search

casinthecloud / java-spring-security-cas-client-demo

Demo webapp protected by the CAS client from Spring Security
5 stars 5 forks source link

Can this code block work without enabling ssl in the client ? #1

Closed haggucan closed 7 years ago

haggucan commented 7 years ago

I am trying to use client demo combining with the virtual cas server exampled as : https://github.com/ubc/vagrant-cas. I have updated client securityContext.xml as below:

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<sec:http use-expressions="true" entry-point-ref="casEntryPoint">
    <sec:intercept-url pattern="/protected/**" access="isAuthenticated()" />
    <sec:intercept-url pattern="/**" access="permitAll" />
    <sec:custom-filter position="CAS_FILTER" ref="casFilter" />
    <!-- Handle CAS logout request from the browser (on /j_spring_security_logout): -->
    <sec:logout />
    <!-- Handle CAS logout directly from the CAS server: -->
    <sec:custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
</sec:http>

<bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

<bean id="casEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <!-- Change with your own CAS server -->
    <property name="loginUrl"
        value="http://192.168.33.10/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />

</bean>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <!-- Change with your own host name -->
    <property name="service"
        value="http://localhost:8080/j_spring_cas_security_check" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>

<bean id="casAuthenticationProvider"
    class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="authenticationUserDetailsService">
        <bean
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <constructor-arg ref="userService" />
        </bean>
    </property>
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <!-- Change with your own CAS server -->
            <constructor-arg index="0"
                value="http://192.168.33.10/cas/p3/" />
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
</bean>

<sec:user-service id="userService">
    <sec:user name="scott" password="casuser" authorities="ROLE_ADMIN" />
</sec:user-service>

I can not login with the user scott. As far as I can see the client app server jetty does not have any ssl certificate and https://wiki.jasig.org/display/casum/end-to-end+windows+example#End-to-endWindowsExample-DeploytheServer this tutorial says that both client and server sides should have the ssl certificates. Can the problem be related to this issue?

Thank you in advance

leleuj commented 7 years ago

No, for sure, you can use both the CAS client and server in HTTP, but it's a matter of configuration of the CAS server and client application. It is nonetheless recommended to use SSL everywhere.