How to turn off SSO authentication on client side occasionally


Tiancheng Hu

Sep 20, 2017, 4:12:49 AM
to CAS Community
Out of necessity, I have to implement a switchable SSO scheme on the web app side.

The current plan is to add a top-level filter which retrieves the SSO ON/OFF config and forwards to 4 SSO filters + 1 SLO filter when SSO's on, or carries on to non-SSO authentication when SSO's off.
if (!isSsoOn) {
    chain.doFilter(request, response);
} else {
    String path = request.getRequestURI().substring(request.getContextPath().length());
    request.getRequestDispatcher("/sso" + path).forward(request, response);
}

For this, I need to map the SSO filters to a pattern like "/sso/*" and remove this prefix after SSO handling (authentication, ticket-validation, request-wrapper, assertion-thread-localization). Is it secure, or appropriate, to do so, considering all the subsequent redirecting between cas-server and cas-client?

TimothyHu

Sep 20, 2017, 4:18:08 AM
to CAS Community
I'm using CasServer 4.2.7 and CasClient 3.4.1, aiming at normal Servlet Apps. 

Ray Bon

Sep 20, 2017, 12:57:19 PM
to cas-...@apereo.org
Tiancheng,

My filter knowledge may be rusty but you could break out of the filter chain when !isSsoOn.
if (isSsoOn) {
    chain.doFilter(request, response); // continue with CAS filters
} else {
    String path = ...; // non SSO login
    response.sendRedirect(path);
}

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

TimothyHu

Sep 26, 2017, 4:56:46 AM
to CAS Community
Thank you, Ray~
I finally solved it by calling request.setAttribute("isSsoOff", Boolean.TRUE) in the top-level filter, and then checking it in the doFilter() method of CAS's AuthenticationFilter (actually I created a delegate class).
AuthenticationFilter can also handle the ignorePattern parameter, which means if I can append "&ssoOff=true" to the request URL, I don't even need to override the CAS client filter.
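
The request-attribute approach from the last post, sketched as an added example (not the poster's code and not part of the CAS client). The class names `SwitchableSso`, `SsoSwitchFilter` and `SwitchableAuthenticationFilter` and the `ssoOn` init-param are assumptions made for illustration; the delegate takes the same init-params the CAS `AuthenticationFilter` would.

```java
import java.io.IOException;
import javax.servlet.*;
import org.jasig.cas.client.authentication.AuthenticationFilter;

public final class SwitchableSso {
    static final String SSO_OFF_ATTR = "isSsoOff"; // attribute name from the post

    /** Mapped first in web.xml: records the server-side switch on every request. */
    public static class SsoSwitchFilter implements Filter {
        private boolean ssoOn;

        @Override public void init(FilterConfig cfg) {
            // Assumption: the switch is a filter init-param named "ssoOn".
            // SSO stays on unless it is explicitly set to "false".
            ssoOn = !"false".equalsIgnoreCase(cfg.getInitParameter("ssoOn"));
        }

        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // A request attribute exists only inside the container, so the value
            // always comes from server-side configuration, never from the URL.
            if (!ssoOn) {
                req.setAttribute(SSO_OFF_ATTR, Boolean.TRUE);
            }
            chain.doFilter(req, res);
        }

        @Override public void destroy() { }
    }

    /** Mapped in place of the CAS AuthenticationFilter, with the same init-params. */
    public static class SwitchableAuthenticationFilter implements Filter {
        private final AuthenticationFilter cas = new AuthenticationFilter();

        @Override public void init(FilterConfig cfg) throws ServletException {
            cas.init(cfg); // the CAS filter reads its own settings from cfg
        }

        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (Boolean.TRUE.equals(req.getAttribute(SSO_OFF_ATTR))) {
                chain.doFilter(req, res);      // SSO off: the app's own login decides
            } else {
                cas.doFilter(req, res, chain); // SSO on: normal CAS redirect logic
            }
        }

        @Override public void destroy() { cas.destroy(); }
    }
}
```

With SSO off, the delegate passes the request through unauthenticated, so the application's non-SSO login must sit behind it in the chain and cover the same URL patterns.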

