CAS Spring Security Example

Example Spring Security Configuration for Applications

The example below is a stripped-down web.xml and Spring Application context that is used to demonstrate configuring Spring Security for Java. This client is significantly more advanced than the basic JASIG CAS Client for Java.

For more advanced usage of this CAS client, please see the official documentation.

Example web.xml

view plaincopy to clipboardprint?
  1. <?xml version=“1.0” encoding=“ISO-8859-1”?>
  2. <web-app xmlns=“http://java.sun.com/xml/ns/j2ee” xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=“http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd” version=“2.4”>
  3.     <display-name>Sample Application</display-name>
  4.     <context-param>
  5.         <param-name>contextConfigLocation</param-name>
  6.         <param-value>/WEB-INF/securityContext.xml</param-value>
  7.     </context-param>
  9.     <filter>
  10.         <filter-name>springSecurityFilterChain</filter-name>
  11.         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  12.     </filter>
  14.     <filter-mapping>
  15.         <filter-name>springSecurityFilterChain</filter-name>
  16.         <url-pattern>/services/*</url-pattern>
  17.     </filter-mapping>
  19.     <listener>
  20.         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  21.     </listener>
  23.     <servlet>
  24.         <servlet-name>myservlet</servlet-name>
  25.         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  26.         <init-param>
  27.             <param-name>publishContext</param-name>
  28.             <param-value>false</param-value>
  29.         </init-param>
  30.         <load-on-startup>1</load-on-startup>
  31.     </servlet>
  33.     <servlet-mapping>
  34.         <servlet-name>myservlet</servlet-name>
  35.         <url-pattern>/*</url-pattern>
  36.     </servlet-mapping>
  38.     <session-config>
  39.         <!– Default to 5 minute session timeouts –>
  40.         <session-timeout>5</session-timeout>
  41.     </session-config>
  43.     <welcome-file-list>
  44.         <welcome-file>index.jsp</welcome-file>
  45.     </welcome-file-list>
  46. </web-app>

Example securityContext.xml

view plaincopy to clipboardprint?
  1. <?xml version=“1.0” encoding=“UTF-8”?>
  2. <beans xmlns=“http://www.springframework.org/schema/beans”
  3.        xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”
  4.        xmlns:p=“http://www.springframework.org/schema/p”
  5.        xmlns:tx=“http://www.springframework.org/schema/tx”
  6.        xmlns:sec=“http://www.springframework.org/schema/security”
  7.        xsi:schemaLocation=”http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  8.        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
  9.        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd”>
  10.     <description>
  11.         This is the configuration file for the Spring Security configuration used with the sample application.
  12.     </description>
  14.     <sec:http entry-point-ref=“casProcessingFilterEntryPoint”>
  15.         <sec:intercept-url pattern=“/**” access=“ROLE_ADMIN” />
  16.         <sec:logout logout-url=“/logout.html” logout-success-url=“/loggedOut.html” />
  17.     </sec:http>
  19.     <sec:authentication-manager alias=“casAuthenticationManager”/>
  21.     <bean id=“serviceProperties” class=“org.springframework.security.ui.cas.ServiceProperties”
  22.         p:service=“https://myservice.rutgers.edu/j_acegi_cas_security_check”
  23.         p:sendRenew=“false” />
  25.     <bean id=“casProcessingFilter” class=“org.springframework.security.ui.cas.CasProcessingFilter”
  26.         p:authenticationManager-ref=“casAuthenticationManager”
  27.         p:authenticationFailureUrl=“/authorizationFailure.jsp”
  28.         p:alwaysUseDefaultTargetUrl=“true”
  29.         p:filterProcessesUrl=“/j_acegi_cas_security_check”
  30.         p:defaultTargetUrl=“/manage.html”>
  31.         <sec:custom-filter after=“CAS_PROCESSING_FILTER” />
  32.     </bean>
  34.     <bean id=“casProcessingFilterEntryPoint” class=“org.springframework.security.ui.cas.CasProcessingFilterEntryPoint”
  35.         p:loginUrl=“https://test-cas.rutgers.edu/login”
  36.         p:serviceProperties-ref=“serviceProperties” />
  38.     <bean id=“casAuthenticationProvider” class=“org.springframework.security.providers.cas.CasAuthenticationProvider”
  39.         p:key=“my_password_for_this_auth_provider_only”
  40.         p:serviceProperties-ref=“serviceProperties”
  41.         p:userDetailsService-ref=“userDetailsService”>
  42.         <sec:custom-authentication-provider />
  43.         <property name=“ticketValidator”>
  44.           <bean class=“org.jasig.cas.client.validation.Cas20ServiceTicketValidator”>
  45.             <constructor-arg index=“0” value=“https://test-cas.rutgers.edu” />
  46.             </bean>
  47.         </property>
  48.     </bean>
  49. </beans>

Note: the example securityContext.xml doesn’t include a userDetailsService bean. You’ll need to add one that points to your data store.

Related Articles