[
https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13247479#comment-13247479
]
Ryan Connolly commented on SHIRO-285:
-------------------------------------
Nice, Jerome. :)
Any possibility of attaching a working example project? I am having trouble
getting the Shiro/CAS integration working properly with the limited
documentation available.
> Integration with CAS
> --------------------
>
> Key: SHIRO-285
> URL: https://issues.apache.org/jira/browse/SHIRO-285
> Project: Shiro
> Issue Type: New Feature
> Reporter: Jérôme Leleu
> Assignee: Les Hazlewood
> Fix For: 1.2.0
>
> Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt,
> shiro_cas3.txt
>
>
> As I wanted to test Shiro with CAS, I created a CAS filter, a CAS token and a
> CAS realm. I'm new to Shiro so maybe I was mistaken on some points.
> I have a demo webapp with these files:
> index.jsp
> error.jsp
> protected/index.jsp
> The idea is to protect the /protected folder. I have this shiro.ini
> configuration:
> [main]
> authcas = org.apache.shiro.cas.CasFilter
> authcas.failureUrl = /demo2/error.jsp
> defaultRealm = com.jle.demo2.realm.DefaultRealm
> defaultRealm.name = demo2
> defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
> defaultRealm.casService = http://localhost:11380/demo2/shiro-cas
> roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas
> [urls]
> /protected/** = roles[ROLE_USER]
> /shiro-cas = authcas
> /** = anon
> The protection on /protected/** requires having the role ROLE_USER; if that is
> not the case, the user is redirected to the CAS server according to the
> property loginUrl of roles:
> http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
> After authentication on the CAS server, the user is redirected (CAS works like
> this) to the service URL: http://localhost:11380/demo2/shiro-cas. On this
> URL, there is the authcas filter defined as the DefaultRealm which inherits
> from CasRealm:
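> import java.util.HashSet;
> import java.util.Set;
>
> import org.apache.shiro.authz.AuthorizationInfo;
> import org.apache.shiro.authz.SimpleAuthorizationInfo;
> import org.apache.shiro.cas.CasRealm;
> import org.apache.shiro.subject.PrincipalCollection;
>
> public class DefaultRealm extends CasRealm {
>
>     // Grants ROLE_USER to every user that CAS has authenticated.
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
>         Set<String> roles = new HashSet<String>();
>         roles.add("ROLE_USER");
>         return new SimpleAuthorizationInfo(roles);
>     }
> }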
> The DefaultRealm always grants the authenticated user the ROLE_USER role to
> access the /protected folder.
> The CasFilter is configured on a specific URL corresponding to the CAS service
> URL: http://localhost:11380/demo2/shiro-cas; it gets the service
> parameter in the URL and creates a CasToken with it.
> The CasRealm uses the CasToken to authenticate the user: it gets the service
> ticket, uses the Cas20ServiceTicketValidator (from the CAS client) to call the
> CAS server and validates the ticket granted by CAS.
> If the ticket is validated, the user is authenticated and redirected to the
> original protected URL (/protected/index.jsp). If the validation fails, the
> user is redirected to the CAS error page (error.jsp = authcas.failureUrl).
> To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module
> inside support.
> * CasRealm:
> I didn't find how to set remember-me on the subject: I know if the user
> is in rememberme mode from CAS depending on a specific attribute from the
> Assertion object but I didn't know how to pass this information to the
> subject (there is a TODO).
> During the CAS service ticket validation, I get the Assertion object and all
> the attributes of the user populated by CAS are in the "attributes" property:
> I don't know what to do with these attributes.
> During the CAS service ticket validation, I chose not to throw an
> AuthenticationException, but to return null instead: is this the right way to
> do it?
> * CasFilter:
> I'm not sure I respect the spirit of Shiro because my authcas filter is
> always the last one. I add a test in onLoginFailure: if the user is
> already authenticated, it doesn't fail but redirects to the default success URL.
> I didn't know how to add my authcas filter as a default filter without
> configuring it in the shiro.ini file.
> I have no tests yet.
> I attach the SVN patch.
> Hope it works well for you. Don't hesitate to come back to me.