CAS vs Spring Security PLUS CAS


Chris Kell

Jul 8, 2021, 6:35:58 PM
to CAS Community
I'm making a web app for my company for a new product and we've set up a CAS server for authentication. I'm fairly new to Spring in the first place so this has been a pretty steep curve all around, but I've finally used the java-cas-client to integrate CAS into my app.

I wound up doing this because all the tutorials and guides on how to set up Spring Security + CAS never worked.
But now that I've CAS going at all, I'm wondering if I shouldn't go back to trying to get it working with Spring Security as well. Does anyone have any comments/thoughts/experiences that might enlighten me as to what the "best" path forward is?

Fernando Bárcenas Martínez

Jul 9, 2021, 10:26:36 AM
to CAS Community, worlds...@gmail.com
This is just a thought. I'm in kind of the same position as you are. I was given the task to implement SSO and SLO for our apps even though I'm rather inexperienced and been working with Spring for less than a year.

I don't know exactly which versions of either Spring, Java or CAS you are using, and I've found it matters (little, but it does, especially for configuration). The Spring Security tutorials I think you've followed do work, but they don't really go into much detail, and after a couple of months struggling with it, I found out that the configuration can be VERY flexible. You can autowire several components or declare them as beans or as plain objects, for instance. My first recommendation is to read carefully the basic documentation for the version of CAS you're deploying and read carefully the tutorials and the code. The goal is to really understand how CAS works, as knowing this will make debugging rather straightforward. Next, set goals per point in the Spring Security-to-CAS communications as described by the Spring Security team in their documentation.

You could also mention what style of configuration you're using. I believe XML config is the easiest right now because that's exactly how Spring Security has it documented (even if Spring itself encourages the use of Java config or properties file config). For Java config I could be more helpful, but translating from XML to Java beans is rather easy (again, understanding the Spring Security-to-CAS flow is pretty much a must here) and most recent tutorials use yaml/application.properties type of config, so just read carefully.

If, by any chance, you are using a Java 8 stack in Spring (not Boot) applications (or use Java config) with CAS 5.3.x, then I might be able to help you a bit. I'm guessing most troubles you had revolved around the URLs or Too many petitions or even SSL handshakes if you went that far (not to mention the SAN little issue when working with self-signed certificates).

For short, it works with Spring Security. If you are working with Spring, my recommendation would be to take advantage of Security. 

Richard Frovarp

Jul 9, 2021, 10:49:07 AM
to cas-...@apereo.org
Fernando's message below is great advice. The version of the CAS server isn't going to matter too terribly much. It will depend on what protocol you are planning to use against CAS. I'm going to guess CAS Protocol v3, which gives you everything you need. You are going to want a security library in your application. Since it is taking logins, something in it must be not for public consumption, and the easiest way to tie all of that together is through a security library. I use Apache Shiro (we don't use Spring), but have used Spring Security in the past and it is a very capable library. You will want to take advantage of Spring Security, and you will want to have CAS auth travel through your security library.
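Added example, not written by any of the posters above and not the CAS or Spring Security project's own code: a minimal Spring Security 5.x Java-config wiring for the CAS Protocol v3 flow the thread discusses, in the `WebSecurityConfigurerAdapter` style with the `org.jasig` java-cas-client 3.x. The host names, the provider key and the blanket `ROLE_USER` mapping are assumptions.

```java
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.springframework.context.annotation.*;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

@Configuration @EnableWebSecurity
public class CasSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String CAS = "https://cas.example.org/cas";           // assumed CAS server prefix
    private static final String SERVICE = "https://app.example.org/login/cas"; // assumed app callback URL
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(SERVICE); // sent to CAS at login and again at ticket validation
        return sp;
    }

    @Bean
    public CasAuthenticationProvider casProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas30ServiceTicketValidator(CAS)); // CAS Protocol v3 validation
        // Assumption: every CAS-authenticated principal is mapped to ROLE_USER.
        p.setAuthenticationUserDetailsService(token ->
            new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER")));
        p.setKey("cas-provider-key"); // constructed value
        return p;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CasAuthenticationEntryPoint entry = new CasAuthenticationEntryPoint();
        entry.setLoginUrl(CAS + "/login"); // unauthenticated requests are redirected here
        entry.setServiceProperties(serviceProperties());
        CasAuthenticationFilter filter = new CasAuthenticationFilter(); // consumes the ticket at /login/cas
        filter.setAuthenticationManager(authenticationManager());
        http.addFilter(filter).exceptionHandling().authenticationEntryPoint(entry).and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The `service` value must be the URL that `CasAuthenticationFilter` processes (`/login/cas` by default), because CAS compares the service given at login with the one presented at ticket validation.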

