Hello,

I am trying to set up a CAS client with spring security, that should be accessed through proxy authentication.


I already have it working for a combination of clients that do not 'Spring Security'. Here is what I do at the server that will call the proxying server (somewhat abbreviated):
        String urlString = "http://fina138:8180/my-cassample-webapp/index.jsp";
        String proxyTicket = casPrincipal.getProxyTicketFor(urlString);
        urlString += "?ticket=" + proxyTicket;
        URL url = new URL(urlString);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        etc.

My working client configuration with cas-client has this configuration:
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://fina138:8543/cas-server</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://fina138:8180</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Does not work, see http://www.ja-sig.org/issues/browse/CASC-88
        <init-param>
            <param-name>allowedProxyChains</param-name>
            <param-value>https://fina138:8443/cas/proxyCallback</param-value>
        </init-param>
        -->
    </filter>

But I do not understand how I can set up the same configuration in Spring Security. Here is what I have currently:
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="proxyReceptorUrl" value="/secure/receptor" />
    </bean>
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://fina138:8543/cas-server/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>
    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="ldapUserDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
                <constructor-arg index="0" value="https://fina138:8543/cas-server" />
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                <property name="proxyCallbackUrl" value="https://fina138:8543/spring-security-cas-sample/secure/receptor" />
                <property name="acceptAnyProxy" value="true" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>
    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

(don't read too much into the variation in webapp names, since I have multiple webapps running, one working and one not working)

Now, what I don't understand specifically is the service; at least I have the feeling that this is where my problem is. In the Spring variant, I cannot specify (find) serverName, I only have this service. But I do not want to request j_spring_cas_security_check, I want to request index.jsp (also, I'd rather use http for the request than https; the CAS communication can use https of course). I have the feeling, looking at the logs, that currently with the request for index.jsp?ticket=..., there is not even an attempt to check the ticket, it only looks for j_spring_cas_security_check URLs.

I know that this may be more of a Spring than a jasig CAS question (although hey this is 'CAS User'), but I figure there are more people with CAS knowledge here than on Spring lists. Also, I have the feeling I am just missing something about these service URLs (they are supposed to match the request you actually make, right, so with index.jsp if I want to request that page?).

I hope someone can help me because this is getting really frustrating for me (any pointers on debugging this would also be appreciated).

Kind regards,

Sander Bos
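An added illustration (not from the original post, nor the Jasig cas-client or Spring Security code) of the proxied service's side of the flow described above: building the CAS 2.0 /proxyValidate request for the URL the proxy ticket was actually issued for, parsing the server's response, and deciding what acceptAnyProxy versus allowedProxyChains allow. Assumptions: the sample responses are constructed, and the chain check is a simplified model of the two settings rather than the library's own logic.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # CAS 2.0 response namespace

def build_proxy_validate_url(cas_server_url_prefix, requested_url, ticket):
    """URL the proxied app calls to validate a received proxy ticket (PT).
    `service` must be the URL the PT was issued for, i.e. what the proxying
    app passed to getProxyTicketFor() (index.jsp, not a
    j_spring_cas_security_check URL); otherwise CAS answers INVALID_SERVICE."""
    query = urlencode({"service": requested_url, "ticket": ticket})
    return f"{cas_server_url_prefix}/proxyValidate?{query}"

def parse_proxy_validate_response(xml_text):
    """Parse a CAS 2.0 /proxyValidate response into a plain dict."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{CAS_NS}authenticationFailure")
    if failure is not None:
        return {"ok": False, "error": failure.get("code"), "proxies": []}
    success = root.find(f"{CAS_NS}authenticationSuccess")
    proxies = [p.text.strip() for p in success.iter(f"{CAS_NS}proxy")]
    return {"ok": True, "user": success.findtext(f"{CAS_NS}user"), "proxies": proxies}

def proxy_chain_allowed(proxies, allowed_chains, accept_any_proxy=False):
    """Simplified model (not the cas-client code) of acceptAnyProxy versus
    allowedProxyChains: a plain service ticket (no proxies) always passes;
    acceptAnyProxy=true trusts every proxy; otherwise the reported chain
    must exactly equal one of the configured chains."""
    if not proxies or accept_any_proxy:
        return True
    return any(list(chain) == proxies for chain in allowed_chains)

# Constructed sample responses (not captured from a real CAS server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>sander</cas:user>
    <cas:proxies><cas:proxy>https://fina138:8443/cas/proxyCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_INVALID_SERVICE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'PT-1-abc' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_proxy_validate_url("https://fina138:8543/cas-server",
                                   "http://fina138:8180/my-cassample-webapp/index.jsp", "PT-1-abc"))
    result = parse_proxy_validate_response(SAMPLE_SUCCESS)
    print(result, proxy_chain_allowed(result["proxies"], [], accept_any_proxy=True))
```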
