acegi 作为 yale cas认证服务器的客户端在springside项目中的应用

First, Set SpringSide's web.xml, we use Acegi CAS Filter:

< filter-mapping >
< filter-name > hibernateFilter </ filter-name >
< url-pattern > /j_acegi_cas_security_check </ url-pattern >
</ filter-mapping >

We Should Set Main ACEGI application Context：
1) filterChainProxy should add a cas filter as Acegi's Sample, but here, we reuse
authenticationProcessingFilter, which we act as cas client filter.

< bean id ="filterChainProxy"
class ="org.acegisecurity.util.FilterChainProxy" >
< property name ="filterInvocationDefinitionSource" >
< value >
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,authenticationProcessingFilter,rememberMeProcessingFilter,logoutFilter,channelProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
</ value >
</ property >
</ bean >

2) authenticationProcessingFilter, of course, play the most important role in this
applicationContext_acegi.xml.
In SpringSide, /admin is protected resource, so defaultTargetUrl protected it
andall those request to the target url must be authenticated by authenticationManager.

< bean id ="authenticationProcessingFilter" class ="org.acegisecurity.ui.cas.CasProcessingFilter" >
< property name ="authenticationManager" ref ="authenticationManager" />
< property name ="authenticationFailureUrl" >
< value > /security/login.jsp?login_error=1 </ value >
</ property >
< property name ="defaultTargetUrl" >
< value > /admin/ </ value >
</ property >
< property name ="filterProcessesUrl" >
< value > /j_acegi_cas_security_check </ value >
</ property >
< property name ="rememberMeServices" ref ="rememberMeServices" />
< property name ="exceptionMappings" >
< value >
org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error
org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error
org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error
</ value >
</ property >
</ bean >

3) Then, we set all the needed beans in CAS Filter

<!-- =========AcegiasaCASClient的配置============= -->
< bean id ="exceptionTranslationFilter" class ="org.acegisecurity.ui.ExceptionTranslationFilter" >
< property name ="authenticationEntryPoint" >
< ref local ="casProcessingFilterEntryPoint" />
</ property >
</ bean >

<!-- casconfig -->
< bean id ="casProcessingFilterEntryPoint" class ="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint" >
< property name ="loginUrl" >< value > https://sourcesite:8443/cas/login </ value ></ property >
< property name ="serviceProperties" >< ref local ="serviceProperties" /></ property >
</ bean >

< bean id ="authenticationManager" class ="org.acegisecurity.providers.ProviderManager" >
< property name ="providers" >
< list >
< ref local ="casAuthenticationProvider" />
</ list >
</ property >
</ bean >

< bean id ="casAuthenticationProvider" class ="org.acegisecurity.providers.cas.CasAuthenticationProvider" >
< property name ="casAuthoritiesPopulator" >< ref bean ="casAuthoritiesPopulator" /></ property >
< property name ="casProxyDecider" >< ref local ="casProxyDecider" /></ property >
< property name ="ticketValidator" >< ref local ="casProxyTicketValidator" /></ property >
< property name ="statelessTicketCache" >< ref local ="statelessTicketCache" /></ property >
< property name ="key" >< value > my_password_for_this_auth_provider_only </ value ></ property >
</ bean >
< bean id ="casProxyTicketValidator" class ="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator" >
< property name ="casValidate" >< value > https://sourcesite:8443/cas/proxyValidate </ value ></ property >
< property name ="serviceProperties" >< ref local ="serviceProperties" /></ property >
</ bean >
<!--
<beanid="casProxyDecider"class="org.acegisecurity.providers.cas.proxy.AcceptAnyCasProxy"/>
-->
< bean id ="casProxyDecider" class ="org.acegisecurity.providers.cas.proxy.RejectProxyTickets" />

< bean id ="serviceProperties" class ="org.acegisecurity.ui.cas.ServiceProperties" >
< property name ="service" >
< value > http://gzug:8080/springside/j_acegi_cas_security_check </ value >
</ property >
< property name ="sendRenew" >
< value > false </ value >
</ property >
</ bean >

< bean id ="statelessTicketCache" class ="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache" >
< property name ="cache" >
< bean class ="org.springframework.cache.ehcache.EhCacheFactoryBean" >
< property name ="cacheManager" >
< bean class ="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
</ property >
< property name ="cacheName" value ="userCache" />
</ bean >
</ property >
</ bean >

< bean id ="casAuthoritiesPopulator" class ="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator" >
< property name ="userDetailsService" >< ref local ="jdbcDaoImpl" /></ property >
</ bean >

< bean id ="casProcessingFilter" class ="org.acegisecurity.ui.cas.CasProcessingFilter" >
< property name ="authenticationManager" >< ref local ="authenticationManager" /></ property >
< property name ="authenticationFailureUrl" >< value > /casfailed.jsp </ value ></ property >
< property name ="defaultTargetUrl" >< value > / </ value ></ property >
< property name ="filterProcessesUrl" >< value > /j_acegi_cas_security_check </ value ></ property >
</ bean >

casProcessingFilterEntryPoint is very critical,
loginUrl is the CAS Server's /login url, you should set up your CAS Server(2.0 or 3.0) and config for
those JKS keystore after enable SSL in Tomcat(Tomcat 5.5/conf/server.xml) and place the cacerts that
have the CAS Server's public cert to Acegi Client's JDK/jre/lib/security/
Check serviceProperties to make sure thatSpringSide Service url is config as /j_acegi_cas_security_check

because Yale CAS use ticket cache for SSO impl, so we should config for statelessTicketCache
Just use springframework's ehcache for cacheManager.

SpringSide use jdbcDaoImpl which perform database authentication. So I am very happy to use it
ascasAuthoritiesPopulator , which will set use detail for the user. And these info are very useful for
application authorization.

< bean id ="jdbcDaoImpl"
class ="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl" >
< property name ="dataSource" ref ="dataSource" />
< property name ="usersByUsernameQuery" >
< value >
selectloginid,passwd,1fromss_userswherestatus='1'andloginid=?
</ value >
</ property >
< property name ="authoritiesByUsernameQuery" >
< value >
selectu.loginid,p.namefromss_usersu,ss_rolesr,ss_permissions
p,ss_user_roleur,ss_role_permisrpwhereu.id=ur.user_idand
r.id=ur.role_idandp.id=rp.permis_idand
r.id=rp.role_idandp.status='1'andu.loginid=?
</ value >
</ property >
</ bean >

There is little difference between casclient 2.0.12 and Acegi, right?

Note that in my env, gzug:8080/springside is bookstore webapp
and sourcesite:8443 is the CAS 3 Server.

Hope for suggestion.....