kakawait / cas-security-spring-boot-starter Goto Github PK

Some class package path changed with spring-boot-starter-security , Can make a branch for spring boot 2 ?

public class CasConfiguration extends CasSecurityConfigurerAdapter {
       @Override
	public void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().antMatchers("/testServide/**").permitAll()
               .anyRequest().authenticated();
	}
}

With this configuration, it still requires testService authentication. Am I implementing correctly? I want this service not to require authentication.

• In-memory
• Database (JDBC?)
• Redis

And prototype/sample to change it and be able to also use existing one:

• https://github.com/apereo/java-cas-client/tree/master/cas-client-support-distributed-memcached
• https://github.com/apereo/java-cas-client/tree/master/cas-client-support-distributed-ehcache

Essentially to be conform with security issue reported by Snyk

Hi,

I want to securing my APIs which are accessed cross domain, so my expected behavior is(e.g.GET http://my.api/users/me from http://my.web/):

open http://my.web -(fetch API)->
OPTION http://my.api/users/me -> HTTP 200 ->
GET /users/me -> HTTP 403 or HTTP 401 ->
location.href='http://my.api/login/cas?return_url=http://my.web/' ->
http://my.api/login/cas?return_url=http://my.web/ -> HTTP 302 -> cas server

How could I implement this process?

I downloaded a spring boot app from spring initializer. Added the dependency to the POM and now my builds fail. Any idea on how to resolve this ?

Failed to execute goal on project dataAccessRequest: Could not resolve dependencies for project uk.ac.stand:dataAccessRequest:war:0.0.1-SNAPSHOT:

Failed to collect dependencies at com.kakawait:cas-security-spring-boot-starter:jar:0.8.0:

Failed to read artifact descriptor for com.kakawait:cas-security-spring-boot-starter:jar:0.8.0: Could not find artifact com.kakawait:cas-security-spring-boot-parent:pom:0.8.0

With following conf:

security:
  basic:
    enabled: false
  ignored: /ignored, /**/favicon.ico
  cas:
    server:
      base-url: http://localhost:8080/cas/
      protocol-version: 3
    service:
      resolution-mode: dynamic
    paths: /test

Auth does not work anymore because /login is not treated by CAS filters

Workaroud

security:
  basic:
    enabled: false
  ignored: /ignored, /**/favicon.ico
  cas:
    server:
      base-url: http://localhost:8080/cas/
      protocol-version: 3
    service:
      resolution-mode: dynamic
    paths: /test, /login

nginx :

listen       9001;
location / {
            proxy_pass http://192.168.208.1:8762/main;
        }

when I access localhost:9001, after login, SavedRequestAwareAuthenticationSuccessHandler cannot get the targetUrl so that redirect to http://192.168.208.1:8762, but what I want is http://192.168.208.1:8762/main

Hi @kakawait. You published new version. But there is a same bug again. When you done #14 issue it was fixed. There is also the same error in UI. Could you fix this? I think you must not to redirect login page. Maybe you can add a property to config for login page.

but static mode is ok.

Add the possibility to extend the ticket validator to do custom things.

The CAS server I am using sends the attributes in custom tags and the default implementation of this api does not recognize them. I am having a hard time to extend the existing ticket validator to be able to parse those fields.

Maybe adding parse handlers would be good.

related to #34

properties like

security.enable-csrf
security.headers.*
security.require-ssl

Hi @kakawait . I set security.cas.service.path.proxy-callback= /j_spring_cas_security_proxyreceptor. After this my app throw this

There was an unexpected error (type=Unauthorized, status=401). Authentication Failed: The supplied proxy callback url 'https://localhost:8443/j_spring_cas_security_proxyreceptor' could not be authenticated. Either 'https://localhost:8443/j_spring_cas_security_proxyreceptor' cannot be reached, it is not allowed to exercise proxy authentication.

How can i get pgt ticket for connect other cas-protected-apps?

Could you dockerize project?

when i logout in CAS, my client not logout.

Need to tests (help wanted) I even didn't try, it may already work (but I got some doubt)

I want to protect every resources in /secured/* but I get this error:
"Pattern cannot be null or empty"

with /** it works, but even my public resources (css, html...) are protected

security:
  cas:
    paths: /secured/
    server:
      base-url: https://myserver/cas
    service:
      base-url: http://localhost:8080/secured

And thinking about removing Hibernate Validator

Hi, I am having difficulties enabling csrf

I have added
security.enable-csrf=true
in properties file. However i think the line 191 in CasHttpSecurityConfigurer.java still gets triggered

Is there a different property that needs to be set ?

The user "userc" has two role "a" and "c" with CAS ticket back data [a,c],but the GrantedAuthoritiesFromAssertionAttributesWithDefaultRolesUserDetailsService set user roles
"ROLE_USER" and "ROLE_[a,c]" .

How can I define the returned XML data field to support Collection?
Or improve GrantedAuthoritiesFromAssertionAttributesWithDefaultRolesUserDetailsService support
"[ROLE_A,ROLE_B]" 、"ROLE_A,ROLE_B" string data.
thanks!

CAS Cas30ProxyTicketValidator back data

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationSuccess>
		<cas:user>testc</cas:user>
		<cas:attributes>
			<cas:longTermAuthenticationRequestTokenUsed>false
			</cas:longTermAuthenticationRequestTokenUsed>
			<cas:isFromNewLogin>true</cas:isFromNewLogin>
			<cas:authenticationDate>Fri Jan 05 15:12:03 CST 2018
			</cas:authenticationDate>
			<cas:roles>[a, c]</cas:roles>
			<cas:userid>1</cas:userid>
			<cas:username>testc</cas:username>
		</cas:attributes>
	</cas:authenticationSuccess>
</cas:serviceResponse>

Reminder

• Support Spring boot 2 (#94)
• Remove deprecated (#104)
• Revamp maven module name
• Update dependencies
• Create property deprecation for security.cas.authorize-mode -> security.cas.authorization.mode
• Update README.md (and remove absolute links)
• Add doc for breaking changes
• Edit TBD date on CHANGELOG.md
• Rewrite link that point to develop branch in CHANGELOG.md
• Social stuffs
  • tweet
  • gitter?
  • Community starter https://github.com/spring-projects/spring-boot/tree/master/spring-boot-project/spring-boot-starters
• Release to maven

My application has two types of users. Internal users and external users so I want to combine your starter with a simple login page authentication.

The problem I am having is that this starter doesn't expose the AuthenticationManagerBuilder configure method.

public void configure(AuthenticationManagerBuilder auth)

Since I need to add a second auth mechanism I need access to this configuration. I am trying to use the approach described here https://www.baeldung.com/spring-security-multiple-auth-providers

Is it possible to configure a second authentication method using this starter that I am missing?

when i visit my application's /logout url, it raise 404 error.

this is the configuration：

server:
  port: 8081

security:
  cas:
    server:
      base-url: http://127.0.0.1:8080/cas/
    service:
      resolution-mode: dynamic
  ignored: /ignored

BTW. dynamic resolution mode is OK.

• stateless (aka asking new ProxyTicket each time) (see #76)
• stateful
  • retry strategy (if stateful context is no more valid, ask a new stateless ticket)
  • stateful cookies (keep all cookies and retry with them, with chances that session is present inside cookie)
  • stateful ticket (using StatelessTicketCache feature)

Latest release 0.7.0 can't be used due to unresolved dependency on cas-security-spring-boot-parent 0.7.0:
Could not resolve all files for configuration ':compileClasspath'.

Could not resolve com.kakawait:cas-security-spring-boot-starter:0.7.0.
Required by:
project :
Could not resolve com.kakawait:cas-security-spring-boot-starter:0.7.0.
> Could not parse POM https://repo.maven.apache.org/maven2/com/kakawait/cas-security-spring-boot-starter/0.7.0/cas-security-spring-boot-starter-0.7.0.pom
> Could not find com.kakawait:cas-security-spring-boot-parent:0.7.0.
Searched in the following locations:
https://repo.maven.apache.org/maven2/com/kakawait/cas-security-spring-boot-parent/0.7.0/cas-security-spring-boot-parent-0.7.0.pom
https://repo.maven.apache.org/maven2/com/kakawait/cas-security-spring-boot-parent/0.7.0/cas-security-spring-boot-parent-0.7.0.jar
https://jcenter.bintray.com/com/kakawait/cas-security-spring-boot-parent/0.7.0/cas-security-spring-boot-parent-0.7.0.pom
https://jcenter.bintray.com/com/kakawait/cas-security-spring-boot-parent/0.7.0/cas-security-spring-boot-parent-0.7.0.jar
Could not resolve com.kakawait:cas-security-spring-boot-starter:0.7.0.
> Could not parse POM https://jcenter.bintray.com/com/kakawait/cas-security-spring-boot-starter/0.7.0/cas-security-spring-boot-starter-0.7.0.pom
> Could not find com.kakawait:cas-security-spring-boot-parent:0.7.0.

Need for #31

Module will be deprecated and remove for milestone 1.0.0

Hello , @kakawait
The user logout success default url is http://cas.mydomain.com/cas/logout.

How configuration logout success ,and go to service url.

Like this:

http://cas.mydomain.com/cas/logout?service=http://www.google.com

Thanks!

hello,I want configuration path authorize must has role! I override method configure(HttpSecurity http),
User login and have roles 'A' , but the user can access any paths!

thanks!

@Configuration
class CustomCasSecurityConfiguration extends CasSecurityConfigurerAdapter {
	
	@Autowired
	private List<CasSecurityConfigurer> configurers;
	
	@Override
	public void configure(CasAuthenticationFilterConfigurer filter) {
		// Here you can configure CasAuthenticationFilter
	}

	@Override
	public void configure(CasSingleSignOutFilterConfigurer filter) {
		// Here you can configure SingleSignOutFilter
	}

	@Override
	public void configure(CasAuthenticationProviderSecurityBuilder provider) {
		// Here you can configure CasAuthenticationProvider
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		// Here you can configure Spring Security HttpSecurity object during
		// init configure
		http
			.authorizeRequests()
				.antMatchers("/testa").hasRole("A")
				.antMatchers("/testb").hasRole("B");
	}

	@Override
	public void configure(CasTicketValidatorBuilder ticketValidator) {
		// Here you can configure CasTicketValidator
	}
}

spring boot start log

2017-12-27 15:43:27.091 DEBUG 11056 --- [  restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasRole('ROLE_USER')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2017-12-27 15:43:27.091 DEBUG 11056 --- [  restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasRole('ROLE_A')', for Ant [pattern='/testa']
2017-12-27 15:43:27.092 DEBUG 11056 --- [  restartedMain] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasRole('ROLE_B')', for Ant [pattern='/testb']

Hi. Thank you for this project. It is best for cas auto config. But i have a little problem.

I did a cas-client project with gradle and it looks like good. My application.yml is that:

security:
  basic:
    enabled: false
  ignored: /
  cas:
    paths: /protected
    server:
      base-url: https://localhost:10100/cas
      protocol-version: 2
    service:
      base-url: https://localhost:8443
      paths:
        proxy-callback: /j_spring_cas_security_proxyreceptor

server:
  port: 8443
  ssl:
    enabled: true
    key-store: file:/etc/keystore/localhost.jks
    key-store-password: changeit

Cas server runs on 10100 port. The client web project works good. But i want to access controller to through get and post method.

I try that: (i use postman)

1. step :

Header:
POST https://localhost:10100/cas/v1/tickets
Content-Type: application/x-www-form-urlencoded
Body:
username=myname&password=123456

1. step result:
   Body (html format):

<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html>
    <head>
        <title>201 Created</title>
    </head>
    <body>
        <h1>TGT Created</h1>
        <form action="https://localhost:10100/cas/v1/tickets/TGT-32-NfRV2HIYL6JlqUFTpJuc6EfUyH6q9BImaS0a5CPyOpInrO3fqk-8ee6f154afba" method="POST">Service:
            <input type="text" name="service" value="">
            <br>
            <input type="submit" value="Submit">
        </form>
    </body>
</html>

2. step:
   I want to get a service ticket for "https://localhost:8443/protected"

Header:
POST https://localhost:10100/cas/v1/tickets/TGT-32-NfRV2HIYL6JlqUFTpJuc6EfUyH6q9BImaS0a5CPyOpInrO3fqk-8ee6f154afba
Content-Type: application/x-www-form-urlencoded
Body:
service=https%3A%2F%2Flocalhost%3A8443%2Fprotected

2. step result:

ST-171-b2Sz3TseQlmFjthK7xqV-8ee6f154afba

3. step:

Header:
GET https://localhost:8443/protected?ticket=ST-171-b2Sz3TseQlmFjthK7xqV-8ee6f154afba

I expect my protected page html format. But i saw login page. What is the problem? Could you help me?

I want to view with the code that was used to build the 1.0.0-beta-1 release.

There is no branch or tag that I can find which was used to build this version.

How can I see the commit used to build this version?

• spring-security-cas-extension #84
• cas-security-spring-boot-starter #91

Hi , i am trying to configure my application to work with
http://www.baeldung.com/spring-security-method-security

I was just wondering if i can do something like
security.securedEnabled = true
in the application.properties file to get this working with your CAS library