Hello,
to add some feedback on my own question:
To me it looks like in fact this is not working correctly (Spring
Security and CAS proxy authentication, where the Spring Security webapp
is the application being proxied).
The authentication will only take place when the URL matches
j_spring_cas_security_check (or whatever is set as filterProcessesUrl,
but it is one fixed value). So if I have two URLs I want to proxy
that's not possible.
Well, what I see I can do because of all the Spring Security code
around it is construct a URL like
https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check?spring-security-redirect=/secure/index.jsp&ticket=ST-22-Wb2DLZLgv9I7uZQpkSoQ-cas
where /secure/index.jsp is the URL (part of it) I actually wanted to
retrieve. This actually works, but to say it is a hack is an
understatement in my opinion. It does look like there are options to
extend CasProcessingFilter::requiresAuthentication to make it work, but
that would involve more hacks and I don't know whether it would then
still work on other usage scenarios (since it would involve having more
URLs become requiresAuthentication).
Can anybody confirm/deny/comment on what I say above, so mainly: does
anybody have Spring Security with proxy authentication, where the Spring
Security based webapp is the proxied application, working? And if so,
didn't you have to do some special configuration to deal with
j_spring_cas_security_check (and if so, what did you do)?
Kind regards,
--Sander.
Sander Bos wrote:
Hello,
I am trying to set up a CAS client with spring security, that should be
accessed through proxy authentication.
I already have it working for a combination of clients that do not use
'Spring Security'. Here is what I do at the server that will call the
proxying server (somewhat abbreviated):
String urlString = "http://fina138:8180/my-cassample-webapp/index.jsp";
// obtain a proxy ticket bound to exactly this target URL
String proxyTicket = casPrincipal.getProxyTicketFor(urlString);
urlString += "?ticket=" + proxyTicket;
URL url = new URL(urlString);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
etc.
My working client configuration with cas-client has this
configuration:
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://fina138:8543/cas-server</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://fina138:8180</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>acceptAnyProxy</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- Does not work, see http://www.ja-sig.org/issues/browse/CASC-88
  <init-param>
    <param-name>allowedProxyChains</param-name>
    <param-value>https://fina138:8443/cas/proxyCallback</param-value>
  </init-param>
  -->
</filter>
But I do not understand how I can set up the same configuration in
Spring Security. Here is what I have currently:
<bean id="casProcessingFilter"
      class="org.springframework.security.ui.cas.CasProcessingFilter">
  <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
  <property name="proxyReceptorUrl" value="/secure/receptor"/>
</bean>
<bean id="casProcessingFilterEntryPoint"
      class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl" value="https://fina138:8543/cas-server/login"/>
  <property name="serviceProperties" ref="serviceProperties"/>
</bean>
<bean id="casAuthenticationProvider"
      class="org.springframework.security.providers.cas.CasAuthenticationProvider">
  <sec:custom-authentication-provider/>
  <property name="userDetailsService" ref="ldapUserDetailsService"/>
  <property name="serviceProperties" ref="serviceProperties"/>
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
      <constructor-arg index="0" value="https://fina138:8543/cas-server"/>
      <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
      <property name="proxyCallbackUrl"
                value="https://fina138:8543/spring-security-cas-sample/secure/receptor"/>
      <property name="acceptAnyProxy" value="true"/>
    </bean>
  </property>
  <property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<bean id="proxyGrantingTicketStorage"
      class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<bean id="serviceProperties"
      class="org.springframework.security.ui.cas.ServiceProperties">
  <property name="service"
            value="https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check"/>
  <property name="sendRenew" value="false"/>
</bean>
(don't read too much into the variation in webapp names, since I have
multiple webapps running, one working and one not working)
Now, what I don't understand specifically is the service, at least I
have the feeling that this is where my problem is. In the Spring
variant, I cannot specify (find) serverName, I only have this service.
But I do not want to request j_spring_cas_security_check, I want to request index.jsp
(also, I'd rather use http for the request than https, the CAS
communication can use https of course). I have the feeling, looking at
the logs, that currently with the request for index.jsp?ticket=....,
there is not even an attempt to check the ticket, it only looks for
j_spring_cas_security_check urls.
I know that this may be more of a Spring than a jasig CAS question
(although hey this is 'CAS User'), but I figure there are more people
with CAS knowledge here than on Spring lists. Also, I have the feeling
I am just missing something about these service URLs (they are supposed
to match the request you actually make, right, so with index.jsp if I
want to request that page?).
I hope someone can help me because this is getting really frustrating
for me (any pointers on debugging this would also be appreciated).
Kind regards,
Sander Bos
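A small simulation of the mechanism both messages above run into: the Spring CAS filter only validates tickets on its fixed j_spring_cas_security_check path, a proxy ticket is bound to one exact service URL and is single use, and the spring-security-redirect workaround from the follow-up validates at that path and then redirects. This is an added example, not code from this thread, Spring Security or the jasig client; CasServer, CasProcessingFilter and run_scenarios are simplified stand-ins for the real classes, and the ticket values are generated locally.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Fixed filterProcessesUrl of the CAS filter, and the configured ServiceProperties.service.
PROCESS_PATH = "/spring-security-cas-sample/j_spring_cas_security_check"
SERVICE = "https://fina138:8543" + PROCESS_PATH

class CasServer:
    """Stand-in CAS server: a proxy ticket is bound to one exact service URL and validates once."""
    def __init__(self):
        self._tickets = {}  # ticket -> service it was issued for

    def get_proxy_ticket_for(self, service):
        ticket = "PT-" + secrets.token_urlsafe(12)  # constructed locally, not a real CAS ticket
        self._tickets[ticket] = service
        return ticket

    def proxy_validate(self, service, ticket):
        # Consume the ticket even on a service mismatch so it cannot be retried.
        return self._tickets.pop(ticket, None) == service

class CasProcessingFilter:
    """Stand-in for the Spring filter: validates only on PROCESS_PATH, always against
    the configured service, then honours the spring-security-redirect parameter."""
    def __init__(self, cas, service):
        self.cas, self.service = cas, service

    def requires_authentication(self, path):
        return path == PROCESS_PATH

    def do_filter(self, url):
        parts = urlsplit(url)
        if not self.requires_authentication(parts.path):
            return "not validated"  # e.g. /secure/index.jsp?ticket=... is never checked
        query = parse_qs(parts.query)
        if not self.cas.proxy_validate(self.service, query.get("ticket", [""])[0]):
            return "failed"
        return "redirect:" + query.get("spring-security-redirect", ["/"])[0]

def run_scenarios():
    """Filter outcome for the cases discussed in the thread."""
    cas = CasServer()
    flt = CasProcessingFilter(cas, SERVICE)
    base = "https://fina138:8543/spring-security-cas-sample"
    direct = base + "/secure/index.jsp?ticket=" + cas.get_proxy_ticket_for(SERVICE)
    hack = SERVICE + "?spring-security-redirect=/secure/index.jsp&ticket=" + cas.get_proxy_ticket_for(SERVICE)
    other = SERVICE + "?ticket=" + cas.get_proxy_ticket_for("http://fina138:8180/my-cassample-webapp/index.jsp")
    return {"direct": flt.do_filter(direct), "hack": flt.do_filter(hack),
            "replay": flt.do_filter(hack), "wrong_service": flt.do_filter(other)}
```

The "wrong_service" case shows why a ticket obtained for index.jsp cannot simply be presented at the processing URL: the ticket's service must match the one the filter validates against.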
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user