Shiro Authentication

CAS support handling the authentication event via Apache Shiro.

Components

Support is enabled by including the following dependency in the WAR overlay:

1
2
3
4
5
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-generic</artifactId>
  <version>${cas.version}</version>
</dependency>

Shiro Configuration

Apache Shiro supports retrieving and checking roles and permissions for an authenticated subject. CAS exposes a modest configuration to enforce roles and permissions as part of the authentication, so that in their absence, the authentication may fail. While by default these settings are optional, you may configure roles and/or permissions for the given authentication handler to check their presence and report back.

To see the relevant list of CAS properties, please review this guide.

Sample shiro.ini that needs be placed on the classpath based on the example above:

1
2
3
4
5
6
7
8
9
[main]
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

[users]
casuser = Mellon, admin

[roles]
admin = system,admin,staff,superuser:*