
Handy Hint
Shiro v1 version notice

As of February 28, 2024, Shiro v1 was superseded by v2.

Deprecation warning

Shiro-CAS support is deprecated; CAS support has moved to the Apache Shiro based buji-pac4j project.

The shiro-cas module protects a web application with a Jasig CAS SSO server: it lets a Shiro-enabled application act as a CAS client.

Basic understanding of the CAS protocol

  1. If you want to access an application protected by a CAS client and you are not yet authenticated in this application, the CAS client redirects you to the CAS server login page. A service parameter in the CAS login URL identifies the application the user wants to log in to.

    http://application.examples.com/protected/index.jsp → HTTP 302 → https://server.cas.com/login?service=http://application.examples.com/shiro-cas
  2. You fill in the login and password and authenticate on the CAS server, which then redirects the user to the application (the service URL) with a service ticket in the URL. The service ticket is a short-lived, one-time-use token redeemable at the CAS server for a user identifier (and optionally, user attributes).

    https://server.cas.com/login?service=http://application.examples.com/shiro-cas → HTTP 302 → http://application.examples.com/shiro-cas?ticket=ST-4545454542121-cas
  3. The application asks the CAS server directly whether the service ticket is valid, and the CAS server responds with the identity of the authenticated user. Generally, the CAS client then forwards the user to the originally requested protected page.

    http://application.examples.com/shiro-cas?ticket=ST-4545454542121-cas → HTTP 302 → http://application.examples.com/protected/index.jsp

How to configure Shiro to work with a CAS server?

Dependency

You need to add the shiro-cas dependency to your application build (shown for Maven, Gradle, SBT, Ivy, Leiningen and Buildr):

<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-cas</artifactId>
  <version>2.0.6</version>
</dependency>
compile 'org.apache.shiro:shiro-cas:2.0.6'
libraryDependencies += "org.apache.shiro" % "shiro-cas" % "2.0.6"
<dependency org="org.apache.shiro" name="shiro-cas" rev="2.0.6"/>
[org.apache.shiro/shiro-cas "2.0.6"]
'org.apache.shiro:shiro-cas:jar:2.0.6'

CasFilter

You have to define the service URL of your application (which must also be declared on the CAS server). This URL is where the application receives the CAS service ticket. For example: http://application.examples.com/shiro-cas

In your Shiro configuration, define the CasFilter:

[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp

(the failure URL is called when service ticket validation fails).

And the URL on which it is available:

[urls]
/shiro-cas = casFilter

This way, when the CAS server redirects the user to the application service URL (/shiro-cas) with a valid service ticket (after authentication), this filter receives the service ticket and creates a CasToken, which is then used by the CasRealm.

CasRealm

The CasRealm uses the CasToken created by the CasFilter to authenticate the user by validating the CAS service ticket against the CAS server.

In your Shiro configuration, add the CasRealm:

[main]
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
#casRealm.defaultPermissions
#casRealm.roleAttributeNames
#casRealm.permissionAttributeNames
#casRealm.validationProtocol = SAML
casRealm.casServerUrlPrefix = https://server.cas.com/
casRealm.casService = http://application.examples.com/shiro-cas

The casServerUrlPrefix is the URL of the CAS server (for example: https://server.cas.com). The casService is the application service URL, the URL on which the application receives the CAS service ticket (for example: http://application.examples.com/shiro-cas). The validationProtocol can be SAML or CAS (default): attributes and remember-me information are only pushed through the SAML validation protocol (except for specific customizations). Which one you can use depends on the version of the CAS server: the SAML protocol can be used with CAS server version >= 3.1.

If you choose SAML validation, you need some more specific dependencies:

<dependency>
  <groupId>commons-codec</groupId>
  <artifactId>commons-codec</artifactId>
  <version>RELEASE</version>
</dependency>
<dependency>
  <groupId>org.opensaml</groupId>
  <artifactId>opensaml</artifactId>
  <version>1.1</version>
</dependency>
<dependency>
  <groupId>org.apache.santuario</groupId>
  <artifactId>xmlsec</artifactId>
  <version>1.4.3</version>
</dependency>
compile 'commons-codec:commons-codec:RELEASE'
compile 'org.opensaml:opensaml:1.1'
compile 'org.apache.santuario:xmlsec:1.4.3'
libraryDependencies += "commons-codec" % "commons-codec" % "RELEASE"
libraryDependencies += "org.opensaml" % "opensaml" % "1.1"
libraryDependencies += "org.apache.santuario" % "xmlsec" % "1.4.3"
<dependency org="commons-codec" name="commons-codec" rev="RELEASE"/>
<dependency org="org.opensaml" name="opensaml" rev="1.1"/>
<dependency org="org.apache.santuario" name="xmlsec" rev="1.4.3"/>
[commons-codec/commons-codec "RELEASE"]
[org.opensaml/opensaml "1.1"]
[org.apache.santuario/xmlsec "1.4.3"]
'commons-codec:commons-codec:jar:RELEASE'
'org.opensaml:opensaml:jar:1.1'
'org.apache.santuario:xmlsec:jar:1.4.3'

The defaultRoles are the default roles given to the authenticated user after a successful CAS authentication. The defaultPermissions are the default permissions given to the authenticated user after a successful CAS authentication. The roleAttributeNames defines the names of the attributes received in the CAS response that carry the roles to give to the authenticated user (the roles are separated by commas). The permissionAttributeNames defines the names of the attributes received in the CAS response that carry the permissions to give to the authenticated user (the permissions are separated by commas).
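The three protocol steps above and the realm settings just described can be followed end to end in a small model of the client side. The Python below is an added illustration, not code from the Shiro project or from shiro-cas: it builds the login redirect (step 1), extracts the service ticket from the callback (step 2), builds the back-channel validation request and parses the server's answer (step 3), and then derives roles and permissions the way the CasRealm settings defaultRoles, defaultPermissions, roleAttributeNames and permissionAttributeNames describe. All function names, the sample ticket and the two XML responses are constructed; the response shape follows the CAS 3.0 protocol, which is the one that carries attributes. The point a defender should take from it is that the ticket in the URL proves nothing by itself: only the answer from the configured casServerUrlPrefix does, and the validation request must send the configured casService, never a service value taken from the incoming request.

```python
"""Model of the CAS client exchange that shiro-cas performs (added illustration,
not Shiro project code; every name, ticket and response below is constructed)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS validation responses


def login_redirect_url(cas_server_url_prefix, cas_service):
    """Step 1: the CAS login page an unauthenticated user is sent to.
    The service parameter names the application URL the ticket goes back to."""
    return cas_server_url_prefix.rstrip("/") + "/login?" + urlencode({"service": cas_service})


def ticket_from_callback(callback_url):
    """Step 2: pull the service ticket out of the redirect to the service URL.
    It is an opaque one-time token; it still has to be redeemed in step 3."""
    tickets = parse_qs(urlparse(callback_url).query).get("ticket", [])
    return tickets[0] if len(tickets) == 1 else None


def validation_url(cas_server_url_prefix, cas_service, ticket):
    """Step 3: back-channel request to the CAS server. The server only accepts
    the ticket for the service it was issued to, so the configured casService
    is sent, never a value taken from the incoming request."""
    return (cas_server_url_prefix.rstrip("/") + "/serviceValidate?"
            + urlencode({"service": cas_service, "ticket": ticket}))


def parse_validation_response(xml_text):
    """Turn a serviceValidate response into user + attributes, or a failure code."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        return {"ok": False, "code": failure.get("code") if failure is not None else "UNKNOWN"}
    attributes = {}
    attr_el = success.find(f"{{{CAS_NS}}}attributes")
    if attr_el is not None:
        for child in attr_el:                    # multi-valued attributes repeat the element
            name = child.tag.split("}")[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True, "user": success.findtext(f"{{{CAS_NS}}}user"), "attributes": attributes}


def resolve_authorizations(attributes, default_roles="", default_permissions="",
                           role_attribute_names="", permission_attribute_names=""):
    """Mirror the CasRealm settings: defaults plus comma-separated values read
    from the named CAS attributes (all four settings are comma-separated lists)."""
    def split(csv):
        return [v.strip() for v in csv.split(",") if v.strip()]
    roles = set(split(default_roles))
    permissions = set(split(default_permissions))
    for name in split(role_attribute_names):
        for value in attributes.get(name, []):
            roles.update(split(value))
    for name in split(permission_attribute_names):
        for value in attributes.get(name, []):
            permissions.update(split(value))
    return roles, permissions


# Constructed sample responses in the CAS 3.0 response shape.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>ROLE_ADMIN, ROLE_AUDIT</cas:memberOf>
      <cas:perms>report:read</cas:perms>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def demo():
    """Run the flow on the constructed data; SUCCESS_XML stands in for the
    HTTPS call that would be made to validation_url(...)."""
    service = "http://application.examples.com/shiro-cas"
    ticket = ticket_from_callback(service + "?ticket=ST-4545454542121-cas")
    result = parse_validation_response(SUCCESS_XML)
    roles, perms = resolve_authorizations(result["attributes"], default_roles="ROLE_USER",
                                          role_attribute_names="memberOf",
                                          permission_attribute_names="perms")
    return ticket, result["user"], sorted(roles), sorted(perms)


if __name__ == "__main__":
    print(login_redirect_url("https://server.cas.com/", "http://application.examples.com/shiro-cas"))
    print(demo())
```

The failure branch matters as much as the success one: a response without authenticationSuccess, or a ticket that is missing or repeated in the callback, must end at the casFilter.failureUrl rather than in a logged-in session, which is exactly what the CasFilter and CasRealm pairing enforces in Shiro.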

CasSubjectFactory

On the CAS server, you can have "remember me" support. This information is pushed through SAML validation or a customized CAS validation. To reflect the CAS remember-me status in Shiro, define a specific CasSubjectFactory in your Shiro configuration:

[main]
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory

Security of the application

Finally, you have to define the security of your application.

In your Shiro configuration, protect URLs with roles (for example):

[urls]
/protected/** = roles[ROLE_USER]
/** = anon

And the login URL used when the user is not authenticated must point to the CAS server, with the application service URL as the service parameter:

[main]
roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas

This way, if you are not authenticated and try to access a /protected/** URL, you are redirected to the CAS server for authentication.

Complete configuration sample

[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp

casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = https://server.cas.com/
casRealm.casService = http://application.examples.com/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory

roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas

[urls]
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]
/** = anon

History

Version 1.2.0: first release of the shiro-cas module.