Sorry for the late answer - we use CAS at our institution, and I found it is very easy to front Tapestry with CAS, even from scratch.

Some 2-3 years ago I found a tutorial on the web on how to do that with the help of Spring Security (previously named Acegi), but later I learned a bit about how to do it from scratch because I didn't want Spring wasting more resources.

Basically, there is a ready-to-use CAS SSO filter that you include in the project and configure (say, via a dependency in pom.xml and config in web.xml) so that it is called before the set of pages that you need to protect.

So, how does it work?

The filter checks for tickets; if you are logged in it passes you through to the page, otherwise it redirects you to the CAS login address.

In your application you just check the REMOTE_USER variable, which will be set to the username of the logged-in user. It is set by the CAS filter, and only when someone is logged in. Very simple.

Check here for examples from our student information system (enrollment, grades, courses):
http://develop.ii.edu.mk/projects/isii/browser/trunk

Especially check for CAS references in:
pom.xml
web.xml
mk.edu.ii.isii.upisi.model.UserInfo

UserInfo is a session-state object that we keep around in the session; it holds who is logged in, their role, etc.

Of course, since CAS is only for authentication (login/logout), we implemented some access control by checking the logged-in user in the database and using annotations (e.g. @AdministratorPage) placed on page classes for the various roles. The access controller only allows access if the page is accessed by a username that has the appropriate role. For this, check:

mk.edu.ii.isii.upisi.model.UserInfo
mk.edu.ii.isii.upisi.services.AccessController
mk.edu.ii.isii.upisi.annotations...

Of course, comments are welcome from anyone, especially regarding how to improve the solution security-wise.

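The role check described in the post above, as an added example that is not code from the post or from the isii project: a plain-Java sketch in which the username handed over by the CAS filter (REMOTE_USER, i.e. what HttpServletRequest.getRemoteUser() returns once the CAS client's request-wrapper filter has run) is looked up in the application's own user table and compared against a role annotation on the page class. The annotation names, the UserInfo fields, the in-memory user table standing in for the database, and the sample page classes are all assumptions made for illustration; the servlet request is replaced by a plain String so the file compiles and runs with javac alone.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative sketch (not the isii project's code): CAS only authenticates,
 * so the application looks REMOTE_USER up in its own user table and an access
 * controller enforces page-level roles declared by annotations on page classes.
 */
public class CasRoleCheckDemo {

    /** Marks a page class as reachable only by users holding the given role (assumed name). */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface RequiresRole {
        String value();
    }

    /** Shorthand for the administrator role, modelled on the post's @AdministratorPage. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface AdministratorPage { }

    /** Session-state object: who is logged in and which roles they hold (assumed shape). */
    public static final class UserInfo {
        public final String username;
        public final Set<String> roles;

        UserInfo(String username, Set<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableSet(roles);
        }
    }

    /** Constructed stand-in for the user/role table; real code would query the database. */
    static final Map<String, UserInfo> USER_DB = new HashMap<>();
    static {
        USER_DB.put("alice", new UserInfo("alice", Set.of("administrator", "professor")));
        USER_DB.put("bob",   new UserInfo("bob",   Set.of("student")));
    }

    public static final class AccessController {
        /**
         * remoteUser is the value the CAS client filter exposes as REMOTE_USER;
         * null means the request was not authenticated (the filter should
         * already have redirected such requests to the CAS login page).
         */
        public boolean isAllowed(String remoteUser, Class<?> pageClass) {
            String required = requiredRole(pageClass);
            if (required == null) {
                return true;        // page carries no role annotation: public page
            }
            if (remoteUser == null) {
                return false;       // fail closed: no authenticated user
            }
            // A CAS login proves identity only; unknown accounts get no role.
            UserInfo user = USER_DB.get(remoteUser);
            return user != null && user.roles.contains(required);
        }

        /** Reads the role requirement off the page class, if any. */
        static String requiredRole(Class<?> pageClass) {
            if (pageClass.isAnnotationPresent(AdministratorPage.class)) {
                return "administrator";
            }
            RequiresRole r = pageClass.getAnnotation(RequiresRole.class);
            return r == null ? null : r.value();
        }
    }

    // Sample page classes (assumed, for the demo only).
    @AdministratorPage static final class EnrollmentAdmin { }
    @RequiresRole("student") static final class MyGrades { }
    static final class Index { }

    public static void main(String[] args) {
        AccessController ac = new AccessController();
        System.out.println("alice -> EnrollmentAdmin: " + ac.isAllowed("alice", EnrollmentAdmin.class));
        System.out.println("bob -> EnrollmentAdmin: "   + ac.isAllowed("bob", EnrollmentAdmin.class));
        System.out.println("bob -> MyGrades: "          + ac.isAllowed("bob", MyGrades.class));
        System.out.println("mallory -> MyGrades: "      + ac.isAllowed("mallory", MyGrades.class));
        System.out.println("anonymous -> Index: "       + ac.isAllowed(null, Index.class));
    }
}
```

Two points worth keeping in mind when wiring this into a real application: the check has to run on every request that reaches an annotated page (in whatever per-request hook the framework offers), not only once at login, and it should deny by default for a username that CAS authenticated but that the application's own table does not know. Also, getRemoteUser() is only populated for URL patterns that the CAS filter chain in web.xml actually covers, so any page that relies on REMOTE_USER must be inside those patterns; outside them the value is simply null.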