For solution #1, what is your concern about passing the SAMLResponse to
CAS? Your actions should have access to any of the request methods (i.e. to
retrieve it from the query string)


On Tue, May 20, 2014 at 10:39 AM, Anders Malmborg <
[email protected]> wrote:

> We have happily used CAS for SSO, including proxy ticketing, for some time now.
> We use LDAP as authentication handler.
>
> Now there is a case where we are called from a WebSeal providing a
> SAMLResponse. After validating the SAMLResponse a Service Ticket should be
> generated and verified by the application.
>
> After consulting documentation in the web I came up with two possible
> solutions, each with its drawbacks.
>
> Solution 1: Validate the SAMLResponse in CAS (inspired by
> https://wiki.jasig.org/display/CASUM/X.509+Certificates):
> * Implement a Credentials class wrapping the SAMLResponse
> * Extend AbstractNonInteractiveCredentialsAction to construct credential
> above.
> * Extend AbstractPreAndPostProcessingAuthenticationHandler to validate the
> SAMLResponse.
> * Implement a CredentialsToPrincipalResolver to handle the SAMLResponse
> Credential.
>
> The login-webflow will redirect to the CredentialsAction (bullet 2) before
> (on failure) going on to the standard login form.
> ->Drawback: how to pass the SAMLResponse to CAS from the service to
> authenticate?
>
> Solution 2: Use Spring Security Pre-authentication filter to validate in
> the service (CAS Client) and use https://wiki.jasig.org/display/CASUM/Trusted:
> * Validate the SAML in a Spring Security Pre-authentication filter prior
> to calling CAS.
> * Extend
> org.springframework.security.cas.web.CasAuthenticationEntryPoint.preCommence(HttpServletRequest,
> HttpServletResponse) to pass a Principal based on the authentication in the
> filter.
> ->Drawback: How can a Principal be set on the (final) HttpServletRequest
> passed to CasAuthenticationEntryPoint.preCommence(HttpServletRequest,
> HttpServletResponse)?
>
> Any hints on how to solve this would be appreciated...
> Regards,
> Anders
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>


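The following is an added example of the Solution 1 wiring from the quoted message, answering the "how to pass the SAMLResponse to CAS" question the way the reply suggests: read it as a request parameter inside the webflow action. It is not code from the thread or from the CAS project. It assumes the CAS 3.x server classes named in the message (AbstractNonInteractiveCredentialsAction, AbstractPreAndPostProcessingAuthenticationHandler, CredentialsToPrincipalResolver) and a hypothetical SamlResponseValidator collaborator that stands in for the real signature, audience and validity-window checks (for example via OpenSAML); the package name and all class names below are assumptions.

```java
package example.cas.saml; // hypothetical package

import java.io.ByteArrayInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.bind.DatatypeConverter;
import javax.xml.parsers.DocumentBuilderFactory;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.webflow.execution.RequestContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Added example, not part of the CAS project: the four pieces of Solution 1 in one file. */
public final class SamlResponseSsoSupport {

    /** Hypothetical collaborator: must verify XML signature, Audience, NotBefore/NotOnOrAfter. */
    public interface SamlResponseValidator {
        boolean isValid(Document samlResponse);
    }

    /** Bullet 1: credential wrapping the raw (base64) SAMLResponse parameter. */
    public static final class SamlResponseCredentials implements Credentials {
        private static final long serialVersionUID = 1L;
        private final String encodedResponse;
        private transient String resolvedNameId; // filled in by the handler after validation only
        public SamlResponseCredentials(final String encodedResponse) { this.encodedResponse = encodedResponse; }
        public String getEncodedResponse() { return encodedResponse; }
        public String getResolvedNameId() { return resolvedNameId; }
        void setResolvedNameId(final String nameId) { this.resolvedNameId = nameId; }
    }

    /** Bullet 2: webflow action that lifts SAMLResponse off the request (query string or POST body). */
    public static final class SamlResponseCredentialsAction extends AbstractNonInteractiveCredentialsAction {
        @Override
        protected Credentials constructCredentialsFromRequest(final RequestContext context) {
            final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
            final String samlResponse = request.getParameter("SAMLResponse");
            if (samlResponse == null || samlResponse.trim().isEmpty()) {
                return null; // no SAMLResponse present: webflow continues to the normal login form
            }
            return new SamlResponseCredentials(samlResponse.trim());
        }
    }

    /** Bullet 3: handler that treats the parameter as untrusted until the validator accepts it. */
    public static final class SamlResponseAuthenticationHandler
            extends AbstractPreAndPostProcessingAuthenticationHandler {
        private final SamlResponseValidator validator;
        public SamlResponseAuthenticationHandler(final SamlResponseValidator validator) { this.validator = validator; }

        public boolean supports(final Credentials credentials) {
            return credentials instanceof SamlResponseCredentials;
        }

        @Override
        protected boolean doAuthentication(final Credentials credentials) throws AuthenticationException {
            final SamlResponseCredentials c = (SamlResponseCredentials) credentials;
            final Document doc;
            try {
                doc = parseHardened(DatatypeConverter.parseBase64Binary(c.getEncodedResponse()));
            } catch (final Exception e) {
                throw new BadCredentialsAuthenticationException(); // malformed base64 or XML
            }
            if (!validator.isValid(doc)) {
                throw new BadCredentialsAuthenticationException(); // bad signature / audience / expired
            }
            final String nameId = extractNameId(doc); // read from the validated document, never re-parsed
            if (nameId == null) {
                throw new BadCredentialsAuthenticationException();
            }
            c.setResolvedNameId(nameId);
            return true;
        }
    }

    /** Bullet 4: resolver that turns the validated NameID into the CAS principal. */
    public static final class SamlResponseCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {
        public Principal resolvePrincipal(final Credentials credentials) {
            final String nameId = ((SamlResponseCredentials) credentials).getResolvedNameId();
            return nameId == null ? null : new SimplePrincipal(nameId);
        }
        public boolean supports(final Credentials credentials) {
            return credentials instanceof SamlResponseCredentials;
        }
    }

    /** DOM parse with DTDs and external entities disabled, so attacker-supplied XML cannot trigger XXE. */
    static Document parseHardened(final byte[] xml) throws Exception {
        final DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Returns the single saml2:NameID text, or null if there is not exactly one. */
    static String extractNameId(final Document doc) {
        final NodeList nodes = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
        if (nodes.getLength() != 1) {
            return null; // ambiguous subject: refuse rather than guess
        }
        final String value = nodes.item(0).getTextContent();
        return (value == null || value.trim().isEmpty()) ? null : value.trim();
    }
}
```

The action is wired into the login webflow ahead of the login form, exactly as the X.509 example on the wiki does, and the handler and resolver are registered with the authentication manager in deployerConfigContext.xml. Two points matter for security here: `getParameter` reads both the query string and a POST body, so the WebSeal side can keep using HTTP POST (preferable, since query strings end up in access logs), and the NameID handed to the resolver comes only from the document the validator accepted, never from a second, unvalidated parse.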