Hi,
I have developed a new jsp (ticketManager.jsp) to manage the different TGT
tickets that are active.
I would like to protect this page (in the root path of cas webapp) so that only
admin role can use it. I have modified the web.xml and the securityContext.xml
and cas.properties to do it but there is something that is left:
I have added the url to the securityChain in web.xml:
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/ticketManager.jsp</url-pattern>
</filter-mapping>
and I have done some modifications to the securityContext such as adding a new
casProcessingFilter with different parameters Basically:
<sec:http pattern="/ticketManager.jsp"
entry-point-ref="casProcessingFilterEntryPoint2" auto-config="false">
<sec:logout logout-url="/services/logout.html"
logout-success-url="/services/loggedOut.html"/>
<sec:custom-filter ref="casProcessingFilter2" position="CAS_FILTER"/>
<sec:intercept-url pattern="/ticketManager.jsp"
access="${cas.securityContext.serviceProperties.adminRoles}"/>
</sec:http>
Attached you can find both files.
I the cas.properties I have added the entry:
cas.securityContext.serviceProperties.ticketManager.service=${server.prefix}/ticketManager.jsp/j_acegi_cas_security_check
I enter the url:
https://localhost:8443/webapps/cas352/ticketManager.jsp
and I get redirected to the page:
https://localhost:8443/webapps/cas352/login?service=https%3A%2F%2Flocalhost%3A8443%2Fwebapps%2Fcas352%2FticketManager.jsp%2Fj_acegi_cas_security_check
Apparently, it should work but the thing is that although the service url is
well set, the cas server ends up redirecting to the page:
https://localhost:8443/webapps/cas352/login?ticket=ST-1-rxCKzfbCEnbneyJU37ed-localhost
like if there wasn't any service url.
Your help will be very appreciated to find what is left to make it work
properly.
Thank you very much in advance.
--
You are currently subscribed to cas-user@lists.jasig.org as:
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
version="2.4">
<display-name>Central Authentication System (CAS) ${project.version}</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-configuration/*.xml
/WEB-INF/deployerConfigContext.xml
</param-value>
</context-param>
<!-- This filter stores HttpResponse in threadLocal to be used in AuthenticationHandler -->
<!--
<filter>
<filter-name>Response Interceptor Filter</filter-name>
<filter-class>edu.uoc.cas.authentication.filter.ResponseInterceptorFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Response Interceptor Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<filter>
<filter-name>CAS Client Info Logging Filter</filter-name>
<filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Client Info Logging Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/login</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/ticketManager.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/status</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/services/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
- Loads the CAS ApplicationContext.
- The deployer choice here is how to handle Throwables thrown by Spring's
- ContextLoaderListener. The Spring ContextLoaderListener will throw an exception when the
- application context cannot be loaded, say because the bean XML files are not valid XML or do not
- refer to real classes and properties or because a bean configured via Spring throws an exception
- at construction, property setting, or on an afterPropertiesSet() lifecycle method.
-
- If you'd like these errors to be fatal and prevent the CAS servlet context from loading at all,
- use org.springframework.web.context.ContextLoaderListener.
-
- If you'd like these errors to result in all requests for CAS getting a "CAS is Unavailable" response,
- use org.jasig.cas.web.init.SafeContextLoaderListener
-->
<listener>
<listener-class>
org.jasig.cas.web.init.SafeContextLoaderListener
</listener-class>
</listener>
<!--
- This is the Spring dispatcher servlet which delegates all requests to the
- Spring WebMVC controllers as configured in cas-servlet.xml.
-
- The choice made above about how to handle a broken ApplicationContext at
- context initialization applies here as well, since this servlet is load-on-startup.
-
- If you'd like these errors to be fatal and prevent the CAS servlet from loading at all,
- use org.springframework.web.servlet.DispatcherServlet.
-
- If you'd like these errors to result in all requests for CAS getting a "CAS is Unavailable" response,
- use org.jasig.cas.web.init.SafeDispatcherServlet
-->
<servlet>
<servlet-name>cas</servlet-name>
<servlet-class>
org.jasig.cas.web.init.SafeDispatcherServlet
</servlet-class>
<init-param>
<param-name>publishContext</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/logout</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/validate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/serviceValidate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/samlValidate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/proxy</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/proxyValidate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/CentralAuthenticationService</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/add.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/viewStatistics.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/logout.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/loggedOut.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/manage.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/edit.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/openid/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/deleteRegisteredService.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/services/updateRegisteredServiceEvaluationOrder.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/status</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/authorizationFailure.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/403.html</url-pattern>
</servlet-mapping>
<session-config>
<!-- Default to 5 minute session timeouts -->
<session-timeout>5</session-timeout>
</session-config>
<error-page>
<exception-type>org.springframework.context.ApplicationContextException</exception-type>
<location>/WEB-INF/view/jsp/brokenContext.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/WEB-INF/view/jsp/errors.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/403.html</location>
</error-page>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!--
<filter>
<display-name>PolicyFilter</display-name>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-->
<!--
<init-param>
<param-name>targetBeanName</param-name>
<param-value>policyFilter</param-value>
</init-param>
-->
<!-- </filter> -->
<!--
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/login</url-pattern>
</filter-mapping>
-->
<!--
<filter>
<display-name>PolicyFilter</display-name>
<filter-name>policyFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>policyFilter</filter-name>
<url-pattern>/login</url-pattern>
</filter-mapping>
-->
</web-app>
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:sec="http://www.springframework.org/schema/security";
xmlns:context="http://www.springframework.org/schema/context";
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd";>
<description>
Security configuration for services management and other sensitive areas of CAS.
In most cases it should not be necessary to edit this file as common configuration
can be managed by setting properties in the cas.properties file.
</description>
<context:annotation-config/>
<sec:debug/>
<!-- As of Spring SEC 3.1 -->
<sec:http pattern="/services/loggedout.html" security="none"/>
<sec:http pattern="/status/**" entry-point-ref="notAuthorizedEntryPoint" use-expressions="true" auto-config="true">
<sec:intercept-url pattern="/status" access="hasIpAddress('${cas.securityContext.status.allowedSubnet}')" />
</sec:http>
<!--
<sec:http pattern="/login" entry-point-ref="casProcessingFilterEntryPoint" use-expressions="true" auto-config="false">
<sec:intercept-url pattern="/login" access="permitAll"/>
<sec:custom-filter ref="policyFilter" position="LAST"/>
</sec:http>
-->
<sec:http pattern="/ticketManager.jsp" entry-point-ref="casProcessingFilterEntryPoint2" auto-config="false">
<sec:logout logout-url="/services/logout.html" logout-success-url="/services/loggedOut.html"/>
<sec:custom-filter ref="casProcessingFilter2" position="CAS_FILTER"/>
<sec:intercept-url pattern="/ticketManager.jsp" access="${cas.securityContext.serviceProperties.adminRoles}"/>
</sec:http>
<sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="false">
<sec:logout logout-url="/services/logout.html" logout-success-url="/services/loggedOut.html"/>
<!--<sec:custom-filter ref="casProcessingFilterAll" after="CAS_FILTER"/>-->
<sec:custom-filter ref="casProcessingFilter" position="CAS_FILTER"/>
<!-- <sec:custom-filter ref="policyApplier" position="LAST"/> -->
<!-- <sec:custom-filter ref="casProcessingFilterAll" position="FORM_LOGIN_FILTER"/> -->
<sec:intercept-url pattern="/services/**" access="${cas.securityContext.serviceProperties.adminRoles}"/>
</sec:http>
<!-- <bean id="policyApplier" class="edu.uoc.cas.policy.PolicyFilter"/> -->
<sec:authentication-manager alias="casAuthenticationManager">
<sec:authentication-provider ref="casAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
p:service="${cas.securityContext.serviceProperties.service}"
p:sendRenew="false"/>
<bean id="serviceProperties_ticketManager" class="org.springframework.security.cas.ServiceProperties"
p:service="${cas.securityContext.serviceProperties.ticketManager.service}"
p:sendRenew="false"/>
<bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="casAuthenticationManager"
p:filterProcessesUrl="/services/j_acegi_cas_security_check">
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
p:alwaysUseDefaultTargetUrl="false"
p:defaultTargetUrl="/services/manage.html"/>
</property>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<constructor-arg index="0" value="/authorizationFailure.html"/>
</bean>
</property>
</bean>
<bean id="casProcessingFilter2" class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="casAuthenticationManager"
p:filterProcessesUrl="/ticketManager.jsp/j_acegi_cas_security_check">
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
p:alwaysUseDefaultTargetUrl="true"
p:defaultTargetUrl="/ticketManager.jsp"/>
</property>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<constructor-arg index="0" value="/authorizationFailure.html"/>
</bean>
</property>
</bean>
<!--
<bean id="casProcessingFilterAll" class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="casAuthenticationManager"
p:filterProcessesUrl="/j_acegi_cas_security_check">
<property name="authenticationSuccessHandler">
<bean class="edu.uoc.cas.authentication.handler.support.UOCSuccessfulAuthenticationHandler"
p:alwaysUseDefaultTargetUrl="false"
p:defaultTargetUrl="/services/manage.html"/>
</property>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<constructor-arg index="0" value="/authorizationFailure.html"/>
</bean>
</property>
</bean>
-->
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
p:serviceProperties-ref="serviceProperties"
p:encodeServiceUrlWithSessionId="false" />
<bean id="casProcessingFilterEntryPoint2" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
p:serviceProperties-ref="serviceProperties_ticketManager"
p:encodeServiceUrlWithSessionId="false" />
<bean id="notAuthorizedEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
p:key="my_password_for_this_auth_provider_only"
p:serviceProperties-ref="serviceProperties"
p:userDetailsService-ref="userDetailsService">
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}"/>
</bean>
</property>
</bean>
</beans>
