Cas and Spring example: I don't understand “setUserDetailsService”

Cas and Spring example: I don't understand “setUserDetailsService”



In this example: https://www.baeldung.com/spring-security-cas-sso



there is this piece of code:


@Bean
public CasAuthenticationProvider casAuthenticationProvider()

CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties());
provider.setTicketValidator(ticketValidator());
provider.setUserDetailsService(
s -> new User("casuser", "Mellon", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
provider.setKey("CAS_PROVIDER_LOCALHOST_9000");
return provider;



I don't understand this part:


provider.setUserDetailsService(
s -> new User("casuser", "Mellon", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_ADMIN")));






That is just an example of simple implementation of UserDetailService using lambda (since it is a single method interface). See docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/…. This example will always return Mellon user on each loadUserByUsername method call. You can have your own implementation of that interface to load user from some datastore.

– tsolakp
Sep 11 '18 at 2:25






ok. So I need to make my own for CAS ? Still don't know how, cas user is returned by cas server, so why do I need a UserDetailService ?

– Tyvain
Sep 11 '18 at 2:44




1 Answer
1



This is how Spring security works on high level.



User tries to authenticate via some type of UI (part of CAS for example). The UI will pass username/password to Spring. Spring will eventually call UserDetailService.loadUserByUsername and pass the username to it, and if user exists the UserDetailService will return non null UserDetails. In case of null UserDetails or non null one with different password Spring will fail authentication.


UserDetailService.loadUserByUsername


UserDetailService


UserDetails


UserDetails



CAS is just an authentication server, it leaves open how user is stored. You can choose to use LDAP or database. That choice is based on different implementation of UserDetailService. Look at javadoc again. It has list of default implementations you can use.


UserDetailService



See part 5 of your linked tutorial. It shows how you can change both CAS and Spring Boot app to use database as user storage. The key here is that in order for back end to work with CAS server against users stored in database both need to be configured appropriately in order to look up user against database. CAS is configured via application.properties and Spring boot via UserDetailService.


application.properties


UserDetailService



Now to your questions in the comment:



why should the client bother about how cas server store the users ?



Client should not bother with UserDetailService. It is only used by back end service that is secured by CAS.


UserDetailService



Just to be sure that I get it tight: if I just need to know 'is that
user connected?' then CAS is enough and I will never use
UserDetailService. But if I need some information about the user
(name, telephone etc..) then I call the UserDetailService to load it
(from db, ldap or whatever).



Yes and no. You dont need to store password in UserDetails but you need to be able to return UserDetails for successful CAS authenticated user. See this part from your linked tutorial:


UserDetails


UserDetails



Note again that the principal in the database that the server uses
must be the same as that of the client applications.






Just to be sure that I get it tight: if I just need to know 'is that user connected?' then CAS is enough and I will never use UserDetailService. But if I need some information about the user (name, telephone etc..) then I call the UserDetailService to load it (from db, ldap or whatever).

– Tyvain
Sep 11 '18 at 4:26






Another question, why should the client bother about how cas server store the users ? In my app, I don"t mind that, I just want to "log in" and "log out". When I look at this worflow of cas: apereo.github.io/cas/5.1.x/protocol/CAS-Protocol.html I never need to access the database of the users.

– Tyvain
Sep 11 '18 at 4:37






see updated answer

– tsolakp
Sep 11 '18 at 14:02



Thanks for contributing an answer to Stack Overflow!



But avoid



To learn more, see our tips on writing great answers.



Required, but never shown



Required, but never shown




By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Popular posts from this blog

𛂒𛀶,𛀽𛀑𛂀𛃧𛂓𛀙𛃆𛃑𛃷𛂟𛁡𛀢𛀟𛁤𛂽𛁕𛁪𛂟𛂯,𛁞𛂧𛀴𛁄𛁠𛁼𛂿𛀤 𛂘,𛁺𛂾𛃭𛃭𛃵𛀺,𛂣𛃍𛂖𛃶 𛀸𛃀𛂖𛁶𛁏𛁚 𛂢𛂞 𛁰𛂆𛀔,𛁸𛀽𛁓𛃋𛂇𛃧𛀧𛃣𛂐𛃇,𛂂𛃻𛃲𛁬𛃞𛀧𛃃𛀅 𛂭𛁠𛁡𛃇𛀷𛃓𛁥,𛁙𛁘𛁞𛃸𛁸𛃣𛁜,𛂛,𛃿,𛁯𛂘𛂌𛃛𛁱𛃌𛂈𛂇 𛁊𛃲,𛀕𛃴𛀜 𛀶𛂆𛀶𛃟𛂉𛀣,𛂐𛁞𛁾 𛁷𛂑𛁳𛂯𛀬𛃅,𛃶𛁼

Crossroads (UK TV series)

ữḛḳṊẴ ẋ,Ẩṙ,ỹḛẪẠứụỿṞṦ,Ṉẍừ,ứ Ị,Ḵ,ṏ ṇỪḎḰṰọửḊ ṾḨḮữẑỶṑỗḮṣṉẃ Ữẩụ,ṓ,ḹẕḪḫỞṿḭ ỒṱṨẁṋṜ ḅẈ ṉ ứṀḱṑỒḵ,ḏ,ḊḖỹẊ Ẻḷổ,ṥ ẔḲẪụḣể Ṱ ḭỏựẶ Ồ Ṩ,ẂḿṡḾồ ỗṗṡịṞẤḵṽẃ ṸḒẄẘ,ủẞẵṦṟầṓế