shiro-user mailing list archives

From abip <abipste...@gmail.com>
Subject SSO between Webapp and REST API using apache shiro
Date Thu, 03 Apr 2014 10:00:50 GMT
Hello, I initially posted this question on StackOverflow:

"I'm trying to set up SSO between a webapp and a REST API. To do this I'm
using Apache Shiro + Jasig CAS, but now I'm having a problem related to the
authentication of the REST API. I'm using CASRealm + CASFilter in the webapp
and trying to use the session created there to access the REST API. I've
tried 2 approaches:

1) propagating the CAS service ticket from the webapp to the REST API through
the request header (does not work; it says the service ticket is invalid
because it belongs to another app; maybe the TGT would work)

2) storing the username and password in the webapp and using them in HTTP basic
authentication (this might be a big security flaw; I'm trying to avoid it)

What other approach can I use to authenticate the user in the REST API?"

Now I'm using buji-pac4j on jleleu's recommendation and following this post
http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html
but I'm having a problem getting the proxy ticket in the proxy application.
I get the following log:

INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] - <No Proxy
Ticket found for [PGTIOU-15-d4Cm3cF2StBgXXqF4dt1-cas01.example.org].>

and casProxyProfile.getProxyTicketFor(serviceName) returns null. Any ideas?

These are my configurations.

proxy:
[main]
#proxy

proxyReceptor=org.pac4j.cas.client.CasProxyReceptor 
proxyReceptor.callbackUrl=https://localhost:8181/WebAppB/proxyReceptor.xhtml?client_name=CasClient

casClient = org.pac4j.cas.client.CasClient 
casClient.casLoginUrl = https://localhost:8181/cas/login
casClient.casProxyReceptor = $proxyReceptor 

clients = org.pac4j.core.client.Clients 
clients.callbackUrl = https://localhost:8181/WebAppB/shiro-cas
clients.clientsList = $casClient, $proxyReceptor

clientsRealm = io.buji.pac4j.ClientRealm 
#clientsRealm.defaultRoles = ROLE_USER 
clientsRealm.clients = $clients 

clientsFilter = io.buji.pac4j.ClientFilter 
clientsFilter.clients = $clients 
clientsFilter.failureUrl = /error.xhtml

casUsers = io.buji.pac4j.filter.ClientUserFilter 
casUsers.client = $casClient 

securityManager.realms = $clientsRealm 

[urls] 
/proxyReceptor.xhtml = anon 
/shiro-cas = clientsFilter 
/error.xhtml = anon 
/app/** = casUsers
/** = anon

proxied:
[main]
#proxied

# configure CAS realm
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.xhtml

casRealm = org.apache.shiro.cas.CasRealm
#casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = https://localhost:8181/cas
casRealm.casService = https://localhost:8181/WebAppC/shiro-cas

casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory

casClient = org.pac4j.cas.client.CasClient 
casClient.casLoginUrl = https://localhost:8181/cas/login
casClient.acceptAnyProxy=true 

clients = org.pac4j.core.client.Clients 
clients.callbackUrl = https://localhost:8181/WebAppC/shiro-cas-proxied
clients.clientsList = $casClient 

clientsRealm = io.buji.pac4j.ClientRealm 
#clientsRealm.defaultRoles = ROLE_USER 
clientsRealm.clients = $clients 

clientsFilter = io.buji.pac4j.ClientFilter 
clientsFilter.clients = $clients 
clientsFilter.failureUrl = /error.html 

#casUsers = io.buji.pac4j.filter.ClientUserFilter 
#casUsers.client = $casClient 

securityManager.realms = $casRealm, $clientsRealm 

authc.loginUrl =
https://localhost:8181/cas/login?service=https://localhost:8181/WebAppC/shiro-cas

[urls] 
/shiro-cas-proxied = clientsFilter 
/shiro-cas = casFilter 
/error.html = anon 
/api/** = authc
/** = anon


Thanks



--
View this message in context: http://shiro-user.582556.n2.nabble.com/SSO-between-Webapp-and-REST-API-using-apache-shiro-tp7579861.html
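An added toy model of the CAS 2.0 proxy-ticket exchange the question is about (this is not code from the original post, from Shiro, from pac4j or from the Jasig CAS client; the URLs, ticket strings and the principal "alice" are constructed sample values). It plays the three parties: the CAS server issuing a PGT/PGTIOU pair to the proxy application's receptor and exchanging the PGT for a proxy ticket, the proxy application (WebAppB) looking the PGT up by PGTIOU in its client-side storage, and the proxied application (WebAppC) validating the proxy ticket and checking the proxy chain. The `run` helper exercises the happy path and two ways the lookup can come back empty, which is the `null` the post describes.

```python
"""Toy model of the CAS 2.0 proxy flow: CasServer, ProxyApp (WebAppB),
ProxiedApp (WebAppC).  All identifiers below are constructed; the
ProxyGrantingTicketStorageImpl behaviour is modelled, not reused."""
import secrets


class CasServer:
    def __init__(self):
        self.service_tickets = {}   # ST  -> (principal, service)
        self.pgts = {}              # PGT -> principal
        self.proxy_tickets = {}     # PT  -> (principal, target service, proxy chain)

    def issue_service_ticket(self, principal, service):
        st = "ST-" + secrets.token_hex(6)
        self.service_tickets[st] = (principal, service)
        return st

    def service_validate(self, st, service, pgt_url=None, receptor=None):
        """/serviceValidate -> (principal, pgtiou).  When a pgtUrl is given, CAS
        first delivers (pgtId, pgtIou) to the receptor; only a successful
        callback puts the PGTIOU into the validation response."""
        entry = self.service_tickets.pop(st, None)        # single-use ticket
        if entry is None or entry[1] != service:
            return None, None
        principal, pgtiou = entry[0], None
        if pgt_url and receptor is not None:
            pgt, candidate = "PGT-" + secrets.token_hex(6), "PGTIOU-" + secrets.token_hex(6)
            try:
                receptor(pgt, candidate)                  # HTTPS callback to pgtUrl
            except ConnectionError:
                return principal, None                    # callback failed: no PGTIOU
            self.pgts[pgt] = principal
            pgtiou = candidate
        return principal, pgtiou

    def proxy(self, pgt, target_service, proxy_url):
        """/proxy: exchange a PGT for a proxy ticket for target_service."""
        principal = self.pgts.get(pgt)
        if principal is None:
            return None
        pt = "PT-" + secrets.token_hex(6)
        self.proxy_tickets[pt] = (principal, target_service, [proxy_url])
        return pt

    def proxy_validate(self, pt, service):
        """/proxyValidate -> (principal, proxy chain) or (None, None)."""
        entry = self.proxy_tickets.pop(pt, None)
        if entry is None or entry[1] != service:
            return None, None
        return entry[0], entry[2]


class PgtStorage:
    """Client-side PGTIOU -> PGT map (the role of ProxyGrantingTicketStorageImpl)."""
    def __init__(self):
        self._map = {}

    def save(self, pgt, pgtiou):
        self._map[pgtiou] = pgt

    def retrieve(self, pgtiou):
        return self._map.get(pgtiou)    # None is the "No Proxy Ticket found" case


class DownReceptor:
    """Receptor whose callback URL CAS cannot reach (e.g. connection refused)."""
    def save(self, pgt, pgtiou):
        raise ConnectionError("pgtUrl unreachable")


class ProxyApp:
    def __init__(self, cas, service_url, receptor_url, storage):
        self.cas, self.service_url, self.receptor_url = cas, service_url, receptor_url
        self.storage = storage          # the storage the ticket validator consults
        self.pgtiou = None

    def login(self, st, receptor):
        """Validate our own ST; CAS pushes the PGT to `receptor` via the callback."""
        principal, self.pgtiou = self.cas.service_validate(
            st, self.service_url, pgt_url=self.receptor_url, receptor=receptor.save)
        return principal

    def proxy_ticket_for(self, target_service):
        pgt = self.storage.retrieve(self.pgtiou) if self.pgtiou else None
        return None if pgt is None else self.cas.proxy(pgt, target_service, self.receptor_url)


class ProxiedApp:
    def __init__(self, cas, service_url, allowed_proxies):
        self.cas, self.service_url, self.allowed_proxies = cas, service_url, allowed_proxies

    def authenticate(self, pt):
        principal, chain = self.cas.proxy_validate(pt, self.service_url)
        if principal is None:
            return None
        # allowed_proxies=None models acceptAnyProxy; a list pins who may act for the user
        if self.allowed_proxies is not None and any(p not in self.allowed_proxies for p in chain):
            return None
        return principal


def run(shared_storage=True, callback_down=False,
        allowed_proxies=("https://localhost:8181/WebAppB/proxyReceptor",)):
    """Returns the principal WebAppC ends up with, or None."""
    cas, validator_storage = CasServer(), PgtStorage()
    receptor = (DownReceptor() if callback_down
                else validator_storage if shared_storage else PgtStorage())
    web_b = ProxyApp(cas, "https://localhost:8181/WebAppB/shiro-cas",
                     "https://localhost:8181/WebAppB/proxyReceptor", validator_storage)
    web_c = ProxiedApp(cas, "https://localhost:8181/WebAppC/shiro-cas", allowed_proxies)
    web_b.login(cas.issue_service_ticket("alice", web_b.service_url), receptor)
    pt = web_b.proxy_ticket_for(web_c.service_url)
    return web_c.authenticate(pt) if pt else None
```

The model separates two empty-lookup cases that look alike from the proxied side: when the callback never reaches the receptor, the validation response carries no PGTIOU at all, whereas when the callback is delivered to a storage instance other than the one the validator consults, the response does carry a PGTIOU and the lookup by that PGTIOU is what comes back empty. It also shows why the proxied application's chain check matters: with `allowed_proxies=None` (the equivalent of accepting any proxy) any application that holds a PGT can obtain tickets for the API, while a pinned list limits that to the intended proxy.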