CAS 7.0.4 Can't get cas-management (7.0.0-SNAPSHOT) to authenticate to CAS


Tom Reijnders

May 14, 2024, 12:11:20 PM
to CAS Community
I am trying to migrate from CAS 6.6.15 to CAS 7.04 (because I could not get Password reset working on 6.6.15).

Password reset is working fine, but if I try to login to cas-management I end up in a redirection loop.

I use the overlays generated by getcas.apereo.org/ui (CAS 7.0.4, cas-management 7.0.0-SNAPSHOT) and deployed using tomcat11 (behind an apache reverse proxy).

If I browse to cas-management, it redirects to cas (as expected). If I log in as the user mentioned in the users.json file configured in management.properties I get redirected to


So far so good. But then I get redirected to cas again (that verifies the ticket) and redirects to cas-management, etc.

What am I doing wrong??

The service definition for cas-management is as follows:

{
  @class: org.apereo.cas.services.CasRegisteredService
  serviceId: ^https://cas.XXXXX/cas-management.*
  name: CAS Management
  id: 1001
  description: Management of CAS enabled services
  evaluationOrder: 5
  logoutUrl: https://cas.XXXXX/cas-management/logout
}


Regards,

Tom

Ray Bon

May 14, 2024, 12:25:50 PM
to cas-...@apereo.org
Tom,

I am experiencing the same problem (too many redirects).
I will be comparing the behaviour of cas-management 6.5 to 7-snapshot today.

Ray


Tom Reijnders

May 15, 2024, 3:30:01 AM
to CAS Community, Ray Bon
Hi Ron,

Thank you for looking into this. Let me know if I can do something to help.

Cheers,

Tom

Tom Reijnders

May 15, 2024, 6:08:48 AM
to CAS Community
Sorry Ray! I have no idea where Ron is coming from.

Ray Bon

May 16, 2024, 8:41:43 AM
to cas-...@apereo.org
I have been able to determine that the problem results from cas-management not knowing how to handle the callback [from cas].
In cas-management 6.5, if one directly accesses the callback endpoint, https://local.uvic.ca/cas-management/callback
the log shows the CALLBACK code/filter being activated:

cas-management | 2024-05-15 20:21:40,263 DEBUG [ org.pac4.spri.secu.web.CallbackFilter] - <path: /callback | suffix: /callback> [https-openssl-nio-8443-exec-9]
cas-management | 2024-05-15 20:21:40,263 DEBUG [ org.pac4.core.engi.DefaultCallbackLogic] - <=== CALLBACK ===> [https-openssl-nio-8443-exec-9]

No redirect to cas, just a message that cas-management is unavailable.

In v7-SNAPSHOT, the SECURITY code/filter is activated:

cas-management | 2024-05-15 20:33:03,637 INFO [ org.pac4.core.adap.FrameworkAdapter] - <Using Spring Security framework adapter> [https-openssl-nio-8443-exec-3]
cas-management | 2024-05-15 20:33:03,650 DEBUG [ org.pac4.core.engi.DefaultSecurityLogic] - <=== SECURITY ===> [https-openssl-nio-8443-exec-3]

And there is a redirect to cas.
The callback endpoint is behind security (when it should not be).

If you need to access cas-management, turn off cas authn

mgmt.cas-sso=false

and use spring security login default:
username: user
password:

logged on first access to the application:

cas-management | 2024-05-15 20:30:13,159 WARN [spri.boot.auto.secu.serv.UserDetailsServiceAutoConfiguration] - <
cas-management |
cas-management | Using generated security password: 5243a8b5-cd24-47e7-9f46-103fee3c2ebb


Ray



Tom Reijnders

May 18, 2024, 10:20:17 PM
to CAS Community
Hi Ray,

Apologies for the late reply. Thank you for this. This allows me to go forward. It works like a charm. I assume at some point the fact that the SECURITY filter is activated will be fixed in the future.

I had a brief look at palantir, but so far that is not working for me.

Cheers,

Tom

qian du

May 21, 2024, 1:08:34 PM
to CAS Community, Ray Bon
Hi Ray,
Thank you for sharing. I've been troubled by the same problem these days. I compared cas-management 7.0.0-SNAPSHOT and 6.6.4. As you said, in 7.x the request goes into DefaultSecurityLogic but never enters DefaultCallbackLogic. I guess the problem may lie here: 7.x added the following code:

  registry.addInterceptor(new SecurityInterceptor(config)).addPathPatterns("/**");


I don't know if I am right, I hope it helps someone.
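
The redirect loop discussed in this thread, as a simplified model added here (not part of the original posts, and not cas-management or pac4j code). It assumes the callback lives at /callback relative to the application, uses a placeholder CAS URL and ticket, and treats the exclusion of /callback as a hypothetical change rather than the project's fix.

```python
# Constructed model of the browser's redirect chain between cas-management and CAS.
CAS_LOGIN = "https://cas.example.org/cas/login"  # placeholder, not from the thread
HOME = "/"                                       # path inside the cas-management context
CALLBACK = "/callback"                           # callback path named in the thread


def intercepted(path, include, exclude=()):
    """Stand-in for interceptor path matching: '/**' matches all, else prefix match."""
    def hit(pattern):
        return pattern == "/**" or path.startswith(pattern.rstrip("*"))
    return any(hit(p) for p in include) and not any(hit(p) for p in exclude)


def login_flow(include, exclude=(), max_hops=10):
    """Follow redirects until a page is served or max_hops requests were made."""
    session_has_profile = False
    url, trace = HOME, []
    for _ in range(max_hops):
        trace.append(url)
        if url == CAS_LOGIN:
            # CAS authenticates the user and sends the browser back with a ticket.
            url = CALLBACK + "?ticket=ST-1"      # constructed ticket value
            continue
        path = url.split("?")[0]
        if intercepted(path, include, exclude) and not session_has_profile:
            # "=== SECURITY ===": no profile in the session, start a CAS login.
            url = CAS_LOGIN
        elif path == CALLBACK:
            # "=== CALLBACK ===": ticket validated, profile stored, back to the app.
            session_has_profile = True
            url = HOME
        else:
            return "served", trace
    return "redirect loop", trace


if __name__ == "__main__":
    # Security interceptor on "/**": the callback never runs, so no session is created.
    print(login_flow(include=["/**"]))
    # Hypothetical variant: same interceptor, callback path left outside it.
    print(login_flow(include=["/**"], exclude=[CALLBACK]))
```
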