Sander,

Spring Security only requires you to introduce a few JARs and a Spring configuration, so it is supposed to be pretty easy to use. Hopefully someone else can chime in on the details. We currently use a custom JAAS authentication module like the one you reference in the link. I can attest to the problems inherent with the JAAS module approach:

1. CON: Customization of the Tomcat server prevents quick setup
2. CON: Complications with classloader issues if the login module needs to use JARs needed by other apps (database connection, logging, etc.)
3. PRO: Authorization is handled in one spot in a consistent manner across all apps without individual customization

Anyhow, I think the Spring Security route is probably the best due to all of the features it offers; however, I am not the authority on it.

HTH,
A-

On 7/9/09 12:01 PM, "Sander Bos" <[email protected]> wrote:

> Hello Andrew,
>
> Thank you for your response.
>
> I don't want to move to another security mechanism at this point, because I
> only need to CASsify these apps to be able to access them from a portal, so
> not do a complete rearchitecture of them. Changing web.xml and introducing a
> few jars is about as far as I wish to go.
>
> With respect to what you say about a custom JAAS module, do you mean something
> like is described at
> http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
> ?
> (because technically that seems very doable, but already involves a lot of
> deployment config changes so I hoped to stay away from that)
>
> Kind regards,
>
> --Sander.
>
> Andrew Feller schreef:
>> Re: [cas-user] CASsify application with role-based security constraints in web.xml?
>>
>> Sander,
>>
>> Most people use Spring Security 2.0 to incorporate CAS and Servlet Container
>> Management. ( http://static.springsource.org/spring-security/site/index.html )
>> If that doesn't meet your needs, then you need to create a custom JAAS
>> module that can register users and their roles with the servlet container.
>>
>> HTH,
>> A-
>>
>> On 7/9/09 11:43 AM, "Sander Bos" <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I would like to know how to / get some pointers on how to CASsify an
>>> application that protects resources based on roles. More specifically, one that uses
>>> security-constraints in web.xml to protect resources. To be clear, I mean this:
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <url-pattern>/notforeveryCASauthenticateduser/*</url-pattern>
>>>     <http-method>GET</http-method>
>>>     <http-method>POST</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>SuperSpecialAdmin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> I understand that CAS only deals with the authentication part, but to
>>> CASsify an existing application fully I still have to deal with roles. And I
>>> am totally confused as to where to set things now.
>>>
>>> The particular application in question runs in JBoss, and currently
>>> authentication / role determination happens through a login module which has
>>> a form that posts to j_security_check, and that then gets handled by a
>>> LoginModule configured in JBoss, which has a chance to set the roles.
>>>
>>> If I switch to CAS servlets, where can I set the roles in a way that they
>>> are picked up by a security-constraint configured in web.xml? (I understand I
>>> have to code it myself, and I can determine the role names based on a
>>> username in code if CAS tells me the username; I just don't understand where
>>> I would have to place such code so that the roles would be picked up.)
>>>
>>> Can I even use security-constraint in combination with CAS? For instance,
>>> http://tp.its.yale.edu/pipermail/cas/2008-March/007725.html suggests that
>>> security-constraints will be checked before the CAS filters are even
>>> executed?
>>>
>>> I would be grateful for any tips.
>>>
>>> Kind regards,
>>>
>>> --Sander.
>>
>> --
>> Andrew Feller, Analyst
>> LSU University Information Services
>> 200 Frey Computing Services Center
>> Baton Rouge, LA 70803
>> Office: 225.578.3737
>> Fax: 225.578.6400

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
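An added illustration of the username-to-role mapping Sander describes, written for this thread (not code from the CAS project or from either poster): a servlet filter that derives roles from the CAS-provided username and exposes them through isUserInRole() for checks made in application code. It assumes an upstream CAS client filter has already set getRemoteUser(); the init-param name, path prefix and user/role table are constructed placeholders. It does not and cannot make a web.xml <auth-constraint> pass, because the container enforces those before the filter chain runs, which is the ordering issue the Yale thread points to; enforcement for the protected prefix is therefore done in the filter itself, deny by default.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of the CAS client). It expects an upstream CAS
// client filter to have populated getRemoteUser(), maps that username to roles
// and exposes them via isUserInRole(). The container evaluates web.xml
// <auth-constraint> before any filter, so this cannot satisfy one; it enforces here.
public class CasRoleFilter implements Filter {
    // Constructed sample mapping; a real deployment would load this from a store.
    private static final Map<String, Set<String>> ROLES_BY_USER = new HashMap<String, Set<String>>();
    static {
        ROLES_BY_USER.put("alice", Collections.singleton("SuperSpecialAdmin"));
        ROLES_BY_USER.put("bob", Collections.<String>emptySet());
    }
    private String adminPrefix; // hypothetical init-param, e.g. /notforeveryCASauthenticateduser/
    public void init(FilterConfig cfg) { adminPrefix = cfg.getInitParameter("adminPathPrefix"); }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser(); // null if the CAS filters have not authenticated yet
        Set<String> found = user == null ? null : ROLES_BY_USER.get(user);
        final Set<String> roles = found == null ? Collections.<String>emptySet() : found;
        HttpServletRequest wrapped = new HttpServletRequestWrapper(http) {
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        };
        // Path relative to the context root, so the check lines up with the web.xml url-pattern.
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (adminPrefix != null && path.startsWith(adminPrefix)
                && !wrapped.isUserInRole("SuperSpecialAdmin")) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(wrapped, res);
    }
    public void destroy() { }
}
```

Map the filter in web.xml after the CAS client filters so getRemoteUser() is populated when it runs; downstream servlets and JSPs then see the roles through the wrapped request.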
