Hi,
I've integrated Spring Security 3 with CAS. I'm stuck as I attempt to use CAS 
as a gateway. 

My app has a few protected and unprotected pages with each page having a 
login/logout link. I access a secure page after authenticating with CAS. 
Accessing any page during that session would still display the logout 
link(indicating that the user has authenticated with CAS).

Currently, when I try to access a non-secure page(when I'm still logged into 
CAS from another casified app or have a remember me cookie set by my cas 
server), I would expect myself to be logged in automatically. But the 
non-secure page still displays a login link(clicking which talks to CAS and 
logs me in automatically as I previously authenticated successfully and the 
browser has not been closed).

I do not want to redirect the user to the CAS login page if he tries to access a 
non-secure resource; I just need to validate behind the scenes whether he is 
still logged into CAS and, if not, send him to the non-secure page as a guest 
user.

Please let me know what I need to add to my security context to achieve this.

Prasanna

ps:I've attached my web.xml and security xml.
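<?xml version="1.0" encoding="UTF-8"?>
<!--
	Deployment descriptor (Servlet 2.5) for the "app" web application.
	It wires up Log4j, the Spring root context, CAS single sign-out and the
	Spring Security filter chain, and maps the Spring MVC dispatcher to /iped/*.
-->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">

	<display-name>app</display-name>

	<context-param>
		<param-name>webAppRootKey</param-name>
		<param-value>iped.root</param-value>
	</context-param>

	<!-- Log4j configuration file; it is re-checked every 1000 ms for changes. -->
	<context-param>
		<param-name>log4jConfigLocation</param-name>
		<param-value>/WEB-INF/classes/log4j.xml</param-value>
	</context-param>
	<context-param>
		<param-name>log4jRefreshInterval</param-name>
		<param-value>1000</param-value>
	</context-param>

	<!--
		Spring root context files. The security rules (which URLs need a CAS
		login) live in applicationcontext-security.xml.
	-->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
		/WEB-INF/applicationcontext-servlet.xml
		/WEB-INF/applicationcontext-security.xml
		</param-value>
	</context-param>

	<!-- Declared before ContextLoaderListener so logging is set up before the Spring context starts. -->
	<listener>
		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
	</listener>

	<!-- Delegates to the bean named springSecurityFilterChain in the Spring root context. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>

	<!--
		Filter-mapping order is invocation order. The single sign-out filter
		must stay ahead of springSecurityFilterChain: it has to see the CAS
		logout callback and the ticket/session pairing before Spring Security
		handles the request. If the order is swapped, a logout at the CAS
		server may leave the local session alive.
	-->
	<filter-mapping>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<!--
		Every request, protected or not, passes through the security chain.
		Whether a URL requires authentication is decided by the intercept-url
		rules, not by this mapping.
	-->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Companion of the single sign-out filter; it drops the session mapping when a session ends. -->
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
	</listener>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<servlet>
		<servlet-name>iped</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>iped</servlet-name>
		<url-pattern>/iped/*</url-pattern>
	</servlet-mapping>

	<welcome-file-list>
		<welcome-file>/redirect.jsp</welcome-file>
	</welcome-file-list>

</web-app>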
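<?xml version="1.0"?>
<!--
	Spring Security 3.0 context that hands authentication to a CAS server.
	The CAS URLs come from WEB-INF/security.properties through the
	placeholder configurer at the end of this file.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

	<!--
		Enable security, let the casAuthenticationEntryPoint handle all intercepted urls.
		The CAS_FILTER needs to be in the right position within the filter chain.

		Only /cas/login and /iped/modify_profile require an authenticated user.
		No rule matches any other URL, so those requests are served as the
		anonymous user and never reach the entry point. As a result an existing
		CAS SSO session is not detected on unprotected pages.

		NOTE(review): auto-config="true" also registers form-login and HTTP Basic
		authentication. With CAS as the intended login path, confirm that these
		extra mechanisms are wanted.
	-->
	<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true" use-expressions="true">
		<security:logout success-handler-ref="CustomLogoutHandler" invalidate-session="true"/>
		<security:intercept-url pattern="/cas/login" access="isAuthenticated()"/>
		<security:intercept-url pattern="/iped/modify_profile" access="isAuthenticated()"/>
		<!--
 		<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ANONYMOUS')"></security:intercept-url>
		-->
		<security:anonymous/>
		<security:custom-filter ref="casAuthenticationFilter" position="CAS_FILTER"/>
	</security:http>

	<!--
		Required for the casProcessingFilter, so define it explicitly and
		specify an id, even though the authenticationManager is created by
		default when namespace based config is used.
	-->
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="casAuthenticationProvider"/>
	</security:authentication-manager>

	<!--
		This section is used to configure CAS. The service is the
		actual redirect that will be triggered after the CAS login sequence.

		The service URL must be the one casAuthenticationFilter processes
		(by default /j_spring_cas_security_check); confirm that
		${cas.service.url} points there and uses https.
		sendRenew=false lets CAS reuse an existing SSO session instead of
		asking for credentials again.
	-->
	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
		<property name="service" value="${cas.service.url}"/>
		<!-- <property name="service" value="http://localhost:8090/prototype01/news/view"/>-->
		<property name="sendRenew" value="false"/>
	</bean>

	<!--
		The CAS filter handles the redirect from the CAS server and starts the ticket validation.
	-->
	<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<!--<property name="authenticationManager" ref="mdsAuthenticationManager"></property>
		-->
		<property name="authenticationSuccessHandler" ref="customSuccessHandler"/>
	</bean>

	<bean id="customSuccessHandler" class="com.ec.iped.security.IpedAuthSuccessHandler"/>

	<!--
		The entryPoint intercepts all the CAS authentication requests.
		It redirects to the CAS loginUrl for the CAS login page.
		It is invoked only when an unauthenticated user requests a URL that
		an intercept-url rule protects.
	-->
	<bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
		<property name="loginUrl" value="${cas.login.url}"/>
		<property name="serviceProperties" ref="serviceProperties"/>
	</bean>

	<!--
		Handles the CAS ticket processing.

		NOTE(review): the constructor argument of Cas20ServiceTicketValidator is
		the CAS server URL prefix. Confirm that ${cas.validate.url} holds that
		prefix rather than a full validation endpoint, and that it is an https
		URL so the validation response cannot be altered in transit.

		NOTE(review): "key" is a fixed literal. The provider uses it to
		recognise tokens it issued; consider moving it into security.properties
		with the other CAS settings and giving it a non-obvious value.
	-->
	<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
		<property name="authenticationUserDetailsService" ref="userService"/>
		<property name="serviceProperties" ref="serviceProperties"/>
		<property name="ticketValidator">
			<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
				<constructor-arg index="0" value="${cas.validate.url}"/>
			</bean>
		</property>
		<property name="key" value="cas"/>
	</bean>

	<!-- Custom UserService which assigns roles to users -->
	<bean id="userService" class="com.ec.iped.security.UserDetails.IpedUserService"/>

	<bean id="CustomLogoutHandler" class="com.ec.iped.security.IpedLogoutHandler"/>

	<!-- Spring security properties -->
	<bean id="propertyPlaceholder"
		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
		<property name="location" value="WEB-INF/security.properties"/>
	</bean>

</beans>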
