tessl/maven-org-springframework-security--spring-security-cas
Spring Security support for Apereo's Central Authentication Service (CAS) enabling Single Sign-On authentication
—
Pending
authentication.mddocs/
Authentication
CAS authentication provider and token implementations for integrating CAS ticket validation with Spring Security's authentication framework. This module handles the core authentication logic, token management, and integration with CAS server ticket validation.
Capabilities
CAS Authentication Provider
Main authentication provider that validates CAS service tickets and creates authenticated Spring Security principals.
/**
* Authenticates a CAS service ticket by validating it with the CAS server
* and creating a Spring Security authentication token with user details.
*/
public class CasAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
/**
* Authenticates the provided authentication request.
* @param authentication the authentication request (must be CasServiceTicketAuthenticationToken)
* @return fully authenticated object including credentials
* @throws AuthenticationException if authentication fails
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
/**
* Indicates whether this provider supports the specified authentication class.
* @param authentication the authentication class to check
* @return true if supports CasServiceTicketAuthenticationToken
*/
public boolean supports(Class<?> authentication);
/**
* Validates configuration after properties are set.
* @throws IllegalArgumentException if required properties are missing
*/
public void afterPropertiesSet() throws IllegalArgumentException;
/**
* Sets the user details service for loading user information.
* @param userDetailsService service to load UserDetails by username
*/
public void setUserDetailsService(UserDetailsService userDetailsService);
/**
* Sets authentication user details service for CAS assertion-based loading.
* @param authenticationUserDetailsService service that loads from CAS assertions
*/
public void setAuthenticationUserDetailsService(
AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService);
/**
* Sets user details checker for account validation.
* @param userDetailsChecker checker for locked/expired accounts
*/
public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker);
/**
* Sets service properties for CAS integration.
* @param serviceProperties CAS service configuration (required)
*/
public void setServiceProperties(ServiceProperties serviceProperties);
/**
* Sets the unique key for this authentication provider.
* @param key unique identifier for this provider instance
*/
public void setKey(String key);
/**
* Sets the ticket cache for stateless authentication scenarios.
* @param statelessTicketCache cache implementation for storing validated tickets
*/
public void setStatelessTicketCache(StatelessTicketCache statelessTicketCache);
/**
* Sets the CAS ticket validator for validating service tickets.
* @param ticketValidator validator that communicates with CAS server (required)
*/
public void setTicketValidator(TicketValidator ticketValidator);
/**
* Sets authorities mapper for converting CAS authorities to Spring Security authorities.
* @param authoritiesMapper mapper for authority conversion
*/
public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper);
/**
* Sets message source for internationalization of error messages.
* @param messageSource message source for error messages
*/
public void setMessageSource(MessageSource messageSource);
/**
* Gets the configured stateless ticket cache.
* @return the ticket cache instance
*/
public StatelessTicketCache getStatelessTicketCache();
}Usage Example:
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties());
provider.setTicketValidator(cas20ServiceTicketValidator());
provider.setUserDetailsService(userDetailsService());
provider.setKey("cas-authentication-provider");
provider.setStatelessTicketCache(ticketCache());
return provider;
}CAS Authentication Token
Represents a successful CAS authentication containing the validated user principal, credentials, authorities, and CAS assertion.
/**
* Authentication token representing a successful CAS authentication.
* Contains user details, authorities, and the original CAS assertion.
*/
public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
/**
* Creates a CAS authentication token for a successfully authenticated user.
* @param key unique key identifying the authentication provider
* @param principal the authenticated principal (usually username)
* @param credentials the credentials (usually the validated ticket)
* @param authorities granted authorities for the user
* @param userDetails detailed user information
* @param assertion CAS assertion containing user attributes
*/
public CasAuthenticationToken(String key, Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities,
UserDetails userDetails, Assertion assertion);
/**
* Gets the credentials (usually the original CAS ticket).
* @return the credentials
*/
public Object getCredentials();
/**
* Gets the principal (usually the username).
* @return the principal
*/
public Object getPrincipal();
/**
* Gets the hash code of the authentication provider key.
* @return hash code of the provider key
*/
public int getKeyHash();
/**
* Gets the CAS assertion containing user attributes and authentication details.
* @return the CAS assertion
*/
public Assertion getAssertion();
/**
* Gets the user details loaded for this authentication.
* @return the user details
*/
public UserDetails getUserDetails();
/**
* Compares this token with another object for equality.
* @param obj object to compare
* @return true if equal
*/
public boolean equals(Object obj);
/**
* Returns hash code for this token.
* @return hash code
*/
public int hashCode();
/**
* Returns string representation of this token.
* @return string representation
*/
public String toString();
}CAS Assertion Authentication Token
Temporary authentication token used during the user details loading process from CAS assertions.
/**
* Temporary authentication token representing a CAS assertion before user details are loaded.
* Used internally by authentication user details services.
*/
public final class CasAssertionAuthenticationToken extends AbstractAuthenticationToken {
/**
* Creates an assertion authentication token for loading user details.
* @param assertion the CAS assertion containing user information
* @param ticket the original CAS service ticket
*/
public CasAssertionAuthenticationToken(Assertion assertion, String ticket);
/**
* Gets the principal (CAS assertion principal).
* @return the assertion principal
*/
public Object getPrincipal();
/**
* Gets the credentials (original service ticket).
* @return the service ticket
*/
public Object getCredentials();
/**
* Gets the CAS assertion.
* @return the CAS assertion
*/
public Assertion getAssertion();
}Service Ticket Authentication Token
Authentication token representing CAS service tickets for both stateful and stateless authentication scenarios.
/**
* Authentication token for CAS service tickets, supporting both stateful and stateless modes.
*/
public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationToken {
/** Identifier for stateless CAS authentication */
public static final String CAS_STATELESS_IDENTIFIER = "_cas_stateless_";
/** Identifier for stateful CAS authentication */
public static final String CAS_STATEFUL_IDENTIFIER = "_cas_stateful_";
/**
* Creates a service ticket authentication token.
* @param identifier stateful or stateless identifier
* @param credentials the CAS service ticket
*/
public CasServiceTicketAuthenticationToken(String identifier, Object credentials);
/**
* Creates a service ticket authentication token with authorities.
* @param identifier stateful or stateless identifier
* @param credentials the CAS service ticket
* @param authorities granted authorities
*/
public CasServiceTicketAuthenticationToken(String identifier, Object credentials,
Collection<? extends GrantedAuthority> authorities);
/**
* Creates a stateful service ticket authentication token.
* @param credentials the CAS service ticket
* @return stateful authentication token
*/
public static CasServiceTicketAuthenticationToken stateful(Object credentials);
/**
* Creates a stateless service ticket authentication token.
* @param credentials the CAS service ticket
* @return stateless authentication token
*/
public static CasServiceTicketAuthenticationToken stateless(Object credentials);
/**
* Indicates if this token represents stateless authentication.
* @return true if stateless
*/
public boolean isStateless();
/**
* Gets the credentials (CAS service ticket).
* @return the service ticket
*/
public Object getCredentials();
/**
* Gets the principal (identifier).
* @return the identifier
*/
public Object getPrincipal();
/**
* Sets the authentication status.
* @param isAuthenticated true if authenticated
* @throws IllegalArgumentException if attempting to set authenticated to true
*/
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
/**
* Removes sensitive credential information.
*/
public void eraseCredentials();
}Service Authentication Details
Interface for providing service URL information when CAS tickets can be sent to multiple URLs.
/**
* Interface for providing service URL information during authentication.
* Used when the service URL cannot be determined from configuration alone.
*/
public interface ServiceAuthenticationDetails extends Serializable {
/**
* Gets the service URL for CAS authentication.
* @return the service URL that CAS should redirect to
*/
String getServiceUrl();
}Authentication Flow
- Service Ticket Reception:
CasAuthenticationFilterreceives CAS service ticket from callback - Token Creation: Creates
CasServiceTicketAuthenticationTokenwith the ticket - Provider Authentication:
CasAuthenticationProvidervalidates ticket with CAS server - Assertion Processing: CAS assertion is extracted from validation response
- User Details Loading: User details are loaded via
UserDetailsServiceorAuthenticationUserDetailsService - Token Creation: Final
CasAuthenticationTokenis created with user details and authorities - Security Context: Authentication is stored in Spring Security's
SecurityContext
Configuration Example
@Bean
public AuthenticationManager authenticationManager() {
return new ProviderManager(Arrays.asList(casAuthenticationProvider()));
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties());
provider.setTicketValidator(ticketValidator());
provider.setUserDetailsService(userDetailsService());
provider.setKey("cas-provider-key");
provider.setAuthoritiesMapper(authoritiesMapper());
return provider;
}
@Bean
public TicketValidator ticketValidator() {
Cas20ServiceTicketValidator validator = new Cas20ServiceTicketValidator("https://cas.example.com/cas");
validator.setAcceptAnyProxy(true);
return validator;
}Common Exceptions
- BadCredentialsException: Invalid or expired CAS ticket
- TicketValidationException: CAS server validation failure
- AccountExpiredException: User account is expired
- LockedException: User account is locked
- DisabledException: User account is disabled
Install with Tessl CLI
npx tessl i tessl/maven-org-springframework-security--spring-security-cas