integarte existing spring security web applications with CAS

[guythomas]

I have a bunch of web applications that are secured using Spring Security.

The authentication data are retrieved from a database and consist of a username, a password and a domain (= any environment to be secured - a web app, part of a web app, ...). Together thay make up a DomainSecurityAuthenticationToken which extends UsernamePasswordAuthenticationToken.
When a user logs in, he has to specify a username, a password and select one domain name from a list of domain names.

This set-up has been running with success for some time now. I started looking into CAS because single sign-on is required.

I have been reading about CAS and my impression is that I have to move the authentication against username, password and domain from my applications to the CAS server side and that the domain security database will be addressed from the CAS server and not from within my secured applications. Is this correct? That would lead to major changes in the security set-up of the applications.

[jleleu]

Hi,

Even if I'm not sure to fully understand the notion of "domain", your understanding is correct : if you use CAS, the CAS server will deal with username and password to check them and retrieved authenticated data in database. These authenticated data will then be pushed to the application during service ticket validation. With embedded CAS client, your web applications only know the CAS server.
Here is the documentation to "CASsify" your web applications : http://static.springsource.org/sprin...rence/cas.html.
Best regards,
Jérôme

[guythomas]

In the "Spring Security 3" book I read the following in the chapter on CAS: "We can see that in this diagram our application is no longer checking the authentication store to validate users (although a data source is still required to fully populate UserDetails of the authenticated user)."

Do I understand this correctly? Do we need a data store on the CAS server side AND on the side of the protected application?
I have four authentication items: username, password, domain and role (DOMAIN_ROLE_USER, DOMAIN_ROLE_ADMINISTRATOR and DOMAIN_ROLE_APPL (kind of super administrator)). Can I retrieve all four on the CAS server side and then pass them to the secured application and store them in a UserDetails object?

[Rob Winch]

On the CAS Server side you need some way to validate the user and return the attributes for that user. The default setup will only return a username. The CAS client will need a way to determine the user's roles by injecting a AuthenticationUserDetailsService<CasAssertionAuthe nticationToken> into the CasAuthenticationProvider. One way is to look up the authorities in a datastore another way is to configure the CAS Server to return custom attributes and then use the GrantedAuthorityFromAssertionAttributesUserDetails Service.

[JohnTheDroider]

I been trying to get the same thing working without any luck

[jleleu]

Hi,

In addition to what Rob said, you need a data store in both sides, but it's not the same goal.

On CAS server side, you have an authenticated user (username) with attributes (domain & role). The password is never stored except if you use the clearPass extension but generally you don't need it and I would recommend not to store the password. The CAS server performs credentials check (are login and password good ?) and retrieves data associated to the authenticated user : it has nothing to do with authorization at this stage.

On application side, the CAS client deals with the CAS protocol to retrieve the authenticated user and its attributes (use SAML validation to push attributes to CAS clients). With this authenticated user and attributes (CasAuthenticationToken), Spring security comes into play with the concept of UserDetailsService which turns an authentication token into a user with granted authorities which will be handled properly by the Spring Security authorization framework. At this step, the question is how to transform the attributes of my authenticated user into a Spring Security authenticated user with granted authorities : you can do it by hand or you can use the GrantedAuthorityFromAssertionAttributesUserDetails class.

Best regards,
Jérôme