
Thread: Spring_security_saved_request_key

  1. #1

    Spring_security_saved_request_key

    In the API docs for org.springframework.security.ui.AbstractProcessingFilter, for the defaultTargetUrl they say:
    defaultTargetUrl: indicates the URL that should be used for redirection if the HttpSession attribute named SPRING_SECURITY_SAVED_REQUEST_KEY does not indicate the target URL once authentication is completed successfully.
    On my desktop Windows system, running tomcat-6.0.18, and another system, a linux server running the same version of tomcat, I correctly get redirected back to whatever page I was on before I triggered authentication (I'm using CAS). But on our web farm, which has one or more apache httpds in front of tomcat, I'm being redirected back to what defaultTargetUrl is set to.

    Has anyone else experienced this? Or have any ideas why SPRING_SECURITY_SAVED_REQUEST_KEY isn't set?

  2. #2
    Luke Taylor, Senior Member (Acegi Security System Team / Spring Team)


    Have you debugged the session handling (i.e. is it the same session)?

    You should be able to track everything (the saved request being stored, the redirection to logon, and the subsequent incoming URL, which should match the request) from the debug log.
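To make the check above concrete (does the CAS callback arrive in the same session that stored the saved request, and at the same URL?), here is an added Python model of the saved-request lookup; it is not Spring Security's own code. The session ids, host names and node layout are constructed, and the two web-farm scenarios are hypotheses to confirm or rule out against the debug log, not a diagnosis.

```python
from urllib.parse import urlsplit

SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY"
DEFAULT_TARGET_URL = "/search.zug"  # the defaultTargetUrl value from the posted config


class TomcatNode:
    """One Tomcat instance; sessions are node-local (no session replication assumed)."""

    def __init__(self):
        self.sessions = {}  # JSESSIONID -> session attributes

    def save_request(self, jsessionid, url):
        # ExceptionTranslationFilter stores the original request in the session
        # before redirecting the browser to the entry point (the CAS login page).
        self.sessions.setdefault(jsessionid, {})[SAVED_REQUEST_KEY] = url

    def determine_target_url(self, jsessionid):
        # Mirrors AbstractProcessingFilter.determineTargetUrl: the saved request wins;
        # defaultTargetUrl is only the fallback when the session attribute is absent.
        saved = self.sessions.get(jsessionid, {}).get(SAVED_REQUEST_KEY)
        return saved or DEFAULT_TARGET_URL


def url_differences(saved_url, incoming_url):
    """Parts of the post-login request that differ from the saved one (proxy rewrites show here)."""
    a, b = urlsplit(saved_url), urlsplit(incoming_url)
    port = lambda u: u.port or (443 if u.scheme == "https" else 80)
    pairs = {"scheme": (a.scheme, b.scheme), "host": (a.hostname, b.hostname),
             "port": (port(a), port(b)), "path": (a.path, b.path)}
    return [name for name, (x, y) in pairs.items() if x != y]


def single_tomcat():
    """Desktop case: one node, the browser presents the same JSESSIONID throughout."""
    node = TomcatNode()
    node.save_request("S1", "http://localhost:8080/people_locator/admin/list.zug")
    return node.determine_target_url("S1")  # CAS callback arrives with cookie S1


def farm_without_sticky_sessions():
    """Hypothesis A: node A stored the saved request, the CAS callback lands on node B."""
    node_a, node_b = TomcatNode(), TomcatNode()
    node_a.save_request("S1", "https://www.example.org/people_locator/admin/list.zug")
    return node_b.determine_target_url("S1")


def callback_without_cookie():
    """Hypothesis B: same node, but the callback carries no JSESSIONID because the
    CAS service URL names a host/port the browser holds no cookie for."""
    node = TomcatNode()
    node.save_request("S1", "https://www.example.org/people_locator/admin/list.zug")
    return node.determine_target_url(None)
```

Both farm hypotheses end at defaultTargetUrl for different reasons, so the debug log should be read for the JSESSIONID first and the URL components second.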

  3. #3


    Have you checked the Apache configs for any rewrites and/or redirects? What is the security section of your web.xml set to?

  4. #4

    Solution Found?

    I'm having this exact same problem. Were you able to discover a solution?

  5. #5


    Sorry, I've fixed it, but it was so long ago I don't remember what I did to fix it. The only thing that I have a vague memory about is needing to specify the port, although if your site/app is on port 80 that shouldn't be necessary, and I'm not sure the port problem was for this problem or something else.

    Here are the config lines from my maven pom.xml file; the cas.whatever names match up fairly closely with the property names in the cas .xml file.

    Code:
            <server.hostName>localhost</server.hostName>
            <server.port>8080</server.port>
    
            <webapp.name>people_locator</webapp.name>
    
            <cas.login.url>https://auth-test.berkeley.edu/cas/login</cas.login.url>
            <cas.serviceTicketValidator.url>https://auth-test.berkeley.edu/cas/</cas.serviceTicketValidator.url>
            <cas.serviceProperties.url>http://${server.hostName}:${server.port}/${webapp.name}/j_spring_cas_security_check</cas.serviceProperties.url>
    And here's my xml config file for CAS & Spring Security.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <!-- people locator -->
    
    <beans:beans
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
    
        <!-- order is significant for the intercept-url properties -->
        <security:http entry-point-ref="casProcessingFilterEntryPoint">
            <security:intercept-url
                pattern="/casFailed.zug"
                filters="none"
            />
    
            <security:intercept-url
                pattern="/admin/**"
                access="ROLE_ADMIN"
            />
    
            <security:intercept-url
                pattern="/localLogin.zug"
                access="ROLE_AUTHENTICATED"
            />
    
            <security:logout />
        </security:http>
    
        <security:authentication-manager
            alias="authenticationManager"
        />
    
        <beans:bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
            <security:custom-filter
                after="CAS_PROCESSING_FILTER"
            />
    
            <beans:property
                name="authenticationManager"
                ref="authenticationManager"
            />
    
            <beans:property
                name="authenticationFailureUrl"
                value="/casFailed.zug"
            />
    
            <beans:property
                name="defaultTargetUrl"
                value="/search.zug"
            />
        </beans:bean>
    
        <beans:bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
            <!-- https://auth-test.berkeley.edu/cas/login -->
            <beans:property
                name="loginUrl"
                value="${cas.login.url}"
            />
    
            <beans:property
                name="serviceProperties"
                ref="serviceProperties"
            />
        </beans:bean>
    
        <beans:bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
            <security:custom-authentication-provider />
    
            <!-- eduUserDetailsService is a @Service annotated class -->
            <beans:property
                name="userDetailsService"
                ref="eduUserDetailsService"
            />
    
            <beans:property
                name="serviceProperties"
                ref="serviceProperties"
            />
    
            <beans:property name="ticketValidator">
                <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                    <!-- serviceValidate is appended to the url by Cas20ServiceTicketValidator -->
                    <!-- https://auth-test.berkeley.edu/cas/ -->
                    <beans:constructor-arg
                        index="0"
                        value="${cas.serviceTicketValidator.url}"
                    />
                </beans:bean>
            </beans:property>
    
            <beans:property
                name="key"
                value="user"
            />
        </beans:bean>
    
        <beans:bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
            <!-- http://localhost:8080/people_locator/j_spring_cas_security_check -->
            <beans:property
                name="service"
                value="${cas.serviceProperties.url}"
            />
    
            <beans:property
                name="sendRenew"
                value="false"
            />
        </beans:bean>
    </beans:beans>

  6. #6


    My setup may be a bit weird; rather than use the anonymous user, I just send the user to the login page if they want to log in (the only page which requires authentication) and then authenticate them. Otherwise (i.e., until they authenticate) throughout the app they're known to be unauthenticated and can't see the things that an authenticated user can.

    One way to think about it is that everything is read-only when you're not authenticated and read/write when you are authenticated.
