David.Turing's blog

 

Yale CAS as an Acegi Client in SpringSide

First,  Set SpringSide's web.xml,  we use Acegi CAS Filter:

     < filter-mapping >
        
< filter-name > hibernateFilter </ filter-name >
        
< url-pattern > /j_acegi_cas_security_check </ url-pattern >
    
</ filter-mapping >

We Should Set Main ACEGI application Context:
1) filterChainProxy should add a cas filter as Acegi's Sample, but here, we reuse
authenticationProcessingFilter, which we act as cas client filter.

     < bean  id ="filterChainProxy"
          class
="org.acegisecurity.util.FilterChainProxy" >
        
< property  name ="filterInvocationDefinitionSource" >
            
< value >
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,authenticationProcessingFilter,rememberMeProcessingFilter,logoutFilter,channelProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
            
</ value >
        
</ property >
    
</ bean >

2) authenticationProcessingFilter, of course, play the most important role in this
applicationContext_acegi.xml.
In SpringSide,  /admin  is protected resource, so defaultTargetUrl protected it
and all those request to the target url must be authenticated by authenticationManager.
    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
        
<property name="authenticationManager" ref="authenticationManager"/>
        
<property name="authenticationFailureUrl">
            
<value>/security/login.jsp?login_error=1</value>
        
</property>
        
<property name="defaultTargetUrl">
            
<value>/admin/</value>
        
</property>
        
<property name="filterProcessesUrl">
            
<value>/j_acegi_cas_security_check</value>
        
</property>
        
<property name="rememberMeServices" ref="rememberMeServices"/>
        
<property name="exceptionMappings">
            
<value>
                org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error
                org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error
                org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error
            
</value>
        
</property>
    
</bean>


3) Then, we set all the needed beans in CAS Filter
    <!-- =========  Acegi as a CAS Client的配置============= --> 
    
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
        
<property name="authenticationEntryPoint">
            
<ref local="casProcessingFilterEntryPoint"/>
        
</property>
    
</bean>
    
   
<!-- cas config -->
    
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
        
<property name="loginUrl"><value>https://sourcesite:8443/cas/login</value></property>
        
<property name="serviceProperties"><ref local="serviceProperties"/></property>
    
</bean>
    
    
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        
<property name="providers">
            
<list>
                
<ref local="casAuthenticationProvider"/>
            
</list>
        
</property>
    
</bean>
    
    
<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
        
<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
        
<property name="casProxyDecider"><ref local="casProxyDecider"/></property>
        
<property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
        
<property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
        
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
    
</bean>
    
<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
        
<property name="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property>
        
<property name="serviceProperties"><ref local="serviceProperties"/></property>
    
</bean>
    
<!-- 
    <bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.AcceptAnyCasProxy" />
    
-->
    
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets" />
    
    
<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
        
<property name="service">
            
<value>http://gzug:8080/springside/j_acegi_cas_security_check</value>
        
</property>
        
<property name="sendRenew">
            
<value>false</value>
        
</property>
    
</bean>
    
    
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
        
<property name="cache">
            
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                
<property name="cacheManager">
                    
<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
                
</property>
                
<property name="cacheName" value="userCache"/>
            
</bean>
        
</property>
    
</bean>
    
    
<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
        
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
    
</bean>

    
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
        
<property name="authenticationManager"><ref local="authenticationManager"/></property>
        
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
        
<property name="defaultTargetUrl"><value>/</value></property>
        
<property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
    
</bean>

casProcessingFilterEntryPoint is very critical,
loginUrl is the CAS Server's /login url, you should set up your CAS Server(2.0 or 3.0) and config for
those JKS keystore after enable SSL in Tomcat(Tomcat 5.5/conf/server.xml) and place the cacerts that
have the CAS Server's public cert to Acegi Client's JDK/jre/lib/security/
Check serviceProperties to make sure that SpringSide Service url is config as /j_acegi_cas_security_check

because Yale CAS use ticket cache for SSO impl, so we should config for statelessTicketCache
Just use springframework's ehcache for cacheManager.

SpringSide use jdbcDaoImpl which perform database authentication. So I am very happy to use it
as casAuthoritiesPopulator , which will set use detail for the user. And these info are very useful for
application authorization.
    <bean id="jdbcDaoImpl"
          class
="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
        
<property name="dataSource" ref="dataSource"/>
        
<property name="usersByUsernameQuery">
            
<value>
                select loginid,passwd,1 from ss_users where status='1' and loginid = ?
            
</value>
        
</property>
        
<property name="authoritiesByUsernameQuery">
            
<value>
                select u.loginid,p.name from ss_users u,ss_roles r,ss_permissions
                p,ss_user_role ur,ss_role_permis rp where u.id=ur.user_id and
                r.id=ur.role_id and p.id=rp.permis_id and
                r.id=rp.role_id and p.status='1' and u.loginid=?
            
</value>
        
</property>
    
</bean>

There is little difference between casclient 2.0.12 and Acegi, right?

Note that in my env, gzug:8080/springside is bookstore webapp
and sourcesite:8443 is the CAS 3 Server.

Hope for suggestion.....

posted on 2006-10-15 23:53 david.turing 阅读(8442) 评论(2)  编辑  收藏 所属分类: Security领域CAS&SAML&SSO

评论

# re: Yale CAS as an Acegi Client in SpringSide 2006-10-16 12:16 Vista

楼主可否给点解释性的说明呀???  回复  更多评论   

# re: Yale CAS as an Acegi Client in SpringSide 2008-02-28 09:48 Lib

< filter-mapping >
< filter-name > hibernateFilter </ filter-name >
< url-pattern > /j_acegi_cas_security_check </ url-pattern >
</ filter-mapping >

为什么是"hibernateFilter "?  回复  更多评论   


只有注册用户登录后才能发表评论。


网站导航:
 

导航

统计

常用链接

留言簿(110)

我参与的团队

随笔分类(126)

随笔档案(155)

文章分类(9)

文章档案(19)

相册

搜索

积分与排名

最新随笔

最新评论

阅读排行榜

评论排行榜