CAS - how to detect unavalaible CAS server

**harasta** · Feb 1st, 2011, 02:21 AM

Hello,

I'm using CAS authentication with Spring Security 3.0.5. If the CAS server is not running, browser shows message that server is unavailable. I don't want user to see CAS server URL. Is it possible to redirect browser to some user friendly page? Did anybody resolve such situation?

Thanks,
Vladimir

**harasta** · Feb 1st, 2011, 07:37 AM

OK, I have an idea. It should be possible to place custom servlet filter into the filter chain. The new filter can ping CAS server and eventually redirect to user friendly error page. Is it right solution?

Vladimir

**Luke Taylor** · Feb 1st, 2011, 07:40 AM

This doesn't really have anything to do with Spring Security.

Users will normally see the CAS URL when they login to the server. Why do you want to hide it?

**harasta** · Feb 1st, 2011, 08:13 AM

Yes, you are right Luke. Users normally see CAS URL if everything goes well. I didn't express my needs exactly. I don't want to confuse users by CAS URL if CAS is down. They usually don't notice/understand redirecting machinery and don't expect CAS URL on white error page.

Spring Security filters deal with this situation in wrong way. ExceptionTranslationFilter catches AccessDeniedException and then considers the user as anonymous one. Unfortunatelly, AccessDeniedException doesn't hold another useful information about the reason of failure.

**Luke Taylor** · Feb 1st, 2011, 11:15 AM

Whether the SSO server is down or not is beyond Spring Security's control. Spring Security doesn't deal with it at all. The AccessDeniedException has nothing to do with the CAS server's availability.

You would probably be better to look at making the CAS server itself more robust.

**harasta** · Feb 2nd, 2011, 01:45 AM

Thanks for opinions, Luke. But I cannot agree. See my comments bellow.

> You would probably be better to look at making the CAS server itself more robust.

Very funny. I think the CAS server is robust enough. It simply isn't running for some reason.

> Whether the SSO server is down or not is beyond Spring Security's control.

Of course, Spring Security is not able to control CAS, but it should be aware of CAS unavailability. An CasIsDownException sounds better than AccessDeniedException, doesn't it?

**Rob Winch** · Feb 2nd, 2011, 12:00 PM

Originally Posted by harasta

Very funny. I think the CAS server is robust enough. It simply isn't running for some reason.

I think what Luke was trying to say is that you should ensure that the URL resolves to something (i.e. an error page). For what it's worth it's worth I agree with Luke. If I were doing this, I would probably ensure that the CAS URL displays an informative error page. This would take care of the use case where a user navigates directly to the cas server (i.e. bookmarks the login page).

Originally Posted by harasta

Of course, Spring Security is not able to control CAS, but it should be aware of CAS unavailability. An CasIsDownException sounds better than AccessDeniedException, doesn't it?

This is a bit of a slippery slope and I don't think it is a good idea for Spring Security to do this by default. Should Spring Security validate internal URL's before redirecting to them? Should Spring Security validate all the URLs before allowing the FilterChain to continue? How does Spring Security know if the URL is valid or not?

If you really want to validate the URL before redirecting I would write a custom CasAuthenticationEntryPoint and validate before performing the redirect.

Cheers,

**harasta** · Feb 3rd, 2011, 04:35 AM

Originally Posted by rwinch

I think what Luke was trying to say is that you should ensure that the URL resolves to something (i.e. an error page). For what it's worth it's worth I agree with Luke. If I were doing this, I would probably ensure that the CAS URL displays an informative error page. This would take care of the use case where a user navigates directly to the cas server (i.e. bookmarks the login page).

I'm relatively new in Spring Security. Maybe I don't get some detail. But how can be worth to ensure if CAS URL displays any page in case of CAS is down. No page displays, even no HTTP error returns.

Originally Posted by rwinch

This is a bit of a slippery slope and I don't think it is a good idea for Spring Security to do this by default. Should Spring Security validate internal URL's before redirecting to them? Should Spring Security validate all the URLs before allowing the FilterChain to continue? How does Spring Security know if the URL is valid or not?

I don't think that Spring Security should check out that its configuration is right

Tests should check it out.

Originally Posted by rwinch

If you really want to validate the URL before redirecting I would write a custom CasAuthenticationEntryPoint and validate before performing the redirect.

Rob, thank you for constructive idea. All the time I have been waiting for something like that. I'll give it a try.

Vladimir

**Rob Winch** · Feb 3rd, 2011, 08:20 AM

Originally Posted by harasta

I'm relatively new in Spring Security. Maybe I don't get some detail. But how can be worth to ensure if CAS URL displays any page in case of CAS is down. No page displays, even no HTTP error returns.

It really depends on your infrastructure on how to best go about this. The The simplest example is to ensure you have specified an error page in your web.xml. Another example is to have a Filter that does something like...

Code:

public void doFilter(ServletRequest req,ServletResponse resp,FilterChain chain) 
      throws IOException, ServletException {
  try {
    chain.doFilter(req,resp);
  }catch(Throwable t) {
    // log error
    // forward or render a pretty error page
  }
}

Yet another example, is to have your load balancer have a health check on your application. If the health check fails have the load balancer display an error page. As you can see there are a number of different ways to go about it. The main thing is if a user enters a URL that you own, then the page is rendered or an appropriate error message is displayed.

HTH,

**harasta** · Feb 4th, 2011, 02:09 AM

Rob, thanks for advice and the example. But an error page and a load balancer are definitely dead ends. Believe me.

I have read all reactions in this thread again. And again I think of Luke's last advice:
> You would probably be better to look at making the CAS server itself more robust.

That's the point. Luke might have HW infrastructure on his mind. It would make sense. The CAS server should run on solid HW, simply because it is SSO service.

All I can do for users of my application is to let them enter thru an insecured page which checks out availability of services at first. If anything goes wrong after that, users should return to this well-known page and should contact an administrator.

Thank you all for kind following of my thoughts.
Best regards,
Vladimir

Thread: CAS - how to detect unavalaible CAS server

Thread Tools

Display

CAS - how to detect unavalaible CAS server

Posting Permissions