
Thread: How to check user and password, when I use Cas 3 and AuthenticationUserDetailsService

  1. #1
    Join Date
    Nov 2009
    Location
    Kazan, Tatarstan Republic, Russia Federation
    Posts
    8

    How to check user and password, when I use Cas 3 and AuthenticationUserDetailsService

    I use CAS and Spring Security 3.0, but I can't check the password. How can I do it?
    My configuration XML is:
    <bean id="authenticationUserDetailsService" class="app.MyAuthenticationUserDetailsService"/>

    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>


    <bean id="myPasswordEncoder" class="app.MyPasswordEncoder">
    </bean>



    <sec:http entry-point-ref="casProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/forgotpass.xhtml" access="ROLE_ANONYMOUS"/>
    <sec:intercept-url pattern="/error.xhtml" access="ROLE_ANONYMOUS"/>
    <sec:intercept-url pattern="/*.xhtml" access="ROLE_USER"/>

    <sec:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
    </sec:http>



    <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="casAuthenticationProvider">
    <sec:password-encoder ref="myPasswordEncoder"/>
    </sec:authentication-provider>

    </sec:authentication-manager>

    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/error.xhtml"/>
    <property name="useForward" value="true"/>
    </bean>
    </property>
    <property name="authenticationSuccessHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    </bean>
    </property>
    <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
    <property name="proxyReceptorUrl" value="/secure/receptor"/>
    </bean>

    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">

    <property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg index="0" value="https://localhost:8443/cas"/>
    <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
    <property name="proxyCallbackUrl" value="http://localhost:8080/app/secure/receptor"/>
    </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="https://localhost:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="sendRenew" value="false"/>
    <property name="service" value="http://localhost:8080/app/j_spring_cas_security_check"/>
    </bean>

    The method of MyAuthenticationUserDetailsService returns UserDetails with the username and encoded password.
    MyPasswordEncoder encodes it with the same algorithm.
    But 1) I put logging in MyPasswordEncoder and it isn't reached.
    2) I try to log in with user 'admin' and password 'admin11' (which is right), but I can log in only with password 'admin'.

    Is my way to check user and password wrong?
    Last edited by KamilBek; Apr 7th, 2010 at 08:01 AM.

  2. #2
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Why are you trying to use a PasswordEncoder? If you are using CAS then the application never sees the password.

    Any username/password combination issues you have are CAS configuration issues, not Spring Security related. It sounds like you are using the default CAS authentication module (for testing) which authenticates the user if the password matches the username.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Nov 2009
    Location
    Kazan, Tatarstan Republic, Russia Federation
    Posts
    8


    Do I understand correctly? I should modify the cas-server application to check the user's password, and CAS gives me only the username after checking the username and password?

  4. #4
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236


    As Luke says, it sounds like you may not understand what role CAS plays in your system architecture. The intention of CAS is to intercept requests to your secured application. Your application should never see the password if you have CAS configured correctly.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  5. #5
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Yes. Please consult the CAS Documentation for more information.
    Spring - by Pivotal
    twitter @tekul

  6. #6
    Join Date
    Nov 2009
    Location
    Kazan, Tatarstan Republic, Russia Federation
    Posts
    8


    Am I right? I should implement AuthenticationHandler and PasswordEncoder in the CAS server application. They should check whether the username and password are right. Then CAS sends the username to the application, and my AuthenticationUserDetailsService returns UserDetails not for checking the username and password but for checking roles, for example.

    I read Acegi Security Reference Documentation 1.0.7 (Ben Alex) again.
    page 49:
    5. After the user's browser redirects to CAS, they will be prompted for their username and
    password. If the user presents a session cookie which indicates they've previously logged on,
    they will not be prompted to login again (there is an exception to this procedure, which we'll
    cover later). CAS will use the PasswordHandler (or AuthenticationHandler if using CAS 3.0)
    discussed above to decide whether the username and password is valid.

  7. #7
    Join Date
    Nov 2009
    Location
    Kazan, Tatarstan Republic, Russia Federation
    Posts
    8


    But why is user-service written in all the examples?

    For example:

    http://www.ja-sig.org/wiki/display/C...pring+Security

    I think that the CAS client should check the username and password. Do I understand wrong?
    Last edited by KamilBek; Apr 8th, 2010 at 02:52 AM.

  8. #8
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236


    Yes, you are wrong

    You need a UserDetailsService on the application (not CAS) side to look up the username and load UserDetails (roles, and whatever else your application needs).

    The CAS side is responsible for the actual authentication of the user's credentials, and also ensuring he/she has access to your secured application. There's some good architecture information on the CAS site, I'd suggest you read through it and understand which parts of the system are responsible for what.

    The section on the JA-SIG site on CAS 2 architecture (Link) may help you.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
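
    Added example, not part of the original thread and not the poster's own class: one way to write the application-side service described above, which receives only the CAS-asserted username and loads roles for it. It assumes the non-generic Spring Security 3.0 interface; the in-memory role map, the user "alice" and the placeholder constant are constructed for illustration.

```java
package app;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Added example for Spring Security 3.0; not the poster's implementation.
public class MyAuthenticationUserDetailsService implements AuthenticationUserDetailsService {

    // CAS never hands the password to the application. User rejects a null
    // password, so a fixed non-secret placeholder is stored; nothing compares it.
    private static final String NO_PASSWORD = "[PROTECTED-BY-CAS]";

    // Constructed sample data standing in for the application's own role store.
    private final Map<String, String[]> rolesByUser = new HashMap<String, String[]>();

    public MyAuthenticationUserDetailsService() {
        rolesByUser.put("admin", new String[] {"ROLE_USER", "ROLE_ADMIN"});
        rolesByUser.put("alice", new String[] {"ROLE_USER"});
    }

    // Called by CasAuthenticationProvider only after the service ticket has been
    // validated against the CAS server; token.getName() is the CAS-asserted username.
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        String username = token.getName();
        String[] roles = rolesByUser.get(username);
        if (roles == null) {
            // Authenticated by CAS but unknown to this application: fail the login.
            throw new UsernameNotFoundException("No local account for CAS user " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        return new User(username, NO_PASSWORD, true, true, true, true, authorities);
    }
}
```

    With a service like this there is no password for the application to encode or compare; credential checks stay in the CAS server's AuthenticationHandler.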


  9. #9
    Join Date
    Nov 2009
    Location
    Kazan, Tatarstan Republic, Russia Federation
    Posts
    8


    Thank you!!!
