If you want to use Spring Security like you are, try using the CAS/Basic
Auth support which allows you to pass in the ticket via Basic AUTH.
Unfortunately, Spring Security was written such that everything redirects to
the j_spring_cas_security_check whenever it encounters a protected URL.

Cheers.
Scott


On Tue, Jul 14, 2009 at 9:24 AM, Sander Bos <[email protected]> wrote:

>
>
> Hello,
>
> to add some feedback on my own question:
> To me it looks like in fact this is not working correctly (Spring Security
> and CAS proxy authentication, where the Spring Security webapp is the
> application being proxied).
>
> The authentication will only take place when the URL matches
> j_spring_cas_security_check (or whatever is set as filterProcessesUrl, but
> it is one fixed value). So if I have two URLs I want to proxy that's not
> possible.
>
> Well, what I see I can do because of all the Spring Security code around it
> is construct a URL like
>
> https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check
> ?
>         spring-security-redirect=/secure/index.jsp&
>         ticket=ST-22-Wb2DLZLgv9I7uZQpkSoQ-cas
>
> where /secure/index.jsp is the URL (part of it) I actually wanted to
> retrieve. This actually works, but to say it is a hack is an understatement
> in my opinion. It does look like there are options to extend
> CasProcessingFilter::requiresAuthentication to make it work, but that would
> involve more hacks and I don't know whether it would then still work on
> other usage scenarios (since it would involve having more URLs become
> requiresAuthentication).
>
>
> Can anybody confirm/deny/comment on what I say above, so mainly: does
> anybody have Spring Security with proxy authentication where the Spring
> Security based webapp is the proxied application working? And if so, didn't
> you have to do some special configuration to deal with
> j_spring_cas_security_check (and if so, what did you do?)?
>
> Kind regards,
>
> --Sander.
>
>
> Sander Bos schreef:
>
>
> Hello,
>
> I am trying to set up a CAS client with spring security, that should be
> accessed through proxy authentication.
>
>
> I already have it working for a combination of clients that do not use 'Spring
> Security'. Here is what I do at the server that will call the proxying
> server (somewhat abbreviated):
>
>         String urlString = "http://fina138:8180/my-cassample-webapp/index.jsp";
>         String proxyTicket = casPrincipal.getProxyTicketFor(urlString);
>         urlString += "?ticket=" + proxyTicket;
>         URL url = new URL(urlString);
>         HttpURLConnection connection = (HttpURLConnection) url.openConnection();
>         etc.
>
> My *working* client configuration with cas-client has this configuration:
>     <filter>
>         <filter-name>CAS Validation Filter</filter-name>
>         <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>         <init-param>
>             <param-name>casServerUrlPrefix</param-name>
>             <param-value>https://fina138:8543/cas-server</param-value>
>         </init-param>
>         <init-param>
>             <param-name>serverName</param-name>
>             <param-value>http://fina138:8180</param-value>
>         </init-param>
>         <init-param>
>             <param-name>redirectAfterValidation</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>acceptAnyProxy</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <!-- Does not work, see http://www.ja-sig.org/issues/browse/CASC-88
>         <init-param>
>             <param-name>allowedProxyChains</param-name>
>             <param-value>https://fina138:8443/cas/proxyCallback</param-value>
>         </init-param>
>         -->
>     </filter>
>
> But I do not understand how I can set up the same configuration in Spring
> Security. Here is what I have currently:
>     <bean id="casProcessingFilter"
>           class="org.springframework.security.ui.cas.CasProcessingFilter">
>         <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
>         <property name="authenticationManager" ref="authenticationManager"/>
>         <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
>         <property name="defaultTargetUrl" value="/"/>
>         <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
>         <property name="proxyReceptorUrl" value="/secure/receptor"/>
>     </bean>
>     <bean id="casProcessingFilterEntryPoint"
>           class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
>         <property name="loginUrl" value="https://fina138:8543/cas-server/login"/>
>         <property name="serviceProperties" ref="serviceProperties"/>
>     </bean>
>     <bean id="casAuthenticationProvider"
>           class="org.springframework.security.providers.cas.CasAuthenticationProvider">
>         <sec:custom-authentication-provider/>
>         <property name="userDetailsService" ref="ldapUserDetailsService"/>
>         <property name="serviceProperties" ref="serviceProperties"/>
>         <property name="ticketValidator">
>             <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
>                 <constructor-arg index="0" value="https://fina138:8543/cas-server"/>
>                 <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
>                 <property name="proxyCallbackUrl"
>                           value="https://fina138:8543/spring-security-cas-sample/secure/receptor"/>
>                 <property name="acceptAnyProxy" value="true"/>
>             </bean>
>         </property>
>         <property name="key" value="an_id_for_this_auth_provider_only"/>
>     </bean>
>     <bean id="proxyGrantingTicketStorage"
>           class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
>     <bean id="serviceProperties"
>           class="org.springframework.security.ui.cas.ServiceProperties">
>         <property name="service"
>                   value="https://fina138:8543/spring-security-cas-sample/j_spring_cas_security_check"/>
>         <property name="sendRenew" value="false"/>
>     </bean>
>
> (don't read too much into the variation in webapp names, since I have
> multiple webapps running, one working and one not working)
>
> Now, what I don't understand specifically is the service, at least I have
> the feeling that this is where my problem is. In the Spring variant, I
> cannot specify (find) serverName, I only have this service. But I do not
> want to request j_spring_cas_security_check, I want to request index.jsp
> (also, I'd rather use http for the request than https, the CAS communication
> can use https of course). I have the feeling, looking at the logs, that
> currently with the request for index.jsp?ticket=...., there is not even an
> attempt to check the ticket, it only looks for j_spring_cas_security_check
> urls.
>
> I know that this may be more of a Spring than a jasig CAS question
> (although hey this is 'CAS User'), but I figure there are more people with
> CAS knowledge here than on Spring lists. Also, I have the feeling I am just
> missing something about these service URLs (they are supposed to match the
> request you actually make, right, so with index.jsp if I want to request
> that page?).
>
> I hope someone can help me because this is getting really frustrating for
> me (any pointers on debugging this would also be appreciated).
>
> Kind regards,
>
> Sander Bos
>
>
>  --
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
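The extension of CasProcessingFilter::requiresAuthentication that Sander wonders about, written out as an added example; this is not code from the thread and not part of Spring Security or the CAS client. It targets the Spring Security 2.0.x classes used in the configuration above (org.springframework.security.ui.cas.CasProcessingFilter) and assumes the protected hooks requiresAuthentication(request, response) and determineTargetUrl(request) plus the getFilterProcessesUrl() accessor of that version; the package, the class name and the ticketAcceptingPrefix property are invented for the example.

```java
// Added example, not code from the thread or from Spring Security itself.
// Assumes the Spring Security 2.0.x API of CasProcessingFilter and its
// AbstractProcessingFilter base: requiresAuthentication(), determineTargetUrl()
// and getFilterProcessesUrl(). Package, class name and prefix property are invented.
package example.cas;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.ui.cas.CasProcessingFilter;

/**
 * CasProcessingFilter that also validates a CAS ticket presented on any URL
 * below a configurable prefix, not only on filterProcessesUrl
 * (/j_spring_cas_security_check). Everything else is inherited.
 */
public class TicketParameterCasProcessingFilter extends CasProcessingFilter {

    /** Request parameter in which CAS delivers a service or proxy ticket. */
    private static final String TICKET_PARAM = "ticket";

    /** Only context-relative paths under this prefix accept a ticket (assumed default). */
    private String ticketAcceptingPrefix = "/secure/";

    /** Local copy of proxyReceptorUrl; kept because the 2.0.x class exposes only a setter. */
    private String receptorUrl;

    public void setTicketAcceptingPrefix(String prefix) {
        this.ticketAcceptingPrefix = prefix;
    }

    @Override
    public void setProxyReceptorUrl(String proxyReceptorUrl) {
        super.setProxyReceptorUrl(proxyReceptorUrl);
        this.receptorUrl = proxyReceptorUrl;
    }

    /** Context-relative path of the request, e.g. "/secure/index.jsp", without ;jsessionid. */
    private static String contextRelativePath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        return uri.substring(request.getContextPath().length());
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // The standard behaviour for /j_spring_cas_security_check is kept as-is.
        if (super.requiresAuthentication(request, response)) {
            return true;
        }
        String path = contextRelativePath(request);
        // The proxy receptor callback carries pgtIou/pgtId, never a ticket; leave it alone.
        if (receptorUrl != null && path.equals(receptorUrl)) {
            return false;
        }
        String ticket = request.getParameter(TICKET_PARAM);
        // Widen the set of ticket-accepting URLs only to the configured prefix, so that
        // not every URL of the application becomes a login endpoint.
        return ticket != null && ticket.length() > 0 && path.startsWith(ticketAcceptingPrefix);
    }

    /**
     * After a ticket presented on e.g. /secure/index.jsp validates, send the caller back
     * to that page with the consumed ticket removed, instead of to defaultTargetUrl.
     */
    @Override
    protected String determineTargetUrl(HttpServletRequest request) {
        String path = contextRelativePath(request);
        if (path.equals(getFilterProcessesUrl())) {
            return super.determineTargetUrl(request); // normal spring-security-redirect flow
        }
        StringBuilder target = new StringBuilder(path);
        char sep = '?';
        for (Enumeration<?> names = request.getParameterNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            if (TICKET_PARAM.equals(name)) {
                continue;
            }
            for (String value : request.getParameterValues(name)) {
                target.append(sep).append(encode(name)).append('=').append(encode(value));
                sep = '&';
            }
        }
        return target.toString();
    }

    private static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }
}
```

To use it, point the casProcessingFilter bean's class attribute at this class and keep the other properties unchanged. Note what it does not change: CasAuthenticationProvider still validates the ticket against the single service value from ServiceProperties, so the proxying application has to obtain its proxy ticket for exactly that value (here the j_spring_cas_security_check URL), not for index.jsp; this subclass only changes which request URLs trigger the validation and where the caller is sent afterwards.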
