1

In context of a backend proxying a CAS, my users have often the default redirect page instead of original page.

In the workflow of my application, when I need to access to a resource server from my webapp, it needs to have a valid JWT token given by a Oauth2 server (which works with spring-security-oauth2 and spring-security-cas). If Oauth2 server have a CAS session for this user, it gives him JWT token, otherwise, it will redirect him to CAS login page.

In spring-security-cas mecanism of my Oauth2 server, it store original request (webapp URI I come from) in HTTP session while user fill login CAS page. If login is a success, user is redirected to an endpoint of my backend and previously stored request is used for building redirect to my webapp (https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#form-login-flow-handling).

In my application, it often happens that it do not found this stored request. Because session is expired. In this case, it redirect to a default page of my backend.

I could increase http session expiration time of my server but it will not solve the problem.

For me, the best would be to forward original URI to query request submited to CAS login (into "service" param). To be stateless.

I tried this changes :

  • In my http config : sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  • In my http config, a customized AuthenticationSuccessHandler which set targetUrlParameter :
SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler();
handler.setTargetUrlParameter("redirect_uri");
casAuthenticationFilter.setAuthenticationSuccessHandler(handler);
  • Set of authenticateAllArtifacts to true in serviceProperties bean
  • Customized AuthenticationDetailsSource and CasAuthenticationEntryPoint with a 'dynamicServiceResolver' like Matt done here : https://stackoverflow.com/a/28592699/8913925

My backend endpoint is well called after a login success (with redirect_uri).

But, in validate phase (when my backend call CAS with Service Ticket to /serviceValidate endpoint), my CAS say me 'INVALID_TICKET', my ticket is unknown.

EDIT: [sorry, it was a mistake caused by debug mode (ticket life is short)] But, when redirect to original request is done (GET http://oauth2/jwt-token in my case), it see me as an Anonymous user.

I expect to call CAS without use of HTTP session, but actualy I've not found how to do.

Erwann
  • 11
  • 4

0 Answers0