CAS 4 with Spring Security 4 (java config) - stuck in a redirect loop after ticket granted SSO
Question
I have been stuck on this issue for about a couple of days now. I have a CAS 4 app and a Spring-enabled (MVC and Security) web application running on a Tomcat 8 . I am trying to authenticate against the CAS server. All the setup works perfectly fine, but once i seem to be authenticated (given the ticket) and trying to redirect i am getting This webpage has a redirect loop,ERR_TOO_MANY_REDIRECTS . I am using the default in-memory authentication from CAS 4 (user: casuser, pass: Mellon)
I have tried:
1) Used a different prefix for the casAuthenticationFilter context path ( /test/j_spring_cas_security_check ) and a matching one in the serviceProperties ( serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check"); )
- Redirect to my contextRoot from a custom
SavedRequestAwareAuthenticationSuccessHandlerand overriding
onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
- Going to
Spring MVC 3.2.8andSpring Security 3.2.8(someone had a similar issue and went to older versions of Spring)
Here is the setup (no web.xml , all is done using Java Config ) :
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService authenticationUserDetailsService() {
return new TestCasAuthenticationUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
return casAuthenticationFilter;
}
@Bean
public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
return new CustomRequestHandler();
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter());
http
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint());
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
//.anyRequest().permitAll()
//.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
//.and().csrf().disable()
//.formLogin()
//.loginPage("/login")
//.permitAll();
//Below is forcing over HTTPS
//.and().requiresChannel().anyRequest().requiresSecure();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(casAuthenticationProvider());
}
}
TestCasAuthenticationUserDetailsService.java
public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
@Override
public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User("casuser", "Mellon", authorities);
}
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>1.9.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas-client</artifactId>
<version>3.0.8.RELEASE</version>
</dependency>
</dependencies>
Initial Request to the Web App
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Once i press SUBMIT
Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN
After Ticket gets granted
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
When I SHOULD be authenticated and home page displayed
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
1 answers
solution1
3 ACCPTED 2015-12-31 13:49:12
I was finally able to find out why i was getting the Redirect Loop error. The problem was that when i made my initial request Spring had an empty string for the servletPath in the SAVED_REQUEST session attribute.
The initial URL was:
https://server:8443/contextPath
My Spring controller has a class-level, root mapping to "/" . My security setting for the app is:
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
So, with that in mind, when i made the initial request the servletPath was an empty string "" (i extended the SavedRequestAwareAuthenticationSuccessHandler to observe the redirect after a successful login) and since nothing was mapped to that the casFilter was trying to re-authenticate the request over and over.
If i use a slash at the end of my URL, everything works perfect:
https://server:8443/contextPath/ //NOTE the slash in the end
So, for those having a similar issue, where all the config and setup looks and behaves right, but still get Redirect Loops check your RequestMappings and the URL you are trying to authenticate!
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Spring Security + CAS SSO AuthenticationManager
Infinite redirection login loop in CAS-SSO & Spring Security (SpringBoot)
Implement SSO using CAS + Spring Security
Getting a Loop Redirect with Spring Security + CAS, but should be working
How to config webapp using Spring security SSO with cas and running on Jboss 7.1?
Getting stuck in redirection loop after successful login in Java cas client
How to redirect my previous page after SSO Login in spring security?
How to make Spring security to redirect user to the original requested page after successfully authenticated by the CAS server
Retrieve CAS ticket after login
Spring + CAS Redirect to login page after logout
Related Tags