
Thread: How to integrate CAS + Spring Security + Spring Integration

  1. #1


    Hello,

    I am considering the following architecture: a web application running on Tomcat 6, where users are authenticated and authorized through Spring Security 3 and CAS (Central Authentication Service). From the web application, users remotely call a standalone application through Spring Integration 2 and a JMS broker. I want such calls to be authenticated and authorized by CAS too.

    My questions are:
    1. Is such an architecture possible?
    2. How are user credentials (or the security context) passed to the remote application?
    3. How should the Spring Security filter chain be configured there?

    Thanks for any opinion,

    Vladimir

  2. #2


    100 viewers in 10 days, no opinion
    Maybe this is a topic also about the architecture. I copied it to the Architecture forum.

  3. #3

    The questions you need to ask yourself to determine if you can use CAS for authentication should be independent of the technologies you use. The question I would ask is can the CAS protocol be used? First ensure that the client of the service can obtain a proxy ticket. You will also want to validate that it can specify the proxy ticket (i.e. specify it as an http parameter). You will also want to ensure the service can accept http parameters (i.e. ticket=PT-1-sadfjlDFj) and that the service can make an https connection to the CAS server. If you can validate these things, then you should be able to authenticate with CAS.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  4. #4


    Thanks for the good questions.

    Originally posted by rwinch:
    The questions you need to ask yourself to determine if you can use CAS for authentication should be independent of the technologies you use. The question I would ask is can the CAS protocol be used?
    I hope so. All the applications I have mentioned will be running in Spring application contexts with Spring Security configuration.

    Originally posted by rwinch:
    First ensure that the client of the service can obtain a proxy ticket. You will also want to validate that it can specify the proxy ticket (i.e. specify it as an http parameter) ... If you can validate these things, then you should be able to authenticate with CAS.
    I want to rely upon the CAS client library, which should manage to communicate over HTTP. I also know that a service can be authenticated in CAS stateless mode. And Spring Integration channels can use Spring Security as well. That is all my knowledge.

    My first problem is that I have no experience with the proxy configuration you wrote about. I have read about CAS 2 principles here. But there are few examples around.

  5. #5

    Are you trying to obtain a proxy ticket or consume a proxy ticket? Support for authenticating with Proxy Tickets is a known enhancement with Spring Security CAS support. I have just about wrapped up a fix within a branch of git. In the branch you will find some changes to Spring Security Web, Spring Security CAS, a sample application that demonstrates proxy ticket authentication, full integration tests, and an update to the CAS documentation that talks about proxy ticket authentication. You can either read directly from docs/manual/src/docbook/cas-auth-provider.xml or generate the manual using gradle. The doc is still a bit rough, so if you have feedback I would be glad to hear it.

    PS: If you want to understand CAS proxy ticket authentication I recommend the Proxy CAS Walkthrough.
    Rob Winch

  6. #6


    Thanks for the resources.

    Originally posted by rwinch:
    The doc is still a bit rough, so if you have feedback I would be glad to hear it.
    The documentation on the CAS is getting better and better. Good job.

    Originally posted by rwinch:
    Are you trying to obtain a proxy ticket or consume a proxy ticket?
    I feel I should be clearer here. First, please see Spring Integration security:

    ... The interceptor requires that a valid SecurityContext has been established by authenticating with Spring Security. See the Spring Security reference documentation for details.
    I don't know how to obtain the SecurityContext. Do you have any idea?
    I'm going to sketch a picture so that we can talk more concretely.

    Vladimir

  7. #7

    I have finalized the CAS documentation and sample for the 3.1.0-RC2 version of Spring Security. The doc and the sample both include how to authenticate a proxy ticket and how to use proxy tickets to authenticate to stateless clients. The branch has been removed since all of the changes now exist in master. If you look in the Spring Security Reference you should be able to figure out how to get a SecurityContext.
    Last edited by Rob Winch; Apr 18th, 2011 at 08:56 AM.
    Rob Winch

  8. #8


    Attached is the picture which depicts my idea. The red arrows are Spring Security communications. The Inbound endpoint should handle secured calls. I hope the channel endpoint is powerful enough for that. It could be implemented by a Message Handler Chain consisting of three parts:
    1. A transformer which transforms the JMS message.
    2. A filter or filters which handle Spring Security.
    3. A Service Activator which activates the service.
    For now I simply imagine that the filters in the chain can do the same work as Spring Security filters do. Originally I thought that the filters would be implemented by Spring Security filters, but they handle ServletRequest and ServletResponse. It seems to be a needless complication. Therefore I considered using the original CAS client library.

    Rob, do you think that it can work?

    Vladimir
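
The security step of the handler chain described above, as an added example that is not part of any post in this thread and is not code from the Spring Security project. It assumes the sender puts a CAS proxy ticket into a message header (the header name `casProxyTicket` and the `SecuredService` callback are hypothetical) and that the injected `AuthenticationManager` is backed by a `CasAuthenticationProvider` whose ticket validator accepts proxy tickets and whose service identifier is the one the web application requested the ticket for.

```java
import org.springframework.integration.Message;   // Spring Integration 2.x message type
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Added example: authenticates one inbound message with a CAS proxy ticket. */
public class ProxyTicketSecuredHandler {

    /** Hypothetical header name; sender and receiver only have to agree on it. */
    public static final String TICKET_HEADER = "casProxyTicket";

    /** Hypothetical callback standing in for the real service activator target. */
    public interface SecuredService {
        Object handle(Message<?> message);
    }

    private final AuthenticationManager authenticationManager;
    private final SecuredService delegate;

    public ProxyTicketSecuredHandler(AuthenticationManager authenticationManager,
                                     SecuredService delegate) {
        this.authenticationManager = authenticationManager;
        this.delegate = delegate;
    }

    public Object handle(Message<?> message) {
        String ticket = message.getHeaders().get(TICKET_HEADER, String.class);
        if (ticket == null || ticket.length() == 0) {
            // Fail closed: a message without a ticket never reaches the service.
            throw new BadCredentialsException("Message carries no CAS proxy ticket");
        }
        // The stateless identifier marks a caller with no HTTP session; the
        // CasAuthenticationProvider validates the ticket against the CAS server.
        Authentication request = new UsernamePasswordAuthenticationToken(
                CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
        try {
            return delegate.handle(message);   // runs with the caller's authorities
        } finally {
            // Consumer threads are reused, so never leak the context to the next message.
            SecurityContextHolder.clearContext();
        }
    }
}
```

The ticket header is a bearer credential while it is valid, so the JMS connection carrying it should be encrypted and the header kept out of message logs.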

  9. #9


    With the new version of the Spring forum, the attached picture from my previous post has been lost.
    Never mind. Here is a better one:
    SpringIntegrationAndCAS.jpg
    (Eh, File Upload Manager has shrunk it.)
    Last edited by harasta; May 12th, 2011 at 11:12 AM.
