Is it possible to integrate CAS with Spring Security, while continuing to use a custom login page? If yes, are there any examples, documents, etc. that demonstrate how to do this? Thanks.
Last edited by abking; Jul 25th, 2010 at 06:25 PM.
I'm confused, because the point of CAS is to perform authentication outside of your application across multiple services - are you somehow using it differently?
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
No, I'm not using it differently; I'm using CAS to centrally authenticate my application, which is comprised of a web tier and a (RESTful web) service tier. Originally, I was having each component manage its own authentication with Spring. I found the answer to my original post here.
Since my original post, I've gotten CAS to "work" and I have the following additional questions:
- How do you configure CAS/Spring to perform a single log out? With just Spring all that was needed was a link to j_spring_security_logout.
- How do you populate a principal's attributes from a database?
- How can authorization be managed in CAS/Spring?
Last edited by abking; Jul 22nd, 2010 at 12:00 AM.
See https://jira.springsource.org/browse/SEC-748 (be sure to read the comments)
CasAuthenticationProvider uses an implementation of AuthenticationUserDetailsService to acquire the UserDetails. You will have to wire your own implementation.
I'm not sure I understand this question. Authorization should be the same since CAS only does authentication.
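The single sign-out wiring that SEC-748 and the CAS client's SingleSignOutFilter are about, written out as an added Java-configuration example (this is not code from the thread, nor from the Spring Security or CAS projects). It assumes Spring Security 4.x Java config with java-cas-client 3.4 or later; the cas.example.com and app.example.com addresses, the /login/cas and /logout/cas paths, the provider key and the injected userDetailsService bean are all placeholders or assumptions.

```java
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

/**
 * CAS login plus single sign-out for one application. Logout is "single" because
 * (a) a back-channel filter accepts the logout request the CAS server POSTs to
 * this service, and (b) the local logout link ends at the CAS logout page, which
 * makes CAS notify every other service in the SSO session.
 */
@Configuration
@EnableWebSecurity
public class CasSingleSignOutConfig extends WebSecurityConfigurerAdapter {

    // Placeholder addresses; substitute the real CAS server and application.
    private static final String CAS_URL = "https://cas.example.com/cas";
    private static final String SERVICE_PATH = "/login/cas";
    private static final String SERVICE_URL = "https://app.example.com" + SERVICE_PATH;

    // Supplied by the application: loads roles for the user CAS asserted.
    @Autowired
    private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> userDetailsService;

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(SERVICE_URL); // CAS redirects back here with the service ticket
        sp.setSendRenew(false);
        return sp;
    }

    @Bean
    public CasAuthenticationEntryPoint casEntryPoint() {
        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
        ep.setLoginUrl(CAS_URL + "/login");
        ep.setServiceProperties(serviceProperties());
        return ep;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas20ServiceTicketValidator(CAS_URL));
        p.setAuthenticationUserDetailsService(userDetailsService);
        p.setKey("cas-provider-key"); // placeholder; tags tokens this provider issued
        return p;
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter f = new CasAuthenticationFilter();
        f.setAuthenticationManager(authenticationManager());
        return f;
    }

    /** Back channel: CAS POSTs a logout request naming the service ticket and the
     *  filter invalidates the session that ticket created. The companion
     *  SingleSignOutHttpSessionListener still has to be registered in web.xml. */
    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        SingleSignOutFilter f = new SingleSignOutFilter();
        f.setIgnoreInitConfiguration(true); // configured here, not via web.xml init params
        return f;
    }

    /** Front channel: /logout/cas clears this application's security context and
     *  then sends the browser on to the CAS logout page. */
    @Bean
    public LogoutFilter casGlobalLogoutFilter() {
        LogoutFilter f = new LogoutFilter(CAS_URL + "/logout", new SecurityContextLogoutHandler());
        f.setFilterProcessesUrl("/logout/cas");
        return f;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilter(casAuthenticationFilter())
            .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
            .addFilterBefore(casGlobalLogoutFilter(), LogoutFilter.class)
            // The CAS back-channel POST carries no CSRF token, so exempt only the
            // service URL; SingleSignOutFilter still requires a matching ticket.
            .csrf().ignoringAntMatchers(SERVICE_PATH)
            .and()
            .exceptionHandling().authenticationEntryPoint(casEntryPoint())
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

Compared with a plain Spring Security setup, where a link to the logout URL is all that is needed, the local logout link here is only the first step: the LogoutFilter ends the application's own session and then hands the browser to CAS, and CAS in turn drives the back-channel notifications that the SingleSignOutFilter in every participating application answers. Both halves run in each application's context, not on the CAS server.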
So, in order to add single sign-out and population of the principal's attributes, I believe I need to add the following respectively. But I'm unclear on where I need to add these configurations. Do I add them to the applicationContexts of all the applications using CAS or the applicationContext of the CAS server?
Code:
<bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
    <sec:custom-filter before="CAS_PROCESSING_FILTER"/>
</bean>
Code:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="casAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="userDetailsService" ref="myUserDetailsServiceImpl"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:5543/cas"/>
        </bean>
    </property>
</bean>
As I understand it, CAS does not provide role-based authorization like Spring Security, so I am curious how I can achieve something similar with CAS. The only way I could think of was by getting the principal's details, specifically the principal's roles, during a request and then programmatically determining if they have sufficient authorization. I hope my explanation clarifies my question. Thanks.
Last edited by abking; Jul 22nd, 2010 at 11:10 PM.
CAS by default just tells your application who someone is, and thereafter things are the same as a normal Spring Security application. Usually the application will load the roles itself immediately following the authentication and store them in the security context, where they are accessed as normal by the security interceptor infrastructure.
So getting the principal's roles "during a request" and "programatically determining if they have sufficient authorization" have nothing to do with whether you are using CAS. In a normal application all you should have to do is provide the implementation for loading the UserDetails (including the roles) as Rob described and configure your access restrictions.
The main question is how you want to load the role information and where from, but that's up to you. CAS can also be set up to send attributes with the user validation response, allowing some information to be centralized if required. And presumably the SAML support also allows this, but I haven't used that yet. It all depends on whether the role information you require in an application is based on shared information (e.g. country, organizational role, department) or whether it is application-specific (or a mix of the two).
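Rob's answer (wire your own AuthenticationUserDetailsService) and Luke's (load the roles right after authentication, from your own database and/or from attributes CAS releases) both come down to one class the application supplies. This is an added example of that class, not code from the thread or from the Spring Security or CAS projects. It assumes Spring Security 3.1 or later with Spring JDBC, a user_roles(username, role_name) table, a CAS attribute named memberOf and the group names finance-staff and it-admins; every one of those names is an assumption.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jasig.cas.client.validation.Assertion;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Builds the UserDetails for a user CAS has already authenticated.
 * CasAuthenticationProvider calls loadUserDetails() once the service ticket
 * validates; the authorities returned here go into the SecurityContext and
 * drive the ordinary Spring Security access checks from then on.
 */
public class CasUserDetailsService
        implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {

    // Assumed schema: one row per (username, role_name).
    private static final String ROLE_QUERY =
            "SELECT role_name FROM user_roles WHERE username = ?";

    // CAS attribute carrying group membership; the name is an assumption and
    // must match what the CAS server is configured to release.
    private static final String GROUP_ATTRIBUTE = "memberOf";

    // Only groups listed here become roles. An explicit map, rather than turning
    // every released value into ROLE_<value>, keeps a group created on the CAS
    // side from silently granting access in this application.
    private static final Map<String, String> CAS_GROUP_TO_ROLE = new HashMap<>();
    static {
        CAS_GROUP_TO_ROLE.put("finance-staff", "ROLE_FINANCE"); // assumed group names
        CAS_GROUP_TO_ROLE.put("it-admins", "ROLE_ADMIN");
    }

    private final JdbcTemplate jdbc;

    public CasUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token)
            throws UsernameNotFoundException {
        Assertion assertion = token.getAssertion();
        String username = assertion.getPrincipal().getName(); // the name CAS vouched for

        List<GrantedAuthority> authorities = new ArrayList<>();

        // 1. Application-specific roles from this application's own database.
        for (String role : jdbc.queryForList(ROLE_QUERY, String.class, username)) {
            authorities.add(new SimpleGrantedAuthority(role));
        }

        // 2. Shared roles derived from attributes in the CAS validation response.
        for (String group : attributeValues(assertion, GROUP_ATTRIBUTE)) {
            String role = CAS_GROUP_TO_ROLE.get(group);
            if (role != null) {
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }

        // Fail closed: CAS may vouch for users this application has never heard
        // of; they should get an authentication failure, not a session with no roles.
        if (authorities.isEmpty()) {
            throw new UsernameNotFoundException("No roles for user " + username);
        }

        // The password is never used: authentication already happened at CAS.
        return new User(username, "N/A", authorities);
    }

    /** CAS may release a multi-valued attribute as a List or as a single String. */
    private static Collection<String> attributeValues(Assertion assertion, String name) {
        Map<String, Object> attrs = assertion.getPrincipal().getAttributes();
        Object value = attrs == null ? null : attrs.get(name);
        if (value instanceof Collection) {
            List<String> out = new ArrayList<>();
            for (Object v : (Collection<?>) value) {
                out.add(String.valueOf(v));
            }
            return out;
        }
        if (value instanceof String) {
            return Collections.singletonList((String) value);
        }
        return Collections.emptyList();
    }
}
```

Wire it as the bean behind the provider's authenticationUserDetailsService property (the userDetailsService property in the XML above expects a plain UserDetailsService, which never sees the CAS assertion and so cannot read its attributes), passing the application's JdbcTemplate as the constructor argument. Everything downstream, intercept-url rules, @PreAuthorize, hasRole() in JSP tags, works exactly as it would without CAS, because by the time those checks run the roles are already in the security context.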