Spring Security3 CAS

Source: Internet
Author: User
Tags cas

Spring Security and CAS interaction process

  1. The web user browses the service's public pages; neither Spring Security nor CAS is involved.

  2. The user requests a protected page, or a page that uses a protected bean. Spring Security's ExceptionTranslationFilter detects the resulting AccessDeniedException or AuthenticationException.

  3. Because the user's Authentication object (or the lack of one) caused the AuthenticationException, ExceptionTranslationFilter invokes the configured AuthenticationEntryPoint. When CAS is used, this is the CasAuthenticationEntryPoint class.

  4. CasAuthenticationEntryPoint redirects the user's browser to the CAS server, passing a service parameter that is the callback URL of the Spring Security service. For example, the browser might be redirected to https://my.company.com/cas/login?service=https%3a%2f%2fserver3.company.com%2fwebapp%2fj_spring_cas_security_check

  5. After the browser is redirected to CAS, the user is prompted for a user name and password; if the user presents a session cookie showing an earlier login, no prompt is shown. CAS uses its PasswordHandler (AuthenticationHandler in CAS 3.0) to decide whether the user name and password are valid.

  6. CAS redirects the browser back to the service with a ticket parameter carrying the service ticket, for example: https://server3.company.com/webapp/j_spring_cas_security_check?ticket=st-0-er94xmjmn6pha35cqroz

  7. Back in the web application, CasAuthenticationFilter listens for requests to /j_spring_cas_security_check (this is configurable; the default is used here). The filter constructs an authentication request whose principal is CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER and whose credentials are the opaque service ticket value, then hands it to the configured AuthenticationManager.

  8. The AuthenticationManager implementation is ProviderManager, which delegates to CasAuthenticationProvider. CasAuthenticationProvider responds only to authentication tokens carrying the CAS-specific principal (such as CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER) and to CasAuthenticationTokens.

  9. CasAuthenticationProvider validates the service ticket through a TicketValidator implementation, typically Cas20ServiceTicketValidator from the CAS client library (applications that must validate proxy tickets use a proxy-ticket validator instead). The TicketValidator sends an HTTPS request to the CAS server to validate the service ticket. The request may also carry a proxy callback URL, as in this example: https://my.company.com/cas/proxyValidate?service=https%3a%2f%2fserver3.company.com%2fwebapp%2fj_spring_cas_security_check&ticket=st-0-er94xmjmn6pha35cqroz&pgtUrl=https://server3.company.com/webapp/j_spring_cas_security_proxyreceptor

  10. Back on the CAS server, the validation request is received. If the presented service ticket matches the service URL the ticket was issued for, CAS returns an affirmative XML response that names the user. If any proxies were involved in the authentication, the XML response also contains the list of proxies.

  11. Cas20ServiceTicketValidator parses the XML received from the CAS server and returns to CasAuthenticationProvider a TicketResponse containing the user name and the list of proxies.

  12. Next, CasAuthenticationProvider calls the configured CasProxyDecider, which indicates whether the list of proxies in the TicketResponse is acceptable to the service. Spring Security provides several implementations: RejectProxyTickets, AcceptAnyCasProxy and NamedCasProxyDecider. The names are largely self-explanatory; NamedCasProxyDecider takes a list of trusted proxies.

  13. CasAuthenticationProvider then asks the AuthenticationUserDetailsService to load the GrantedAuthority objects for the user named in the Assertion.

  14. CasAuthenticationProvider builds a CasAuthenticationToken containing the ticket details and the GrantedAuthority objects.

  15. Control returns to CasAuthenticationFilter, which places the created CasAuthenticationToken in the security context.

  16. The user's browser is redirected to the original page that caused the AuthenticationException (or to a custom destination, depending on the configuration).
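Steps 9 to 12 above, as an added example that is not part of the original post: a small Python model of service-ticket validation, with the service-URL binding checked in step 10, the CAS 2.0 XML parsed in step 11 and the three proxy policies of step 12. The CAS server, tickets and XML are all constructed here; none of it is Spring Security's or the CAS client's code.

```python
import secrets, time
import xml.etree.ElementTree as ET
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class CasServer:
    """Constructed stand-in for the CAS server: issues service tickets, validates each once."""
    def __init__(self, ttl=10):
        self.tickets, self.ttl = {}, ttl

    def issue(self, user, service, proxies=()):
        """Step 6: the ticket handed to the browser is bound to exactly one service URL."""
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.time() + self.ttl, tuple(proxies))
        return st

    def service_validate(self, service, ticket):
        """Step 10: check ticket, expiry and service binding; answer in CAS 2.0 XML."""
        entry = self.tickets.pop(ticket, None)  # single use: a replayed ticket fails
        if entry is None or entry[2] < time.time() or entry[1] != service:
            return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                    '<cas:authenticationFailure code="INVALID_TICKET"/></cas:serviceResponse>')
        user, _, _, proxies = entry
        proxy_xml = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
        return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                f"<cas:authenticationSuccess><cas:user>{user}</cas:user><cas:proxies>"
                f"{proxy_xml}</cas:proxies></cas:authenticationSuccess></cas:serviceResponse>")

def parse_ticket_response(xml_text):
    """Step 11 (client side): return (user, proxies) from the XML, or raise on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        raise ValueError(root.find("cas:authenticationFailure", CAS_NS).get("code"))
    proxies = [p.text for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    return ok.findtext("cas:user", namespaces=CAS_NS), proxies

def proxy_accepted(proxies, policy, trusted=()):
    """Step 12: the three CasProxyDecider policies named above."""
    if policy == "reject":      # RejectProxyTickets
        return not proxies
    if policy == "accept_any":  # AcceptAnyCasProxy
        return True
    return all(p in trusted for p in proxies)  # NamedCasProxyDecider

def authenticate(server, service, ticket, policy="reject", trusted=()):
    """Steps 9-12 in one call: validate, parse, apply the proxy policy, return the user."""
    user, proxies = parse_ticket_response(server.service_validate(service, ticket))
    if not proxy_accepted(proxies, policy, trusted):
        raise PermissionError(f"untrusted proxy chain: {proxies}")
    return user
```

A ticket presented a second time, or presented for a different service URL than it was issued to, is answered with an authenticationFailure element, which is the check that keeps a stolen or replayed ticket from being accepted.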


Spring Security and CAS configuration

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Unauthenticated requests are sent to CAS by the entry point below;
         static resources and the API bypass the filter chain entirely. -->
    <security:http entry-point-ref="casProcessingFilterEntryPoint"
                   use-expressions="true"
                   access-denied-page="/errors/403">
        <security:intercept-url pattern="/resources/**" filters="none"/>
        <security:intercept-url pattern="/api/**" filters="none"/>
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <!-- Local logout, then single sign-out on the CAS server -->
        <security:logout logout-success-url="${cas.auth.server}/logout?service=${cas.local.server}"/>
        <security:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="securityContextPersistenceFilter"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
            <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
                <property name="allowSessionCreation" value="false"/>
            </bean>
        </property>
    </bean>

    <!-- Step 7: receives the service ticket on /j_spring_cas_security_check -->
    <bean id="casAuthenticationFilter"
          class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/errors/403"/>
            </bean>
        </property>
        <property name="authenticationSuccessHandler">
            <bean class="com.baidu.issue.internal.security.login.SimpleLoginSuccessHandler">
                <property name="defaultTargetUrl" value="/"/>
            </bean>
        </property>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <property name="proxyReceptorUrl" value="/secure/receptor"/>
    </bean>

    <!-- Steps 3-4: redirects to the CAS login page with the service parameter -->
    <bean id="casProcessingFilterEntryPoint"
          class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="${cas.auth.server}/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Steps 8-14: validates the ticket against the CAS server and loads authorities.
         The userDetailsService bean is defined elsewhere in the application. -->
    <bean id="casAuthenticationProvider"
          class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
          autowire="byType">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="${cas.auth.server}"/>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
                <property name="proxyCallbackUrl" value="${cas.local.server}/secure/receptor"/>
            </bean>
        </property>
        <property name="key" value="Will_project"/>
    </bean>

    <bean id="proxyGrantingTicketStorage"
          class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <!-- The service URL must match the one CAS issued the ticket for (step 10) -->
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="${cas.local.server}/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>
</beans>


This article is from the "Landed Transit Bird" blog, please be sure to keep this source http://fivedong.blog.51cto.com/1711530/1565676
