Comment: Migrated to Confluence 5.3

...

To fully understand a gateway request, see http://www.jasig.org/products/cas/client-integration/gateway/index.html

Configuration of Filters

Assuming you have a standard web site layout, with protected and unprotected areas, you will need two authentication filters and one validation filter.

...

  • web.xml - defines your web container.
  • securityConfiguration.xml - defines the spring beans.
web.xml snippet
...

  <filter>
    <filter-name>Gateway Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casGatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casNonGatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casValidationFilter</param-value>
    </init-param>
  </filter>

...

  <!-- Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>Gateway Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Non-Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>

  <!-- Validation Filter -->
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

...
securityConfiguration.xml snippet
...

  <!-- Gateway Authentication Filter Bean -->
  <bean id="casGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="true"/>
  </bean>

  <!-- Non-Gateway Authentication Filter Bean -->
  <bean id="casNonGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="false"/>
  </bean>

  <!-- Validation Filter Bean -->
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.web.filter.TicketValidationFilter">

    <constructor-arg index="0" value="${cas.client.serverName}" />

    <constructor-arg index="1">
      <null />
    </constructor-arg>

    <constructor-arg index="2" value="true" />

    <!-- ticketValidator implementation (defines protocol version to be used) -->
    <constructor-arg index="3" ref="ticketValidator" />

    <constructor-arg index="4" value="true" />
  </bean>

...

...


Assuming a first-time request:

  • If a visitor requests either www.site.com/welcome.jsp or www.site.com/other_page.jsp, then a gateway login authentication request is made to CAS.

  • If a visitor requests either www.site.com/protected/accounts.jsp or www.site.com/protected/payments.jsp, then a non-gateway login authentication request is made to CAS.
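
To check the routing described above before deploying, the following added example (not part of the original page or of the CAS client) resolves which filters run for a request path, in web.xml mapping order, and flags any targetBeanName that names no Spring bean id. The XML is a constructed, namespace-free sample of the page's three filters, and all helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's three filters and mappings (filter-class omitted).
def _filter(name, bean):
    return (f"<filter><filter-name>{name}</filter-name><init-param>"
            f"<param-name>targetBeanName</param-name>"
            f"<param-value>{bean}</param-value></init-param></filter>")

def _mapping(name, pattern):
    return (f"<filter-mapping><filter-name>{name}</filter-name>"
            f"<url-pattern>{pattern}</url-pattern></filter-mapping>")

WEB_XML = "<web-app>" + "".join([
    _filter("Gateway Authentication Filter", "casGatewayAuthenticationFilter"),
    _filter("CAS Authentication Filter", "casNonGatewayAuthenticationFilter"),
    _filter("CAS Validation Filter", "casValidationFilter"),
    _mapping("Gateway Authentication Filter", "/*"),
    _mapping("CAS Authentication Filter", "/protected/*"),
    _mapping("CAS Validation Filter", "/*"),
]) + "</web-app>"

# Constructed sample: only the bean ids of securityConfiguration.xml matter here.
SPRING_XML = ("<beans><bean id='casGatewayAuthenticationFilter'/>"
              "<bean id='casNonGatewayAuthenticationFilter'/>"
              "<bean id='casValidationFilter'/></beans>")

def matches(pattern, path):
    """Servlet url-pattern matching: '/prefix/*', '*.ext' and exact forms."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def chain_for(path, web_xml=WEB_XML):
    """Filters applied to a context-relative path, in filter-mapping order."""
    root = ET.fromstring(web_xml)
    return [m.findtext("filter-name") for m in root.iter("filter-mapping")
            if matches(m.findtext("url-pattern").strip(), path)]

def unresolved_beans(web_xml=WEB_XML, spring_xml=SPRING_XML):
    """(filter-name, targetBeanName) pairs that name no Spring bean id."""
    ids = {b.get("id") for b in ET.fromstring(spring_xml).iter("bean")}
    return [(f.findtext("filter-name"), p.findtext("param-value").strip())
            for f in ET.fromstring(web_xml).iter("filter")
            for p in f.iter("init-param")
            if p.findtext("param-name").strip() == "targetBeanName"
            and p.findtext("param-value").strip() not in ids]
```

A non-empty result from unresolved_beans means DelegatingFilterProxy cannot find its target bean, so that filter's configuration has to be corrected before the paths it covers can be relied on.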

Sequence

Please excuse the bad diagrams.

A simplistic view of a gateway call when the user does not have a valid CAS session.

A simplistic view of a gateway call when the user does have a valid CAS session.