Re: [cas-user] WebApp render to 404 after granting ticket from CAS


Ray Bon

Nov 4, 2020, 1:26:34 PM
to cas-...@apereo.org
Sagar,

What happens when you browse directly to inb9fnhr.nwmissouri.edu:8443/MyNWSSO/?

This sounds like a problem with your application configuration and not cas. Or are you asking how to configure your cas client?

Ray

On Wed, 2020-11-04 at 09:56 -0800, sagar ghimire wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,
I have configured CAS in my Spring Boot app and when I log in it renders to 404 not found with the Service Ticket.
Attached is the error image that I got.


Thanks
Sagar

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

sagar ghimire

Nov 4, 2020, 1:33:32 PM
to cas-...@apereo.org
Hello Ray,
I have configured my Spring Boot app, but I think the problem is that when CAS redirects to my webapp with the Service Ticket, my web app is not revalidating the ticket with the CAS server again. The reference that I have taken for this webapp is from 
Also I have attached the error. When I hit inb9fnhr.nwmissouri.edu:8443/MyNWSSO/ it renders to sign in, and after sign in I got 404.


Thanks

Sagar Ghimire
Software Developer
Northwest Missouri State University



Capture.PNG

Ray Bon

Nov 4, 2020, 1:57:18 PM
to cas-...@apereo.org
Sagar,

The ST handler must be publicly accessible. If inb9fnhr.nwmissouri.edu:8443/MyNWSSO/ takes you to cas login, it will not be able to receive the ST, but redirect to cas for login in an endless loop.
What is happening on the line above the red one in the image?

Ray

sagar ghimire

Nov 4, 2020, 3:11:25 PM
to cas-...@apereo.org
Ray,
I have attached the image before the red line one. Also I was looking at the server logs and found:

2020-11-04 12:16:05.770 ERROR 13281 --- [nio-8443-exec-4] o.s.b.w.servlet.support.ErrorPageFilter  : Forwarding to error page from request [/] due to exception [org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.springframework.security.cas.authentication.CasAuthenticationToken]

java.lang.ClassCastException: org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.springframework.security.cas.authentication.CasAuthenticationToken




It looks like token casting is the problem that I have been encountering. Any suggestions?


Thank you
Sagar

Capture.PNG

Ray Bon

Nov 4, 2020, 5:07:45 PM
to cas-...@apereo.org
Sagar,

Turn up logging in spring. Try to figure out what token is.

Ray

sagar ghimire

Nov 5, 2020, 9:54:57 AM
to cas-...@apereo.org
Hello Ray,
I have turned on the logging for my application and this is what I got.
The token is org.springframework.security.authentication.AnonymousAuthenticationToken@5367e0b6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 10.2.101.208; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-11-05 08:42:10.167 ERROR 21715 --- [nio-8443-exec-4] o.s.b.w.servlet.support.ErrorPageFilter  : Cannot forward to error page for request [/] as the response has already been committed. As a result, the response may have the wrong status code. If your application is running on WebSphere Application Server you may be able to resolve this problem by setting com.ibm.ws.webcontainer.invokeFlushAfterService to false


It looks like I am getting logged in but getting rendered to the error page for some reason.
This is what my controller looks like.
package com.mynw.sso.Controller;

import com.mynw.sso.CASConfig;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

import java.sql.SQLOutput;
import java.util.logging.Logger;

@Controller
public class SSOController {

    @GetMapping("/")
    public String index(Model model) {
        SecurityContext ctx = SecurityContextHolder.getContext();
        AnonymousAuthenticationToken aat = (AnonymousAuthenticationToken) ctx.getAuthentication();
        System.out.println("The token is " + aat);
        model.addAttribute("UserName", aat.toString());

        return "index";
    }
}
Thanks
Sagar

Ray Bon

Nov 5, 2020, 11:36:17 AM
to cas-...@apereo.org
Sagar,

I thought spring security provided everything, all you have to do is add some config.
Do you need this SSOController?

Maybe look at the spring documentation to see how they suggest configuration.

Ray

On Thu, 2020-11-05 at 08:54 -0600, sagar ghimire wrote:
Hello Ray,

sagar ghimire

Nov 6, 2020, 11:40:52 AM
to cas-...@apereo.org
Hello Ray,
I have changed the configuration and got this from the log file. But the URL is redirecting too many times, causing ERROR TOO MANY REDIRECTS.
From Log file:
2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter    : serviceTicketRequest = false
2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter    : proxyReceptorConfigured = false
2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter    : proxyReceptorRequest = false
2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter    : proxyTicketRequest = false
2020-11-05 15:51:21.877 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.cas.web.CasAuthenticationFilter    : requiresAuthentication = false
2020-11-05 15:51:21.878 DEBUG 13867 --- [https-jsse-nio-8443-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9972129b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.2.101.208; SessionId: 46E280D90E89E9935FE52EA62CA29C65; Granted Authorities: ROLE_ANONYMOUS'
Looks like I am authenticated but it redirects too many times.

Any Suggestions?

Thanks
Sagar

Ray Bon

Nov 6, 2020, 12:01:34 PM
to cas-...@apereo.org
Sagar,

Too many redirects means that the ST/token can not be validated.
The client app must send the ST to cas for validation. So either cas is unable to verify the ST or it does not receive it. This could be the result of many things. Start by setting cas server logs to debug. 
You will want to make sure your servers have clocks synced and you are using https (if self signed certs, you may have to add them to the java keystore).

Ray
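
One way to wire a Spring Security CAS client so that the ST handler Ray mentions can receive the ticket and send it to CAS for validation, as an added example that is not code from this thread: the service URL registered with CAS is the same path CasAuthenticationFilter listens on, and every other path requires an authenticated user. The property names, the `/login/cas` callback path and the `ROLE_USER` authority are assumptions.

```java
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

// Added example: property names, callback path and ROLE_USER are assumptions.
@Configuration @EnableWebSecurity
public class CasCallbackSecurityConfig extends WebSecurityConfigurerAdapter {
    static final String CALLBACK = "/login/cas";          // where CAS sends ?ticket=ST-...
    @Value("${example.app.base-url}") String appBaseUrl;  // scheme://host:port/context
    @Value("${example.cas.prefix}") String casPrefix;     // CAS server URL prefix
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(appBaseUrl + CALLBACK); // must equal the filter URL set below
        return sp;
    }
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas30ServiceTicketValidator(casPrefix)); // back-channel validation
        p.setAuthenticationUserDetailsService(t ->
            new User(t.getName(), "", AuthorityUtils.createAuthorityList("ROLE_USER")));
        p.setKey("example-provider-key");
        return p;
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casAuthenticationProvider());
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CasAuthenticationEntryPoint entry = new CasAuthenticationEntryPoint();
        entry.setLoginUrl(casPrefix + "/login");
        entry.setServiceProperties(serviceProperties());
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setFilterProcessesUrl(CALLBACK); // requests here are treated as ST requests
        filter.setAuthenticationManager(authenticationManager());
        http.exceptionHandling().authenticationEntryPoint(entry).and().addFilter(filter)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

With debug logging on, a callback that reaches the filter at the configured path logs `serviceTicketRequest = true`; a value of `false` on the request carrying the ticket means the service URL and the filter path do not line up.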

sagar ghimire

Nov 7, 2020, 11:47:26 PM
to cas-...@apereo.org, rb...@uvic.ca
Hello Ray,

I talked with my DBA and he said we do have an SSL certificate on our server. Tried everything else but couldn't find the solution. There was nothing in the cas server logs. It's the same as my application logs. I am not sure what I am missing, it's really frustrating. Here is my configuration.
package com.mynw.sso;

import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import java.util.*;

@Configuration
@EnableWebSecurity
public class WebCASSecurity extends WebSecurityConfigurerAdapter {
    @Value("${cas.service.login}")
    String CAS_URL_LOGIN;
    @Value("${cas.service.logout}")
    String CAS_URL_LOGOUT;
    @Value("${cas.url.prefix}")
    String CAS_URL_PREFIX;
    @Value("${cas.ticket.validate.url}")
    String CAS_VALIDATE_URL;
    @Value("${app.service.security}")
    String CAS_SERVICE_URL;
    @Value("${app.service.home}")
    String APP_SERVICE_HOME;
    // @Value("${app.admin.userName:admin}")
    // String APP_ADMIN_USER_NAME;
    // @Bean
    // public Set<String> adminList() {
    //     Set<String> admins = new HashSet<String>();
    //     admins.add(APP_ADMIN_USER_NAME);
    //     return admins;
    // }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(casAuthenticationEntryPoint()).and().addFilter(casAuthenticationFilter())
                // .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
                .addFilterBefore(requestCasGlobalLogoutFilter(), LogoutFilter.class)
                .authorizeRequests()
                .antMatchers("/**")
                .access("hasRole('ROLE_ANONYMOUS')");
    }

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(CAS_SERVICE_URL);
        sp.setSendRenew(false);
        return sp;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(Cas30ServiceTicketValidator());
        casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
        return casAuthenticationProvider;
    }

    @Bean
    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService() {
        return new CustomUserDetailsService();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/fonts/**").antMatchers("/images/**").antMatchers("/scripts/**").antMatchers("/styles/**")
                .antMatchers("/views/**").antMatchers("/i18n/**").antMatchers("/webjars/**");
    }

    @Bean
    public SessionAuthenticationStrategy sessionStrategy() {
        SessionAuthenticationStrategy sessionStrategy = new SessionFixationProtectionStrategy();
        return sessionStrategy;
    }

    @Bean
    public Cas30ServiceTicketValidator Cas30ServiceTicketValidator() {
        return new Cas30ServiceTicketValidator(CAS_VALIDATE_URL);
    }

    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl(CAS_URL_LOGIN);
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    // public SingleSignOutFilter singleSignOutFilter() {
    //     SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
    //     singleSignOutFilter.setCasServerUrlPrefix("https://nwmsueist01.nwmissouri.edu:9443/cas");
    //     return singleSignOutFilter;
    // }

    @Bean
    public LogoutFilter requestCasGlobalLogoutFilter() {
        LogoutFilter logoutFilter = new LogoutFilter(
                CAS_URL_LOGOUT + "?service=" + APP_SERVICE_HOME,
                new SecurityContextLogoutHandler());
        logoutFilter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"));
        return logoutFilter;
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        casAuthenticationFilter.setSessionAuthenticationStrategy(sessionStrategy());
        return casAuthenticationFilter;
    }
}


Ray Bon

Nov 9, 2020, 11:51:06 AM
to sagargh...@gmail.com, cas-...@apereo.org
Sagar,

Let's back up for a moment.
Why are you creating classes to process login?

Is there some reason why the java cas client will not work with spring boot in your application?

Take a look at the documentation, https://github.com/apereo/java-cas-client. Set up your application with those instructions first.

Ray

On Sat, 2020-11-07 at 22:47 -0600, sagar ghimire wrote:
Hello Ray,
