Cas and Spring example: I don't understand “setUserDetailsService”
Cas and Spring example: I don't understand “setUserDetailsService”
In this example: https://www.baeldung.com/spring-security-cas-sso
there is this piece of code:
@Bean
public CasAuthenticationProvider casAuthenticationProvider()
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties());
provider.setTicketValidator(ticketValidator());
provider.setUserDetailsService(
s -> new User("casuser", "Mellon", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
provider.setKey("CAS_PROVIDER_LOCALHOST_9000");
return provider;
I don't understand this part:
provider.setUserDetailsService(
s -> new User("casuser", "Mellon", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
ok. So I need to make my own for CAS ? Still don't know how, cas user is returned by cas server, so why do I need a UserDetailService ?
– Tyvain
Sep 11 '18 at 2:44
1 Answer
1
This is how Spring security works on high level.
User tries to authenticate via some type of UI (part of CAS for example). The UI will pass username/password to Spring. Spring will eventually call UserDetailService.loadUserByUsername and pass the username to it, and if user exists the UserDetailService will return non null UserDetails. In case of null UserDetails or non null one with different password Spring will fail authentication.
UserDetailService.loadUserByUsername
UserDetailService
UserDetails
UserDetails
CAS is just an authentication server, it leaves open how user is stored. You can choose to use LDAP or database. That choice is based on different implementation of UserDetailService. Look at javadoc again. It has list of default implementations you can use.
UserDetailService
See part 5 of your linked tutorial. It shows how you can change both CAS and Spring Boot app to use database as user storage. The key here is that in order for back end to work with CAS server against users stored in database both need to be configured appropriately in order to look up user against database. CAS is configured via application.properties and Spring boot via UserDetailService.
application.properties
UserDetailService
Now to your questions in the comment:
why should the client bother about how cas server store the users ?
Client should not bother with UserDetailService. It is only used by back end service that is secured by CAS.
UserDetailService
Just to be sure that I get it tight: if I just need to know 'is that
user connected?' then CAS is enough and I will never use
UserDetailService. But if I need some information about the user
(name, telephone etc..) then I call the UserDetailService to load it
(from db, ldap or whatever).
Yes and no. You dont need to store password in UserDetails but you need to be able to return UserDetails for successful CAS authenticated user. See this part from your linked tutorial:
UserDetails
UserDetails
Note again that the principal in the database that the server uses
must be the same as that of the client applications.
Just to be sure that I get it tight: if I just need to know 'is that user connected?' then CAS is enough and I will never use UserDetailService. But if I need some information about the user (name, telephone etc..) then I call the UserDetailService to load it (from db, ldap or whatever).
– Tyvain
Sep 11 '18 at 4:26
Another question, why should the client bother about how cas server store the users ? In my app, I don"t mind that, I just want to "log in" and "log out". When I look at this worflow of cas: apereo.github.io/cas/5.1.x/protocol/CAS-Protocol.html I never need to access the database of the users.
– Tyvain
Sep 11 '18 at 4:37
see updated answer
– tsolakp
Sep 11 '18 at 14:02
Thanks for contributing an answer to Stack Overflow!
But avoid …
To learn more, see our tips on writing great answers.
Required, but never shown
Required, but never shown
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
That is just an example of simple implementation of UserDetailService using lambda (since it is a single method interface). See docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/…. This example will always return Mellon user on each loadUserByUsername method call. You can have your own implementation of that interface to load user from some datastore.
– tsolakp
Sep 11 '18 at 2:25