[Geoserver-users] GeoServer CAS: redirect only when needed

Hi all,

I am trying to get a default installation up and running with GeoServer 2.3-RC1 and a CAS server, as an experiment and demonstration.

To achieve this I added cas-client-core-3.2.1.jar, spring-security-cas-3.1.0.RELEASE.jar, and sec-cas-2.3-RC1.jar to my install, configured a CAS Auth filter, and configured geoserver_data/security/config.xml as shown below. I also had to add all intermediate certificates for our CAS server's HTTP-SSL certificate to the Ubuntu keystore.

=======
<filters name="web" class="org.geoserver.security.HtmlLoginFilterChain" interceptorName="interceptor" exceptionTranslationName="exception" path="/web/**,/gwc/rest/web/**" disabled="false" allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
   <filter>rememberme</filter>
   <filter>cas</filter>
   <!--
     <filter>anonymous</filter>
   -->
</filters>
<!--
   <filters name="webLogin" class="org.geoserver.security.ConstantFilterChain" path="/j_spring_security_check,/j_spring_security_check/" disabled="false" allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
     <filter>form</filter>
   </filters>
-->
=======

For the web UI, I had to remove the "anonymous" filter, otherwise there was no way to trigger the CAS redirect. I also deleted the "webLogin" chain, to prevent the original login form from showing up. After this, things work great!

So, I was wondering if there was a way to keep the anonymous access filter, so people can still access the Layer Preview page. I want the CAS redirect to only take place when accessing a protected resource (like Server Status), or when explicitly clicking "Login".

I know I can override the HTML template of the Login button, by cloning the base page to WEB-INF/classes/org/geoserver/web/GeoServerBasePage.html. I can remove the original Username and Password fields, and change the action parameter of the form.

Only where should I point it? Just accessing /j_spring_security_check has no effect. Ideally, I need something that takes care of storing the "original" requested URL in the session, doing the CAS redirect, and on success redirecting the user back again.

Does such a thing already exist and am I overcomplicating things, or should I code it myself? I'll add a pull request in the latter situation.

My thanks to Christian Mueller for his help so far, and for his hard work regarding integration of CAS support in GeoServer. Again, great work!

Erik-Jan Vos

Hi Erik-Jan

I fear your scenario is not covered by the current architecture. You would need a CAS filter configuration where you can specify the redirect URL explicitly. At the moment, the CAS filter is calculating the redirect URL dynamically from the incoming request. Maybe you can open an improvement request in the JIRA issue tracker.

If you want to demonstrate the filter, you can do the following:

  • Start with the original filter configuration
  • Add some users and roles (you can use the no password policy)
  • Protect some layers using your roles, and switch to catalog mode CHALLENGE
  • Configure your CAS filter
  • Replace the basic auth filter with your CAS filter on the default chain (last chain, pattern /**)
  • Use your browser to connect to GeoServer; you are logged in as user anonymous
  • Click on layer preview
  • Now click on a protected layer and a CAS login should be triggered; after successful login you should see the layer

Cheers
Christian
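As an added illustration of Christian's steps (not from the thread and not GeoServer's shipped configuration), this is how the two chains would look in geoserver_data/security/config.xml: the web chain keeps the anonymous filter so Layer Preview stays reachable, and the CAS filter takes the place of basic on the last chain, so the CHALLENGE raised by a protected layer is answered with a CAS redirect instead of an HTTP Basic prompt. The name, class and attributes of the default chain are assumed from a stock 2.3 install; the filter names match those used in the thread.

```xml
<!-- Added example, not the original poster's config.xml. -->

<!-- web chain: anonymous stays last, so the UI and Layer Preview
     remain reachable without a login (stock order: rememberme, form, anonymous) -->
<filters name="web" class="org.geoserver.security.HtmlLoginFilterChain"
         interceptorName="interceptor" exceptionTranslationName="exception"
         path="/web/**,/gwc/rest/web/**" disabled="false"
         allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
   <filter>rememberme</filter>
   <filter>form</filter>
   <filter>anonymous</filter>
</filters>

<!-- default chain (name, class and attributes assumed from a stock install):
     "cas" replaces "basic", so a request for a layer protected in
     CHALLENGE mode triggers the CAS login; anonymous still covers
     everything that is not protected -->
<filters name="default" class="org.geoserver.security.ServiceLoginFilterChain"
         interceptorName="interceptor" exceptionTranslationName="exception"
         path="/**" disabled="false"
         allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
   <filter>cas</filter>
   <filter>anonymous</filter>
</filters>
```

Chain order matters: the /** chain must stay last in config.xml, otherwise it would shadow the web chain and the UI would lose the form login.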


2013/3/18 Erik-Jan Vos <erikjan.vos@anonymised.com>

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users