Hi All,
I am integrating CAS (SSO) with a Spring Security web application.
I am facing one issue with it.
When a user hits our web application, we display the home page to the user. This
home page URL is /home.
On the home page there is a login link and other features which can be accessed
by a guest user (without being logged in).
When the user is already logged in to some other application, say App1, which
also uses CAS, and in another tab in the same browser the user hits our web
application, say App2, we are displaying the same home page to
other which can be accessed by a guest user, but with logged-in status and a
welcome message for the user.
In our application the non-secure resource pattern will be *.html and the secure
resource pattern is *.do.
My Spring Security configuration is as below.
<security:http entry-point-ref="casEntryPoint" auto-config="true">
  <security:intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/login.html" access="ROLE_USER" />
  <security:intercept-url pattern="/*.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/*.do" access="ROLE_USER" />
  <security:intercept-url pattern="/*.view" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:custom-filter position="CAS_FILTER" ref="casFilter" />
  <security:custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
  <security:custom-filter before="CAS_FILTER" ref="casSingleSignOutFilter" />
  <security:logout
      logout-success-url="${cas.server.url}/logout?service=${application.service.url}/home"
      invalidate-session="false" />
</security:http>
If the user is already logged in to application App1 and visits application App2
in another tab, control goes to the /home URL, and as there is no role required
for it, control does not go to the CAS filter and the home page is displayed to
the user with not-signed-in status, which is not desired.
Also, we have implemented URL rewriting using the Tuckey filter.
Configuration of the filter in web.xml:
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
<!-- <filter-mapping>-->
<!--   <filter-name>springSecurityFilterChain</filter-name>-->
<!--   <url-pattern>/j_spring_security_check</url-pattern>-->
<!--   <dispatcher>FORWARD</dispatcher>-->
<!-- </filter-mapping>-->
<!-- UrlRewriteFilter -->
<filter>
  <filter-name>UrlRewriteFilter</filter-name>
  <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
  <!-- Provide all extensions in lowercase -->
  <init-param>
    <param-name>logLevel</param-name>
    <param-value>ERROR</param-value>
  </init-param>
  <init-param>
    <param-name>statusEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<!-- UrlRewriteFilter Mapping -->
<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
The home page should be displayed to the user with logged-in status.
So how can this be achieved?
In both applications individually, login and logout work fine.
Any help will be greatly appreciated.
Thanks and Regards,
Rohit Kotecha
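
The rule evaluation described in the message above, as an added example that is not part of the original post or of Spring Security's own code. It assumes Ant-style patterns with first-match-wins ordering and default handling of unmatched URLs; the helper names (ant_to_regex, load_rules, decide) are hypothetical and the request paths are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"

# intercept-url rules copied from the post; the xmlns declaration is added
# here only so the fragment parses on its own.
CONFIG = """
<security:http xmlns:security="http://www.springframework.org/schema/security"
               entry-point-ref="casEntryPoint" auto-config="true">
  <security:intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/login.html" access="ROLE_USER" />
  <security:intercept-url pattern="/*.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/*.do" access="ROLE_USER" />
  <security:intercept-url pattern="/*.view" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>
"""

def ant_to_regex(pattern):
    """Ant-style: '**' spans path segments, '*' stays inside one, '?' is one character."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def load_rules(xml_text):
    """Return (pattern, access) pairs in document order, which is evaluation order."""
    root = ET.fromstring(xml_text.strip())
    return [(e.get("pattern"), e.get("access")) for e in root.iter(NS + "intercept-url")]

def decide(rules, path):
    """Outcome for a visitor with no local session (anonymous) requesting `path`."""
    path = path.split("?", 1)[0]  # assumption: query string is ignored when matching
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            if access == "IS_AUTHENTICATED_ANONYMOUSLY":
                return pattern, "served-anonymously"   # entry point never invoked
            return pattern, "redirect-to-cas"          # access denied -> casEntryPoint
    return None, "no-rule-unchecked"                   # assumption: unmatched URLs are public

RULES = load_rules(CONFIG)

if __name__ == "__main__":
    # Constructed request paths, not taken from the post.
    for p in ["/home", "/index.html", "/login.html", "/account.do", "/admin/report.do"]:
        print(p, "->", decide(RULES, p))
```

For an anonymous visitor, /home matches the first rule and is served without the CAS entry point being invoked, which is the behaviour described in the post. A nested path such as /admin/report.do matches none of the single-segment patterns under Ant semantics, so it is worth checking whether any secure URLs live below the context root.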