updated documentation to document CAS3 support

Scott Battaglia 2006-03-28 15:45:18 +00:00
parent 9a8fdcd269
commit 24160c1870
1 changed files with 139 additions and 20 deletions


@ -982,7 +982,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
for commencing a form-based authentication,
<literal>BasicProcessingFilterEntryPoint</literal> for commencing a
HTTP Basic authentication process, and
<literal>CasProcessingFilterEntryPoint</literal> for commencing a Yale
<literal>CasProcessingFilterEntryPoint</literal> for commencing a JA-SIG
Central Authentication Service (CAS) login. The
<literal>AuthenticationProcessingFilterEntryPoint</literal> and
<literal>CasProcessingFilterEntryPoint</literal> have optional
@ -1147,7 +1147,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
<listitem>
<para><literal>CasAuthenticationToken</literal> is used to
represent a successful Yale Central Authentication Service (CAS)
represent a successful JA-SIG Central Authentication Service (CAS)
authentication. This is discussed further in the CAS
section.</para>
</listitem>
@ -1311,7 +1311,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
<listitem>
<para><literal>CasAuthenticationProvider</literal> is able to
authenticate Yale Central Authentication Service (CAS) tickets.
authenticate JA-SIG Central Authentication Service (CAS) tickets.
This is discussed further in the CAS Single Sign On
section.</para>
</listitem>
@ -2616,7 +2616,7 @@ public boolean supports(Class clazz);</programlisting></para>
Another approach (commonly use with web services) is HTTP Basic
Authentication, which allows clients to use HTTP headers to present
authentication information to the Acegi Security System for Spring.
Alternatively, you can also use Yale Central Authentication Service
Alternatively, you can also use JA-SIG Central Authentication Service
(CAS) for enterprise-wide single sign on. The final (and generally
unrecommended) approach is via Container Adapters, which allow
supported web containers to perform the authentication themselves.
@ -3560,13 +3560,13 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
</sect1>
<sect1 id="security-cas">
<title>Yale Central Authentication Service (CAS) Single Sign On</title>
<title>JA-SIG Central Authentication Service (CAS) Single Sign On</title>
<sect2 id="security-cas-overview">
<title>Overview</title>
<para>Yale University produces an enterprise-wide single sign on
system known as CAS. Unlike other initiatives, Yale's Central
<para>JA-SIG produces an enterprise-wide single sign on
system known as CAS. Unlike other initiatives, JA-SIG's Central
Authentication Service is open source, widely used, simple to
understand, platform independent, and supports proxy capabilities. The
Acegi Security System for Spring fully supports CAS, and provides an
@ -3575,7 +3575,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
enterprise-wide CAS server.</para>
<para>You can learn more about CAS at
<literal>http://www.yale.edu/tp/auth/</literal>. You will need to
<literal>http://www.ja-sig.org/products/cas/</literal>. You will need to
visit this URL to download the CAS Server files. Whilst the Acegi
Security System for Spring includes two CAS libraries in the
"-with-dependencies" ZIP file, you will still need the CAS Java Server
@ -3589,22 +3589,25 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
<para>Whilst the CAS web site above contains two documents that detail
the architecture of CAS, we present the general overview again here
within the context of the Acegi Security System for Spring. The
following refers to CAS 2.0, being the version of CAS that Acegi
Security System for Spring supports.</para>
following refers to both CAS 2.0 (produced by Yale) and CAS 3.0
(produced by JA-SIG), being the versions of CAS that Acegi Security
System for Spring supports.</para>
<para>Somewhere in your enterprise you will need to setup a CAS
server. The CAS server is simply a standard WAR file, so there isn't
anything difficult about setting up your server. Inside the WAR file
you will customise the login and other single sign on pages displayed
to users. You will also need to specify in the web.xml a
<literal>PasswordHandler</literal>. The
to users.</para>
<para>If you are deploying CAS 2.0, you will also need to specify in
the web.xml a <literal>PasswordHandler</literal>. The
<literal>PasswordHandler</literal> has a simple method that returns a
boolean as to whether a given username and password is valid. Your
<literal>PasswordHandler</literal> implementation will need to link
into some type of backend authentication repository, such as an LDAP
server or database.</para>
<para>If you are already running an existing CAS server instance, you
<para>If you are already running an existing CAS 2.0 server instance, you
will have already established a <literal>PasswordHandler</literal>. If
you do not already have a <literal>PasswordHandler</literal>, you
might prefer to use the Acegi Security System for Spring
@ -3617,6 +3620,32 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
will function as a CAS client successfully irrespective of the
<literal>PasswordHandler</literal> you've chosen for your CAS
server.</para>
<para>If you are deploying CAS 3.0, you will also need to specify an
<literal>AuthenticationHandler</literal> in the
deployerConfigContext.xml included with CAS. The
<literal>AuthenticationHandler</literal> has a simple method that
returns a boolean as to whether a given set of Credentials is valid.
Your <literal>AuthenticationHandler</literal> implementation will need
to link into some type of backend authentication repository, such as an
LDAP server or database. CAS itself includes numerous
<literal>AuthenticationHandler</literal>s out of the box to assist with
this.</para>
<para>If you are already running an existing CAS 3.0 server instance,
you will have already established an
<literal>AuthenticationHandler</literal>. If you do not already have an
<literal>AuthenticationHandler</literal>, you might prefer to use the
Acegi Security System for Spring
<literal>CasAuthenticationHandler</literal> class. This class delegates
through to the standard Acegi Security
<literal>AuthenticationManager</literal>, enabling you to use a security
configuration you might already have in place. You do not need to use
the <literal>CasAuthenticationHandler</literal> class on your CAS server
if you do not wish. The Acegi Security System for Spring will function
as a CAS client successfully irrespective of the
<literal>AuthenticationHandler</literal> you've chosen for your CAS
server.</para>
<para>Apart from the CAS server itself, the other key player is of
course the secure web applications deployed throughout your
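Review bot: the new CAS 3.0 paragraphs refer to the Acegi bridge only as "CasAuthenticationHandler", which is easy to confuse with the CAS server's own AuthenticationHandler interface introduced two sentences earlier; give the fully-qualified class name here (the sample in the installation section below uses org.acegisecurity.adapters.cas3.CasAuthenticationHandler) so readers know which side of the bridge is being described. The two paragraphs also repeat the CAS 2.0 PasswordHandler paragraphs almost word for word with the class name swapped; consider stating the shared point once (the Acegi adapter is optional, any server-side handler works for the Acegi client) and then listing the version-specific class and configuration file for each of CAS 2.0 and CAS 3.0.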
@ -3626,7 +3655,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
the user. This will be explained more fully later.</para>
<para>Services can be developed in a large variety of languages, due
to CAS 2.0's very light XML-based protocol. The Yale CAS home page
to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page
contains a clients archive which demonstrates CAS clients in Java,
Active Server Pages, Perl, Python and others. Naturally, Java support
is very strong given the CAS server is written in Java. You do not
@ -3675,8 +3704,10 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
session cookie which indicates they've previously logged on, they
will not be prompted to login again (there is an exception to this
procedure, which we'll cover later). CAS will use the
<literal>PasswordHandler</literal> discussed above to decide
whether the username and password is valid.</para>
<literal>PasswordHandler</literal> (or
<literal>AuthenticationHandler</literal> if using CAS 3.0)
discussed above to decide whether the username and password is
valid.</para>
</listitem>
<listitem>
@ -3833,12 +3864,12 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
configured.</para>
</sect2>
<sect2 id="security-cas-install-server">
<title>CAS Server Installation (Optional)</title>
<sect2 id="security-cas-2-install-server">
<title>CAS 2.0 Server Installation (Optional)</title>
<para>As mentioned above, the Acegi Security System for Spring
includes a <literal>PasswordHandler</literal> that bridges your
existing <literal>AuthenticationManager</literal> into CAS. You do not
existing <literal>AuthenticationManager</literal> into CAS 2.0. You do not
need to use this <literal>PasswordHandler</literal> to use Acegi
Security on the client side (any CAS
<literal>PasswordHandler</literal> will do).</para>
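Review bot: renaming the existing sect2 id from "security-cas-install-server" to "security-cas-2-install-server" will break any <xref linkend="security-cas-install-server"/> elsewhere in the reference guide and any external links to the generated anchor; either keep the old id on the CAS 2.0 section and give only the new CAS 3.0 section a fresh id, or search the document for xrefs to the old id and update them in the same commit.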
@ -3924,6 +3955,94 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
additional help or a test certificate you might like to check the
<literal>samples/contacts/etc/ssl</literal> directory.</para>
</sect2>
<sect2 id="security-cas-3-install-server">
<title>CAS 3.0 Server Installation (Optional)</title>
<para>As mentioned above, the Acegi Security System for Spring
includes an <literal>AuthenticationHandler</literal> that bridges your
existing <literal>AuthenticationManager</literal> into CAS 3.0. You do not
need to use this <literal>AuthenticationHandler</literal> to use Acegi
Security on the client side (any CAS
<literal>AuthenticationHandler</literal> will do).</para>
<para>To install, you will need to download and extract the CAS server
archive. We used version 3.0.4. There will be a
<literal>/webapp</literal> directory in the root of the deployment. Edit the
an <literal>deployerConfigContext.xml</literal> so that it contains your
<literal>AuthenticationManager</literal> as well as the
<literal>CasAuthenticationHandler</literal>. A sample
<literal>applicationContext.xml</literal> is included below:</para>
<programlisting><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean
id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>
<property name="authenticationHandlers">
<list>
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
<bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
<property name="authenticationManager" ref="acegiAuthenticationManager" />
</bean>
</list>
</property>
</bean>
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
marissa=koala,ROLES_IGNORED_BY_CAS
dianne=emu,ROLES_IGNORED_BY_CAS
scott=wombat,ROLES_IGNORED_BY_CAS
peter=opal,disabled,ROLES_IGNORED_BY_CAS
</value>
</property>
</bean>
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
</bean>
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider"/>
</list>
</property>
</bean>
</beans>
]]>
</programlisting>
<para>Note the granted authorities are ignored by CAS because it has
no way of communicating the granted authorities to calling
applications. CAS is only concerned with username and passwords (and
the enabled/disabled status).</para>
<para>Copy the <literal>acegi-security.jar</literal> file into
<literal>/localPlugins/lib</literal>. Now use the <literal>ant
war</literal> task in the <literal>build.xml</literal> in the /localPlugins
directory. This will create
<literal>/localPlugins/target/cas.war</literal>, which is ready for deployment to your
servlet container.</para>
<para>Note CAS heavily relies on HTTPS. You can't even test the system
without a HTTPS certificate. Whilst you should refer to your web
container's documentation on setting up HTTPS, if you need some
additional help or a test certificate you might like to check the
CAS documentation on setting up SSL:
<literal>http://www.ja-sig.org/products/cas/server/ssl/index.html</literal>
</para>
</sect2>
<sect2 id="security-cas-install-client">
<title>CAS Acegi Security System Client Installation</title>
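Review bot: the install text tells the reader to edit deployerConfigContext.xml but then says "A sample <literal>applicationContext.xml</literal> is included below", so it is unclear which file the listing replaces; name the same file in both places. In the same paragraph "Edit the an <literal>deployerConfigContext.xml</literal>" should read "Edit the <literal>deployerConfigContext.xml</literal>", and the bare "/localPlugins" in the ant war sentence should be wrapped in <literal> like the other paths. The sample context wires an InMemoryDaoImpl with cleartext passwords (marissa=koala, dianne=emu, ...); since the surrounding text says a real AuthenticationHandler must link into an LDAP server or database, add a sentence stating that the in-memory map is for demonstration only and that a deployment should replace it with its existing UserDetailsService rather than copy the listing as-is.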
@ -5439,7 +5558,7 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
<literal><literal>acegi-security-sample-contacts-ca.war</literal></literal>
is configured to use a Container Adapter. Finally,
<literal>acegi-security-sample-contacts-cas.war</literal> is designed to
work with a Yale CAS server. If you're just wanting to see how the
work with a JA-SIG CAS server. If you're just wanting to see how the
sample application works, please use
<literal><literal>acegi-security-sample-contacts-filter.war</literal></literal>
as it does not require special configuration of your container. This is