Blog for discussing EnduroTracker.com development, design, and implementation using Open Source tools including Fedora, Monorail (.Net MVC framework), Java, Spring, Hibernate, Postgresql using Amazon's EC2 and FPS services.
Other big companies like Google also use the Restlet framework for writing Web Services in a Restful way. I always lean towards projects that are well documented and the Restlet framework has some good documentation including examples, tutorials, and api documents. In addition, if you want to integrate a Spring Web project with Restlet, here is a good write up,
If your website leverages ajax via javascript, one of the nice things with Restlets is that you can easily call your Restful Web Services using javascript.
Restlets has implemented lots of extensions, for example if you want to write a smartphone app in android to call Restful Web Services, Restlets has an extension for this.
Restlet is extremely flexible and can be called from either a Web client or Web server code.
Most developers hate to repeat themselves, so they like to reuse as much code as possible. The folks at OpenSymphony.org who also brought you Quartz developed Sitemesh to utilize the Gang of Four pattern composition.
In short, SiteMesh is a web-page layout and decoration framework. It allows you to
reuse your layouts (header and footer for example) throughout your site, so that
you site has a consistent look and feel.
The general documentation at the SiteMesh Site site is quite good but I needed to utilize Sitemesh in the following specific scenario, I am using Spring MVC and Velocity Templates.
Since the general install documentation, installation instructions is very good, I will not repeat it here. Once you have downloaded and setup your web project, you will have 3 xml config that you will be dealing with, web.xml, sitemesh.xml, and decorators.xml. In my case I am using Spring MVC and Velocity, so I need to customize my web.xml configuration to handle this setup. Here is how my web.xml is configured:
If you followed the SiteMesh Install steps at their site and then customized your
web.xml for your Spring MVC web project, you should now have SiteMesh configured correctly to use with Spring MVC and Velocity.
Important to note in your decorators.xml since you are using Velocity,
you will be using *.vm decorator files, here is an example decorators.xml file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<decorators defaultdir="/decorators">
<!-- Any urls that are excluded will never be decorated by Sitemesh -->
<!--<excludes>
<pattern>/exclude.vm</pattern>
<pattern>/exclude/*</pattern>
</excludes>-->
My journey begins with HA which means High Availability.
I'm not crazy about acronyms because given the variety of words in the english language they can mean any combination of things.
I have 2 main requirements/constraints when running my website:
1) Always be load balanced for High Availability,redundancy and also allow easy scalability.
2) Allow use Hibernate across multiple databases. I have a separate database for users (user db), and a separate database for the core of the web application.
My website is load balanced using Apache, I have a single load balance server , and 2 web servers also running Apache.
They get load balanced via Apache ProxyReverse or mod_proxy module.
I added a third requirement to my web application, always allow the users to sign in once and sign in with one set of credentials (username/password).
Another words, don't have separate sign up, sign in processes for third party applications like forums that you have tacked onto to your site.
This third requirement is straight forward and may appear easy to some, but it can be complicated and time consuming to implement.
Luckily, the folks at jasig.org , created CAS , Central Authentication Service, which can be implemented into one's website.
It is Java based, but can be integrated with lots of different website technology stacks like .Net, PHP, Perl, ColdFusion, Ruby on Rails, etc.
Combining these 3 requirements means that I need to be able to have CAS load balanced across multiple servers and multiple databases.
The standard implementation of CAS stores a user's credentials in the session. However, when CAS is implemented this way, the web site
ends up losing the credentials on redirects, etc.
To solve this issue CAS 4 (Cas version 4) introduced the concept of Database Session Storage named JpaSessionStorage in CAS.
Due to requirement #2, I had to implement my own Session Storage class that utilizes Spring's JtaTransactionManager rather EntityManager.
This allows for managing transactions over multiple databases.
I created a class called: JpaSessionStorageUsingJtaImpl within the package:org.jasig.cas.server.session, and part of the cas 4 project: cas-server-sessionstorage-jpa.
Here is my code:
/***
* Session Storage Implementation that uses Spring's a JtaTransactionManager rather
* than EntityManager. Allows for managing transactions over multiple databases which
* is required in some web application implementations.
* @author David Driscoll
*
*/
@TransactionConfiguration(transactionManager="jtaTransactionManager", defaultRollback=false)
@Transactional
@Repository
/*public class JpaSessionStorageUsingJtaImpl extends AbstractSessionStorageImpl implements Cleanable{*/
public class JpaSessionStorageUsingJtaImpl implements SessionStorage, Cleanable{
@Resource(name="sessionFactory3")
private org.hibernate.SessionFactory sessionFactory;
@NotNull
@CollectionSize(mode=CollectionSize.MODE_MINIMUM, minimumSize = 1)
@Autowired(required=false)
private List sessionFactories = new ArrayList();
throw new IllegalStateException("No SessionFactory configured that can handle this type of Authentication.");
}
catch(Exception ex){
System.out.println("exception in createSession, exception message:" + ex.getMessage());
throw new IllegalStateException("No SessionFactory configured that can handle this type of Authentication.");
}
}
public org.jasig.cas.server.session.Session destroySession(String sessionId) {
try {
Query query = this.sessionFactory.getCurrentSession().createQuery("select s from session s where s.sessionId = :sessionId").setParameter("sessionId", sessionId);
org.jasig.cas.server.session.Session session = (org.jasig.cas.server.session.Session) query.uniqueResult();
this.sessionFactory.getCurrentSession().delete(session);
return session;
} catch (Exception e) {
return null;
}
}
public org.jasig.cas.server.session.Session findSessionBySessionId(String sessionId) {
try {
Query query = this.sessionFactory.getCurrentSession().createQuery("select s from session s where s.sessionId = :sessionId").setParameter("sessionId", sessionId);
org.jasig.cas.server.session.Session session = (org.jasig.cas.server.session.Session) query.uniqueResult();
return session;
} catch ( Exception e) {
return null;
}
}
public org.jasig.cas.server.session.Session updateSession(org.jasig.cas.server.session.Session session) {
this.sessionFactory.getCurrentSession().update(session);
return session;
}
public org.jasig.cas.server.session.Session findSessionByAccessId(String accessId) {
try {
Query query = this.sessionFactory.getCurrentSession().
createQuery("select s from session s, IN(s.casProtocolAccesses) c where c.id = :accessId").setParameter("accessId", accessId);
org.jasig.cas.server.session.Session session = (org.jasig.cas.server.session.Session) query.uniqueResult();
return session;
} catch ( Exception e) {
return null;
}
}
public void purge() {
Query query = this.sessionFactory.getCurrentSession().
createQuery("delete from session s");
query.executeUpdate();
}
public void prune() {
Query query = this.sessionFactory.getCurrentSession().
createQuery("Delete From session s where (s.state.creationTime + :timeOut) >= :currentTime or s.state.count > :maxCount").
setParameter("timeOut", this.purgeTimeOut).setParameter("currentTime", System.currentTimeMillis()).setParameter("maxCount", this.purgeMaxCount);
query.executeUpdate();
}
public void setPurgeTimeOut(long purgeTimeOut) {
this.purgeTimeOut = purgeTimeOut;
}
public void setPurgeMaxCount(int purgeMaxCount) {
this.purgeMaxCount = purgeMaxCount;
}
You will need to setup your JTA configuration for your CAS 4 datasource.
See my series of blog posts on setting up Spring with Multiple Databases to setup JTA appropriately, here : http://endurotracker.blogspot.com/2009/08/using-spring-with-multiple-databases.html
CAS 4 uses utilizes autowiring annotations, so you only need to reference this new class in your pom.xml for it to be found and used as the session storage mechanism.
Here is a xml snippet from the pom.xml file:
In part 2, we will go over how to integrate CAS 4 Single Sign On with Roller ( a open source blog engine , see roller.apache.com ).
In this usage scenario we authenticate the user using CAS4 which in this case stores Username/password information in a separate User db from Roller's db.
So we will not be authenticating using Roller's db, however we will use Roller's db to determine what the users role / access rights are within the Roller application. (i.e Are they an editor, administrator, or do they not have a role yet).
Since Roller has implemented SSO for LDAP environment, we can utilize this and Roller will automatically create a role for a user if they do not have one yet. The default role is editor for their own blog.
The workflow for Roller integrating CAS 4 is as follows, user goes to a secured page on the roller application site, the user will get redirected to the
CAS 4 application site and be asked to login. After successful login, the user will be redirect back to where they started on the roller application site.
If they checked the remember me check box , then in the future, they will not have to login again until their remember me cookie expires.
Setting Up Your Development Environment
Roller uses Ant for compiling and deployment.
Depending on which IDE you use and what you development style is you may wish
to create a new empty roller_custom java project with Maven enabled if you want to use Maven dependency management instead using Ant and library references. I typically use Eclipse and Maven, so I created an empty roller_custom java project
and a new pom.xml, then enabled maven. This way I will be able to use Eclispe with Maven. I then built Roller using the ant build file (/roller/apps/weblogger/build.xml) to make sure Roller compiles correctly under ant first. To install Roller's jars into your local Maven Repository , you will need to use the experimental ant build file, /roller/build-poms.xml). You will need to download maven-ant-tasks-2.0.10.jar, and install it to roller/tools/buildtime/maven/maven-ant-tasks-2.0.10.jar and make sure to update it reference location in /roller/build-poms.xml. Next, I referenced the Roller's jars and CAS4 client jar in my roller_custom pom.xml file, like so:
Unfortunately this next part is time consuming. You will need to reference all the .jars that Roller references in your Pom.xml under /roller/tools, Roller has a lot of references so it is time consuming.
But, with all this hard work, you now have Maven goodness, and easy debugging compatibilty using Eclipse with Jetty if you wish.
SSO Implementation
Out of the box Roller supports SSO with LDAP. To use Spring Security with RememberMeServices we need to update
the class: RollerUserDetailsService.java, to include the specific Role Name Prefix that Spring Security looks for.
Specifically, Spring Security looks for the prefix "ROLE_" in every role name.
Additionally, Roller has a property setting for Autoprovision a user's account, we therefore will use this to automatically create a User if the Account exists in our CAS User db , but not in our Roller db.
Therefore we updated RememberMeServices like this:
public class RollerUserDetailsService implements UserDetailsService {
//Spring Security uses special required rolePrefix, typically ROLE_
private String rolePrefix = "";
public RollerUserDetailsService()
{
}
/**
* Allows a default role prefix to be specified. If this is set to a non-empty value, then it is
* automatically prepended to any roles read in from the db. This may for example be used to add the
* ROLE_ prefix expected to exist in role names (by default) by some other Spring Security
* classes, in the case that the prefix is not already present in the db.
*
* @param rolePrefix the new prefix
*/
public void setRolePrefix(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
try {
Weblogger roller = WebloggerFactory.getWeblogger();
UserManager umgr = roller.getUserManager();
User userData = null;
if (userName.startsWith("http://")) {
if (userName.endsWith("/")) {
userName = userName.substring(0, userName.length() -1 );
}
try {
userData = umgr.getUserByAttribute(
UserAttribute.Attributes.OPENID_URL.toString(),
userName);
} catch (WebloggerException ex) {
throw new DataRetrievalFailureException("ERROR in user lookup", ex);
}
String name;
String password;
GrantedAuthority[] authorities;
// We are not throwing UsernameNotFound exception in case of
// openid authentication in order to recieve user SREG attributes
// from the authentication filter and save them
if (userData == null) {
authorities = new GrantedAuthority[1];
GrantedAuthority g = new GrantedAuthorityImpl("openidLogin");
authorities[0] = g;
name = "openid";
password = "openid";
} else {
authorities = getAuthorities(userData, umgr);
name = userData.getUserName();
password = userData.getPassword();
}
UserDetails usr = new org.springframework.security.userdetails.User(name, password, true, authorities);
return usr;
} else {
try {
userData = umgr.getUserByUserName(userName);
} catch (WebloggerException ex) {
throw new DataRetrievalFailureException("ERROR in user lookup", ex);
}
if (userData == null) {
//determine if autoProvisioning is enabled if so create User
if (WebloggerConfig.getBooleanProperty("users.sso.autoProvision.enabled"))
{
AutoProvision provisioner = RollerContext.getAutoProvision();
if(provisioner != null) {
boolean userProvisioned = provisioner.execute(userName);
if(userProvisioned) {
// try lookup again real quick
try{
userData = umgr.getUserByUserName(userName);
}
catch (WebloggerException e) {
throw new UsernameNotFoundException("ERROR no user: " + userName);
}
}
}
}
else
{
throw new UsernameNotFoundException("ERROR no user: " + userName);
}
}
}
GrantedAuthority[] authorities = getAuthorities(userData, umgr);
return new org.springframework.security.userdetails.User(userData.getUserName(), userData.getPassword(), true, authorities);
private GrantedAuthority[] getAuthorities(User userData, UserManager umgr) throws WebloggerException {
List roles = umgr.getRoles(userData);
GrantedAuthority[] authorities = new GrantedAuthorityImpl[roles.size()];
if(!rolePrefix.isEmpty())
{
authorities = new GrantedAuthorityImpl[roles.size()*2];
}
int i = 0;
for (String role : roles) {
//add Roller Security Role for use with non-Spring Security Implementations
authorities[i++] = new GrantedAuthorityImpl(role);
//add Spring Security Role
authorities[i++] = new GrantedAuthorityImpl(rolePrefix + role);
}
return authorities;
}
}
In addition, since we need to get the Roles for a user from Roller's db so we may need to implement a Custom RememberMeServices class.
Developers will probably need to implement their own custom class, if they created their RememberMe cookie not using the standard Spring Security Remember Me configuration.
Here is a brief code outline (snippet), if you for example you call your class:
RollerRememberMeServices. You will need to extend AbstractRememberMeServices class which is a part of Spring Security ( using Spring Security 2.0) and implement all the required methods.
public class RollerRememberMeServices extends AbstractRememberMeServices{
}
One of the key methods is: processAutoLoginCoookie,
This method returns UserDetails object, within this method you will need to extract the username from the RememberMe cookie (this will vary depending on what you stored in your cookie value, some people will store username, some will store email, etc).
With the username you can the create a UserDetails object by doing something like this:
<!-- This is really strange, but for some reason it's needed to prevent
some problems with the file uploads not working intermittently -->
<filter>
<filter-name>struts2-cleanup</filter-name>
<filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
<!--new-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!--
Most app servers support compression, if yours doesn't then use this one,
but don't forget to uncomment the mapping below too.
<filter>
<filter-name>CompressionFilter</filter-name>
<filter-class>org.apache.roller.weblogger.ui.core.filters.CompressionFilter</filter-class>
</filter>
-->
<!-- ******************************************
Filter mappings - order IS important here.
****************************************** -->
<!--
NOTE: Wherever "dispatcher" elements are specified in the filter mappings, they are
required for Servlet API 2.4 containers, such as Tomcat 5+ and Resin 3+, but should be
commented out for Servlet API 2.3 containers, like Tomcat 4.x and Resin 2.x.
-->
<!-- This filter ensures that the request encoding is set to UTF-8 before any
other processing forces request parsing using a default encoding.
Note: Any filters preceding this one MUST not cause request parsing. -->
<filter-mapping>
<filter-name>CharEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- Ip Banning is mapped for comment and trackbacks only.
Note: this filter does nothing if an ip ban list is not configured. -->
<filter-mapping>
<filter-name>IPBanFilter</filter-name>
<url-pattern>/roller-ui/rendering/comment/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>IPBanFilter</filter-name>
<url-pattern>/roller-ui/rendering/trackback/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- Scheme enforcement. Only here until we get Acegi scheme enforcement working -->
<filter-mapping>
<filter-name>SchemeEnforcementFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Original Security filters - controls secure access to different parts of Roller -->
<!--<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>-->
<!-- Map everything to the PersistenceSessionFilter.
NOTE: Any filters preceding this one MUST NOT use persistence sessions.-->
<filter-mapping>
<filter-name>PersistenceSessionFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- Init filter. performs some initialization on first request -->
<filter-mapping>
<filter-name>InitFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- Request mapping. this is what allows the urls to work -->
<filter-mapping>
<filter-name>RequestMappingFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!--
Most app servers support compression, if yours doesn't then use this one,
but don't forget to uncomment the filter definition above too.
<filter-mapping>
<filter-name>CompressionFilter</filter-name>
<url-pattern>/roller-ui/rendering/page/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>CompressionFilter</filter-name>
<url-pattern>/roller-ui/rendering/feed/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
-->
<!-- Web Service Servlets -->
<servlet-mapping>
<servlet-name>XmlRpcServlet</servlet-name>
<url-pattern>/roller-services/xmlrpc</url-pattern>
</servlet-mapping>
<!-- Redirect support for some old struts1 urls -->
<servlet-mapping>
<servlet-name>StrutsRedirectServlet</servlet-name>
<url-pattern>/roller-ui/yourWebsites.do</url-pattern>
</servlet-mapping>
<!-- your customizations -->
<!--
Activates various annotations to be detected in bean classes:
Spring's @Required and @Autowired, as well as JSR 250's @Resource.
-->
<context:annotation-config />
<!--Try adding this-->
<aop:aspectj-autoproxy />
<!-- Turn on @Required -->
<beans:bean class="org.springframework.beans.factory.annotation.RequiredAnnotationBeanPostProcessor" />
<!-- Note: if your usersDao uses sessionFactory you will need to add sessionFactory bean as well, this is just for illustration purposes-->
<beans:bean id="usersDao"
class="yourPackage.UsersDao">
<beans:property name="sessionFactory" ref="sessionFactory"/>
</beans:bean>
<!--NOTE : Don't forget to implement a RollerRememberMeServices class, unless you use the Plain vanilla Spring Security RemberMeServices class -->
<!--plain vanilla using regular Spring Security-->
<!--<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="usersDao"/>
<property name="key" value="CHANGE_THIS_2"/>
</bean>-->
Overview As an avid internet user I have a lot of different sites that I use, for most sites I have a separate user account and password.
With lots of accounts, it can be hard to remember all my different user names and passwords.
With Endurotracker.com, we want to make you user experience as enjoyable as possible. So, unlike some sites where you need to 3 different username and passwords one for main site, one for forum , and one for blog engine, we have made so that you only need a Single Sign On or Username/password combo for all the different applications.
In this series of blog entries, I will discuss how I implement Single Sign across 3 different applications, Roller ( a Open Source Blogging Engine),
JForum ( a Open Source Forum Engine), and our main application Endurotracker.com.
The way we implement Single Sign On (SSO) will be to use CAS 4, Central Authentication System 4 written by www.jasig.org and the
Spring Framework, specifically Spring Security formerly Aegis Security.
At a high level the way SSO works is : if a user is not logged in and they go to a secure area of the Roller application, then they will get prompted
to log in (via a redirect to the CAS 4 application), after successful login they get redirected back to where they where in the Roller application.
SSO will be implemented on 3 applications so this type of workflow will occur for the 3 applications, Roller, JForum, and Endurotracker.
Setting of CAS4
In this section we will go over how CAS4 was setup.
Step 1: Get CAS4 from jasig.org's SVN trunk repository
Step 2: Configure your Eclipse IDE and setup the CAS4 project : cas-server-webapp.
Optional (but good idea for debugging) , pull in all the CAS4 projects (over a dozen projects).
RememberMe Implementation
CAS4 takes advantage of the Open Source framework Spring. Specifically it uses Spring Web Flow and Spring Security.
(see www.springsource.org for full documenation).
In a nutshell, the way we implement RememberMe is by creating a RememberMe cookie and then utilize this cookie to determine
who the user is. If the RememberMe cookie is not found or is expired we force the user to login.
You can use the standard RememberMeServices class from Spring Security or you can create your own RememberMeServices class
if you need a implement things like encrypting your cookies. We implement our own RememberMeServices class to encrypt the values
stored in our cookies. Creating your own RememberMeServices class is optional.
Add this html snippet to promptForCredentials.jsp which will add a remember me check box to the login form:
For Spring Web Flow, to store whether the user has checked rememberMe check box, we need to create a small class, CaptchaRememberMeCredentialImpl.java, here is the source (small class):
@Component
@ValidateDefinition
public class CaptchaRememberMeAuthenticationResponsePluginImpl extends CaptchaAuthenticationResponsePluginImpl implements AuthenticationResponsePlugin {
//WARNING: implement all required methods this is just a SNIPPET for illustration purposes, this code will not compile, you will
// need to implement all required methods and add your imports, etc.
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY = "SPRING_SECURITY_REMEMBER_ME_COOKIE";
@Override
public void handle(final LoginRequest loginRequest, final AuthenticationResponse response) {
if (response.succeeded()) {
if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
return;
}
//if isRememberMe is false then return (don't set rememberme cookie)
if(userCred.isRememberMe()==false)
{
return;
}
//need to implement your own UserDetails Class , see Spring Security's UserDetails javadoc for more info
UserDetails userDetails = getUserDetailsService().loadUserByUsername(username);
if(userDetails != null){
//determine what data you wish to store in cookie value
//typically store username or email as the key, or userid possibly
String cookieValue = user.getUserName().toString();
response.getAttributes().put(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, cookieValue);
}
return;
}
else
{
return;
}
}
}
}
To set the cookie we need to implement an Authentication plugin and a cookie creator class.
CAS4 has implemented a plugin architecture that allows developers to create custom plugins.
Once you create a plugin, to get CAS4 to use it you just reference the plugin in the your deployment configuration file (in CAS3 called deployerConfigContext.xml) or if you utilize annotations will get picked up automagically. (i.e @Component, etc)
In this case our plugin will need to get called during the authentication process, so we will extend the CaptchaAuthenticationResponsePluginImpl
and implement AuthenticationResponsePlugin.
In a nutshell the plugin calculates the Cookie's value and stores it in the HttpResponse.
During the workflow after successful authentication the RememberMeCookieCreater class , extracts the Cookie's value from
the HttpResponse and creates new RememberMe Cookie using this value as input.
@Component
@ValidateDefinition
public class CaptchaRememberMeAuthenticationResponsePluginImpl extends CaptchaAuthenticationResponsePluginImpl implements AuthenticationResponsePlugin {
//WARNING: implement all required methods this is just a SNIPPET for illustration purposes, this code will not compile, you will
// need to implement all required methods and add your imports, etc.
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY = "SPRING_SECURITY_REMEMBER_ME_COOKIE";
@Override
public void handle(final LoginRequest loginRequest, final AuthenticationResponse response) {
if (response.succeeded()) {
if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
return;
}
//if isRememberMe is false then return (don't set rememberme cookie)
if(userCred.isRememberMe()==false)
{
return;
}
//need to implement your own UserDetails Class , see Spring Security's UserDetails javadoc for more info
UserDetails userDetails = getUserDetailsService().loadUserByUsername(username);
if(userDetails != null){
//determine what data you wish to store in cookie value
//typically store username or email as the key, or userid possibly
String cookieValue = user.getUserName().toString();
response.getAttributes().put(SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, cookieValue);
}
return;
}
else
{
return;
}
}
}
}
We use org.springframework.web.util.CookieGenerator to generate the remember me cookie, and see configuration section further down.
We then have to configure the Spring Web Flow configuration file, login.xml (locate under /webapp/WEB-INF/login/login.xml) to call this class during our workflow.
Here is the xml snippets:
xml snippet 1, update credentials var to use CaptchaRememberMeCredentialsImpl:
<var name="credentials" class="org.jasig.cas.server.authentication.CaptchaRememberMeCredentialImpl" />
Step 8: Create deployerConfigContext.xml (main customization config file):
<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<!--
| This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
| "authenticationManager". Most deployers will be able to use the default AuthenticationManager
| implementation and so do not need to change the class of this bean. We include the whole
| AuthenticationManager here in the deployerConfigContext.xml so that you can see the things you will
| need to change in context.
+-->
<!--You Can override Auth. Mgr here if you wish-->
<!--This is just a example to use as template-->
<!--<bean id="authenticationManager"
class="org.jasig.cas.server.authentication.DefaultAuthenticationManagerImpl">
</bean>-->
<!--You Can override CredentialToPrincipalResolver here if you wish-->
<!--This is just a example to use as template-->
<!--<bean class="org.jasig.cas.server.authentication.SimpleUsernamePasswordCredentialToPrincipalResolver" id="usernamePasswordCredentialToPrincipalResolver" />-->
<!--You Can override UsernamePasswordCredentialsAuthenticationHandler here if you wish-->
<!--This is just a example to use as template-->
<!--<bean class="org.jasig.cas.server.authentication.handler.TestUsernamePasswordCredentialsAuthenticationHandler" id="testUsernamePasswordCredentialsAuthenticationHandler"/>-->
<!--Your customizations here-->
<!--
Activates various annotations to be detected in bean classes:
Spring's @Required and @Autowired, as well as JSR 250's @Resource.
-->
<context:annotation-config />
<aop:aspectj-autoproxy />
<!-- Turn on @Required -->
<bean class="org.springframework.beans.factory.annotation.RequiredAnnotationBeanPostProcessor" />