Thread: CAS single sign-on and anonymous access - seriously confused!

  1. #1
    Join Date
    Jul 2009
    Posts
    10

    CAS single sign-on and anonymous access - seriously confused!

    Hi everyone,

    I have been searching on the web for a few hours now and I am seriously confused. Basically what we want is this situation

    http://www.ja-sig.org/wiki/display/C...ateway+Example

    where if the user is logged in they get some options on the home page and if they're not logged in they don't. We've been using CAS single sign on for authenticating against the whole site so far and now we want to make the home page public but to know the user's credentials if they exist. The problem with just adding an anonymous security role is that the CAS login screen shows up still to try and authenticate when it shouldn't.

    So far I'm really confused because the articles I can find are pretty scant and contradictory (e.g. different versions, different filter suggestions). We're using Spring 2.5, Spring Security 2.0, CAS Server 3.3 and CAS client 3.1.

    This is our web.xml for the single sign on:
    Code:
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    And here's the Spring beans for the cas client:
    Code:
    <security:http entry-point-ref="casProcessingFilterEntryPoint">
            <security:intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS, ROLE_MEMBER"/>
            <security:intercept-url pattern="/" access="ROLE_ANONYMOUS, ROLE_MEMBER" />
            <security:intercept-url pattern="/**" access="ROLE_MEMBER" />
    
            <security:logout logout-url="/services/logout.html" logout-success-url="/services/loggedOut.html" />
    
            <security:concurrent-session-control max-sessions="1" expired-url="/cas/logout"/>
        </security:http>
    
        <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
            <property name="service" value="http://localhost:8080/j_spring_cas_security_check"/>
            <property name="sendRenew" value="false"/>
        </bean>
    
        <security:authentication-manager alias="authenticationManager"/>
    
        <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
            <security:custom-filter before="CAS_PROCESSING_FILTER"/>
        </bean>
    
        <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
            <security:custom-filter after="CAS_PROCESSING_FILTER"/>
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
            <property name="defaultTargetUrl" value="/"/>
        </bean>
    
        <bean id="casProcessingFilterEntryPoint"
            class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
            <property name="loginUrl" value="http://localhost:8080/cas/login"/>
            <property name="serviceProperties" ref="serviceProperties"/>
        </bean>
    
        <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
            <security:custom-authentication-provider />
            <property name="userDetailsService" ref="userCredentialsDao"/>
            <property name="serviceProperties" ref="serviceProperties" />
            <property name="ticketValidator">
                <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                    <constructor-arg index="0" value="http://localhost:8080/cas" />
                </bean>
            </property>
            <property name="key" value="an_id_for_this_auth_provider_only"/>
        </bean>
    Anyone have any ideas?

  2. #2


    One option is to simply make the home page public (i.e. do not put it behind the CAS filter). Then check on the home page for the CAS ID in the user's session. If they've gone to some other (secured) page and logged in, then their ID will still be in the session. If so, you can display the options they should see.

  3. #3
    Join Date
    Jul 2009
    Posts
    10


    Hi Jacob,

    Thanks for this suggestion but I find it doesn't work... unless I have done something wrong!

    If I set up the home page like this:
    Code:
    <security:intercept-url pattern="/index.jsp" filters="none"/>
    And this is how we normally get our UserDetails object from the session:
    Code:
    	// Needs: java.security.Principal, javax.servlet.http.HttpServletRequest,
    	// org.springframework.security.Authentication, org.springframework.security.userdetails.UserDetails
    	public static UserDetails getUser(HttpServletRequest req)
    	{
    		// Spring Security exposes its Authentication as the servlet principal,
    		// but only on requests that actually passed through the security filter chain.
    		Principal principal = req.getUserPrincipal();
    		if (!(principal instanceof Authentication))
    		{
    			return null; // no filter ran (e.g. filters="none") or nobody is authenticated
    		}
    		Object user = ((Authentication) principal).getPrincipal();
    		// Only a real login carries a UserDetails; avoid a bare cast that could throw.
    		return (user instanceof UserDetails) ? (UserDetails) user : null;
    	}
    This returns null on the home page even if I am already logged in. It makes sense to me that it would return null because there is no Spring security filter on the page to populate the UserDetails object for me.

  4. #4


    Instead of relying on the filter, try just looking in the session:

    Code:
    session.getAttribute("edu.yale.its.tp.cas.client.filter.user");
    If the user has a CAS session, that value should be in the session.

  5. #5
    Join Date
    Jul 2009
    Posts
    10


    Thanks Jacob,

    I was able to solve this by using the anonymous feature of the http bean:
    Code:
        <security:http entry-point-ref="casProcessingFilterEntryPoint">
            <security:intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS, ROLE_MEMBER"/>
            ...
            <security:anonymous/>
        </security:http>
    I found it quite by accident, whilst reading through the http bean's XSD file. It adds an anonymous authentication provider, which produces the effect I wanted.

    This feature is very poorly documented; it should not have been such a struggle for me to find it - such a simple thing...
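As an added illustration (not code posted in this thread), here is how a public page such as index.jsp can tell a CAS-authenticated member from the anonymous user that `<security:anonymous/>` now injects. It assumes the Spring Security 2.0.x package layout used in the config above and a hypothetical helper class named CurrentUser; ROLE_MEMBER is the role from the poster's intercept-url rules.

```java
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;

/** Hypothetical helper for a public page sitting behind <security:anonymous/>. */
public final class CurrentUser {
    private CurrentUser() {}

    /** Current Authentication, or null if the request bypassed the filter chain. */
    private static Authentication current() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /**
     * True only for a real (CAS-validated) login. With <security:anonymous/> the
     * context is no longer empty on a public page: unauthenticated visitors carry an
     * AnonymousAuthenticationToken whose principal is the String "anonymousUser",
     * so a bare cast of getPrincipal() to UserDetails would throw ClassCastException.
     */
    public static boolean isLoggedIn() {
        Authentication auth = current();
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    /** UserDetails of the logged-in member, or null for anonymous visitors. */
    public static UserDetails getUser() {
        if (!isLoggedIn()) {
            return null;
        }
        Object principal = current().getPrincipal();
        return (principal instanceof UserDetails) ? (UserDetails) principal : null;
    }

    /** Role check for the page's conditional markup, e.g. hasRole("ROLE_MEMBER"). */
    public static boolean hasRole(String role) {
        Authentication auth = current();
        if (auth == null || auth.getAuthorities() == null) {
            return false;
        }
        // Spring Security 2.0 exposes authorities as a GrantedAuthority[] array.
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Anonymous visitors will pass hasRole("ROLE_ANONYMOUS") but fail isLoggedIn(), which is the distinction the home page needs.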

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Poorly documented? There is an entire chapter on it in the reference manual...

    http://static.springsource.org/sprin...anonymous.html
    Spring - by Pivotal
    twitter @tekul

  7. #7
    Join Date
    Jul 2009
    Posts
    10


    No offence Luke, but yes it is poorly documented. Half the problem was that I knew what I was trying to achieve, but not the specific technique I had to invoke to get that job done. Hence my thread title - seriously confused!

    All the config shown in the Anonymous Authentication chapter is vastly different from the config I eventually used. And in the HTTP chapter there is only one line in a table that mentions it.

    That is, if you know *what to do* then it's easy to do it, but if you don't know then you have little chance of finding out the way.

    ... but I am very grateful to have solved it relatively easily in the end
