We have happily used CAS for SSO, including proxy ticketing, for some time now. We use LDAP as the authentication handler.

Now there is a case where we are called from a WebSeal providing a SAMLResponse. After validating the SAMLResponse, a Service Ticket should be generated and verified by the application. After consulting documentation on the web I came up with two possible solutions, each with its drawbacks.

Solution 1: Validate the SAMLResponse in CAS (inspired by https://wiki.jasig.org/display/CASUM/X.509+Certificates):

* Implement a Credentials class wrapping the SAMLResponse.
* Extend AbstractNonInteractiveCredentialsAction to construct the credential above.
* Extend AbstractPreAndPostProcessingAuthenticationHandler to validate the SAMLResponse.
* Implement a CredentialsToPrincipalResolver to handle the SAMLResponse Credential.

The login-webflow will redirect to the CredentialsAction (bullet 2) before (on failure) going on to the standard login form.

-> Drawback: how to pass the SAMLResponse to CAS from the service to authenticate?

Solution 2: Use a Spring Security Pre-authentication filter to validate in the service (CAS Client) and use https://wiki.jasig.org/display/CASUM/Trusted:

* Validate the SAML in a Spring Security Pre-authentication filter prior to calling CAS.
* Extend org.springframework.security.cas.web.CasAuthenticationEntryPoint.preCommence(HttpServletRequest, HttpServletResponse) to pass a Principal based on the authentication in the filter.

-> Drawback: How can a Principal be set on the (final) HttpServletRequest passed to CasAuthenticationEntryPoint.preCommence(HttpServletRequest, HttpServletResponse)?

Any hints on how to solve this would be appreciated...

Regards,
Anders
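As an added illustration (not code from the original post or the CAS project), the four pieces of Solution 1 wired together against the CAS 3.x server API as it existed around that wiki page (Credentials, AbstractNonInteractiveCredentialsAction, AbstractPreAndPostProcessingAuthenticationHandler, CredentialsToPrincipalResolver; the exact signatures are assumed from that version). The cryptographic checks are delegated to a hypothetical SamlResponseValidator, since everything security-relevant lives there: signature, Audience, NotBefore/NotOnOrAfter and assertion-ID replay must all pass before a Service Ticket is issued, and the NameID must only be trusted after that validation.

```java
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction;
import org.springframework.webflow.execution.RequestContext;

/** Hypothetical: verifies signature, Audience, validity window and replay; returns the NameID or throws. */
interface SamlResponseValidator { String validateAndGetNameId(String base64SamlResponse) throws AuthenticationException; }

/** Bullet 1: credential wrapping the raw SAMLResponse posted by WebSeal. NameID is filled in only after validation. */
class SamlResponseCredentials implements Credentials {
    private final String samlResponse;
    private String nameId; // set by the handler once the response has been verified
    SamlResponseCredentials(String samlResponse) { this.samlResponse = samlResponse; }
    String getSamlResponse() { return samlResponse; }
    String getNameId() { return nameId; }
    void setNameId(String nameId) { this.nameId = nameId; }
}

/** Bullet 2: returning null makes the webflow fall through to the normal login form. */
class SamlResponseCredentialsAction extends AbstractNonInteractiveCredentialsAction {
    protected Credentials constructCredentialsFromRequest(RequestContext context) {
        String saml = context.getRequestParameters().get("SAMLResponse");
        return (saml == null || saml.length() == 0) ? null : new SamlResponseCredentials(saml);
    }
}

/** Bullet 3: authentication succeeds only if the validator accepts the response and yields a subject. */
class SamlResponseAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    private final SamlResponseValidator validator;
    SamlResponseAuthenticationHandler(SamlResponseValidator validator) { this.validator = validator; }
    public boolean supports(Credentials c) { return c instanceof SamlResponseCredentials; }
    protected boolean doAuthentication(Credentials c) throws AuthenticationException {
        SamlResponseCredentials cred = (SamlResponseCredentials) c;
        String nameId = validator.validateAndGetNameId(cred.getSamlResponse());
        if (nameId == null || nameId.length() == 0) throw BadCredentialsAuthenticationException.ERROR;
        cred.setNameId(nameId); // the resolver below may now trust this value
        return true;
    }
}

/** Bullet 4: the Principal is derived from the validated NameID, never from the unverified XML. */
class SamlResponseCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {
    public boolean supports(Credentials c) { return c instanceof SamlResponseCredentials; }
    public Principal resolvePrincipal(Credentials c) {
        String nameId = ((SamlResponseCredentials) c).getNameId();
        return nameId == null ? null : new SimplePrincipal(nameId);
    }
}
```

The action still has to be registered as the first state of login-webflow.xml and the handler and resolver added to the authenticationManager bean in deployerConfigContext.xml; those fragments are omitted here.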
