After authentication, the CAS server redirects to myapp (the service),
but the operation couldn't be completed because an "authentication object
not found" exception was thrown. CAS authentication itself was successful.
The exception is thrown at the filter entry point of the
exceptionTranslation filter, when myapp tries to check the user
credentials in the authentication object.

It looks like a CAS/Spring filter configuration issue. I have all
the required filters...

Here is the applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd";>

<beans>
    <!-- Writes Acegi authentication events to the application log (they
         appear at WARN level in the log output). Event details can carry
         the client address and session id, so treat that log as sensitive. -->
    <bean id="loggerListener"
        class="org.acegisecurity.event.authentication.LoggerListener" />
        
        <!-- Identifies this application to CAS. "service" is the URL CAS
             redirects back to with the service ticket; its path has to match
             the filterProcessesUrl of authenticationFilter, and the same
             value is presented again when the ticket is validated.
             sendRenew=false lets CAS honour an existing single sign-on
             session instead of forcing the user to re-enter credentials. -->
        <bean id="serviceProperties"
class="org.acegisecurity.ui.cas.ServiceProperties">
        <property name="service"
value="https://localhost:8443/myapp/j_acegi_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

        
    <!-- Application-specific filter (class not shown here; the property
         names suggest it is built on Acegi's processing filter, TODO
         confirm). It handles requests to filterProcessesUrl, passes the CAS
         ticket to authenticationManager, and on success redirects to the
         saved request or defaultTargetUrl; failures go to
         authenticationFailureUrl.
         NOTE(review): the Authentication it places in SecurityContextHolder
         survives that redirect only if httpSessionContextIntegrationFilter
         wraps the same request and writes the context to the session.
         Confirm this filter is reached only through filterChainProxy and is
         not also mapped on its own in the servlet filter configuration. -->
    <bean id="authenticationFilter"
class="com.myapp.security.AuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="userManager" ref="userManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="filterProcessesUrl"
value="/j_acegi_cas_security_check"/>
    </bean>
        

        <!-- Catches Acegi security exceptions raised further down the chain.
             When an authentication exception occurs (for example no
             Authentication in the SecurityContext) it saves the request in
             the session and hands over to the CAS entry point, which is the
             redirect visible in the log output. -->
        <bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <ref local="casProcessingFilterEntryPoint"/>
        </property>
    </bean>


    <!-- Starts the CAS login: redirects the browser to loginUrl, passing
         the service URL taken from serviceProperties. Both URLs are HTTPS,
         which keeps the ticket exchange off plain HTTP. -->
    <bean id="casProcessingFilterEntryPoint"
class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://localhost:8443/cas/login"/>
                <property name="serviceProperties" ref="serviceProperties"/>
    </bean>
                
                        

    <!-- Authentication manager with a single provider: every authentication
         request is decided by casAuthenticationProvider, there is no local
         username/password fallback in this list. -->
    <bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casAuthenticationProvider"/>
            </list>
        </property>
    </bean>


    <!-- Turns a CAS service ticket into an Acegi Authentication. The ticket
         is checked by ticketValidator, proxy chains are judged by
         casProxyDecider, authorities come from casAuthoritiesPopulator, and
         statelessTicketCache is the cache handed to the provider for
         validated tickets. -->
    <bean id="casAuthenticationProvider"
class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
         <property name="casAuthoritiesPopulator">
             <ref local="casAuthoritiesPopulator"/>
         </property>
         <property name="casProxyDecider">
             <ref local="casProxyDecider"/>
         </property>
         <property name="ticketValidator">
             <ref local="casProxyTicketValidator"/>
         </property>
         <property name="statelessTicketCache">
             <ref local="statelessTicketCache"/>
         </property>
         <!-- The key marks tokens issued by this provider so that it can
              recognise them on later requests. NOTE(review): "password" is a
              guessable placeholder (it replaced "changeit"); use a value
              private to this deployment before going beyond a test setup. -->
         <property name="key" value="password"/><!--
password_for_this_auth_provider_only --><!-- changed from changeit to
password -->

    </bean>
        
         <!-- Validates the ticket by calling the CAS server's proxyValidate
              URL over HTTPS, presenting the service from serviceProperties.
              proxyCallbackUrl is commented out, so no proxy-granting ticket
              is requested (the log shows an empty Proxy-Granting Ticket IOU).
              trustStore is commented out as well; presumably the JVM default
              trust store is then used, so the CAS server certificate has to
              be trusted there for validation to succeed. TODO confirm. -->
         <bean id="casProxyTicketValidator"
class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
        <property name="casValidate"
value="https://localhost:8443/cas/proxyValidate"/>
        <!-- <property name="proxyCallbackUrl"
value="https://localhost:8443/myapp/casProxy/receptor"/>  -->

        <property name="serviceProperties" ref="serviceProperties"/>
        <!-- <property
name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property>
-->
    </bean>
        

    <!-- EhCache manager built from eh-cache.xml on the classpath. That file
         is not shown here; it has to define the "ticketCache" region used
         by ticketCacheBackend, and its expiry settings decide how long a
         cached ticket is kept. -->
    <bean id="cacheManager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <property name="configLocation" value="classpath:/eh-cache.xml" />
    </bean>


    <!-- The EhCache region named "ticketCache", obtained from cacheManager
         and used as storage by statelessTicketCache. -->
    <bean id="ticketCacheBackend"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager">
           <ref local="cacheManager"/>
        </property>
        <property name="cacheName">
           <value>ticketCache</value>
        </property>
    </bean>
        
    <!-- Ticket cache handed to casAuthenticationProvider, backed by the
         ticketCacheBackend region. Cached entries stand in for a fresh
         validation against CAS, so keep the region's lifetime short.
         NOTE(review): lifetime is set in eh-cache.xml, not visible here. -->
    <bean id="statelessTicketCache"
class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
        <property name="cache">
            <ref local="ticketCacheBackend"/>
        </property>
    </bean>

        <!-- Populates the authorities of a CAS-authenticated user through a
             UserDetailsService. CAS only vouches for the username; roles are
             looked up locally via userManager, which is defined outside
             this file. -->
        <bean id="casAuthoritiesPopulator"
class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
        <property name="userDetailsService" ref="userManager"/>
    </bean>
        
        <!-- Proxy policy: tickets that arrive through a CAS proxy chain are
             rejected, so only service tickets issued directly to the user's
             browser are accepted. -->
        <bean id="casProxyDecider"
class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>
        
        
    <!-- One filter chain for every URL (/**). Filters run in the order
         listed, and the order is security-relevant:
         httpSessionContextIntegrationFilter has to come first so that the
         SecurityContext set by authenticationFilter is written back to the
         session when the request completes.
         The last entry is spelled "fitlerInvocationInterceptor" to match
         the bean id defined further down (both carry the same typo); rename
         both together or neither. -->
    <bean id="filterChainProxy"
        class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT

/**=httpSessionContextIntegrationFilter,authenticationFilter,exceptionTranslationFilter,fitlerInvocationInterceptor
            </value>
        </property>
    </bean>
        

    <!-- Carries the SecurityContext between requests: it is read from the
         HttpSession attribute ACEGI_SECURITY_CONTEXT at the start of a
         request and SecurityContextHolder is reset once the request has been
         processed. When a request finds that attribute null, as in the log
         output, no context from an earlier request was stored in that
         session. -->
    <bean id="httpSessionContextIntegrationFilter"
        class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />
        
                

        
        <!-- ===================== HTTP CHANNEL REQUIREMENTS 
==================== -->
        
  <!-- This interceptor performs the security checks on HTTP resources.
        The "objectDefinitionSource" contains newline-separated arguments
        that specify behaviors and resources for the filter:
        The behavior specifications tell the filter to convert the URL
        to lowercase before doing comparisons, and to use Ant-style path
        specifications for the following resources. The resources are
        associated with directives that tell the filter how to decide if
        the specified URL is accessible:

        ROLE_ANY       means that the URL is available to any authenticated user
        FEATURE_CHECK  means that the URL must be evaluated against the
                       authenticated user's Roles to determine whether or
                       not those Roles support access to the feature.

        Patterns are tried from top to bottom and the first match decides,
        so the catch-all /**/*.action* rule has to stay last. Because URLs
        are lowercased before comparison, every pattern must be written in
        lowercase. Both directives are interpreted by the voter configured
        on httpRequestAccessDecisionManager.

        NOTE(review): a URL that matches none of the patterns (anything that
        is neither an .action URL nor /index.jsp) gets no directive and is
        presumably passed through unchecked by this interceptor; confirm
        that this is intended for every such resource.
    -->
    <bean id="fitlerInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
            <ref local="authenticationManager" />
        </property>

        <property name="accessDecisionManager">
            <ref local="httpRequestAccessDecisionManager" />
        </property>

        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /login.action*=ROLE_ANY
                /logout.action*=ROLE_ANY
                /home.action*=ROLE_ANY
                /refresh.action*=ROLE_ANY
                /saveuserpreferences.action*=ROLE_ANY
                    /restoredefaultpreferences.action*=ROLE_ANY
                /**/home.action*=ROLE_ANY
                /admin/default.action*=ROLE_ANY
                /admin/user/profile.action=ROLE_ANY
                /admin/search/result.action=ROLE_ANY
                /index.jsp*=ROLE_ANY
                /**/*.action*=FEATURE_CHECK
            </value>
        </property>
    </bean>


    <!-- Access decision for web requests. AffirmativeBased grants access as
         soon as one voter grants it; with allowIfAllAbstainDecisions=false
         a request is denied when every voter abstains. The only voter is
         featureVoter, which is defined outside this file. -->
    <bean id="httpRequestAccessDecisionManager"
        class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions">
            <value>false</value>
        </property>
        <property name="decisionVoters">
            <list>
                <ref local="featureVoter" />
            </list>
        </property>
    </bean>

    <!-- role to feature beans not included here -->
        
</beans>


and the log output
------------------------------------------------

DEBUG [http-8443-Processor22]
ExceptionTranslationFilter.sendStartAuthentication(195) |
Authentication entry point being called; SavedRequest added to
Session: SavedRequest[https://localhost:8443/myapp/home.action]

DEBUG [http-8443-Processor22]
HttpSessionContextIntegrationFilter.doFilter(291) |
SecurityContextHolder set to new context, as request processing
completed

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.TicketGrantingTicketExistsAction] - <Action
'org.jasig.cas.web.flow.TicketGrantingTicketExistsAction' beginning
execution>

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.TicketGrantingTicketExistsAction] - <Action
'org.jasig.cas.web.flow.TicketGrantingTicketExistsAction' completed
execution; result event is [EMAIL PROTECTED] source =
[EMAIL PROTECTED], id =
'ticketGrantingTicketExists', stateId = [null], parameters = [null]]>

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.HasServiceCheckAction] - <Action
'org.jasig.cas.web.flow.HasServiceCheckAction' beginning execution>

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.HasServiceCheckAction] - <Action
'org.jasig.cas.web.flow.HasServiceCheckAction' completed execution;
result event is [EMAIL PROTECTED] source =
[EMAIL PROTECTED], id =
'hasService', stateId = [null], parameters = [null]]>

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.RenewRequestCheckAction] - <Action
'org.jasig.cas.web.flow.RenewRequestCheckAction' beginning execution>

2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.RenewRequestCheckAction] - <Action
'org.jasig.cas.web.flow.RenewRequestCheckAction' completed execution;
result event is [EMAIL PROTECTED] source =
[EMAIL PROTECTED], id =
'generateServiceTicket', stateId = [null], parameters = [null]]>


2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action
'org.jasig.cas.web.flow.GenerateServiceTicketAction' beginning
execution>


2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [TGT-2-kcfKAuufUbaoac7FEATFbPVaMnERLxsiqKx-50]>


2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[TGT-2-kcfKAuufUbaoac7FEATFbPVaMnERLxsiqKx-50] found in registry.>


2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
[ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20] to registry.>


2007-02-23 14:20:03,057 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20] for service
[https://localhost:8443/myapp/j_acegi_cas_security_check] for user
[admin]>


2007-02-23 14:20:03,057 DEBUG
[org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action
'org.jasig.cas.web.flow.GenerateServiceTicketAction' completed
execution; result event is [EMAIL PROTECTED] source =
[EMAIL PROTECTED], id =
'success', stateId = [null], parameters = [null]]>


2007-02-23 14:20:03,057 DEBUG [org.jasig.cas.web.flow.WarnAction] -
<Action 'org.jasig.cas.web.flow.WarnAction' beginning execution>


2007-02-23 14:20:03,057 DEBUG [org.jasig.cas.web.flow.WarnAction] -
<Action 'org.jasig.cas.web.flow.WarnAction' completed execution;
result event is [EMAIL PROTECTED] source =
[EMAIL PROTECTED], id = 'redirect', stateId =
[null], parameters = [null]]>


DEBUG [http-8443-Processor22] AuthenticationFilter.doFilter(192) |
Request is to process authentication


DEBUG [http-8443-Processor22] ProviderManager.doAuthentication(183) |
Authentication attempt using
org.acegisecurity.providers.cas.CasAuthenticationProvider


2007-02-23 14:20:03,073 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20]>


2007-02-23 14:20:03,073 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20] found in registry.>


2007-02-23 14:20:03,073 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing
ticket [ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20] from registry>

WARN [http-8443-Processor22] LoggerListener.onApplicationEvent(55) |
Authentication event AuthenticationSuccessEvent: admin; details: null


DEBUG [http-8443-Processor22]
AuthenticationFilter.successfulAuthentication(375) | Authentication
success: [EMAIL PROTECTED]:
Username: [EMAIL PROTECTED],id=-1]; Password:
[PROTECTED]; Authenticated: true; Details:
[EMAIL PROTECTED]:
RemoteIpAddress: 127.0.0.1; SessionId:
893AC08684B79AEB1470436C36DD9F72; Granted Authorities:
[EMAIL PROTECTED]
  name=Administrator
  id=-1
]; Credentials (Service/Proxy Ticket):
ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20; Proxy-Granting Ticket
IOU: ; Proxy List: []


DEBUG [http-8443-Processor22]
AuthenticationFilter.successfulAuthentication(381) | Updated
SecurityContextHolder to contain the following Authentication:
'[EMAIL PROTECTED]:
Username: [EMAIL PROTECTED],id=-1]; Password:
[PROTECTED]; Authenticated: true; Details:
[EMAIL PROTECTED]:
RemoteIpAddress: 127.0.0.1; SessionId:
893AC08684B79AEB1470436C36DD9F72; Granted Authorities:
[EMAIL PROTECTED]
  name=Administrator
  id=-1
]; Credentials (Service/Proxy Ticket):
ST-292-f4iGv0CSJcWowY7FJ93fdCEmFzp95oesllm-20; Proxy-Granting Ticket
IOU: ; Proxy List: []'


DEBUG [http-8443-Processor22]
AuthenticationFilter.successfulAuthentication(392) | Redirecting to
target URL from HTTP Session (or default):
https://localhost:8443/myapp/home.action


DEBUG [http-8443-Processor22] GenericManagerImpl.debug(290) | Saving:
[EMAIL PROTECTED],id=-1]


INFO [http-8443-Processor22] UserDAOImpl.info(374) | Updated
User'[EMAIL PROTECTED],id=-1]'


WARN [http-8443-Processor22] LoggerListener.onApplicationEvent(55) |
Authentication event InteractiveAuthenticationSuccessEvent: admin;
details: [EMAIL PROTECTED]:
RemoteIpAddress: 127.0.0.1; SessionId:
893AC08684B79AEB1470436C36DD9F72

DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(100) |
Converted URL to lowercase, from: '/home.action'; to: '/home.action'


DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(112) |
Candidate is: '/home.action'; pattern is /**; matched=true

DEBUG [http-8443-Processor22] FilterChainProxy.doFilter(269) |
/home.action at position 1 of 4 in additional filter chain; firing
Filter: '[EMAIL PROTECTED]'


DEBUG [http-8443-Processor22]
HttpSessionContextIntegrationFilter.doFilter(205) | HttpSession
returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext
instance associated with SecurityContextHolder


DEBUG [http-8443-Processor22] FilterChainProxy.doFilter(269) |
/home.action at position 2 of 4 in additional filter chain; firing
Filter: '[EMAIL PROTECTED]'


DEBUG [http-8443-Processor22] FilterChainProxy.doFilter(269) |
/home.action at position 3 of 4 in additional filter chain; firing
Filter: '[EMAIL PROTECTED]'


DEBUG [http-8443-Processor22] FilterChainProxy.doFilter(269) |
/home.action at position 4 of 4 in additional filter chain; firing
Filter: '[EMAIL PROTECTED]'


DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(100) |
Converted URL to lowercase, from: '/home.action'; to: '/home.action'


DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(112) |
Candidate is: '/home.action'; pattern is /login.action*; matched=false


DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(112) |
Candidate is: '/home.action'; pattern is /logout.action*;
matched=false


DEBUG [http-8443-Processor22]
PathBasedFilterInvocationDefinitionMap.lookupAttributes(112) |
Candidate is: '/home.action'; pattern is /home.action*; matched=true


DEBUG [http-8443-Processor22]
AbstractSecurityInterceptor.beforeInvocation(248) | Secure object:
FilterInvocation: URL: /home.action; ConfigAttributes: [ROLE_ANY]


DEBUG [http-8443-Processor22]
ExceptionTranslationFilter.handleException(147) | Authentication
exception occurred; redirecting to authentication entry point
org.acegisecurity.AuthenticationCredentialsNotFoundException: An
Authentication object was not found in the