Spring Security ACL Plugin - Reference Documentation
Authors: Burt Beckwith
1 IntroductionThe CAS plugin adds CAS single sign-on support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin.Once you have configured a CAS server and have configured your Grails application(s) as clients, you can authenticate to any application that is a client of the CAS server and be automatically authenticated to all other clients.
- Version 1.0.3
- released July 4, 2012
- Version 1.0.2
- released February 12, 2011
- Version 1.0.1
- released September 1, 2010
- Version 1.0
- released July 27, 2010
- Version 0.1
- released June 18, 2010
Configuring your CAS server is beyond the scope of this document. There are many different approaches and this will most likely be done by IT staff. It's assumed here that you already have a running CAS server.CAS is a popular single sign-on implementation. It's open source and has an Apache-like license, and is easy to get started with but is also highly configurable. In addition it has clients written in Java, .Net, PHP, Perl, and other languages.There isn't much that you need to do in your application to be a CAS client. Just install this plugin, and configure any required parameters and whatever optional parameters you want in Config.groovy. These are described in detail in Chapter 3 but typically you only need to set these properties
where "your-app-name" is the Grails application context (will be blank if deployed as the default context) and "your-cas-server" is the name of your CAS server.
grails.plugins.springsecurity.cas.loginUri = '/login' grails.plugins.springsecurity.cas.serviceUrl = 'http://localhost:8080/your-app-name/j_spring_cas_security_check' grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://your-cas-server/cas' grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://localhost:8080/your-app-name/secure/receptor' grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
Single SignoutSingle signout is enabled by default and enables signing out for all CAS-managed applications with one logout. This works best in the plugin when combined with the
afterLogoutUrlparameter, for example:
With this configuration, when a user logs out locally by navigating to
grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://your-cas-server/cas/logout?url=http://localhost:8080/your-app-name/'
/logout/they'll then be redirected to the CAS server's logout URL. This request includes a local URL to redirect back to afterwards. When the whole process is finished they'll be logged out locally and at the CAS server, so subsequent secure URLs at the local server or other CAS-managed servers will require a new login.If you don't want the single signout filter registered, you can disable the feature:
grails.plugins.springsecurity.cas.useSingleSignout = false
3 ConfigurationThere are a few configuration options for the CAS plugin.
All of these property overrides must be specified in
grails.plugins.springsecuritysuffix, for examplegrails.plugins.springsecurity.cas.serverUrlPrefix = 'https://cas-server/cas'
|cas.active||whether the plugin is enabled or not (e.g. to disable per-environment)|
|cas.serverUrlPrefix||the 'root' of all CAS server URLs, e.g. |
|cas.loginUri||the login URI, relative to |
|cas.sendRenew||if true, ticket validation will only succeed if it was issued from a login form, but will fail if it was issued from a single sign-on session. Analagous to |
|cas.serviceUrl||the local application login URL, e.g. |
|cas.key||'grails-spring-security-cas', should be changed||used by |
|cas.artifactParameter||the ticket login url parameter|
|cas.serviceParameter||the service login url parameter|
|cas.filterProcessesUrl||'/j_spring_cas_security_check'||the URL that the filter intercepts for login|
|cas.proxyCallbackUrl||proxy callback url, e.g. 'http://localhost:8080/myapp/secure/receptor'|
|cas.proxyReceptorUrl||proxy receptor url, e.g. '/secure/receptor'|