
Thread: 404 error with /j_spring_cas_security_check using SWF + Spring Security + CAS

  1. #1

    Default 404 error with /j_spring_cas_security_check using SWF + Spring Security + CAS

    Spring web flow - 2.3.0.RELEASE
    Spring security - 3.0.4.RELEASE
    Spring - 3.0.4.RELEASE
    Spring CAS Client - 3.0.4.RELEASE
    CAS - 3.4.2

    I have run into a problem integrating Spring web flow using spring security with CAS. There is a problem with the handshake between CAS Server and CAS Client (using spring security).

    On accessing the secured resource, I am redirected to the CAS server, which generates a service ticket after a successful login. The CAS server then redirects to the URL defined in the service properties bean, /app/j_spring_cas_security_check, which is also the filterProcessesUrl set on the CasAuthenticationFilter bean.

    The URL looks something like
    PHP Code:
    http://localhost:8888/acme/app/j_spring_cas_security_check?ticket=ST-4-em0DC5e6ddbETKAATTri-cas 
    However, I get a 404 when accessing /app/j_spring_cas_security_check (see the URL above). I am not sure what could be wrong; any help will be appreciated.

    Please find the web.xml and spring security config below.

    WEB.XML
    Code:
       <!-- Enables Spring Security: DelegatingFilterProxy hands each request to the
            Spring bean named by the filter-name below (springSecurityFilterChain). -->
       <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    	 
        <!-- Applies the security chain to every URL, for direct requests and for
             server-side forwards.
             NOTE(review): the container runs filters in filter-mapping order, so this
             chain runs ahead of the CAS Single Sign Out Filter mapped later in the
             file. The CAS client expects its sign-out filter to run first; confirm
             the intended order. -->
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
    	  <dispatcher>FORWARD</dispatcher>
              <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    
    	
    <!-- SSO Entry start -->
        <context-param>
            <param-name>webAppRootKey</param-name>
            <param-value>cas.root</param-value>
        </context-param>
     
        <!-- CAS client filter for single sign-out, mapped to every URL.
             NOTE(review): this mapping is declared after springSecurityFilterChain,
             so it runs later in the chain. Requests that the security chain answers
             itself (for example the ticket callback) presumably never reach this
             filter, which would leave single sign-out ineffective. Confirm, and
             consider declaring this mapping before the security filter. -->
        <filter>
           <filter-name>CAS Single Sign Out Filter</filter-name>
           <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
         
        <filter-mapping>
           <filter-name>CAS Single Sign Out Filter</filter-name>
           <url-pattern>/*</url-pattern>
        </filter-mapping>
    	
        <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>
    
       <error-page>
            <error-code>403</error-code>
            <location>/app/casfailed</location>
        </error-page>	
    	
        <!-- SSO Entry end -->
         
         <!-- The front controller of this Spring Web application, responsible for handling all application requests -->
    	<servlet>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<init-param>
    			<param-name>contextConfigLocation</param-name>
    			<param-value></param-value>
    		</init-param>
    		<load-on-startup>2</load-on-startup>
    	</servlet>
    		
    	<!-- Map all /app/* requests to the Dispatcher Servlet for handling.
    	     The CAS callback path /app/j_spring_cas_security_check also matches this
    	     pattern, so a request that no filter intercepts ends up at the servlet. -->
    	<servlet-mapping>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<url-pattern>/app/*</url-pattern>
    	</servlet-mapping>
    security-config.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<!-- Web security rules. Unauthenticated requests are sent to the CAS entry
    	     point bean; denied requests are sent to /app/casfailed.
    	     NOTE(review): auto-config="true" also switches on the namespace defaults
    	     (form login, HTTP Basic, logout). If CAS is meant to be the only login
    	     path, consider removing it so no second mechanism is exposed. Confirm. -->
    	<security:http entry-point-ref="casProcessingFilterEntryPoint" use-expressions="true" access-denied-page="/app/casfailed" auto-config="true">
    		<!-- Rules are matched top to bottom, so the two public pages must stay
    		     above the catch-all /app/** rule.
    		     requires-channel="any" accepts both http and https; for anything
    		     beyond local testing, "https" keeps the ticket and the session
    		     cookie off plain HTTP. -->
    		<security:intercept-url pattern="/app/casfailed" access="permitAll()" requires-channel="any" />
    		<security:intercept-url pattern="/app/cas-logout" access="permitAll()" requires-channel="any" />
    		<security:intercept-url pattern="/app/**" access="hasAnyRole('ROLE_USER')" requires-channel="any" />	
    		<security:logout logout-success-url="/app/cas-logout" />
    		
    		<!-- Places the CAS ticket-processing filter at the CAS_FILTER slot of the chain. -->
    		<security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
    	</security:http>
    
    	<!-- Filter that receives the redirect back from CAS and authenticates the
    	     service ticket through the authentication manager.
    	     filterProcessesUrl is the path this filter intercepts; it has to agree
    	     with the path of the service URL configured on the serviceProperties bean
    	     (here both end in /app/j_spring_cas_security_check). -->
    	<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">	
    		<property name="filterProcessesUrl" value="/app/j_spring_cas_security_check" />
    		<property name="authenticationManager" ref="authenticationManager" />
    		<!-- On a failed ticket validation the browser is sent to /app/casfailed. -->
    		<property name="authenticationFailureHandler">
    			<bean
    				class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    				<property name="defaultFailureUrl" value="/app/casfailed" />
    			</bean>
    		</property>
    		<!-- On success the default target is /app/home. -->
    		<property name="authenticationSuccessHandler">
    		<bean  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    				<property name="defaultTargetUrl" value="/app/home" />
    			</bean>
    		</property>		
    	</bean>
    
    	<!-- Entry point used for unauthenticated requests: redirects the browser to
    	     the CAS login page (HTTPS) and passes along the service URL taken from
    	     the serviceProperties bean. -->
    	<bean id="casProcessingFilterEntryPoint"
    		class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    		<property name="loginUrl" value="https://localhost:8446/cas/login" />
    		<property name="serviceProperties" ref="serviceProperties" />
    	</bean>
    
    	<!-- Provider that validates the service ticket and builds the authenticated
    	     user. The user and its authorities are loaded from userService by the
    	     name CAS asserts. -->
    	<bean id="casAuthenticationProvider"
    		class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    		<property name="userDetailsService" ref="userService" />
    		<property name="serviceProperties" ref="serviceProperties" />
    		<!-- CAS 2.0 ticket validation against the CAS server base URL. The
    		     validation call goes from this application to CAS over HTTPS.
    		     NOTE(review): the application's JVM presumably has to trust the CAS
    		     server certificate for that call to succeed. Confirm. -->
    		<property name="ticketValidator">
    			<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    				<constructor-arg index="0" value="https://localhost:8446/cas" />			
    			</bean>
    		</property>
    		<!-- Key that marks authentication tokens as created by this provider. -->
    		<property name="key" value="an_id_for_this_auth_provider_only" />
    	</bean>
    
    	<!-- Identifies this application to CAS. The service value is the URL CAS
    	     redirects back to with the ticket, and the same value is sent again when
    	     the ticket is validated.
    	     NOTE(review): the service URL uses http while CAS itself is on https, so
    	     the service ticket comes back in the query string over an unencrypted
    	     connection. Acceptable on localhost only; use an https service URL
    	     elsewhere.
    	     sendRenew="false" lets an existing CAS single sign-on session be reused
    	     without asking for credentials again. -->
    	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    		<property name="service"
    			value="http://localhost:8888/acme/app/j_spring_cas_security_check" />
    		<property name="sendRenew" value="false" />
    	</bean>
    	
    
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider ref="casAuthenticationProvider"/>
    	</security:authentication-manager>
    	
    	<!-- In-memory user store referenced by casAuthenticationProvider to look up
    	     authorities. The authentication manager in this file registers only the
    	     CAS provider, so the passwords below are not checked by any provider
    	     shown here; CAS performs the login.
    	     NOTE(review): sample accounts whose passwords equal their usernames must
    	     not be carried over into a deployed configuration. -->
    	<security:user-service id="userService">
    		<security:user name="rod" password="rod" authorities="ROLE_SUPERVISOR,ROLE_USER" />
    		<security:user name="demo" password="demo" authorities="ROLE_USER" />
    		<security:user name="scott" password="scott" authorities="ROLE_USER" />
    	</security:user-service>
    
    </beans>

  2. #2

    What do the spring security debug logs look like?
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  3. #3

    Default

    There is not much information after the redirect to CAS..

    PHP Code:
    DEBUG org.springframework.security.web.access.ExceptionTranslationFilter Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
        
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
        
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
        
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
        
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:167)
        
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        
    at java.lang.Thread.run(Thread.java:595)
    DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8888/acme/app/home]
    DEBUG org.springframework.security.web.access.ExceptionTranslationFilter Calling Authentication entry point.
    DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter SecurityContextHolder now cleared, as request processing completed 

  4. #4

    Please include the logs that contain the j_spring_cas_security_check url
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  5. #5

    Default

    For some strange reason after the redirect from the CAS server to the web application, there is no log for the /j_spring_cas_security_check and after the redirect any request to the web application returns 404 error.

  6. #6

    What is your full web.xml? Are you by chance using URLRewriteFilter? What do the redirects look like (use tamper data to obtain them)?
    Last edited by Rob Winch; Nov 2nd, 2011 at 02:26 PM.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  7. #7

    Default

    What is your full web.xml? Are you by chance using URLRewriteFilter? What do the redirects look like (use tamper data to obtain them)?
    There are no URLRewriteFilters declared in the web.xml.

    The request life cycle looks like this:
    1) http://localhost:8888/acme
    2) http://localhost:8888/acme/app/home
    3)https://localhost:8446/cas/login?ser...security_check ( Brings up CAS login Screen)
    4) https://localhost:8446/cas/login?ser... 2Fapp%2Fj_sp...
    with submit parameters with SSO login credentials (After submitting CAS login credentials)
    5) http://localhost:8888/acme/app/j_spr...kHy7VdEwbGSHcH..
    (After successful authentication on CAS)
    6) 404 for above URL

    Strangely, neither DelegatingFilterProxy nor DispatcherServlet picks up the URL pattern and there are no debug logs; it seems Tomcat has suddenly stopped responding for the applications deployed on it.

    However, if I go to the Tomcat manager and click on the deployed application's link, I can see a Tomcat response, but after the CAS redirect it just goes dead again.

    I may have to check if the switching from secure channel (https) to unsecured channel (http) is leading to such erroneous behavior on tomcat.

    Any help will be greatly appreciated.

    Thanks,
    Vijay


    WEB.XML
    Code:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    	version="2.4">
    
    	<!-- The master configuration file for this Spring web application -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/config/web-application-config.xml
    		</param-value>
    	</context-param>
    	
    	<!-- Use JSF view templates saved as *.xhtml, for use with Facelets -->
    	<context-param>
    		<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    		<param-value>.xhtml</param-value>
    	</context-param>
    	
    	<!-- Enables special Facelets debug output during development.
    	     NOTE(review): the Development stage is meant for local work; debug
    	     output can reveal internals, so switch the value to Production before
    	     deploying. -->
      	<context-param>
            <param-name>javax.faces.PROJECT_STAGE</param-name>
       		<param-value>Development</param-value>
      	</context-param>
      	
      	<!-- Causes Facelets to refresh templates during development -->
      	<context-param>
      		<param-name>javax.faces.FACELETS_REFRESH_PERIOD</param-name>
      		<param-value>1</param-value>
      	</context-param>
      	<context-param>
    		<param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
    		<param-value>true</param-value>
    	</context-param>
    	
    
    	<!--
    		Uncomment this to disable partial state saving when using Apache MyFaces 2 !!
    	<context-param>
    		<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
    		<param-value>false</param-value>
    	</context-param>
    	-->
    
      	
      	<!-- Declare Spring Security Facelets tag library -->
      	<context-param>
      		<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
      		<param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
      	</context-param>
      	
        <!-- Enforce UTF-8 Character Encoding -->
        <filter>
            <filter-name>charEncodingFilter</filter-name>
            <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
            <init-param>
                <param-name>encoding</param-name>
                <param-value>UTF-8</param-value>
            </init-param>
            <init-param>
                <param-name>forceEncoding</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
        
        <filter-mapping>
            <filter-name>charEncodingFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        
    	<!-- Enables Spring Security: DelegatingFilterProxy hands each request to the
    	     Spring bean named by the filter-name below (springSecurityFilterChain). -->
    	<filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    	 
        <!-- Applies the security chain to every URL, for direct requests and for
             server-side forwards. It is declared after charEncodingFilter and
             before the CAS Single Sign Out Filter, and the container runs filters
             in that order. -->
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
    	  <dispatcher>FORWARD</dispatcher>
          <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    
    	
    	<!-- SSO Entry start -->
    	<context-param>
            <param-name>webAppRootKey</param-name>
            <param-value>cas.root</param-value>
        </context-param>
     
        <!-- CAS client filter for single sign-out, mapped to every URL.
             NOTE(review): this mapping is declared after springSecurityFilterChain,
             so it runs later in the chain. Requests that the security chain answers
             itself (for example the ticket callback) presumably never reach this
             filter, which would leave single sign-out ineffective. Confirm, and
             consider declaring this mapping before the security filter. -->
        <filter>
           <filter-name>CAS Single Sign Out Filter</filter-name>
           <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
         
        <filter-mapping>
           <filter-name>CAS Single Sign Out Filter</filter-name>
           <url-pattern>/*</url-pattern>
        </filter-mapping>
    	
    	 <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>
    
    	<error-page>
            <error-code>403</error-code>
            <location>/app/casfailed</location>
        </error-page>	
    	
    	<!-- SSO Entry end -->
    
    
    	<!-- Loads the Spring web application context -->
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
      	
    	<!-- The front controller of this Spring Web application, responsible for handling all application requests -->
    	<servlet>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<init-param>
    			<param-name>contextConfigLocation</param-name>
    			<param-value></param-value>
    		</init-param>
    		<load-on-startup>2</load-on-startup>
    	</servlet>
    		
    	<!-- Map all /app/* requests to the Dispatcher Servlet for handling.
    	     The CAS callback path /app/j_spring_cas_security_check also matches this
    	     pattern, so a request that no filter intercepts ends up at the servlet. -->
    	<servlet-mapping>
    		<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    		<url-pattern>/app/*</url-pattern>
    	</servlet-mapping>
    
    	<!-- Just here so the JSF implementation can initialize, *not* used at runtime -->
    	<servlet>
    		<servlet-name>Faces Servlet</servlet-name>
    		<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	
    	<!-- Just here so the JSF implementation can initialize -->
    	<servlet-mapping>
    		<servlet-name>Faces Servlet</servlet-name>
    		<url-pattern>*.faces</url-pattern>
    	</servlet-mapping>
    	
    	<welcome-file-list>
    		<welcome-file>index.html</welcome-file>
    	</welcome-file-list>
    </web-app>

  8. #8

    Are you certain you have logging enabled for FilterChainProxy? Do you see any logs if you copy paste the URL into the browser? If you add a debug point to FilterChainProxy#doFilter does it stop in that method when receiving the ticket?
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  9. #9

    Default

    I have enabled logging for spring security in log4j

    Code:
    log4j.logger.org.springframework.security=DEBUG
    I see that FilterChainProxy#doFilter is called till the redirect happens ( sometimes with no logs ), after redirect there are neither logs nor does it stop at FilterChainProxy#doFilter.


    Thanks,
    Vijay

  10. #10

    What happens if you type the URL in your browser? Did you try tamper data to see what requests are being made? Please copy paste the results from tamper data of requesting the protected page, logging into cas, and the redirect back to the original service.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
