Welcome Page
The welcome page of a site is often a good place to add a gateway filter. The welcome page can be decorated with personal information if the visitor has validate CAS session. I.E. The visitor has previously authenticated themselves via CAS, cookies are enabled in the browser, and the TicketGrantingTicket has not expired.
The extent of the welcome page decoration is only limited by your imagination.
To fully understand a gateway request see http://www.ja-sig.org/products/cas/client/gateway/index.html
Configuration of Filters
Assuming you have a standard web site layout, with protected and unprotected areas, you will need to two authentication filters and one validation filter.
The two authentication filters will need to be configured slightly different; One will have gateway set to true and to other will have gateway set to false.
Following are two snippets of xml explain how to configure a gateway and protected web site.
- web.xml - defines your web container.
- securityConfiguration.xml - defines the spring beans.
... <filter> <filter-name>Gateway Authentication Filter</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> <init-param> <param-name>targetBeanName</param-name> <param-value>gatewayAuthenticationFilter</param-value> </init-param> </filter> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> <init-param> <param-name>targetBeanName</param-name> <param-value>casNonGatewayAuthenticationFilter</param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> <init-param> <param-name>targetBeanName</param-name> <param-value>casValidationFilter</param-value> </init-param> </filter> ... <!-- Gateway Authentication Filter --> <filter-mapping> <filter-name>Gateway Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Non-Gateway Authentication Filter --> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/protected/*</url-pattern> </filter-mapping> <!-- Validation Filter --> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ...
... <!-- Gateway Authentication Filter Bean --> <bean id="casGatewayAuthenticationFilter" class="org.jasig.cas.client.web.filter.AuthenticationFilter"> <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" --> <constructor-arg index="0" value="${cas.client.serverName}"/> <!-- serviceUrl of client: either provide serverName or serviceUrl --> <constructor-arg index="1"> <null/> </constructor-arg> <!-- CAS server loginUrl --> <constructor-arg index="2" value="${cas.server.url}login"/> <!-- renew? --> <constructor-arg index="3" value="false"/> <!-- gateway? --> <constructor-arg index="4" value="true"/> </bean> <!-- Non-Gateway Authentication Filter Bean --> <bean id="casNonGatewayAuthenticationFilter" class="org.jasig.cas.client.web.filter.AuthenticationFilter"> <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" --> <constructor-arg index="0" value="${cas.client.serverName}"/> <!-- serviceUrl of client: either provide serverName or serviceUrl --> <constructor-arg index="1"> <null/> </constructor-arg> <!-- CAS server loginUrl --> <constructor-arg index="2" value="${cas.server.url}login"/> <!-- renew? --> <constructor-arg index="3" value="false"/> <!-- gateway? --> <constructor-arg index="4" value="false"/> </bean> <!-- Validation Filter Bean --> <bean id="casValidationFilter" class="org.jasig.cas.client.web.filter.TicketValidationFilter"> <constructor-arg index="0" value="${cas.client.serverName}" /> <constructor-arg index="1"> <null /> </constructor-arg> <constructor-arg index="2" value="true" /> <!-- ticketValidator implementation (defines protocol version to be used) --> <constructor-arg index="3" ref="ticketValidator" /> <constructor-arg index="4" value="true" /> </bean> ...
Useful Information
For a complete configuration of the CAS Java Client you will need to visit the CAS Java client page http://www.ja-sig.org/products/cas/client/client-java/index.html
The configuration on CAS Java Client page does not use this gateway setup. So edit the CAS Java Client configuration with these changes.
Page Layout
Assuming first time request
- If a visitor requests either www.site.com/welcome.jsp or www.site.com/other_page.jsp then a gateway log in authentication is called to CAS.
- If a visitor request either www.site.com/protected/accounts.jsp or www.site.com/protected/payments.jsp then a non-gateway log in authentication is called to CAS.
Sequence
A simplistic view of a gateway called when user does not have a validate CAS session.
A simplistic view of a gateway called when user does have a validate CAS session.