Announcement Announcement Module
Collapse
No announcement yet.
CAS - how to detect unavalaible CAS server Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • CAS - how to detect unavalaible CAS server

    Hello,

    I'm using CAS authentication with Spring Security 3.0.5. If the CAS server is not running, browser shows message that server is unavailable. I don't want user to see CAS server URL. Is it possible to redirect browser to some user friendly page? Did anybody resolve such situation?

    Thanks,
    Vladimir

  • #2
    OK, I have an idea. It should be possible to place custom servlet filter into the filter chain. The new filter can ping CAS server and eventually redirect to user friendly error page. Is it right solution?

    Vladimir

    Comment


    • #3
      This doesn't really have anything to do with Spring Security.

      Users will normally see the CAS URL when they login to the server. Why do you want to hide it?

      Comment


      • #4
        Yes, you are right Luke. Users normally see CAS URL if everything goes well. I didn't express my needs exactly. I don't want to confuse users by CAS URL if CAS is down. They usually don't notice/understand redirecting machinery and don't expect CAS URL on white error page.

        Spring Security filters deal with this situation in wrong way. ExceptionTranslationFilter catches AccessDeniedException and then considers the user as anonymous one. Unfortunatelly, AccessDeniedException doesn't hold another useful information about the reason of failure.
        Last edited by harasta; Feb 1st, 2011, 08:16 AM.

        Comment


        • #5
          Whether the SSO server is down or not is beyond Spring Security's control. Spring Security doesn't deal with it at all. The AccessDeniedException has nothing to do with the CAS server's availability.

          You would probably be better to look at making the CAS server itself more robust.

          Comment


          • #6
            Thanks for opinions, Luke. But I cannot agree. See my comments bellow.

            > You would probably be better to look at making the CAS server itself more robust.

            Very funny. I think the CAS server is robust enough. It simply isn't running for some reason.

            > Whether the SSO server is down or not is beyond Spring Security's control.

            Of course, Spring Security is not able to control CAS, but it should be aware of CAS unavailability. An CasIsDownException sounds better than AccessDeniedException, doesn't it?

            Comment


            • #7
              Originally posted by harasta View Post
              Very funny. I think the CAS server is robust enough. It simply isn't running for some reason.
              I think what Luke was trying to say is that you should ensure that the URL resolves to something (i.e. an error page). For what it's worth it's worth I agree with Luke. If I were doing this, I would probably ensure that the CAS URL displays an informative error page. This would take care of the use case where a user navigates directly to the cas server (i.e. bookmarks the login page).

              Originally posted by harasta View Post
              Of course, Spring Security is not able to control CAS, but it should be aware of CAS unavailability. An CasIsDownException sounds better than AccessDeniedException, doesn't it?
              This is a bit of a slippery slope and I don't think it is a good idea for Spring Security to do this by default. Should Spring Security validate internal URL's before redirecting to them? Should Spring Security validate all the URLs before allowing the FilterChain to continue? How does Spring Security know if the URL is valid or not?

              If you really want to validate the URL before redirecting I would write a custom CasAuthenticationEntryPoint and validate before performing the redirect.

              Cheers,

              Comment


              • #8
                Originally posted by rwinch View Post
                I think what Luke was trying to say is that you should ensure that the URL resolves to something (i.e. an error page). For what it's worth it's worth I agree with Luke. If I were doing this, I would probably ensure that the CAS URL displays an informative error page. This would take care of the use case where a user navigates directly to the cas server (i.e. bookmarks the login page).
                I'm relatively new in Spring Security. Maybe I don't get some detail. But how can be worth to ensure if CAS URL displays any page in case of CAS is down. No page displays, even no HTTP error returns.

                Originally posted by rwinch View Post
                This is a bit of a slippery slope and I don't think it is a good idea for Spring Security to do this by default. Should Spring Security validate internal URL's before redirecting to them? Should Spring Security validate all the URLs before allowing the FilterChain to continue? How does Spring Security know if the URL is valid or not?
                I don't think that Spring Security should check out that its configuration is right Tests should check it out.

                Originally posted by rwinch View Post
                If you really want to validate the URL before redirecting I would write a custom CasAuthenticationEntryPoint and validate before performing the redirect.
                Rob, thank you for constructive idea. All the time I have been waiting for something like that. I'll give it a try.

                Vladimir

                Comment


                • #9
                  Originally posted by harasta View Post
                  I'm relatively new in Spring Security. Maybe I don't get some detail. But how can be worth to ensure if CAS URL displays any page in case of CAS is down. No page displays, even no HTTP error returns.
                  It really depends on your infrastructure on how to best go about this. The The simplest example is to ensure you have specified an error page in your web.xml. Another example is to have a Filter that does something like...
                  Code:
                  public void doFilter(ServletRequest req,ServletResponse resp,FilterChain chain) 
                        throws IOException, ServletException {
                    try {
                      chain.doFilter(req,resp);
                    }catch(Throwable t) {
                      // log error
                      // forward or render a pretty error page
                    }
                  }
                  Yet another example, is to have your load balancer have a health check on your application. If the health check fails have the load balancer display an error page. As you can see there are a number of different ways to go about it. The main thing is if a user enters a URL that you own, then the page is rendered or an appropriate error message is displayed.

                  HTH,

                  Comment


                  • #10
                    Rob, thanks for advice and the example. But an error page and a load balancer are definitely dead ends. Believe me.

                    I have read all reactions in this thread again. And again I think of Luke's last advice:
                    > You would probably be better to look at making the CAS server itself more robust.

                    That's the point. Luke might have HW infrastructure on his mind. It would make sense. The CAS server should run on solid HW, simply because it is SSO service.

                    All I can do for users of my application is to let them enter thru an insecured page which checks out availability of services at first. If anything goes wrong after that, users should return to this well-known page and should contact an administrator.

                    Thank you all for kind following of my thoughts.
                    Best regards,
                    Vladimir

                    Comment


                    • #11
                      How to navigate to other authentication like AD when CAS is down

                      Hi,

                      I have a peculiar problem. I want to navigate to a other authentication url(like AD authentication) when Spring CAS server is down.

                      Can you please let me know, how to proceed with this. Initially I would like to know how to identify when the CAS server is down.

                      Thanks in advance.








                      Originally posted by harasta View Post
                      Rob, thanks for advice and the example. But an error page and a load balancer are definitely dead ends. Believe me.

                      I have read all reactions in this thread again. And again I think of Luke's last advice:
                      > You would probably be better to look at making the CAS server itself more robust.

                      That's the point. Luke might have HW infrastructure on his mind. It would make sense. The CAS server should run on solid HW, simply because it is SSO service.

                      All I can do for users of my application is to let them enter thru an insecured page which checks out availability of services at first. If anything goes wrong after that, users should return to this well-known page and should contact an administrator.

                      Thank you all for kind following of my thoughts.
                      Best regards,
                      Vladimir
                      Last edited by RAJANEESH kOLLURI; Nov 18th, 2011, 07:27 AM.

                      Comment


                      • #12
                        Hi,

                        I have a peculiar problem. I want to navigate to a other authentication url(like AD authentication) when Spring CAS server is down.

                        Can you please let me know, how to proceed with this. Initially I would like to know how to identify when the CAS server is down.

                        Thanks in advance.
                        Last edited by RAJANEESH kOLLURI; Nov 18th, 2011, 07:28 AM.

                        Comment


                        • #13
                          CAS Server issue

                          Our requirement is like..
                          we are using 'DelegatingFilterProxy'(SpringFramework) for delegating to CAS server.

                          So, now if the CAS server is down, we need to use AD authentication for authenticating the user.

                          Any ideas/suggestions.

                          Thanks in advance.

                          Raj

                          Comment


                          • #14
                            Maybe you can create a new LDAP provider beneath your CAS provider?

                            Comment


                            • #15
                              How do i do that... can you give me a sample for this.

                              Thanks in advance..

                              Comment

                              Working...
                              X