CAS + JDBC authentication-provider configuration problem

Hi,
I'm using both cas authentication and authentication jdbc based.

This simple configuration i've made works but I do not think it is clean one.

For example

If i do login via form (action = "j_spring_security_check")
the custom-filter ref = "singleLogoutFilter" is executed and its "doFilter"
performs a CommonUtils.safeGetParameter (request, "logoutRequest");
throwing WARN: org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest

Do you think is rigth to put in the same authentication-manager both the authentication-provider jdbc and cas ?
Should i do something to avoid conflicts between j_spring_security_check and cas filters ?

thanks in advance

Code:

---

<security:authentication-manager id="authenticationmanager" alias="authenticationManager">

  <security:authentication-provider user-service-ref="userService">
    <security:password-encoder hash="plaintext"/>
  </security:authentication-provider>

  <security:authentication-provider ref="casAuthenticationProvider">
  </security:authentication-provider>

</security:authentication-manager>

---

Code:

---

<security:http
authentication-manager-ref="authenticationmanager"
use-expressions="true"  >

<access-denied-handler error-page="/denied" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<form-login login-page="/login" authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" invalidate-session="false" />
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>

---

Code:

---

login.jsp

<form  method="POST" action="j_spring_security_check"  >
user<input size="22" maxlength="14" type="text" value="" name="j_username" id="user"/>
password<input size="23" maxlength="22" type="password" value="" name="j_password" id="pass" />
<input type="submit" value="ok" />
</form>
<br />
<a href ="https://idp.test.it:4443/testcas/login?service=https%3A%2F%2Fmiaapp.mia.com%3A18443%2Fapp%2Fj_spring_cas_security_check" >
 cas auth
</a>

---

Quote:

---

Originally Posted by aleale

Hi,
I'm using both cas authentication and authentication jdbc based.

This simple configuration i've made works but I do not think it is clean one.

For example

If i do login via form (action = "j_spring_security_check")
the custom-filter ref = "singleLogoutFilter" is executed and its "doFilter"
performs a CommonUtils.safeGetParameter (request, "logoutRequest");
throwing WARN: org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest

Do you think is rigth to put in the same authentication-manager both the authentication-provider jdbc and cas ?
Should i do something to avoid conflicts between j_spring_security_check and cas filters ?

thanks in advance

Code:

---

<security:authentication-manager id="authenticationmanager" alias="authenticationManager">

  <security:authentication-provider user-service-ref="userService">
    <security:password-encoder hash="plaintext"/>
  </security:authentication-provider>

  <security:authentication-provider ref="casAuthenticationProvider">
  </security:authentication-provider>

</security:authentication-manager>

---

Code:

---

<security:http
authentication-manager-ref="authenticationmanager"
use-expressions="true"  >

<access-denied-handler error-page="/denied" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<form-login login-page="/login" authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" invalidate-session="false" />
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>

---

Code:

---

login.jsp

<form  method="POST" action="j_spring_security_check"  >
user<input size="22" maxlength="14" type="text" value="" name="j_username" id="user"/>
password<input size="23" maxlength="22" type="password" value="" name="j_password" id="pass" />
<input type="submit" value="ok" />
</form>
<br />
<a href ="https://idp.test.it:4443/testcas/login?service=https%3A%2F%2Fmiaapp.mia.com%3A18443%2Fapp%2Fj_spring_cas_security_check" >
 cas auth
</a>

---

---

If you're using cas, you don't need a form login in your application. the cas filter should redirect the user to the cas server if they aren't authenticated. Which will redirect them back into your application (and some other black magic) authenticated.

Cas alone isn't enough.
I have users in a remote cas of another organization and my db users locally.
I have made the page login.jsp to ask the user where he want to autenticate, on remote-cas or via local authentication service.
Spring security seems to work ok with both activated in the config i've made.
My question is about the rightness of this config as i read a warning in the CAS_FILTER