[https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13027580#comment-13027580]
Jérôme Leleu commented on SHIRO-285:
------------------------------------
I created a new version of my patch.
Here is my new shiro.ini for my webapp demo:
[main]
authcas = org.apache.shiro.cas.CasFilter
authcas.failureUrl = /demo2/error.jsp
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles= ROLE_USER
#casRealm.validationProtocol = SAML
casRealm.casServerUrlPrefix = http://localhost:11380/cas/
casRealm.casService = http://localhost:11380/demo2/shiro-cas
roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas
securityManager = org.apache.shiro.cas.CasRememberMeSecurityManager
[urls]
/protected/** = roles[ROLE_USER]
/shiro-cas = authcas
/** = anon
The CasFilter has not changed.
The CasToken now has a remember me property.
The CasRealm is no longer abstract; the attributes retrieved from service ticket
validation are stored in the SimpleAuthenticationInfo and used in
doGetAuthorizationInfo to compute the roles and permissions of the user.
It's a bit like the JAAS CasLogin module: default roles and permissions are
granted if we are authenticated (or remembered), and other roles and permissions
are found in attributes: roleAttributeNames is a comma-separated list of
attributes, and each attribute must be a comma-separated list of roles.
Remember me is a CAS feature that is not totally defined yet; I submitted a proposal to
the CAS community, but it's not included in a CAS release (see
https://issues.jasig.org/browse/CASW-46).
I didn't find a way to create a CasRememberMeManager that works for
remember me, so I had to create a CasRememberMeSecurityManager to make
remember me work. You have to use it in your configuration, as I did in my
webapp demo, to have remember me through the CAS server.
I don't know if you should keep the remember me feature in a first version of the
CAS integration.
Everything is well documented and I added some tests.
I hope it's a good starting point for integration into trunk.
> Integration with CAS
> --------------------
>
> Key: SHIRO-285
> URL: https://issues.apache.org/jira/browse/SHIRO-285
> Project: Shiro
> Issue Type: New Feature
> Reporter: Jérôme Leleu
> Attachments: shiro_cas.txt
>
>
> As I wanted to test Shiro with CAS, I created a CAS filter, a CAS token and a
> CAS realm. I'm new to Shiro, so maybe I was mistaken on some points.
> I have a demo webapp with these files:
> index.jsp
> error.jsp
> protected/index.jsp
> The idea is to protect the /protected folder. I have this shiro.ini configuration:
> [main]
> authcas = org.apache.shiro.cas.CasFilter
> authcas.failureUrl = /demo2/error.jsp
> defaultRealm = com.jle.demo2.realm.DefaultRealm
> defaultRealm.name = demo2
> defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
> defaultRealm.casService = http://localhost:11380/demo2/shiro-cas
> roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas
> [urls]
> /protected/** = roles[ROLE_USER]
> /shiro-cas = authcas
> /** = anon
> The protection on /protected/** requires the role ROLE_USER; if the user does
> not have it, the user is redirected to the CAS server according to the
> loginUrl property of roles:
> http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
> After authentication on the CAS server, the user is redirected (CAS works like
> this) to the service URL: http://localhost:11380/demo2/shiro-cas. On this
> URL, the authcas filter is defined. The DefaultRealm inherits
> from CasRealm:
> import java.util.HashSet;
> import java.util.Set;
>
> import org.apache.shiro.authz.AuthorizationInfo;
> import org.apache.shiro.authz.SimpleAuthorizationInfo;
> import org.apache.shiro.cas.CasRealm;
> import org.apache.shiro.subject.PrincipalCollection;
>
> public class DefaultRealm extends CasRealm {
>
>     // Every principal authenticated by CAS gets ROLE_USER, nothing else.
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
>         Set<String> roles = new HashSet<String>();
>         roles.add("ROLE_USER");
>         return new SimpleAuthorizationInfo(roles);
>     }
> }
> The DefaultRealm always grants the authenticated user the ROLE_USER role to
> access the /protected folder.
> The CasFilter is configured on a specific URL corresponding to the CAS
> service URL: http://localhost:11380/demo2/shiro-cas; it gets the service
> parameter from the URL and creates a CasToken with it.
> The CasRealm uses the CasToken to authenticate the user: it gets the service
> ticket and uses the Cas20ServiceTicketValidator (from the CAS client) to call the
> CAS server and validate the ticket granted by CAS.
> If the ticket is validated, the user is authenticated and redirected to the
> original protected URL (/protected/index.jsp). If the validation fails, the
> user is redirected to the CAS error page (error.jsp = authcas.failureUrl).
> To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module
> inside support.
> * CasRealm:
> I didn't find how to set remember me on the subject: I know whether the user
> is in remember me mode from CAS depending on a specific attribute of the
> Assertion object, but I didn't know how to pass this information to the
> subject (there is a TODO).
> During the CAS service ticket validation, I get the Assertion object, and all
> the attributes of the user populated by CAS are in the "attributes" property:
> I don't know what to do with these attributes.
> During the CAS service ticket validation, I chose not to throw an
> AuthenticationException but to return null instead: is this the right way to do it?
> * CasFilter:
> I'm not sure I respect the spirit of Shiro because my authcas filter is
> always the last one. In onLoginFailure I added a test: if the user is
> already authenticated, it doesn't fail but redirects to the default success URL.
> I didn't know how to add my authcas filter as a default filter without
> configuring it in the shiro.ini file.
> I have no tests yet.
> I attached the SVN patch.
> Hope it works well for you. Don't hesitate to come back to me.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
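The role computation the comment describes (default roles and permissions granted to every authenticated principal, plus roles read from the comma-separated attributes named in roleAttributeNames, each attribute itself a comma-separated list of roles), as an added example that is neither the patch's code nor Shiro's: a standalone AuthorizingRealm that validates the CAS service ticket through the CAS client's TicketValidator interface, keeps the assertion attributes in the PrincipalCollection, and derives roles from them in doGetAuthorizationInfo. The package, the class and token names (ExampleCasRealm, CasTicketToken), the setter names and the attribute map in main are assumptions. It goes slightly beyond the comment in also accepting multi-valued attributes (a Collection, as the CAS client returns them) in addition to comma-separated strings.

```java
package org.example.shiro.cas; // hypothetical package, not part of Shiro

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jasig.cas.client.validation.TicketValidator;

public class ExampleCasRealm extends AuthorizingRealm {

    /** Token carrying the CAS service ticket (example type, not the patch's CasToken). */
    public static final class CasTicketToken implements AuthenticationToken {
        private final String ticket;
        public CasTicketToken(String ticket) { this.ticket = ticket; }
        @Override public Object getPrincipal() { return null; }  // unknown until the ticket is validated
        @Override public Object getCredentials() { return ticket; }
    }

    // Set from shiro.ini, like casService / defaultRoles in the patch
    private String casService;
    private String defaultRoles = "";
    private String defaultPermissions = "";
    private String roleAttributeNames = "";
    private TicketValidator ticketValidator;  // e.g. new Cas20ServiceTicketValidator(casServerUrlPrefix)

    public void setCasService(String s) { casService = s; }
    public void setDefaultRoles(String s) { defaultRoles = s; }
    public void setDefaultPermissions(String s) { defaultPermissions = s; }
    public void setRoleAttributeNames(String s) { roleAttributeNames = s; }
    public void setTicketValidator(TicketValidator v) { ticketValidator = v; }

    @Override
    public boolean supports(AuthenticationToken token) { return token instanceof CasTicketToken; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String ticket = (String) token.getCredentials();
        try {
            // The service passed here must match the one used in the login redirect exactly,
            // otherwise the CAS server rejects the ticket as issued for another service.
            Assertion assertion = ticketValidator.validate(ticket, casService);
            String user = assertion.getPrincipal().getName();
            Map<String, Object> attrs = new HashMap<String, Object>(assertion.getPrincipal().getAttributes());
            // User name is the primary principal; the attribute map rides along as a second principal
            SimplePrincipalCollection principals = new SimplePrincipalCollection(user, getName());
            principals.add(attrs, getName());
            return new SimpleAuthenticationInfo(principals, ticket);
        } catch (TicketValidationException e) {
            // Throwing (instead of returning null) reports a bad ticket as a login failure;
            // a null return is treated by Shiro as "this realm does not know the account".
            throw new AuthenticationException("CAS ticket validation failed", e);
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        for (Object p : principals.fromRealm(getName())) {
            if (p instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> m = (Map<String, Object>) p;
                attrs.putAll(m);
            }
        }
        return buildAuthorizationInfo(attrs);
    }

    /** Default roles/permissions, plus roles taken from the attributes listed in roleAttributeNames. */
    AuthorizationInfo buildAuthorizationInfo(Map<String, Object> attrs) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(splitCsv(defaultRoles));
        info.addStringPermissions(splitCsv(defaultPermissions));
        for (String attrName : splitCsv(roleAttributeNames)) {
            Object value = attrs.get(attrName);
            if (value == null) continue;
            // Multi-valued attributes arrive as a Collection, single values as a String
            Collection<?> values = value instanceof Collection ? (Collection<?>) value : Collections.singletonList(value);
            for (Object v : values) info.addRoles(splitCsv(String.valueOf(v)));
        }
        return info;
    }

    /** Comma-separated list to a trimmed, duplicate-free set; empty entries are dropped. */
    static Set<String> splitCsv(String csv) {
        Set<String> out = new LinkedHashSet<String>();
        if (csv == null) return out;
        for (String s : csv.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    public static void main(String[] args) {
        ExampleCasRealm realm = new ExampleCasRealm();
        realm.setDefaultRoles("ROLE_USER");
        realm.setDefaultPermissions("demo:read");
        realm.setRoleAttributeNames("memberOf, groups");
        // Constructed attribute map standing in for assertion.getPrincipal().getAttributes()
        Map<String, Object> attrs = new HashMap<String, Object>();
        attrs.put("memberOf", "ROLE_ADMIN, ROLE_AUDIT");
        attrs.put("groups", Arrays.asList("devs", "ops"));
        attrs.put("mail", "alice@example.org");  // not listed in roleAttributeNames, so ignored
        AuthorizationInfo info = realm.buildAuthorizationInfo(attrs);
        System.out.println("roles: " + info.getRoles());
        System.out.println("permissions: " + info.getStringPermissions());
    }
}
```

Two points worth checking when wiring a realm like this into the shiro.ini above: the casService string given to the validator must be the same URL the login redirect used as its service parameter, and only attributes explicitly listed in roleAttributeNames should ever be turned into roles, so that an attribute released by the CAS server for another purpose cannot grant access by accident.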