
Thread: cas+spring security issue

  1. #1
    Join Date
    Sep 2012
    Posts
    19

    Question cas+spring security issue

    Hi everyone!
    I'm trying to implement SSO (single sign-on) via CAS (jasig-CAS) in my app and, as of now, I've faced the following problem:
    Code:
    HTTP Status 401 - Authentication Failed: Failed to provide a CAS service ticket to validate
    
    type Status report
    
    message Authentication Failed: Failed to provide a CAS service ticket to validate
    
    description This request requires HTTP authentication (Authentication Failed: Failed to provide a CAS service ticket to validate).
    I start my CAS server on a different Tomcat (so I have two Apache Tomcats at the same time, ports are different, for example, on the CAS server they are 8080, 8443, etc. and on the myApp server they are 9080, 9443, etc.), log in there, and when I go to the login page at my app, then: 1. there is no autologin 2. when I enter credentials, I see the stacktrace shown above. I took an example from this site.
    In web.xml, I've included the Spring Security context and set the appropriate listeners, etc. In the pom (I use Maven) I've added the required dependencies described in the article. But the problem stays. I'd be glad of any pieces of advice.

    Also I've attached security context and my login page
    login.txt
    springSecurity.txt

  2. #2

    Default

    Hi,

    I'm not sure of what you really want to do because I see a CAS configuration in your webapp but also a form configuration: you don't need both. The login page is hosted on the CAS server and is responsible for authenticating the user, that's all: you don't need a local login page.
    That's why you get the problem: you send username / password from your local login page to /j_spring_cas_security_check, which expects a CAS service ticket from the CAS server -> failed to provide a CAS service ticket!
    Best regards,
    Jérôme

  3. #3
    Join Date
    Sep 2012
    Posts
    19

    Default

    Jérôme,
    you mean that CAS will change the login page automatically?
    So how should I configure it? Can you give a sample of code?
    Or what steps should I do for my app's correct operation?

  4. #4

    Default

    Hi,

    I mean that the login page is hosted on the CAS server: you don't need to have one in applications. The authentication process is delegated to the CAS server.
    Your configuration looks good for the CAS part, you should just remove what is linked to form authentication.
    The reference documentation : http://static.springsource.org/sprin...rence/cas.html.
    Best regards,
    Jérôme

  5. #5
    Join Date
    Sep 2012
    Posts
    19

    Default

    so, you mean I need to delete the login.jsp file and in my spring security context put url of CAS-server? I'm trying to understand the logic of the steps.
    Last edited by userio; Oct 1st, 2012 at 05:18 AM.

  6. #6

    Default

    Quote Originally Posted by userio View Post
    so, you mean I need to delete the login.jsp file and in my spring security context put url of CAS-server? I'm trying to understand the logic of the steps.
    Right, remove the login.jsp and all the XML configuration added for the form authentication : remove <security:form-login, authenticationEntryPoint...
    Once again, I recommend you follow the reference documentation for Spring Security & CAS (see the previous link I gave you).

    The only challenge you will have is how to compute roles and define accesses on application side : generally, users are authenticated on CAS server side and their personal information (roles for example) are retrieved during authentication phase and pushed to CAS applications through custom CAS service ticket validation and it's the applications which decide what to do with these roles...

  7. #7
    Join Date
    Sep 2012
    Posts
    19

    Default

    Jérôme, I'm stuck
    I don't understand how the user should go to the login page. How to do it in the HTML code (I have an a href element), so I click and go to the login page.

    Thanks in advance.

  8. #8

    Default

    Hi,

    You have to change your way of thinking: you don't go to the login page by clicking on a link.

    You try to access a protected url in your application, this url is protected by your Spring Security CAS client which stores this requested url and sends you to the CAS server which checks if you are authenticated and (as you're not) displays a login page for authentication. After successful authentication, you are redirected back to the "CAS url" of your application (something ending with /j_spring_cas_security_check) with a service ticket granted by the CAS server. The CAS client validates the service ticket against the CAS server and restores the originally requested url. You are now authenticated in your application.

    Best regards,
    Jérôme

  9. #9
    Join Date
    Sep 2012
    Posts
    19

    Default

    so in the html code I have to put not a href="login.jsp", but a href = "someProtectedPage.jsp"? And for this page in my security context I have set the roles, that can access this page. that's right?

  10. #10

    Default

    You're right. Target the protected page.

    The roles will be computed by your user details service which can grab information from a datasource in your application or use attributes pushed through CAS SAML validation (I recommend this option to centralize information retrieval on CAS server side).
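
A CAS-only security context of the kind the replies above describe, as an added example that is not part of the thread and not any poster's actual configuration. It assumes Spring Security 3.x; the `localhost` hosts, the `/cas` and `/myApp` context paths, the bean ids, the provider key and the sample `alice` user are assumptions, while the ports and `/j_spring_cas_security_check` come from the thread.

```xml
<!-- Added example: no <security:form-login> and no local login.jsp; CAS is the only entry point.
     Hosts, context paths, bean ids, key and the sample user are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">
  <!-- A request for a protected URL without a session is redirected to the CAS server -->
  <security:http entry-point-ref="casEntryPoint">
    <security:intercept-url pattern="/someProtectedPage.jsp" access="ROLE_USER"/>
    <security:custom-filter position="CAS_FILTER" ref="casFilter"/>
  </security:http>
  <!-- Service URL that CAS redirects back to with ?ticket=ST-...; the CAS filter handles it -->
  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="https://localhost:9443/myApp/j_spring_cas_security_check"/>
  </bean>
  <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="https://localhost:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
  </bean>
  <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
  </bean>
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider"/>
  </security:authentication-manager>
  <!-- Validates the service ticket against CAS, then loads roles for the returned username -->
  <bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="key" value="constructed_provider_key"/>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg value="https://localhost:8443/cas"/>
      </bean>
    </property>
    <property name="authenticationUserDetailsService">
      <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <constructor-arg ref="userService"/>
      </bean>
    </property>
  </bean>
  <!-- Constructed in-memory user; the password is never checked because CAS authenticates -->
  <security:user-service id="userService">
    <security:user name="alice" password="unused" authorities="ROLE_USER"/>
  </security:user-service>
</beans>
```

The `service` value must be exactly the URL the CAS filter processes, and because ticket validation is a back-channel HTTPS call from the application to the CAS server, the application's JVM has to trust the CAS server's certificate.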
