Configuring Spring Security CAS Providers with Java Config

It can take a little digging to move Spring Security + CAS XML configuration to Java. Here is the Java config equivalent to the SS documentations example..

Object Partners

Configuring Spring Security to use CAS as a provider is pretty easy following the example in the documentation. However, once it’s time to start a new Boot project or move the old XML configuration to Java, it can take a little digging to get it running.

Below is the (nearly) equivalent Java configuration to the documentation:

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService("https://localhost:8443/cas-sample/j_spring_cas_security_check");
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
        casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
        return casAuthenticationProvider;
    }

    @Bean
    public AuthenticationUserDetailsService authenticationUserDetailsService() {
        return new TestCasAuthenticationUserDetailsService();
    }

    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator("https://localhost:9443/cas)";
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return casAuthenticationFilter;
    }

    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl("https://localhost:9443/cas/login");
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilter(casAuthenticationFilter());
        http
            .exceptionHandling()
                .authenticationEntryPoint(casAuthenticationEntryPoint());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(casAuthenticationProvider());
    }
}

Notice I said “nearly equivalent”. The documentation uses an in-memory version of UserDetailsService to provide simple login with this markup:

<security:user-service id="userService">
  <security:user name="joe" password="joe" authorities="ROLE_USER" />
  ...
</security:user-service>

This is usually handled in Java config easily by calling the inMemoryAuthentication() method on the AuthenticationManagerBuilder (in the last configure() method from the gist above). However, the CasAuthenticationProvider deprecated the use of UserDetailsService in favor of AuthenticationUserDetailsService, so we will just create an implementation. The implementation below hardcodes the same user from the old user-service element that will be logged in after successful CAS authentication:

public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new User("joe", "joe", authorities);
    }
}

This bean is defined on line 24 and injected into the CasAuthenticationProvider on line 16. This is obviously just a toy implementation to get up and running, but this class is what you can use to do the lookup on users to load their authorities for the application.

Share this Post

Related Blog Posts

JVM

Automatically test your dirty Grails classes

May 15th, 2014

A script to grab the list of modified files from git, parse their filenames, and pass those names for testing in grails test-app.

Igor Shults
JVM

Grails R14 Error (Memory quota exceeded) on Heroku

May 13th, 2014

Explains how to resolve the Grails R14 Error when it is encountered on Heroku.

Brandon Fish
JVM

Reuse your Gradle logic across the enterprise

April 24th, 2014

Gradle build code will sometimes need to be reused across the enterprise. Here are a few ways to do so.

David Norton

About the author

Object Partners

The Company

Insert bio here