Hello Ray,
I talked with my DBA and he said we do have SSL certificate in our server.
Tried everything else but couldn't find the solution. There was nothing in
the cas server logs. Its same as my application logs. I am not sure what I
miss, its really frustrating. Here is my configuration.
package com.mynw.sso;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import
org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import
org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import
org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import
org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import
org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.util.*;
@Configuration
@EnableWebSecurity
public class WebCASSecurity extends WebSecurityConfigurerAdapter {
@Value("${cas.service.login}")
String CAS_URL_LOGIN;
@Value("${cas.service.logout}")
String CAS_URL_LOGOUT;
@Value("${cas.url.prefix}")
String CAS_URL_PREFIX;
@Value("${cas.ticket.validate.url}")
String CAS_VALIDATE_URL;
@Value("${app.service.security}")
String CAS_SERVICE_URL;
@Value("${app.service.home}")
String APP_SERVICE_HOME;
// @Value("${app.admin.userName:admin}")
// String APP_ADMIN_USER_NAME;
// @Bean
// public Set<String> adminList() {
// Set<String> admins = new HashSet<String>();
// admins.add(APP_ADMIN_USER_NAME);
// return admins;
// }
@Override
protected void configure(HttpSecurity http) throws Exception {
http.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint()).and().addFilter(casAuthenticationFilter())
// .addFilterBefore(singleSignOutFilter(),
CasAuthenticationFilter.class)
.addFilterBefore(requestCasGlobalLogoutFilter(),
LogoutFilter.class)
.authorizeRequests()
.antMatchers("/**")
.access("hasRole('ROLE_ANONYMOUS')");
}
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties sp = new ServiceProperties();
sp.setService(CAS_SERVICE_URL);
sp.setSendRenew(false);
return sp;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new
CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(Cas30ServiceTicketValidator());
casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken>
customUserDetailsService() {
return new CustomUserDetailsService();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(casAuthenticationProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/fonts/**").antMatchers("/images/**").antMatchers("/scripts/**").antMatchers("/styles/**")
.antMatchers("/views/**").antMatchers("/i18n/**").antMatchers("/webjars/**");
}
@Bean
public SessionAuthenticationStrategy sessionStrategy() {
SessionAuthenticationStrategy sessionStrategy = new
SessionFixationProtectionStrategy();
return sessionStrategy;
}
@Bean
public Cas30ServiceTicketValidator Cas30ServiceTicketValidator() {
return new Cas30ServiceTicketValidator(CAS_VALIDATE_URL);
}
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new
CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl(CAS_URL_LOGIN);
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
// public SingleSignOutFilter singleSignOutFilter() {
// SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
//
singleSignOutFilter.setCasServerUrlPrefix("https://nwmsueist01.nwmissouri.edu:9443/cas";);
// return singleSignOutFilter;
// }
@Bean
public LogoutFilter requestCasGlobalLogoutFilter() {
LogoutFilter logoutFilter = new LogoutFilter(
CAS_URL_LOGOUT + "?service=" + APP_SERVICE_HOME,
new SecurityContextLogoutHandler());
logoutFilter.setLogoutRequestMatcher(new
AntPathRequestMatcher("/logout", "GET"));
return logoutFilter;
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new
CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setSessionAuthenticationStrategy(sessionStrategy());
return casAuthenticationFilter;
}
}
On Fri, Nov 6, 2020 at 11:01 AM Ray Bon <[email protected]> wrote:
> Sagar,
>
> Too many redirects means that the ST/token can not be validated.
> The client app must send the ST to cas for validation. So either cas is
> unable to verify the ST or it does not receive it. This could be the result
> of many things. Start by setting cas server logs to debug.
> You will want to make sure your servers have clocks synced and you are
> using https (if self signed certs, you may have to add them to the java
> keystore).
>
> Ray
>
> On Fri, 2020-11-06 at 10:40 -0600, sagar ghimire wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello Ray,
> I have changed the configuration got this from logged file. But the URL is
> redirecting too many times causing ERROR TOO MANY REDIRECTS.
> From Log file:
>
> 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.cas.web.CasAuthenticationFilter : serviceTicketRequest = false
>
> 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorConfigured = false
>
> 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.cas.web.CasAuthenticationFilter : proxyReceptorRequest = false
>
> 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.cas.web.CasAuthenticationFilter : proxyTicketRequest = false
>
> 2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.cas.web.CasAuthenticationFilter : requiresAuthentication = false
>
> 2020-11-05 15:51:21.878 DEBUG 13867 --- [https-jsse-nio-8443-exec-3]
> o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder
> with anonymous token:
> 'org.springframework.security.authentication.AnonymousAuthenticationToken@9972129b:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 10.2.101.208; SessionId: 46E280D90E89E9935FE52EA62CA29C65;
> Granted Authorities: ROLE_ANONYMOUS'
>
> Looks like I am authenticated but it redirects too many times.
>
>
> Any Suggestions?
>
> Thanks
> Sagar
>
> On Thu, Nov 5, 2020 at 10:36 AM Ray Bon <[email protected]> wrote:
>
> Sagar,
>
> I thought spring security provided everything, all you have to do is add
> some config.
> Do you need this SSOController?
>
> Maybe look at the spring documentation to see how they suggest
> configuration.
>
> Ray
>
> On Thu, 2020-11-05 at 08:54 -0600, sagar ghimire wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello Ray,
> I have turned on the logging for my application and this is what i got.
> The token is
> org.springframework.security.authentication.AnonymousAuthenticationToken@5367e0b6:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@1de6:
> RemoteIpAddress: 10.2.101.208; SessionId: null; Granted Authorities:
> ROLE_ANONYMOUS
> 2020-11-05 08:42:10.167 ERROR 21715 --- [nio-8443-exec-4]
> o.s.b.w.servlet.support.ErrorPageFilter : Cannot forward to error page for
> request [/] as the response has already been committed. As a result, the
> response may have the wrong status code. If your application is running on
> WebSphere Application Server you may be able to resolve this problem by
> setting com.ibm.ws.webcontainer.invokeFlushAfterService to false
>
>
> It looks like I am getting logged in but getting rendered to error page
> for some reason.
> This is my controller looks like.
>
> package
>
> com.mynw.sso.Controller
>
> ;
>
>
>
> import
>
> com.mynw.sso.CASConfig
>
> ;
>
>
> import
>
> org.jasig.cas.client.authentication.AttributePrincipal
>
> ;
>
>
> import
>
> org.jasig.cas.client.validation.Assertion
>
> ;
>
>
> import
>
> org.springframework.security.authentication.AnonymousAuthenticationToken
>
> ;
>
>
> import
>
> org.springframework.security.cas.authentication.CasAuthenticationToken
>
> ;
>
>
> import
>
> org.springframework.security.core.context.SecurityContext
>
> ;
>
>
> import
>
> org.springframework.security.core.context.SecurityContextHolder
>
> ;
>
>
> import
>
> org.springframework.stereotype.
>
> Controller
>
> ;
>
>
> import
>
> org.springframework.ui.Model
>
> ;
>
>
> import
>
> org.springframework.web.bind.annotation.
>
> GetMapping
>
> ;
>
>
>
> import
>
> java.sql.SQLOutput
>
> ;
>
>
> import
>
> java.util.logging.Logger
>
> ;
>
>
>
> @Controller
>
>
> public class
>
> SSOController {
>
>
>
>
> @GetMapping
>
> (
>
> "/"
>
> )
>
>
> public
>
> String
>
> index
>
> (Model model){
>
>
> SecurityContext ctx= SecurityContextHolder.
>
> getContext
>
> ()
>
> ;
>
>
> AnonymousAuthenticationToken aat = (AnonymousAuthenticationToken)
> ctx.getAuthentication()
>
> ;
>
>
> System.
>
> out
>
> .println(
>
> "The token is "
>
> + aat)
>
> ;
>
>
> model.addAttribute(
>
> "UserName"
>
> ,
>
> aat.toString())
>
> ;
>
>
>
>
> return
>
> "index"
>
> ;
>
>
> }
>
>
> }
>
>
> Thanks
> Sagar
>
> On Wed, Nov 4, 2020 at 4:07 PM Ray Bon <[email protected]> wrote:
>
> Sagar,
>
> Turn up logging in spring. Try to figure out what token is.
>
> Ray
>
> On Wed, 2020-11-04 at 14:11 -0600, sagar ghimire wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Roy,
> I have attached the image before the red line one. Also I was looking at
> the server logs and found :
>
> 2020-11-04 12:16:05.770 ERROR 13281 --- [nio-8443-exec-4]
> o.s.b.w.servlet.support.ErrorPageFilter : Forwarding to error page from
> request [/] due to exception
> [org.springframework.security.authentication.AnonymousAuthenticationToken
> cannot be cast to
> org.springframework.security.cas.authentication.CasAuthenticationToken]
>
> java.lang.ClassCastException:
> org.springframework.security.authentication.AnonymousAuthenticationToken
> cannot be cast to
> org.springframework.security.cas.authentication.CasAuthenticationToken
>
>
>
>
> It looks like token casting is the problem that I have been encountering.
> Any suggestions?
>
>
> Thank you
> Sagar
>
> On Wed, Nov 4, 2020 at 12:57 PM Ray Bon <[email protected]> wrote:
>
> Sagar,
>
> The ST handler must be publicly accessible. If
> inb9fnhr.nwmissouri.edu:8443/MyNWSSO/ takes you to cas login, it will not
> be able to receive the ST, but redirect to cas for login in an endless loop.
> What is happening on the line above the red one in the image?
>
> Ray
>
> On Wed, 2020-11-04 at 12:33 -0600, sagar ghimire wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello Ray,
> I have configured my Spring Boot App but I think the problem is when the
> CAS redirect to my webapp with Service Ticket my web app is not
> revalidating the ticket to CAS server again. The reference that I have
> taken for this webapp is from
>
> https://medium.com/@venkateshpnk22/single-sign-on-in-cas-client-setup-with-spring-security-b51a7e70294d
> Also I have attached the error when I hit the
> inb9fnhr.nwmissouri.edu:8443/MyNWSSO/ it render to sign in and after sign
> in I got 404.
>
>
> Thanks
>
> Sagar Ghimire
> Software Developer
> Northwest Missouri State University
>
>
>
> On Wed, Nov 4, 2020 at 12:26 PM Ray Bon <[email protected]> wrote:
>
> Sagar,
>
> What happens when you browse directly to
> inb9fnhr.nwmissouri.edu:8443/MyNWSSO/
>
> This sounds like a problem with your application configuration and not
> cas. Or are you asking how to configure your cas client?
>
> Ray
>
> On Wed, 2020-11-04 at 09:56 -0800, sagar ghimire wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello,
> I have configured CAS in my Spring boot app and when I log in it render to
> 404 not found with the Service Ticket.
> Attached is the error image that i got.
>
>
> Thanks
> Sagar
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/05f195cffc9329228b4705f81da7e13f4037c9e8.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/05f195cffc9329228b4705f81da7e13f4037c9e8.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/e563cb5582248e3b61299aaf01998f5ad03367e9.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/e563cb5582248e3b61299aaf01998f5ad03367e9.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f16efd28acdce013b788b077df0565efd9c4df.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f16efd28acdce013b788b077df0565efd9c4df.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6798adce6b2ccbf9fc5cd8a6b57390b19e1adbaf.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6798adce6b2ccbf9fc5cd8a6b57390b19e1adbaf.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d19e9528aa4d766347a5623bd4b6aeed86d7697.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d19e9528aa4d766347a5623bd4b6aeed86d7697.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKBdEbfJ4tD2mafvd1eJ1gTMbQ8ZjKQP3UbqOCO%2BDKfQaCctCg%40mail.gmail.com.
