Hi

I am using CAS 3.4.8 with Spring security 3.1.0.RC2. I am new to CAS and 
have some trouble understanding how I can use CAS for single sign-on 
across multiple applications. Here is my environment:

1. app-web : UI application WAR (maven+spring+gwt)
2. app-ds: Data services WAR (maven+spring+hibernate)
3. app-cas: Maven overlay war.
4. Active directory : Existing enterprise directory.

Additional information
a. I have made changes to deploymentConfigContext.xml and 
securityContext.xml in the app-cas and deployed on tomcat. I have 
confirmed that the user is able to sign in, services are configured and attributes 
from active directory are released correctly.

b. Individual applications (app-ds and app-web) are secured with spring 
security. I have confirmed that secure URLs and business services 
require the CAS login first and then redirect upon authentication.

*Problem*:
When the user logs into app-web and requests services from the app-ds, 
app-ds throws an exception and wants the user to authenticate 
again. I am adding the service ticket (ST-XXXX) to the query string before 
sending post requests to the app-ds.

Any calls to String proxyTicket = 
assertion.getPrincipal().getProxyTicketFor(serviceUrl); return null, where
serviceUrl = https://localhost:8888/app-web/j_spring_cas_security_check

I am not sure if I am using the SAML validator incorrectly. Using the 
Cas20TicketValidator does not return any attributes from Active 
Directory.  Any help would be appreciated.


*Configuration*
Everything is standard configuration except for the ticketValidator and 
UserDetailsService configuration. I am using Saml11TicketValidator, otherwise 
the AD attributes are not in the security context.

<b:bean id="casAuthProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
        p:serviceProperties-ref="serviceProperties"
        p:key="casAuthProviderKey">
    <b:property name="authenticationUserDetailsService" ref="userDetailsService" />
    <b:property name="ticketValidator">
        <b:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <b:constructor-arg value="https://localhost:8443/app-cas" />
        </b:bean>
    </b:property>
    <b:property name="statelessTicketCache">
        <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
            <b:property name="cache">
                <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose">
                    <b:constructor-arg value="casTickets" />
                    <b:constructor-arg value="50" />
                    <b:constructor-arg value="true" />
                    <b:constructor-arg value="false" />
                    <b:constructor-arg value="3600" />
                    <b:constructor-arg value="900" />
                </b:bean>
            </b:property>
        </b:bean>
    </b:property>
</b:bean>

<b:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter"
        p:authenticationManager-ref="authManager"
        p:serviceProperties-ref="serviceProperties"
        p:proxyGrantingTicketStorage-ref="pgtStorage"
        p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
    <b:property name="authenticationDetailsSource">
        <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource" />
    </b:property>
    <b:property name="authenticationFailureHandler">
        <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
                p:defaultFailureUrl="/casfailed.jsp" />
    </b:property>
</b:bean>

c. Custom UserDetailsServiceImpl iterates over the assertion attributes
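The proxy-ticket step described above, as an added example that is not code from the original post: app-web reads the CAS assertion out of the Spring Security context, asks it for a proxy ticket bound to app-ds's service URL, and fails closed (configuration error, not a re-login) when CAS issues none. The CAS client only issues proxy tickets when the login validation registered a proxy callback and stored a proxy-granting ticket; the class name and `APP_DS_SERVICE` are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Added example (assumed class name): builds an app-ds request URL carrying a
// fresh CAS proxy ticket for the currently authenticated app-web user.
public class AppDsProxyClient {

    // Assumed: the service URL app-ds itself validates tickets against. The proxy
    // ticket is bound to this exact string, so it must match app-ds's serviceProperties.
    static final String APP_DS_SERVICE =
            "https://localhost:8888/app-ds/j_spring_cas_security_check";

    public static String buildProxiedUrl(String appDsEndpoint) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof CasAuthenticationToken)) {
            // Never forward an unauthenticated caller's request to app-ds.
            throw new IllegalStateException("caller is not CAS-authenticated");
        }
        Assertion assertion = ((CasAuthenticationToken) auth).getAssertion();
        AttributePrincipal principal = assertion.getPrincipal();

        // Proxy tickets are single-use and bound to the target service URL.
        // The client returns null when it holds no proxy-granting ticket, i.e. when
        // app-web's login was validated without a proxy callback being registered.
        String proxyTicket = principal.getProxyTicketFor(APP_DS_SERVICE);
        if (proxyTicket == null) {
            throw new IllegalStateException("CAS issued no proxy ticket for " + APP_DS_SERVICE
                    + "; check that app-web validates logins with a proxy-capable validator"
                    + " whose proxy callback URL points at its proxy receptor");
        }
        try {
            String separator = appDsEndpoint.contains("?") ? "&" : "?";
            return appDsEndpoint + separator + "ticket="
                    + URLEncoder.encode(proxyTicket, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not available", e);
        }
    }
}
```

app-ds then validates the incoming proxy ticket with its own CasAuthenticationFilter; the ticket is consumed on first use, so a new one is requested for each call.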



