Configure two CAS endpoints


chris nikitas

May 20, 2014, 7:31:20 AM
to pac4j...@googlegroups.com
Hi all,

I am using Spring Security and pac4j in my application to configure CAS for authentication.

I would like to configure two CAS endpoints (both pointing to the same instance).
I want to achieve the following:

When the user browses public pages, Spring Security or CAS is not involved.
When the user requests a secure resource, Spring Security will redirect the browser to CAS (using an endpoint with an external secure url).
On any subsequent request, CAS will be called internally to make sure that the service ticket is valid (using an endpoint with an internal url).

How can I configure the above?

My current configuration is given below:

securityContext.xml

    <security:http create-session="always" auto-config="true" pattern="/**" entry-point-ref="casEntryPoint">
        <security:custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
        <security:custom-filter after="CAS_FILTER" ref="clientFilter" />
        <security:intercept-url pattern="/**" access='IS_AUTHENTICATED_FULLY' />
        <security:logout/>
    </security:http>

    <bean id="casEntryPoint" class="org.pac4j.springframework.security.web.ClientAuthenticationEntryPoint">
        <property name="client" ref="casClient" />
    </bean>

    <bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
        <constructor-arg value="/callback"/>
        <property name="clients" ref="clients"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="clientProvider" class="org.pac4j.springframework.security.authentication.ClientAuthenticationProvider">
        <property name="clients" ref="clients"/>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="clientProvider" />
    </security:authentication-manager>

    <bean id="casSingleSignOutHandler" class="org.pac4j.cas.logout.CasSingleSignOutHandler"/>

SecurityConfig.java

    @Bean
    public Clients clients(CasClient casClient) {
        Clients clients = new Clients();
        clients.setCallbackUrl(env.getRequiredProperty("cas.callbackUrl"));
        clients.setClients(casClient);
        return clients;
    }

    @Bean
    public CasClient casClient(CasSingleSignOutHandler casSingleSignOutHandler) {
        CasClient casClient = new CasClient();
        casClient.setCasLoginUrl(env.getRequiredProperty("cas.loginUrl"));
        casClient.setLogoutHandler(casSingleSignOutHandler);
        return casClient;
    }

    @Bean
    public LogoutFilter requestSingleLogoutFilter() {
        LogoutFilter logoutFilter = new LogoutFilter(env.getProperty("cas.logoutUrl"), new SecurityContextLogoutHandler());
        logoutFilter.setFilterProcessesUrl("/logout");
        return logoutFilter;
    }

Jérôme LELEU

May 20, 2014, 9:56:33 AM
to chris nikitas, pac4j...@googlegroups.com
Hi,

I'm not sure I understand why you want two endpoints pointing to the same CAS server. Is your application accessed through two different urls?
Best regards,
Jérôme

chris nikitas

May 20, 2014, 9:59:58 AM
to pac4j...@googlegroups.com, chris nikitas
CAS can be accessed by two different urls.

And I want to configure one for the first login and all subsequent requests to go through the other url.

How can I do that?

Jérôme LELEU

May 20, 2014, 10:06:25 AM
to chris nikitas, pac4j...@googlegroups.com
Hi,

You need two CasClient instances with different login urls, and two different http sections using two different entry points pointing to these different CAS clients.
Set a different name for each client, otherwise things will go wrong.
Best regards,
Jérôme

chris nikitas

May 20, 2014, 10:12:10 AM
to pac4j...@googlegroups.com, chris nikitas
How is this going to work if both http sections have the same intercept url patterns?

Would it be possible for you to provide the config in XML? I will create the beans and everything else.

Because I am a bit confused.

Jérôme LELEU

May 20, 2014, 10:14:31 AM
to chris nikitas, pac4j...@googlegroups.com
You can't have the same patterns for the http sections: how do you know which CAS server url you must use?

chris nikitas

May 20, 2014, 10:17:57 AM
to pac4j...@googlegroups.com, chris nikitas
That's where I am getting confused.

The requirement is that if the redirection comes from the browser (during initial login), it should use one url.

If CAS is contacted just for ticket validation, it should use the other url.

Does it make sense at all?

Jérôme LELEU

May 20, 2014, 10:22:24 AM
to chris nikitas, pac4j...@googlegroups.com
OK. I think I see. You can define the specific url for the service ticket validation using the setPrefixUrl method and the public url using the setLoginUrl method. https://github.com/leleuj/pac4j/blob/master/pac4j-cas/src/main/java/org/pac4j/cas/client/CasClient.java...
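
The single-client setup suggested in the reply above, as an added example that is not part of the original thread or the pac4j project's own code. It assumes the `CasClient` setters in this pac4j version are `setCasLoginUrl` (as in the original post) and `setCasPrefixUrl` (the reply's "setPrefixUrl"); the class name `CasSplitUrlConfig`, the `cas.prefixUrl` property key and the `requireHttps` helper are hypothetical.

```java
import java.net.URI;

import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.logout.CasSingleSignOutHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class CasSplitUrlConfig {

    @Autowired
    private Environment env;

    @Bean
    public CasClient casClient(CasSingleSignOutHandler casSingleSignOutHandler) {
        // External URL: the browser is redirected here for the initial login.
        String loginUrl = requireHttps(env.getRequiredProperty("cas.loginUrl"));
        // Internal URL: used server-to-server for service ticket validation.
        // "cas.prefixUrl" is an assumed property key, not from the original post.
        String prefixUrl = requireHttps(env.getRequiredProperty("cas.prefixUrl"));

        CasClient casClient = new CasClient();
        casClient.setCasLoginUrl(loginUrl);
        // Assumed setter name; the reply refers to it as "setPrefixUrl".
        casClient.setCasPrefixUrl(prefixUrl);
        casClient.setLogoutHandler(casSingleSignOutHandler);
        return casClient;
    }

    // Hypothetical helper: the validation response names the authenticated
    // user, so the internal endpoint needs TLS just like the public one.
    static String requireHttps(String url) {
        if (!"https".equalsIgnoreCase(URI.create(url).getScheme())) {
            throw new IllegalStateException("CAS URL must use https: " + url);
        }
        return url;
    }
}
```

With one client carrying both URLs, the single `http` section and `casEntryPoint` from the original configuration stay unchanged.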

chris nikitas

May 20, 2014, 10:27:46 AM
to pac4j...@googlegroups.com, chris nikitas
Let me try... thanks for the suggestion.

Will let you know how it goes... and apologies for being a pain!