Help with a Spring Security setup for an app that does not use HTTPS would be 
appreciated. When I follow the instructions in the Spring Security CAS chapter, 
the result is a 401 response whose body says "This request requires HTTP authentication." 
That config is attached below.

Which of the following do you think is the best course of action?

*Convert the app to HTTPS (not sure of the level of effort there)
*The JVM running the app doesn't trust the CAS server's certificate, as explained here: 
http://forum.spring.io/forum/spring-projects/security/125679-http-status-401-authentication-failed-for-sso-using-cas-3-5-2-and-spring-security
**Note that I've run into various problems with that approach
*Reconfigure Spring Security to allow both secure and insecure channels, as 
described here: 
http://stackoverflow.com/questions/9925057/issue-with-https-to-http-redirection-by-elastic-load-balancer-to-tomcat-server

Note that the app will be deployed behind a load balancer that can be 
configured to terminate HTTPS (the app itself would then still see plain HTTP).
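<?xml version="1.0" encoding="UTF-8"?>

<!--
    Spring Security 3.2 configuration for CAS single sign-on (connmgr).

    Flow: an unauthenticated request to a protected /app/** URL is sent by casEntryPoint
    to the CAS login page; CAS redirects the browser back to the "service" URL with a
    ticket, casFilter picks the ticket up, casAuthenticationProvider validates it against
    the CAS server and then loads the user through userDetailsService.

    NOTE(review): nothing in this file forces HTTPS (there is no requires-channel), and the
    service URL below is plain http://localhost, so the service ticket is returned to the
    application over clear-text HTTP. If HTTPS is terminated at a load balancer, the service
    URL has to be the external https URL the browser actually sees, otherwise CAS ticket
    validation will not match the service the ticket was issued for.

    The stray ';' characters after the namespace/URL attribute values in the mailed copy
    made the document ill-formed; they are removed here.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Web security chain: CAS entry point, expression-based URL rules, no auto-config. -->
    <security:http entry-point-ref="casEntryPoint" use-expressions="true" auto-config="false">
        <!-- Unauthenticated callers carry the unprefixed authority ANONYMOUS
             (authorities are used without a ROLE_ prefix throughout, see roleVoter). -->
        <security:anonymous username="guest" granted-authority="ANONYMOUS"/>
        <!-- Static resources are readable anonymously; everything else under /app needs cm_user. -->
        <security:intercept-url pattern="/app/resources/**" access="hasAnyRole('ANONYMOUS', 'cm_user')"/>
        <security:intercept-url pattern="/app/**" access="hasRole('cm_user')"/>
        <!-- Handles the CAS callback at casFilter's filterProcessesUrl. -->
        <security:custom-filter position="CAS_FILTER" ref="casFilter"/>

        <security:session-management>
            <!-- At most 5 concurrent sessions per user; a further login is rejected
                 (error-if-maximum-exceeded) rather than expiring the oldest session. -->
            <security:concurrency-control max-sessions="5" error-if-maximum-exceeded="true"/>
        </security:session-management>
        <!-- Logout handling is currently disabled. NOTE(review): if re-enabled, a local
             logout alone does not end the CAS single sign-on session on the CAS server. -->
        <!--  <security:logout logout-url="/j_spring_security_logout" logout-success-url="/home" /> -->
    </security:http>

    <!-- Base URL for the onboarder application. Used for generating links in outgoing emails.
         Value comes from deploytime.properties (${winauthDomain}).
         NOTE(review): this config belongs to connmgr, yet the comment names "onboarder";
         looks copied from another module, confirm the value is the one intended here. -->
    <bean id="winauthDomain" class="java.lang.String">
        <constructor-arg value="${winauthDomain}"/>
    </bean>

    <!-- Single provider: CAS. The alias is what casFilter references. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- Identity of this application as known to CAS. "service" must be exactly the URL the
         browser is redirected back to after login (scheme, host, port and path), and it is
         the URL the ticket is validated against.
         NOTE(review): http://localhost:18080 only works while the browser, the app and the CAS
         server all agree on that address; behind a TLS-terminating load balancer this should
         become the external https URL (ideally externalised like ${winauthDomain}).
         sendRenew=false: an existing CAS SSO session is accepted without re-entering credentials. -->
    <bean id="serviceProperties"
          class="org.springframework.security.cas.ServiceProperties">
        <property name="service"
                  value="http://localhost:18080/connmgr/app/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- The CAS filter handles the redirect back from the CAS server and hands the ticket to
         the authentication manager. filterProcessesUrl must match the path of
         serviceProperties.service. -->
    <bean id="casFilter"
          class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="filterProcessesUrl" value="/app/j_spring_cas_security_check"/>
    </bean>

    <!-- Sends unauthenticated users to the CAS login page, passing the service URL above. -->
    <bean id="casEntryPoint"
          class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://mcauth01.nexus.commercehub.com:5443/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Validates the service ticket with the CAS server (a server-to-server HTTPS call made
         from the application JVM) and then loads the user's authorities via userDetailsService.
         NOTE(review): if the application JVM's truststore does not trust the certificate
         presented by mcauth01.nexus.commercehub.com:5443, ticket validation fails and the
         request ends in a 401, which is consistent with the symptom in the accompanying mail
         and the linked forum thread. The fix is to import the CAS server's CA certificate into
         that truststore, not to disable certificate checking.
         "key" marks tokens produced by this provider; the value here is the sample from the
         Spring Security reference, consider a deployment-specific value. -->
    <bean id="casAuthenticationProvider"
          class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://mcauth01.nexus.commercehub.com:5443" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <!-- Maps application permissions to Spring Security authorities (project class). -->
    <bean id="permissionConversionService"
          class="com.commercehub.connmgmt.misc.security.PermissionConversionServiceImpl"/>

    <!-- Loads the local user record for the CAS-asserted principal (project class). -->
    <bean id="userDetailsService"
          class="com.commercehub.connmgmt.misc.security.CmUserDetailsService">
        <property name="userRepository" ref="userRepository"/>
        <property name="permissionConversionService" ref="permissionConversionService"/>
    </bean>

    <!-- Method-security decision manager: a single RoleVoter, any grant wins, and an
         all-abstain outcome is denied (allowIfAllAbstainDecisions=false). -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions">
            <value>false</value>
        </property>
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>

    <!-- Empty prefix so authorities such as cm_user / ANONYMOUS are compared as-is. -->
    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <property name="rolePrefix" value=""/>
    </bean>

    <!--
        Event logger. NOTE(review): the original comment said this receives AuthenticationEvents
        from DaoAuthenticationProvider, but there is no DaoAuthenticationProvider in this file and
        this is the access.event LoggerListener, which appears to log authorization events; the
        authentication-event logger lives in org.springframework.security.authentication.event.
        Confirm which one is wanted.
    -->
    <bean id="loggerListener"
          class="org.springframework.security.access.event.LoggerListener"/>

    <!-- Enable JSR-250 annotations (@RolesAllowed etc.), Spring @Secured disabled for now;
         decisions go through accessDecisionManager above. -->
    <security:global-method-security secured-annotations="disabled"
        jsr250-annotations="enabled"
        access-decision-manager-ref="accessDecisionManager"/>
</beans>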
