Hi,

I think your understanding is correct. The general behaviour is to save the
requested protected url and restore it after a successful authentication,
which relies completely on the web session to save/restore the original url.
This works perfectly from a browser (with cookies). Though, from another
application, no session is kept by default, unless you do it explicitly by
storing cookies (the JSESSIONID cookie). This explains the problems you get
trying to make CAS proxification work.

Storing cookies is a good solution, but you raise a very interesting lead
with your previous post: making the ClientFilter "pass through" when it's a
proxied CAS service. It definitely makes sense to me.

Would you mind proposing a pull request that way? (some passThrough
property, false by default but which can be turned on for CAS proxied
service)

In any case, thanks for your thorough usage of buji-pac4j.
Best regards,
Jérôme




2014-03-05 12:03 GMT+01:00 Dinabandhu [via Shiro User] <
[email protected]>:

> Hi,
>
> After a bit more thinking, managed to get it working with the original
> ClientFilter. The configuration is looking good but I am not sure whether
> correct/optimal
>
> First I changed my shiro ini in proxied application to the following -
>
>
> [main]
> casFilter = org.apache.shiro.cas.CasFilter
> casFilter.failureUrl = /error.jsp
>
>
> casRealm = org.apache.shiro.cas.CasRealm
> casRealm.defaultRoles =ROLE_USER
> casRealm.casServerUrlPrefix = https://user-think:8443/cerberus-sso-test
> casRealm.casService = https://user-think:8443/shiro-cas-proxied/shiro-cas
>
> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> securityManager.subjectFactory = $casSubjectFactory
>
> casClient = org.pac4j.cas.client.CasClient
> casClient.casLoginUrl = https://user-think:8443/cerberus-sso-test/login
> casClient.acceptAnyProxy=true
>
> clients = org.pac4j.core.client.Clients
> clients.callbackUrl =
> https://user-think:8443/shiro-cas-proxied/shiro-cas-proxied
> clients.clientsList = $casClient
>
> clientsRealm = io.buji.pac4j.ClientRealm
> clientsRealm.defaultRoles = ROLE_USER
> clientsRealm.clients = $clients
>
> clientsFilter = io.buji.pac4j.ClientFilter
> clientsFilter.clients = $clients
> clientsFilter.failureUrl = /error.jsp
> #clientsFilter.successUrl = /index.jsp
>
> #casUsers = io.buji.pac4j.filter.ClientUserFilter
> #casUsers.client = $casClient
>
> securityManager.realms = $casRealm, $clientsRealm
>
> authc.loginUrl =
> https://user-think:8443/cerberus-sso-test/login?service=https://user-think:8443/shiro-cas-proxied/shiro-cas
>
>
> [urls]
> /shiro-cas-proxied = clientsFilter
> /shiro-cas = casFilter
> /error.jsp = anon
> /** = authc
>
> Basically I have set up two parallel authentication mechanisms (standard
> shiro-cas and pac4j) each with its own service url. Only the service urls
> are protected by corresponding cas service filters. All other urls are
> protected by standard shiro filter (authc in this case).
>
> I changed the java client program to use a two stage mechanism. Instead of
> appending the PT to the actual web url, -
>
> 1. I set up a cookie manager.
> 2. I first make a call to clients.callbackUrl and append the PT. This makes
> clientsFilter kick in, which authenticates the PT, and a session
> (authenticated) is established between the java client and proxied application.
> 3. Then I make call to the actual resource url without any ticket. Authc
> filter intercepts this and sees that the session is already authenticated
> and allows access to resource.
>
> Now, if I access a protected resource from the proxied application then the normal
> shiro-cas mechanism kicks in and I get redirected to the cas login url if there
> is no established sso session.
>
> Does this setup look right to you, or is there a better approach?
>
> Regards,
> Dinabandhu
>
>
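The two-stage client flow described in the quoted post, written out as an added example (this is not code from the thread, from buji-pac4j or from Apache Shiro). The callback URL and CAS login URL are the ones in the shiro.ini above; the protected resource path, the use of Java 11's `java.net.http.HttpClient`, and the CAS-standard `ticket` query parameter for presenting the PT are assumptions. The PT itself is taken as an input, obtained elsewhere through the CAS proxy flow.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.List;

/**
 * Two-stage CAS proxy client:
 *  1. keep cookies, so the JSESSIONID issued by the proxied application survives;
 *  2. present the proxy ticket (PT) to the pac4j callback URL (clientsFilter);
 *  3. request the real resource with no ticket, relying on the session.
 */
public class ProxiedResourceClient {

    // From the shiro.ini in the thread.
    static final String CALLBACK_URL  = "https://user-think:8443/shiro-cas-proxied/shiro-cas-proxied";
    static final String CAS_LOGIN_URL = "https://user-think:8443/cerberus-sso-test/login";
    // Hypothetical protected page behind the authc filter (assumption).
    static final String RESOURCE_URL  = "https://user-think:8443/shiro-cas-proxied/protected/data.jsp";

    private final CookieManager cookies = new CookieManager();
    private final HttpClient http;

    ProxiedResourceClient() {
        // Step 1: cookie manager; without it every request is a fresh, unauthenticated session.
        cookies.setCookiePolicy(CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        // Redirects are deliberately not followed: a 302 to the CAS login page is
        // the "no session" failure we want to detect, not silently chase.
        http = HttpClient.newBuilder()
                .cookieHandler(cookies)
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
    }

    private HttpResponse<String> get(String url) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        return http.send(req, HttpResponse.BodyHandlers.ofString());
    }

    /** Step 2: hand the PT to the callback URL; clientsFilter validates it against CAS. */
    boolean establishSession(String proxyTicket) throws Exception {
        String url = CALLBACK_URL + "?ticket=" + URLEncoder.encode(proxyTicket, StandardCharsets.UTF_8);
        HttpResponse<String> resp = get(url);
        if (resp.statusCode() >= 400) {
            return false; // ticket rejected or callback not reachable
        }
        // A PT is single-use; from here on only the session cookie carries authentication.
        return hasSessionCookie();
    }

    /** True when the proxied application handed us a JSESSIONID for its context path. */
    boolean hasSessionCookie() {
        List<HttpCookie> stored = cookies.getCookieStore().get(URI.create(CALLBACK_URL));
        return stored.stream().anyMatch(c -> "JSESSIONID".equals(c.getName()));
    }

    /** Step 3: fetch the resource with no ticket; the authc filter accepts the session. */
    String fetchResource() throws Exception {
        HttpResponse<String> resp = get(RESOURCE_URL);
        String location = resp.headers().firstValue("Location").orElse("");
        if (resp.statusCode() == 302 && location.startsWith(CAS_LOGIN_URL)) {
            throw new IllegalStateException("session not recognised: redirected to CAS login");
        }
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("unexpected status " + resp.statusCode());
        }
        return resp.body();
    }

    public static void main(String[] args) throws Exception {
        // The PT comes from the CAS proxy flow (PGT -> PT), obtained by the caller.
        String pt = args.length > 0 ? args[0] : "PT-PLACEHOLDER-FROM-CAS";
        ProxiedResourceClient client = new ProxiedResourceClient();
        if (!client.establishSession(pt)) {
            System.err.println("proxy ticket rejected or no JSESSIONID returned by the proxied application");
            return;
        }
        System.out.println(client.fetchResource());
    }
}
```

Keeping `Redirect.NEVER` is the useful check here: if the cookie store is dropped between steps 2 and 3, the resource request comes back as a 302 to the CAS login URL, which is exactly the symptom Jérôme's reply attributes to the missing web session, and the client reports it instead of looping through the login page.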




--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-tp7579694p7579727.html
Sent from the Shiro User mailing list archive at Nabble.com.