  • Implement SSO using CAS + Spring Security

    Hi guys! I'm trying to implement SSO across several web applications using CAS and Spring Security. Expected case:
    CAS - http://localhost:8080/cas/
    App A protected content - http://localhost:8081/cas-client1/secure/index.html
    App B protected content - http://localhost:8081/cas-client2/secure/index.html

    1) When the user accesses cas-client1, the CAS login form is prompted and triggers authentication.
    2) When the same user accesses cas-client2, the previous login should be recognized and no login form should be prompted.

    However, I have failed to implement step 2. The CAS login form is still prompted to the user and therefore requires a double login. Is there any wrong setting in my Spring Security configuration?

    Code:
    <!-- Spring Security namespace configuration for cas-client1 (cas-client2 is
         identical apart from the service URL noted below). -->
    <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
      <!-- Everything under /secure/ requires ROLE_USER; an unauthenticated request
           is handed to the CAS entry point, i.e. redirected to the CAS login page. -->
      <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
      <!-- Handles the callback from CAS at /j_spring_cas_security_check and validates the ticket. -->
      <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
    </security:http>

    <!-- Redirects the browser to loginUrl with service=<serviceProperties.service>. -->
    <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
      <property name="loginUrl" value="http://localhost:8080/cas/login" />
      <property name="serviceProperties" ref="serviceProperties" />
    </bean>

    <!-- The service URL CAS redirects back to. It is sent on the login redirect and again
         on ticket validation, so the two must match exactly. -->
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
      <!-- http://localhost:8081/cas-client2 for app 2 -->
      <property name="service" value="http://localhost:8081/cas-client1/j_spring_cas_security_check" />
    </bean>

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- Picks up the ticket parameter on the callback URL and passes it to the provider. -->
    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
      <property name="authenticationManager" ref="authenticationManager" />
      <property name="authenticationFailureHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
          <property name="defaultFailureUrl" value="/casfailed.jsp" />
        </bean>
      </property>
    </bean>

    <!-- Validates the service ticket against the CAS server and loads the user's authorities. -->
    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
      <property name="userDetailsService" ref="userService" />
      <property name="serviceProperties"  ref="serviceProperties" />
      <property name="ticketValidator">
        <!-- Calls <CAS server prefix>/serviceValidate; the prefix must be the same CAS
             instance the entry point redirected to. -->
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
          <constructor-arg index="0" value="http://localhost:8080/cas" />
        </bean>
      </property>
      <!-- Identifies tokens created by this provider; any private string will do. -->
      <property name="key" value="an_id_for_this_auth_provider_only" />
    </bean>

    <!-- Only the authorities come from here. CasAuthenticationProvider never checks this
         password; CAS has already authenticated the user. -->
    <security:user-service id="userService">
      <security:user name="wilson" password="wilson" authorities="ROLE_USER" />
    </security:user-service>

  • #2
    The problem is finally solved. My CAS is using HTTP and therefore I need to set secure cookies to false.

    Modify ticketGrantingTicketCookieGenerator.xml
    Code:
    p:cookieSecure="false"



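Why that one attribute decides between single sign-on and a second login form, as an added illustration (not code from the thread, Spring Security or CAS): the CAS server keeps the SSO session in its ticket-granting cookie (CASTGC), and a browser never sends a cookie marked Secure on a plain http:// request. With CAS on http://localhost:8080 and cookieSecure="true", the redirect from cas-client2 to /cas/login arrives without the cookie, CAS sees no session and renders the login form again. The script below reproduces the rule with Python's standard cookie jar, whose policy enforces the same Secure-only-over-https check a browser does; the host name, ticket value and service URL are constructed, not taken from the post. The flip side matters for anything beyond a local test: with cookieSecure="false" the TGC, which is the whole SSO session for every connected application, travels in clear text and can be replayed, so a real deployment serves CAS over HTTPS and keeps the Secure flag.

```python
"""Does the CAS ticket-granting cookie come back to CAS on the second login?

Added example, not code from the thread, Spring Security or CAS. It uses the
standard library cookie jar, which enforces the same rule browsers do: a
cookie flagged Secure is only sent on https. Host name, ticket value and the
service URL in the redirect are constructed for the demo.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlencode
from urllib.request import Request

CAS_HOST = "cas.example.test"     # constructed; the thread runs CAS on localhost:8080
SERVICE = "http://localhost:8081/cas-client2/j_spring_cas_security_check"


def make_tgc(secure: bool) -> Cookie:
    """The CASTGC cookie as the CAS server sets it after the first login
    (path /cas; Secure flag as configured by p:cookieSecure)."""
    return Cookie(
        version=0, name="CASTGC", value="TGT-1-constructed",
        port=None, port_specified=False,
        domain=CAS_HOST, domain_specified=False, domain_initial_dot=False,
        path="/cas", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def tgc_sent_back(cookie_secure: bool, scheme: str) -> bool:
    """The browser already holds the TGC from app A; app B now redirects it to
    CAS over `scheme`. Does that redirect carry the cookie?"""
    jar = CookieJar()
    jar.set_cookie(make_tgc(cookie_secure))
    redirect = Request(f"{scheme}://{CAS_HOST}/cas/login?{urlencode({'service': SERVICE})}")
    jar.add_cookie_header(redirect)      # applies the Secure-only-over-https rule
    return redirect.has_header("Cookie")


def sso_outcome(cookie_secure: bool, scheme: str) -> str:
    """What the user sees at app B."""
    if tgc_sent_back(cookie_secure, scheme):
        return "single sign-on: CAS finds the TGC and issues a service ticket"
    return "second login form: CAS never receives the TGC"


if __name__ == "__main__":
    for secure, scheme in ((True, "http"), (False, "http"), (True, "https")):
        print(f"cookieSecure={str(secure).lower():<5} CAS over {scheme:<5} -> "
              f"{sso_outcome(secure, scheme)}")
```

Run it and the three cases print in order: the poster's original setup, the poster's fix (cookieSecure="false" over http), and the configuration to use outside a local test (Secure flag kept, CAS over https).
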
    • #3
      Thanks! You just saved my life. I have spent hours and hours trying to see what was wrong. Thanks again!



      • #4
        Glad it helps!

        However, I'm encountering another problem, and it does not seem solvable in the current version of Spring Security.

        I have some pages (e.g. the main page) that display different content to anonymous and logged-in users, but how do I check whether the user has a CAS ticket before triggering the login entry point? CAS gateway should help, but Spring Security 3 does not seem to fully support it at this moment (I read the source code and found it always sets gateway to false).

        I am still looking for another workaround...


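The gateway exchange the post above is after, as an added model (not code from the thread, the Jasig CAS client or Spring Security): in the CAS 2.0 protocol, a login request carrying gateway=true must never render a login form. If the browser presents a valid ticket-granting cookie, CAS redirects back to the service with a service ticket; otherwise it redirects back with no ticket and the application treats the visitor as anonymous. The script plays both sides of that exchange; the session store, cookie and ticket values and the service URL are constructed.

```python
"""Gateway-mode login exchange between a CAS-protected application and CAS.

Added example, not code from the thread, Spring Security or the CAS project.
Everything stateful (sessions, ticket values) is constructed for the demo.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_LOGIN = "http://localhost:8080/cas/login"
SERVICE = "http://localhost:8081/cas-client1/j_spring_cas_security_check"
KNOWN_TGTS = {"TGT-1-constructed"}      # constructed: TGTs CAS currently holds


# ---- application side -------------------------------------------------------

def login_url(service: str, gateway: bool = False) -> str:
    """URL the application redirects the browser to.

    gateway=True asks CAS 'is this user already signed in?' and guarantees no
    login form is rendered; the plain form is what the entry point in the
    thread emits.
    """
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{CAS_LOGIN}?{urlencode(params)}"


def ticket_from_callback(url: str) -> Optional[str]:
    """Read the ticket the browser came back with; None means anonymous."""
    tickets = parse_qs(urlsplit(url).query).get("ticket", [])
    return tickets[0] if tickets and tickets[0].startswith("ST-") else None


# ---- CAS side: a minimal /cas/login ------------------------------------------

def _with_ticket(service: str, ticket: str) -> str:
    """Append ticket=... to the service URL, keeping any existing query string."""
    parts = urlsplit(service)
    extra = urlencode({"ticket": ticket})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def cas_login(url: str, tgc_cookie: Optional[str]) -> dict:
    """Response of /cas/login to a request that carried tgc_cookie (or None)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    service = params.get("service")
    gateway = params.get("gateway", "").lower() == "true"
    renew = params.get("renew", "").lower() == "true"   # renew forces re-authentication
    has_session = tgc_cookie in KNOWN_TGTS

    if service and has_session and not renew:
        # SSO: mint a service ticket and send the browser back to the service
        return {"status": 302, "location": _with_ticket(service, "ST-42-constructed")}
    if service and gateway and not renew:
        # gateway: no session and no form; back to the service without a ticket
        return {"status": 302, "location": service}
    return {"status": 200, "body": "<login form>"}


# ---- full round trip as seen by the application -----------------------------

def probe_session(service: str, tgc_cookie: Optional[str]) -> Optional[str]:
    """Return the service ticket for an existing SSO session, else None."""
    response = cas_login(login_url(service, gateway=True), tgc_cookie)
    if response["status"] != 302:
        raise RuntimeError("a gateway request must never render a login form")
    return ticket_from_callback(response["location"])


if __name__ == "__main__":
    print("browser with TGC    ->", probe_session(SERVICE, "TGT-1-constructed"))
    print("browser without TGC ->", probe_session(SERVICE, None))
    print("no gateway, no TGC  ->", cas_login(login_url(SERVICE), None)["status"])
```

One consequence for a page that probes on every hit: a callback without a ticket looks exactly like a fresh visit, so the application has to remember (session attribute or cookie) that it already tried gateway for this visitor, or an anonymous user is bounced to CAS on every request. The model also lets renew win over gateway, which is what the protocol recommends when both parameters are present.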