Re: [cas-user] CAS + SpringSecurity + orginal url

Fri, 13 Apr 2012 07:24:03 -0700 

Thanks for your answer. Here is my configuration file :



I reviewed your config and there's nothing obviously wrong.  Time for 
code review.  The following two beans together define the redirect URL 
to CAS, which includes the service URL (and any parameters that would 
be attached to your service):



<bean id="casProcessingFilterEntryPoint" 
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${casUrl}/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>



<bean id="serviceProperties" 
class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="${applicationUrl}/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>


Code review reveals a surprise:

CasAuthenticationEntryPoint.java[1]:


    protected String createServiceUrl(final HttpServletRequest request, 
final HttpServletResponse response) {
        return CommonUtils.constructServiceUrl(null, response, 
this.serviceProperties.getService(), null, 
this.serviceProperties.getArtifactParameter(), 
this.encodeServiceUrlWithSessionId);

    }

CommonUtils.java [2]:


    public static String constructServiceUrl(final HttpServletRequest 
request, final HttpServletResponse response, final String service, final 
String serverNames, final String artifactParameterName, final boolean 
encode) {

        if (CommonUtils.isNotBlank(service)) {
            return encode ? response.encodeURL(service) : service;
        }
...



Hopefully the issue is self evident, but I'll add a brief analysis in 
any case.  Since serviceProperties.getService() is not null, it uses 
that URL directly instead of considering querystring parameters. 
Additionally, createServiceUrl passes a null reference for the first 
argument to constructServiceUrl, which further precludes consideration 
of querystring parameters.



Scott would have to weigh in here as to why that's the case, but 
apparently it's not possible to preserve application parameters when 
using the Spring Security CAS client.


M


[1] 
https://github.com/SpringSource/spring-security/blob/3.0.x/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java



[2] 
https://github.com/Jasig/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user






















					Reply via email to