spring security, spring remoting, cas proxy authentication

  • #16
    I did not have time to look over your code in detail. I will have to do that this weekend. A few things jump out at me when I look over the attached code:

    In security-remoting-cas-965.zip/security.tests/ the CasAuthenticationCommonsHttpInvokerRequestExecutor has a few things that look like they might cause the redirect

    The code is requesting a proxy ticket for /j_spring_cas_security_check, but it looks like the request is being submitted to https://10.128.17.191:8443/securityT...oteTestService. This means that the service used to authenticate the proxy ticket will not match. To fix this you probably want to use postMethod.getURI().toURL().toExternalForm() or something similar for the argument to the getProxyTicketFor method.

    Code:
    createPostMethod(HttpInvokerClientConfiguration config) throws IOException {
        ...
        String ticket = cat.getAssertion().getPrincipal()
            .getProxyTicketFor("https://10.128.17.191:8443/securityTest2/j_spring_cas_security_check");

    Code:
    postMethod.addParameter("ticket", new String(Base64.encode(ticket.getBytes())));

    This should not be Base64 encoded. Just use the String value. The value will automatically be form encoded by http commons.

    The last thing I am not sure if it is an issue or not since I don't have all of your code. Did you ensure that you had a version of AbstractAuthenticationProcessingFilter that calls the successfulAuthentication with a FilterChain argument? I was not able to determine if you had noticed that this was also a change in the code. If it is not used, then the code will not work either.

    Originally posted by piotrj:
    "I'm not familiar with gradle. Honestly speaking I didn't know such a thing exists until now. So forgive my ignorance if the problem is trivial."
    Not a problem...things should just build (you shouldn't need to know anything about gradle other than the command to run things). I appreciate your time in telling me that it is not working and providing information on it. I'm a Linux guy myself so it is good to have someone let us know when things are broken on Windows. It looks like the Gradle issue you are having is related to this. Luke has fixed that in master, but I have not merged with the changes that fix this. I will update the branch this weekend to make it easier for you to try things out (I'll post an update when I do).

    Let me know if you find the initial pointers fixed your problem, otherwise I will try and dig in this weekend.

    Thanks again for taking the time to provide feedback.



    • #17
      I rebased the branch from master so it should fix the gradle issue you had.

      I went ahead and tried to run your sample locally. The changes I mentioned were the only things needed for me to fix authentication. However, since I had never done anything with Spring Remoting I did not realize that specifying the POST parameter would break Spring Remoting. This is because it expects serialized data in the body and not the form encoded ticket. This means despite this being against the specification, you likely will need to use the header if you want to use both CAS and Spring Remoting.

      One takeaway I got out of this is that I should probably provide a method that can easily be overridden for obtaining the artifact (ticket). This would be similar to how the UsernamePasswordAuthenticationFilter allows the obtainUsername(HttpServletRequest) method to be overridden to obtain the username. This would allow you and others to just override a single method to use a header.

      Another takeaway is that the sample should demonstrate how to respond with an HTTP status code for failed authentication when doing proxy authentication. This would give you better error information if the proxy ticket was unable to be authenticated (i.e. the service ticket did not match the one used to create the proxy ticket).

      The last takeaway is I should probably ensure there is a bit better logging going on to help users troubleshoot issues better.

      Thanks again for your feedback,


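The fixes discussed in #16 and #17, combined in one client-side sketch: the proxy ticket is requested for the exact URL the remoting call is sent to, it is passed as a plain string, and it travels in a header so the serialized invocation in the POST body is left intact. This is an added example, not code from the thread or from Spring Security; the class name and the `X-CAS-Proxy-Ticket` header are hypothetical, and the server is assumed to read that header and to validate the ticket against the same request URL.

```java
import java.io.IOException;
import java.net.HttpURLConnection;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical executor (added example): sends a CAS proxy ticket with each
// HTTP invoker call without touching the serialized request body.
public class CasProxyTicketHeaderRequestExecutor extends SimpleHttpInvokerRequestExecutor {

    // Assumed header name; the server-side filter must be configured to read it.
    static final String TICKET_HEADER = "X-CAS-Proxy-Ticket";

    @Override
    protected void prepareConnection(HttpURLConnection connection, int contentLength)
            throws IOException {
        super.prepareConnection(connection, contentLength);

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof CasAuthenticationToken)) {
            // Fail closed instead of sending an unauthenticated remoting call.
            throw new IOException("No CAS authentication in the security context");
        }
        AttributePrincipal principal =
                ((CasAuthenticationToken) auth).getAssertion().getPrincipal();

        // Request the ticket for the URL actually being invoked, so the service
        // presented at validation matches the one the ticket was issued for.
        String service = connection.getURL().toExternalForm();
        String ticket = principal.getProxyTicketFor(service);
        if (ticket == null) {
            // The CAS client returns null when no proxy ticket could be obtained.
            throw new IOException("CAS did not issue a proxy ticket for " + service);
        }

        // Plain string value: no Base64, and no form parameter in the body.
        connection.setRequestProperty(TICKET_HEADER, ticket);
    }
}
```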

      • #18
        I have a similar issue. However I am unable to make the stateless configuration work. I posted my particular issue here:
        http://forum.springsource.org/showth...load-balancing

        Any help is greatly appreciated.



        • #19
          You likely do not want to do this anyways since there would be an extra request each time you want a protected resource. Additionally stateless authentication does not get used so you have to get a new proxy ticket each time. The branch does not require a redirect for proxy ticket authentication and it allows for stateless mode to be used when doing proxy ticket authentication.



          • #20
            Hello, I am new to Spring and I am facing the same problem mentioned in this post. I am not able to send my proxy ticket received from CAS server to server C and thus not able to authenticate server C.

            Basically, I am invoking a REST URL from server B (which is a Spring MVC app). I have added Spring-related configurations in server C (that is exposing REST services).
            I am trying to configure HTTP invoker as mentioned in the post, but I am confused about what the "security.test2.service.RemoteTestService" mentioned in the post is.

            <bean id="remoteService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
                <property name="serviceUrl" value="https://10.128.17.191:8443/securityTest2/remoting/RemoteTestService" />
                <property name="serviceInterface" value="security.test2.service.RemoteTestService" />
                <property name="httpInvokerRequestExecutor">
                    <!-- <bean class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor" /> -->
                    <bean class="org.springframework.security.remoting.httpinvoker.CasAuthenticationCommonsHttpInvokerRequestExecutor" />
                </property>
            </bean>

            Is it required in my case also? Or please guide me how to send the proxy ticket to server C.

            Thanks
