shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jérôme Leleu (Commented) (JIRA) <>
Subject [jira] [Commented] (SHIRO-285) Integration with CAS
Date Thu, 05 Jan 2012 18:20:39 GMT


Jérôme Leleu commented on SHIRO-285:

Hi Les,

I've added the documentation for the CAS integration on the page you created. I let you review

I retest everything and I found a problem. A dependency is missing (when using SAML validation)

It was working in my first patch but as the cas-client-core version 3.1.10 was replaced by
the version 3.2.1, the commons-codec dependency has been marked optional and is therefore
missing if it is not explicitely defined in the pom.
With this missing dependency, everything is working just fine. I let you add and commit this
missing dependency (in the "saml validation" area of the pom).

> Integration with CAS
> --------------------
>                 Key: SHIRO-285
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
> As I wanted to test shiro with CAS, I created a CAS filter, a CAS token and a CAS realm.
I'm new to shiro so maybe I was mistaken on some points.
> I have a demo webapp with these files :
> index.jsp
> error.jsp
> protected/index.jsp
> The idea is to protect the /protected folder. I have this shiro.ini configuration :
> [main]
> authcas = org.apache.shiro.cas.CasFilter
> authcas.failureUrl = /demo2/error.jsp
> defaultRealm = com.jle.demo2.realm.DefaultRealm
> = demo2
> defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
> defaultRealm.casService = http://localhost:11380/demo2/shiro-cas
> roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas
> [urls]
> /protected/** = roles[ROLE_USER]
> /shiro-cas = authcas
> /** = anon
> The protection on /protected/** implies to have the role ROLE_USER, if it is not the
case, the user is redirected to the CAS server according to the property loginUrl of roles
: http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
> After authentication on CAS server, the user is redirected (CAS works like this) to the
service url : http://localhost:11380/demo2/shiro-cas. On this url, there is the authcas filter
defined as the DefaultRealm which inherits from CasRealm :
> public class DefaultRealm extends CasRealm {
>     @Override
>     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)
>         Set<String> roles = new HashSet<String>();
>         roles.add("ROLE_USER");
>         return new SimpleAuthorizationInfo(roles);
>     }
> }
> The DefaultRealm always grants the authenticated user the ROLE_USER role to access to
the /protected folder.
> The CasFilter is configured on a specific url corresponding to the CAS url service :
http://localhost:11380/demo2/shiro-cas, it gets the service parameter in url and create a
CasToken with it.
> The CasRealm uses the CasToken to authenticate the user, it gets the service ticket,
uses the Cas20ServiceTicketValidator (from CAS client) to call the CAS server and validates
the ticket granted by CAS.
> If the ticket is validated, the user is authenticated and redirected to the original
protected url (/protected/index.jsp). If the validation fails, the user is redirected to the
CAS error page (error.jsp = authcas.failureUrl).
> To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module inside support.
> * CasRealm :
> I didn't find how to set the remember me to the subject : I know if the user is in rememberme
mode from CAS depending on a specific attribute from the Assertion object but I didn't know
how to pass this information to the subject (there is a TODO).
> During the CAS service ticket validation, I get the object Assertion and all the attributes
of the user populated by CAS are in the "attributes" property : I don't know what to do with
these attributes.
> During the CAS service ticket validation, I choose not to throw an AuthenticationException,
but returns null instead : is it the good way to do ?
> * CasFilter :
> I'm not sure I respect the spirit of shiro because my filter authcas is always the last
one. I add on the onLoginFailure a test, if the user is already authenticated, it doesn't
failed but redirects to default success url.
> I didn't know how to add my authcas filter as a default filter without configuring it
in the shiro.ini file.
> I have no test yet.
> I join the SVN patch.
> Hope it works well for you. Don't hesitate to come back to me.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message