[cas-dev] Trusting another CAS server?
Romain Bourgue
romain.bourgue at agriculture.gouv.fr
Fri Aug 24 06:36:04 EDT 2007
Hi,
I have implemented a solution in 3.1 that utilizes the CAS client 2.1.1 that comes
with CAS 3.1 to validate a partner's ticket. I don't know if it can be considered
a "native solution" and still don't know if it's the best way of doing it (I
had other ideas but no answer on
http://tp.its.yale.edu/pipermail/cas/2007-August/005713.html yet), but it works
and should do what you need:
First, you create an action class that extends
AbstractNonInteractiveCredentialsAction, let's call it "checkTicket". In this
class, you override the constructCredentialsFromRequest method. In this method,
you'll validate the ticket contained in the request argument with a
ServiceTicketValidator (refer to the CAS-client 3.0 Java Object example:
http://www.ja-sig.org/products/cas/client/javaclient/index.html ).
This action class will construct some specific credentials (create a class
called trustableCredentials) that should be trusted by a specific
authenticationHandler that only supports trustableCredentials and always says
'true' on authenticate().
Once you have this action class, the trustableCredentials class and the
authentication handler, you'll have to modify the login flow so that this action
bean is called before the interactive authentication (just like the x509
authentication):
Modify the login web-flow.xml to add the action bean you created:
add:
    <action-state id="startAuthenticate">
        <action bean="ticketCheck" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="error" to="viewLoginForm" />
    </action-state>
and modify the generateServiceTicket action state to:
    <action-state id="generateServiceTicket">
        <action bean="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="startAuthenticate" />
        <transition on="gateway" to="redirect" />
    </action-state>
Then, in cas-servlet.xml, specify your ticketCheck action bean; depending on the
class implementation you made, it might look like this:
    <bean id="ticketCheck" class="....web.flow.MyCASNonInteractiveAction"
          p:centralAuthenticationService-ref="centralAuthenticationService" />
and then add your authenticationHandler to your deployerConfigContext.xml:
    <bean
        class="....authentication.handler.MyTrustableCredentialsAuthenticationHandler" />
Once again, it might not be the most native way of doing it... but I hope it'll
help.
Romain
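The three pieces the post describes (the non-interactive action, the trusted credentials class and the handler that only accepts them), as an added illustration that is not Romain's code or part of CAS itself. It assumes the CAS 3.1 server API (AbstractNonInteractiveCredentialsAction, AuthenticationHandler, WebUtils) and the edu.yale.its.tp.cas.client.ServiceTicketValidator from client 2.1.1 as I recall their method names; the package, class names and the two URL properties are hypothetical.

```java
package example.cas.trust; // hypothetical package, not part of CAS

import javax.servlet.http.HttpServletRequest;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.webflow.execution.RequestContext;
import edu.yale.its.tp.cas.client.ServiceTicketValidator;

/** Only ever constructed after the partner's ticket validated successfully. */
class TrustableCredentials implements Credentials {
    private final String username;
    TrustableCredentials(String username) { this.username = username; }
    public String getUsername() { return username; }
}

/** Flow action ("ticketCheck"): turns a partner-issued ticket into credentials. */
class PartnerTicketCheckAction extends AbstractNonInteractiveCredentialsAction {
    private String partnerValidateUrl; // the partner CAS /serviceValidate URL (injected)
    private String ourServiceUrl;      // the service URL the partner issued the ticket for

    protected Credentials constructCredentialsFromRequest(RequestContext context) {
        HttpServletRequest request = WebUtils.getHttpServletRequest(context);
        String ticket = request.getParameter("ticket");
        if (ticket == null) {
            return null; // no partner ticket: the flow falls through to the login form
        }
        try {
            ServiceTicketValidator validator = new ServiceTicketValidator();
            validator.setCasValidateUrl(partnerValidateUrl);
            validator.setService(ourServiceUrl); // must equal what the partner issued it for
            validator.setServiceTicket(ticket);
            validator.validate();                 // calls the partner server over HTTP(S)
            if (validator.isAuthenticationSuccesful()) {
                return new TrustableCredentials(validator.getUser());
            }
        } catch (Exception e) {
            // any validation failure (network, XML, rejected ticket) yields no credentials
        }
        return null;
    }
    public void setPartnerValidateUrl(String url) { this.partnerValidateUrl = url; }
    public void setOurServiceUrl(String url) { this.ourServiceUrl = url; }
}

/** Handler that supports TrustableCredentials only; the real check already happened. */
class TrustableCredentialsAuthenticationHandler implements AuthenticationHandler {
    public boolean supports(Credentials c) { return c instanceof TrustableCredentials; }
    public boolean authenticate(Credentials c) throws AuthenticationException {
        return supports(c) && ((TrustableCredentials) c).getUsername() != null;
    }
}
```

As Scott's reply below notes, deployerConfigContext.xml also needs a CredentialsToPrincipalResolver that accepts these credentials, otherwise the handler's "true" never becomes a principal.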
Jeff Harwell wrote:
> I am attempting to configure a stand-alone CAS 3.1 server to trust the CAS
> server included in Luminis 4. Could someone outline the configuration
> involved in implementing the "more native solution" referenced in issue
> CAS-425. I am very new to CAS so any extra details would be appreciated.
>
>
> scott_battaglia wrote:
>>
>> Setting up multiple authentication paths requires modifying the login flow
>> (you would need to configure in the "trusted" NonInteractive Login) as
>> well as configuring the appropriate
>> AuthenticationHandler/CredentialsToPrincipalResolver. You would then need
>> to place the CAS Client validate filter in front of the CAS server and
>> enable the HttpServletRequest wrapping.
>>
>> I am working on a more native solution that will utilize the CAS Client v3.0:
>> http://www.ja-sig.org/issues/browse/CAS-425
>>
>> -Scott
>>
>>
>