We had grails 4 app which we recently upgraded to grails 6. This app uses CAS for login and the app works fine when running locally. However when we deploy this app to AKS, we add context path(sonic) to access the service since we have multiple web applications running under same host name.

When we browse the app, it correctly redirects to CAS login page and after logging in, the url address change from :

https:[HOST]/sonic/login/cas?ticket=[SERVICE TICKET]

and then to to

https:[CAS server]/cas/login?service=https%3A%2F%2F[HOST]%2Fsonic%2Flogin%2Fcas

with error message:

This page isn’t working
[HOST] redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS

This issue however was not happening with old (grails 4) code, so it makes me believe that when we upgraded the spring security library for grails 6, there must be something we have missed. But its been really difficult to track since this is only happening in aks and cannot be reproduced locally(with/without context path).

These are the spring security plugins used in the web app:

    implementation("org.grails.plugins:spring-security-cas:4.0.0")
    implementation("org.grails.plugins:spring-security-core:6.0.3")
    implementation("org.grails.plugins:spring-security-rest:3.0.1")

And the cas configs are:

grails:
  plugin:
    springsecurity:
      cas:
        loginUri: "/login"
        serviceUrl: "${SONIC_APPLICATION_URL}/login/cas"
        serverUrlPrefix: "${SONIC_CAS_URL}"
        useSingleSignout: true
        filterProcessesUrl: '/login/cas'
        whiteListAlgorithms: 'RS256,RS512'

UPDATE:

when enabling debug logs I see:

  2024-05-10 15:53:08.694 [http-nio-8080-exec-36] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Failed to authorize filter invocation [GET /sonic/login/cas?ticket=ST-5981-YBdk3BekFB1U4uPo-1OHKCYhBA0-cas-deployment-558466988-9kj4b] with attributes [ROLE_CONCEPT_ARCHIVE]

Asked the same here as well : https://stackoverflow.com/questions/78443531/err-too-many-redirects-with-cas-login-when-web-app-is-deployed-with-context-path

There seems to be a problem with the 3.1.1-BUILD-SNAPSHOT artefacts on

https://repo.grails.org/grails/core/org/grails/plugins/spring-security-cas/3.1.1.BUILD-SNAPSHOT/

All of them cause a 404 error.

{
   "errors": [
   {
      "status": 404,
      "message": "Artifact not found: org/grails/plugins/spring-security-cas/3.1.1.BUILD-SNAPSHOT/spring-security-cas-3.1.1.BUILD-20171003.112141-1.jar"
   }]
}

I am using

• Using gradle version 3.4.1 in this shell.
• Using grails version 3.3.11 in this shell.
• Using java version 8.0.252-amzn in this shell.

When i run test app they give me JFrog error.

• Could not generate a proxy class for class org.jfrog.gradle.plugin.artifactory.task.ExtractModuleTask.

I also used Gradle 4.x and 6.x still the same issue.

Is an update for Grails 4 in the roadmap for this plugin?

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

• WARN: Package lookup failures

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update assetPipelineVersion to v4 (major) (com.bertramlabs.plugins:asset-pipeline-grails, com.bertramlabs.plugins:asset-pipeline-gradle)
• Update dependency gradle to v8
• Update dependency org.asciidoctor:asciidoctor-gradle-jvm to v4
• Update dependency org.asciidoctor:asciidoctor-gradle-jvm-epub to v4
• Update dependency org.asciidoctor:asciidoctor-gradle-jvm-gems to v4
• Update dependency org.asciidoctor:asciidoctor-gradle-jvm-pdf to v4
• Update dependency org.grails.plugins:spring-security-core to v6
• Update dependency org.grails:grails-gradle-plugin to v6
• Update dependency org.hibernate:hibernate-core to v6
• Update dependency org.springframework.security:spring-security-cas to v6
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

This is a request not a bug.

The docs and/or examples would benefit if they had a discussion of configuring a filter chain that ONLY accepts the CAS authentication method when other authentication methods exist and are covering other endpoints. Yes, there is plenty of documentation in Spring Security about filter chains, but it remains a confusing subject that is very difficult to research.

Dear all,

I'm developing a web app using Grails 3.1.9 and spring-security-cas 3.0.0. The problem is that when I try to login the username returned is "cas_stateful" and I can't use this username to find the real user data.

My question is, how can I get the logged user attributes, so I can use the correct attribute to load de user.

Thanks in advance.

Dear all,
I have a grails 2.5 application running with the following security
configuration in BuildConfig:

compile ':spring-security-core:2.0-RC5'
compile ':spring-security-cas:2.0-RC1'

I moved to
compile ':spring-security-core:2.0.0'
compile ':spring-security-cas:2.0.0'

and I get the following error during deployment:

Exception starting filter CAS Single Sign Out Filter
java.lang.IllegalArgumentException: casServerUrlPrefix cannot be null.
at org.jasig.cas.client.util.CommonUtils.assertNotNull(CommonUtils.java:86)
at org.jasig.cas.client.session.SingleSignOutHandler.init(SingleSignOutHandler.java:140)
at org.jasig.cas.client.session.SingleSignOutFilter.init(SingleSignOutFilter.java:55)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

The cas configuration is included from Config.groovy:
grails.config.locations = ["file:${System.properties['catalina.base']}/webapps/appName/WEB-INF/gintegration-config.groovy"]

and in gintegration:

// app
grails.serverURL = "http://hostname:8080/appName"
grails.serverSecureURL = "https://hostname:8043/appName"

// CAS configuration
grails.plugin.springsecurity.seSessionFixationPrevention = false
grails.plugin.springsecurity.useCAS = true
grails.plugin.springsecurity.cas.active = true
grails.plugin.springsecurity.cas.serverUrlPrefix = 'https://hostname:10443/sso'
grails.plugin.springsecurity.cas.serverUrlEncoding = 'UTF-8'
grails.plugin.springsecurity.cas.loginUri = '/login'
grails.plugin.springsecurity.cas.sendRenew = false
grails.plugin.springsecurity.cas.serviceUrl = "${grails.serverURL}/secure/security_check"
grails.plugin.springsecurity.cas.key ='authentication_provider'
grails.plugin.springsecurity.cas.artifactParameter = 'ticket'
grails.plugin.springsecurity.cas.serviceParameter = 'service'
grails.plugin.springsecurity.cas.filterProcessesUrl = '/secure/security_check'
grails.plugin.springsecurity.cas.proxyCallbackUrl = "${grails.serverSecureURL}/secure/receptor"
grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'

grails.plugin.springsecurity.cas.useSingleSignOut = true

// also CAS related - do not touch please
grails.plugin.springsecurity.logoutURL = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout"
grails.plugin.springsecurity.logout.afterLogoutUrl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout?url=${grails.serverURL}"

I tried to change some configuration but it doesn't help. Am I doing something wrong?

grails:
plugin:
springsecurity:
cas:
active: true
serverUrlEncoding: UTF-8
loginUri: /login
serviceUrl: http://localhost:8080/login/cas
serverUrlPrefix: http://localhost:8088/cas
sendRenew: false
key: CasAuthenticationProvider
proxyCallbackUrl: http://localhost:8080/secure/receptor
proxyReceptorUrl: http://localhost:8080/secure/receptor

I've configured CAS and several services. Everything is okay except one feature - single logout.
When user goes to /logout on a service, he logout on the service and redirects to CAS. After that CAS sends POST requests to all registered (which has been authenticated) services where request is handled by org.jasig.cas.client.session.SingleSignOutFilter which calls destroySession method of org.jasig.cas.client.session.SingleSignOutHandler. In that method we find session by token and call session.invalidate(). Looks good, but it doesn't make user (authenticated on the other services) logged out. He will still authenticated on the services, where he didn't call /logout.
It seems we need to do something else with spring security session. But I'm not sure what exactly. Probably we need to remove session information in SessionRegistry like: sessionRegistry.removeSessionInformation(sessionId); But if so, I'm a little bit confused why it's not realized. Could you please clarify how to deal with this situation? And If I understand things wrong correct me if possible.
Thanks in advance!

Hi - I am trying top upgrade to the latest version but doesn't look like its in maven central? Where can i download the plugin from?

I tried running the "./grailsw install" but it fails with the following error

java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at grails.init.Start.main(Start.java:127)
Caused by: java.lang.NoClassDefFoundError: org/codehaus/groovy/runtime/GeneratedLambda
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
	at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:677)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:787)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:775)
	at grails.util.Environment.<clinit>(Environment.groovy:60)
	at org.grails.build.parsing.CommandLineParser.<clinit>(CommandLineParser.java:44)
	at org.grails.cli.GrailsCli.<init>(GrailsCli.groovy:109)
	at org.grails.cli.GrailsCli.main(GrailsCli.groovy:157)
	at org.grails.cli.GrailsCli$main.call(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
	at grails.init.RunCommand.main(RunCommand.groovy:35)
	... 5 more
Caused by: java.lang.ClassNotFoundException: org.codehaus.groovy.runtime.GeneratedLambda
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:677)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:787)
	at groovy.lang.GroovyClassLoader.loadClass(GroovyClassLoader.java:775)
	... 27 more```

Hello again.

I'm developing a web app with Grails 3.1.19 with the spring-security-cas 3.0.0 plugin. The problem is that when I try to login against my CAS server the plugin gets the wrong user name cas_stateful, and can't find the logged user.

Here you can see a piece of the application log:

DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login/cas'; against '/login/cas'
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = true
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = true
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - Request is to process authentication
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = true
DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login/cas'; against '//secure/receptor'
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login/cas'; against '/login/cas'
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = true
DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.cas.authentication.CasAuthenticationProvider
DEBUG org.springframework.security.cas.authentication.CasAuthenticationProvider - serviceUrl = http://localhost:8080/login/cas
DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
WARN grails.plugin.springsecurity.userdetails.GormUserDetailsService - **User not found: cas_stateful
DEBUG org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'cas_stateful' not found
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG org.springframework.security.cas.web.CasAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.cas.web.CasAuthenticationFilter$CasAuthenticationFailureHandler@710e9427

This is strange because using a local CAS server I can log in without problems but when I try to log in against this test CAS server http://casserverpac4j.herokuapp.com I get the previous error.

Here you got my local development config:

grails:
        plugin:
            springsecurity:
                cas:
                  loginUri: /login
                  serviceUrl: https://seri.upo.es:8443/login/cas
                  # serverUrlPrefix: http://localhost:9090/cas
                  serverUrlPrefix: http://casserverpac4j.herokuapp.com
                  proxyCallbackUrl: https://seri.upo.es:8443/secure/receptor
                  proxyReceptorUrl: /secure/receptor
                  serverName: https://seri.upo.es:8443
                  key: changeit
                  sendRenew: true
                logout:
                  # afterLogoutUrl: http://localhost:9090/cas/logout?url=https://seri.upo.es:8443
                  afterLogoutUrl: http://casserverpac4j.herokuapp.com/logout?url=https://seri.upo.es:8443 

What am I doing wrong?

Thank you

The code in SpringSecurityCasGrailsPlugin - loads "DefaultCasSecurityConfig"

`SpringSecurityUtils.loadSecondaryConfig 'DefaultCasSecurityConfig'
		// have to get again after overlaying DefaultCasSecurityConfig
		conf = SpringSecurityUtils.securityConfig

		if (!conf.cas.active) {
			return
		}`

And in "DefaultCasSecurityConfig" there are default CAS configuration which are now loaded whenever the Plugin is included irrespective the active flag is true of false.

In similar line there is SAML plugin SpringSecuritySamlGrailsPlugin. The above mentioned code is commented.

Code in the CAS plugin need to be commented too. This will ensure that default CAS configuration wouldn't be loaded by default whenever this plugin is included.

Version 3.2.3 of grails-spring-security-core will be released soon.

The version number of the referenced dependency needs to be updated.

I'm trying to get my code up and running again. I was running 3.3.11 against spring-security-core 3.2.0 with the now defunct spring-security-cas 3.1.1-BUILD-SNAPSHOT. I've upgrade to 3.3.15 and I can get my code to compile by downgrading to spring-security-cas 3.1.0, but there are issues, which is why I went to 3.1.1-BUILD-SNAPSHOT 3 years ago. I do know the 3.3.x line is out of date and I've been trying to get to 4.x for a bit, but not having much luck. Upgrading my 3.3.15 code to spring-security-core 4.0.0 (either -RC1 or -SNAPSHOT) results in the same issue I've had with 4.1.1, namely this line:

Configuring Spring Security CAS

doesn't show up after

Configuring Spring Security Core ...
... finished configuring Spring Security Core

My authentication provider is injected with the CasTicketValidator and casServiceProperties, which aren't there because CAS doesn't load first (or it turns out at all). I had initially thought it was an order of operations issue so I removed my authentication provider to test out things and it still doesn't appear that CAS started. I don't see anything in SpringSecurityCasGrailsPlugin.groovy to suggest the parameters changed.

HOW TO RECREATE
Create a new grails 3.3.15 or grails 4.1.1 application and add the following to build.gradle

GRAILS 3.3.15:
compile "org.grails.plugins:spring-security-core:3.2.0"
compile "org.grails.plugins:spring-security-cas:4.0.0-RC1"

GRAILS 4.1.1:
compile "org.grails.plugins:spring-security-core:4.0.3"
compile "org.grails.plugins:spring-security-cas:4.0.0-RC1"

and the following under spring in application.yml

plugin:
    springsecurity:
        active: true

        controllerAnnotations.staticRules:
          - pattern: '/**'
            access: ['permitAll']            
            
        cas:
            active: true
            serverUrlPrefix: 'https://localhost/cas'
            loginUri: '/login'
            serviceUrl: 'http://localhost:8080/login/authenticate'
            sendRenew: false
            useSingleSignout: true
            key: 'test'
            artifactParameter: 'ticket'
            serviceParameter: 'service'
            filterProcessesUrl: '/login/authenticate'

In Grails 3.3.15, my output is

| Resolving Dependencies. Please wait...

CONFIGURE SUCCESSFUL

| Running application...

Configuring Spring Security Core ...
... finished configuring Spring Security Core

Grails application running at http://localhost:8080 in environment: development

and in Grails 4.1.1, it is

| Resolving Dependencies. Please wait...

| Running application...

Configuring Spring Security Core ...
... finished configuring Spring Security Core

Grails application running at http://localhost:8080 in environment: development
<==========---> 83% EXECUTING [22s]

:bootRun

If you downgrade 3.3.15 to spring-security-core 3.1.0 you get:

| Resolving Dependencies. Please wait...

CONFIGURE SUCCESSFUL

| Running application...

Configuring Spring Security Core ...
... finished configuring Spring Security Core

Configuring Spring Security CAS ...
2022-07-28 03:00:52.308 ERROR --- [ main] o.s.boot.SpringApplication : Application startup failed

java.lang.NullPointerException: Cannot execute null+null
...

It crashes because I haven't missed a parameter in my cut-down example config, but CAS starts (and it does boot in my actual code so I have the parameter over there apparently).

Any idea why CAS is not starting with spring-security-cas version 4.0.0?

The guide for this plugin says that if you're using Grails 3.3.x, you should depend on

compile 'org.grails.plugins:spring-security-cas:3.1.1.BUILD-SNAPSHOT'

But the guide does not say which repository contains the snapshot (It isn't in any of the default repositories)

After following the Configuration Instructions, I'm having some trouble. Hopefully it's something simple.

When I do I grails run-app the first page is a simple sign-on page at http://localhost:8080/login/auth, not the cas page that we would like to use: https://login.ua.edu/cas/login.

My application.yml looks like:
grails:
----plugin:
--------springsecurity:
------------cas:
----------------loginUri: /login
----------------serviceUrl: http://localhost:8080/login/cas
----------------serverUrlPrefix: https://login.ua.edu/cas
----------------useSingleSignout: false

and I added to my build.gradle under dependencies:
compile "org.grails.plugins:spring-security-core:3.2.3"
EDIT I got it to go to our page by using both:
compile 'org.grails.plugins:spring-security-cas:3.0.1'
compile "org.grails.plugins:spring-security-core:3.2.3" in my dependencies.

Next issue:
When I enter my credentials, it returns a page that says "This page isn't working Local host redirected you too many times Try clearing your cookies"

Dear all,

I'm developing a web app using Grails 3.1.9 and spring-security-cas 3.0.0.

I've followed the instructions and configured a local CAS server directly in the application.yml file, but now I can't figure out how I can configure two or more environments (local development, test, production, etc.).

My question is, how can I configure my web app, preferably with a Database table, to manage diferent environments.

Thanks in advance.

Hello,

I am wondering if there is a way change the default tolerance value.

Thanks,
Juan

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: .github/renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting end of expression or separator near
{

Looks like they've removed the FilterRegistrationBean in Grails 3.3.x which causes the error on boot...

Configuring Spring Security CAS ...
2017-06-28 18:01:15.201 ERROR --- [           main] o.s.boot.SpringApplication               : Application startup failed

java.lang.NoClassDefFoundError: org/springframework/boot/context/embedded/FilterRegistrationBean
        at grails.plugin.springsecurity.cas.SpringSecurityCasGrailsPlugin$_doWithSpring_closure1.doCall(SpringSecurityCasGrailsPlugin.groovy:82)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)

Mac OS X 10.12.5
Java 1.8.131
Grails 3.3.0.RC1

Following is the exception stacktrace

Run gradle/gradle-build-action@v2
Gradle setup only performed on first gradle-build-action step in workflow.
/home/runner/work/grails-spring-security-cas/grails-spring-security-cas/gradlew docs:docs

> Task :docs:asciidoc FAILED
Error: Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
	at org.asciidoctor.internal.EnvironmentInjector.inject(EnvironmentInjector.java:31)
	at org.asciidoctor.internal.JRubyAsciidoctor.injectEnvironmentVariables(JRubyAsciidoctor.java:142)
	at org.asciidoctor.internal.JRubyAsciidoctor.createJRubyAsciidoctorInstance(JRubyAsciidoctor.java:129)
	at org.asciidoctor.internal.JRubyAsciidoctor.create(JRubyAsciidoctor.java:82)
	at org.asciidoctor.Asciidoctor$Factory.create(Asciidoctor.java:7[26](https://github.com/grails/grails-spring-security-cas/actions/runs/7641687537/job/20819543071#step:9:27))
	at org.asciidoctor.gradle.backported.AsciidoctorJavaExec.getAsciidoctorInstance(AsciidoctorJavaExec.groovy:73)
	at org.asciidoctor.gradle.backported.AsciidoctorJavaExec.run(AsciidoctorJavaExec.groovy:39)
	at org.asciidoctor.gradle.backported.AsciidoctorJavaExec.main(AsciidoctorJavaExec.groovy:194)

Apply Change similar to grails/grails-core#13387

The Grails default UTF-8 characterEncodingFilter no longer encodes special characters correctly in an app with the Spring Security CAS plugin.

I believe this is due to the SingleSignOutFilter's registration order being set to Ordered.HIGHEST_PRECEDENCE and thus being first in the filter chain instead of the encoding filter. Not that this is the solution, but by setting the SingleSignOutFilter's order to Ordered.HIGHEST_PRECEDENCE + 1, and customizing characterEncodingFilter with order Ordered.HIGHEST_PRECEDENCE seems to fix the problem.

This is most easily demonstrated by submitting a post request to a controller with special characters, e.g. ™, ®, etc. in it.