stackoom
  简体   繁体   中英

Infinite redirection login loop in CAS-SSO & Spring Security (SpringBoot)

 原文  2019-03-14 16:02:34       java/ spring-boot/ spring-security/ single-sign-on/ cas

Question

I am performing the next steps:

  1. I access to a restricted URL (/myapp/login) of my java application
  2. I am redirected to /cas/login page
  3. I introduce the correct credentials
  4. CAS redirect the request to the restricted URL (ie:/myapp/login)
  5. My application instead of accepting the request, detect this URL as protected again and redirect again the request to CAS: /cas/login
  6. The auth-cookies are in the browser so the authentication is OK
  7. Step 4
  8. Step 5
  9. Step 6 etc

My CAS Server versions:

  • CAS Version: 6.1.0-RC3-SNAPSHOT
  • Spring Boot Version: 2.2.0.M1
  • Spring Version: 5.1.5.RELEASE
  • Java Home: C:\\Program Files\\Java\\jdk-11.0.2

cas.properties: 

cas.server.name=https://cas.example.org:8443
cas.server.prefix=${cas.server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/etc/cas/services

CAS Dependencies added: 

compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-rest:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-rest-tokens:${project.'cas.version'}"

My CAS service declaration App-1001.json inside /etc/cas/service: 

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
   "serviceId" : "http://127.0.0.1:9000/imq/ptp/pspp/login",
   "name" : "App",
   "id" : 1001,
   "evaluationOrder" : 10
 }

In my java application:

CAS Beans declaration: 

    @Bean
public ServiceProperties serviceProperties() {
    ServiceProperties serviceProperties = new ServiceProperties();
    serviceProperties.setService(serviceId);
    serviceProperties.setSendRenew(false);
    return serviceProperties;
}

@Bean
@Primary
public AuthenticationEntryPoint authenticationEntryPoint(
        ServiceProperties sP) {
    CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
    entryPoint.setLoginUrl("https://localhost:8443/cas/login");
    entryPoint.setServiceProperties(sP);
    return entryPoint;
}

@Bean
public TicketValidator ticketValidator() {
    return new Cas30ServiceTicketValidator("https://localhost:8443/cas");
}

@Bean
public CasAuthenticationProvider casAuthenticationProvider() {

    CasAuthenticationProvider provider = new CasAuthenticationProvider();
    provider.setServiceProperties(serviceProperties());
    provider.setTicketValidator(ticketValidator());
    provider.setUserDetailsService(
            s -> new User(casUsername, casPassword, true, true, true, true,
                    AuthorityUtils.createAuthorityList(casRole)
            )
    );
    provider.setKey(casKey);
    return provider;
}

/////

@Bean
public SecurityContextLogoutHandler securityContextLogoutHandler() {
    return new SecurityContextLogoutHandler();
}

@Bean
public LogoutFilter logoutFilter() {
    LogoutFilter logoutFilter = new LogoutFilter(
            "https://localhost:8443/cas/logout",
            securityContextLogoutHandler());
    logoutFilter.setFilterProcessesUrl("/logout/cas");
    return logoutFilter;
}

@Bean
public SingleSignOutFilter singleSignOutFilter() {
    SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
    singleSignOutFilter.setCasServerUrlPrefix("https://localhost:8443/cas");
    singleSignOutFilter.setIgnoreInitConfiguration(true);
    return singleSignOutFilter;
}

@EventListener
public SingleSignOutHttpSessionListener singleSignOutHttpSessionListener(
        HttpSessionEvent event) {
    return new SingleSignOutHttpSessionListener();
}

My WebSecurity class declaration: 

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private AuthenticationProvider authenticationProvider;
private AuthenticationEntryPoint authenticationEntryPoint;
private SingleSignOutFilter singleSignOutFilter;
private LogoutFilter logoutFilter;

@Autowired
public SecurityConfig(CasAuthenticationProvider casAuthenticationProvider,
                      AuthenticationEntryPoint eP,
                      LogoutFilter lF,
                      SingleSignOutFilter ssF) {
    this.authenticationProvider = casAuthenticationProvider;
    this.authenticationEntryPoint = eP;
    this.logoutFilter = lF;
    this.singleSignOutFilter = ssF;
}

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("*"));
    configuration.setAllowedHeaders(Arrays.asList("*"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowSemicolon(true);
    return firewall;
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            .authorizeRequests()
            .regexMatchers("/imq/ptp/pspp.*")
            .authenticated()
            .and()
            .authorizeRequests()
            .regexMatchers("/")
            .permitAll()
            .and()
            .httpBasic()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .logout().logoutSuccessUrl("/logout")
            .and()
            .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
            .addFilterBefore(logoutFilter, LogoutFilter.class);
}

// ...

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider);
}

@Override
protected AuthenticationManager authenticationManager() throws Exception {
    return new ProviderManager(Arrays.asList(authenticationProvider));
}

@Bean
public CasAuthenticationFilter casAuthenticationFilter(ServiceProperties sP) throws Exception {
    CasAuthenticationFilter filter = new CasAuthenticationFilter();
    filter.setServiceProperties(sP);
    filter.setAuthenticationManager(authenticationManager());
    return filter;
}
}

Thank you in advance!

1 answers

solution1
 2 ACCPTED  2019-03-26 18:08:02

I think you should put casAuthenticationFilter above the other settings. Like this: 

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilter(casAuthenticationFilter())
            .csrf().disable()
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint())
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to use CAS-SSO if disable cookie Spring Security + CAS SSO AuthenticationManager Infinite Loop in spring security login Implement SSO using CAS + Spring Security Spring security cas with jakarta compatibility for Springboot 3 updagre CAS 4 with Spring Security 4 (java config) - stuck in a redirect loop after ticket granted SSO Spring Security with CAS rest (Direct login) Spring secutiry CAS SSO every time its asks login credentials Spring security creates infinite loop of 301 and 302 redirects to login page Getting stuck in redirection loop after successful login in Java cas client
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM