Announcement Announcement Module
Collapse
No announcement yet.
cas+spring security issue Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • cas+spring security issue

    Hi everyone!
    I'm trying to implement SSO(single sign on) via CAS(jasig-CAS) in my app and as for now, I've faced the next problem:
    Code:
    HTTP Status 401 - Authentication Failed: Failed to provide a CAS service ticket to validate
    
    type Status report
    
    message Authentication Failed: Failed to provide a CAS service ticket to validate
    
    description This request requires HTTP authentication (Authentication Failed: Failed to provide a CAS service ticket to validate).
    I start my cas server on a different tomcat(so I have two apache tomcats at the same time, ports are different, for example, on cas server they are 8080, 8443 and etc. and on myApp server they are 9080, 9443 and etc.), login there and when I go to login pageat my app, then: 1. then is no autologin 2. when i enter credentials, I see the stacktrace shown above I took an example from this site .
    in web.xml, I've includede spring security context and set the appropriate listeners and etc. in pom(I use maven) I've added the required dependencies, described in the article. But the problem stays. I'd be glad any pieces of advice

    Also I've attached security context and my login page
    Attachment
    Attachment
    Attached Files

  • #2
    Hi,

    I'm not sure of what you really want to do because I see a CAS configuration in your webapp but also a form configuration : you don't need both. The login page is hosted on CAS server and is reponsible for authenticating user, that's all : you don't need a local login page.
    That's why you get the problem : you send username / password form your local login page to /j_spring_cas_security_check, which excepts a CAS service ticket from CAS server -> failed to provider a CAS service ticket !
    Best regards,
    Jérôme

    Comment


    • #3
      Jérôme,
      you mean, that CAS will change the lohin page automatically?
      so how I should configure it? can you give a sample of code?
      or what steps I should do for my app's correct operation?

      Comment


      • #4
        Hi,

        I mean that the login page is hosted on the CAS server : you don't need to have one in applications. The authentication process is delegated to the CAS server.
        You configuration looks good for CAS part, you should just remove what is linked to form authentication.
        The reference documentation : http://static.springsource.org/sprin...rence/cas.html.
        Best regards,
        Jérôme

        Comment


        • #5
          so, you mean I need to delete the login.jsp file and in my spring security context put url of CAS-server? I'm trying to understand the logic of the steps.
          Last edited by userio; Oct 1st, 2012, 05:18 AM.

          Comment


          • #6
            Originally posted by userio View Post
            so, you mean I need to delete the login.jsp file and in my spring security context put url of CAS-server? I'm trying to understand the logic of the steps.
            Right, remove the login.jsp and all the XML configuration added for the form authentication : remove <security:form-login, authenticationEntryPoint...
            Once again, I recommend you follow the reference documentation for Spring Security & CAS (see the previous link I gave you).

            The only challenge you will have is how to compute roles and define accesses on application side : generally, users are authenticated on CAS server side and their personal information (roles for example) are retrieved during authentication phase and pushed to CAS applications through custom CAS service ticket validation and it's the applications which decide what to do with these roles...

            Comment


            • #7
              Jérôme, I'm stuck
              I don't understand, how the user should go to the login page. how to do it in the html code(I have an a href element), so I click and go to the login page.

              thnx in advance.

              Comment


              • #8
                Hi,

                You have to change your way of thinking : you don't go to the login page by clicking on a link.

                You try to access a protected url in your application, this url is protected by your Spring Security CAS client which stores this requested url and send you to the CAS server which checks if you are authenticated and (as you're not) display a login page for authentication. After successfull authentication, you are redirected back to the "CAS url" of your application (something ending with /j_spring_cas_security_check) with a service ticket granted by the CAS server. The CAS client validates the service ticket against the CAS sever and restores the originally requested url. You are now authenticated in your application.

                Best regards,
                Jérôme

                Comment


                • #9
                  so in the html code I have to put not a href="login.jsp", but a href = "someProtectedPage.jsp"? And for this page in my security context I have set the roles, that can access this page. that's right?

                  Comment


                  • #10
                    You're right. Target the protected page.

                    The roles will be computed by your user details service which can grab information from a datasource in your application or use attributes pushed through CAS SAML validation (I recommend this option to centralize information retrieval on CAS server side).

                    Comment


                    • #11
                      now I have link:
                      https://localhost:9443/cas-server-we...security_check
                      as I understand, it's a correct link, but I get the next stacktrace(in different browsers they are described differently):
                      SSL connection error

                      Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol Error.

                      I incorrectly configured or what?

                      Comment


                      • #12
                        Indeed, the url looks correct. However, it seems that you have a SSL problem : is your CAS server accepting SSL connections ?

                        Comment


                        • #13
                          when CAS server is started, the link http://localhost:9443/cas-server-webapp-3.4.10/login works fine and I can enter there any credentials and login. and when the link is http://localhost:9080/cas-server-webapp-3.4.10/login, CAS server works fine, but there is warning You are currently accessing CAS over a non-secure connection. Single Sign on WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.

                          Comment


                          • #14
                            Hi,

                            It's logical : CAS security is based on the use of SSL. When you don't use SSL (for testing for example), you have a warning.
                            Nothing special here, nonetheless, if you want that SSO works on none SSL environment, you need to setup your CAS server to set its cookie on none-secure connection. You should set p:cookieSecure="false" in this case (cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml).
                            Best regards,
                            Jérôme

                            Comment


                            • #15
                              there was incorrect port in my config. when I entered the correct port, I finally obtained the needed CAS server login page via SSL.
                              BUT my happiness was not so long... when I entered credetials, I saw in my browser next message:
                              HTTP Status 404 - /spring-security-cas/j_spring_cas_security_check

                              type Status report

                              message /spring-security-cas/j_spring_cas_security_check

                              description The requested resource (/spring-security-cas/j_spring_cas_security_check) is not available.

                              Comment

                              Working...
                              X