CAS 5.0.0.RC3 - How to configure the delegation to another CAS server?


Lewis Henderson

Oct 22, 2016, 2:55:52 PM
to CAS Community
All,

I have a requirement to 'chain' two CAS servers.

My issue is that I am integrating with a third party that uses a CAS server that I have no control over.

I would like to use CAS as the security server into an OAuth2 micro-service network (CAS as OAuth2 Server) but redirect login to the 3rd Party CAS server.

I have looked through the code and it seems as though if I manage to get it configured, it will show my login screen but with a link to the configured delegate server.

Two questions:

  1. How do I configure this on my CAS server?
  2. If there is only one provider, would it be possible to redirect there directly, showing their login screen without the need to show mine? The reason for this is that theirs is branded with their logos etc...

Cheers


Erdal Gunyar

Oct 24, 2016, 8:15:05 AM
to CAS Community
Hi,

I didn't get your use case at all, but to quickly answer your questions:
- Configure: CAS 5 is basically "all by configuration":

- Branding: use overlay mechanisms to make your own UI:

Cheers,

Erdal.

Martin Bohun

Oct 24, 2016, 8:30:11 AM
to CAS Community
Hi Lewis,

This is just a confirmation question: are you trying to delegate/forward an auth request from one CAS server to another CAS server?
As shown in the following diagram (right-bottom corner):



Well, if yes, then the answer is (also) yes: I did test that setup and it works fine.

cheers,

martin

Lewis Henderson

Oct 24, 2016, 9:03:10 AM
to CAS Community
Martin,

Yes, I think your diagram shows it well.

What I would eventually like is to have the OAuth network protected by a CAS server.

The CAS server can be configured to provide authentication itself, as is the default, or, as in this case, delegate authentication to another CAS server, using its UI etc.

What configuration is required to do the delegation in this case?

I have added the cas-server-support-pac4j-webflow dependency and set the cas.server.authn.pac4j.cas.loginUrl and protocol. What else, if anything, is required?

I currently get the redirect but on successful authentication, the redirect back to my CAS server fails.

I am not in the office at the moment, but will post the issue when I return....


Cheers!

Lewis Henderson

Oct 26, 2016, 7:46:06 AM
to CAS Community

Here is my attempt at a diagram!

I am in control of everything inside the red box.

What I have:
  1. User hits MyApp url and is redirected to CAS 5.0.0, which shows my login screen.
  2. User logs in Ok.
  3. User redirected back to MyApp Ok.
What I need to do:
  1. User hits MyApp url and is redirected to CAS 4.x to show 3rd Party login screen.
  2. User logs in.
  3. User redirected back to MyApp.
The reason for this setup is that I need to use the 3rd party CAS server if there is one, else use my own.
Everything inside the red box is secured by OAuth2.

I have added the cas-server-support-pac4j-webflow dependency and configured the cas.authn.pac4j.cas.loginUrl to point to the CAS 4.x server's /login url and set the protocol to CAS30.

I do not get redirected to the CAS 4.x server for login. Am I misunderstanding something or should this work?


Cheers
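For readers following the thread, here is what the setup Lewis describes looks like as a CAS 5.0 overlay configuration. This is an added example, not configuration posted by Lewis or shipped by the CAS project; the property names are the ones the post cites (cas.authn.pac4j.cas.loginUrl / protocol), the module is cas-server-support-pac4j-webflow added to the overlay's pom.xml, and the hostnames are assumptions:

```properties
# Added example (not from the thread). Hostnames are assumed.
# application.properties of the CAS 5.0 overlay, with
# org.apereo.cas:cas-server-support-pac4j-webflow:${cas.version} in pom.xml.

# Public URL of the delegating CAS 5 server. pac4j derives the callback
# URL for the delegate from this prefix (assumed: ${cas.server.prefix}/login).
cas.server.name=https://cas5.example.org
cas.server.prefix=${cas.server.name}/cas

# Delegate login to the third-party CAS 4.x server (pac4j CasClient).
# loginUrl must be the third party's /login endpoint, not its base URL.
cas.authn.pac4j.cas.loginUrl=https://cas4.thirdparty.example/cas/login
cas.authn.pac4j.cas.protocol=CAS30

# Keep the default services JSON registry for MyApp's own registration.
cas.serviceRegistry.config.location=classpath:/services
```

Two checks worth making before blaming the webflow. First, the return leg only works if the third-party CAS 4.x has your CAS 5 callback URL (the value of cas.server.prefix followed by /login, plus the client_name query parameter pac4j appends) registered as an allowed service; a CAS server rejects unregistered service URLs by default, which matches the symptom of the redirect back failing after a successful login. Second, pac4j's CAS client validates the ticket it receives against the upstream server, so the CAS 5 host must be able to reach the CAS 4.x validation endpoint over HTTPS with a certificate its JVM trusts.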

Martin Bohun

Oct 26, 2016, 8:35:54 AM
to CAS Community
Hi Lewis,

As I mentioned/showed previously in my diagram, I tried successfully forwarding/delegating auth from a cas-4.0.x server to an older cas-3.x server. I will look if I still have the whole project/repo in one of my backups, but in a nutshell all I did was:

- add to the cas-4.0.x server's pom.xml cas-server-support-pac4j

- add to your project the pac4j repos

- add pac4j-cas

- add the configuration for delegating auth to another cas server (it was cas-3.x in my case) to the cas-4.0.x's applicationContext.xml (the same way like in this example i do for oauth2.0: https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml#L44-L71)


The whole source of my OAuth2.0 is free/open source; you can use that as an example, adjusting it to your needs (replacing the OAuth2.0 parts with CAS). I will meanwhile try to look in my backups for the cas-delegating-auth-to-another-cas example.

cheers,

martin 

Lewis Henderson

Oct 26, 2016, 8:36:49 AM
to CAS Community
After more digging...

The CAS 5.0.0.RC3 login page is rendered with a hidden link to the CAS client.

If I unhide the link in Chrome and click it, I get...

org.springframework.webflow.engine.NoMatchingTransitionException: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'clientAction' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array['stopWebflow']', while the supported set of transitional criteria for this action state is 'array[success, error, stop]'
	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:130)
	at org.springframework.webflow.engine.State.enter(State.java:194)
	at org.springframework.webflow.engine.Flow.start(Flow.java:527)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
	at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
	at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
	at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
	at com.sun.proxy.$Proxy166.launchExecution(Unknown Source)
	at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apereo.cas.web.support.CurrentCredentialsAndAuthenticationClearingFilter.doFilter(CurrentCredentialsAndAuthenticationClearingFilter.java:28)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:238)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:105)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:90)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:107)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)