  • cas+jdbc security

    Hi all (be kind, I'm really new to Spring).
    I was able to configure JDBC-based security and also CAS-based security in two different projects.
    Now I need both in the same project.

    I have done something like this:

    a login form like project one (JDBC security) and a link to CAS like project two in the main page menu:


    1) https://mydom:9443/myapp/security/login
    ---> login.jsp: action="myapp/j_spring_security_check"

    2) https://cas.it:9443/cas-server-webapp/login?service=https%3A%2F%2Fmydom%3A7443%2Fmyapp%2Fj_spring_cas_security_check


    Users can authenticate both ways and all works fine (if they use my links),
    but if they are anonymousUser and they go to a reserved resource, the CAS filter starts first and they can't choose.

    I understand this is because CAS_FILTER comes before FORM_LOGIN_FILTER.
    On the CAS login page, if they can't authenticate they are stuck.


    <security:http
        authentication-manager-ref="authenticationmanager"
        entry-point-ref="casEntryPoint"
        use-expressions="true">
      <security:port-mappings>
        <security:port-mapping http="#{env.application_http}" https="#{env.application_https}"/>
      </security:port-mappings>

      <form-login login-page="/security/login" authentication-failure-url="/security/loginfailed" />
      <intercept-url pattern="/**/j_spring_security_check" requires-channel="https" />
      <intercept-url pattern="/**" requires-channel="https" />
      <access-denied-handler error-page="/security/denied" />
      <security:custom-filter position="CAS_FILTER" ref="casFilter" />
      <logout logout-success-url="/security/logout" invalidate-session="false" />
      <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
      <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
    </security:http>



    I don't like the idea of processing the CAS password in my application; it's against the CAS philosophy.

    I'd like something like a popup on a reserved resource: "Where do you want to authenticate?" Choose: CAS / local.

    So, what should I do? I'm stuck like my users... (some custom popup filter?)

    -----------------------------------------



    <authentication-manager id="authenticationmanager">
      <authentication-provider user-service-ref="userService">
        <security:password-encoder hash="md5"></security:password-encoder>
      </authentication-provider>
    </authentication-manager>

    <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

    <beans:bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
      <beans:constructor-arg value="#{env.cas_service_logout}"/>
      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
      </beans:constructor-arg>
      <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
    </beans:bean>

    <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
      <beans:property name="service"
          value="#{'https://' + env.application_domain + ':' + env.application_https + '/' + env.application_name + '/j_spring_cas_security_check' }"/>
      <beans:property name="sendRenew" value="false"/>
    </beans:bean>

    <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
      <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <beans:bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
      <beans:property name="loginUrl" value="#{env.cas_service_login}"/>
      <beans:property name="serviceProperties" ref="serviceProperties"/>
    </beans:bean>

    <beans:bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
      <beans:property name="userDetailsService" ref="userService"/>
      <beans:property name="serviceProperties" ref="serviceProperties" />
      <beans:property name="ticketValidator">
        <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
          <beans:constructor-arg index="0" value="#{env.cas_service}" />
        </beans:bean>
      </beans:property>
      <beans:property name="key" value="#{env.application_name+'casid'}"/>
    </beans:bean>

    <jdbc-user-service
        id="userService"
        data-source-ref="dataSource"
        users-by-username-query="select USERID, lower(PASSWD), 1 from ute where USERID=?"
        authorities-by-username-query="select USERID, RUOLO from UTE where USERID=?" />

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>

  • #2
    You should configure an AuthenticationEntryPoint that takes the user to a page that allows the user to make this choice. The buttons on the link could then submit to another URL that sends the user to a login form or to a URL that uses the CasAuthenticationEntryPoint to redirect to the CAS server.

    PS: Please use code tags (i.e. the # button) when posting configuration, code, logs, etc as this makes it easier to read.

    Comment


    • #3
      Thank you,
      I think I've done something similar:
      I put the login.jsp form in the casEntryPoint "loginUrl" property, and then in that form (login.jsp) I offer the user local login (submit form) or a link to the CAS login page.
      Is that correct? Is it horrible? It seems to work...

      Anyway, this is not working really well, because the CAS-authenticated user who is entering my portal always has to see the login.jsp page. I think I will meet the same problem implementing your solution (AuthenticationEntryPoint that takes the user to a page that allows the user to make this choice)?

      At this point I wonder what the best practice is to authenticate users by CAS and by JDBC. My users can leave the "CAS organization" but they have to use the portal.
      Has someone already solved the problem? It should be a common problem.

      Comment


      • #4
        Originally posted by aleale:
        "anyway this is not working really good, because the cas authenticated user who is entering my portal always has to see the login.jsp page."

        What do you want to happen? Can you outline how the application should know automatically?

        One possibility is you could add a cookie to remember their decision.

        Comment


        • #5
          You are right, but you are a developer... the customer thinks the application should know. Why not? I pay, I'm right too...
          After lots of alcohol I was thinking of an IFRAME in my login.jsp page, 0x0 pixels, pointing at the CAS page, so if the user is CAS-authenticated, the application knows on the login page, and JavaScript doing an autoreloadPageOnce() (if the iframe content is not on the CAS server) goes to the resource the user needs.
          This is a very bad thing, but it points out that the application could somehow know automatically without sending the user to a CAS page where he can be authenticated. I really don't want to do anything like what I've just written about.

          Comment


          • #6
            If you want to support both, then you still need to provide a requirement of when one is chosen over the other. I cannot determine your application's requirements. I provided a possible solution using a cookie to remember their decision so the choice is only presented once, but once again you need to be able to determine your application's requirements.

            Comment
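
The approach suggested in replies #2, #4 and #6, sketched as an added example that is not part of the original thread or of Spring Security itself: one AuthenticationEntryPoint that sends the user to a choice page, or straight to CAS or the local form when a cookie records an earlier choice. The class name, the cookie name `AUTH_CHOICE`, its values `cas`/`local` and the choice-page path are assumptions; the two delegates would be the thread's `casEntryPoint` bean and a form-login entry point.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point: routes an unauthenticated request by a remembered choice.
 * The cookie is only a routing preference; authentication itself still happens in
 * the CAS filter or the form-login filter, so a forged cookie grants nothing.
 */
public class ChoiceAwareEntryPoint implements AuthenticationEntryPoint {

    static final String COOKIE_NAME = "AUTH_CHOICE";        // assumed cookie name
    private final AuthenticationEntryPoint casEntryPoint;   // e.g. the casEntryPoint bean
    private final AuthenticationEntryPoint formEntryPoint;  // e.g. an entry point for /security/login
    private final String choicePage;                        // assumed path, e.g. "/security/choose"

    public ChoiceAwareEntryPoint(AuthenticationEntryPoint casEntryPoint,
                                 AuthenticationEntryPoint formEntryPoint,
                                 String choicePage) {
        this.casEntryPoint = casEntryPoint;
        this.formEntryPoint = formEntryPoint;
        this.choicePage = choicePage;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex) throws IOException, ServletException {
        String choice = readChoice(request);
        if ("cas".equals(choice)) {
            casEntryPoint.commence(request, response, ex);
        } else if ("local".equals(choice)) {
            formEntryPoint.commence(request, response, ex);
        } else {
            // Missing or unrecognised value: redirect to a fixed, application-relative
            // page. The cookie value is never used to build the redirect target.
            response.sendRedirect(request.getContextPath() + choicePage);
        }
    }

    /** Returns the cookie value or null; callers compare it against fixed literals only. */
    static String readChoice(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

The choice page has to be reachable by anonymous users, otherwise the redirect loops back into this entry point; it is also where the cookie would be set (Secure and HttpOnly) once the user picks CAS or local login.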
