Colin,

Perhaps this approach can work (I assume on the login page, user is selecting a 
profile):

1. Redirect from /login to CAS, /cas?service=serviceURL?param=...
2. CAS sends ST to serviceURL
3. ST validation happens, authenticated principal is returned
4. how does spring know where to redirect?

Cemal's solution is the spring way. The above solution may result in a lot of 
extra work.

Ray

On Wed, 2020-01-08 at 12:27 -0500, Colin Ryan wrote:
Ray,

Sorry my friend, I'm catching what you're saying but just not grokking it... I even 
backed out my DynamicCasAuthEntryPoint overridden class and am still getting too 
many redirects even when not appending things to the serviceURL.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .regexMatchers("/desktop.*")
      .authenticated()
      .and()
      .authorizeRequests()
      .regexMatchers("/")
      .permitAll()
      .and()
      .httpBasic()
      .authenticationEntryPoint(authenticationEntryPoint)
      .and()
      .logout().logoutSuccessUrl("/logout")
      .and()
      .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
      .addFilterBefore(logoutFilter, LogoutFilter.class);
}

The service URL here is just https://host/desktop thus going to 
https://host/desktop redirects me properly to CAS but then upon redirect back 
with the ST gives me redirect errors.

I believe I'm understanding the implications of what you've described (i.e. it's 
arriving back from CAS authorization with an ST ticket appended, but this isn't 
meaningful to the /desktop application, so it isn't authenticated....

But again, don't get how to set the SecurityFilter routes other than the above 
which is based upon many of the examples I see online.

Alas, as a reminder, my requirement is to have a central multi-user application 
(/desktop) that in turn must take the user to CAS with some form of 
identifier (in my previous examples it was the GET parameter) so that from a 
common app I can get mapped to specific sets of service definitions in CAS to ensure 
the user in question gets presented with the proper authentication setup (it's not 
always just a difference in MFA, so I can't rely on using step-up).

Le Sigh...

On 2020-01-02 1:04 p.m., Ray Bon wrote:
Colin,

From your description, the 'desktop' page is protected and accessing it 
requires the user to be authenticated (and this is set in 'SecurityFilter'). 
The flow you describe has the user arriving at the 'desktop' page with a ST 
from CAS but not yet authenticated in the host. The host then redirects to 
CAS, as you experience, and ends with too many redirects.

I am not sure how the 'SecurityFilter' should be configured, since I have 
not used it, but the order of processing should be: logout, validate, 
authenticate, others.
In other words, login validation (ST check) should happen before 
authentication. (Logout always happens first.) Validation creates an 
authenticated user in the host.
Other things to consider:
You do not need to have the login page authorized.
Escape the '?' in /desktop?.* or combine both desktops as '/desktop.*'
Ray
On Mon, 2019-12-23 at 14:24 -0500, Colin Ryan wrote:
Cemal,

I tried this approach but I keep getting a too many redirects error. 
I'm newish to Spring Security so maybe I'm missing something.

But basically I see the "DynamicRedirectCasAuthenticationEntryPoint" being 
processed in every request the first time through it I'm intercepting

https://host/login?parameter=one

Then in my overridden entrypoint I'm changing the serviceURL to be 
https://host/desktop?parameter=one which in turn redirects me to CAS where I 
authenticate against a service that matches /desktop?parameter=one, per your 
code hint.

But as far as I can tell it then redirects me back to 
https://host/desktop?parameter=one&ticket=xxxxx but seems to treat this like a 
new request and sends me back to CAS - CAS does not in turn prompt me to 
authenticate again - but returns to the application again but with

https://host/desktop?parameter=one&ticket=yyyyy

then on and on each time getting a new ticket parameter.

It's almost like it's treating the new ticket string as not matching the 
original dynamically modified service string but upon taking me to CAS  it 
SSO's me but with a different ticket and around and around we go.

I was under the impression that the serviceURL definition in the Service 
definition of the authenticationEntryPoint was to match a service policy in 
CAS, and then CAS would SSO it to other URLs that are behind the 
.authenticated() filters of Spring SecurityConfig... but it seems to want to 
go validate every string permutation.

Thoughts, what blindingly obvious thing am I missing :-).

Here is the SecurityFilter as an aside:

protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      .regexMatchers("/desktop/.*", "/desktop?.*", "/login.*")
      .authenticated()
      .and()
      .authorizeRequests()
      .regexMatchers("/")
      .permitAll()
      .and()
      .httpBasic()
      .authenticationEntryPoint(dynamicAuthenticationEntryPoint)
      .and()
      .logout().logoutSuccessUrl("/logout")
      .and()
      .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
      .addFilterBefore(logoutFilter, LogoutFilter.class);
}

Thanks in advance.


Colin


On 2019-12-19 2:35 a.m., Cemal Önder wrote:
Yes, I had that problem too when I wanted to create a generic library that serves as 
a helper to CASify my microservices. Here is a solution: Spring Security CAS 
calls createServiceUrl of CasAuthenticationEntryPoint before every request. 
This is the place where serviceProperties are used for redirection. You can 
overwrite ServiceProperties with your dynamically created URL here. But keep in 
mind that I do not like this solution either, but there is no choice because 
ServiceProperties requires the URL on startup, as you mentioned.


public class DynamicRedirectCasAuthenticationEntryPoint extends CasAuthenticationEntryPoint {

  // ...

  @Override
  protected String createServiceUrl(final HttpServletRequest request,
                                    final HttpServletResponse response) {
      // here set your new serviceProperties based on the request etc. with your business logic
      this.setServiceProperties(serviceProperties);
      return super.createServiceUrl(request, response);
  }

  // ...
}
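As an added example (not code from this thread, nor from the Spring Security or CAS projects) combining Ray's ordering point, validate the ST before redirecting to CAS, with Cemal's dynamic service URL: the CasAuthenticationFilter is registered in the chain so a request carrying a ticket is validated rather than bounced back to CAS, the per-request service URL is computed in createServiceUrl without mutating the shared ServiceProperties bean, and ServiceAuthenticationDetailsSource makes the ticket validator use that same URL. Assumed: Spring Security 5.x with javax.servlet, the CAS server URL, the provider key, the /login/cas processing URL and the no-roles user mapping.

```java
import javax.servlet.http.*;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.*;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;

public class CasProfileSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String CAS = "https://cas.example.org/cas"; // assumed CAS server URL
    private final ServiceProperties props = new ServiceProperties();
    { props.setService("https://host/login/cas"); } // base service = the filter's processing URL

    // Build the per-request service URL here; mutating the shared ServiceProperties bean would race between users.
    private CasAuthenticationEntryPoint entryPoint() {
        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint() {
            @Override
            protected String createServiceUrl(HttpServletRequest req, HttpServletResponse res) {
                String profile = req.getParameter("parameter"); // the profile selector from the thread
                if (profile == null || !profile.matches("[A-Za-z0-9_-]{1,32}"))
                    return super.createServiceUrl(req, res); // missing or odd selector: plain service
                return getServiceProperties().getService() + "?parameter=" + profile;
            }
        };
        ep.setLoginUrl(CAS + "/login"); ep.setServiceProperties(props);
        return ep;
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setServiceProperties(props); p.setKey("cas-provider-key"); // key is an assumed value
        p.setTicketValidator(new Cas20ServiceTicketValidator(CAS));
        p.setAuthenticationUserDetailsService(t -> // assumed mapping: every CAS principal, no roles
                new User(t.getName(), "n/a", java.util.Collections.emptyList()));
        auth.authenticationProvider(p);
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CasAuthenticationFilter f = new CasAuthenticationFilter();
        f.setAuthenticationManager(authenticationManager());
        // Validate the ST against the request URL minus the ticket (what CAS issued it for), so
        // "?parameter=..." matches on /serviceValidate; the default success handler then replays the saved /desktop request.
        f.setAuthenticationDetailsSource(new ServiceAuthenticationDetailsSource(props));
        http.addFilter(f)                                             // ticket validation first
            .exceptionHandling().authenticationEntryPoint(entryPoint()).and()
            .authorizeRequests().antMatchers("/desktop/**").authenticated().anyRequest().permitAll();
    }
}
```

The CAS service definitions then match on the service URL including the selector, and behind a TLS-terminating proxy the application must see the same scheme and host CAS redirected to (for example via Spring's ForwardedHeaderFilter), because ServiceAuthenticationDetailsSource rebuilds the service URL from the incoming request.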

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f574fc4c-55ca-4c34-bb1f-d751a8f34553%40apereo.org.


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.


