CAS Java Client Gateway Example

Owned by Dom Farr
Last updated: Mar 11, 2010 by PatrickBVersion comment
3 min read

Welcome Page

The welcome page of a site is often a good place to add a gateway filter. The welcome page can be decorated with personal information if the visitor has validate CAS session. I.E. The visitor has previously authenticated themselves via CAS, cookies are enabled in the browser, and the TicketGrantingTicket has not expired.

The extent of the welcome page decoration is only limited by your imagination.

To fully understand a gateway request see http://www.jasig.org/cas/client-integration/gateway

Configuration of Filters

Assuming you have a standard web site layout, with protected and unprotected areas, you will need to two authentication filters and one validation filter.

The two authentication filters will need to be configured slightly different; One will have gateway set to true and to other will have gateway set to false.

Following are two snippets of xml explain how to configure a gateway and protected web site.

  • web.xml - defines your web container.
  • securityConfiguration.xml - defines the spring beans.
web.xml snippet
...

  <filter>
    <filter-name>Gateway Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>gatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casNonGatewayAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casValidationFilter</param-value>
    </init-param>
  </filter>

...

  <!-- Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>Gateway Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Non-Gateway Authentication Filter -->
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>

  <!-- Validation Filter -->
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

...
securityConfiguration.xml snippet
...

  <!-- Gateway Authentication Filter Bean -->
  <bean id="casGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="true"/>
  </bean>

  <!-- Non-Gateway Authentication Filter Bean -->
  <bean id="casNonGatewayAuthenticationFilter"
        class="org.jasig.cas.client.web.filter.AuthenticationFilter">

    <!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
    <constructor-arg index="0" value="${cas.client.serverName}"/>

    <!-- serviceUrl of client: either provide serverName or serviceUrl -->
    <constructor-arg index="1">
      <null/>
    </constructor-arg>

    <!-- CAS server loginUrl -->
    <constructor-arg index="2" value="${cas.server.url}login"/>

    <!-- renew? -->
    <constructor-arg index="3" value="false"/>

    <!-- gateway? -->
    <constructor-arg index="4" value="false"/>
  </bean>

  <!-- Validation Filter Bean -->
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.web.filter.TicketValidationFilter">

    <constructor-arg index="0" value="${cas.client.serverName}" />

    <constructor-arg index="1">
      <null />
    </constructor-arg>

    <constructor-arg index="2" value="true" />

    <!-- ticketValidator implementation (defines protocol version to be used) -->
    <constructor-arg index="3" ref="ticketValidator" />

    <constructor-arg index="4" value="true" />
  </bean>

...

Useful Information

For a complete configuration of the CAS Java Client you will need to visit the CAS Java client page http://www.ja-sig.org/products/cas/client/client-java/index.html

The configuration on CAS Java Client page does not use this gateway setup. So edit the CAS Java Client configuration with these changes.

Page Layout


Assuming first time request* If a visitor requests either www.site.com/welcome.jsp or www.site.com/other_page.jsp then a gateway log in authentication is called to CAS.

  • If a visitor request either www.site.com/protected/accounts.jsp or www.site.com/protected/payments.jsp then a non-gateway log in authentication is called to CAS.

Sequence

please excuse the bad diagrams

A simplistic view of a gateway call when user does not have a validate CAS session.

A simplistic view of a gateway call when user does have a validate CAS session.