ticket or consume a proxy ticket? Support for authenticating with Proxy Tickets is a known enhancement with Spring Security CAS support. I have just about wrapped up a fix within a branch of git. In the branch you will find some changes to Spring Security Web, Spring Security CAS, a sample application that demonstrates proxy ticket authentication, full integration tests, and an update to the CAS documentation that talks about proxy ticket authentication. You can either read directly from docs/manual/src/docbook/cas-auth-provider.xml or generate the manual using gradle. The doc is still a bit rough, so if you have feedback I would be glad to hear it.

          PS: If you want to understand CAS proxy ticket authentication I recommend the Proxy CAS Walkthrough.

          Comment


          • #6
            Thanks for resources.

            Originally posted by rwinch:
            "The doc is still a bit rough, so if you have feedback I would be glad to hear it."
            The documentation on the CAS is getting better and better. Good job.

            Originally posted by rwinch:
            "Are you trying to obtain a proxy ticket or consume a proxy ticket?"
            I feel I should be clearer here. First, please, see Spring Integration security:

            "... The interceptor requires that a valid SecurityContext has been established by authenticating with Spring Security. See the Spring Security reference documentation for details."
            I don't know how to obtain the SecurityContext. Have you any idea?
            I'm going to sketch a picture so that we can talk more concretely.

            Vladimir

            Comment


            • #7
              I have finalized the CAS documentation and sample for the 3.1.0-RC2 version of Spring Security. The doc and the sample both include how to authenticate a proxy ticket and how to use proxy tickets to authenticate to stateless clients. The branch has been removed since all of the changes now exist in master. If you look in the Spring Security Reference you should be able to figure out how to get a SecurityContext.
              Last edited by Rob Winch; Apr 18th, 2011, 09:56 AM.

              Comment


              • #8
                Attached is the picture which depicts my idea. The red arrows are Spring Security communications. The Inbound endpoint should handle secured calls. I hope the channel endpoint is powerful enough for that. It could be implemented by a Message Handler Chain consisting of three parts:
                1. Transformer which transforms the JMS message.
                2. Filter/filters which handle Spring Security.
                3. Service Activator which activates the service.
                For now I simply imagine that filters in the chain can do the same work as Spring Security filters do. Originally I thought that the filters would be implemented by Spring Security filters, but they handle ServletRequest and ServletResponse. It seems to be a needless complication. Therefore I considered using the original CAS client library.

                Rob, do you think that it can work?

                Vladimir

                Comment
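
One way the security step in the handler chain from post #8 could establish a SecurityContext from a proxy ticket, as an added example that is not part of the thread or of the Spring Security sample. The handler class, the SecuredCall callback and the casProxyTicket header name are hypothetical; it assumes Spring Integration 2.x package names and an AuthenticationManager backed by a CasAuthenticationProvider whose ticket validator accepts proxy tickets.

```java
import org.springframework.integration.Message;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical handler: authenticates the CAS proxy ticket carried in a message header. */
public class ProxyTicketAuthenticatingHandler {

    /** Hypothetical header name; the sender sets it to a freshly obtained proxy ticket. */
    public static final String TICKET_HEADER = "casProxyTicket";

    /** Hypothetical callback standing in for the protected service call. */
    public interface SecuredCall {
        Object invoke(Object payload);
    }

    private final AuthenticationManager authenticationManager; // assumed: CasAuthenticationProvider behind it
    private final SecuredCall delegate;

    public ProxyTicketAuthenticatingHandler(AuthenticationManager authenticationManager,
                                            SecuredCall delegate) {
        this.authenticationManager = authenticationManager;
        this.delegate = delegate;
    }

    public Object handle(Message<?> message) {
        String ticket = message.getHeaders().get(TICKET_HEADER, String.class);
        if (ticket == null || ticket.length() == 0) {
            throw new BadCredentialsException("Message carries no CAS proxy ticket");
        }
        // Stateless identifier as principal, ticket as credentials: the token shape
        // CasAuthenticationProvider treats as a request from a non-session client.
        Authentication request = new UsernamePasswordAuthenticationToken(
                CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
        // Throws AuthenticationException when CAS rejects the ticket (expired, reused, wrong service).
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
        try {
            return delegate.invoke(message.getPayload());
        } finally {
            // Consumer threads are pooled; do not leave one caller's identity on the thread.
            SecurityContextHolder.clearContext();
        }
    }
}
```

Proxy tickets are single-use and short-lived, so the sender has to request one per message, and a message that waits in the queue too long will fail validation.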


                • #9
                  With the new version of the Spring forum, the attached picture from my previous post has been lost.
                  Never mind. Here is a better one:
                  Attachment
                  (Eh, File Upload Manager has shrunk it.)
                  Last edited by harasta; May 12th, 2011, 12:12 PM.

                  Comment
