Customizing CasClient used by acegi security
Scott Battaglia
scott.battaglia at gmail.com
Thu Nov 6 13:02:27 EST 2008
On Thu, Nov 6, 2008 at 12:55 PM, Robert Lewis <r.lewis at tamu.edu> wrote:
> Hi,
>
> Historically, with cas2 in production we have been using a customized
> xml response returned by casServiceValidationSuccess.jsp. Now we are
> wanting to move up to cas3.2.1 and the customized xml response breaks
> the services management servlet.

Which services management servlet? CAS doesn't care what the JSP page is.

> Specifically, the cas client in acegi
> security is wanting the xml tag to be "<cas:user>" and we are sending
> "<cas:NetID>". I am investigating the approach of customizing the
> cas3.2.1 server so as not to break the existing webapps on campus that
> are expecting NetID in the xml response. To do this it looks like the
> cas client used by acegi security has to be customized.
>
> In searching the net I came across an exchange where someone else had a
> similar issue in March 2008. Scott submitted the following advice.
>
> "The custom attributes you defined are not recognized by the CAS client
> used by Acegi (because, well, they're custom). The CAS client used by
> Acegi by default interprets the protocol exactly and ignores anything
> that's extra.
>
> The upcoming Spring Security 2 will utilize the newer CAS Client for
> Java 3.1.1 which would make it easier to inject a custom ticket
> validator to retrieve those attributes. In addition, the Assertion
> (which holds the Principal and the attributes) will be available as part
> of the CasAuthenticationToken. This won't be ready until Spring
> Security 2.0 comes out though."

Spring Security 2.0.4 also uses CAS Client for Java 3.1.3 now (that's
an old email ;-))

>
> So, I have been trying to follow up on this advice and I have run into
> an obstacle I need help with. When I upgrade to Spring Security 2 I see
> the bean casAuthoritiesPopulator in securityContext.xml is still needed,
> but the class DaoCasAuthoritiesPopulator does not seem to be available
> in Spring Security 2. So, what do I replace it with? Do I have to write
> a class that returns a UserDetailsService ?

The documentation for Spring Security should include everything on how
to configure CAS. In addition, there is a sample CASified web
application included with Spring Security (it may only be available
from SVN) that you can use as a starting point (the Spring Security
documentation is based off of it).

-Scott

>
>
> Thanks,
>
> Robert Lewis
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
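
The behaviour discussed in this thread, a client that reads the validation response literally, looks only for `<cas:user>` and ignores extra elements, can be reproduced with the JDK's XML parser alone. This is an added illustration, not code from the CAS client, Acegi or either poster; the class name, helper methods and the sample principal `jdoe` are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class StrictCasUserLookup {
    // Namespace of the CAS 2.0 service validation response.
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Returns the text of <cas:user> inside <cas:authenticationSuccess>,
    // or null when it is missing, duplicated or empty (fail closed).
    static String findUser(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response arrives over the network: refuse DTDs and entity tricks.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList ok = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (ok.getLength() != 1) return null;
        NodeList users = ((Element) ok.item(0)).getElementsByTagNameNS(CAS_NS, "user");
        if (users.getLength() != 1) return null;
        String user = users.item(0).getTextContent().trim();
        return user.isEmpty() ? null : user;
    }

    // Wraps a body in a constructed success response (hypothetical helper).
    static String response(String body) {
        return "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
             + "<cas:authenticationSuccess>" + body + "</cas:authenticationSuccess>"
             + "</cas:serviceResponse>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses; "jdoe" is a made-up principal.
        String standard = response("<cas:user>jdoe</cas:user>");
        String renamed  = response("<cas:NetID>jdoe</cas:NetID>");
        String both     = response("<cas:user>jdoe</cas:user><cas:NetID>jdoe</cas:NetID>");
        System.out.println("standard: " + findUser(standard)); // principal found
        System.out.println("renamed:  " + findUser(renamed));  // no <cas:user>, so no principal
        System.out.println("both:     " + findUser(both));     // extra <cas:NetID> is ignored
    }
}
```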