Securing Spring boot Rest services with CAS

Friends,

Recently I have created a web-services application using spring-boot, and now it has a few unsecured entry points. (This is a pure REST-based application having only REST entry points; it doesn't have any UI components.)

Now I would like to add CAS client with this application for securing the rest entry points.

My CAS server is ready and it's up and running. I have configured the CAS REST protocol as well in my CAS server to access the TGT/ST through REST calls, and I'm planning to use only the REST calls rather than the login pages.

So, when a user tries to access my REST application, I'm going to call the CAS REST entry points internally (by using restTemplate) to validate the user credentials and generate the TGT and ST.

Available CAS entry points are (from jasig reference docs),

  1. POST /cas/v1/tickets HTTP/1.0 username=battags&password=password&additionalParam1=paramvalue
  2. POST /cas/v1/tickets/{TGT id} HTTP/1.0 service={form encoded parameter for the service url}
  3. DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0

I think I'm a little clear on this part. Please correct me if I'm wrong.

And now my query is: what should I do to add an ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other REST API for validating the ST? Please guide me on how to proceed further.

Sasikumar asked Sep 11 '25 16:09


2 Answers

You can use existing Spring boot cas starter:

  • cas security spring boot starter
  • cas client autoconfig support

That will magically configure your spring boot app with CAS authentication for you (and thus your application will be able to read an ST or PT without effort).

I'm the author of cas security spring boot starter, so I won't influence your choice, but the main difference between that project and cas client autoconfig support developed by Unicon is the Spring security integration.

Indeed, cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure the Apereo (Jasig) filters, which are not designed to work out of the box with Spring security.

Kakawait answered Sep 13 '25 05:09


You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.

If you are looking for a security library to protect your web service via the CAS REST API, you should try https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74

jleleu answered Sep 13 '25 07:09
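One way to do what this answer describes (check the caller's credentials against the CAS REST API from inside the Spring Boot app and, only if CAS accepts them, populate the Spring Security context) as an added example; it is not code from the question, either answer, or any of the projects named above. It assumes clients send HTTP Basic credentials, that Spring Security and RestTemplate are on the classpath, that the CAS base URL passed to the constructor is an assumed value, and uses the `jakarta.servlet` packages (`javax.servlet` on older Spring Boot versions).

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.springframework.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.*;
import org.springframework.web.client.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** Checks each request's HTTP Basic credentials against CAS (POST /cas/v1/tickets) before any controller runs. */
public class CasRestCredentialFilter extends OncePerRequestFilter {
    private final String casBase;   // e.g. "https://cas.example.org/cas" (assumed value, must be HTTPS)
    private final RestTemplate rest = new RestTemplate();
    public CasRestCredentialFilter(String casBase) { this.casBase = casBase; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String[] cred = basicCredentials(req.getHeader(HttpHeaders.AUTHORIZATION));
        // One identical 401 for missing, malformed and rejected credentials: nothing to enumerate.
        if (cred == null || !credentialsAcceptedByCas(cred[0], cred[1])) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                cred[0], null, AuthorityUtils.createAuthorityList("ROLE_USER")));   // no password kept in the context
        chain.doFilter(req, res);
    }
    /** Decodes "Basic base64(user:password)"; returns null for anything malformed. */
    static String[] basicCredentials(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            String[] p = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8).split(":", 2);
            return p.length == 2 ? p : null;
        } catch (IllegalArgumentException e) { return null; }   // not valid base64
    }
    /** True only if CAS issues a TGT (201 Created plus a Location header) for these credentials. */
    boolean credentialsAcceptedByCas(String user, String password) {
        HttpHeaders h = new HttpHeaders(); h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("username", user); form.add("password", password);
        try {
            ResponseEntity<String> r = rest.postForEntity(casBase + "/v1/tickets", new HttpEntity<>(form, h), String.class);
            URI tgt = r.getHeaders().getLocation();
            if (r.getStatusCode().value() != 201 || tgt == null) return false;
            rest.delete(tgt); return true;   // credential check only: do not leave an SSO session open on CAS
        } catch (RestClientException e) { return false; }   // 4xx for bad credentials, or a transport failure
    }
}
```

Register it ahead of Spring Security's own authentication filter, e.g. `http.addFilterBefore(new CasRestCredentialFilter(casUrl), UsernamePasswordAuthenticationFilter.class)`, and keep in mind that every request now costs a POST and a DELETE against the CAS server, so a lockout or rate limit on the CAS side is what protects the accounts from password guessing.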