Yale CAS as an Acegi Client in SpringSide

First, Set SpringSide's web.xml, we use Acegi CAS Filter:

< filter-mapping > < filter-name > hibernateFilter </ filter-name > < url-pattern > /j_acegi_cas_security_check </ url-pattern > </ filter-mapping >

We Should Set Main ACEGI application Context： 1) filterChainProxy should add a cas filter as Acegi's Sample, but here, we reuse authenticationProcessingFilter, which we act as cas client filter.

< bean id ="filterChainProxy" class ="org.acegisecurity.util.FilterChainProxy" > < property name ="filterInvocationDefinitionSource" > < value > CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,authenticationProcessingFilter,rememberMeProcessingFilter,logoutFilter,channelProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor </ value > </ property > </ bean >

2) authenticationProcessingFilter, of course, play the most important role in this applicationContext_acegi.xml. In SpringSide, /admin is protected resource, so defaultTargetUrl protected it andall those request to the target url must be authenticated by authenticationManager.

<beanid="authenticationProcessingFilter"class="org.acegisecurity.ui.cas.CasProcessingFilter"> <propertyname="authenticationManager"ref="authenticationManager"/> <propertyname="authenticationFailureUrl"> <value>/security/login.jsp?login_error=1</value> </property> <propertyname="defaultTargetUrl"> <value>/admin/</value> </property> <propertyname="filterProcessesUrl"> <value>/j_acegi_cas_security_check</value> </property> <propertyname="rememberMeServices"ref="rememberMeServices"/> <propertyname="exceptionMappings"> <value> org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error </value> </property> </bean>

3) Then, we set all the needed beans in CAS Filter

<!--=========AcegiasaCASClient的配置=============--> <beanid="exceptionTranslationFilter"class="org.acegisecurity.ui.ExceptionTranslationFilter"> <propertyname="authenticationEntryPoint"> <reflocal="casProcessingFilterEntryPoint"/> </property> </bean> <!--casconfig--> <beanid="casProcessingFilterEntryPoint"class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> <propertyname="loginUrl"><value>https://sourcesite:8443/cas/login</value></property> <propertyname="serviceProperties"><reflocal="serviceProperties"/></property> </bean> <beanid="authenticationManager"class="org.acegisecurity.providers.ProviderManager"> <propertyname="providers"> <list> <reflocal="casAuthenticationProvider"/> </list> </property> </bean> <beanid="casAuthenticationProvider"class="org.acegisecurity.providers.cas.CasAuthenticationProvider"> <propertyname="casAuthoritiesPopulator"><refbean="casAuthoritiesPopulator"/></property> <propertyname="casProxyDecider"><reflocal="casProxyDecider"/></property> <propertyname="ticketValidator"><reflocal="casProxyTicketValidator"/></property> <propertyname="statelessTicketCache"><reflocal="statelessTicketCache"/></property> <propertyname="key"><value>my_password_for_this_auth_provider_only</value></property> </bean> <beanid="casProxyTicketValidator"class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"> <propertyname="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property> <propertyname="serviceProperties"><reflocal="serviceProperties"/></property> </bean> <!-- <beanid="casProxyDecider"class="org.acegisecurity.providers.cas.proxy.AcceptAnyCasProxy"/> --> <beanid="casProxyDecider"class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/> <beanid="serviceProperties"class="org.acegisecurity.ui.cas.ServiceProperties"> <propertyname="service"> <value>http://gzug:8080/springside/j_acegi_cas_security_check</value> </property> <propertyname="sendRenew"> <value>false</value> </property> </bean> <beanid="statelessTicketCache"class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> <propertyname="cache"> <beanclass="org.springframework.cache.ehcache.EhCacheFactoryBean"> <propertyname="cacheManager"> <beanclass="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/> </property> <propertyname="cacheName"value="userCache"/> </bean> </property> </bean> <beanid="casAuthoritiesPopulator"class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator"> <propertyname="userDetailsService"><reflocal="jdbcDaoImpl"/></property> </bean> <beanid="casProcessingFilter"class="org.acegisecurity.ui.cas.CasProcessingFilter"> <propertyname="authenticationManager"><reflocal="authenticationManager"/></property> <propertyname="authenticationFailureUrl"><value>/casfailed.jsp</value></property> <propertyname="defaultTargetUrl"><value>/</value></property> <propertyname="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property> </bean>

casProcessingFilterEntryPoint is very critical, loginUrl is the CAS Server's /login url, you should set up your CAS Server(2.0 or 3.0) and config for those JKS keystore after enable SSL in Tomcat(Tomcat 5.5/conf/server.xml) and place the cacerts that have the CAS Server's public cert to Acegi Client's JDK/jre/lib/security/ Check serviceProperties to make sure thatSpringSide Service url is config as /j_acegi_cas_security_check because Yale CAS use ticket cache for SSO impl, so we should config for statelessTicketCache Just use springframework's ehcache for cacheManager. SpringSide use jdbcDaoImpl which perform database authentication. So I am very happy to use it ascasAuthoritiesPopulator , which will set use detail for the user. And these info are very useful for application authorization.

<beanid="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> <propertyname="dataSource"ref="dataSource"/> <propertyname="usersByUsernameQuery"> <value> selectloginid,passwd,1fromss_userswherestatus='1'andloginid=? </value> </property> <propertyname="authoritiesByUsernameQuery"> <value> selectu.loginid,p.namefromss_usersu,ss_rolesr,ss_permissions p,ss_user_roleur,ss_role_permisrpwhereu.id=ur.user_idand r.id=ur.role_idandp.id=rp.permis_idand r.id=rp.role_idandp.status='1'andu.loginid=? </value> </property> </bean>

There is little difference between casclient 2.0.12 and Acegi, right? Note that in my env, gzug:8080/springside is bookstore webapp and sourcesite:8443 is the CAS 3 Server.