Thread: Implement SSO using CAS + Spring Security

  1. #1

    Hi guys! I'm trying to implement SSO across several web applications using CAS and Spring Security. Expected case:
    CAS - http://localhost:8080/cas/
    App A protected content - http://localhost:8081/cas-client1/secure/index.html
    App B protected content - http://localhost:8081/cas-client2/secure/index.html

    1) When the user accesses cas-client1, the CAS login form will be prompted and trigger authentication.
    2) When the same user accesses cas-client2, the previous login should be recognized and no login form will be prompted.

    However, I have failed to implement step 2. The CAS login form is still prompted to the user and therefore requires a double login. Is there any wrong setting in my Spring Security configuration?

    Code:
    <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
      <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
      <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
    </security:http>
    
    <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
      <property name="loginUrl" value="http://localhost:8080/cas/login" />
      <property name="serviceProperties" ref="serviceProperties" />
    </bean>
    
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
      <!-- http://localhost:8081/cas-client2 for app 2-->
      <property name="service" value="http://localhost:8081/cas-client1/j_spring_cas_security_check" />
    </bean>
    
    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>
    
    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
      <property name="authenticationManager" ref="authenticationManager" />
      <property name="authenticationFailureHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
          <property name="defaultFailureUrl" value="/casfailed.jsp" />
        </bean>
      </property>
    </bean>
    
    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
      <property name="userDetailsService" ref="userService" />
      <property name="serviceProperties"  ref="serviceProperties" />
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
          <constructor-arg index="0" value="http://localhost:8080/cas" />
        </bean>
      </property>
      <property name="key" value="an_id_for_this_auth_provider_only" />
    </bean>
    
    <security:user-service id="userService">
      <security:user name="wilson" password="wilson" authorities="ROLE_USER" />
    </security:user-service>

  2. #2

    The problem is finally solved. My CAS is using HTTP, and therefore I need to set secure cookies to false.

    Modify ticketGrantingTicketCookieGenerator.xml
    Code:
    p:cookieSecure="false"
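
Why the Secure flag on the ticket-granting cookie forces a second login when CAS is served over plain HTTP, as an added Python example that is not part of the original thread: it applies the RFC 6265 Secure and Path rules to the second app's redirect to CAS. The cookie name CASTGC, Path=/cas and the sample ticket value are assumptions, and no browser-specific handling of localhost is modelled.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data. Cookie name CASTGC and Path=/cas are assumed CAS settings.
LOGIN_REDIRECT = ("http://localhost:8080/cas/login?service="
                  "http%3A%2F%2Flocalhost%3A8081%2Fcas-client2%2Fj_spring_cas_security_check")


def tgc_header(cookie_secure):
    """Set-Cookie value CAS would emit for the ticket-granting cookie."""
    return "CASTGC=TGT-1-constructed; Path=/cas" + ("; Secure" if cookie_secure else "")


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_sends(set_cookie, request_url):
    """Return (sent, reason): would the cookie accompany a request to request_url?

    Only the Secure and Path rules are modelled; host matching is out of scope.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    url = urlsplit(request_url)
    if morsel["secure"] and url.scheme != "https":
        return False, f"{name} is Secure but the request uses {url.scheme}://"
    cookie_path = morsel["path"] or "/"
    if not path_matches(url.path or "/", cookie_path):
        return False, f"{url.path} is outside cookie path {cookie_path}"
    return True, f"{name} is sent, so CAS can reuse the existing login"


if __name__ == "__main__":
    https_redirect = LOGIN_REDIRECT.replace("http://", "https://", 1)
    for label, header, url in [
        ("cookieSecure=true,  CAS on HTTP ", tgc_header(True), LOGIN_REDIRECT),
        ("cookieSecure=false, CAS on HTTP ", tgc_header(False), LOGIN_REDIRECT),
        ("cookieSecure=true,  CAS on HTTPS", tgc_header(True), https_redirect),
    ]:
        print(label, "->", browser_sends(header, url))
```

The third case shows the alternative of serving CAS over HTTPS, where the cookie is returned with the Secure flag left on.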

  3. #3
    Join Date: Jul 2010, Posts: 1

    Thanks! You just saved my life. I have spent hours and hours trying to see what was wrong. Thanks again!

  4. #4

    Glad it helps!

    However, I'm encountering another problem, and it seems it cannot be solved in the current version of Spring Security.

    I have some pages (e.g. mainpage) that display different content to anonymous and logged-in users, but how do I check whether the user has a CAS ticket before triggering the login entry point? CAS gateway should help, but Spring Security 3 does not seem to fully support this at the moment. (I read the source code and found it always sets gateway to false.)

    I am still looking for another workaround...
