blog.smart-java.nl
Ordina J-Technologies – Java Blog



Spring Security 3.0 and CAS 3.3.4 integration

By: Stephan Oudmaijer, 29 December 2009


JA-SIG Central Authentication Service (CAS) is an enterprise-level, open-source, single sign-on solution with a Java server component and various client libraries written in a multitude of languages including PHP, PL/SQL, Java, .Net, Perl and more.

Both Spring Security 3.0 and Spring 3.0 were released this month. Spring Security provides excellent support for CAS. In Spring Security 3.0 a couple of CAS integration components have been changed (renamed). The configuration is also a bit different from Spring Security 2.0.x.

How CAS works
The CAS Server webapp should be deployed on an application server. Applications can use the CAS Server for the authentication process. CAS only provides authentication and no authorisation. The authorisation should be implemented (using Spring Security) by the applications using the CAS Server.

How Spring Security fits in
Let's say a user tries to access a protected resource within an application using Spring Security. Spring Security intercepts the request and checks whether the user should be authenticated. If so, the user is forwarded to the CAS login page. The user typically enters a username and password and submits them to the CAS server. If CAS authenticates the user successfully, the user is redirected back to the application in which the protected resource was being accessed. The redirect URL now contains a ticket generated by CAS. Spring Security validates this ticket against CAS to check that it is valid for this user. If so, the user details will be loaded by Spring Security. If the user is also authorised to access the protected resource, access will be granted.

Configuration
For my demo I use the CAS server webapp version 3.3.4, deployed on Apache Tomcat 6.0.20. In the demo I access the CAS Server over HTTP; this should be HTTPS in a production environment! I have deployed the applications using the following URLs:

  • The CAS Server web application: http://localhost:8080/cas-server-webapp-3.3.4/
  • The application using CAS: http://localhost:8080/spring-security-cas/

I use Maven2 for managing my dependencies. The following libraries should be added to the pom.xml.

    Maven2 dependencies

    
    	
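    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>3.0.0.RELEASE</version>
            <optional>false</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>3.0.0.RELEASE</version>
            <optional>false</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.0.0.RELEASE</version>
            <optional>false</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.0.0.RELEASE</version>
            <optional>false</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-cas-client</artifactId>
            <version>3.0.0.RELEASE</version>
            <optional>false</optional>
        </dependency>
    </dependencies>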
    	
    
    

    Spring Security configuration
    Please be aware that the Spring Security reference documentation is not 100% accurate on the CAS integration.

    
    
    
    	
    	
    		
    		
    	
    
    	
    	
    		
    	
    
    	
    	
    
    
    		
    
            
    	
    
    	
    
    	
    	
    
    
    	
    
    	
    	
    
    
    
    			
    				
    			
    		
    
    	
    
    	
    	
    		
    	
    
    

    web.xml

    
    
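    <web-app>
        <display-name>webapp</display-name>

        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext-security.xml</param-value>
        </context-param>

        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    </web-app>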
    	
    
    

    That's it, try it yourself!

    Original article posted at: http://oudmaijer.com
