Date: Mon, 19 Dec 2011 12:49:32 +0000 (UTC)
From: Jérôme Leleu (Updated) (JIRA)
To: dev@shiro.apache.org
Message-ID: <282361086.26053.1324298972169.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <566604729.64670.1303142225807.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Updated] (SHIRO-285) Integration with CAS

     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jérôme Leleu updated SHIRO-285:
-------------------------------

    Attachment: doc_shiro-cas.odt

> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>
> As I wanted to test shiro with CAS, I created a CAS filter, a CAS token and a CAS realm. I'm new to shiro so maybe I was mistaken on some points.
> I have a demo webapp with these files :
> index.jsp
> error.jsp
> protected/index.jsp
> The idea is to protect the /protected folder. I have this shiro.ini configuration :
> [main]
> authcas = org.apache.shiro.cas.CasFilter
> authcas.failureUrl = /demo2/error.jsp
> defaultRealm = com.jle.demo2.realm.DefaultRealm
> defaultRealm.name = demo2
> defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
> defaultRealm.casService = http://localhost:11380/demo2/shiro-cas
> roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas
> [urls]
> /protected/** = roles[ROLE_USER]
> /shiro-cas = authcas
> /** = anon
> The protection on /protected/** implies to have the role ROLE_USER, if it is not the case, the user is redirected to the CAS server according to the property loginUrl of roles : http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
> After authentication on CAS server, the user is redirected (CAS works like this) to the service url : http://localhost:11380/demo2/shiro-cas.
> On this url, there is the authcas filter defined as the DefaultRealm which inherits from CasRealm :
> public class DefaultRealm extends CasRealm {
>
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
>         // Grant every CAS-authenticated user the fixed role ROLE_USER
>         Set<String> roles = new HashSet<String>();
>         roles.add("ROLE_USER");
>         return new SimpleAuthorizationInfo(roles);
>     }
> }
> The DefaultRealm always grants the authenticated user the ROLE_USER role to access the /protected folder.
> The CasFilter is configured on a specific url corresponding to the CAS url service : http://localhost:11380/demo2/shiro-cas, it gets the service parameter in url and creates a CasToken with it.
> The CasRealm uses the CasToken to authenticate the user, it gets the service ticket, uses the Cas20ServiceTicketValidator (from CAS client) to call the CAS server and validates the ticket granted by CAS.
> If the ticket is validated, the user is authenticated and redirected to the original protected url (/protected/index.jsp). If the validation fails, the user is redirected to the CAS error page (error.jsp = authcas.failureUrl).
> To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module inside support.
> * CasRealm :
> I didn't find how to set the remember me to the subject : I know if the user is in rememberme mode from CAS depending on a specific attribute from the Assertion object but I didn't know how to pass this information to the subject (there is a TODO).
> During the CAS service ticket validation, I get the object Assertion and all the attributes of the user populated by CAS are in the "attributes" property : I don't know what to do with these attributes.
> During the CAS service ticket validation, I choose not to throw an AuthenticationException, but return null instead : is it the good way to do ?
> * CasFilter :
> I'm not sure I respect the spirit of shiro because my filter authcas is always the last one.
> I add on the onLoginFailure a test, if the user is already authenticated, it doesn't fail but redirects to default success url.
> I didn't know how to add my authcas filter as a default filter without configuring it in the shiro.ini file.
> I have no test yet.
> I join the SVN patch.
> Hope it works well for you. Don't hesitate to come back to me.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
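
The ticket-validation step described in the issue, as an added example that is not part of the original message or the attached patch. It shows the variant that throws AuthenticationException when validation fails; the class names TicketValidatingRealm and TicketToken are hypothetical, and the two setters mirror the casServerUrlPrefix and casService properties from the shiro.ini above.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;

// Hypothetical realm for illustration; not the CasRealm from the attached patch.
public class TicketValidatingRealm extends AuthorizingRealm {
    // Hypothetical token: the filter is assumed to wrap the "ticket" request parameter in it.
    public static class TicketToken implements AuthenticationToken {
        private final String ticket;
        public TicketToken(String ticket) { this.ticket = ticket; }
        public Object getPrincipal() { return null; } // unknown until CAS answers
        public Object getCredentials() { return ticket; }
    }

    private String casServerUrlPrefix; // e.g. http://localhost:11380/cas/
    private String casService;         // e.g. http://localhost:11380/demo2/shiro-cas

    public TicketValidatingRealm() { setAuthenticationTokenClass(TicketToken.class); }
    public void setCasServerUrlPrefix(String prefix) { this.casServerUrlPrefix = prefix; }
    public void setCasService(String service) { this.casService = service; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String ticket = (String) token.getCredentials();
        if (ticket == null || ticket.trim().isEmpty()) {
            throw new AuthenticationException("No CAS service ticket supplied");
        }
        try {
            // The service sent here must be the one the ticket was issued for at login.
            Assertion assertion = new Cas20ServiceTicketValidator(casServerUrlPrefix).validate(ticket, casService);
            return new SimpleAuthenticationInfo(assertion.getPrincipal().getName(), ticket, getName());
        } catch (TicketValidationException e) {
            // Fail closed with an explicit cause instead of returning null.
            throw new AuthenticationException("CAS ticket validation failed", e);
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Same fixed role as the demo DefaultRealm in the issue description.
        return new SimpleAuthorizationInfo(java.util.Collections.singleton("ROLE_USER"));
    }
}
```

With a single realm configured, Shiro's ModularRealmAuthenticator turns a null AuthenticationInfo into an UnknownAccountException, so throwing from the realm keeps the ticket-validation failure as the recorded cause.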