
Thread: Spring Security With CAS

  1. #1

    Spring Security With CAS

    Hello Friends,

    I have a problem when trying to integrate my two Spring Security applications with CAS.

    security xml for 1st application is below :
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      - Application context containing authentication, channel
      - security and web URI beans.
      -
      - Only used by "filter" artifact.
      -
      - Review notes for this listing:
      -   * Unauthenticated requests are sent to CAS through casAuthEntryPoint, and
      -     service tickets are validated by casAuthenticationProvider.
      -   * Every CAS and service URL below is plain http on localhost. CAS marks its
      -     ticket-granting cookie Secure by default (cookieSecure in
      -     ticketGrantingTicketCookieGenerator.xml), so a browser does not return it
      -     over http and each application is sent back to the CAS login form. Serve
      -     CAS and the service URLs over https instead of clearing cookieSecure,
      -     except on a throwaway local setup.
      -   * dataSource and aclService are referenced here but not defined in this listing.
      -
      -->
    
    <b:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:b="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <!-- Method-level security: turns on the pre/post annotations and evaluates their
             expressions with the expressionHandler bean defined near the end of this file. -->
        <global-method-security pre-post-annotations="enabled">
            <expression-handler ref="expressionHandler"/>
        </global-method-security>
    
        <!-- URL rules are evaluated top to bottom and the first matching pattern wins, so the
             public pages and the supervisor-only switch-user URLs are listed before the /**
             catch-all. Requests that need authentication are handed to casAuthEntryPoint. -->
        <http realm="Contacts App" entry-point-ref="casAuthEntryPoint">
            <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/**" access="ROLE_USER"/>
    
            <!-- NOTE(review): form-login, http-basic and remember-me are still enabled next to CAS,
                 while the authentication manager below lists only casAuthenticationProvider.
                 Confirm each extra login mechanism is wanted; every one left on is one more
                 entry path that has to be kept secured. -->
            <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
            <http-basic/>
            <logout logout-success-url="/index.jsp"/>
            <remember-me />
            <custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER"/>
             <custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></custom-filter>
        </http>
        <!-- Redirects unauthenticated users to the CAS server.
             NOTE(review): loginUrl points at the CAS web application root rather than an explicit
             login path; confirm the server forwards that request to its login page. -->
        <b:bean id="casAuthEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
            <b:property name="loginUrl" value="http://localhost:8080/cas-server-webapp-3.4.3.1"/>
            <b:property name="serviceProperties" ref="serviceProperties"/>
        </b:bean>
        <!-- The service URL identifies this application to CAS and is where CAS sends the browser
             back with a service ticket. sendRenew set to false means an existing CAS single sign-on
             session is accepted without asking the user for credentials again. -->
        <b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
            <b:property name="service" value="http://localhost:8080/SpringSecurityContact304/j_spring_cas_security_check"/>
        <b:property name="sendRenew" value="false"></b:property>
        </b:bean>
        <!-- Receives the service ticket on the callback request and submits it to
             authenticationManager. It is inserted into the filter chain by the custom-filter
             element with position CAS_FILTER inside the http block above. -->
        <b:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
            <b:property name="authenticationManager" ref="authenticationManager"/>
        </b:bean>
        <!-- CAS is the only authentication provider registered. The commented-out password
             encoder and JDBC lookup inside the provider element are disabled. -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="casAuthenticationProvider">
           <!--   <password-encoder hash="md5"/>
               <jdbc-user-service data-source-ref="dataSource"/>  -->
            </authentication-provider>
        </authentication-manager>
       <!-- Validates the ticket through casTicketValidator and loads the user from userService.
            NOTE(review): key is a short, guessable constant; presumably it only tags tokens issued
            by this provider. Confirm, and prefer a value unique to this application. -->
       <b:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
             <b:property name="ticketValidator" ref="casTicketValidator" /> 
            <b:property name="serviceProperties" ref="serviceProperties" />
            <b:property name="key" value="cas" /> 
            <b:property name="userDetailsService" ref="userService" /> 
      </b:bean>
      <!-- User details are read over JDBC from dataSource (bean not defined in this listing). -->
      <jdbc-user-service data-source-ref="dataSource" id="userService"/>
    
      <!-- Validates service tickets against the CAS server at this URL prefix.
           NOTE(review): validation runs over plain http here, so the validation response is not
           protected in transit; use an https prefix outside local testing. -->
      <b:bean id="casTicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
         <b:constructor-arg value="http://localhost:8080/cas-server-webapp-3.4.3.1/" /> 
      </b:bean>
    
        <!-- Automatically receives AuthenticationEvent messages -->
        <b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
    
        <!-- Filter used to switch the user context. Note: the switch and exit url must be secured
            based on the role granted the ability to 'switch' to another user. In the http block
            above only /switchuser.jsp and /j_spring_security_switch_user are limited to
            ROLE_SUPERVISOR. NOTE(review): confirm the exit URL is covered as intended. -->
        <!-- In this example 'rod' has ROLE_SUPERVISOR that can switch to regular ROLE_USER(s) -->
        <b:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter" autowire="byType">
           <b:property name="targetUrl" value="/secure/index.htm"/>
        </b:bean>
    
        <!-- Expression handler used by global-method-security; permission checks are delegated
             to permissionEvaluator. -->
        <b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <b:property name="permissionEvaluator" ref="permissionEvaluator"/>
        </b:bean>
    
        <!-- ACL-backed permission evaluator; aclService is not defined in this listing. -->
        <b:bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator">
            <b:constructor-arg ref="aclService"/>
        </b:bean>
    </b:beans>
    and for 2nd application :
    Code:
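    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Security context for the second CAS-protected application (service path /JBCP3).

      Review notes:
        * Unauthenticated requests are redirected to CAS through casAuthEntryPoint; service
          tickets are validated by casAuthenticationProvider.
        * All CAS and service URLs are plain http on localhost. CAS marks its ticket-granting
          cookie Secure by default (cookieSecure in ticketGrantingTicketCookieGenerator.xml),
          so a browser does not return it over http and single sign-on between applications
          fails. Serve CAS and the service URLs over https instead of clearing cookieSecure,
          except on a throwaway local setup.
    -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd
        ">
        <!-- Ch 3 Start -->
        <!-- URL rules are evaluated top to bottom; the first matching pattern wins. -->
        <http auto-config="true" use-expressions="true" entry-point-ref="casAuthEntryPoint">
            <intercept-url pattern="/login.do" access="permitAll"/>
            <!-- Catch-all for every path depth. A single-star pattern (/*) matches only one path
                 segment and would leave nested URLs such as /a/b without any access rule.
                 Public static resources, if any, need their own permitAll rule above this line. -->
            <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
            <!-- NOTE(review): auto-config and form-login keep the non-CAS login mechanisms
                 enabled, while the authentication manager lists only casAuthenticationProvider.
                 Confirm they are still wanted. -->
            <form-login login-page="/login.do"/>
            <custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></custom-filter>
        </http>

        <!-- Redirects unauthenticated users to the CAS server.
             NOTE(review): loginUrl points at the CAS web application root rather than an explicit
             login path; confirm the server forwards that request to its login page. -->
        <beans:bean id="casAuthEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
            <beans:property name="loginUrl" value="http://localhost:8080/cas-server-webapp-3.4.3.1"/>
            <beans:property name="serviceProperties" ref="serviceProperties"/>
        </beans:bean>

        <!-- The service URL identifies this application to CAS and is where CAS sends the browser
             back with a service ticket. sendRenew set to false accepts an existing CAS single
             sign-on session without asking for credentials again. -->
        <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
            <beans:property name="service" value="http://localhost:8080/JBCP3/j_spring_cas_security_check"/>
            <beans:property name="sendRenew" value="false"></beans:property>
        </beans:bean>

        <!-- Receives the service ticket on the callback request and submits it to
             authenticationManager. -->
        <beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
            <beans:property name="authenticationManager" ref="authenticationManager"/>
        </beans:bean>

        <!-- CAS is the only authentication provider registered. -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="casAuthenticationProvider">
                <!--   <password-encoder hash="md5"/>
                       <jdbc-user-service data-source-ref="dataSource"/>  -->
            </authentication-provider>
        </authentication-manager>

        <!-- Validates the ticket through casTicketValidator and loads the user from userService.
             NOTE(review): key is a short, guessable constant; presumably it only tags tokens issued
             by this provider. Confirm, and prefer a value unique to this application. -->
        <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
            <beans:property name="ticketValidator" ref="casTicketValidator"/>
            <beans:property name="serviceProperties" ref="serviceProperties"/>
            <beans:property name="key" value="cas"/>
            <beans:property name="userDetailsService" ref="userService"/>
        </beans:bean>

        <!-- Validates service tickets against the CAS server at this URL prefix.
             NOTE(review): validation runs over plain http here, so the validation response is not
             protected in transit; use an https prefix outside local testing. -->
        <beans:bean id="casTicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <beans:constructor-arg value="http://localhost:8080/cas-server-webapp-3.4.3.1/"/>
        </beans:bean>

        <!-- In-memory sample user handed to the CAS provider as its userDetailsService.
             NOTE(review): the password is a clear-text sample value that equals the user name;
             confirm no login path checks it directly, and keep real accounts out of this file. -->
        <user-service id="userService">
            <user authorities="ROLE_USER,ROLE_SUPERVISOR" name="rod" password="rod"/>
        </user-service>

    </beans:beans>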
    Now when I log in to the 1st application, it redirects me to the CAS login page and works fine. But when I then access the 2nd application, it still redirects me to the CAS login page, which is not correct; it should instead take me to the 2nd application's resources (i.e. the user's dashboard / secured resources).

    Maybe I forgot something in the configuration.
    Anybody know about these type of issues..help me out.

    thanks
    Vijay kumar chauhan

  2. #2

    Default

    Hello friends,

    After going through the application logs, I found that both of my applications only check the authentication entry point and redirect to the CAS login page, which means that my CAS_FILTER is not coming into the picture while a URL is being authenticated.

    I don't know what's the reason behind this.

    If anybody knows about it plz reply.

    thank you
    Vijay kumar chauhan

  3. #3

    Default

    I'm not sure I understand your scenario. Can you try posting the results of the URLs requested and explain what you are doing throughout. Using a plugin like Firefox's Tamper Data will ensure that you do not miss URLs that are automatically being redirected to.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  4. #4

    Default

    Dear rwinch,

    Thank you for taking the time to read my issue. After spending time studying CAS in depth, I found that to authenticate through CAS using only "http://" service URLs, we need to set the following in our CAS server app:
    Code:
     cookieSecure="false"
    in
    Code:
     ticketGrantingTicketCookieGenerator.xml
    The default is true, which marks the ticket-granting cookie as Secure so that the browser returns it only over https.

    After setting this, all my applications are running.

    Thank you again.
    Vijay kumar chauhan
