grails-shiro-cas is no longer maintained, and this repository will be removed from GitHub on or after Saturday, January 21, 2017. Published release artifacts will continue to be available indefinitely via the Grails plugin portal.
Shiro is a flexible authentication and authorization framework for Java that has a corresponding Grails plugin for simplifying access control in Grails applications. This plugin extends the base Shiro plugin with support for authentication using the Shiro CAS integration.
This assumes that you've already configured the Shiro plugin.
To install the plugin, add declaration to your BuildConfig.groovy
plugins section in the form compile ":shiro-cas:VERSION"
.
Next, you need to re-configure your ShiroSecurityFilters
. The easiest way to accomplish this is to make your class extend org.apache.shiro.cas.grails.ShiroCasSecurityFilters
. If that's not an option, you can copy the onNotAuthenticated
handler into your class.
Finally, you need a CAS-enabled Shiro realm. Run grails create-cas-realm
to create such a realm based on a template. If desired, you can customize the name by specifying --prefix=PACKAGE.
or --prefix=PACKAGE.CLASSPREFIX
. Modify the generated class as needed for your application.
security.shiro.cas.serverUrl
(REQUIRED): The URL of the CAS instance to authenticate against. This should be an HTTPS URL.security.shiro.cas.baseServiceUrl
(OPTIONAL): The base URL to pass to CAS as theservice
parameter (see CAS Protocol for more details on how this is used). This should be the protocol/host/port portion of your application server's URL with the application context. If unset, the plugin will attempt to determine the base URL dynamically.security.shiro.cas.servicePath
(OPTIONAL): This should be the path at which end-users can reach the/shiro-cas
path within the current application (which is automatically registered by this plugin). Defaults to/shiro-cas
.security.shiro.cas.failurePath
(OPTIONAL): The path that users are redirected to if ticket validation fails. Defaults to/auth/cas-failure
.security.shiro.cas.loginUrl
(OPTIONAL): The URL that users are redirected to when login is required. By default, this directs users to/login
within theserverUrl
, passing along the service as a query parameter.security.shiro.cas.logoutUrl
(OPTIONAL): The URL that users are redirected to when logging out. By default, this directs users to/logout
within theserverUrl
, passing along the service as a query parameter.security.shiro.cas.loginParameters
(OPTIONAL): Key, Value pairs to be added to the generated or explicitly set loginUrl. (see CAS Parameters for more details on how this is used)security.shiro.cas.singleSignOut.disabled
(OPTIONAL): Boolean value controlling whether to disable Single Sign Out. By default, this isfalse
, resulting in Single Sign Out support being enabled (matching the default for CAS). Note that this configuration value is used at build-time to modify theweb.xml
, and externalized configuration will not be taken into account during that phase.security.shiro.cas.singleSignOut.artifactParameterName
(OPTIONAL): The parameter used to detect sessions in preparation for Single Sign Out support. By default, this isticket
(matching the default for CAS).security.shiro.cas.singleSignOut.logoutParameterName
(OPTIONAL): The parameter used to detect logout requests. By default, this islogoutRequest
(matching the default for CAS).
Assuming that:
- your CAS instance is deployed at context path
/cas
onsso.example.com
on the default HTTPS port - your Grails application is accessed at https://apps.example.com/my-app
- your service endpoint exists at https://apps.example.com/my-app/shiro-cas
The only required configuration parameter for this plugin is security.shiro.cas.serverUrl
-- the plugin will attempt to determine the baseServiceUrl
dynamically, if not set. It will use /shiro-cas
as the default servicePath
.
An example configuration would be:
security.shiro.cas.serverUrl='https://sso.example.com/cas'
Assuming that:
- your end-users use more than one domain to access the application
- your CAS instance is deployed at context path
/cas
onsso.example.com
on the default HTTPS port - your Grails application is accessed at https://*.example.com/my-app, where * indicates a wildcard.
No configuration changes are required. This plugin will automatically use the service base URL from the request, and return to the requesting service.
If you don't want to support multiple domains, or if the domain dynamically determined from the request doesn't work for you, you can configure a single static baseServiceUrl
. Here's an example configuration:
security.shiro.cas.serverUrl='https://sso.example.com/cas'
security.shiro.cas.baseServiceUrl='https://apps.example.com/my-app'
If, in your application, you need access to any of the configuration values, use ShiroCasConfigUtils
.
For accessing the login/logout URLs, use ShiroCasUrlBuilder
. It supports adding query parameters if needed.
Example:
ShiroCasUrlBuilder.forLogin().withRenew().withQueryParam("token", "12345").go(response)
In general, it's intended to make it quick and easy to use CAS by layering on top of the configuration already done by the shiro plugin. This includes:
- If Single Sign Out is not disabled:
- configures an instance of
SingleSignOutFilter
assingleSignOutFilter
and registers it inshiroFilter
'sfilterChainDefinitions
- registers
SingleSignOutHttpSessionListener
inweb.xml
- configures an instance of
- configures a CAS filter as
casFilter
and registers it inshiroFilter
'sfilterChainDefinitions
- configures an instance of
Cas20ServiceTicketValidator
ascasTicketValidator
- configures an instance of
CasSubjectFactory
ascasSubjectFactory
and registers it withshiroSecurityManager