| <!DOCTYPE html> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"/> |
| <title>Integrating Apache Shiro with CAS SSO server | Apache Shiro</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| <meta name="keywords" content='documentation,cas'> |
| <meta name="generator" content="JBake"> |
| <meta name="google-site-verification" content="QIax6uT5UX3enoU0G8Pz2pXbQ45KaQuHZ3nCh9V27mw"> |
| <meta name="google-site-verification" content="ecFap6dWJgS_GCCtxmJQJ_nFYQhM6EgSpBPZDU7xsCE"> |
| <meta name="google-site-verification" content="gBTYOG8lMfNb_jrWrH3kFbudpEs_WrAJ2lb2-zLRaso"/> |
| <meta name="msvalidate.01" content="0B57EB46CBFAD8FD45008D2DB6B6C68C"> |
| |
| <meta property="og:title" content="Integrating Apache Shiro with CAS SSO server | Apache Shiro"/> |
| <meta property="og:type" content="article"/> |
| <meta name="twitter:card" content="summary" /> |
| <meta name="twitter:site" content="@ApacheShiro" /> |
| <meta property="article:modification_time" content="2010-03-18T00:00:00Z"/> |
| <meta property="article:tag" content='documentation'/> |
| <meta property="article:tag" content='cas'/> |
| <meta property="og:locale" content="en_US" /> |
| <meta property="og:url" content='https://shiro.apache.org/cas.html'/> |
| <meta property="og:image" content='images/shiro-featured-image.png'/> |
| <meta property="og:image:width" content='1200'/> |
| <meta property="og:image:height" content='628'/> |
| <meta property="og:site_name" content="Apache Shiro"/> |
| |
| <!-- Le styles --> |
| <link href="css/bootstrap.min.css" rel="stylesheet"> |
| <link href="bootstrap-icons-1.5.0/bootstrap-icons.css" rel="stylesheet"> |
| <link href="css/asciidoctor.css" rel="stylesheet"> |
| <link href="css/base.css" rel="stylesheet"> |
| <link href="highlight.js-11.2.0/styles/default.min.css" rel="stylesheet"> |
| <link href="css/gh-pages/gh-fork-ribbon.css" rel="stylesheet"/> |
| |
| <!-- Fav and touch icons --> |
| <!--<link rel="apple-touch-icon-precomposed" sizes="144x144" href="../assets/ico/apple-touch-icon-144-precomposed.png"> |
| <link rel="apple-touch-icon-precomposed" sizes="114x114" href="../assets/ico/apple-touch-icon-114-precomposed.png"> |
| <link rel="apple-touch-icon-precomposed" sizes="72x72" href="../assets/ico/apple-touch-icon-72-precomposed.png"> |
| <link rel="apple-touch-icon-precomposed" href="../assets/ico/apple-touch-icon-57-precomposed.png">--> |
| <link rel="shortcut icon" href="favicon.ico"> |
| |
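| <!-- Matomo: cookieless page-view and link tracking; the tracker script is injected asynchronously. --> |
| <script> |
| // Queue of tracker commands; an existing window._paq is reused rather than replaced. |
| var _paq = window._paq = window._paq || []; |
| /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ |
| _paq.push(['disableCookies']); |
| _paq.push(['trackPageView']); |
| _paq.push(['enableLinkTracking']); |
| (function() { |
| // Explicit https:// instead of a protocol-relative URL, so the tracker script is never fetched over plain HTTP. |
| var u="https://matomo.privacy.apache.org/"; |
| _paq.push(['setTrackerUrl', u+'matomo.php']); |
| _paq.push(['setSiteId', '2']); |
| // Insert the async tracker script ahead of the first script element in the document. |
| var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; |
| g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); |
| })(); |
| </script> |
| <!-- End Matomo Code --> |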
| </head> |
| <body> |
| <div id="top-bar"></div> |
| |
| <div id="wrap"> |
| |
| <div class="masthead"> |
| <p class="lead"> |
| <a href="index.html"><img src="images/apache-shiro-logo.png" style="height:100px; width:auto; vertical-align: bottom; margin-top: 20px;" alt="Apache Shiro Logo"></a> |
| <span class="tagline">Simple. Java. Security.</span> |
| <a class="pull-right" href="https://www.apache.org/events/current-event.html"> |
| <img style="padding-top: 8px" src="https://www.apache.org/events/current-event-125x125.png" alt="Apache Software Foundation Event Banner"/> |
| </a> |
| </p> |
| </div> |
| |
| |
| <div class="page-header"> |
| <h1>Integrating Apache Shiro with CAS SSO server</h1> |
| </div> |
| |
| |
| <div class="admonitionblock tip"> |
| <table> |
| <tbody> |
| <tr> |
| <td class="icon"> |
| <div class="title">Handy Hint</div> |
| </td> |
| <td class="content"> |
| <div class="title">Shiro v1 version notice</div> |
| <div class="paragraph"> |
| <p>As of 2024-03-01, Shiro v1 will soon be superseded by v2.</p> |
| </div> |
| </td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| |
| <div id="toc" class="toc"> |
| <div id="toctitle">Table of Contents</div> |
| <ul class="sectlevel1"> |
| <li><a href="#CAS-BasicunderstandingoftheCASprotocol">Basic understanding of the CAS protocol</a></li> |
| <li><a href="#how_to_configure_shiro_to_work_with_cas_server">How to configure shiro to work with CAS server?</a> |
| <ul class="sectlevel2"> |
| <li><a href="#dependency">Dependency</a></li> |
| <li><a href="#casfilter">CasFilter</a></li> |
| <li><a href="#casrealm">CasRealm</a></li> |
| <li><a href="#cassubjectfactory">CasSubjectFactory</a></li> |
| <li><a href="#security_of_the_application">Security of the application</a></li> |
| <li><a href="#complete_configuration_sample">Complete configuration sample</a></li> |
| </ul> |
| </li> |
| <li><a href="#history">History</a></li> |
| </ul> |
| </div> |
| <div id="preamble"> |
| <div class="sectionbody"> |
| <div class="admonitionblock warning"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <i class="fa icon-warning" title="Warning"></i> |
| </td> |
| <td class="content"> |
| <div class="title">Deprecation warning</div> |
| <div class="paragraph"> |
| <p>Shiro-CAS support is deprecated; support has moved to the Apache Shiro-based <a href="https://github.com/bujiio/buji-pac4j">buji-pac4j</a> project.</p> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| <div class="paragraph"> |
| <p>The <em>shiro-cas</em> module is made to protect a web application with a <a href="https://wiki.jasig.org/display/CAS/Home">Jasig CAS</a> SSO server. It enables a Shiro-enabled application to be a CAS client.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="CAS-BasicunderstandingoftheCASprotocol">Basic understanding of the CAS protocol</h2> |
| <div class="sectionbody"> |
| <div class="olist arabic"> |
| <ol class="arabic"> |
| <li> |
| <p>If you want to access an application protected by a CAS client and you are not yet authenticated in that application, the CAS client redirects you to the CAS server login page. |
| A service parameter in the CAS login URL identifies the application the user wants to log in to.</p> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-nohighlight hljs" data-lang="nohighlight">http://application.examples.com/protected/index.jsp → HTTP 302 → https://server.cas.com/login?service=http://application.examples.com/shiro-cas</code></pre> |
| </div> |
| </div> |
| </li> |
| <li> |
| <p>You enter your login and password and authenticate to the CAS server, which then redirects you to the application (the service URL) with a service ticket in the URL. |
| The service ticket is a short-lived, one-time-use token redeemable at the CAS server for a user identifier (and, optionally, user attributes).</p> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-nohighlight hljs" data-lang="nohighlight">https://server.cas.com/login?service=http://application.examples.com/shiro-cas → HTTP 302 → http://application.examples.com/shiro-cas?ticket=ST-4545454542121-cas</code></pre> |
| </div> |
| </div> |
| </li> |
| <li> |
| <p>The application asks the CAS server directly whether the service ticket is valid, and the CAS server responds with the identity of the authenticated user. |
| Generally, the CAS client then forwards the user to the originally requested protected page.</p> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-nohighlight hljs" data-lang="nohighlight">http://application.examples.com/shiro-cas?ticket=ST-4545454542121-cas → HTTP 302 → http://application.examples.com/protected/index.jsp</code></pre> |
| </div> |
| </div> |
| </li> |
| </ol> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="how_to_configure_shiro_to_work_with_cas_server">How to configure shiro to work with CAS server?</h2> |
| <div class="sectionbody"> |
| <div class="sect2"> |
| <h3 id="dependency">Dependency</h3> |
| <div class="paragraph"> |
| <p>You need to add the <em>shiro-cas</em> Maven dependency to your application:</p> |
| </div> |
| <ul class="nav nav-tabs" id="dependency-casmain-tab" role="tablist"> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link active" |
| id="maven-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#maven-casmain" |
| type="button" |
| role="tab" |
| aria-controls="maven-casmain" |
| aria-selected="true" |
| >Maven</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="gradle-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#gradle-casmain" |
| type="button" |
| role="tab" |
| aria-controls="gradle-casmain" |
| aria-selected="false" |
| >Gradle</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="sbt-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#sbt-casmain" |
| type="button" |
| role="tab" |
| aria-controls="sbt-casmain" |
| aria-selected="false" |
| >SBT</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="ivy-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#ivy-casmain" |
| type="button" |
| role="tab" |
| aria-controls="ivy-casmain" |
| aria-selected="false" |
| >Ivy</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="leiningen-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#leiningen-casmain" |
| type="button" |
| role="tab" |
| aria-controls="leiningen-casmain" |
| aria-selected="false" |
| >Leiningen</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="buildr-casmain-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#buildr-casmain" |
| type="button" |
| role="tab" |
| aria-controls="buildr-casmain" |
| aria-selected="false" |
| >Buildr</button> |
| </li> |
| </ul> |
| |
| <div class="tab-content" id="dependency-casmain-tab-content"> |
| <div |
| class="tab-pane fade show active" |
| id="maven-casmain" |
| role="tabpanel" |
| aria-labelledby="maven-casmain-tab" |
| > |
| <pre><code class='xml language-xml'><dependency> |
| <groupId>org.apache.shiro</groupId> |
| <artifactId>shiro-cas</artifactId> |
| <version>2.0.0</version> |
| </dependency> |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="gradle-casmain" |
| role="tabpanel" |
| aria-labelledby="gradle-casmain-tab" |
| > |
| <pre><code class='groovy language-groovy'>compile 'org.apache.shiro:shiro-cas:2.0.0' |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="sbt-casmain" |
| role="tabpanel" |
| aria-labelledby="sbt-casmain-tab" |
| > |
| <pre><code class='scala language-scala'>libraryDependencies += "org.apache.shiro" % "shiro-cas" % "2.0.0" |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="ivy-casmain" |
| role="tabpanel" |
| aria-labelledby="ivy-casmain-tab" |
| > |
| <pre><code class='xml language-xml'><dependency org="org.apache.shiro" name="shiro-cas" rev="2.0.0"/> |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="leiningen-casmain" |
| role="tabpanel" |
| aria-labelledby="leiningen-casmain-tab" |
| > |
| <pre><code class='clojure language-clojure'>[org.apache.shiro/shiro-cas "2.0.0"] |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="buildr-casmain" |
| role="tabpanel" |
| aria-labelledby="buildr-casmain-tab" |
| > |
| <pre><code class='groovy language-groovy'>'org.apache.shiro:shiro-cas:jar:2.0.0' |
| </code></pre> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="casfilter">CasFilter</h3> |
| <div class="paragraph"> |
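| <p>You have to define the service URL of your application (which must also be declared in the CAS server). |
| This URL is used to receive the CAS service ticket. For example: <a href="http://application.examples.com/shiro-cas" class="bare">http://application.examples.com/shiro-cas</a>. Because the service ticket arrives in the query string of this URL, a production deployment should expose it over HTTPS rather than the plain <code>http://</code> scheme used in the examples on this page.</p> |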
| </div> |
| <div class="paragraph"> |
| <p>In your shiro configuration, you have to define the <code>CasFilter</code>:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[main] |
| casFilter = org.apache.shiro.cas.CasFilter |
| casFilter.failureUrl = /error.jsp</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>(the failure url is called when the service ticket validation fails).</p> |
| </div> |
| <div class="paragraph"> |
| <p>And the url on which it is available:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[urls] |
| /shiro-cas = casFilter</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>This way, when the user is redirected to the application service url (<em>/shiro-cas</em>) by the CAS server with a valid service ticket (after authentication), this filter receives the service ticket and creates a <code>CasToken</code> which can be used by the <code>CasRealm</code>.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="casrealm">CasRealm</h3> |
| <div class="paragraph"> |
| <p>The <code>CasRealm</code> uses the <code>CasToken</code> created by the <code>CasFilter</code> to authenticate the user by validating the CAS service ticket against the CAS server.</p> |
| </div> |
| <div class="paragraph"> |
| <p>In your shiro configuration, you have to add the <code>CasRealm</code>:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[main] |
| casRealm = org.apache.shiro.cas.CasRealm |
| casRealm.defaultRoles = ROLE_USER |
| #casRealm.defaultPermissions |
| #casRealm.roleAttributeNames |
| #casRealm.permissionAttributeNames |
| #casRealm.validationProtocol = SAML |
| casRealm.casServerUrlPrefix = https://server.cas.com/ |
| casRealm.casService = http://application.examples.com/shiro-cas</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>The <em>casServerUrlPrefix</em> is the URL of the CAS server (for example: <a href="https://server.cas.com" class="bare">https://server.cas.com</a>). Keep this prefix on <code>https://</code>: the realm accepts the identity that this server returns when it validates the ticket. |
| The <em>casService</em> is the application service URL, the URL on which the application receives the CAS service ticket (for example: <a href="http://application.examples.com/shiro-cas" class="bare">http://application.examples.com/shiro-cas</a>). |
| The <em>validationProtocol</em> can be SAML or CAS (default): attributes and remember-me information are only pushed through the SAML validation protocol (except for specific customizations). It depends on the version of the CAS server: the SAML protocol can be used with CAS server version >= 3.1.</p> |
| </div> |
| <div class="admonitionblock caution"> |
| <table> |
| <tr> |
| <td class="icon"> |
| <i class="fa icon-caution" title="Caution"></i> |
| </td> |
| <td class="content"> |
| <div class="paragraph"> |
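| <p>If you choose SAML validation, you need some more specific dependencies, listed below. Note that commons-codec is declared with the floating <code>RELEASE</code> version and the other two are pinned to specific older releases; for reproducible builds, pin explicit versions, and check the versions you actually use against current security advisories.</p> |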
| </div> |
| <ul class="nav nav-tabs" id="dependency-saml-tab" role="tablist"> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link active" |
| id="maven-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#maven-saml" |
| type="button" |
| role="tab" |
| aria-controls="maven-saml" |
| aria-selected="true" |
| >Maven</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="gradle-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#gradle-saml" |
| type="button" |
| role="tab" |
| aria-controls="gradle-saml" |
| aria-selected="false" |
| >Gradle</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="sbt-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#sbt-saml" |
| type="button" |
| role="tab" |
| aria-controls="sbt-saml" |
| aria-selected="false" |
| >SBT</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="ivy-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#ivy-saml" |
| type="button" |
| role="tab" |
| aria-controls="ivy-saml" |
| aria-selected="false" |
| >Ivy</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="leiningen-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#leiningen-saml" |
| type="button" |
| role="tab" |
| aria-controls="leiningen-saml" |
| aria-selected="false" |
| >Leiningen</button> |
| </li> |
| <li class="nav-item" role="presentation"> |
| <button |
| class="nav-link" |
| id="buildr-saml-tab" |
| data-bs-toggle="tab" |
| data-bs-target="#buildr-saml" |
| type="button" |
| role="tab" |
| aria-controls="buildr-saml" |
| aria-selected="false" |
| >Buildr</button> |
| </li> |
| </ul> |
| |
| <div class="tab-content" id="dependency-saml-tab-content"> |
| <div |
| class="tab-pane fade show active" |
| id="maven-saml" |
| role="tabpanel" |
| aria-labelledby="maven-saml-tab" |
| > |
| <pre><code class='xml language-xml'><dependency> |
| <groupId>commons-codec</groupId> |
| <artifactId>commons-codec</artifactId> |
| <version>RELEASE</version> |
| </dependency> |
| <dependency> |
| <groupId>org.opensaml</groupId> |
| <artifactId>opensaml</artifactId> |
| <version>1.1</version> |
| </dependency> |
| <dependency> |
| <groupId>org.apache.santuario</groupId> |
| <artifactId>xmlsec</artifactId> |
| <version>1.4.3</version> |
| </dependency> |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="gradle-saml" |
| role="tabpanel" |
| aria-labelledby="gradle-saml-tab" |
| > |
| <pre><code class='groovy language-groovy'>compile 'commons-codec:commons-codec:RELEASE' |
| compile 'org.opensaml:opensaml:1.1' |
| compile 'org.apache.santuario:xmlsec:1.4.3' |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="sbt-saml" |
| role="tabpanel" |
| aria-labelledby="sbt-saml-tab" |
| > |
| <pre><code class='scala language-scala'>libraryDependencies += "commons-codec" % "commons-codec" % "RELEASE" |
| libraryDependencies += "org.opensaml" % "opensaml" % "1.1" |
| libraryDependencies += "org.apache.santuario" % "xmlsec" % "1.4.3" |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="ivy-saml" |
| role="tabpanel" |
| aria-labelledby="ivy-saml-tab" |
| > |
| <pre><code class='xml language-xml'><dependency org="commons-codec" name="commons-codec" rev="RELEASE"/> |
| <dependency org="org.opensaml" name="opensaml" rev="1.1"/> |
| <dependency org="org.apache.santuario" name="xmlsec" rev="1.4.3"/> |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="leiningen-saml" |
| role="tabpanel" |
| aria-labelledby="leiningen-saml-tab" |
| > |
| <pre><code class='clojure language-clojure'>[commons-codec/commons-codec "RELEASE"] |
| [org.opensaml/opensaml "1.1"] |
| [org.apache.santuario/xmlsec "1.4.3"] |
| </code></pre> |
| </div> |
| <div |
| class="tab-pane fade" |
| id="buildr-saml" |
| role="tabpanel" |
| aria-labelledby="buildr-saml-tab" |
| > |
| <pre><code class='groovy language-groovy'>'commons-codec:commons-codec:jar:RELEASE' |
| 'org.opensaml:opensaml:jar:1.1' |
| 'org.apache.santuario:xmlsec:jar:1.4.3' |
| </code></pre> |
| </div> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| <div class="paragraph"> |
| <p>The <em>defaultRoles</em> are the default roles given to the authenticated user after CAS authentication succeeds. |
| The <em>defaultPermissions</em> are the default permissions given to the authenticated user after CAS authentication succeeds. |
| The <em>roleAttributeNames</em> defines the names of the attributes received in the CAS response which define the roles to give to the authenticated user (the roles are separated by commas). |
| The <em>permissionAttributeNames</em> defines the names of the attributes received in the CAS response which define the permissions to give to the authenticated user (the permissions are separated by commas). Note that with <code>defaultRoles = ROLE_USER</code>, every user the CAS server authenticates receives <code>ROLE_USER</code>, so a <code>roles[ROLE_USER]</code> rule admits any CAS-authenticated user.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="cassubjectfactory">CasSubjectFactory</h3> |
| <div class="paragraph"> |
| <p>The CAS server can provide "remember me" support. This information is pushed through SAML validation or customized CAS validation. |
| To reflect the CAS remember-me status in Shiro, you have to define a specific <code>CasSubjectFactory</code> in your Shiro configuration:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[main] |
| casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory |
| securityManager.subjectFactory = $casSubjectFactory</code></pre> |
| </div> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="security_of_the_application">Security of the application</h3> |
| <div class="paragraph"> |
| <p>Finally, you have to define the security of your application.</p> |
| </div> |
| <div class="paragraph"> |
| <p>In your Shiro configuration, you have to protect URLs, with roles for example:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[urls] |
| /protected/** = roles[ROLE_USER] |
| /** = anon</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>The login URL, used when the user is not authenticated, must point to the CAS server and carry the application service URL:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[main] |
| roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>This way, if you are not authenticated and try to access a <em>/protected/**</em> URL, you are redirected to the CAS server for authentication.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="complete_configuration_sample">Complete configuration sample</h3> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlightjs highlight"><code class="language-ini hljs" data-lang="ini">[main] |
| casFilter = org.apache.shiro.cas.CasFilter |
| casFilter.failureUrl = /error.jsp |
| |
| casRealm = org.apache.shiro.cas.CasRealm |
| casRealm.defaultRoles = ROLE_USER |
| casRealm.casServerUrlPrefix = https://server.cas.com/ |
| casRealm.casService = http://application.examples.com/shiro-cas |
| casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory |
| securityManager.subjectFactory = $casSubjectFactory |
| |
| roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas |
| |
| [urls] |
| /shiro-cas = casFilter |
| /protected/** = roles[ROLE_USER] |
| /** = anon</code></pre> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="history">History</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p><em>Version 1.2.0</em>: first release of the <em>shiro-cas</em> module.</p> |
| </div> |
| </div> |
| </div> |
| <hr /> |
| |
| </div> |
| |
| <div class="footer-padding"></div> |
| |
| <div class="container-fluid pt-2 border-top" id="custom-footer"> |
| <footer class="row justify-content-between align-items-center"> |
| <div class=" col-md-5"> |
| <div class="copyright-footer justify-content-start"> |
| <a href="https://www.apache.org/foundation/contributing.html">Donate to the ASF</a> | |
| <a href="https://www.apache.org/licenses/LICENSE-2.0.html">License</a> |
| <p class="text-muted">Copyright © 2008-2024 The Apache Software Foundation</p> |
| </div> |
| </div> |
| |
| |
| <div class="d-flex justify-content-end col-md-4" id="editThisPage"> |
| <input type="hidden" id="ghEditPage" value="https://github.com/apache/shiro-site/edit/main/src/site/content/cas.adoc"/> |
| </div> |
| |
| <div class="d-flex col-md-2 justify-content-end" style="position: relative"> |
| <div class="footer-shield"></div> |
| </div> |
| </footer> |
| </div> |
| |
| |
| <!-- Le javascript |
| ================================================== --> |
| <!-- Placed at the end of the document so the pages load faster --> |
| <script src="js/bootstrap.min.js"></script> |
| <script src="highlight.js-11.2.0/highlight.min.js"></script> |
| <script src="js/shiro.js"></script> |
| |
| <!-- NOTE(review): addPageEditLink() is invoked immediately here and its return value is what docReady receives. Both names are presumably defined in js/shiro.js; confirm that addPageEditLink returns a callback, otherwise the function reference should be passed instead. --> |
| <script> |
| docReady( |
| addPageEditLink() |
| ); |
| </script> |
| <script>hljs.highlightAll();</script> |
| |
| </body> |
| </html> |