Moving Spring Web Project using LDAP Authentication and Authorities to Spring and CAS
Question
I am trying to move a Spring Web Project using LDAP for Authentication and Authorities to Spring and CAS. My project was working great using LDAP but now I have to use CAS.. Once I changed the XML file everything stopped.
XML using LDAP:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/jdbc
http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
"
xmlns="http://www.springframework.org/schema/security">
<http auto-config="true" use-expressions="true">
<intercept-url access="hasRole('ROLE_MEMBER_INQUIRY')"
pattern="/requests/**" />
<form-login default-target-url="/requests/add.html" />
</http>
<authentication-manager>
<ldap-authentication-provider
user-search-base="ou=webusers" user-search-filter="(uid={0})">
<password-compare>
<password-encoder ref="passwordEncoder">
</password-encoder>
</password-compare>
</ldap-authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder">
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
<beans:property name="userDn" value="cn=Manager,dc=uftwf,dc=dev" />
<beans:property name="password" value="uftwf" />
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>
uid={0},ou=webusers
</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="ou=groups" />
<beans:property name="groupRoleAttribute" value="ou" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<ldap-server url="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
<beans:bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<beans:property name="location" value="classpath:jdbc.properties2" />
</beans:bean>
<beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
> <beans:property name="driverClassName" value="${database.driver}" /> <beans:property
name="url" value="${database.url}" /> <beans:property name="username" value="${database.user}"
/> <beans:property name="password" value="${database.password}" /> <beans:property
name="initialSize" value="5" /> <beans:property name="maxActive" value="10"
/> </beans:bean>
<!--
<beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
> <beans:property name="driverClassName" value="${database.driver}" /> <beans:property
name="url" value="${database.url}" /> <beans:property name="username" value="${database.user}"
/> <beans:property name="password" value="${database.password}" /> <beans:property
name="initialSize" value="5" /> <beans:property name="maxActive" value="10"
/> </beans:bean>
<jee:jndi-lookup id="dataSourcejndi" jndi-name="dataSourcejndi"
lookup-on-startup="false" proxy-interface="javax.sql.DataSource"
cache="true" resource-ref="true" />
<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean"
lazy-init="true">
<beans:property name="dataSource" ref="dataSourcejndi" />
</beans:bean>
<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<beans:property name="jndiName" value="java:dataSourcejndi" />
</beans:bean>
<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<beans:property name="jndiName" value="java:comp/env/jdbc/mi"/>
</beans:bean>
<mvc:annotation-driven />
-->
<!-- <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<beans:property name="jndiName" value="java:dataSourcejndi" />
</beans:bean>
-->
</beans:beans>
XML using CAS:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url access="hasRole('ROLE_MEMBER_INQUIRY')"
pattern="/requests/**" />
<form-login default-target-url="/requests/add.html" />
</http>
<bean id="securityFilter" class="org.springframework.security.util.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/images/**" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/css/**" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/js/**" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/403.jsp" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/404.jsp" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/error.jsp" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/**/cas/changePassword.htm*" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/**/cas/login.htm*" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/**/cas/passwordExpired.htm*" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/**/*.html*" filters="channelProcessingFilter"/>
<sec:filter-chain pattern="/**"
filters="channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,casSingleSignOutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
</sec:filter-chain-map>
</bean>
<!-- this is what hooks up the CAS entry point -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<ref local="casProcessingFilterEntryPoint"/>
</property>
</bean>
<!-- where do I go when I need authentication from CAS-->
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
<property name="loginUrl" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<!-- defines which roles are allowed to access http resources -->
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="objectDefinitionSource">
<value>
PATTERN_TYPE_APACHE_ANT
**=ROLE_ALLOWED_ROLES_HERE
</value>
</property>
</bean>
<!-- hooks up CAS ticket validator and user details loader -->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="casAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- supporting class for filterInvocationInterceptor -->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<ref local="roleVoter"/>
</list>
</property>
</bean>
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
<property name="rolePrefix" value=""/>
</bean>
<!-- setup method level security using annotations -->
<sec:global-method-security jsr250-annotations="enabled" secured-annotations="enabled"/>
<alias name="authenticationManager" alias="_authenticationManager"/>
<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
<!-- which service (application) am I authenticating -->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
<property name="service" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
<!-- handles a logout request from the CAS server -->
<bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- performs CAS authentication -->
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/403.jsp"/>
<property name="alwaysUseDefaultTargetUrl" value="false"/>
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Does the CAS ticket validation and user details loading -->
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
<property name="userDetailsService" ref="pickYourUserDetailsServiceImplementation"/>
<property name="serviceProperties" ref="serviceProperties"/>
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/"/>
</bean>
</property>
<property name="key" value="my_password_for_this_auth_provider_only"/>
</bean>
<!-- Log failed authentication attempts to commons-logging -->
<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
<!-- ===================== SSL SWITCHING ==================== -->
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
<property name="channelDecisionManager" ref="channelDecisionManager"/>
<property name="filterInvocationDefinitionSource">
<value>
PATTERN_TYPE_APACHE_ANT
**=REQUIRES_SECURE_CHANNEL
</value>
</property>
</bean>
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<bean class="org.springframework.security.securechannel.SecureChannelProcessor">
<property name="entryPoint" ref="channelEntryPoint"/>
</bean>
<bean class="org.springframework.security.securechannel.InsecureChannelProcessor">
<property name="entryPoint" ref="channelEntryPoint"/>
</bean>
</list>
</property>
</bean>
<bean id="channelEntryPoint" class="org.springframework.security.securechannel.RetryWithHttpsEntryPoint">
<property name="portMapper" ref="portMapper"/>
</bean>
<bean id="portMapper" class="org.springframework.security.util.PortMapperImpl">
<property name="portMappings">
<map>
<entry key="80" value="443"/>
<entry key="8080" value="8443"/>
<entry key="5580" value="5543"/>
</map>
</property>
</bean>
<!-- Invoked when the user clicks logout -->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<!-- URL redirected to after logout success -->
<constructor-arg value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/logout"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="${database.driver}" /> <property
name="url" value="${database.url}" /> <property name="username" value="${database.user}"
/> <property name="password" value="${database.password}" /> <property
name="initialSize" value="5" /> <property name="maxActive" value="10"
/> </bean>
</beans>
can someone please tell me why everything stopped working
1 answers
solution1
0 2012-07-10 08:11:55
I'm not really sure why you use securityFilter and http tags. We use it like this
<http use-expressions="true"
request-matcher="ciRegex"
auto-config="false"
disable-url-rewriting="true"
access-denied-page="/denied.page"
entry-point-ref="casProcessingFilterEntryPoint">
[..]
<intercept-url
pattern="/.*"
access="isAuthenticated()" />
[..]
<custom-filter ref="casSingleSignOutFilter" before="CAS_FILTER" />
<custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />
<custom-filter ref="sessionRegistryFixFilter" after="SESSION_MANAGEMENT_FILTER" />
<logout invalidate-session="true"
logout-success-url="{cas.url}/logout?service=[..]" />
</http>
Andd this redirects your calls (if you request somethig that is actually behind an "isAuthenticated()" clause) to the CAS server.
And from that point on it works like described here
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Spring project using CAS for Authentication and LDAP for Authorities
Spring security switch to Ldap authentication and database authorities
Spring ldap : not granted any authorities
LDAP Integration with CAS + Spring
Authentication in Java using Spring LDAP
Custom authorities with LDAP authentication
Spring Boot is ignoring Group Authorities authentication
Spring CAS authentication with 03 parameters
Custom LDAP authentication using Spring Security 4
spring ldap template authentication
Related Tags