Colin,

From your description, the 'desktop' page is protected and accessing it requires the user to be authenticated (and this is set in 'SecurityFilter'). The flow you describe has the user arriving at the 'desktop' page with a ST from CAS but not yet authenticated in the host. The host then redirects to CAS, as you experience, and ends with too many redirects.

I am not sure of how the 'SecurityFilter' should be configured, since I have not used it, but the order of processing should be: logout, validate, authenticate, others. In other words, login validation (ST check) should happen before authentication. (Logout always happens first.) Validation creates an authenticated user in the host.

Other things to consider:
- You do not need to have the login page authorized.
- Escape the '?' in /desktop?.* or combine both desktops as '/desktop.*'

Ray

On Mon, 2019-12-23 at 14:24 -0500, Colin Ryan wrote:

Cemal,

I tried this approach to this but I keep getting a too many redirects error. I'm newish to Spring Security so maybe I'm missing something. But basically I see the "DynamicRedirectCasAuthenticationEntryPoint" being processed in every request. The first time through it I'm intercepting https://host/login?parameter=one. Then in my overridden entry point I'm changing the serviceURL to be https://host/desktop?parameter=one, which in turn redirects me to CAS where I authenticate against a service that matches /desktop?parameter=one, per your code hint. But as far as I can tell it then redirects me back to https://host/desktop?parameter=one&ticket=xxxxx but seems to treat this like a new request and sends me back to CAS. CAS does not in turn prompt me to authenticate again, but returns to the application again with https://host/desktop?parameter=one&ticket=yyyyy, then on and on, each time getting a new ticket parameter. It's almost like it's treating the new ticket string as not matching the original dynamically modified service string, but upon taking me to CAS it SSOs me but with a different ticket, and around and around we go.

I was under the impression that the serviceURL definition in the Service definition of the authenticationEntryPoint was to match a service policy in CAS, and then CAS would SSO it to other URLs that are behind the .authenticated() filters of Spring SecurityConfig... but it seems to want to go validate every string permutation. Thoughts, what blindingly obvious thing am I missing :-).

Here is the SecurityFilter as an aside:

    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .regexMatchers("/desktop/.*", "/desktop?.*", "/login.*")
                .authenticated()
            .and()
            .authorizeRequests()
                .regexMatchers("/")
                .permitAll()
            .and()
            .httpBasic()
                .authenticationEntryPoint(dynamicAuthenticationEntryPoint)
            .and()
            .logout().logoutSuccessUrl("/logout")
            .and()
            .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
            .addFilterBefore(logoutFilter, LogoutFilter.class);
    }

Thanks in advance.

Colin

On 2019-12-19 2:35 a.m., Cemal Önder wrote:

Yes, I had that problem too when I wanted to create a generic library that serves as a helper to CASify my microservices. Here is a solution: Spring Security CAS calls createServiceUrl of CasAuthenticationEntryPoint before every request. This is the place where serviceProperties are used for redirection. You can overwrite ServiceProperties with your dynamically created URL here. But keep in mind that I do not like this solution either, but there is no choice because ServiceProperties requires the URL on startup, as you mentioned.

    public class DynamicRedirectCasAuthenticationEntryPoint extends CasAuthenticationEntryPoint {
        // ...
        @Override
        protected String createServiceUrl(final HttpServletRequest request,
                                          final HttpServletResponse response) {
            // here set your new serviceProperties based on the request etc. with your business logic
            this.setServiceProperties(serviceProperties);
            return super.createServiceUrl(request, response);
        }
        // ...
    }

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f574fc4c-55ca-4c34-bb1f-d751a8f34553%40apereo.org.

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
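The following is an added example, not code from the thread or from the Apereo CAS project. It shows one way to arrange a Spring Security (5.x, WebSecurityConfigurerAdapter style) configuration in the order Ray describes: logout filters first, then service-ticket validation by CasAuthenticationFilter, and only then the authorization check that sends unauthenticated users to CAS. The CAS server URL, the application base URL, the provider key and the user-details mapping are placeholders. Instead of rewriting ServiceProperties per request (a shared singleton, so concurrent users could overwrite each other's service URL between the redirect and the validation), it keeps a fixed callback URL (/login/cas) and relies on the saved-request mechanism that Spring Security applies by default: the page the user originally asked for, such as /desktop?parameter=one, is stored before the redirect to CAS and restored after the ticket has been validated, so the ticket is validated against the same service value that the entry point sent and no second trip to CAS is needed.

```java
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

// Added example (not from the thread): filter order logout -> validate -> authenticate.
@Configuration
@EnableWebSecurity
public class CasSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String CAS_SERVER = "https://cas.example.org/cas"; // placeholder
    private static final String APP_BASE = "https://host.example.org";       // placeholder

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        // Fixed callback URL. The originally requested page (e.g. /desktop?parameter=one)
        // is restored from the saved request after the ticket has been validated.
        sp.setService(APP_BASE + "/login/cas");
        sp.setSendRenew(false);
        return sp;
    }

    @Bean
    public CasAuthenticationEntryPoint casEntryPoint() {
        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
        ep.setLoginUrl(CAS_SERVER + "/login");
        ep.setServiceProperties(serviceProperties());
        return ep;
    }

    @Bean
    public CasAuthenticationProvider casProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        // The validator checks the ST against the same service value the entry point sent.
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas20ServiceTicketValidator(CAS_SERVER));
        p.setKey("cas-provider-key"); // placeholder
        // Placeholder mapping: every validated CAS principal becomes a user with ROLE_USER.
        p.setAuthenticationUserDetailsService(token ->
                new User(token.getName(), "", AuthorityUtils.createAuthorityList("ROLE_USER")));
        return p;
    }

    @Bean
    public CasAuthenticationFilter casFilter() throws Exception {
        // Processes /login/cas?ticket=ST-... and creates the authenticated user in the host.
        CasAuthenticationFilter f = new CasAuthenticationFilter();
        f.setAuthenticationManager(authenticationManager());
        return f;
    }

    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        SingleSignOutFilter f = new SingleSignOutFilter();
        f.setIgnoreInitConfiguration(true);
        return f;
    }

    @Bean
    public LogoutFilter casLogoutFilter() {
        // Local logout, then redirect to the CAS server logout endpoint.
        LogoutFilter f = new LogoutFilter(CAS_SERVER + "/logout", new SecurityContextLogoutHandler());
        f.setFilterProcessesUrl("/logout/cas");
        return f;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // 1. logout handling runs before anything else
            .addFilterBefore(casLogoutFilter(), LogoutFilter.class)
            .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
            // 2. ST validation (CasAuthenticationFilter) precedes the authorization check
            .addFilter(casFilter())
            // 3. unauthenticated requests to protected pages are sent to CAS
            .exceptionHandling().authenticationEntryPoint(casEntryPoint())
            .and()
            .authorizeRequests()
                // '/desktop.*' covers /desktop, /desktop?... and /desktop/... without a bare '?'
                .regexMatchers("/desktop.*").authenticated()
                .antMatchers("/").permitAll();
    }
}
```

With this arrangement a request for /desktop?parameter=one without a session is saved, the user is sent to CAS with service=https://host.example.org/login/cas, CAS returns the ST to /login/cas, the filter validates it and the default SavedRequestAwareAuthenticationSuccessHandler redirects to /desktop?parameter=one, which is now authorized. If the loop from the thread reappears, the first thing to check is whether the URL the ticket comes back to is actually one that CasAuthenticationFilter processes; a ticket delivered to a page the filter does not handle is never validated, and the authorization check simply redirects again.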
