CAS, Spring Security and proxy authentication

Sander Bos

Hello,

I am trying to set up a CAS client with Spring Security that should be accessed through proxy authentication.


I already have it working for a combination of clients that do not use 'Spring Security'. Here is what I do at the server that will call the proxying server (somewhat abbreviated):

        // Obtain a proxy ticket (PT) for the exact service URL that will be requested
        String urlString = "http://fina138:8180/my-cassample-webapp/index.jsp";
        String proxyTicket = casPrincipal.getProxyTicketFor(urlString);
        // Present the PT to the proxied application as the ticket parameter
        urlString += "?ticket=" + proxyTicket;
        URL url = new URL(urlString);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        etc.

My working client configuration with cas-client has this configuration:
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://fina138:8543/cas-server</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://fina138:8180</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Does not work, see http://www.ja-sig.org/issues/browse/CASC-88
        <init-param>
            <param-name>allowedProxyChains</param-name>
            <param-value>https://fina138:8443/cas/proxyCallback</param-value>
        </init-param>
        -->
    </filter>

But I do not understand how I can set up the same configuration in Spring Security. Here is what I have currently:
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="proxyReceptorUrl" value="/secure/receptor" />
    </bean>
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://fina138:8543/cas-server/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>
    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="ldapUserDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
                <constructor-arg index="0" value="https://fina138:8543/cas-server" />
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                <property name="proxyCallbackUrl" value="https://fina138:8543/spring-security-cas-sample/secure/receptor" />
                <property name="acceptAnyProxy" value="true" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>
    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

(don't read too much into the variation in webapp names, since I have multiple webapps running, one working and one not working)

Now, what I don't understand specifically is the service; at least I have the feeling that this is where my problem is. In the Spring variant I cannot specify (or find) serverName, I only have this service. But I do not want to request j_spring_cas_security_check, I want to request index.jsp (also, I'd rather use http for the request than https; the CAS communication can use https of course). I have the feeling, looking at the logs, that currently with the request for index.jsp?ticket=.... there is not even an attempt to check the ticket; it only looks for j_spring_cas_security_check URLs.

I know that this may be more of a Spring than a jasig CAS question (although hey this is 'CAS User'), but I figure there are more people with CAS knowledge here than on Spring lists. Also, I have the feeling I am just missing something about these service URLs (they are supposed to match the request you actually make, right, so with index.jsp if I want to request that page?).

I hope someone can help me because this is getting really frustrating for me (any pointers on debugging this would also be appreciated).

Kind regards,

Sander Bos

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Sander Bos

Re: CAS, Spring Security and proxy authentication


Hello,

To add some feedback on my own question: to me it looks like this is in fact not working correctly (Spring Security and CAS proxy authentication, where the Spring Security webapp is the application being proxied).

The authentication will only take place when the URL matches j_spring_cas_security_check (or whatever is set as filterProcessesUrl, but it is one fixed value). So if I have two URLs I want to proxy, that's not possible.

Well, what I see I can do, because of all the Spring Security code around it, is construct a URL like
   https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check?
        spring-security-redirect=/secure/index.jsp&
        ticket=ST-22-Wb2DLZLgv9I7uZQpkSoQ-cas

where /secure/index.jsp is the URL (part of it) I actually wanted to retrieve. This actually works, but to say it is a hack is an understatement in my opinion. It does look like there are options to extend CasProcessingFilter::requiresAuthentication to make it work, but that would involve more hacks and I don't know whether it would then still work on other usage scenarios (since it would involve having more URLs become requiresAuthentication).


Can anybody confirm/deny/comment on what I say above, so mainly: does anybody have Spring Security with proxy authentication working where the Spring Security based webapp is the proxied application? And if so, didn't you have to do some special configuration to deal with j_spring_cas_security_check (and if so, what did you do)?

Kind regards,

--Sander.
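A model of the flow the two posts above describe, added here as an example and not code from the thread, from Jasig cas-client or from Spring Security: the CAS server, the filter, the hostnames and the tickets are constructed stand-ins, and the one rule it encodes is the CAS 2.0 /proxyValidate requirement that the service presented with a ticket be identical to the service the ticket was issued for. It shows why a ticket on index.jsp is never examined, why a ticket issued for index.jsp but posted to j_spring_cas_security_check fails validation, and why the spring-security-redirect construction works and cannot be replayed.

```python
"""Model of the CAS 2.0 proxy-ticket flow discussed in this thread (added
example, not code from the thread, from Jasig cas-client or from Spring
Security). Three parties are simulated in memory so the service-matching
rule can be observed offline. Hostnames, paths and tickets are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class CasServer:
    """Issues proxy tickets (PTs) bound to one service URL and validates them
    only against that exact URL, as /proxyValidate does in CAS 2.0."""

    # constructed in-memory ticket registry: ticket -> (service, user)
    tickets: dict[str, tuple[str, str]] = field(default_factory=dict)

    def get_proxy_ticket_for(self, user: str, target_service: str) -> str:
        # A PGT holder calls /proxy?targetService=...; the PT is bound to that string.
        ticket = "PT-" + secrets.token_urlsafe(12)
        self.tickets[ticket] = (target_service, user)
        return ticket

    def proxy_validate(self, ticket: str | None, service: str) -> tuple[str | None, str]:
        """Return (user, code). Tickets are single-use, and the service presented
        must be identical to the one the ticket was issued for."""
        issued = self.tickets.pop(ticket, None) if ticket else None
        if issued is None:
            return None, "INVALID_TICKET"
        issued_service, user = issued
        if issued_service != service:
            return None, "INVALID_SERVICE"
        return user, "OK"


@dataclass
class SpringCasFilter:
    """Behaviour of CasProcessingFilter as described in the thread: tickets are
    processed only on the fixed filterProcessesUrl and validated against the
    fixed ServiceProperties.service (hypothetical simplified model)."""

    cas: CasServer
    base: str  # webapp root, e.g. https://fina138:8543/spring-security-cas-sample
    filter_processes_url: str = "/j_spring_cas_security_check"

    @property
    def service(self) -> str:
        return self.base + self.filter_processes_url

    def handle(self, url: str) -> dict:
        """Simulate one protected request; report who was authenticated and why."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        path = parts.path.removeprefix(urlsplit(self.base).path)
        if path != self.filter_processes_url:
            # requiresAuthentication() is false: a ticket on any other URL is
            # ignored and the entry point redirects to the CAS login page.
            return {"user": None, "served": None, "reason": "REDIRECT_TO_CAS_LOGIN"}
        ticket = query.get("ticket", [None])[0]
        user, code = self.cas.proxy_validate(ticket, self.service)
        if user is None:
            return {"user": None, "served": None, "reason": code}
        # Successful validation honours spring-security-redirect, as in the workaround.
        target = query.get("spring-security-redirect", ["/"])[0]
        return {"user": user, "served": self.base + target, "reason": code}


def proxied_request(cas: CasServer, user: str, target_service: str,
                    request_url: str, extra: dict | None = None) -> str:
    """What the proxying webapp does: obtain a PT for target_service and append
    it to the URL it actually requests (mirrors getProxyTicketFor + ?ticket=)."""
    params = dict(extra or {})
    params["ticket"] = cas.get_proxy_ticket_for(user, target_service)
    return request_url + "?" + urlencode(params)


def run_scenarios() -> dict[str, dict]:
    """Replay the situations from the thread plus a ticket replay attempt."""
    cas = CasServer()
    app = SpringCasFilter(cas, "https://fina138:8543/spring-security-cas-sample")
    page = app.base + "/secure/index.jsp"
    results = {}
    # 1. First attempt in the thread: PT for index.jsp, requested on index.jsp.
    results["ticket_on_index_jsp"] = app.handle(proxied_request(cas, "alice", page, page))
    # 2. PT still issued for index.jsp but posted to the check URL: service mismatch.
    results["wrong_service"] = app.handle(proxied_request(cas, "alice", page, app.service))
    # 3. The workaround: PT for the check URL itself, plus spring-security-redirect.
    url = proxied_request(cas, "alice", app.service, app.service,
                          {"spring-security-redirect": "/secure/index.jsp"})
    results["workaround"] = app.handle(url)
    # 4. Replaying the consumed ticket must fail: PTs are single-use.
    results["replay"] = app.handle(url)
    return results
```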

Scott Battaglia-2

Re: CAS, Spring Security and proxy authentication

If you want to use Spring Security like you are, try using the CAS/Basic Auth support which allows you to pass in the ticket via Basic AUTH.  Unfortunately, Spring Security was written such that everything redirects to the j_spring_cas_security_check whenever it encounters a protected URL.

Cheers.
Scott


On Tue, Jul 14, 2009 at 9:24 AM, Sander Bos <[hidden email]> wrote:
Sander Bos

Re: CAS, Spring Security and proxy authentication


Hello Scott,

Thank you for your response; so now I have some sort of confirmation that j_spring_cas_security_check is in the way, redirecting other requests. I don't think I can use the basic auth solution you mention, but as I said before I already found a work-around.

Kind regards,

Sander Bos
Developer

Finalist IT Group
Never stop developing!
E: [hidden email]
T: +31 88 217 0 856

syadav

Re: CAS, Spring Security and proxy authentication

Hi Sander,
Do you mind sharing the work-around that you found if it is anything other than constructing the URL with spring-security-redirect that you mentioned in the thread before?

Thanks,

Susheel

Sander Bos wrote:







Hello Scott,

thank you for your response, so that I have some sort of confirmation
that j_spring_cas_security_check is in the way redirecting other
requests. I don't think I can use the basic auth solution you mention
but as I said before I already found a work-around.

Met vriendelijke groet,

Sander Bos
Developer

Finalist IT Group
Never stop developing!
E: sander.bos@finalist.com
T: +31 88 217 0 856

Scott Battaglia schreef:
If you want to use Spring Security like you
are, try using the CAS/Basic Auth support which allows you to pass in
the ticket via Basic AUTH.  Unfortunately, Spring Security was written
such that everything redirects to the j_spring_cas_security_check
whenever it encounters a protected URL.
 
Cheers.
Scott
 
 
 
  On Tue, Jul 14, 2009 at 9:24 AM,
Sander Bos < sander.bos@finalist.com >
wrote:
 
 
   
   
   
Hello,
   
to add some feedback on my own question:
To me it looks like in fact this is not working correctly (Spring
Security and CAS proxy authentication, where the Spring Security webapp
is the application being proxied).
   
The authentication will only take place when the URL matches
j_spring_cas_security_check (or whatever is set as filterProcessesUrl,
but it is one fixed value). So if I have two URLs I want to proxy
that's not possible.
   
Well, what I see I can do because of all the Spring Security code
around it is construct a URL like
  
    https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check ?
        spring-security-redirect=/secure/index.jsp&
        ticket=ST-22-Wb2DLZLgv9I7uZQpkSoQ-cas
   
where /secure/index.jsp is the URL (part of it) I actually wanted to
retrieve. This actually works, but to say it is a hack is an
understatement in my opinion. It does look like there are options to
extend CasProcessingFilter::requiresAuthentication to make it work, but
that would involve more hacks and I don't know whether it would then
still work on other usage scenarios (since it would involve having more
URLs become requiresAuthentication).
   
   
Can anybody confirm/ deny/ comment on what I say above, so mainly: Does
anybody have Spring Security with proxy authentication where the Spring
Security based webapp is the proxied application working. And if so,
didn't you have to do some special configuration to deal with
j_spring_cas_security_check (and if so, what did you do?)?
   
Kind regards,
   
--Sander.
   
   
Sander Bos schreef:
   
   
     
Hello,
     
I am trying to set up a CAS client with spring security, that should be
accessed through proxy authentication.
     
     
I already have it working for a combination of clients that do not use
'Spring Security'. Here is what I do at the server that will call the
proxying server (somewhat abbreviated):

        String urlString = "http://fina138:8180/my-cassample-webapp/index.jsp";
        String proxyTicket = casPrincipal.getProxyTicketFor(urlString);
        urlString += "?ticket=" + proxyTicket;
        URL url = new URL(urlString);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        etc.
     
My working client configuration with cas-client has this
configuration:
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://fina138:8543/cas-server</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://fina138:8180</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Does not work, see http://www.ja-sig.org/issues/browse/CASC-88
        <init-param>
            <param-name>allowedProxyChains</param-name>
            <param-value>https://fina138:8443/cas/proxyCallback</param-value>
        </init-param>
        -->
    </filter>
     
But I do not understand how I can set up the same configuration in
Spring Security. Here is what I have currently:
    <bean id="casProcessingFilter"
          class="org.springframework.security.ui.cas.CasProcessingFilter">
        <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <property name="proxyReceptorUrl" value="/secure/receptor"/>
    </bean>
    <bean id="casProcessingFilterEntryPoint"
          class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://fina138:8543/cas-server/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>
    <bean id="casAuthenticationProvider"
          class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider/>
        <property name="userDetailsService" ref="ldapUserDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
                <constructor-arg index="0" value="https://fina138:8543/cas-server"/>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
                <property name="proxyCallbackUrl"
                          value="https://fina138:8543/spring-security-cas-sample/secure/receptor"/>
                <property name="acceptAnyProxy" value="true"/>
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>
    <bean id="proxyGrantingTicketStorage"
          class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
    <bean id="serviceProperties"
          class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service"
                  value="https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>
     
(don't read too much into the variation in webapp names, since I have
multiple webapps running, one working and one not working)
     
Now, what I don't understand specifically is the service, at least I
have the feeling that this is where my problem is. In the Spring
variant, I cannot specify (find) serverName, I only have this service.
But I do not want to request j_spring_cas_security_check, I want to request index.jsp
(also, I'd rather use http for the request than https, the CAS
communication can use https of course). I have the feeling, looking at
the logs, that currently with the request for index.jsp?ticket=....,
there is not even an attempt to check the ticket, it only looks for
j_spring_cas_security_check urls.
     
I know that this may be more of a Spring than a jasig CAS question
(although hey this is 'CAS User'), but I figure there are more people
with CAS knowledge here than on Spring lists. Also, I have the feeling
I am just missing something about these service URLs (they are supposed
to match the request you actually make, right, so with index.jsp if I
want to request that page?).
     
I hope someone can help me because this is getting really frustrating
for me (any pointers on debugging this would also be appreciated).
     
Kind regards,
     
Sander Bos
    --
You are currently subscribed to cas-user@lists.jasig.org  as: scott.battaglia@gmail.com


To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user 
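The URL construction Sander describes above, as an added Java example that is not code from the thread, from Spring Security or from the CAS client: it requests the proxy ticket for the registered ServiceProperties service (the string the ticket validator will present to CAS), passes the page actually wanted in spring-security-redirect, and installs a CookieManager so the session created at validation survives the redirect. The class and method names and the error handling are assumptions; host and path names are the ones from the thread.

```java
import java.io.IOException;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

import org.jasig.cas.client.authentication.AttributePrincipal;

/**
 * Calls a Spring Security protected webapp with a CAS proxy ticket.
 * Added example (hypothetical class), not code from the thread.
 */
public class ProxiedSpringClient {

    // Must be exactly the ServiceProperties "service" of the proxied webapp:
    // CasProcessingFilter validates the ticket against this string, not against
    // the page the caller really wants, so the proxy ticket is requested for it.
    static final String SERVICE =
        "https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check";

    // Build the filterProcessesUrl request; the real target travels in
    // spring-security-redirect and is URL-encoded so "&" or "?" in it cannot
    // break the ticket parameter.
    static String buildCheckUrl(String service, String targetPath, String proxyTicket)
            throws IOException {
        return service
            + "?spring-security-redirect=" + URLEncoder.encode(targetPath, "UTF-8")
            + "&ticket=" + URLEncoder.encode(proxyTicket, "UTF-8");
    }

    static int fetch(AttributePrincipal casPrincipal, String targetPath) throws IOException {
        // One proxy ticket per call: CAS proxy tickets are single use.
        String pt = casPrincipal.getProxyTicketFor(SERVICE);
        if (pt == null) {
            throw new IOException("no proxy ticket for " + SERVICE
                + " (proxy granting ticket missing or expired?)");
        }
        // After validation Spring Security sets a session cookie and redirects to
        // targetPath. HttpURLConnection follows the redirect but sends no cookies
        // unless a CookieHandler is installed, so the redirected request would
        // otherwise arrive anonymous and bounce back to the CAS login page.
        CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
        HttpURLConnection conn = (HttpURLConnection)
            new URL(buildCheckUrl(SERVICE, targetPath, pt)).openConnection();
        conn.setInstanceFollowRedirects(true);
        return conn.getResponseCode();
    }
}
```
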

planocodr

Re: CAS, Spring Security and proxy authentication

I had a similar issue with another possible solution - I'm using Spring Security also:

http://n4.nabble.com/CAS-in-NAT-environment-td277982.html#a277982

syadav wrote:
Hi Sander,
Do you mind sharing the work-around that you found if it is anything other than constructing the URL with spring-security-redirect that you mentioned in the thread before?

Thanks,

Susheel