Implementing CAS with Spring Security 3

I currently have Spring Security configured and working correctly. I want to get CAS working so I can have single sign-on across multiple apps I've written. I am confused about how I can make CAS use my custom UserDetailsService.

Currently I have this in my spring-security.xml:

    <authentication-manager alias="authManager">
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder ref="passwordEncoder">
                <salt-source ref="saltSource"/>
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

From all the CAS examples I have found, they say to implement the manager this way:

    <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <beans:property name="authenticationUserDetailsService">
            <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:constructor-arg ref="userDetailsService"/>
            </beans:bean>
        </beans:property>
        <beans:property name="serviceProperties" ref="serviceProperties"/>
        <beans:property name="ticketValidator">
            <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <beans:constructor-arg index="0" value="https://localhost:8443/cas"/>
            </beans:bean>
        </beans:property>
        <beans:property name="key" value="1234554321"/>
    </beans:bean>

    <authentication-manager alias="authManager">
        <authentication-provider ref="casAuthenticationProvider"/>
    </authentication-manager>

The documentation is confusing. How do I go from a working spring-security app to one that implements CAS and still uses my custom user details? Also, what do I need to change on the JSP pages? Any help would be much appreciated.

Thanks

I think you want CAS to authenticate the password using your own password+salt encoder.

Unfortunately, it is not a straightforward configuration, and the configuration is not in your Spring apps. You need to recompile CAS to include your custom password+salt encoder. Thus, when Spring calls CAS for authentication, the same custom password+salt encoder will be used.

Fortunately, the CAS team has created the WAR Overlay approach so that it is easy for the user to recompile the CAS server in order to include custom password+salt encoders.

The documentation is here: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

You need to be very patient to follow the steps, and make sure that your system has Maven2. You do not need to download any library, as Maven will take care of that. The basic idea of the WAR Overlay approach is to create a Maven-controlled folder where you can create subfolders to add your custom Java libraries.

Maven will be used to recompile the custom Java code together with the CAS files to produce a WAR file, which you can publish to an SSL server.

Just make sure that both CAS and your Spring apps are using SSL.

Good luck!

Here are the steps I would recommend when setting up a CAS infrastructure:

  1. First of all, you should be aware of what CAS is and how it works. Check out this article and the jasig-webpage.
  2. Then download the examples from Spring Source, make the cas-sample run, and play with it to get a better feeling for it. (I'm not sure whether there is a readme file or whether you get info on how to use it on the Spring Source webpage, but there is definitely info out there.)
  3. Make your app authenticate against this simple CAS-Server (find config examples on the CAS webpage).
  4. Set up and configure your own CAS-Server that uses your current authentication system to authorize a user.
    • You may use the SAML protocol to transfer roles etc. from the CAS to the client app after authentication.
    • To apply the roles at the client app, you may need to implement that on your own.
  5. Adapt other apps to use the CAS-Server.
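
Added example (not part of the original posts): the client-side beans that the question's `casAuthenticationProvider` snippet refers to but does not define, in the Spring Security 3 namespace style used above. The host names, ports and the `/myapp` context path are assumptions; the bean ids `casEntryPoint` and `casFilter` are illustrative.

```xml
<!-- Added example: goes in spring-security.xml next to the casAuthenticationProvider
     and <authentication-manager alias="authManager"> definitions from the question.
     URLs and the /myapp context path are assumed values. -->

<!-- Unauthenticated requests are sent to the CAS login page instead of a local
     login form; the CAS filter consumes the service ticket on the way back. -->
<http entry-point-ref="casEntryPoint">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <custom-filter position="CAS_FILTER" ref="casFilter"/>
</http>

<!-- "service" is this application's own HTTPS URL handled by CasAuthenticationFilter.
     CAS issues the service ticket for exactly this URL, so it must match what the
     browser is redirected to and what the ticket validator sends to CAS. -->
<beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="https://localhost:8443/myapp/j_spring_cas_security_check"/>
    <!-- true would force re-entry of credentials at CAS even with an SSO session -->
    <beans:property name="sendRenew" value="false"/>
</beans:bean>

<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://localhost:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>

<!-- Receives the ticket parameter and hands it to authManager, which delegates to
     casAuthenticationProvider for validation against the CAS server. -->
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authManager"/>
</beans:bean>

<!-- The existing userDetailsService bean is reused unchanged. After the ticket is
     validated, UserDetailsByNameServiceWrapper calls it with the username returned
     by CAS to load the account and its authorities. The password is checked by the
     CAS server, so the passwordEncoder and saltSource beans are not consulted by
     CasAuthenticationProvider in this application. -->
```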
