Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0
    • Component/s: None
    • Labels:
      None

      Description

      As I wanted to test shiro with CAS, I created a CAS filter, a CAS token and a CAS realm. I'm new to shiro so maybe I was mistaken on some points.

      I have a demo webapp with these files :
      index.jsp
      error.jsp
      protected/index.jsp

      The idea is to protect the /protected folder. I have this shiro.ini configuration :

      [main]
      authcas = org.apache.shiro.cas.CasFilter
      authcas.failureUrl = /demo2/error.jsp

      defaultRealm = com.jle.demo2.realm.DefaultRealm
      defaultRealm.name = demo2
      defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
      defaultRealm.casService = http://localhost:11380/demo2/shiro-cas

      roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas

      [urls]
      /protected/** = roles[ROLE_USER]
      /shiro-cas = authcas
      /** = anon

      The protection on /protected/** implies to have the role ROLE_USER, if it is not the case, the user is redirected to the CAS server according to the property loginUrl of roles : http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
      After authentication on CAS server, the user is redirected (CAS works like this) to the service url : http://localhost:11380/demo2/shiro-cas. On this url, there is the authcas filter defined as the DefaultRealm which inherits from CasRealm :

      public class DefaultRealm extends CasRealm {

      @Override
      protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)

      { Set<String> roles = new HashSet<String>(); roles.add("ROLE_USER"); return new SimpleAuthorizationInfo(roles); }

      }

      The DefaultRealm always grants the authenticated user the ROLE_USER role to access to the /protected folder.

      The CasFilter is configured on a specific url corresponding to the CAS url service : http://localhost:11380/demo2/shiro-cas, it gets the service parameter in url and create a CasToken with it.
      The CasRealm uses the CasToken to authenticate the user, it gets the service ticket, uses the Cas20ServiceTicketValidator (from CAS client) to call the CAS server and validates the ticket granted by CAS.
      If the ticket is validated, the user is authenticated and redirected to the original protected url (/protected/index.jsp). If the validation fails, the user is redirected to the CAS error page (error.jsp = authcas.failureUrl).

      To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module inside support.

      • CasRealm :
        I didn't find how to set the remember me to the subject : I know if the user is in rememberme mode from CAS depending on a specific attribute from the Assertion object but I didn't know how to pass this information to the subject (there is a TODO).
        During the CAS service ticket validation, I get the object Assertion and all the attributes of the user populated by CAS are in the "attributes" property : I don't know what to do with these attributes.
        During the CAS service ticket validation, I choose not to throw an AuthenticationException, but returns null instead : is it the good way to do ?
      • CasFilter :
        I'm not sure I respect the spirit of shiro because my filter authcas is always the last one. I add on the onLoginFailure a test, if the user is already authenticated, it doesn't failed but redirects to default success url.
        I didn't know how to add my authcas filter as a default filter without configuring it in the shiro.ini file.

      I have no test yet.

      I join the SVN patch.
      Hope it works well for you. Don't hesitate to come back to me.

      1. doc_shiro-cas.odt
        29 kB
        Jérôme Leleu
      2. shiro_cas3.txt
        38 kB
        Jérôme Leleu
      3. shiro_cas2.txt
        38 kB
        Jérôme Leleu
      4. shiro_cas.txt
        14 kB
        Jérôme Leleu

        Activity

        Les Hazlewood made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Les Hazlewood made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 1.2.0 [ 12315478 ]
        Resolution Fixed [ 1 ]
        Les Hazlewood made changes -
        Assignee Les Hazlewood [ lhazlewood ]
        Jérôme Leleu made changes -
        Attachment doc_shiro-cas.odt [ 12507901 ]
        Jérôme Leleu made changes -
        Attachment shiro_cas3.txt [ 12507677 ]
        Jérôme Leleu made changes -
        Attachment shiro_cas2.txt [ 12477934 ]
        Les Hazlewood made changes -
        Issue Type Improvement [ 4 ] New Feature [ 2 ]
        Jérôme Leleu made changes -
        Field Original Value New Value
        Attachment shiro_cas.txt [ 12476622 ]
        Jérôme Leleu created issue -

          People

          • Assignee:
            Les Hazlewood
            Reporter:
            Jérôme Leleu
          • Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development