Sagar, Lets back up for a moment. Why are you creating classes to process login?
Is there some reason why the java cas client will not work with spring boot in your application? Take a look at the documentation, https://github.com/apereo/java-cas-client. Set up your application with those instructions first. Ray On Sat, 2020-11-07 at 22:47 -0600, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello Ray, I talked with my DBA and he said we do have SSL certificate in our server. Tried everything else but couldn't find the solution. There was nothing in the cas server logs. Its same as my application logs. I am not sure what I miss, its really frustrating. Here is my configuration. package com.mynw.sso ; import org.jasig.cas.client.session.SingleSignOutFilter ; import org.jasig.cas.client.validation.Cas30ServiceTicketValidator ; import org.springframework.beans.factory.annotation. Value ; import org.springframework.context.annotation. Bean ; import org.springframework.context.annotation. Configuration ; import org.springframework.security.cas.ServiceProperties ; import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken ; import org.springframework.security.cas.authentication.CasAuthenticationProvider ; import org.springframework.security.cas.web.CasAuthenticationEntryPoint ; import org.springframework.security.cas.web.CasAuthenticationFilter ; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder ; import org.springframework.security.config.annotation.web.builders.HttpSecurity ; import org.springframework.security.config.annotation.web.builders.WebSecurity ; import org.springframework.security.config.annotation.web.configuration. EnableWebSecurity ; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter ; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService ; import org.springframework.security.web.authentication.logout.LogoutFilter ; import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler ; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy ; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy ; import org.springframework.security.web.util.matcher.AntPathRequestMatcher ; import java.util.* ; @Configuration @EnableWebSecurity public class WebCASSecurity extends WebSecurityConfigurerAdapter { @Value ( "${cas.service.login}" ) String CAS_URL_LOGIN ; @Value ( "${cas.service.logout}" ) String CAS_URL_LOGOUT ; @Value ( "${cas.url.prefix}" ) String CAS_URL_PREFIX ; @Value ( "${cas.ticket.validate.url}" ) String CAS_VALIDATE_URL ; @Value ( "${app.service.security}" ) String CAS_SERVICE_URL ; @Value ( "${app.service.home}" ) String APP_SERVICE_HOME ; // @Value("${app.admin.userName:admin}") // String APP_ADMIN_USER_NAME; // @Bean // public Set<String> adminList() { // Set<String> admins = new HashSet<String>(); // admins.add(APP_ADMIN_USER_NAME); // return admins; // } @Override protected void configure (HttpSecurity http) throws Exception { http.exceptionHandling() .authenticationEntryPoint(casAuthenticationEntryPoint()).and().addFilter(casAuthenticationFilter()) // .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class) .addFilterBefore(requestCasGlobalLogoutFilter() , LogoutFilter. class ) .authorizeRequests() .antMatchers( "/**" ) .access( "hasRole('ROLE_ANONYMOUS')" ) ; } @Bean public ServiceProperties serviceProperties () { ServiceProperties sp = new ServiceProperties() ; sp.setService( CAS_SERVICE_URL ) ; sp.setSendRenew( false ) ; return sp ; } @Bean public CasAuthenticationProvider casAuthenticationProvider () { CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider() ; casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService()) ; casAuthenticationProvider.setServiceProperties(serviceProperties()) ; casAuthenticationProvider.setTicketValidator(Cas30ServiceTicketValidator()) ; casAuthenticationProvider.setKey( "an_id_for_this_auth_provider_only" ) ; return casAuthenticationProvider ; } @Bean public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService () { return new CustomUserDetailsService() ; } @Override public void configure (AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(casAuthenticationProvider()) ; } @Override public void configure (WebSecurity web) throws Exception { web.ignoring().antMatchers( "/fonts/**" ).antMatchers( "/images/**" ).antMatchers( "/scripts/**" ).antMatchers( "/styles/**" ) .antMatchers( "/views/**" ).antMatchers( "/i18n/**" ).antMatchers( "/webjars/**" ) ; } @Bean public SessionAuthenticationStrategy sessionStrategy () { SessionAuthenticationStrategy sessionStrategy = new SessionFixationProtectionStrategy() ; return sessionStrategy ; } @Bean public Cas30ServiceTicketValidator Cas30ServiceTicketValidator () { return new Cas30ServiceTicketValidator( CAS_VALIDATE_URL ) ; } public CasAuthenticationEntryPoint casAuthenticationEntryPoint () { CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint() ; casAuthenticationEntryPoint.setLoginUrl( CAS_URL_LOGIN ) ; casAuthenticationEntryPoint.setServiceProperties(serviceProperties()) ; return casAuthenticationEntryPoint ; } // public SingleSignOutFilter singleSignOutFilter() { // SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter(); // singleSignOutFilter.setCasServerUrlPrefix(" <https://nwmsueist01.nwmissouri.edu:9443/cas> https://nwmsueist01.nwmissouri.edu:9443/cas "); // return singleSignOutFilter; // } @Bean public LogoutFilter requestCasGlobalLogoutFilter () { LogoutFilter logoutFilter = new LogoutFilter( CAS_URL_LOGOUT + "?service=" + APP_SERVICE_HOME , new SecurityContextLogoutHandler()) ; logoutFilter.setLogoutRequestMatcher( new AntPathRequestMatcher( "/logout" , "GET" )) ; return logoutFilter ; } @Bean public CasAuthenticationFilter casAuthenticationFilter () throws Exception { CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter() ; casAuthenticationFilter.setAuthenticationManager(authenticationManager()) ; casAuthenticationFilter.setSessionAuthenticationStrategy(sessionStrategy()) ; return casAuthenticationFilter ; } } On Fri, Nov 6, 2020 at 11:01 AM Ray Bon <[email protected]<mailto:[email protected]>> wrote: Sagar, Too many redirects means that the ST/token can not be validated. The client app must send the ST to cas for validation. So either cas is unable to verify the ST or it does not receive it. This could be the result of many things. Start by setting cas server logs to debug. You will want to make sure your servers have clocks synced and you are using https (if self signed certs, you may have to add them to the java keystore). Ray On Fri, 2020-11-06 at 10:40 -0600, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello Ray, I have changed the configuration got this from logged file. But the URL is redirecting too many times causing ERROR TOO MANY REDIRECTS. >From Log file: 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter : serviceTicketRequest = false 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorConfigured = false 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorRequest = false 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter : proxyTicketRequest = false 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter : requiresAuthentication = false 2020-11-05 15:51:21.878 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9972129b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.2.101.208; SessionId: 46E280D90E89E9935FE52EA62CA29C65; Granted Authorities: ROLE_ANONYMOUS' Looks like I am authenticated but it redirects too many times. Any Suggestions? Thanks Sagar On Thu, Nov 5, 2020 at 10:36 AM Ray Bon <[email protected]<mailto:[email protected]>> wrote: Sagar, I thought spring security provided everything, all you have to do is add some config. Do you need this SSOController? Maybe look at the spring documentation to see how they suggest configuration. Ray On Thu, 2020-11-05 at 08:54 -0600, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello Ray, I have turned on the logging for my application and this is what i got. The token is org.springframework.security.authentication.AnonymousAuthenticationToken@5367e0b6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 10.2.101.208; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 2020-11-05 08:42:10.167 ERROR 21715 --- [nio-8443-exec-4] o.s.b.w.servlet.support.ErrorPageFilter : Cannot forward to error page for request [/] as the response has already been committed. As a result, the response may have the wrong status code. If your application is running on WebSphere Application Server you may be able to resolve this problem by setting com.ibm.ws.webcontainer.invokeFlushAfterService to false It looks like I am getting logged in but getting rendered to error page for some reason. This is my controller looks like. package com.mynw.sso.Controller ; import com.mynw.sso.CASConfig ; import org.jasig.cas.client.authentication.AttributePrincipal ; import org.jasig.cas.client.validation.Assertion ; import org.springframework.security.authentication.AnonymousAuthenticationToken ; import org.springframework.security.cas.authentication.CasAuthenticationToken ; import org.springframework.security.core.context.SecurityContext ; import org.springframework.security.core.context.SecurityContextHolder ; import org.springframework.stereotype. Controller ; import org.springframework.ui.Model ; import org.springframework.web.bind.annotation. GetMapping ; import java.sql.SQLOutput ; import java.util.logging.Logger ; @Controller public class SSOController { @GetMapping ( "/" ) public String index (Model model){ SecurityContext ctx= SecurityContextHolder. getContext () ; AnonymousAuthenticationToken aat = (AnonymousAuthenticationToken) ctx.getAuthentication() ; System. out .println( "The token is " + aat) ; model.addAttribute( "UserName" , aat.toString()) ; return "index" ; } } Thanks Sagar On Wed, Nov 4, 2020 at 4:07 PM Ray Bon <[email protected]<mailto:[email protected]>> wrote: Sagar, Turn up logging in spring. Try to figure out what token is. Ray On Wed, 2020-11-04 at 14:11 -0600, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Roy, I have attached the image before the red line one. Also I was looking at the server logs and found : 2020-11-04 12:16:05.770 ERROR 13281 --- [nio-8443-exec-4] o.s.b.w.servlet.support.ErrorPageFilter : Forwarding to error page from request [/] due to exception [org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.springframework.security.cas.authentication.CasAuthenticationToken] java.lang.ClassCastException: org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.springframework.security.cas.authentication.CasAuthenticationToken It looks like token casting is the problem that I have been encountering. Any suggestions? Thank you Sagar On Wed, Nov 4, 2020 at 12:57 PM Ray Bon <[email protected]<mailto:[email protected]>> wrote: Sagar, The ST handler must be publicly accessible. If inb9fnhr.nwmissouri.edu:8443/MyNWSSO/<http://inb9fnhr.nwmissouri.edu:8443/MyNWSSO/> takes you to cas login, it will not be able to receive the ST, but redirect to cas for login in an endless loop. What is happening on the line above the red one in the image? Ray On Wed, 2020-11-04 at 12:33 -0600, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello Ray, I have configured my Spring Boot App but I think the problem is when the CAS redirect to my webapp with Service Ticket my web app is not revalidating the ticket to CAS server again. The reference that I have taken for this webapp is from https://medium.com/@venkateshpnk22/single-sign-on-in-cas-client-setup-with-spring-security-b51a7e70294d Also I have attached the error when I hit the inb9fnhr.nwmissouri.edu:8443/MyNWSSO/<http://inb9fnhr.nwmissouri.edu:8443/MyNWSSO/> it render to sign in and after sign in I got 404. Thanks Sagar Ghimire Software Developer Northwest Missouri State University On Wed, Nov 4, 2020 at 12:26 PM Ray Bon <[email protected]<mailto:[email protected]>> wrote: Sagar, What happens when you browse directly to inb9fnhr.nwmissouri.edu:8443/MyNWSSO/<http://inb9fnhr.nwmissouri.edu:8443/MyNWSSO/> This sounds like a problem with your application configuration and not cas. Or are you asking how to configure your cas client? Ray On Wed, 2020-11-04 at 09:56 -0800, sagar ghimire wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, I have configured CAS in my Spring boot app and when I log in it render to 404 not found with the Service Ticket. Attached is the error image that i got. [X] Thanks Sagar -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/05f195cffc9329228b4705f81da7e13f4037c9e8.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/05f195cffc9329228b4705f81da7e13f4037c9e8.camel%40uvic.ca?utm_medium=email&utm_source=footer>. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e563cb5582248e3b61299aaf01998f5ad03367e9.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/e563cb5582248e3b61299aaf01998f5ad03367e9.camel%40uvic.ca?utm_medium=email&utm_source=footer>. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f16efd28acdce013b788b077df0565efd9c4df.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f16efd28acdce013b788b077df0565efd9c4df.camel%40uvic.ca?utm_medium=email&utm_source=footer>. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6798adce6b2ccbf9fc5cd8a6b57390b19e1adbaf.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/6798adce6b2ccbf9fc5cd8a6b57390b19e1adbaf.camel%40uvic.ca?utm_medium=email&utm_source=footer>. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/82c025226f931e598b68754db7736282dc1e1717.camel%40uvic.ca.
