Configuring Spring Security CAS Providers with Java Config

Configuring Spring Security to use CAS as a provider is pretty easy following the example in the documentation. However, once it’s time to start a new Boot project or move the old XML configuration to Java, it can take a little digging to get it running.

Below is the (nearly) equivalent Java configuration to the documentation:

Notice I said “nearly equivalent”. The documentation uses an in-memory version of UserDetailsService to provide simple login with this markup:

This is usually handled in Java config easily by calling the inMemoryAuthentication() method on the AuthenticationManagerBuilder (in the last configure() method from the gist above). However, the CasAuthenticationProvider deprecated the use of UserDetailsService in favor of AuthenticationUserDetailsService, so we will just create an implementation. The implementation below hardcodes the same user from the old user-service element that will be logged in after successful CAS authentication:

This bean is defined on line 24 and injected into the CasAuthenticationProvider on line 16. This is obviously just a toy implementation to get up and running, but this class is what you can use to do the lookup on users to load their authorities for the application.

About the Author

Object Partners profile.

One thought on “Configuring Spring Security CAS Providers with Java Config

  1. Christian Metzler says:

    You have to disable csrf for j_spring_cas_security_check because this will be used for backchannel single sign-out. This won’t work with csrf protection enabled.

  2. Tiago says:

    Thank you for you post, it helped me a lot.

  3. Ardjuna Wiwaha says:

    Problems Dell D610 Intarnal HDD HARD error! Strike the F1 key to continue, F2 to run the setup utility “Disk error press any key to restart.

  4. AlPez says:

    Thanks for the post, it’s nice to find some javaconfig for CAS authentication.
    Could you please list the SpringSecurity and CAS related dependencies that would be necesary to declare on the pom?

  5. Vibhatha says:

    Hey this code is not 100% clear to me. Do you have a complete implemented code or tutorial with spring java configuration for authentication and authorization.
    If you have any tutorial please send me a link. Thanks a lot.

  6. Edu says:

    Thank you for this post, it was currently very difficult to find some article using annotations.

  7. Edu says:

    Justo one comment, on Spring Security 4, the CasAuthenticationFilter filterProcessesUrl property default value changed from “/j_spring_cas_security_check” to “/login/cas”. On migration page there is more details http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html

  8. Eduardo says:

    What about the logout?

  9. Renato Moraes says:

    Do I need to setup anything on CAS Server to allow my client application to authenticate on it?

Leave a Reply to Edu Cancel reply

Your email address will not be published.

Related Blog Posts
A security model for developers
Software security is more important than ever, but developing secure applications is more confusing than ever. TLS, mTLS, RBAC, SAML, OAUTH, OWASP, GDPR, SASL, RSA, JWT, cookie, attack vector, DDoS, firewall, VPN, security groups, exploit, […]
Building Better Data Visualization Experiences: Part 1 of 2
Through direct experience with data scientists, business analysts, lab technicians, as well as other UX professionals, I have found that we need a better understanding of the people who will be using our data visualization products in order to build them. Creating a product utilizing data with the goal of providing insight is fundamentally different from a typical user-centric web experience, although traditional UX process methods can help.
Kafka Schema Evolution With Java Spring Boot and Protobuf
In this blog I will be demonstrating Kafka schema evolution with Java, Spring Boot and Protobuf.  This app is for tutorial purposes, so there will be instances where a refactor could happen. I tried to […]
Redis Bitmaps: Storing state in small places
Redis is a popular open source in-memory data store that supports all kinds of abstract data structures. In this post and in an accompanying example Java project, I am going to explore two great use […]