CAS Filter
The CAS filter is the simplest way of CAS-protecting your Java Servlets application.
Configuring CASFilter
Just a few lines of XML need to be added to your web application's deployment descriptor (web.xml):
```xml
<web-app>
  ...
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://secure.its.yale.edu/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>your server name and port (e.g., www.yale.edu:8080)</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/cas-protected/*</url-pattern>
  </filter-mapping>
  ...
</web-app>
```
In this case, any URL beneath /webapp/cas-protected would require a CAS login. If you want to protect your entire web application, you can simply put /* for the URL pattern:
```xml
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
The serverName initialization parameter does not require a port number if you are using the standard HTTP port (80). You can specify other initialization parameters to configure the behavior of the filter:
Required CASFilter init-params
init-param name | usage |
---|---|
edu.yale.its.tp.cas.client.filter.loginUrl | The URL at which CAS offers its Login page. e.g. ... |
edu.yale.its.tp.cas.client.filter.validateUrl | The URL at which CAS offers its service ticket or proxy ticket validation service. e.g. ... or ... . Must be a proxyValidate service if you intend to accept any proxy tickets. |
edu.yale.its.tp.cas.client.filter.serverName | This parameter specifies the server name and port of the service being filtered (not of the CAS Server itself). E.g., www.yale.edu:8080. Either this parameter or the serviceUrl parameter must be set. |
edu.yale.its.tp.cas.client.filter.serviceUrl | This parameter replaces the serverName parameter above. It becomes the URL that CAS redirects to after login. If you have one specific point of entry to your web application and you want all logins to proceed through that page, you would specify the full URL of that page here. Either this parameter or the serverName parameter must be set. |
Optional CASFilter init-params
init-param | usage |
---|---|
edu.yale.its.tp.cas.client.filter.proxyCallbackUrl | to obtain a Proxy Granting Ticket and thereby have your application proxy authentication to other services, you'll need to specify an http: URL where you'd like PGT, PGTIOU pairs sent. This will typically be a URL you've mapped to an instance of the ... servlet. |
edu.yale.its.tp.cas.client.filter.authorizedProxy | to allow the filter to accept proxy tickets, you need to specify valid proxies through which the authorization must have proceeded. This initialization parameter accepts a whitespace-delimited list of valid proxy URLs. Only one URL needs to match for the login to be successful. Note that if you do want to accept proxy tickets, you will have to change the validateUrl above to proxyValidate rather than serviceValidate. |
edu.yale.its.tp.cas.client.filter.renew | if set to the string, true, this is the equivalent of authenticating a ticket with renew=true passed as a parameter. This may be used for high-security applications where the user must enter his/her credentials again before accessing the filtered URLs. |
edu.yale.its.tp.cas.client.filter.wrapRequest | if set to the string "true" the CASFilter will wrap the request such that calls to getRemoteUser() return the authenticated username. |
edu.yale.its.tp.cas.client.filter.gateway | see gateway |
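
A small linter for the constraints in the two init-param tables above, as an added example that is not part of the original page or of the CAS client: it reads a web.xml, extracts the CASFilter init-params, and reports a missing required parameter, a descriptor with neither serverName nor serviceUrl, and an authorizedProxy list paired with a validateUrl that is not proxyValidate. The function names, the sample descriptor and the portal.example.edu proxy URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "edu.yale.its.tp.cas.client.filter."

# Constructed sample descriptor (not from the page): it lists an authorizedProxy
# but still validates against serviceValidate, and sets neither serverName nor
# serviceUrl. The portal.example.edu URL is a placeholder.
SAMPLE_WEB_XML = """<web-app><filter>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param><param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://secure.its.yale.edu/cas/login</param-value></init-param>
  <init-param><param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value></init-param>
  <init-param><param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
    <param-value>https://portal.example.edu/casProxy/receptor</param-value></init-param>
</filter></web-app>"""


def cas_filter_params(web_xml):
    """Return {short name: value} for every CASFilter init-param in web_xml."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop XML namespaces so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    params = {}
    for flt in root.iter("filter"):
        if (flt.findtext("filter-class") or "").strip() != PREFIX + "CASFilter":
            continue
        for ip in flt.iter("init-param"):
            name = (ip.findtext("param-name") or "").strip()
            if name.startswith(PREFIX):
                params[name[len(PREFIX):]] = (ip.findtext("param-value") or "").strip()
    return params


def lint(params):
    """Apply the constraints stated in the required/optional init-param tables."""
    problems = ["missing " + r for r in ("loginUrl", "validateUrl") if not params.get(r)]
    if not params.get("serverName") and not params.get("serviceUrl"):
        problems.append("neither serverName nor serviceUrl is set")
    path = params.get("validateUrl", "").split("?")[0].rstrip("/")
    if params.get("authorizedProxy", "").split() and not path.endswith("/proxyValidate"):
        problems.append("authorizedProxy set but validateUrl is not proxyValidate")
    return problems


if __name__ == "__main__":
    for problem in lint(cas_filter_params(SAMPLE_WEB_XML)):
        print("web.xml:", problem)
```
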
Consuming the results of CASFilter
Once the user has logged into your application through the filter, the application may access the user's name through the session attribute, edu.yale.its.tp.cas.client.filter.user, or if you import edu.yale.its.tp.cas.client.filter.CASFilter in your JSP or servlet, simply CASFilter.CAS_FILTER_USER.
```java
// either of these will work:
session.getAttribute(CASFilter.CAS_FILTER_USER);
session.getAttribute("edu.yale.its.tp.cas.client.filter.user");
```
Accessing the authenticated username via JSTL
```xml
<c:out value="${sessionScope['edu.yale.its.tp.cas.client.filter.user']}"/>
```
Additionally, the client application may access a CASReceipt JavaBean-style object which exposes the username as well as additional information about the successful authentication, in the session attribute edu.yale.its.tp.cas.client.filter.receipt.
```java
// either of these will work:
session.getAttribute(CASFilter.CAS_FILTER_RECEIPT);
session.getAttribute("edu.yale.its.tp.cas.client.filter.receipt");
```
Session attributes set by CASFilter
Session attribute | usage |
---|---|
edu.yale.its.tp.cas.client.filter.user | String representing the authenticated NetID |
edu.yale.its.tp.cas.client.filter.receipt | CASReceipt representing the results of CAS authentication. Use this object to programmatically access the proxy chain, whether the authentication was required to have been by presentation of primary credentials, etc. |
Read more about ... .