SSO using CAS throws AccessDeniedException

[bill comer]

I have a working security-context.xml file (as far as login is concerned) using the namespace style syntax.

However we have high dependancy on DWR 1.1.4 defined in the old syle and we are reluctant to convert this to the namespace style syntax, and unfortunately this is incompatible with Spring defined using the namespace syntax. See DWRs docn and Bram Smeet's blog.

Therefore I need a security-context.xml file in the old syntax. Below is my current version. This works as long as I specify the specific ROLE of the user that is logging in in the FilterSecurityInterceptor. If I specify more than one role in this filter then I always get access denied.

Below is my security-context.xml file with just ROLE_SYSADMIN defined.

Any thoughts please?

FooCasAuthenticationProcessingFilter extends CasProcessingFilter & overrides determineTargetUrl but I do not feel this is the issue.

the Exception being thrown is:

HTML Code:

Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.AccessDeniedException: Access is denied
	at org.springframework.security.vote.UnanimousBased.decide(UnanimousBased.java:74)
	at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
	at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
	at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:277)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)

HTML Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:sec="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

   <!-- Filter Chain -->
   <bean id="springSecurityFilterChain"
         class="org.springframework.security.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
         <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionIntegrationFilter,exceptionTranslationFilter,casProcessingFilter,securityInterceptorFilter
         </value>
      </property>
   </bean>

   <!-- HTTP Session Integration Filter.  Transfers security details from request to request. -->
   <bean id="httpSessionIntegrationFilter"
         class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

  <bean id="securityInterceptorFilter"
    class="org.springframework.security.intercept.web.FilterSecurityInterceptor" >
    <property name="authenticationManager" ref="providerManager" />
    <property name="accessDecisionManager">
      <ref local="accessDecisionManager" />
    </property>
    <property name="objectDefinitionSource" >
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=ROLE_SYSADMIN
      </value>
    </property>
  </bean>
        <!--
        /access_denied.jsp=ROLE_ANONYMOUS
        /**=ROLE_CLERK_BILLIN,ROLE_SYSADMIN
         -->

  <bean id="casProcessingFilter"
        class="uk.co.foo.bar.security.FooCasAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="providerManager"/>
        <property name="authenticationFailureUrl" value="/logout.htm"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="service" ref="userPreferenceDao" />
      <property name="trays">
         <map>
            <entry>
               <key><value>1</value></key>
               <value>/inTray.htm</value>
            </entry>
            <entry>
               <key><value>2</value></key>
               <value>/outTray.htm</value>
            </entry>
            <entry>
               <key><value>3</value></key>
               <value>/archiveTray.htm</value>
            </entry>
            <entry>
               <key><value>4</value></key>
               <value>/rejectTray.htm</value>
            </entry>
            <entry>
               <key><value>12</value></key>
               <value>/pendingTray.htm</value>
            </entry>
         </map>
      </property>
    </bean>


    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />


  <bean id="exceptionTranslationFilter"

    class="org.springframework.security.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint" />
  </bean>

  <bean id="casProcessingFilterEntryPoint"
        class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint" >
        <property name="loginUrl" value="https://localhost:8443/casldap/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://localhost:7070/foo/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

  <bean id="providerManager"
    class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="casAuthenticationProvider" />
      </list>
    </property>
  </bean>


  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="userDetailsService" ref="authenticationService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/casldap" />
            <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
            <!--
            <property name="proxyCallbackUrl" value="https://localhost:8443/foo/receptor" />
             -->
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>


  <bean id="accessDecisionManager"
    class="org.springframework.security.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
      <list>
        <bean id="roleVoter"
          class="org.springframework.security.vote.RoleVoter" />
      </list>
    </property>
  </bean>

  <bean id="httpSessionContextIntegrationFilter"
    class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
    <property name="contextClass"
      value="org.springframework.security.context.SecurityContextImpl" />
  </bean>

  <bean id="authenticationService"
    class="uk.co.foo.dfcommon.service.AuthenticationServiceImpl">
    <constructor-arg ref="userDao" />
  </bean>

  <bean id="saltSource"
    class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
    <property name="userPropertyToUse" value="getUsername" />
  </bean>

  <bean id="passwordEncoder"
    class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
</beans>

[hdeadman]

Have you tried using org.springframework.security.vote.AffirmativeBased instead of the UnanimousBased?

[hdeadman]

It looks like the UnanimousBased decision manager passes each config attribute in one at a time rather than just making sure the user has one of the roles. That would mean that the user would need to have all the configured roles for a resource since the RoleVoter returns denied if user doesn't have the passed in role.

I have been using the AffirmativeBased decision manager which will allows access if the user has one of the roles. One issue I may have is that I may need to have multiple voters (RoleVoter, custom IpAddressVoter, AuthenticatedVoter) and I want them to all be queried and I want a single denied to trump any number of granted. The AffirmativeBased decision manager allows any granted vote override deny votes. I guess that would be the UnanimousBased decision manager if it passed in the full list of attributes at once.

[bill comer]

Cheers hdeadman.

That solved my problem.
Let me know how you get on with yours.