Posted to dev@shiro.apache.org by "Jérôme Leleu (JIRA)" <ji...@apache.org> on 2011/04/18 17:57:05 UTC

[jira] [Created] (SHIRO-285) Integration with CAS

Integration with CAS
--------------------

                 Key: SHIRO-285
                 URL: https://issues.apache.org/jira/browse/SHIRO-285
             Project: Shiro
          Issue Type: Improvement
            Reporter: Jérôme Leleu


As I wanted to test Shiro with CAS, I created a CAS filter, a CAS token and a CAS realm. I'm new to Shiro so maybe I was mistaken on some points.

I have a demo webapp with these files:
index.jsp
error.jsp
protected/index.jsp

The idea is to protect the /protected folder. I have this shiro.ini configuration:

[main]
authcas = org.apache.shiro.cas.CasFilter
authcas.failureUrl = /demo2/error.jsp

defaultRealm = com.jle.demo2.realm.DefaultRealm
defaultRealm.name = demo2
defaultRealm.casServerUrlPrefix = http://localhost:11380/cas/
defaultRealm.casService = http://localhost:11380/demo2/shiro-cas

roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas

[urls]
/protected/** = roles[ROLE_USER]
/shiro-cas = authcas
/** = anon

The protection on /protected/** requires the role ROLE_USER; if that is not the case, the user is redirected to the CAS server according to the loginUrl property of roles: http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas.
After authentication on the CAS server, the user is redirected (CAS works like this) to the service URL: http://localhost:11380/demo2/shiro-cas. On this URL, there is the authcas filter defined as the DefaultRealm which inherits from CasRealm:

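import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cas.CasRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class DefaultRealm extends CasRealm {

    // Demo only: every user authenticated through CAS is granted ROLE_USER.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Set<String> roles = new HashSet<String>();
        roles.add("ROLE_USER");
        return new SimpleAuthorizationInfo(roles);
    }
}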

The DefaultRealm always grants the authenticated user the ROLE_USER role to access the /protected folder.

The CasFilter is configured on a specific URL corresponding to the CAS service URL: http://localhost:11380/demo2/shiro-cas; it gets the service parameter in the URL and creates a CasToken with it.
The CasRealm uses the CasToken to authenticate the user: it gets the service ticket, uses the Cas20ServiceTicketValidator (from the CAS client) to call the CAS server and validates the ticket granted by CAS.
If the ticket is validated, the user is authenticated and redirected to the original protected URL (/protected/index.jsp). If the validation fails, the user is redirected to the CAS error page (error.jsp = authcas.failureUrl).

To add CasFilter, CasToken and CasRealm to the trunk, I created a CAS module inside support.
* CasRealm:
I didn't find how to set remember-me on the subject: I know whether the user is in remember-me mode from CAS from a specific attribute of the Assertion object, but I didn't know how to pass this information to the subject (there is a TODO).
During the CAS service ticket validation, I get the Assertion object, and all the attributes of the user populated by CAS are in the "attributes" property: I don't know what to do with these attributes.
During the CAS service ticket validation, I choose not to throw an AuthenticationException, but return null instead: is this the right way to do it?
* CasFilter:
I'm not sure I respect the spirit of Shiro because my authcas filter is always the last one. I added a test in onLoginFailure: if the user is already authenticated, it doesn't fail but redirects to the default success URL.
I didn't know how to add my authcas filter as a default filter without configuring it in the shiro.ini file.

I have no test yet.

I attach the SVN patch.
Hope it works well for you. Don't hesitate to come back to me.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
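
The ticket validation described in the message above ends with the CAS server's XML reply to a CAS 2.0 service ticket validation request. The following is an added example, not part of this thread or of the attached patch: a JDK-only parser for that reply that rejects DOCTYPEs, turns a rejected ticket into an exception and derives roles from a released attribute. The class names, the sample replies, the cas:attributes block with its memberOf attribute and TicketRejectedException (a stand-in for the exception a realm would throw) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class CasValidationDemo {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Constructed sample replies; the attribute name memberOf is an assumption.
    static final String SUCCESS =
        "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationSuccess>"
      + "<cas:user>jdoe</cas:user><cas:attributes>"
      + "<cas:memberOf>ROLE_USER</cas:memberOf><cas:memberOf>ROLE_AUDIT</cas:memberOf>"
      + "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>";
    static final String FAILURE =
        "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
      + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized"
      + "</cas:authenticationFailure></cas:serviceResponse>";

    /** Hypothetical stand-in for the exception a realm would raise on a rejected ticket. */
    static class TicketRejectedException extends Exception {
        TicketRejectedException(String message) { super(message); }
    }

    /** User id plus the attributes the CAS server released for it. */
    static final class ValidatedUser {
        final String name;
        final Map<String, List<String>> attributes;
        ValidatedUser(String name, Map<String, List<String>> attributes) {
            this.name = name;
            this.attributes = attributes;
        }
    }

    static ValidatedUser parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The reply comes over the network: refuse DOCTYPEs so no external entity is resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Element root = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        if (!CAS_NS.equals(root.getNamespaceURI()) || !"serviceResponse".equals(root.getLocalName())) {
            throw new TicketRejectedException("not a CAS serviceResponse");
        }
        // A failure element anywhere in the reply wins over everything else.
        NodeList failures = root.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
        if (failures.getLength() > 0) {
            Element failure = (Element) failures.item(0);
            throw new TicketRejectedException(
                failure.getAttribute("code") + ": " + failure.getTextContent().trim());
        }
        NodeList successes = root.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (successes.getLength() != 1) {
            throw new TicketRejectedException("expected exactly one authenticationSuccess");
        }
        Element success = (Element) successes.item(0);
        NodeList users = success.getElementsByTagNameNS(CAS_NS, "user");
        String name = users.getLength() == 1 ? users.item(0).getTextContent().trim() : "";
        if (name.isEmpty()) {
            throw new TicketRejectedException("success reply without a single non-empty user");
        }
        // Collect multi-valued attributes in document order.
        Map<String, List<String>> attributes = new LinkedHashMap<>();
        NodeList blocks = success.getElementsByTagNameNS(CAS_NS, "attributes");
        if (blocks.getLength() > 0) {
            NodeList children = blocks.item(0).getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node child = children.item(i);
                if (child.getNodeType() == Node.ELEMENT_NODE) {
                    attributes.computeIfAbsent(child.getLocalName(), k -> new ArrayList<>())
                              .add(child.getTextContent().trim());
                }
            }
        }
        return new ValidatedUser(name, attributes);
    }

    /** Roles come from a released attribute; a user without it gets no role at all. */
    static Set<String> rolesFor(ValidatedUser user, String roleAttribute) {
        return new TreeSet<>(user.attributes.getOrDefault(roleAttribute, Collections.emptyList()));
    }

    public static void main(String[] args) throws Exception {
        ValidatedUser user = parse(SUCCESS);
        System.out.println(user.name + " -> " + rolesFor(user, "memberOf"));
        try {
            parse(FAILURE);
        } catch (TicketRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a Shiro realm the rejected-ticket branch would surface as an AuthenticationException, and the role set would be passed to SimpleAuthorizationInfo in place of a fixed ROLE_USER.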

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170616#comment-13170616 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Update - I'm updating the test now.  I should be able to get the tests working.
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Updated] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jérôme Leleu updated SHIRO-285:
-------------------------------

    Attachment: shiro_cas2.txt

The new patch.

> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Closed] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood closed SHIRO-285.
-------------------------------


Closing with the 1.2.0 release.
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13172241#comment-13172241 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Les,

The documentation is an OpenOffice document. I attach it to this JIRA. I'll let you review it (my English is not really good).

I don't have an ICLA but I think I could get one. I may have some time to contribute, but I really don't know where to start.

Regards,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13178137#comment-13178137 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Les,

My ICLA has been "accepted" by the Apache Software Foundation. I also signed up on the Apache wiki as LELEU Jérôme.
I'd like to create a page called "CAS SSO" in the "V. Integration" chapter of the Apache Shiro Reference Documentation to add the documentation for CAS integration.
Is that OK with you? If so, can you give me the rights to add / update a page?
Thanks.
Best regards,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13169875#comment-13169875 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Just a quick note:  I tried upgrading to the latest cas-client-core .jar in Maven central:

<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.2.1</version>
</dependency>

But apparently this fails to compile.  Any ideas?
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13171129#comment-13171129 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Hi Jérôme,

In what format is the documentation?  The easiest thing to do would be to submit it as a patch or an attachment to a Jira issue.

If you think you might be contributing to the documentation a little bit more often (which would be appreciated!), we'll need an Apache Individual Contributor License Agreement (ICLA) on file.  Do you already have an ICLA on file with the Apache Software Foundation?

Thanks so much for continuing to help!

Cheers,

Les
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Resolved] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved SHIRO-285.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 1.2.0

I added the dependencies mentioned, but I made some changes:

For commons-codec, opensaml and santuario, I made all three of these dependencies optional=true and scope=runtime.  They are not required by the shiro-cas module at runtime, and they aren't mandatory at runtime either.  They are _only_ needed if specifying 'saml' ticket validation during configuration.

As I understand it, the "Maven Way" is to list these dependencies as optional=true and scope=runtime because they are not required by the shiro-module itself.  They are only necessary for the end user if the end user wants to use saml.  As such, the end user should specify the dependencies if they want to use that feature.
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170590#comment-13170590 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Jerome,

Do you have any documentation on how to configure this in Shiro? Any example shiro.ini or spring xml configuration or something similar?

We can't release this as a supported module without at least cursory documentation.

Thanks,

Les
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170102#comment-13170102 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi,

With cas client 3.2.1, the attributes of the principal are no longer a map of String,String but a map of String,Object. That's why compilation fails.
You should update the code in the CasRealm class (at line 106):

                    Map<String, Object> attributes = principal.getAttributes();
                    // refresh authentication token (user id + remember me)
                    casToken.setUserId(userId);
                    boolean isRemembered = attributes.get(rememberMeAttributeName) != null ? Boolean
                        .parseBoolean((String) attributes.get(rememberMeAttributeName)) : false;
                    if (isRemembered) {
                        casToken.setRememberMe(true);
                    }

I tested it and it works.
Regards,
Jérôme
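
An added example, not part of the comment above or of the Shiro code base: with attributes typed as Map<String,Object>, a direct (String) cast throws ClassCastException during login if the CAS server releases the remember-me flag as a Boolean or a list. The class name, helper and sample attribute values below are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

public class RememberMeAttributeDemo {

    /**
     * Returns true only when the attribute is present and unambiguously means "true".
     * Unexpected types or multi-valued attributes are treated as "not remembered"
     * (fail closed) instead of raising ClassCastException inside the authentication path.
     */
    static boolean isRemembered(Map<String, Object> attributes, String rememberMeAttributeName) {
        if (attributes == null || rememberMeAttributeName == null) {
            return false;
        }
        Object value = attributes.get(rememberMeAttributeName);

        // Some attribute releases wrap a single value in a collection.
        if (value instanceof Collection) {
            Collection<?> values = (Collection<?>) value;
            if (values.size() != 1) {
                return false; // empty or ambiguous: do not guess
            }
            value = values.iterator().next();
        }
        if (value instanceof Boolean) {
            return (Boolean) value;
        }
        if (value instanceof String) {
            return Boolean.parseBoolean(((String) value).trim());
        }
        return false; // null or any other type
    }

    public static void main(String[] args) {
        // Sample attribute name and values, constructed for this demo.
        String name = "longTermAuthenticationRequestTokenUsed";

        Map<String, Object> asString = new HashMap<String, Object>();
        asString.put(name, "true");

        Map<String, Object> asBoolean = new HashMap<String, Object>();
        asBoolean.put(name, Boolean.TRUE);

        Map<String, Object> asList = new HashMap<String, Object>();
        asList.put(name, Arrays.asList("true"));

        Map<String, Object> conflicting = new HashMap<String, Object>();
        conflicting.put(name, Arrays.asList("true", "false"));

        Map<String, Object> missing = new HashMap<String, Object>();

        System.out.println("String value      -> " + isRemembered(asString, name));
        System.out.println("Boolean value     -> " + isRemembered(asBoolean, name));
        System.out.println("single-item list  -> " + isRemembered(asList, name));
        System.out.println("conflicting list  -> " + isRemembered(conflicting, name));
        System.out.println("attribute missing -> " + isRemembered(missing, name));
    }
}
```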

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173494#comment-13173494 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Hi Jérôme,

Thanks for the attachment!  If you submit an ICLA, you'll be able to edit the wiki documentation directly (https://cwiki.apache.org/confluence/display/SHIRO/Reference).

Cheers,

Les
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13179125#comment-13179125 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Hi Jérôme,

I checked in the new Maven module after making some code changes.  Please note there is no need for a CasSecurityManager anymore - an existing SecurityManager should be configured with a CasSubjectFactory instance.  Can you please test this with your CAS setup and let me know how it goes?
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13027580#comment-13027580 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

I created a new version of my patch.

Here is my new shiro.ini for my webapp demo :
[main]
authcas = org.apache.shiro.cas.CasFilter
authcas.failureUrl = /demo2/error.jsp

casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles= ROLE_USER
#casRealm.validationProtocol = SAML
casRealm.casServerUrlPrefix = http://localhost:11380/cas/
casRealm.casService = http://localhost:11380/demo2/shiro-cas

roles.loginUrl = http://localhost:11380/cas/login?service=http://localhost:11380/demo2/shiro-cas

securityManager = org.apache.shiro.cas.CasRememberMeSecurityManager

[urls]
/protected/** = roles[ROLE_USER]
/shiro-cas = authcas
/** = anon


The CasFilter has not changed.
The CasToken now has a remember me property.
The CasRealm is no longer abstract; attributes retrieved from service ticket validation are stored in SimpleAuthenticationInfo and used in doGetAuthorization to compute roles and permissions of the user.
It's a bit like the JAAS CasLogin module: default roles and permissions are granted if we are authenticated (or remembered), other roles and permissions are found in attributes: roleAttributeNames is a list of attributes separated by commas, each attribute must be a list of roles separated by commas.
Remember me is a CAS feature not totally defined yet; I submitted a proposal to the CAS community but it's not included in a CAS release (look at https://issues.jasig.org/browse/CASW-46).
I didn't find a solution to create a CasRememberMeManager which works for remember me, so I was obliged to create a CasRememberMeSecurityManager to make remember me work. You have to use it in your configuration like I did in my webapp demo to have remember me through the CAS server.
I don't know if you should keep the remember me feature in a first version of the CAS integration.

Everything is well documented and I added some tests.

Hope it's a good starting point to integrate in trunk.


> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt

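The role computation described in the comment above, as an added example that is not code from the patch or from Shiro: default roles go to every user who authenticated at CAS, and further roles are read only from the attributes named in roleAttributeNames. The class and method names, the sample attribute names (memberOf, groups, displayName) and the handling of multi-valued attributes are assumptions; the attribute maps are constructed sample data.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not the shiro-cas source. It mirrors the rule stated in
 * the comment: defaultRoles are granted to any authenticated user, and each
 * attribute listed in roleAttributeNames holds a comma-separated list of roles.
 * All names here are hypothetical.
 */
public class CasRoleResolutionExample {

    /** Splits "a, b ,c" into trimmed, non-empty items; null yields an empty set. */
    static Set<String> splitCsv(String csv) {
        Set<String> out = new LinkedHashSet<>();
        if (csv == null) {
            return out;
        }
        for (String item : csv.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    /**
     * @param defaultRoles       comma-separated roles granted to every authenticated user
     * @param roleAttributeNames comma-separated names of the attributes that carry roles
     * @param casAttributes      attributes returned by ticket validation (may be null)
     */
    static Set<String> resolveRoles(String defaultRoles,
                                    String roleAttributeNames,
                                    Map<String, Object> casAttributes) {
        Set<String> roles = new LinkedHashSet<>(splitCsv(defaultRoles));
        if (casAttributes == null) {
            return roles;
        }
        for (String name : splitCsv(roleAttributeNames)) {
            Object value = casAttributes.get(name);
            if (value instanceof String) {
                roles.addAll(splitCsv((String) value));
            } else if (value instanceof Collection) {
                // Assumption: a multi-valued attribute arrives as a collection of strings.
                for (Object element : (Collection<?>) value) {
                    if (element instanceof String) {
                        roles.addAll(splitCsv((String) element));
                    }
                }
            }
            // Missing attributes and other value types contribute no roles.
        }
        return roles;
    }

    public static void main(String[] args) {
        String defaultRoles = "ROLE_USER";               // as in the shiro.ini above
        String roleAttributeNames = "memberOf, groups";  // hypothetical attribute names

        // Constructed sample: roles in one attribute, with stray whitespace.
        Map<String, Object> alice = new LinkedHashMap<>();
        alice.put("memberOf", "ROLE_ADMIN , ROLE_AUDIT,");

        // Constructed sample: a role-like string in an attribute that is NOT
        // listed in roleAttributeNames must not grant anything.
        Map<String, Object> bob = new LinkedHashMap<>();
        bob.put("displayName", "ROLE_ADMIN");

        // Constructed sample: multi-valued attribute.
        Map<String, Object> carol = new LinkedHashMap<>();
        carol.put("groups", Arrays.asList("ROLE_DEV", "ROLE_QA, ROLE_DEV"));

        System.out.println("alice -> " + resolveRoles(defaultRoles, roleAttributeNames, alice));
        System.out.println("bob   -> " + resolveRoles(defaultRoles, roleAttributeNames, bob));
        System.out.println("carol -> " + resolveRoles(defaultRoles, roleAttributeNames, carol));
        System.out.println("none  -> " + resolveRoles(defaultRoles, roleAttributeNames, null));
    }
}
```

Because defaultRoles applies to anyone the CAS server authenticates, a rule such as /protected/** = roles[ROLE_USER] only restricts access to "any CAS user" when ROLE_USER is the default role.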

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170591#comment-13170591 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

I noticed the sample shiro.ini when you created the issue - is this sufficient documentation?  Would there be anything else that's relevant for documentation?
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13247539#comment-13247539 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Ryan,

Thanks.
There is complete documentation here : http://shiro.apache.org/cas.html. It should help. I don't know if you checked it.
Don't hesitate to post your problem on the shiro-user mailing list to share questions/answers with others...
If it becomes necessary, I'll create a working example project.
Best regards,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170882#comment-13170882 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Les,

I understand your problem. Here is a new patch : shiro_cas3.txt using the new version of the CAS client and with tests working.
You may have seen that the code is well documented, but I also wrote complete documentation for this shiro-cas module. Where do you want me to put this documentation ?
Thanks,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13089530#comment-13089530 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

The CAS server 3.4.9 (and even 3.4.10) has been released : http://www.jasig.org/cas/download.


> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13179029#comment-13179029 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Hi Jérôme,

Thanks for the ICLA!  I've added you to the 'shiro-contributors' group in Confluence, and you should have Shiro wiki rights now.  Please let me know if you don't.

Also, I've created a new page here:  https://cwiki.apache.org/confluence/display/SHIRO/CAS

Please edit as you see fit!
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt

[jira] [Updated] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jérôme Leleu updated SHIRO-285:
-------------------------------

    Attachment: shiro_cas.txt

The SVN patch of CAS* classes.

> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: Improvement
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13180657#comment-13180657 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Les,

I've added the documentation for the CAS integration on the page you created. I'll let you review it.

I retested everything and I found a problem. A dependency is missing (when using SAML validation):
  <dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.4</version>
  </dependency>

It was working in my first patch but as the cas-client-core version 3.1.10 was replaced by the version 3.2.1, the commons-codec dependency has been marked optional and is therefore missing if it is not explicitly defined in the pom.
With this missing dependency, everything is working just fine. I'll let you add and commit this missing dependency (in the "saml validation" area of the pom).
Thanks.
Cheers,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

       

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13068962#comment-13068962 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

I created a JIRA ticket with the CAS community to complete the remember me feature: https://issues.jasig.org/browse/CAS-973.
The patch has been committed and will be available for the next release 3.4.9.
The only difference is the name of remember me attribute which is now : "longTermAuthenticationRequestTokenUsed" instead of "isRemembered" (in my patch, rememberMeAttributeName property in CasRealm class).
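
The remember-me mapping and the ticket-validation outcome discussed in this issue, as an added example that is not part of the comment above or of the attached patch: a JDK-only parser for a CAS 2.0 serviceValidate response that rejects anything but a single authenticationSuccess and reads the remember-me flag from a configurable attribute name. The class and method names, the sample responses and the placement of the attribute under cas:attributes are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Illustrative only: hypothetical class, not Shiro's CasRealm and not the CAS client.
public class CasRememberMeDemo {

    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Constructed sample responses (not captured traffic). The attribute layout
    // under <cas:attributes> is an assumption about how the server releases it.
    static final String SUCCESS =
          "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
        + "<cas:authenticationSuccess>"
        + "<cas:user>alice</cas:user>"
        + "<cas:attributes>"
        + "<cas:longTermAuthenticationRequestTokenUsed>true"
        + "</cas:longTermAuthenticationRequestTokenUsed>"
        + "</cas:attributes>"
        + "</cas:authenticationSuccess>"
        + "</cas:serviceResponse>";

    static final String FAILURE =
          "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
        + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized"
        + "</cas:authenticationFailure>"
        + "</cas:serviceResponse>";

    // Outcome of a successful validation: the principal and the remember-me flag.
    static final class Validated {
        final String user;
        final boolean remembered;

        Validated(String user, boolean remembered) {
            this.user = user;
            this.remembered = remembered;
        }
    }

    // Parses the response and fails closed: any shape other than exactly one
    // authenticationSuccess with exactly one non-empty user is rejected.
    static Validated validate(String xml, String rememberMeAttributeName) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The response crosses a trust boundary, so DOCTYPE declarations are refused.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList successes = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        NodeList failures = doc.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
        if (successes.getLength() != 1 || failures.getLength() != 0) {
            throw new SecurityException("CAS ticket validation failed");
        }

        Element success = (Element) successes.item(0);
        NodeList users = success.getElementsByTagNameNS(CAS_NS, "user");
        if (users.getLength() != 1) {
            throw new SecurityException("CAS response must carry exactly one user");
        }
        String user = users.item(0).getTextContent().trim();
        if (user.isEmpty()) {
            throw new SecurityException("CAS response carries an empty user");
        }

        // A missing attribute means "not remembered"; it never fails the login.
        boolean remembered = false;
        NodeList flags = success.getElementsByTagNameNS(CAS_NS, rememberMeAttributeName);
        if (flags.getLength() > 0) {
            remembered = Boolean.parseBoolean(flags.item(0).getTextContent().trim());
        }
        return new Validated(user, remembered);
    }

    public static void main(String[] args) throws Exception {
        // Attribute name used since the CAS-973 change.
        Validated current = validate(SUCCESS, "longTermAuthenticationRequestTokenUsed");
        System.out.println(current.user + " remembered=" + current.remembered);

        // Earlier name from the first patch: the lookup finds nothing, so the
        // flag silently stays false when the configured name and server disagree.
        Validated legacy = validate(SUCCESS, "isRemembered");
        System.out.println(legacy.user + " remembered=" + legacy.remembered);

        try {
            validate(FAILURE, "longTermAuthenticationRequestTokenUsed");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```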


> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt
>
>

       

[jira] [Assigned] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood reassigned SHIRO-285:
-----------------------------------

    Assignee: Les Hazlewood
    
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

       

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13169839#comment-13169839 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Hi Jérôme,

With the release of 3.4.10, does that affect or change your latest patch at all?

Thanks,

Les
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt
>
>

       

[jira] [Updated] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Updated JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jérôme Leleu updated SHIRO-285:
-------------------------------

    Attachment: shiro_cas3.txt
    
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

       

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182415#comment-13182415 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi Les,

It's exactly the idea of the "optional" maven dependencies, but I didn't know if you wanted to follow it.
As you define dependencies as "optional", I change the documentation and explain that these 3 dependencies should be added if saml validation is used.
I'm pretty happy that CAS is now supported in shiro.
Cheers,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

       

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182912#comment-13182912 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Great - thanks so much for the help on this one Jérôme.
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

       

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170598#comment-13170598 ] 

Les Hazlewood commented on SHIRO-285:
-------------------------------------

Jerome,

Compilation fails on the ServiceTicketValidatorMock class.  I then changed the type signature to Map<String,Object> there as well, and then it compiles.

However, test cases fail after making these changes.  Can you please update the tests and provide a new patch?

Incremental updates by copying-and-pasting issue posts are cumbersome and error prone - can you please please provide a patch?

Thanks,

Les
                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt
>
>

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Ryan Connolly (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13247479#comment-13247479 ] 

Ryan Connolly commented on SHIRO-285:
-------------------------------------

Nice, Jerome. :)
Any possibility of attaching a working example project?  I am having trouble getting the Shiro/CAS integration working properly with the limited documentation available.

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>

[jira] [Commented] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170084#comment-13170084 ] 

Jérôme Leleu commented on SHIRO-285:
------------------------------------

Hi,

The 3.4.10 release changes the property name I use for remember me.
In the CasRealm class, the rememberMeAttributeName property value should be "longTermAuthenticationRequestTokenUsed" instead of "isRemembered", according to what is defined in the CAS server since 3.4.10.
Regards,
Jérôme

                
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt, shiro_cas2.txt
>
>
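The attribute rename described in the comment above, as an added example that is not part of the SHIRO-285 patch or the CAS client: a lookup that accepts both the pre-3.4.10 and the 3.4.10+ attribute name, so a CAS server upgrade does not quietly switch remember-me detection off. The class `RememberMeAttribute`, its members and the sample attribute maps are hypothetical and constructed for illustration; only the two attribute names come from the thread.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example: RememberMeAttribute and its members are hypothetical names,
// not classes from the SHIRO-285 patch or from the CAS client.
public class RememberMeAttribute {

    // Attribute name used before CAS server 3.4.10 (from the comment above).
    static final String LEGACY_NAME = "isRemembered";
    // Attribute name used since CAS server 3.4.10 (from the comment above).
    static final String CURRENT_NAME = "longTermAuthenticationRequestTokenUsed";

    private final List<String> acceptedNames;

    RememberMeAttribute(String... acceptedNames) {
        this.acceptedNames = Arrays.asList(acceptedNames);
    }

    // True only when an accepted attribute is present and equals true.
    // An absent attribute yields false, so a lookup configured with the
    // wrong name treats every login as not remembered, without any error.
    boolean isRemembered(Map<String, Object> attributes) {
        if (attributes == null) {
            return false;
        }
        for (String name : acceptedNames) {
            Object value = attributes.get(name);
            if (value != null && Boolean.parseBoolean(value.toString().trim())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: attributes after a remember-me login against a
        // CAS server at 3.4.10 or later (string value is an assumption).
        Map<String, Object> newServer = new HashMap<String, Object>();
        newServer.put(CURRENT_NAME, "true");
        newServer.put("mail", "user@example.org");

        // Constructed sample: the same login against an older CAS server.
        Map<String, Object> oldServer = new HashMap<String, Object>();
        oldServer.put(LEGACY_NAME, "true");

        RememberMeAttribute legacyOnly = new RememberMeAttribute(LEGACY_NAME);
        RememberMeAttribute bothNames = new RememberMeAttribute(CURRENT_NAME, LEGACY_NAME);

        // The legacy-only lookup misses the flag sent by the newer server.
        System.out.println("legacy name, new server: " + legacyOnly.isRemembered(newServer));
        System.out.println("both names, new server:  " + bothNames.isRemembered(newServer));
        System.out.println("both names, old server:  " + bothNames.isRemembered(oldServer));
    }
}
```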

       

[jira] [Updated] (SHIRO-285) Integration with CAS

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated SHIRO-285:
--------------------------------

    Issue Type: New Feature  (was: Improvement)

> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: shiro_cas.txt
>
>

[jira] [Updated] (SHIRO-285) Integration with CAS

Posted by "Jérôme Leleu (Updated JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-285?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jérôme Leleu updated SHIRO-285:
-------------------------------

    Attachment: doc_shiro-cas.odt
    
> Integration with CAS
> --------------------
>
>                 Key: SHIRO-285
>                 URL: https://issues.apache.org/jira/browse/SHIRO-285
>             Project: Shiro
>          Issue Type: New Feature
>            Reporter: Jérôme Leleu
>         Attachments: doc_shiro-cas.odt, shiro_cas.txt, shiro_cas2.txt, shiro_cas3.txt
>
>