If I use CAS server and my application in the same machine, logout is working fine for me. But if CAS server is deployed on the different machine and my application is deployed on the different machine, then cas logout is not working.
I am calling the following url from my application:
CAS Server URL: https://108.51.62.36:9443/cas/logout
And I have got the following entries in web.xml of my application:
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Included to support Single Logout. Note that the SingleSignOutFilter
is included in the springSecurityFilterChain. However, it could also be placed
as the first filter-mapping in the web.xml -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
Whe you use CAS, this create a secure cookie domain. You can see the value and modify in WEB-INF/spring-configuration:
ticketGrantingTicketCookieGenerator.xml
warnCookieGenerator.xml
So, I suggest don't use Ip. Use another like https://my.domaing.com:9443/cas/logout
Related
I have 2 domains for my site which is hosted in google app engine. I want to 301 redirect any request on the less desirable domain to the more desirable domain.
I have tried adding the following to my web.xml
<servlet>
<servlet-name>WebServlet</servlet-name>
<servlet-class>com.wmar.api.WebServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>WebServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>redirectFilter</filter-name>
<filter-class>com.wmar.api.WebFilterRedirect</filter-class>
</filter>
<filter-mapping>
<filter-name>redirectFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
For the servlet it hits it, but then I don't know how to just load the static resource (ideally just passing onto some default static file handler) if the domain is correct.
For the filter it doesn't hit it.
What is the best way to achieve what I want with servlet 2.5 / google app engine java?
Thanks
I realize now that the current ideal solution is to create a separate app engine project and point non-canonical domains at it which has a simple servlet that just 301 redirects to the canonical domain.
For Http to https 301s app.yaml can be used with secure: always.
As noted by konqi there are undesirable side effects by trying to do it all in the one app engine project/module.
I was reading about how Authentication works in Spring and found that there are two filters taking care of the Authentication.
AuthenticationProcessingFilter BasicProcessingFilter
So I set breakpoints within BasicProcessingFilter::doFilterHttp and AuthenticationProcessingFilter::attemptAuthentication and AuthenticationProcessingFilterEntryPoint::commence and the program didn't stop at any of them.
Does it mean that my web-application currently doesn't have an authentication mechanism at all?
Maybe it has something to do with that I defined a custom resource filter as follows:
<beans:bean id="secureResourceFilter"
class="my.custom.class.CustomSecureResourceFilter">
<beans:property name="jdbcSecuredUrlRoleDao" ref="jdbcSecuredUrlRoleDao" />
</beans:bean>
In my Spring-security configuration I didn't define
AuthenticationProcessingFilter and BasicProcessingFilter directly. I just specify
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
in web.xml.
Expect if you use Spring boot, you have to at least configure your Spring context. Either you use Java config, or XML files.
For Java config: http://docs.spring.io/autorepo/docs/spring-security/3.2.x/guides/helloworld.html
For XML files: http://www.springbyexample.org/examples/simple-spring-security-webapp-spring-config.html
Note that you can see which are the filters used in your application by putting a break point in the delegating filter proxy and see the filter chain. Sub-filters are applied sequentially.
I have two applications running on 2 different servers (one on tomcat and other on JBoss). Both these applications are connected to the same CAS server for authentication. Right now this CAS server also resides within the same JBoss.
Say:
App-1 --- is on tomcat and CASified
App-2 --- is on JBoss and CASified
CAS --- is on JBoss
Now that I am invoking an url of App-1 from a browser. The CAS login page comes up and after username/password is provided, the request now successfully enters the servlet of App-1. From this servlet code, I am trying to invoke a webservice that resides inside App-2.
Note: I use axis2 for this webservice and the axis2.war is also CASified
to the same CAS server for authentication.
I could not make this webservice call work no matter what I do. Is there a way to achieve this?
Note: If I call the CAS REST api with a hardcoded username/password, I am
getting the TGT, through which I am able to get the Service Ticket, with
which I am able to invoke that web-service. But I do not want to login again
with a hard-coded username or password. My webservice invocation should
happen with the already logged-in user only.
When you call the web service on App-2 are you getting a session cookie back? This should be the mechanism by which you're continuing to have access without reauthenticating on each call. If you're not getting a cookie back, then there's no way in which to continue access without authenticating each time (i.e. there's no way for the server to remember that it's you and that it should trust the rest of the message).
This is possible by using the CAS Proxy feature.
The link
https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
helped a bit. But could not understand where to start with.
First take the CAS client jar from http://downloads.jasig.org/cas-clients/ . In my case I took cas-client-core-3.3.3.jar jar. I have included this jar in my application war.
In the web.xml of my application I have included the following 3 CAS Filters.
<!-- CAS Filters -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas-hostname.domainname:port/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://app-hostname.domainname:port</param-value>
</init-param>
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>https://app-hostname.domainname:port/app/ticket</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/app/ticket</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas-hostname.domainname:port/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://app-hostname.domainname:port</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- filter mappings -->
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/app/*</url-pattern>
<url-pattern>/ticket</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/app/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/app/*</url-pattern>
</filter-mapping>
Note-1: The order of filter mapping should be as mentioned above.
First CAS Validation filter mapping should come, followed by CAS
Authentication Filter and last the CAS HttpServletRequest Wrapper
filter.
Note-2: The URL pattern /ticket which is basically your proxy callback
url need not be mentioned in the last two filters.
Once CAS client jar is included in the web-app and web.xml configured with these filters, then all the http requests go through these filters.
So once your http requests entered your servlet, then you can call the following code snippet to get a proxy ticket:
String proxyTicket = ((AttributePrincipal) req.getUserPrincipal())
.getProxyTicketFor(webservice_url);
req is the HttpServletRequest Object and AttributePrincipal is a class which is present in the cas-client-core-3.3.3.jar
This proxyTicket can then be appended to your web-service's URL as a query string like the following:
https://myother-webservice-app.com/ws/myData?ticket=<proxyTicket>
Once this URL is constructed, then you can make the web-service call programmatically.
Hope this helps.
I want to use two different Spring web contexts, each have own contextConfig, spring servlet and filter, that should be mapped to different urls. I have a
Standard Grails project, mapped to '/'
And an existing Spring webapp, that I want to map to /extra/
I know that I can deploy both into one Tomcat, but I'm looking for a way of making one app (one war, etc), because It can simplify our deployment and development process.
This applications don't need to share beans or anything, should be completely separate. Both have DispatcherServlet and DispatcherFilter (and both are using Spring Security, but different configuration)
How I can configure web.xml for such webapp?
I've tried to add new filter:
<filter>
<filter-name>extraSpringSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.extraSpring</param-value>
</init-param>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>extraSecurityFilterBean</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>extraSpringSecurityFilterChain</filter-name>
<url-pattern>/extra/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
and spring dispatcher servlet:
<servlet>
<servlet-name>extraSpring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>springConfigLocation</param-name>
<param-value>classpath:extra-spring-web.xml</param-value>
</init-param>
</servlet>
Where:
two context xml in classpath (inside exra library jar):
extra-spring-web.xml
extra-spring-security.xml (!!! how I should configure it?)
extra-spring-security.xml
is pretty standard Spring Security config
have configured bean extraSecurityFilterBean
have dependecy to beans from -web context (but it's not required to be)
It's semi-working now:
as I see from logs, extraSpring servlet successfully load beans from extra-spring-web.xml
but after accessing url /extra/ I got NoSuchBeanDefinitionException: No bean named 'extraSecurityFilterBean' is defined.
So, the question, how I can define context for DelegatingFilterProxy? I even tried to add this files into main context (contextConfigLocation param), it's not what i'm looking for, but it didn't work.
I've taken a look into DelegatingFilterProxy sources, but it's not clear for me how it loads the context.
As per my comment on the question, if the security filter chain is defined in extra-spring-security.xml then you need to ensure that that file is loaded by your extra DispatcherServlet in addition to extra-spring-web.xml either by <import>ing the -security file from the -web one or configuring it as:
<servlet>
<servlet-name>extraSpring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:extra-spring-web.xml
classpath:extra-spring-security.xml
</param-value>
</init-param>
</servlet>
You will also need to ensure that the security filter in the Grails application doesn't apply to /extra URIs, exactly how you do this depends on whether you're using annotations, database RequestMap entries etc.
If the modules are completely separate: the easiest way is to package them as two different webapp. Tens of different spring-based apps can run in one appserver -even on a modest developer machine- without issues.
A few questions
What does your Spring Security configuration look like?
I'm confused why the error states "No bean named 'apiservSecurityFilterChain' is defined" but the web.xml you have posted only references extraSpringSecurityFilterChain (the bean names should match or some important configuration is being left out).
Possible Answer
I'm guessing the problem is that the filter-name needs to match Spring Security's bean name (cannot know for sure without seeing the Spring Security configuration you are using). The default value used by the Spring Security namespace is springSecurityFilterChain, so try the following in the web.xml instead (notice extraSpringSecurityFilterChain changed to springSecurityFilterChain):
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.extraSpring</param-value>
</init-param>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>extraSecurityFilterBean</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/extra/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
i want to create url pattern that lead to filter in jsf2.
I tried this code
<filter-mapping>
<filter-name>filter</filter-name>
<url-pattern>www.mysite.com</url-pattern>
</filter-mapping>
but i don't get to my filter.
can you help?
thanks
You are expecting to map the URL path, i.e. the part of URL that follows host and your web application name.
This is how full URL looks like:
http://www.mysite.com:8080/myapp/path1/path2/path3
where:
8080 is a port - optional - default 80
myapp - the context path of your web application. It is empty if your application is default web application on your app server.
path1/path2/path2 the path. This is what you are mapping using <filter-mapping> tag.
So, if for example you want to pass through your filter all requests to JSP pages say:
<url-pattern>*.jsp</url-pattern>
If your UI is under directory ui and you want to filter such requests say:
<url-pattern>/ui/*</url-pattern>
etc.
I hope I get this right:
You want to point an URL to your already created ServletFilter in your JSF 2.0 web application?
You have to register your filter in your webapps web.xml file and map it to your desired URL, e.g.
<!-- register your filter -->
<filter>
<filter-name>YourFilterName</filter-name>
<filter-class>com.your.filter.class</filter-class>
</filter>
<filter-mapping>
<filter-name>YourFilterName</filter-name>
<!-- Mapped to any URL -->
<url-pattern>/*</url-pattern>
</filter-mapping>