I started this post to ask for help... but I figured things out while discovering there is no good information/documentation on how to upgrade CAS to use Spring Security 3.0.x. I don't have time right now to do a full post on the wiki but I wanted the know-how to be captured somewhere, so here it is:
1) The CAS documentation (http://www.ja-sig.org/wiki/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security) is a draft and does not work yet. It contains things that trigger Spring Security 3.0 error messages. 2) The Spring Security documentation on how to connect to CAS (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/cas.html) may or may not work. It didn't for me at first, but I changed a few things later, so it may actually work. One thing that it does if your HTTPS isn't configured right is send you on an infinite loop of ticket granting. So you might want to avoid it anyway. 3) One configuration that works fairly well is in the oudmaijer blog (http://www.oudmaijer.com/blog/2009/12/28/spring-3-spring-security-3-cas-3-3-4-integration/). It has a bug where it says (position="CAS_FILTER") since there is no such thing as a CAS_FILTER in Spring Security 3.0, but I fixed it by replacing it with (after="PRE_AUTH_FILTER"). This may not be the 'right value' but it works. One good thing about this configuration is that if HTTPS is incorrectly setup it blows up nicely: It shows only one ticket granting, and then it throws an exception. I went with option (3) and it is working for me. If anybody has suggestions for improvement (especially regarding that PRE_AUTH_FILTER piece), I would definitely welcome them. I hope this helps the person writing the wiki item, and any others who are banging their head against the wall while asking themselves why they upgraded to Spring Security 3.0.x. bruno -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
