Allow access to anonymous page with CAS authentication first in spring CAS sample app

[chrismarx]

In the sample app here:

http://static.springsource.org/sprin...tml#cas-sample

the role based access is configured using the following bean:

Code:

   <bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
        <property name="securityMetadataSource">
            <sec:filter-invocation-definition-source>
                <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
                <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
                <sec:intercept-url pattern="/**" access="ROLE_USER"/>
            </sec:filter-invocation-definition-source>
        </property>
    </bean>

Is there any way to grant access to pages which should be accessible anonymously, even though cas is handling authentication?

[Rob Winch]

You can specify a page as anonymous, but the default implementation will will not trigger an attempt to authenticate when accessing anonymous pages. You are likely looking for gateway support. One way to do this would be to modify the CasAuthenticationEntryPoint to ensure the gateway parameter was specified for anonymous pages. It would also need to keep track that it already attempted authentication in some way (i.e. only provide an anonymous authentication token upon completion of a gateway request that returned no user).

You also might want to trigger authentication if someone hits an anonymous page, then in another tab logs into the cas server, and then refreshes the anonymous page. There are a number of ways to do this, but the easiest would be to have a dummy cookie that is shared for the entire domain and at /. This cookie should NOT be used for authentication (i.e. do not reuse JSESSION or CASTGT). If the cookie is present an attempt to authenticate would be made. If not, it would continue as anonymous.

HTH,

[chrismarx]

ah, thank you for the clarification, yes I am looking for gateway support. but your answer hits on another thing -- the cas documentation for integrating with spring ( here - https://wiki.jasig.org/display/CASC/...pring+Security doesn't use the org.springframework.security.cas.web.CasAuthentica tionEntryPoint, instead, it sets up a filterChainproxy.

Is one or the other of these methods more advisable to use at this point?

[Rob Winch]

In my opinion it really depends on which library you want to focus on. The Spring Security library has better integration with Spring Security where as the CAS library has richer support for CAS. The current cas sample in Spring Security demonstrates a way to do this with the CAS filters and PreAuth, but the doc describes how to do it with Spring Security's filter. If you want I am working on updating the sample to use Spring Security and can see the branch I have created. Please note that the branch will probably not be maintained like a normal git repo in that may be rebased or removed since this is a person branch. You will also note there are some features that do not yet exist in Spring Security 3.x since the purpose of the branch is to add some more CAS support.

Update: SEC-965 was integrated into 3.1.0-RC2

HTH,

[chrismarx]

thank you! i wish that was spelled out somewhere before I got started, oh well, I'm on the right track now. So I can see that for the app where I needed that gateway, I can use the spring security route, and I just tested that out, and it works great. I have another app thats already configured for preauth, I'm checking out now whether I still need to use that, or whether I can use more of the spring configuration-