Customize CasWebSecurityConfigurerAdapter to allow custom endpoint


Ankit Kumar

Jan 20, 2025, 1:15:07 PM
to CAS Community
I was able to add a bean in CasOverlayOverrideConfiguration of the CAS overlay project, and I am able to see my new controller endpoint in localhost:8443/cas/swagger-ui/index.html. Now I have been trying to look for a way to update CasWebSecurityConfigurerAdapter so that I can add my endpoint for CasWebSecurityConfigurerAdapter : Configuring protocol endpoints [[/login**, /login/**, /logout**, /logout/**, /validate**, ... to exclude/ignore from HTTP security.

My main goal is to create a new endpoint and then create a service class which would extend AbstractUsernamePasswordAuthenticationHandler and then override authenticateUsernamePasswordInternal.

We currently do that for CAS 3.x, and as part of upgrading to 7.1.3 we are essentially rewriting the app.

I have been stuck on this problem for at least a week and would appreciate some help.

Thanks

Ankit Kumar

Jan 20, 2025, 10:57:40 PM
to CAS Community, Ankit Kumar
Figured out the solution; just posting here if it helps anyone.

I created a custom config endpoint to ignore my endpoint and then added the filename in org.springframework.boot.autoconfigure.AutoConfiguration.imports so that it can discover the config class.

    package com.test.config;

    import org.apereo.cas.CasProtocolConstants;
    import org.apereo.cas.web.CasWebSecurityConfigurer;
    import org.apache.commons.lang3.StringUtils;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Primary;

    import java.util.List;

    @Configuration
    public class CustomCasCoreWebEndpointsConfiguration {

        @Bean
        @Primary // Optional: Makes this bean the preferred one if there are multiple beans of the same type
        public CasWebSecurityConfigurer<Void> casProtocolEndpointConfigurer() {
            return new CasWebSecurityConfigurer<Void>() {
                @Override
                public List<String> getIgnoredEndpoints() {
                    // Custom implementation
                    return List.of(
                        StringUtils.prependIfMissing(CasProtocolConstants.ENDPOINT_LOGIN, "/"),
                        StringUtils.prependIfMissing(CasProtocolConstants.ENDPOINT_LOGOUT, "/"),
                        StringUtils.prependIfMissing(CasProtocolConstants.ENDPOINT_VALIDATE, "/"),
                        StringUtils.prependIfMissing(CasProtocolConstants.ENDPOINT_SERVICE_VALIDATE, "/"),
                        StringUtils.prependIfMissing(CasProtocolConstants.ENDPOINT_PROXY, "/"),
                        "/sso/status" // Add your custom endpoint here
                    );
                }
            };
        }
    }
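An added example, not part of the original post and not CAS code: a small audit that shows which paths end up outside HTTP security once an entry such as "/sso/status" is put on the ignore list. It assumes each entry is expanded to `entry**` and `entry/**`, as the log line quoted in the first post suggests, and that matching is Ant-style as implemented by Spring's `AntPathMatcher`; the class name `IgnoredEndpointAudit` and the sample paths are hypothetical.

```java
import org.springframework.util.AntPathMatcher;

import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (added example): audits an ignored-endpoint list before it ships.
public class IgnoredEndpointAudit {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Assumed expansion, taken from the logged patterns "/login**, /login/**".
    static List<String> expand(List<String> endpoints) {
        List<String> patterns = new ArrayList<>();
        for (String endpoint : endpoints) {
            patterns.add(endpoint + "**");   // same prefix inside one path segment
            patterns.add(endpoint + "/**");  // everything below the endpoint
        }
        return patterns;
    }

    // Returns every path from mustStayProtected that an ignore pattern would match,
    // together with the pattern responsible.
    static List<String> exposed(List<String> endpoints, List<String> mustStayProtected) {
        List<String> patterns = expand(endpoints);
        List<String> hits = new ArrayList<>();
        for (String path : mustStayProtected) {
            for (String pattern : patterns) {
                if (MATCHER.match(pattern, path)) {
                    hits.add(path + " <- " + pattern);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Same entries as the configuration above, written as literals.
        List<String> ignored = List.of("/login", "/logout", "/validate",
                "/serviceValidate", "/proxy", "/sso/status");
        // Constructed sample paths that are meant to require authentication.
        List<String> sensitive = List.of("/sso/status/impersonate",
                "/sso/statusAdmin", "/sso/users", "/actuator/env");
        // Any line printed here is a path the ignore list leaves unauthenticated.
        exposed(ignored, sensitive).forEach(System.out::println);
    }
}
```

A path reported by `exposed` is served without Spring Security in front of it, so the controller behind it has to enforce its own access control or be moved out from under the ignored prefix.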

Ray Bon

Jan 20, 2025, 10:58:01 PM
to cas-...@apereo.org
Ankit,

A lot has changed since the dark ages of CAS 3.x.
Perhaps what you needed in 3.x is no longer required, or perhaps has been implemented.
If you need to create a custom authentication handler, see https://apereo.github.io/cas/7.1.x/authentication/Configuring-Custom-Authentication.html
For additional resources see https://fawnoos.com/blog/

I do not understand why you need to exclude those cas endpoints from security. 


Ray

Ankit Kumar

Jan 23, 2025, 5:23:55 AM
to CAS Community, Ray Bon
Thanks Ray, for your help and pointers.

So essentially our CAS server serves as a backend app and the frontend is an Angular app, and the customizations we did for CAS 3.x involved a lot of endpoints around impersonation, SAML and other attributes. My understanding could be wrong, but there seem to be only a limited number of endpoints that CAS exposes by default as REST endpoints.

Looking to learn more together. Appreciate the help again

abdessamad kech

Jan 23, 2025, 7:47:38 AM
to CAS Community, Ankit Kumar, Ray Bon
Hi Ankit,
Happy to hear that you solved it.
I want your help with how to configure Angular to call CAS services that are protected by the CAS server. I am having trouble with Angular because it receives the CAS login page as an API response.

How do you handle redirection to the login in Angular?
Thank you

Ray Bon

Jan 23, 2025, 10:52:37 PM
to cas-...@apereo.org, ankit....@savvas.com
Ankit,

There is a REST protocol for CAS. All of the login endpoints are available: https://apereo.github.io/cas/7.1.x/protocol/REST-Protocol.html

Ray

On Wed, 2025-01-22 at 19:38 -0800, Ankit Kumar wrote: