Hi all,

I am trying to get a default installation up and running with GeoServer 
2.3-RC1 and a CAS server, as an experiment and demonstration.

To achieve this I added cas-client-core-3.2.1.jar, 
spring-security-cas-3.1.0.RELEASE.jar, and sec-cas-2.3-RC1.jar to my 
install, configured a CAS Auth filter, and configured 
geoserver_data/security/config.xml as shown below. I also had to add all 
intermediate certificates for our CAS server's HTTP-SSL certificate to 
the Ubuntu keystore.

=======
<filters name="web" class="org.geoserver.security.HtmlLoginFilterChain"
         interceptorName="interceptor" exceptionTranslationName="exception"
         path="/web/**,/gwc/rest/web/**" disabled="false"
         allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
   <filter>rememberme</filter>
   <filter>cas</filter>
   <!--
     <filter>anonymous</filter>
   -->
</filters>
<!--
   <filters name="webLogin"
            class="org.geoserver.security.ConstantFilterChain"
            path="/j_spring_security_check,/j_spring_security_check/"
            disabled="false" allowSessionCreation="true" ssl="false"
            matchHTTPMethod="false">
     <filter>form</filter>
   </filters>
-->
=======

For the web UI, I had to remove the "anonymous" filter; otherwise there 
was no way to trigger the CAS redirect. I also deleted the "webLogin" 
chain, to prevent the original login form from showing up. After this, 
things work great!

So, I was wondering if there was a way to keep the anonymous access 
filter, so people can still access the Layer Preview page. I want the 
CAS redirect to only take place when accessing a protected resource 
(like Server Status), or when explicitly clicking "Login".

I know I can override the HTML template of the Login button, by cloning 
the base page to 
WEB-INF/classes/org/geoserver/web/GeoServerBasePage.html. I can remove 
the original Username and Password fields, and change the action 
parameter of the form.

But where should I point it? Just accessing /j_spring_security_check 
has no effect. Ideally, I need something that takes care of storing the 
"original" requested URL in the session, doing the CAS redirect, and, on 
success, redirecting the user back again.

Does such a thing already exist and am I overcomplicating things, or 
should I code it myself? I'll add a pull request in the latter situation.

My thanks to Christian Mueller for his help so far, and for his hard 
work regarding integration of CAS support in GeoServer. Again, great work!

Erik-Jan Vos

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users