Yale CAS as an Acegi client in SpringSide

First, set up web.xml. We use the Acegi CAS filter:

    <filter-mapping>
        <filter-name>hibernatefilter</filter-name>
        <url-pattern>/j_acegi_cas_security_check</url-pattern>
    </filter-mapping>

Next, we configure the main Acegi application context:
1) filterchainproxy should include a CAS filter, as in Acegi's sample. Here we reuse
authenticationprocessingfilter, which acts as the CAS client filter.

    <bean id="filterchainproxy"
          class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpsessioncontextintegrationfilter,anonymousprocessingfilter,authenticationprocessingfilter,remembermeprocessingfilter,logoutfilter,channelprocessingfilter,basicprocessingfilter,securitycontextholderawarerequestfilter,exceptiontranslationfilter,filterinvocationinterceptor
            </value>
        </property>
    </bean>

2) authenticationprocessingfilter, of course, plays the most important role in this
applicationcontext_acegi.xml.
/admin is the protected resource, so defaultTargetUrl is set to it,
and all requests to the target URL must be authenticated by the authenticationmanager.

    <bean id="authenticationprocessingfilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
        <property name="authenticationManager" ref="authenticationmanager"/>
        <property name="authenticationFailureUrl">
            <value>/security/login.jsp?login_error=1</value>
        </property>
        <property name="defaultTargetUrl">
            <value>/admin/</value>
        </property>
        <property name="filterProcessesUrl">
            <value>/j_acegi_cas_security_check</value>
        </property>
        <property name="rememberMeServices" ref="remembermeservices"/>
        <property name="exceptionMappings">
            <value>
                org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error
                org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error
                org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error
            </value>
        </property>
    </bean>


3) Then we define all the beans the CAS filter needs:

    <!-- Sends unauthenticated requests to the CAS entry point -->
    <bean id="exceptiontranslationfilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <ref local="casprocessingfilterentrypoint"/>
        </property>
    </bean>

    <bean id="casprocessingfilterentrypoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl"><value>https://sourcesite:8443/cas/login</value></property>
        <property name="serviceProperties"><ref local="serviceproperties"/></property>
    </bean>

    <bean id="authenticationmanager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casauthenticationprovider"/>
            </list>
        </property>
    </bean>

    <bean id="casauthenticationprovider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
        <property name="casAuthoritiesPopulator"><ref bean="casauthoritiespopulator"/></property>
        <property name="casProxyDecider"><ref local="casproxydecider"/></property>
        <property name="ticketValidator"><ref local="casproxyticketvalidator"/></property>
        <property name="statelessTicketCache"><ref local="statelessticketcache"/></property>
        <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
    </bean>

    <bean id="casproxyticketvalidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
        <property name="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property>
        <property name="serviceProperties"><ref local="serviceproperties"/></property>
    </bean>

    <!-- Rejects any ticket that was issued through a proxy -->
    <bean id="casproxydecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets" />

    <bean id="serviceproperties" class="org.acegisecurity.ui.cas.ServiceProperties">
        <property name="service">
            <value>http://gzug:8080/springside/j_acegi_cas_security_check</value>
        </property>
        <property name="sendRenew">
            <value>false</value>
        </property>
    </bean>

    <bean id="statelessticketcache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
        <property name="cache">
            <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                <property name="cacheManager">
                    <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
                </property>
                <property name="cacheName" value="usercache"/>
            </bean>
        </property>
    </bean>

    <bean id="casauthoritiespopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
        <property name="userDetailsService"><ref local="jdbcdaoimpl"/></property>
    </bean>

    <!-- Same class and filterProcessesUrl as authenticationprocessingfilter; not listed in the filter chain above -->
    <bean id="casprocessingfilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
        <property name="authenticationManager"><ref local="authenticationmanager"/></property>
        <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
        <property name="defaultTargetUrl"><value>/</value></property>
        <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
    </bean>

casprocessingfilterentrypoint is critical.
loginUrl is the CAS server's /login URL. You should set up your CAS server (2.0 or 3.0), enable SSL in
Tomcat (tomcat 5.5/conf/server.xml) and configure its JKS keystore, then place a cacerts file that
contains the CAS server's public certificate in the Acegi client's /jre/lib/security/ directory.
Check serviceproperties to make sure that the service URL is configured as /j_acegi_cas_security_check.
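The checks described above can be automated. The following is an added example, not code from the original post: it parses the bean definitions and reports a service URL that does not end with filterProcessesUrl, and any CAS-related URL that is not https. The sample XML is a trimmed copy of the beans on this page, and the function names `props` and `check` are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the CAS beans shown on this page.
SAMPLE = """<beans>
 <bean id="authenticationprocessingfilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
  <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
 </bean>
 <bean id="casprocessingfilterentrypoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl"><value>https://sourcesite:8443/cas/login</value></property>
 </bean>
 <bean id="casproxyticketvalidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
  <property name="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property>
 </bean>
 <bean id="serviceproperties" class="org.acegisecurity.ui.cas.ServiceProperties">
  <property name="service"><value>http://gzug:8080/springside/j_acegi_cas_security_check</value></property>
 </bean>
</beans>"""

def props(xml_text):
    """Return {(bean class simple name, property name): value}."""
    out = {}
    for bean in ET.fromstring(xml_text).iter("bean"):
        cls = bean.get("class", "").rsplit(".", 1)[-1]
        for prop in bean.findall("property"):
            value = prop.get("value") or prop.findtext("value") or ""
            out[(cls, prop.get("name"))] = value.strip()
    return out

def check(xml_text):
    """Hypothetical lint: list the problems found in a CAS client config."""
    p, findings = props(xml_text), []
    service = urlparse(p.get(("ServiceProperties", "service"), ""))
    callback = p.get(("CasProcessingFilter", "filterProcessesUrl"), "")
    if not callback or not service.path.endswith(callback):
        findings.append("service URL does not end with filterProcessesUrl")
    if service.scheme != "https":
        findings.append("service URL is not https: ticket sent in clear text")
    for cls, name in (("CasProcessingFilterEntryPoint", "loginUrl"),
                      ("CasProxyTicketValidator", "casValidate")):
        if urlparse(p.get((cls, name), "")).scheme != "https":
            findings.append(name + " is not https")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("WARN:", finding)
```

With the values used on this page, the only finding is the http:// service URL, which means the service ticket is delivered to the callback without TLS.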

Because Yale CAS uses a ticket cache for its SSO implementation, we should configure statelessticketcache;
just use Spring Framework's EhCache support for the cacheManager.

jdbcdaoimpl performs database authentication, so I am very happy to use it
for casauthoritiespopulator, which sets the user details for the user. This information is very useful for
application authorization.

    <bean id="jdbcdaoimpl"
          class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="datasource"/>
        <property name="usersByUsernameQuery">
            <value>
                select loginid,passwd,1 from ss_users where status='1' and loginid = ?
            </value>
        </property>
        <property name="authoritiesByUsernameQuery">
            <value>
                select u.loginid,p.name from ss_users u,ss_roles r,ss_permissions
                p,ss_user_role ur,ss_role_permis rp where u.id=ur.user_id and
                r.id=ur.role_id and p.id=rp.permis_id and
                r.id=rp.role_id and p.status='1' and u.loginid=?
            </value>
        </property>
    </bean>

There is little difference between casclient 2.0.12 and Acegi, right?

Note that in my environment, gzug:8080/springside is the bookstore webapp
and sourcesite:8443 is the CAS 3 server.

Suggestions are welcome.

Posted on 2006-10-15 23:53 by david.turing | Views (8327) | Comments (2) | Category: Security field, CAS&SAML&SSO

# re: yale cas as an acegi client in springside 2006-10-16 12:16

Could the original poster give some explanatory notes???

# re: yale cas as an acegi client in springside 2008-02-28 09:48 lib

    <filter-mapping>
        <filter-name>hibernatefilter</filter-name>
        <url-pattern>/j_acegi_cas_security_check</url-pattern>
    </filter-mapping>

Why is it "hibernatefilter"?
