CAS Spring Security SSO and "Skipping" The Entry Point

[Colin Ryan]

Folks,

So in the initial iteration of my project I had my spring security application working as it should w.r.t. to the common design/functional patterns for Spring Security and CAS.

Let's call this Application A)

My http security definition was as follows.

 http
     .addFilter(casAuthenticationFilter(serviceProperties))
      .authorizeRequests()
        .regexMatchers("/desktop.*")
        .authenticated()
        .and()
        .authorizeRequests()
        .regexMatchers("/")
        .permitAll()
        .and()
        .httpBasic()
        .authenticationEntryPoint(authenticationEntryPoint)
      .and()
      .logout().logoutSuccessUrl("/logout")
      .and()
      .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
      .addFilterBefore(logoutFilter, LogoutFilter.class);

With this I would be able to go to my application, it would direct me to the / context and a "Login" link  to href=/desktop on this unauthenticated root page would trigger a redirect over to CAS for authentication then return to the /desktop page, full access

to session and user attribute data etc etc. All happy.

Now I'm working on SSO'ing into this application from another URL on a different server (same domain).

With this I go to Application B, end up authenticating to CAS all find and dandy.

Then when I go to Application A directly to the /desktop URL it turns around and takes me to the / of the application (as I'd kind of expect but don't want). Now if I hit the Login link it in fact does NOT take me back to CAS but SSO's me in and I can see the users attributes as I'd expect from the user I authenticated to in Application B. So it's essentially working.

But I'd like to do is be able to "skip" the entry point so to speak so I can drop directly from authentication on Application B over to the  /desktop URL of Application A without having to get directed to the root context and hit the Link to /desktop.

Or put another way, I have no need to have Application A actually redirect over to CAS, I just need it to not be anonymous and accept the SSO from CAS.

Not sure If this makes any sense.

Thanks.

Colin

[Ray Bon]

Colin,

This looks to be an application config issue and not related to cas [server or client].

Is the "Login" link to A/desktop, or is it something else like domain/cas/login?service=A/desktop?

Ray

On Fri, 2020-12-18 at 16:03 -0500, Colin Ryan wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Colin Ryan]

The login link is A/desktop which matches and the serviceProperties definition is A/desktop/auth

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d3cc1cb401c22cfabe887e332c4623dc398b9ff5.camel%40uvic.ca.

[Colin Ryan]

Ray et al.

Just some closure. Indeed was application error. Mismatch between the URL of the CASAuthenticationFilter and serviceProperties

Thanks

Have a Safe Holiday everyone.

Colin

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9e27895c-d8a8-a382-5150-f6cf99598d89%40caveo.ca.