CAS is a great single sign on(SSO) solution and spring security also includes a lot of helpful classes to implement it in Java apps. However, getting CAS to use Basic Authentication took some persuading.
It involved creating a new filter that could be placed in front of CAS's spring filter( org.springframework.security.cas.web.CasAuthenticationFilter). But since CAS's filter only redirects to the login screen if a user isn't logged in, we needed to do some authentication before the filter executes so it can do it's thing (like populating UserAuthorities and UserDetails so we can use spring security's annotations like @Secured, etc).
So below is the new basic authentication filter. It authenticates via CAS's rest web service so that will need to be enabled. Once it authenticates it "adds" the service ticket to the HttpServletRequest object. I say "add" because you can't really add a parameter to the request, you have to wrap it in an HttpServletRequestWrapper. The whole thing kind of feels like a hack, but I couldn't find, or come up with, a better solution.
No comments:
Post a Comment