I hit the same issue when I started using Spring Security and CAS a few months 
ago.

The thing is... if you use LDAP for authentication, you should be using LDAP 
for authorization as well - which is what the Spring Security userDetailService 
does.

So... don't use the in-memory user detail service.  I recommend you write your 
own user detail service that uses the username returned by CAS to query LDAP.  
It is very easy and there is plenty of documentation and many examples that you 
can Google for.

The reason why you should write your own user-detail service is that as you 
grow you'll want to make the user detail service do more things... for example, 
retrieve user attributes or roles from multiple sources - not just LDAP.

Of course, I expect that Spring Security has some other user detail services 
'ready to use'.  If there is an LDAP-based one, you could use that one for now. 
There may even be a pre-digested one that gets its stuff from CAS.

bruno
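The custom user detail service bruno describes, as an added example that is not code from the thread or from CAS/Spring Security. It uses the modern Spring Security package names (org.springframework.security.core.*) rather than the 2.0-era ones in the logs below, and the directory lookup is abstracted behind a small `Directory` interface (my assumption) with a constructed in-memory tree standing in for the LDAP search, so the class runs offline; a real deployment backs `findByUid` with an LDAP search by uid.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;

/** Loads roles for the username CAS returns in <cas:user>, instead of the in-memory service. */
public class DirectoryUserDetailsService implements UserDetailsService {

    /** What the directory search returns for one uid: account state plus group DNs (memberOf). */
    public record DirectoryEntry(boolean enabled, List<String> groupDns) {}

    /** Hypothetical lookup abstraction; in production this wraps an LDAP search by uid. */
    public interface Directory { Optional<DirectoryEntry> findByUid(String uid); }

    private final Directory directory;

    public DirectoryUserDetailsService(Directory directory) { this.directory = directory; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        DirectoryEntry entry = directory.findByUid(username)
            // Same exception Dean's log shows when the in-memory service lacks the user.
            .orElseThrow(() -> new UsernameNotFoundException("Could not find user: " + username));
        List<GrantedAuthority> roles = entry.groupDns().stream()
            .map(DirectoryUserDetailsService::groupToRole)
            .collect(Collectors.toList());
        // CAS already verified the password; Spring never sees it, so only a placeholder is stored.
        return User.withUsername(username).password("cas-authenticated")
            .disabled(!entry.enabled()).authorities(roles).build();
    }

    /** Maps a group DN such as "cn=sso-users,ou=groups,dc=example,dc=com" to ROLE_SSO_USERS. */
    static GrantedAuthority groupToRole(String groupDn) {
        String cn = groupDn.split(",")[0].replaceFirst("(?i)^cn=", "");
        return new SimpleGrantedAuthority("ROLE_" + cn.toUpperCase(Locale.ROOT).replace('-', '_'));
    }

    public static void main(String[] args) {
        // Constructed stand-in for the LDAP auth tree; the group DN is made up for this example.
        Map<String, DirectoryEntry> tree = Map.of(
            "deanhe01", new DirectoryEntry(true, List.of("cn=sso-users,ou=groups,dc=example,dc=com")));
        UserDetailsService uds = new DirectoryUserDetailsService(uid -> Optional.ofNullable(tree.get(uid)));
        System.out.println(uds.loadUserByUsername("deanhe01").getAuthorities());
        try { uds.loadUserByUsername("nobody"); }                 // user absent from the directory
        catch (UsernameNotFoundException e) { System.out.println(e.getMessage()); }
    }
}
```

Wire the bean into `CasAuthenticationProvider` in place of the in-memory service; because the same directory that authenticated the user also supplies the roles, the user-not-found path only fires for accounts that truly do not exist.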

-----Original Message-----
From: deanhe01 [mailto:[email protected]] 
Sent: Wednesday, May 13, 2009 12:40 PM
To: [email protected]
Subject: [cas-user] Problem: User in LDAP auth tree but not in 
InMemoryUserService


Let me preface this by saying I am a CAS neophyte.  

I have casified an existing application using Cas/SpringSecurity
integration.  Everything is working fine, until I remove the user from the
User Service.  Here is the behaviour I am seeing.


1)  User hits a cas protected page for the first time
2)  User is successfully re-directed to Cas login page
3)  Cas successfully auths the user against my LDAP auth tree and returns the
following fragment

   [btpool0-2] DEBUG
org.jasig.cas.client.validation.Cas20ServiceTicketValidator - Loading custom
parameters from configuration.
[btpool0-2] DEBUG
org.jasig.cas.client.validation.Cas20ServiceTicketValidator - Constructing
validation
url:https://a123488vm2.noa.nintendo.com:8443/cas-server-webapp-3.3.2/serviceValidate?service=http3A%2F%2Fa123488vm2.noa.nintendo.com%3A8888%2Fcornerstone-sso2Fj_spring_cas_security_check&ticket=ST-1732-LcB9NWG5l4kUkcwmuekk-cas&;
[btpool0-2] DEBUG
org.jasig.cas.client.validation.Cas20ServiceTicketValidator - Retrieving
response from server.
[btpool0-2] DEBUG
org.jasig.cas.client.validation.Cas20ServiceTicketValidator - Server
response:   

  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
  <cas:user>deanhe01</cas:user>

this makes me think that Cas successfully auth'd the user..

Now, we enter spring security which does not contain the user and his roles
in the user service.  I expect to see the following:

[btpool0-2] DEBUG org.springframework.security.ui.cas.CasProcessingFilter -
Authentication request failed:
org.springframework.security.userdetails.UsernameNotFoundException: Could
not find user: deanhe01
[btpool0-2] DEBUG org.springframework.security.ui.cas.CasProcessingFilter -
Authentication request failed:
org.springframework.security.userdetails.UsernameNotFoundException: Could
not find user: deanhe01


Ultimately, this is thrown by spring:

[btpool0-2] DEBUG
org.springframework.web.context.support.XmlWebApplicationContext -
Publishing event in context
[org.springframework.web.context.support.xmlwebapplicationcont...@14da86b]:
org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation:
URL: /noAccess.jsp]
[btpool0-2] DEBUG org.springframework.security.ui.ExceptionTranslationFilter
- Authentication exception occurred; redirecting to authentication entry
point
org.springframework.security.AuthenticationCredentialsNotFoundException: An
Authentication object was not found in the SecurityContext
        at
org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
        at
org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
 ........

Spring is redirecting to the cas entry point, not the noaccess.jsp, and this
sets up an infinite loop.

I am pretty sure this is not the expected behaviour, maybe a bogus test
case.

Any ideas on how to break the loop?

Thanks

Dean
-- 
View this message in context: 
http://www.nabble.com/Problem%3A--User-in-LDAP-auth-tree-but-not-in-InMemoryUserService-tp23526574p23526574.html
Sent from the CAS Users mailing list archive at Nabble.com.


-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user