Announcement Announcement Module
Collapse
No announcement yet.
CAS + JDBC authentication-provider configuration problem Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • CAS + JDBC authentication-provider configuration problem

    Hi,
    I'm using both cas authentication and authentication jdbc based.

    This simple configuration i've made works but I do not think it is clean one.

    For example

    If i do login via form (action = "j_spring_security_check")
    the custom-filter ref = "singleLogoutFilter" is executed and its "doFilter"
    performs a CommonUtils.safeGetParameter (request, "logoutRequest");
    throwing WARN: org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest

    Do you think is rigth to put in the same authentication-manager both the authentication-provider jdbc and cas ?
    Should i do something to avoid conflicts between j_spring_security_check and cas filters ?

    thanks in advance

    Code:
    <security:authentication-manager id="authenticationmanager" alias="authenticationManager">
    
      <security:authentication-provider user-service-ref="userService">
        <security:password-encoder hash="plaintext"/>
      </security:authentication-provider>
    
      <security:authentication-provider ref="casAuthenticationProvider">
      </security:authentication-provider>
    
    </security:authentication-manager>
    Code:
    <security:http 
    authentication-manager-ref="authenticationmanager" 
    use-expressions="true"  > 
    
    <access-denied-handler error-page="/denied" />
    <security:custom-filter position="CAS_FILTER" ref="casFilter" />
    <form-login login-page="/login" authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" invalidate-session="false" />
    <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
    <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
    </security:http>

    Code:
    login.jsp
    
    <form  method="POST" action="j_spring_security_check"  >
    user<input size="22" maxlength="14" type="text" value="" name="j_username" id="user"/>
    password<input size="23" maxlength="22" type="password" value="" name="j_password" id="pass" />
    <input type="submit" value="ok" />
    </form>
    <br />
    <a href ="https://idp.test.it:4443/testcas/login?service=https%3A%2F%2Fmiaapp.mia.com%3A18443%2Fapp%2Fj_spring_cas_security_check" >
     cas auth
    </a>

  • #2
    Originally posted by aleale View Post
    Hi,
    I'm using both cas authentication and authentication jdbc based.

    This simple configuration i've made works but I do not think it is clean one.

    For example

    If i do login via form (action = "j_spring_security_check")
    the custom-filter ref = "singleLogoutFilter" is executed and its "doFilter"
    performs a CommonUtils.safeGetParameter (request, "logoutRequest");
    throwing WARN: org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest

    Do you think is rigth to put in the same authentication-manager both the authentication-provider jdbc and cas ?
    Should i do something to avoid conflicts between j_spring_security_check and cas filters ?

    thanks in advance

    Code:
    <security:authentication-manager id="authenticationmanager" alias="authenticationManager">
    
      <security:authentication-provider user-service-ref="userService">
        <security:password-encoder hash="plaintext"/>
      </security:authentication-provider>
    
      <security:authentication-provider ref="casAuthenticationProvider">
      </security:authentication-provider>
    
    </security:authentication-manager>
    Code:
    <security:http 
    authentication-manager-ref="authenticationmanager" 
    use-expressions="true"  > 
    
    <access-denied-handler error-page="/denied" />
    <security:custom-filter position="CAS_FILTER" ref="casFilter" />
    <form-login login-page="/login" authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" invalidate-session="false" />
    <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
    <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
    </security:http>

    Code:
    login.jsp
    
    <form  method="POST" action="j_spring_security_check"  >
    user<input size="22" maxlength="14" type="text" value="" name="j_username" id="user"/>
    password<input size="23" maxlength="22" type="password" value="" name="j_password" id="pass" />
    <input type="submit" value="ok" />
    </form>
    <br />
    <a href ="https://idp.test.it:4443/testcas/login?service=https%3A%2F%2Fmiaapp.mia.com%3A18443%2Fapp%2Fj_spring_cas_security_check" >
     cas auth
    </a>
    If you're using cas, you don't need a form login in your application. the cas filter should redirect the user to the cas server if they aren't authenticated. Which will redirect them back into your application (and some other black magic) authenticated.

    Comment


    • #3
      Cas alone isn't enough.
      I have users in a remote cas of another organization and my db users locally.
      I have made the page login.jsp to ask the user where he want to autenticate, on remote-cas or via local authentication service.
      Spring security seems to work ok with both activated in the config i've made.
      My question is about the rightness of this config as i read a warning in the CAS_FILTER

      Comment

      Working...
      X