SEC-762: Updated CAS configuration from sample app

Luke Taylor 2008-04-13 12:02:16 +00:00
parent da72a7dc00
commit b8490bddb2


@ -1,8 +1,10 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas"><info><title>CAS Authentication</title></info> <chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas"
xmlns:xlink="http://www.w3.org/1999/xlink">
<title>CAS Authentication</title>
<section xml:id="cas-overview"> <section xml:id="cas-overview">
<info><title>Overview</title></info> <title>Overview</title>
<para>JA-SIG produces an enterprise-wide single sign on system known <para>JA-SIG produces an enterprise-wide single sign on system known
as CAS. Unlike other initiatives, JA-SIG's Central Authentication as CAS. Unlike other initiatives, JA-SIG's Central Authentication
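Review bot: The chapter and overview titles are moved out of `<info>` into bare `<title>` elements, but the `cas-client` section further down this file still uses `<info><title>`; both forms are valid DocBook 5, so the file should settle on one. The added `xmlns:xlink` declaration is required for the `xlink:href` attribute introduced in a later hunk, so that part is fine.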
@ -262,25 +264,20 @@
<section xml:id="cas-client"> <section xml:id="cas-client">
<info><title>Configuration of CAS Client</title></info> <info><title>Configuration of CAS Client</title></info>
<para>
TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0
</para>
<para>The web application side of CAS is made easy due to Spring <para>The web application side of CAS is made easy due to Spring
Security. It is assumed you already know the basics of using Spring Security. It is assumed you already know the basics of using Spring
Security, so these are not covered again below. Only the CAS-specific Security, so these are not covered again below. We'll assume a namespace
beans are mentioned.</para> based configuration is being used and add in the CAS beans as required.
</para>
<para>You will need to add a <literal>ServiceProperties</literal> bean <para>You will need to add a <literal>ServiceProperties</literal> bean
to your application context. This represents your service:</para> to your application context. This represents your service:</para>
<para><programlisting> <para><programlisting><![CDATA[
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
&lt;bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"&gt; <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
&lt;property name="service" value="https://localhost:8443/contacts-cas/j_spring_cas_security_check"/&gt; <property name="sendRenew" value="false"/>
&lt;property name="sendRenew"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt; </bean>]]>
&lt;/bean&gt;
</programlisting></para> </programlisting></para>
<para>The <literal>service</literal> must equal a URL that will be <para>The <literal>service</literal> must equal a URL that will be
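Review bot: The `service` value in the `ServiceProperties` bean is what the CAS server compares against the `service` parameter during ticket validation, so the paragraph that follows should say plainly that it must match the URL the browser actually arrives at, including scheme, host and port; the sample hard-codes `https://localhost:8443/cas-sample/j_spring_cas_security_check`, which readers will have to change for their own deployment. Removing the TODO paragraph is fine now that the surrounding text has been updated, and switching the listing to a CDATA section is cleaner than entity-escaping every angle bracket.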
@ -294,44 +291,37 @@
<para>The following beans should be configured to commence the CAS <para>The following beans should be configured to commence the CAS
authentication process:</para> authentication process:</para>
<para><programlisting> <para><programlisting><![CDATA[
&lt;bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"&gt; <security:authentication-manager alias="authenticationManager"/>
&lt;property name="authenticationManager" ref="authenticationManager"/&gt;
&lt;property name="authenticationFailureUrl" value="/casfailed.jsp"/&gt;
&lt;property name="defaultTargetUrl" value="/"/&gt;
&lt;property name="filterProcessesUrl" value="/j_spring_cas_security_check"/&gt;
&lt;/bean&gt;
&lt;bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"&gt; <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
&lt;property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/&gt; <security:custom-filter after="CAS_PROCESSING_FILTER"/>
&lt;/bean&gt; <property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/casfailed.jsp"/>
<property name="defaultTargetUrl" value="/"/>
</bean>
&lt;bean id="casProcessingFilterEntryPoint" <bean id="casProcessingFilterEntryPoint"
class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"&gt; class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
&lt;property name="loginUrl" value="https://localhost:8443/cas/login"/&gt; <property name="loginUrl" value="https://localhost:9443/cas/login"/>
&lt;property name="serviceProperties" ref="serviceProperties"/&gt; <property name="serviceProperties" ref="serviceProperties"/>
&lt;/bean&gt; </bean>
]]>
</programlisting></para> </programlisting></para>
<para>You will also need to add the <literal>CasProcessingFilter</literal> to web.xml:</para> <para>
The <classname>CasProcessingFilterEntryPoint</classname> should be selected to
drive authentication using <link xlink:href="ns-entry-point-ref"><literal>entry-point-ref</literal></link>.
<para><programlisting> </para>
&lt;filter&gt;
&lt;filter-name&gt;casProcessingFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;casProcessingFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
</programlisting></para>
<para>The <literal>CasProcessingFilter</literal> has very similar <para>The <literal>CasProcessingFilter</literal> has very similar
properties to the <literal>AuthenticationProcessingFilter</literal> properties to the <literal>AuthenticationProcessingFilter</literal>
(used for form-based logins). Each property is (used for form-based logins). Each property is
self-explanatory.</para> self-explanatory. Note that we've also used the namespace syntax
for setting up an alias to the authentication mnager, since the
<literal>CasProcessingFilter</literal> needs a reference to it.</para>
<para>For CAS to operate, the <para>For CAS to operate, the
<literal>ExceptionTranslationFilter</literal> must have its <literal>ExceptionTranslationFilter</literal> must have its
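Review bot: The new cross-reference `<link xlink:href="ns-entry-point-ref">` will be rendered as a relative URI rather than as an internal link; for an `xml:id` elsewhere in the book it should be `<link linkend="ns-entry-point-ref">` (or `<xref linkend="ns-entry-point-ref"/>`). Two smaller points in the same hunk: "authentication mnager" in the added paragraph is a typo for "manager", and the `exceptionTranslationFilter` bean has been dropped from the listing while the retained paragraph ("For CAS to operate, the ExceptionTranslationFilter must have its ...") still describes wiring it by hand; with `entry-point-ref` the namespace configures that filter, so the paragraph needs reworking to match. Dropping the explicit `filterProcessesUrl` property relies on the filter's default of `/j_spring_cas_security_check`, which agrees with the `service` URL above, so that change is consistent.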
@ -343,70 +333,35 @@
which provides the URL to the enterprise's CAS login server. This is which provides the URL to the enterprise's CAS login server. This is
where the user's browser will be redirected.</para> where the user's browser will be redirected.</para>
<para>Next you need to add an <literal>AuthenticationManager</literal> <para>Next you need to add a <literal>CasAuthenticationProvider</literal> and its
that uses <literal>CasAuthenticationProvider</literal> and its collaborators:
collaborators:</para> <programlisting><![CDATA[
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
<security:custom-authentication-provider />
<property name="userDetailsService" ref="userService"/>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:9443/cas" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<para><programlisting> <security:user-service id="userService">
&lt;bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"&gt; <security:user name="joe" password="joe" authorities="ROLE_USER" />
&lt;property name="providers"&gt; ...
&lt;list&gt; </security:user-service>]]>
&lt;ref bean="casAuthenticationProvider"/&gt; </programlisting>
&lt;/list&gt; The <classname>CasAuthenticationProvider</classname> uses a <interfacename>UserDetailsService</interfacename>
&lt;/property&gt; instance to load the authorities for a user, once they have been authentiated by CAS. We've shown a simple
&lt;/bean&gt; in-memory setup here.
</para>
&lt;bean id="casAuthenticationProvider"
class="org.springframework.security.providers.cas.CasAuthenticationProvider"&gt;
&lt;property name="casAuthoritiesPopulator"&gt;&lt;ref bean="casAuthoritiesPopulator"/&gt;&lt;/property&gt;
&lt;property name="casProxyDecider"&gt;&lt;ref bean="casProxyDecider"/&gt;&lt;/property&gt;
&lt;property name="ticketValidator"&gt;&lt;ref bean="casProxyTicketValidator"/&gt;&lt;/property&gt;
&lt;property name="statelessTicketCache"&gt;&lt;ref bean="statelessTicketCache"/&gt;&lt;/property&gt;
&lt;property name="key"&gt;&lt;value&gt;my_password_for_this_auth_provider_only&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="casProxyTicketValidator"
class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator"&gt;
&lt;property name="casValidate"&gt;&lt;value&gt;https://localhost:8443/cas/proxyValidate&lt;/value&gt;&lt;/property&gt;
&lt;property name="proxyCallbackUrl"&gt;&lt;value&gt;https://localhost:8443/contacts-cas/casProxy/receptor&lt;/value&gt;&lt;/property&gt;
&lt;property name="serviceProperties"&gt;&lt;ref bean="serviceProperties"/&gt;&lt;/property&gt;
&lt;!-- &lt;property name="trustStore"&gt;&lt;value&gt;/some/path/to/your/lib/security/cacerts&lt;/value&gt;&lt;/property&gt; --&gt;
&lt;/bean&gt;
&lt;bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"&gt;
&lt;property name="configLocation"&gt;
&lt;value&gt;classpath:/ehcache-failsafe.xml&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"&gt;
&lt;property name="cacheManager"&gt;
&lt;ref local="cacheManager"/&gt;
&lt;/property&gt;
&lt;property name="cacheName"&gt;
&lt;value&gt;ticketCache&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache"&gt;
&lt;property name="cache"&gt;&lt;ref local="ticketCacheBackend"/&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="casAuthoritiesPopulator"
class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator"&gt;
&lt;property name="userDetailsService"&gt;&lt;ref bean="inMemoryDaoImpl"/&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/&gt;
</programlisting></para>
<para>The beans are all reasonable self-explanatory if you refer back <para>The beans are all reasonable self-explanatory if you refer back
to the "How CAS Works" section. Careful readers might notice one to the "How CAS Works" section.</para>
surprise: the <literal>statelessTicketCache</literal> property of the </section>
<literal>CasAuthenticationProvider</literal>. This is discussed in <!--
detail in the "Advanced CAS Usage" section.</para>
<para>Note the <literal>CasProxyTicketValidator</literal> has a <para>Note the <literal>CasProxyTicketValidator</literal> has a
remarked out <literal>trustStore</literal> property. This property remarked out <literal>trustStore</literal> property. This property
might be helpful if you experience HTTPS certificate issues. Also note might be helpful if you experience HTTPS certificate issues. Also note
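Review bot: The `<!--` opened after `</section>` comments out the rest of the chapter, and any `--` sequence inside that range will make the XML fail to parse; the removed listing used `&lt;!-- ... --&gt;` for the `trustStore` property, so the whole commented span should be checked for similar remnants before this is merged. A security-relevant change the prose should state: the sample moves from `CasProxyTicketValidator` with `RejectProxyTickets` to the JA-SIG `Cas20ServiceTicketValidator`, which validates service tickets only, so proxy tickets are no longer accepted (the safer default) and proxy handling is not covered by this configuration. The `key` value `an_id_for_this_auth_provider_only` is hashed into the `CasAuthenticationToken` so the provider accepts only tokens it created, and the text should tell readers to choose their own value rather than copy the sample. Typos: "authentiated" for "authenticated" in the new paragraph, and "reasonable self-explanatory" in the retained paragraph should read "reasonably".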
@ -501,5 +456,7 @@
<para>It is hoped you find CAS integration easy and useful with Spring <para>It is hoped you find CAS integration easy and useful with Spring
Security classes. Welcome to enterprise-wide single sign on!</para> Security classes. Welcome to enterprise-wide single sign on!</para>
</section> </section>
-->
</chapter> </chapter>
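Review bot: The `-->` here closes the comment opened in the previous hunk, so the chapter now ends at "refer back to the How CAS Works section" with its closing paragraph and everything in between commented out; commented-out prose still ships in the source and tends to rot, so either delete it or mark it with a visible TODO saying it awaits rewriting for the updated CAS client, as the removed TODO paragraph did for the client section.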