Dashboard > Central Authentication Service > Home > CAS Java Client Gateway Example
CAS has a new home page: http://www.ja-sig.org/products/cas/
Central Authentication Service Log In | Sign Up   View a printable version of the current page.
CAS Java Client Gateway Example

Added by Dom , last edited by Dom on Aug 30, 2007  (view change) show comment
Labels: 

Welcome Page

The welcome page of a site is often a good place to add a gateway filter. The welcome page can be decorated with personal information if the visitor has validate CAS session. I.E. The visitor has previously authenticated themselves via CAS, cookies are enabled in the browser, and the TicketGrantingTicket has not expired.

The extent of the welcome page decoration is only limited by your imagination.

To fully understand a gateway request see http://www.ja-sig.org/products/cas/client/gateway/index.html

Configuration of Filters

Assuming you have a standard web site layout, with protected and unprotected areas, you will need to two authentication filters and one validation filter.

The two authentication filters will need to be configured slightly different; One will have gateway set to true and to other will have gateway set to false.

Following are two snippets of xml explain how to configure a gateway and protected web site.

  • web.xml - defines your web container.
  • securityConfiguration.xml - defines the spring beans.
web.xml snippet
...

  <filter>
    <filter-name>Gateway Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>gatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casNonGatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casValidationFilter</param-value>
    </init-param>
  </filter>

...

  <!-- Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>Gateway Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Non-Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>

  <!-- Validation Filter -->
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

...
securityConfiguration.xml snippet
...

  <!-- Gateway Authentication Filter Bean -->
  <bean id="casGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="true"/>
  </bean>

  <!-- Non-Gateway Authentication Filter Bean -->
  <bean id="casNonGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="false"/>
  </bean>

  <!-- Validation Filter Bean -->
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.web.filter.TicketValidationFilter">

    <constructor-arg index="0" value="${cas.client.serverName}" />

    <constructor-arg index="1">
      <null />
    </constructor-arg>

    <constructor-arg index="2" value="true" />

    <!-- ticketValidator implementation (defines protocol version to be used) -->
    <constructor-arg index="3" ref="ticketValidator" />

    <constructor-arg index="4" value="true" />
  </bean>

...
Useful Information

For a complete configuration of the CAS Java Client you will need to visit the CAS Java client page http://www.ja-sig.org/products/cas/client/client-java/index.html

The configuration on CAS Java Client page does not use this gateway setup. So edit the CAS Java Client configuration with these changes.

Page Layout


Assuming first time request* If a visitor requests either www.site.com/welcome.jsp or www.site.com/other_page.jsp then a gateway log in authentication is called to CAS.

  • If a visitor request either www.site.com/protected/accounts.jsp or www.site.com/protected/payments.jsp then a non-gateway log in authentication is called to CAS.

Sequence

please excuse the bad diagrams

A simplistic view of a gateway call when user does not have a validate CAS session.


A simplistic view of a gateway call when user does have a validate CAS session.
Powered by a free Atlassian Confluence Open Source Project License granted to Java Architectures Special Interest Group. Evaluate Confluence today.
Powered by Atlassian Confluence 2.7.3, the Enterprise Wiki. Bug/feature request - Atlassian news - Contact administrators