Spring Security and CAS


Justin Holmes

Jan 3, 2014, 8:20:27 AM
to pac4j...@googlegroups.com
I have an application which needs to use CAS. I have it going to the CAS server and correctly obtaining the user with a granted authority from the callback; however, when it then tries to go back to the original page I get "HttpSession returned null object for SPRING_SECURITY_CONTEXT" and "No SecurityContext was available from the HttpSession. A new one will be created." This means that the application continuously loops.

Thanks in advance.

Jérôme LELEU

Jan 3, 2014, 9:27:51 AM
to Justin Holmes, pac4j...@googlegroups.com
Hi,

Did you make a test using the demo (https://github.com/leleuj/spring-security-pac4j-demo)?
Does it work?

It looks like you're losing your web session. Do you have more than one server behind a load balancer, for example?

Thanks.
Best regards,
Jérôme




Justin Holmes

Jan 3, 2014, 9:37:34 AM
to pac4j...@googlegroups.com, Justin Holmes
No load balancer at the moment.

Some logs:

casProfile : <CasProfile> | id: justin | attributes: {} |
userDetails: org.springframework.security.core.userdetails.User@bb887711: Username: justin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER
authorities : [ROLE_USER]
Registering session XXXXX, for principal CasProfile#justin
Authentication success. Updating SecurityContextHolder to contain: org.pac4j.springframework.security.authentication.ClientAuthenticationToken
Redirecting to 'http://payments.local:8080/user'
HttpSession returned null object for SPRING_SECURITY_CONTEXT
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@7b6f44a2. A new one will be created.

Thanks

Jérôme LELEU

Jan 4, 2014, 3:20:16 AM
to Justin Holmes, pac4j...@googlegroups.com
Hi,

It's hard to know what's wrong just with these logs... And it works perfectly using my demo...

Did you try my demo? Did you also try authenticating with Facebook, for example?

Can you share your configuration with us?

And would you mind enabling DEBUG logs on org.springframework.security and org.pac4j and posting the generated logs?

Thanks.
Best regards,
Jérôme

Justin Holmes

Jan 6, 2014, 4:06:12 AM
to pac4j...@googlegroups.com, Justin Holmes
Hi,

The demo works; however, the demo is using jsessionid in the URL for session persistence. My app should be using the jsessionid cookie.

I am using Spring Security 3.2.0.RC2; would that be an issue?

Attached logs and context.

Kind Regards

Justin
app.logs
spring-security.xml

Justin Holmes

Jan 6, 2014, 5:49:38 AM
to pac4j...@googlegroups.com, Justin Holmes
I have put my configuration into the demo app and it works fine.

Jérôme LELEU

Jan 6, 2014, 9:26:36 AM
to Justin Holmes, pac4j...@googlegroups.com
Hi,


Reading your logs, it seems ok:
 08:58:17.920 [http-nio-8080-exec-3] DEBUG o.s.s.w.a.s.SessionFixationProtectionStrategy - Invalidating session with Id 'F25C9C1C6E185C9A7AB0C755A92597D3' and migrating attributes.
 08:58:17.920 [http-nio-8080-exec-3] DEBUG o.s.s.w.a.s.SessionFixationProtectionStrategy - Started new session: FCA06DEFBD8E07E2B68A5654942B33F1
 08:58:17.921 [http-nio-8080-exec-3] DEBUG o.p.s.s.w.ClientAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: org.pac4j.springframework.security.authentication.ClientAuthenticationToken@aee740a4: Principal: CasProfile#justin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: F25C9C1C6E185C9A7AB0C755A92597D3; Granted Authorities: ROLE_USER
 08:58:17.921 [http-nio-8080-exec-3] DEBUG o.s.s.w.a.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://payments.local:8080/user

Then, it goes wrong:
08:58:17.931 [http-nio-8080-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
 08:58:17.931 [http-nio-8080-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@77cd65f2. A new one will be created.

What's the value of the JSESSIONID cookie (before and after the redirection to the /user url)? What application server do you use?

Thanks.
Best regards,
Jérôme
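
The log correlation described in the message above, as an added example that is not part of the original thread: it scans Spring Security DEBUG output for a successful login whose very next context lookup finds no SPRING_SECURITY_CONTEXT, which is the signature of the redirect loop. The function name, the sample lines (constructed, with made-up session ids and host) and the exact text of the "Obtained a valid SecurityContext" success message are assumptions.

```python
import re

# Layout of the DEBUG lines quoted in the thread: time [thread] LEVEL logger - message
LINE = re.compile(r"^\s*(\d\d:\d\d:\d\d\.\d{3}) \[([^\]]+)\] (\w+) (\S+) - (.*)$")

# Constructed sample modelled on the quoted log lines; session ids and host are made up.
SAMPLE = """\
10:00:00.100 [exec-1] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
10:00:01.920 [exec-3] DEBUG o.s.s.w.a.s.SessionFixationProtectionStrategy - Invalidating session with Id 'OLD0001' and migrating attributes.
10:00:01.920 [exec-3] DEBUG o.s.s.w.a.s.SessionFixationProtectionStrategy - Started new session: NEW0002
10:00:01.921 [exec-3] DEBUG o.p.s.s.w.ClientAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: token
10:00:01.921 [exec-3] DEBUG o.s.s.w.a.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://app.example:8080/user
10:00:01.931 [exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
""".splitlines()

def find_lost_contexts(lines):
    """Return one finding per login whose next request arrived without a SecurityContext."""
    findings, pending, new_session = [], None, None
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # stack traces and other non-matching lines are skipped
        ts, thread, _level, _logger, msg = m.groups()
        if msg.startswith("Started new session: "):
            new_session = msg.split(": ", 1)[1]  # id issued by session fixation protection
        elif msg.startswith("Authentication success"):
            pending = {"login_at": ts, "new_session": new_session, "redirect": None}
            new_session = None
        elif pending and msg.startswith("Redirecting to"):
            pending["redirect"] = msg.rsplit(" ", 1)[-1].strip("'")
        elif "returned null object for SPRING_SECURITY_CONTEXT" in msg:
            if pending:  # the same message before any login is a normal anonymous request
                findings.append(dict(pending, lost_at=ts, thread=thread))
            pending = None
        elif "Obtained a valid SecurityContext" in msg:  # assumed success-case message
            pending = None  # the context survived the redirect
    return findings

if __name__ == "__main__":
    for finding in find_lost_contexts(SAMPLE):
        print(finding)
```

A finding's `new_session` value is the id to compare against the JSESSIONID cookie the browser sends on the redirected request.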





Justin Holmes

Jan 6, 2014, 9:28:37 AM
to pac4j...@googlegroups.com, Justin Holmes
Cheers for the help, I switched the project from a Spring Boot project to a normal Spring MVC project and it appears to work :)