I would like to request feedback on a JBoss Portal/CAS/Acegi Security implementation. The implementation works now but I want to get feedback on it. My implementation uses CAS 3.0.5, JBoss Portal 2.4.1-SP1, and Acegi Security 1.0.2. Here's a walkthrough:
1. User requests portal page that requires authentication.
2. JBoss Portal redirects to login page.
3. Login page redirects to CAS login page with service equal to /j_cas_security_check.
4. On successful username/password validation, CAS redirects to /j_cas_security_check (with ticket).
5. My filter, CasContainerAdapterFilter, processes this request. It transforms a URL of the form /j_cas_security_check?ticket=<cas_ticket> into /j_security_check?j_username=_cas_stateful_&j_password=<cas_ticket>.
6. JBoss Portal instantiates JbossAcegiLoginModule to do the login.
7. JbossAcegiLoginModule delegates to CasAuthenticationProvider.
8. CasAuthenticationProvider validates the CAS ticket.
9. Roles are fetched.
10. JbossAcegiLoginModule returns a subject with username and roles.

The biggest issue here is that I couldn't get JbossAcegiLoginModule to work out-of-the-box with this setup. I had to add the "CallerPrincipal" group as documented on the JBoss wiki (http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith). An excerpt from that page:

"A custom principal must be installed under the Subject using a java.security.acl.group named "CallerPrincipal?" with the sole group member being the custom principal instance."

PrincipalAcegiUserToken is most definitely a custom principal. My subclass of JbossAcegiLoginModule looks like:

    import java.security.acl.Group;
    import javax.security.auth.login.LoginException;
    import org.acegisecurity.adapters.jboss.JbossAcegiLoginModule;
    import org.jboss.security.SimpleGroup;

    public class Jboss4AcegiLoginModule extends JbossAcegiLoginModule {
        // Append a "CallerPrincipal" group to the role sets built by the superclass.
        protected Group[] getRoleSets() throws LoginException {
            Group[] groups = super.getRoleSets();
            Group[] newGroups = new Group[groups.length + 1];
            System.arraycopy(groups, 0, newGroups, 0, groups.length);

            // The group's sole member is the identity held by the login module.
            Group callerPrincipalGroup = new SimpleGroup("CallerPrincipal"); //$NON-NLS-1$
            callerPrincipalGroup.addMember(getIdentity());
            newGroups[groups.length] = callerPrincipalGroup;
            return newGroups;
        }
    }

Have any users had experience with CallerPrincipal? Is this something that needs to be a part of Acegi Security's JbossAcegiLoginModule?
Any feedback on this solution would be appreciated.
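The URL rewrite in step 5, sketched as an added example that is not part of the original post and is not the poster's CasContainerAdapterFilter: it forwards only when exactly one well-formed ticket is present. The class name, the rewrite helper and the ticket pattern ("ST-" followed by letters, digits and hyphens, at most 256 characters) are assumptions made for the illustration.

```java
import java.util.regex.Pattern;

// Added illustration only; class and method names are hypothetical.
public class CasTicketRewrite {
    // Marker username used for a stateful CAS login (value taken from step 5).
    static final String CAS_STATEFUL = "_cas_stateful_";

    // Assumption: a service ticket is "ST-" plus letters, digits and hyphens,
    // no longer than 256 characters in total.
    static final Pattern TICKET = Pattern.compile("ST-[A-Za-z0-9-]{1,253}");

    /**
     * Builds the /j_security_check target for a CAS callback.
     * ticketValues is what request.getParameterValues("ticket") would return
     * inside a servlet filter. Returns null when the request must be rejected.
     */
    static String rewrite(String path, String[] ticketValues) {
        if (!"/j_cas_security_check".equals(path)) {
            return null; // not the CAS callback path
        }
        // Require exactly one ticket: a repeated parameter is ambiguous.
        if (ticketValues == null || ticketValues.length != 1) {
            return null;
        }
        String ticket = ticketValues[0];
        // Reject anything outside the ticket alphabet, so characters such as
        // '&' or '=' can never add parameters to the rewritten query string.
        if (!TICKET.matcher(ticket).matches()) {
            return null;
        }
        // The validated alphabet is URL-safe, so no further encoding is needed.
        return "/j_security_check?j_username=" + CAS_STATEFUL
                + "&j_password=" + ticket;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        String[][] samples = {
            {"ST-1-abcDEF123-cas"},              // well-formed ticket
            {"ST-1-abc&j_username=admin"},       // extra parameter smuggled in
            {"ST-1-abc", "ST-2-def"},            // duplicated ticket parameter
            {}                                   // ticket missing
        };
        for (String[] values : samples) {
            String target = rewrite("/j_cas_security_check", values);
            System.out.println(target == null ? "rejected" : target);
        }
    }
}
```

CasAuthenticationProvider still validates the ticket against CAS in step 8; the check here only keeps malformed input from altering the rewritten login request.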
