In some cases, CAS sets origin = null when redirecting to
"https://gallifrey.com.br/analytics/j_spring_cas_security_check?ticket=ST-14-RbL5dc2AZFWG9NtlXZBX-gallifrey.com.br".

On Monday, 8 August 2016 at 09:10:13 UTC-3, Alexandre Arcanjo de
Queiroz wrote:
>
> I am using CAS Server version 4.0.7 in a multidomain environment.
>
> First the user logs in to a portal, a PHP page (using PHP-CAS) in the
> tardis.com.br domain. The CAS Server is in the tardis.com.br domain too.
>
> If the user logs in successfully, the portal enables a button that
> redirects to the principal CAS service, deployed in another domain and
> context: https://gallifrey.com.br/principal.
>
> The problem is that the Principal Service makes ajax requests to another
> protected CAS service, the Analytics Service, and CAS returns the login page
> instead of recognizing that the user is logged in.
>
> The Principal Service and Analytics Service use Spring Framework
> 3.2.3.RELEASE, Spring Security 3.2.9.RELEASE and CAS Client 3.4.1. The
> applications use
> org.jasig.cas.client.validation.Cas20ProxyTicketValidator because we need
> to execute server-side requests between services and client-side requests
> via ajax too.
>
> CAS proxy authentication on the server side using Spring Security CAS and
> the CAS Client works as expected:
>
> // The CAS authentication of the current (server-side) request
> final CasAuthenticationToken casAuthenticationToken =
>         (CasAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
> // Ask CAS for a proxy ticket for the target service URL (uses the PGT obtained at login)
> final String proxyTicket =
>         casAuthenticationToken.getAssertion().getPrincipal().getProxyTicketFor(targetUrl);
> // The proxyTicket is generated!!!
>
> But if I'm in https://gallifrey.com.br/principal, a simple piece of JavaScript
> code in an HTML file like this returns 302 (the login page):
>
>  $.ajax({
>         "url": "/analytics/foo/bar/xpto/",
>         "contentType": "application/x-www-form-urlencoded",
>         "data": { 
>             "name"  : "Foo"
>         },
>         "timeout": 3000,
>         "type": "POST",
>         "success": function(data, textStatus, jqXHR) {
>             // Returns the login page
>         },
>         "error": function(jqXHR, textStatus, errorThrown) {
>             // Do something
>         }
>     });
> The Principal Service and Analytics Service are behind Nginx, used as a
> reverse proxy. The Principal Service runs in WebLogic and the Analytics Service
> in Tomcat. Nginx is using an SSL certificate.
>
> Here is an example of the CAS + Spring Security configuration for the Java
> applications:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:sec="http://www.springframework.org/schema/security"
>     xmlns:p="http://www.springframework.org/schema/p"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:context="http://www.springframework.org/schema/context"
>     xmlns:util="http://www.springframework.org/schema/util"
>     xsi:schemaLocation="http://www.springframework.org/schema/security
>                         http://www.springframework.org/schema/security/spring-security-3.2.xsd
>                         http://www.springframework.org/schema/beans
>                         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>                         http://www.springframework.org/schema/util
>                         http://www.springframework.org/schema/util/spring-util-3.2.xsd
>                         http://www.springframework.org/schema/context
>                         http://www.springframework.org/schema/context/spring-context-3.2.xsd">
>
>     <sec:http auto-config="true" use-expressions="true" entry-point-ref="casEntryPoint">
>         <sec:intercept-url pattern="/**" access="isAuthenticated()" />
>         <sec:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
>         <sec:custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
>         <sec:custom-filter ref="casFilter" position="CAS_FILTER" />
>
>         <sec:logout logout-url="/logout"
>                     logout-success-url="${cas.baseUrl}/logout?service=${service.baseUrl}/"
>                     invalidate-session="true"
>                     delete-cookies="JSESSIONID" />
>
>         <sec:headers>
>             <sec:cache-control />
>         </sec:headers>
>     </sec:http>
>
>     <sec:authentication-manager alias="authManager">
>         <sec:authentication-provider ref="casProxyAuthProvider" />
>     </sec:authentication-manager>
>
>     <bean id="userService"
>         class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
>         <constructor-arg>
>             <array>
>                 <value>role</value>
>             </array>
>         </constructor-arg>
>     </bean>
>
>     <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />
>
>     <bean id="requestSingleLogoutFilter"
>         class="org.springframework.security.web.authentication.logout.LogoutFilter"
>         p:filterProcessesUrl="/j_spring_cas_security_logout">
>         <constructor-arg value="${cas.baseUrl}/logout" />
>         <constructor-arg>
>             <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
>         </constructor-arg>
>     </bean>
>
>     <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
>         p:service="${service.baseUrl}/j_spring_cas_security_check"
>         p:sendRenew="false" p:authenticateAllArtifacts="true" />
>
>     <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
>         p:serviceProperties-ref="serviceProperties"
>         p:loginUrl="${cas.baseUrl}/login" />
>
>     <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"
>         p:authenticationManager-ref="authManager"
>         p:serviceProperties-ref="serviceProperties"
>         p:proxyGrantingTicketStorage-ref="pgtStorage"
>         p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
>         <property name="authenticationDetailsSource">
>             <bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource">
>                 <constructor-arg ref="serviceProperties" />
>             </bean>
>         </property>
>         <property name="authenticationFailureHandler">
>             <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" />
>         </property>
>     </bean>
>
>     <bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
>
>     <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
>         <property name="configLocation">
>             <value>WEB-INF/classes/ehcache.xml</value>
>         </property>
>     </bean>
>
>     <bean id="casTicketsCache" class="net.sf.ehcache.Cache"
>         factory-bean="cacheManager" factory-method="getCache">
>         <constructor-arg value="casWebServiceTickets" />
>     </bean>
>
>     <bean id="casProxyAuthProvider"
>         class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
>         p:serviceProperties-ref="serviceProperties"
>         p:key="casProxyAuthProviderKey"
>         p:authenticationUserDetailsService-ref="userService">
>         <property name="ticketValidator">
>             <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
>                 p:proxyCallbackUrl="${service.baseUrl}/j_spring_cas_security_proxyreceptor"
>                 p:proxyGrantingTicketStorage-ref="pgtStorage"
>                 p:acceptAnyProxy="true">
>                 <constructor-arg value="${cas.baseUrl}" />
>             </bean>
>         </property>
>         <property name="statelessTicketCache">
>             <bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
>                 <property name="cache" ref="casTicketsCache" />
>             </bean>
>         </property>
>     </bean>
>
> </beans>
>
> Maven dependencies:
>
> <properties>
>     <java.version>1.7</java.version>
>     <spring.version>3.2.3.RELEASE</spring.version>
>     <spring-security.version>3.2.9.RELEASE</spring-security.version>
>     <cas-client.version>3.4.1</cas-client.version>
>     <ehcache.version>2.9.0</ehcache.version>
> </properties>
> <dependency>
>     <groupId>org.springframework.security</groupId>
>     <artifactId>spring-security-cas</artifactId>
>     <version>${spring-security.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.springframework.security</groupId>
>     <artifactId>spring-security-core</artifactId>
>     <version>${spring-security.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.springframework.security</groupId>
>     <artifactId>spring-security-config</artifactId>
>     <version>${spring-security.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.springframework.security</groupId>
>     <artifactId>spring-security-web</artifactId>
>     <version>${spring-security.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.jasig.cas.client</groupId>
>     <artifactId>cas-client-core</artifactId>
>     <version>${cas-client.version}</version>
> </dependency>
> <dependency>
>     <groupId>net.sf.ehcache</groupId>
>     <artifactId>ehcache</artifactId>
>     <version>${ehcache.version}</version>
> </dependency>
>
> CAS Server service list:
>
> deployerConfigContext.xml:
>
> <util:list id="registeredServicesList">
>     <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0"
>         p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
>         p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001"
>         p:enabled="true" p:allowedToProxy="true" p:ssoEnabled="true" />
> </util:list>
>
> Tomcat configuration (server.xml):
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            maxThreads="1000"
>            URIEncoding="UTF-8"
>            redirectPort="8443" />
>
>
> In a single-domain environment everything works as expected, but in a
> multidomain environment the CAS Server redirects to the login page on the first
> XHR request instead of detecting that the user is logged in. Any ideas why this occurs?
>
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/14380a87-0a0b-4a1e-bf2d-0e78b158273f%40apereo.org.

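As an added example (not code from the original post, nor from the CAS or Spring Security projects), here is the browser-side half of the approach that the poster's own server-side code already supports: instead of letting the XHR be redirected to CAS, mint a proxy ticket with getProxyTicketFor() for the exact analytics URL and send it as ?ticket=PT-.... Because the posted ServiceProperties has authenticateAllArtifacts="true", CasAuthenticationFilter validates a ticket on any URL, using the request URL minus the ticket parameter as the service. The block also models offline why the bare XHR "succeeds" with the login page: the browser follows the 302 to CAS silently and hands the final response to the success callback. Assumptions not on the page: a hypothetical endpoint GET /principal/proxy-ticket?target=<url> on the principal service that calls getProxyTicketFor(target) and returns the ticket as text/plain, a CAS login URL of https://tardis.com.br/cas/login, and constructed ticket ids and responses inside demo().

```javascript
// Added example (not from the original post, CAS, or Spring Security): the
// client side of CAS proxy authentication for a cross-context AJAX call, which
// sends a proxy ticket as ?ticket=PT-... instead of letting the XHR be
// redirected to the CAS login page. From the thread: the analytics service
// runs CasAuthenticationFilter with authenticateAllArtifacts="true", so any
// request carrying a ticket is validated, with the service URL derived from
// the request URL minus the ticket parameter; a browser XHR follows a 302 to
// CAS transparently and hands the login page to "success" with status 200.
// Assumed (hypothetical, not on the page): GET /principal/proxy-ticket?target=
// on the principal service calls getProxyTicketFor(target) and returns the PT
// as text/plain; CAS login is at https://tardis.com.br/cas/login.

const CAS_LOGIN_URL = "https://tardis.com.br/cas/login"; // assumed
const ANALYTICS_CHECK_URL = "https://gallifrey.com.br/analytics/j_spring_cas_security_check"; // from the post

// Service URL the ticket is validated against: request URL without "ticket".
// The proxy ticket must be minted for exactly this string.
function serviceUrlFor(url) {
  const u = new URL(url);
  const q = new URLSearchParams(u.search);
  q.delete("ticket");
  const qs = q.toString();
  return u.origin + u.pathname + (qs ? "?" + qs : "");
}

// Attach a CAS ticket, keeping any existing query parameters.
function withTicket(url, ticket) {
  const u = new URL(url);
  u.searchParams.set("ticket", ticket);
  return u.href;
}

// True when the final URL after redirects (xhr.responseURL / Response.url)
// is the CAS login page, i.e. the call was bounced instead of answered.
function landedOnCasLogin(finalUrl, casLoginUrl = CAS_LOGIN_URL) {
  const u = new URL(finalUrl), login = new URL(casLoginUrl);
  return u.origin === login.origin && u.pathname === login.pathname;
}

// Offline model of the analytics service, constructed for this example.
// No ticket: CasAuthenticationEntryPoint redirects to CAS login with the
// configured service. Ticket: validated against serviceUrlFor(). Rejected
// ticket: SimpleUrlAuthenticationFailureHandler with no URL sends 401.
function analyticsHandler(issuedTickets) {
  return (requestUrl) => {
    const ticket = new URL(requestUrl).searchParams.get("ticket");
    if (ticket === null) {
      const service = encodeURIComponent(ANALYTICS_CHECK_URL);
      return { status: 302, location: CAS_LOGIN_URL + "?service=" + service };
    }
    return issuedTickets[ticket] === serviceUrlFor(requestUrl)
      ? { status: 200, contentType: "application/json", body: '{"ok":true}' }
      : { status: 401, contentType: "text/plain", body: "ticket rejected" };
  };
}

// CAS login endpoint when it does not see an SSO session on the request:
// it renders the login form with HTTP 200 (constructed model).
function casLoginHandler() {
  return { status: 200, contentType: "text/html", body: "<html>CAS login</html>" };
}

// The browser: follows 302s silently and reports only the final hop.
function followRedirects(url, handlersByOrigin, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = handlersByOrigin[new URL(current).origin](current);
    if (res.status !== 302) return Object.assign({ url: current }, res);
    current = res.location;
  }
  throw new Error("redirect loop");
}

// Both outcomes: the bare XHR from the post, and the same call carrying a
// proxy ticket minted server-side for the exact service URL.
function demo() {
  const target = "https://gallifrey.com.br/analytics/foo/bar/xpto/?name=Foo";
  const pt = "PT-21-Xy9aBcDeFgHiJkLmNoPq-tardis.com.br"; // constructed id
  const handlers = {
    "https://gallifrey.com.br": analyticsHandler({ [pt]: target }),
    "https://tardis.com.br": casLoginHandler,
  };
  const bare = followRedirects(target, handlers);
  const proxied = followRedirects(withTicket(target, pt), handlers);
  return {
    bareStatus: bare.status,                 // 200, but it is the login page
    bareBounced: landedOnCasLogin(bare.url), // true
    proxiedStatus: proxied.status,           // 200
    proxiedBody: proxied.body,               // '{"ok":true}'
  };
}

// Real browser flow against the assumed endpoint (not run offline).
async function callAnalytics(path, formFields) {
  const target = new URL(path, "https://gallifrey.com.br/principal/").href;
  const ptUrl = "/principal/proxy-ticket?target=" + encodeURIComponent(serviceUrlFor(target));
  const pt = (await (await fetch(ptUrl, { credentials: "same-origin" })).text()).trim();
  const res = await fetch(withTicket(target, pt), {
    method: "POST", credentials: "same-origin", body: new URLSearchParams(formFields),
  });
  if (landedOnCasLogin(res.url)) throw new Error("bounced to CAS login");
  if (res.status === 401) throw new Error("CAS rejected the proxy ticket");
  return res.json();
}
```

Two checks worth making on the posted setup before blaming CAS. First, the service URL the analytics side derives from the request must be the public https URL: behind Nginx, the posted Tomcat Connector has no scheme="https" secure="true" proxyName="gallifrey.com.br" proxyPort="443" (and no X-Forwarded-* handling), so the container builds http://host:8080/... as the service, the PT minted for https://gallifrey.com.br/... does not match it, and CAS rejects the ticket. Second, the registry entry ^(https?|imaps?)://.* with allowedToProxy="true", combined with acceptAnyProxy="true" on Cas20ProxyTicketValidator, means any HTTP(S) URL is a valid service and any proxy chain is trusted; for production, register the concrete service URLs and restrict the validator with allowedProxyChains instead. Requests authenticated by a ticket on a non-check URL are stateless, and the validated ticket is kept in statelessTicketCache, so the same PT is accepted until that cache entry expires; after that a fresh one is needed, because CAS proxy tickets are single use by default.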