Sample of Spring Security and CAS (Single Signon)

For people in a hurry: get the code from GitHub.

In continuation of my earlier blog on spring-test-mvc JUnit testing of the Spring Security layer with InMemoryDaoImpl, in this blog I will be doing the following:

  • Run a sample Jasig CAS server, deployed in a Tomcat instance
  • Run a sample Spring Security Calendar application which uses single sign-on (CAS) for authentication and authorization

Setup of Central Authentication Service (CAS): Jasig

Central Authentication Service (CAS) is a single sign-on protocol: the application redirects the browser to the CAS server to log in, CAS sends the browser back with a one-time service ticket, and the application validates that ticket with the CAS server (server-to-server) before trusting the user. Along with the validated username, CAS can release user attributes such as a role, which the application uses for authorization; that is how the Calendar sample below obtains its authorities. Jasig CAS is an open-source implementation of the server. CAS requires HTTPS, so the Tomcat instance hosting it needs an SSL connector enabled in server.xml:

<!-- Tomcat server.xml: the HTTPS connector used by both the CAS server and the calendar app -->
<Connector SSLEnabled="true"
           maxThreads="150"
           port="8443"
           protocol="HTTP/1.1"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="changeit"
           truststoreFile="${catalina.base}/conf/tomcat.truststore"
           truststorePass="changeit"/>

Note that the attribute is spelled truststorePass (lower-case t, matching truststoreFile); a misspelled connector attribute is not a startup error in Tomcat, it is simply never read. The keystore and truststore passwords shown are the demo defaults and should be changed outside a lab. Also, the calendar application validates every service ticket by calling the CAS server over HTTPS, so the JVM running it must trust the certificate in tomcat.keystore; with a self-signed certificate, import it into the JVM truststore (keytool -importcert), otherwise ticket validation fails with an SSL handshake error even though the browser side works.

Run the Calendar application against CAS

Build the code from the spring-security-cas project with the Maven command “mvn clean package” and deploy the war file from the target folder into the <Tomcat home>/webapps folder. Start the Tomcat instance. If you go to the calendar home page at https://localhost:8443/calendar, you will see the page below:

Screenshot: spring-security calendar application home page

When you click on My Events, you are redirected to the Jasig CAS login page below:

Screenshot: Jasig CAS login page

Enter the login/password user1@example.com/user1 and you will get access to your events.

When you log out, the application again redirects to the Jasig logout page, so the CAS single sign-on session is ended along with the local one.

What is happening under the hood on the Jasig side

Under the hood, the Jasig CAS server is configured to authenticate against an embedded in-memory LDAP directory, which Spring Security's <ldap-server> element starts from the LDIF file bundled with the project:

<!-- deployerConfigContext.xml: embedded LDAP server populated from calendar.ldif -->
<sec:ldap-server id="contextSource" ldif="classpath:ldif/calendar.ldif" root="dc=jbcpcalendar,dc=com" />

The mapping of LDAP attributes to CAS attributes (the values CAS releases to the application after a successful login) happens in the bean definition below. The user is looked up under ou=Users by matching the login name against uid, and the entry's cn, sn and description attributes are released as FullName, LastName and role respectively. Note that in CAS 3.x these attributes only reach the application if the registered service entry for it (also in deployerConfigContext.xml) lists them under allowedAttributes:

<!--
Bean that defines the attributes that a service may return. This one queries the
embedded LDAP server through the contextSource defined above. The id should remain
"attributeRepository", because other beans in deployerConfigContext.xml reference it
by that name. The class is assumed here: LdapPersonAttributeDao from Jasig
person-directory is the implementation that exposes these properties.
-->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource"/>
    <!-- skip the lookup unless every query attribute (here only username) is supplied -->
    <property name="requireAllQueryAttributes" value="true"/>
    <!-- search base, relative to the embedded server's root dc=jbcpcalendar,dc=com -->
    <property name="baseDN" value="ou=Users"/>
    <!-- login name -> LDAP attribute used in the search filter -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="uid"/>
        </map>
    </property>
    <!-- LDAP attribute -> name of the CAS attribute released to the service -->
    <property name="resultAttributeMapping">
        <map>
            <entry key="cn" value="FullName"/>
            <entry key="sn" value="LastName"/>
            <entry key="description" value="role"/>
        </map>
    </property>
</bean>

See deployerConfigContext.xml under the webapp/WEB-INF folder in the project for the full configuration.

What is happening under the hood in the Calendar application

In web.xml we need to register the CAS single sign-out session listener. The listener keeps the CAS client's ticket-to-session map in step with session expiry; the matching SingleSignOutFilter, registered in the Spring Security configuration, is what actually invalidates the local session when CAS sends its back-channel logout request:

<!-- web.xml -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

We need to define a casAuthProvider bean (a CasAuthenticationProvider, which validates the service ticket with the CAS server and builds the user's authorities from the released attributes) and register it with the authentication-manager in the security config as below:

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="casAuthProvider" />
</authentication-manager>

See the src\main\webapp\WEB-INF\spring\security-cas.xml file for the casAuthProvider bean definition.
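Since the page only points at security-cas.xml, here is an illustrative version of the CAS wiring that the web.xml listener above and the casAuthProvider bean plug into. This is an added example, not the project's file or the book's code: the bean names, the /events/** URL pattern, the CAS server URL https://localhost:8443/cas, the key value and the choice of ticket validator are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative security-cas.xml (added example; bean names, URLs, URL patterns and
     the key value are assumptions, not taken from the project). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The callback URL CAS sends the service ticket to. It must be exactly the URL
         the browser is redirected back to, otherwise ticket validation fails. -->
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="https://localhost:8443/calendar/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- Unauthenticated requests are redirected to the CAS login page with the service URL. -->
    <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://localhost:8443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Picks the ?ticket=ST-... parameter off the callback URL and hands it to casAuthProvider. -->
    <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <!-- Validates the ticket server-to-server over HTTPS against /cas/serviceValidate.
         Assumed validator: a stock CAS 3.x server returns no attributes on this endpoint
         unless its success view is customised; Saml11TicketValidator (with
         artifactParameter=SAMLart on serviceProperties) is the alternative that returns
         attributes through the SAML 1.1 validation endpoint. -->
    <bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg value="https://localhost:8443/cas"/>
    </bean>

    <!-- Turns the "role" attribute released by CAS (the LDAP description mapped above)
         into granted authorities, so description must hold values such as ROLE_USER. -->
    <bean id="casUserDetailsService"
          class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
        <constructor-arg>
            <array><value>role</value></array>
        </constructor-arg>
    </bean>

    <bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <property name="authenticationUserDetailsService" ref="casUserDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator" ref="ticketValidator"/>
        <!-- Identifies this provider's tokens; use a long random, per-deployment secret. -->
        <property name="key" value="REPLACE-WITH-A-RANDOM-SECRET"/>
    </bean>

    <!-- Invalidates the local session when CAS posts a back-channel logoutRequest;
         pairs with the SingleSignOutHttpSessionListener registered in web.xml. -->
    <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

    <security:http entry-point-ref="casEntryPoint" use-expressions="true">
        <security:custom-filter position="CAS_FILTER" ref="casFilter"/>
        <security:custom-filter before="CAS_FILTER" ref="singleLogoutFilter"/>
        <!-- "My Events" needs the role released by CAS; the home page stays public. -->
        <security:intercept-url pattern="/events/**" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/**" access="permitAll"/>
        <!-- Local logout, then redirect to CAS so the single sign-on session ends too. -->
        <security:logout logout-success-url="https://localhost:8443/cas/logout"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthProvider"/>
    </security:authentication-manager>
</beans>
```

Two things to check when adapting this: the service URL in serviceProperties must be what the CAS server sees in the ticket request (host, port and context path included), and the attribute named in casUserDetailsService must be one the CAS server actually releases to this service, or every user ends up with no authorities and My Events returns 403.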

The Maven dependency for Spring Security's CAS integration is as below; keep its version in step with the spring-security-core version in your pom, since 3.1.0.RELEASE is simply the release this sample was built against:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-cas</artifactId>
    <version>3.1.0.RELEASE</version>
    <scope>compile</scope>
</dependency>

I hope this blog helped you.

REFERENCE

Spring Security 3.1 by Robert Winch and Peter Mularien


One thought on “Sample of Spring Security and CAS (Single Signon)”

  1. kkelleher

    Hi Krishna,

    Thanks for the blog. I’ve not yet delved into it. But CAS stands for Central “Authentication” Service, not “Authorization” Service! Does your demo really provide authorization (i.e. authorities)?

    Regards,
    Kevin
