1. for Java using Spring
Configuration of the CAS Client for Java via Spring IoC will depend heavily on their DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml.
As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml
Note: A sample authentication configuration is attached to this page.
Bean definition examples:
<filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetBeanName</param-name> <param-value>authenticationFilter</param-value> </init-param> </filter> |
<filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern></filter-mapping> |
The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:
AuthenticationFilter
<bean name="authenticationFilter" class="org.jasig.cas.client.authentication.AuthenticationFilter" p:renew="false" p:gateway="false" |
Cas10TicketValidationFilter
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas10TicketValidationFilter" <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas10TicketValidator"> </bean> </property></bean> |
Saml11TicketValidationFilter
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Saml11TicketValidationFilter" <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Saml11TicketValidator"> </bean> </property></bean> |
Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release the artifactParameterName must be set to "ticket" for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.
Cas20ProxyReceivingTicketValidationFilter
Configuration to just validate service tickets:
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter" <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> </bean> </property></bean> |
Configuration to accept a Proxy Granting Ticket:
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter" p:proxyReceptorUrl="/proxy/receptor"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" p:proxyCallbackUrl="/proxy/receptor"> </bean> </property></bean> |
Configuration to accept any Proxy Ticket (and Proxy Granting Tickets):
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter" p:proxyReceptorUrl="/proxy/receptor"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator" p:acceptAnyProxy="true" p:proxyCallbackUrl="/proxy/receptor"> </bean> </property></bean> |
Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):
<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter" p:service="https://my.local.service.com/cas-client" p:proxyReceptorUrl="/proxy/receptor"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator" p:proxyCallbackUrl="/proxy/receptor"> <constructor-arg index="0" value="https://localhost:8443/cas" /> <property name="allowedProxyChains"> <list> <value>http://proxy1 http://proxy2</value> </list> </property> </bean> </property> </bean>
The CAS Client for Java 3.1/3.2 can be configured via web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:
- Check the filter's local init-params for a parameter matching the required property name.
- Check the context's parameters for a parameter matching the required property name.
If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties (such as the renew property).
Note:
The correct order of the filters in web.xml is necessary:
- AuthenticationFilter
- TicketValidationFilter (whichever one is chosen)
- HttpServletRequestWrapperFilter
- AssertionThreadLocalFilter
Available filters are as follows:
org.jasig.cas.client.authentication.AuthenticationFilter
The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.
<filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> </init-param> <init-param> <param-name>serverName</param-name> </init-param></filter> |
Required Properties
- casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login
- service or serverName
- service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
- serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).
Optional Properties
- renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
- gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
- artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
- serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").
org.jasig.cas.client.authentication.Saml11AuthenticationFilter
The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.
<filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> </init-param> <init-param> <param-name>serverName</param-name> </init-param> </filter> |
Required Properties
- casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login
- service or serverName :
- service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
- serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).
Optional Properties
- renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
- gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
- artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "SAMLArt").
- serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "TARGET").
org.jasig.cas.client.validation.Cas10TicketValidationFilter
Validates tickets using the CAS 1.0 Protocol.
<filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> </init-param></filter> |
Required Properties
- casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
- serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).
Optional Properties
- redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
- useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
- exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
- renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false"
org.jasig.cas.client.validation.Saml11TicketValidationFilter
Validates tickets using the SAML 1.1 protocol.
<filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> </init-param> <init-param> <param-name>serverName</param-name> </init-param> </filter> |
Required Properties
- casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
- serverName or service :
- serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).
- service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
Optional Properties
- redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
- useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
- exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
- tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.
- renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (NOTE: Available as of version 3.1.6.)
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.
<filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> </init-param> <init-param> <param-name>serverName</param-name> </init-param></filter> |
Required Properties
- casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
- serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443(you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.
Optional Properties
- redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
- useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
- exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
- proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, ff your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor
- renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false."
- acceptAnyProxy (default: false) - specifies whether any proxy is OK.
- allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.
- proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.
- proxyGrantingTicketStorageClass (@since 3.1.9) (default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.
Replicating PGT using "proxyGrantingTicketStorageClass" and Distributed Caching
The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:
<init-param> <param-name>proxyGrantingTicketStorageClass</param-name> <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value></init-param> |
The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless which node is selected as the result of the load balancer rerouting.
Note: A similar implementation based on Memcached is also available.
Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through once of its suggested ways. Asample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.
<filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class></filter> |
Required Properties
None
Optional Properties
None
org.jasig.cas.client.util.AssertionThreadLocalFilter
Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter "fronts" needs to get the Principal name, but it has no access to the HttpServletRequest, hence making getRemoteUser() call impossible.
<filter> <filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class></filter> |
Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml.
All properties that are placed in JNDI should be placed under java:comp/env/cas
We use the following conventions:
- JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)
- JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)
Example:
(this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application)
<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <Context antiResourceLocking="false" privileged="true"> <Environment description="" name="cas/serverName" override="false" type="java.lang.String" value="http://localhost:8080"/> <Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false" type="java.lang.String" value="https://www.ja-sig.org/cas/login"/> <Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false" type="java.lang.String" value="https://www.ja-sig.org/cas"/> </Context>
Configuring Single Sign Out
The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page
Add the following configuration to your web.xml where appropriate:
/* With CAS 2.0 Protocol */
<filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> ... <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ... <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener>
/* With SAML 1.1 Protocol */ <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <init-param> <param-name>artifactParameterName</param-name> <param-value>SAMLart</param-value> </init-param> </filter> ... <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ... <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener>
原文地址:https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
微信公众号: 架构师日常笔记 欢迎关注!
