CAS 6.6.5 to 7.0.4 - customized css and js with prohibited access from html.

Leonardo Ferreira

May 14, 2024, 8:09:50 AM
to CAS Community
Hi everyone!

I'm migrating from version 6.6.15 to 7.0.4 and I'm facing a small problem.
My customized html pages are unable to access the .css and .js files that are also customized.
It is important to comment that in version 6.6.15 everything works perfectly.

My files are in the following structure:
src:
 - main:
   - resources:
      - templates:
           - fragments
           - login
           - logout 
           layout.html
      - static:
           - ect:
              - css
              - js
              - img
               loginform.css

My layout.html file has the following references:
    <link rel="shortcut icon" th:href="@{/ect/img/favi-ect.png}" type="image/x-icon"/>
    <link rel="stylesheet" th:href="@{/ect/css/bunker.css}" type="text/css">
    <link rel="stylesheet" th:href="@{/ect/css/global.css} + '?v=2'" type="text/css">
    <link rel="stylesheet" th:href="@{/ect/loginform.css}" type="text/css">
  ...
    <script th:src="@{/ect/js/bunker.js}"></script>
    <script th:src="@{/ect/js/alertaerro.js}"></script>
    <script th:src="@{/ect/js/menu.js}"></script>
    <script type="text/javascript" th:src="@{#{webjars.jquery.js}}"></script>

The strange thing is that in the browser console I get 403 errors. Ex:

GET http://localhost:8080/ect/css/bunker.css net::ERR_ABORTED 403 (Forbidden)
GET http://localhost:8080/ect/js/alertaerro.js net::ERR_ABORTED 403 (Forbidden)

Has anyone gone through something similar or could guide me on how to get around this issue?

Thank you for the help!

Leonardo.

Meysam Shirazi

May 14, 2024, 12:11:21 PM
to CAS Community, Leonardo Ferreira
Hi Leonardo

I guess the main cause is that /ect is not in the list of secure paths of the application. Spring Boot, by default, permits access to /css/**, /js/**, /images/**, and /**/favicon.ico. You can use a custom theme for this purpose.

Leonardo Ferreira

May 14, 2024, 12:11:21 PM
to CAS Community, Leonardo Ferreira
After researching a little, I discovered that in version 7.0.x a new class was added restricting access to the application directories. The class name is: CasWebSecurityConfigurerAdapter
After inspecting it, I changed the directory structure and it started working again.

src:
 - main:
   - resources:
      - templates:
           - fragments
           - login
           - logout 
           layout.html
      - static:
              - css
              - js
              - img
               loginform.css
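
An added example, not part of the original posts and not CAS code: a small Python audit that lists the `@{...}` asset references in a Thymeleaf template that fall outside a set of path prefixes assumed to be served without authentication. The prefix list is an assumption taken from the reply above, and the function names and the template excerpt (built from the css/js references in the first post) are constructed for illustration.

```python
import re

# Assumption: path prefixes served without authentication, as listed in the
# reply above. Replace with the list your CAS version actually applies.
ASSUMED_OPEN_PREFIXES = ("/css/", "/js/", "/images/")

# th:href / th:src link expressions, e.g. th:href="@{/ect/css/bunker.css}".
LINK_EXPR = re.compile(r'th:(?:href|src)\s*=\s*"@\{([^}"]*)\}')


def linked_paths(template_html):
    """Return the literal context-relative paths referenced via @{...}."""
    paths = []
    for raw in LINK_EXPR.findall(template_html):
        # Nested expressions such as @{#{webjars.jquery.js}} are resolved at
        # render time and cannot be checked statically, so skip them.
        if not raw.startswith("/"):
            continue
        # Drop Thymeleaf URL parameters "(v=2)" and literal query strings.
        paths.append(raw.split("(", 1)[0].split("?", 1)[0])
    return paths


def outside_open_prefixes(template_html, open_prefixes=ASSUMED_OPEN_PREFIXES):
    """Referenced paths under none of the open prefixes (403 candidates)."""
    return [p for p in linked_paths(template_html)
            if not any(p.startswith(prefix) for prefix in open_prefixes)]


# Constructed excerpt based on the layout.html references in the first post.
BEFORE = """
<link rel="stylesheet" th:href="@{/ect/css/bunker.css}" type="text/css">
<link rel="stylesheet" th:href="@{/ect/css/global.css} + '?v=2'" type="text/css">
<script th:src="@{/ect/js/bunker.js}"></script>
<script type="text/javascript" th:src="@{#{webjars.jquery.js}}"></script>
"""
# Constructed: the same references once the /ect level has been removed.
AFTER = BEFORE.replace("@{/ect/", "@{/")

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        print(label, outside_open_prefixes(html))
```

Running it over every file under `templates/` before an upgrade gives the list of references to move or to allow explicitly.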

Leonardo Ferreira

May 15, 2024, 7:59:04 AM
to CAS Community, Meysam Shirazi, Leonardo Ferreira
Thank you Meysam!

Petr Bodnár

Oct 29, 2024, 9:36:23 PM
to CAS Community, Leonardo Ferreira, Meysam Shirazi
Hi there,

thanks for sharing your findings! We have run into a similar issue that is possibly caused by the same thing:

Via a custom @RestController, we provide a page on a custom path, say /mypage. And since CAS 7.0.x, we get error 403 when accessing this page. It looks like CAS (Spring??) no longer lets you access contexts which are not explicitly listed. In CAS, this seems to be resolved by providing a bean of type CasWebSecurityConfigurer, e.g.:

    @Bean
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    public CasWebSecurityConfigurer<Void> customPagesEndpointsConfigurer() {
        return new CasWebSecurityConfigurer<>() {
            @Override
            public List<String> getIgnoredEndpoints() {
                return List.of("/mypage");
            }
        };
    }

Technically, instead of that, we could just change the URL to /v1/mypage for example, because /v1 is already listed by CAS out-of-the-box.

It would be great if someone could confirm these findings.

Regards
Petr