Our SSO sample application is driven by a delivery use case. Given that ready-to-use CAS cannot be used to secure applications on production sites, we provide a simple example of how to enable single sign-on and sign-out for applications on live sites.
Extract the wem-sso-api-cas-sample.war file (to the /sso-sample folder, for example). The application is located in the WebCenter Sites Misc/Samples/WEM Samples/WEM Sample applications/ directory.
Modify the applicationContext.xml file in the WEB-INF folder by setting the following properties:
casUrl: Point to the CAS server base path:
casLoginPath: Include the login form template hosted by the SSO sample application:
Deploy the modified SSO sample application to your application server.
Access the application.
The SSO sample application consists of the following pages:
Protected area: a page that is protected by the WEM SSO filter. This page contains two single sign-out links (Figure 74-1).
The first link (single sign-out with redirect) is an HTML link that performs single sign-out on the CAS side and redirects the user back to the home page. The second link (single sign-out without redirect) is also an HTML link that performs single sign-out on the CAS side, but without leaving or reloading the current page.
Public area: a page that is excluded from the protection filter.
Public area with login form: this page is excluded from the protection filter, but has a login form, which allows performing a sign-in operation without leaving or reloading the current page.
The SSO sample application provides you with the basic code for utilizing single sign-on and sign-out functionality to protect applications on production sites. The following components provide access to the SSO sample application:
index.jsp: Starting page. This page contains links to the pages described as Protected area, Public area, and Public area with login form pages (see Section 74.1, "Deploying the SSO Sample Application").
template.html: Used to provide a custom sign-in form for CAS. Its path is referenced in the wemLoginTemplate parameter of the casLoginPath property in the applicationContext.xml file.
The WEB-INF folder contains the following configuration files:
applicationContext.xml: Spring web application configuration file, which configures the SSO subsystem.
web.xml: Web application deployment descriptor.
Files in the protected folder are protected by the SSO filter. By default, the following files are included in this folder:
protected.jsp: A page protected by the SSO filter. This page hosts two links for performing single sign-out. The first link leads to the CAS sign-out page with a redirect to the application's home page when sign-out is complete. The second link embeds an iframe into this page, which calls the CAS sign-out page with a redirect to the signoutCallback.jsp page. The protected.jsp page also prints out all attributes from the Assertion object, which describes the currently logged-in user.
protected/jsp/protectedSection.jsp: Page that is loaded in the embedded iframe when the Sign in link on the public.jsp page is clicked. As this page is protected, a login screen is presented in the embedded iframe.
Files in this area are not protected by the SSO filter. By default, the following sample files are included in the /
public.jsp: This page is not protected by the CAS filter.
publicWithAuth.jsp: This page displays the Sign in link. Clicking the link embeds an iframe into publicWithAuth.jsp, with the iframe pointing to the protectedSection.jsp page. As that page is protected, a login screen is presented in the embedded iframe.
signoutCallback.jsp: This page is called from the protected.jsp page upon sign-out completion when the iframe technique is used.
Implementing single sign-on for a website amounts to implementing a sign-in form. The sign-in form can be presented to site visitors in one of two ways:
The sign-in form is presented when the visitor tries to access a protected page. This is the default sign-in implementation. The sign-in form can be either the default sign-in form shipped with CAS or a custom form provided by an application.
The sign-in form is embedded into a public page, and the sign-in function is performed without the user leaving the current page. This behavior is implemented by embedding an iframe that points to a protected page. Because that page is protected, the sign-in form is presented to the visitor inside the iframe.
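The second approach, written out as an added example: this is not the sample application's own publicWithAuth.jsp, but a public JSP page built the way the text describes. It reuses the page names given above (protected/jsp/protectedSection.jsp as the protected target). The postMessage hand-off that tells the parent page the sign-in finished is an assumed convention of this example, not part of the WEM SSO API: it requires one line, `<script>parent.postMessage("wem-sso-signed-in", window.location.origin);</script>`, to be placed in protectedSection.jsp, and the parent accepts the message only from its own origin so a foreign frame cannot fake a signed-in state.

```jsp
<%-- Added example (not the sample application's publicWithAuth.jsp):
     a public page that signs the visitor in without leaving the page by
     embedding an iframe that points at a protected page. The SSO filter in
     front of protected/jsp/protectedSection.jsp sends the iframe, not the
     parent page, to the CAS login form. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<!DOCTYPE html>
<html>
<head><title>Public area with login form</title></head>
<body>
  <h1>Public area with login form</h1>
  <p><a id="signInLink"
        href="<%= request.getContextPath() %>/protected/jsp/protectedSection.jsp">Sign in</a></p>
  <div id="loginFrameHolder"></div>
  <p id="status">Not signed in yet.</p>

  <script>
    (function () {
      var link = document.getElementById("signInLink");
      var holder = document.getElementById("loginFrameHolder");

      link.addEventListener("click", function (ev) {
        ev.preventDefault();               // stay on this page
        if (holder.firstChild) { return; } // one login iframe at a time
        var frame = document.createElement("iframe");
        frame.src = link.href;             // protected page: CAS login form appears inside
        frame.width = "500";
        frame.height = "350";
        holder.appendChild(frame);
      });

      // protectedSection.jsp (same origin) announces the completed sign-in via
      // postMessage (assumed convention of this example). Check the origin so
      // a message from any other frame or site is ignored.
      window.addEventListener("message", function (ev) {
        if (ev.origin !== window.location.origin) { return; }
        if (ev.data === "wem-sso-signed-in") {
          document.getElementById("status").textContent =
            "Signed in; protected links on this site now work without a login prompt.";
          holder.removeChild(holder.firstChild);
        }
      });
    })();
  </script>
</body>
</html>
```

Once the iframe shows the protected content, the browser holds the CAS session cookie, so subsequent requests to protected pages of this application pass the SSO filter; the parent page never navigated away.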
When implementing single sign-out on a web page, you can do one of the following:
Retrieve the single sign-out URL by invoking the getSignoutUrl() or getSignoutUrl(String callbackUrl) method of the com.fatwire.wem.sso.SSO.getSSOSession() object.
After performing single sign-out, CAS can optionally redirect to the visitor-supplied URL, which is set in the callbackUrl parameter.
Use an iframe-embedding technique if the sign-out is to be performed without leaving the current page. This technique involves embedding an iframe with the single sign-out URL as source. When the iframe is loaded, the sign-out URL is called (this is done primarily to avoid cross-domain restrictions in browsers).
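Both sign-out variants in one page, as an added example that is not the sample application's own protected.jsp. It uses only the API named above (SSO.getSSOSession().getSignoutUrl(...)); that getSSOSession() is a static method taking no arguments is an assumption of this example. The callback pages index.jsp and signoutCallback.jsp are the page names from the sample, but the postMessage line assumed to live in signoutCallback.jsp, `<script>parent.postMessage("wem-sso-signed-out", window.location.origin);</script>`, is this example's own convention. The URL returned by CAS is HTML-escaped before it is written into an attribute, which is the hygiene step a production page should not skip.

```jsp
<%-- Added example (not the sample application's protected.jsp):
     single sign-out with redirect (plain link) and without redirect (hidden iframe). --%>
<%@ page contentType="text/html; charset=UTF-8" import="com.fatwire.wem.sso.SSO" %>
<%!
  // Escape a value before placing it in an HTML attribute so that quotes or
  // angle brackets in the URL cannot break out of href/src.
  private static String attr(String s) {
    StringBuilder b = new StringBuilder(s.length());
    for (char c : s.toCharArray()) {
      switch (c) {
        case '&':  b.append("&amp;");  break;
        case '<':  b.append("&lt;");   break;
        case '>':  b.append("&gt;");   break;
        case '"':  b.append("&quot;"); break;
        case '\'': b.append("&#39;");  break;
        default:   b.append(c);
      }
    }
    return b.toString();
  }
%>
<%
  // Absolute base URL of this application for the callback. Assumption: the
  // application is reachable on the host/port the request arrived at; behind a
  // reverse proxy, take the base URL from configuration instead of the request.
  String base = request.getScheme() + "://" + request.getServerName()
              + ":" + request.getServerPort() + request.getContextPath();

  // Variant 1: sign out on CAS, then CAS redirects the browser to our home page.
  // (getSignoutUrl() with no argument would leave the visitor on the CAS sign-out page.)
  String signoutThenHome = SSO.getSSOSession().getSignoutUrl(base + "/index.jsp");

  // Variant 2: sign out on CAS with a redirect to a small callback page; this URL
  // is loaded inside an iframe, so the current page is never left.
  String signoutInFrame = SSO.getSSOSession().getSignoutUrl(base + "/signoutCallback.jsp");
%>
<!DOCTYPE html>
<html>
<head><title>Protected area</title></head>
<body>
  <h1>Protected area</h1>
  <p><a href="<%= attr(signoutThenHome) %>">Single sign-out with redirect</a></p>
  <p><a href="#" id="signoutNoRedirect"
        data-url="<%= attr(signoutInFrame) %>">Single sign-out without redirect</a></p>
  <div id="signoutFrameHolder"></div>
  <p id="signoutStatus"></p>

  <script>
    (function () {
      var link = document.getElementById("signoutNoRedirect");
      link.addEventListener("click", function (ev) {
        ev.preventDefault();
        // The sign-out URL is on the CAS host, so this page cannot fetch it with
        // XMLHttpRequest (same-origin policy); a hidden iframe can load it.
        var frame = document.createElement("iframe");
        frame.src = link.getAttribute("data-url");
        frame.style.display = "none";
        document.getElementById("signoutFrameHolder").appendChild(frame);
      });

      // signoutCallback.jsp (ours, same origin) reports completion via postMessage
      // (assumed convention); accept it from our own origin only.
      window.addEventListener("message", function (ev) {
        if (ev.origin !== window.location.origin) { return; }
        if (ev.data === "wem-sso-signed-out") {
          document.getElementById("signoutStatus").textContent =
            "Signed out of CAS; the next request to a protected page will require a new sign-in.";
        }
      });
    })();
  </script>
</body>
</html>
```

The callback URL handed to getSignoutUrl(String callbackUrl) is where CAS sends the browser afterwards, so it should always be an absolute URL on this application's own host; building it from a configured base rather than from user-controlled input keeps the sign-out flow from becoming an open redirect.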