Apache Shiro Integrated-cas

Source: Internet
Author: User
Tags: cas, ticket

http://blog.csdn.net/peterwanghao/article/details/8825008

CAS integration is a new feature of the Shiro 1.2 release. (In later releases the shiro-cas module was deprecated in favour of the pac4j-based buji-pac4j integration, so check the Shiro version you are on before adopting the configuration below.)

The shiro-cas module lets a web application act as a CAS client: the application delegates authentication to a CAS single sign-on (SSO) server and only has to validate the tickets that come back.

A basic understanding of the CAS protocol:

1. When you request a page of an application protected by a CAS client and are not yet authenticated, you are redirected to the CAS server's login page. The application therefore has to be configured with the CAS login URL, including the service parameter that tells the CAS server where to send the browser back afterwards (the value is URL-encoded on the wire).

http://application.examples.com/protected/index.jsp → HTTP 302

→ https://server.cas.com/login?service=http://application.examples.com/shiro-cas

2. After you enter your username and password at the CAS server, it redirects you back to the application's service URL with a service ticket (ST) appended. A service ticket is a one-time, short-lived opaque token; on the CAS server it is bound to the service it was issued for and to the authenticated user (and, optionally, that user's attributes). The browser carries the ticket, so the application must never treat it as proof of identity by itself.

https://server.cas.com/login?service=http://application.examples.com/shiro-cas → HTTP 302

→ http://application.examples.com/shiro-cas?ticket=st-4545454542121-cas

3. The application contacts the CAS server directly (server to server) to validate the ticket, passing both the ticket and its own service URL. The CAS server consumes the ticket and answers with the authenticated user's identity; a ticket that has already been used, or that was issued for a different service, is rejected. Only then does the CAS client redirect the browser to the protected page that was originally requested.

http://application.examples.com/shiro-cas?ticket=st-4545454542121-cas → HTTP 302

→ http://application.examples.com/protected/index.jsp
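The three hops above, driven end to end, as an added example that is not part of the original article or of the shiro-cas module. Both the CAS server and the client application are stand-ins constructed for this example (the CasServer and ClientApp classes, the in-memory ticket and session tables, and the user names are all assumptions); the URLs are the article's, and the validation exchange follows the CAS 2.0 /serviceValidate request and XML response format. Besides the happy path it shows the two checks that make the service ticket safe to accept from the browser: a ticket is consumed on first use, and it is only valid for the service it was issued for.

```python
"""Simulated CAS 2.0 round trip between a Shiro-style client app and a CAS server."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"      # namespace of CAS 2.0 XML validation responses
CAS_PREFIX = "https://server.cas.com/"      # casServerUrlPrefix in the article
SERVICE = "http://application.examples.com/shiro-cas"  # casService in the article


class CasServer:
    """Stand-in for the CAS server (constructed for this example, not a real CAS)."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service it was issued for, authenticated user)

    def login(self, service, user):
        """Step 2: after the user authenticates, issue a one-time service ticket bound
        to `service` and redirect the browser back there with ?ticket=ST-... appended."""
        ticket = "ST-" + secrets.token_hex(12)
        self._tickets[ticket] = (service, user)
        return f"{service}?{urlencode({'ticket': ticket})}"

    def service_validate(self, request_url):
        """Step 3 (server side): GET /serviceValidate?service=...&ticket=...
        The ticket is consumed on first use, so a replay fails with INVALID_TICKET."""
        q = parse_qs(urlsplit(request_url).query)
        service = q.get("service", [None])[0]
        ticket = q.get("ticket", [None])[0]
        if service is None or ticket is None:
            return self._failure("INVALID_REQUEST", "service and ticket are required")
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return self._failure("INVALID_TICKET", "ticket not recognized or already used")
        bound_service, user = entry
        if bound_service != service:  # a ticket stolen from another service is useless here
            return self._failure("INVALID_SERVICE", "ticket was issued for a different service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")

    @staticmethod
    def _failure(code, message):
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f'<cas:authenticationFailure code="{code}">{escape(message)}'
                "</cas:authenticationFailure></cas:serviceResponse>")


class ClientApp:
    """Stand-in for the application side (the job shiro-cas's CasFilter and CasRealm do)."""

    def __init__(self, cas):
        self.cas = cas
        self.sessions = {}  # session id -> authenticated user

    def get(self, url, session_id=None):
        """Handle a browser request; returns (status, location_or_body, session_id)."""
        parts = urlsplit(url)
        if parts.path.startswith("/protected/"):
            if session_id in self.sessions:
                return (200, f"hello {self.sessions[session_id]}", session_id)
            # step 1: not authenticated -> 302 to the CAS login URL with our service parameter
            return (302, f"{CAS_PREFIX}login?{urlencode({'service': SERVICE})}", None)
        if parts.path == "/shiro-cas":
            return self._cas_callback(parts.query)
        return (200, "anon", None)

    def _cas_callback(self, query):
        """Step 3 (client side): never trust the ticket carried by the browser; validate
        it directly against the CAS server and only then create a session."""
        ticket = parse_qs(query).get("ticket", [None])[0]
        if ticket is None:
            return (302, "/error.jsp", None)  # casFilter.failureUrl
        validate_url = CAS_PREFIX + "serviceValidate?" + urlencode(
            {"service": SERVICE, "ticket": ticket})
        root = ET.fromstring(self.cas.service_validate(validate_url))
        user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        if user is None:
            return (302, "/error.jsp", None)  # validation failed (replay, wrong service, ...)
        sid = secrets.token_hex(16)
        self.sessions[sid] = user.text
        return (302, "/protected/index.jsp", sid)


def login_round_trip(cas, app, user):
    """Drive the browser through the article's redirects; returns the hops and the
    ticket-bearing callback URL (so a replay can be attempted afterwards)."""
    hops = []
    status, location, _ = app.get("http://application.examples.com/protected/index.jsp")
    hops.append((status, location))
    service = parse_qs(urlsplit(location).query)["service"][0]
    callback = cas.login(service, user)          # the user authenticates at CAS
    hops.append((302, callback))
    status, location, sid = app.get(callback)   # CasFilter receives the ticket
    hops.append((status, location))
    status, body, _ = app.get("http://application.examples.com" + location, sid)
    hops.append((status, body))
    return hops, callback


if __name__ == "__main__":
    cas = CasServer()
    for hop in login_round_trip(cas, ClientApp(cas), "alice")[0]:
        print(*hop)
```

Presenting the callback URL a second time, or a ticket issued to another service, lands on /error.jsp because the CAS side answers with INVALID_TICKET or INVALID_SERVICE rather than a cas:user element; that is the behaviour to look for when testing a real shiro-cas deployment against its CAS server.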

How do I configure Shiro to work with a CAS server?

Add the shiro-cas Maven dependency to your application (use the same version as your other Shiro modules, 1.2 or later):

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-cas</artifactId>
        <version>version</version>
    </dependency>

Add a service URL to your application; this is the URL the CAS server redirects to with the service ticket.

Define the CasFilter in the Shiro configuration (shiro.ini):

    [main]
    casFilter = org.apache.shiro.cas.CasFilter
    casFilter.failureUrl = /error.jsp

Map the filter to the service URL:

    [urls]
    /shiro-cas = casFilter

After the CAS server has authenticated the user it redirects them to the application's service URL (/shiro-cas). The CasFilter mapped there reads the service ticket from the request, wraps it in a CasToken and hands it to the security manager; a failed validation sends the user to failureUrl. The CasToken is what CasRealm authenticates.

CasRealm validates the CasToken created by CasFilter against the CAS server to establish the user's identity. Add the CasRealm to your Shiro configuration:

    [main]
    casRealm = org.apache.shiro.cas.CasRealm
    casRealm.defaultRoles = ROLE_USER
    #casRealm.defaultPermissions
    #casRealm.roleAttributeNames
    #casRealm.permissionAttributeNames
    #casRealm.validationProtocol = SAML
    casRealm.casServerUrlPrefix = https://server.cas.com/
    casRealm.casService = http://application.examples.com/shiro-cas

casServerUrlPrefix is the base URL of the CAS server; the realm appends the validation endpoint to it.

casService is the application's service URL that receives service tickets. It must be exactly the same string as the service parameter passed to the CAS login URL, because the CAS server only accepts a ticket for the service it was issued to.

validationProtocol is either SAML or CAS, CAS being the default. Which one you can use depends on the CAS server version: SAML validation requires CAS Server 3.1 or later.

defaultRoles are the roles granted to every user who authenticates successfully.

defaultPermissions are the permissions granted to every user who authenticates successfully.

roleAttributeNames is a comma-separated list of the names of the user attributes, as returned by the CAS server with the validation response, whose values are used as the user's roles.

permissionAttributeNames is a comma-separated list of the names of the user attributes whose values are used as the user's permissions.

The CAS server can support a "Remember Me" feature; whether the user logged in with it is conveyed to the client through the SAML validation response or through a customized CAS validation response. To have Shiro honour it, define the CasSubjectFactory in the Shiro configuration and make it the security manager's subject factory:

    [main]
    casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
    securityManager.subjectFactory = $casSubjectFactory

Finally, add access control to your application. Define which URLs are protected, and set the roles filter's login URL to the CAS login URL (with the service parameter) so that unauthenticated users are sent to the CAS server rather than to a local login page:

    [main]
    roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas

    [urls]
    /protected/** = roles[ROLE_USER]
    /** = anon

Shiro evaluates the [urls] chains in the order they are written and the first match wins, so the specific /protected/** entry must come before the catch-all /** = anon; reversing the two lines would leave the protected pages anonymous.

A complete example of the configuration:

    [main]
    casFilter = org.apache.shiro.cas.CasFilter
    casFilter.failureUrl = /error.jsp

    casRealm = org.apache.shiro.cas.CasRealm
    casRealm.defaultRoles = ROLE_USER
    casRealm.casServerUrlPrefix = https://server.cas.com/
    casRealm.casService = http://application.examples.com/shiro-cas

    casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
    securityManager.subjectFactory = $casSubjectFactory

    roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas

    [urls]
    /shiro-cas = casFilter
    /protected/** = roles[ROLE_USER]
    /** = anon
