CAS3: gateway=true and Spring ACEGI
Renaud Bruyeron
bruyeron at fullsix.com
Wed Jun 14 04:42:49 EDT 2006
I am looking for the best way to handle this scenario:
* a user can browse a site as "anonymous"
* a user can authenticate at any moment by entering credentials in the
login box in the navigation
I am using Spring Acegi 1.0.0 final on the "client" sites, and CAS 3.0.5
(from CVS) for SSO.
One issue is that when a user starts a session on site A, I must first
check with CAS that this user has not already authenticated from site B.
This means that I need to do a round trip with CAS to find out, without
presenting the login screen if it turns out the user is not logged in.
My thinking is that the "gateway" parameter is what I need to use:
1) detect that we have a new session
2) redirect to CAS login page with gateway=true
3) CAS redirects to us with either a ticket (if we have auth) or nothing
if the user is not logged in (but no login screen is displayed)
However, I can't find support for this in ACEGI. Right now
CasProcessingFilter throws a BadCredentialsException when the ticket is
empty, which triggers the login screen.
It seems that I need to supplement CasProcessingFilter and
CasProcessingFilterEntryPoint to take my scenario into account. Am I
correct?
My initial thoughts on how to implement this:
1) use a filter to detect the "new session" condition, and throw a
specialized subclass of AuthenticationException
2) detect this subclass in the entrypoint and redirect with gateway=true
3) in CasProcessingFilter, do not throw BadCredentialsException when the
ticket is empty if some flag is up (like "allowGatewayMode")
What do you think?
- Renaud
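
The gateway round trip described in the message above, as an added example that is not part of the original post and is not Acegi or CAS code: a plain servlet filter, placed ahead of the ticket-validating filter, that probes CAS once per session and keeps an empty-ticket return away from the validator. The class name, session key, URLs and return path are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: asks CAS once per session, with gateway=true, whether SSO exists. */
public class GatewayProbeFilter implements Filter {
    // Placeholder deployment values. The service URL is a fixed constant and is
    // never built from the request's Host header or parameters.
    private static final String CAS_LOGIN = "https://cas.example.org/cas/login";
    private static final String RETURN_PATH = "/cas-return";
    private static final String SERVICE = "https://site-a.example.org" + RETURN_PATH;
    private static final String PROBED = "cas.gateway.probed"; // hypothetical session key

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String ticket = req.getParameter("ticket");
        boolean hasTicket = ticket != null && ticket.length() > 0;
        boolean onReturn = req.getRequestURI().endsWith(RETURN_PATH);
        boolean probed = session.getAttribute(PROBED) != null;

        if (!probed && !onReturn && !hasTicket) {
            // New session: set the flag before redirecting so the probe runs once,
            // then ask CAS silently (no login screen is shown with gateway=true).
            session.setAttribute(PROBED, Boolean.TRUE);
            res.sendRedirect(CAS_LOGIN + "?gateway=true&service="
                    + URLEncoder.encode(SERVICE, "UTF-8"));
            return;
        }
        if (onReturn && !hasTicket) {
            // CAS had no SSO session: continue as anonymous and do not hand the
            // empty ticket to the validator. Marking this session as well stops a
            // client without cookies (URL rewriting) from being probed in a loop.
            session.setAttribute(PROBED, Boolean.TRUE);
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/"));
            return;
        }
        // A ticket is present or the probe is already done: let the chain continue.
        // The ticket is only a claim until the downstream filter validates it with CAS.
        chain.doFilter(req, res);
    }
}
```

After a no-ticket return the user lands on the context root; restoring the originally requested URL is left out of this example.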