
Security Filter and CAS FORM

tan quoc
2009-07-05
2013-04-15
  • tan quoc

    tan quoc - 2009-07-05

    Dear all,
    I know Security Filter supports BASIC and FORM authentication.
    I want it to support CAS Form (CAS authentication).
    My web app uses Security Filter, but I want single sign-on with CAS. How can I do it?
    Please help me.
    Thanks a lot.

     
    • Christopher Schultz

      Securityfilter does not support CAS or single-sign-on out of the box.

      The only ways for a webapp to collect credentials are using HTTP authentication headers (WWW-Authenticate), using FORM values (such as j_username and j_password) or using a client SSL certificate.

      Using sf with CAS for authentication isn't a big deal: you just need to write a Realm that can authenticate against your central authentication service (which is what CAS is).

      Using sf with CAS for single-sign-on is a tougher proposition: you need to make sure that your clients are broadcasting whatever security tickets are held by the client. You'll also need a service identifier for your web application that is recognized by the server to perform authentication.

      So, how were you planning to deliver the security tickets to your web application? After you know that, the rest is easy.

      -chris

       
    • M McLaren

      M McLaren - 2009-07-06

      I wrote something about combining CAS authentication with SecurityFilter a few years back (it relates to CAS 2 but should not be that out of date):

      <http://www.ja-sig.org/wiki/display/CASC/Combining+CASFilter+with+Tomcat+Realms+using+SecurityFilter>

      I'm a little rusty (I dare say that CAS 3 offers some new options) but essentially CAS authentication is not a BASIC or FORM authentication method. In the method above I use CAS for authentication and SecurityFilter for authorization. This is achieved via CASFilter (which redirects to the CAS server for authentication; in CAS usually the webapp never sees the user password). Once the CAS authentication is complete, the remote username is available from the request and this can be passed along to SecurityFilter. Using a minor tweak to SecurityFilter's AuthenticationFactory and a new class CASAuthenticator I was able to get SecurityFilter to recognize CAS as an authentication method.

      I hope that makes sense and helps,

      Mark

      http://www.ja-sig.org/wiki/download/attachments/9543/CASAuthenticator.java
      http://www.ja-sig.org/wiki/download/attachments/9543/AuthenticatorFactory.java
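
The ticket exchange that Christopher's reply (service identifier, security tickets) and Mark's CASFilter description rely on, as an added example in Python; it is not part of the thread and is not CASFilter's or SecurityFilter's code. It follows the CAS 2.0 protocol (`/login`, `/serviceValidate`); the server URL, service URL, username and sample responses are constructed assumptions.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses
CAS_BASE = "https://cas.example.org/cas"        # assumed CAS server URL
SERVICE = "https://app.example.org/myapp/"      # assumed service identifier of the webapp


def login_redirect_url(cas_base=CAS_BASE, service=SERVICE):
    """URL the webapp redirects an unauthenticated browser to."""
    return cas_base + "/login?" + urllib.parse.urlencode({"service": service})


def validation_url(ticket, cas_base=CAS_BASE, service=SERVICE):
    """Back-channel URL the webapp calls to redeem the one-time service ticket.
    The service value must be the same one that was sent to /login."""
    if not ticket.startswith("ST-"):
        raise ValueError("not a service ticket")
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return cas_base + "/serviceValidate?" + query


def parse_validation_response(xml_text):
    """Return the authenticated username, or raise ValueError on any failure."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in CAS response")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS service response")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected ticket: " + failure.get("code", "UNKNOWN"))
    # Trust the username only when it sits inside authenticationSuccess.
    user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=CAS_NS)
    if not user or not user.strip():
        raise ValueError("no user in CAS response")
    return user.strip()


# Constructed sample responses in the CAS 2.0 format (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url())
    print(validation_url("ST-1-constructed"))
    print(parse_validation_response(SAMPLE_SUCCESS))
```

The username returned here is what a filter would expose as the remote user; role lookup for authorization remains a separate step against the realm.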

       
      • tan quoc

        tan quoc - 2009-07-07

        Dear mmclaren,
        I am very glad that you replied.
        I have the Security Filter source and the 2 files you provided; how do I rebuild the Security Filter source to get the securityfilter.jar file?
        Please help me.
        Thanks a lot.

         
        • M McLaren

          M McLaren - 2009-07-07

          I have a precompiled securityfilter.jar file which includes my modifications at this link:

          http://www.ja-sig.org/wiki/download/attachments/9543/securityfilter.jar

          I could give you full instructions on how to build it from scratch if you really want.

          HTH

          Mark

           
    • tan quoc

      tan quoc - 2009-07-08

      Dear mmclaren,
      Thank you very much.
      I would be very happy if you shared it with me.
      I have a question for you.
      Suppose I have 1 web app and I use CAS... but my database is MySQL.
      How do I move the whole database in MySQL to LDAP?
      Because my CAS authenticates via LDAP.

      Thanks a lot.

       
      • M McLaren

        M McLaren - 2009-07-08

        Hi,

        I do not understand your question.

        LDAP is a directory server (storing trees of data) and is often used to store user data.
        MySQL is a relational database for general data storage.

        It sounds like your CAS server is getting its user data from LDAP. This is fine.

        I am guessing you want to access the LDAP user data from your web application?

        In the example I mentioned before I use Tomcat Realms to get the user data for authorization:

        http://www.ja-sig.org/wiki/display/CASC/Combining+CASFilter+with+Tomcat+Realms+using+SecurityFilter

        In this example I use a JDBCRealm (a database!) for storing user access data. 

        If you are using LDAP you could use Tomcat's JNDIRealm instead (this can access LDAP).

        HTH

        Mark

         
