grails / grails-spring-security-cas

Apache License 2.0

ERR_TOO_MANY_REDIRECTS with cas login when web-app is deployed with context path in aks #106

Open shrede01 opened 2 months ago

shrede01 commented 2 months ago

We had a grails 4 app which we recently upgraded to grails 6. This app uses CAS for login and the app works fine when running locally. However, when we deploy this app to AKS, we add a context path (sonic) to access the service since we have multiple web applications running under the same host name.

When we browse the app, it correctly redirects to the CAS login page and after logging in, the URL changes from:

https:[HOST]/sonic/login/cas?ticket=[SERVICE TICKET]

and then to

https:[CAS server]/cas/login?service=https%3A%2F%2F[HOST]%2Fsonic%2Flogin%2Fcas

with error message:

This page isn’t working
[HOST] redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS

This issue however was not happening with the old (grails 4) code, so it makes me believe that when we upgraded the spring security library for grails 6, there must be something we have missed. But it's been really difficult to track since this is only happening in AKS and cannot be reproduced locally (with/without context path).

These are the spring security plugins used in the web app:

    implementation("org.grails.plugins:spring-security-cas:4.0.0")
    implementation("org.grails.plugins:spring-security-core:6.0.3")
    implementation("org.grails.plugins:spring-security-rest:3.0.1")

And the CAS configs are:

    grails:
      plugin:
        springsecurity:
          cas:
            loginUri: "/login"
            serviceUrl: "${SONIC_APPLICATION_URL}/login/cas"
            serverUrlPrefix: "${SONIC_CAS_URL}"
            useSingleSignout: true
            filterProcessesUrl: '/login/cas'
            whiteListAlgorithms: 'RS256,RS512'

UPDATE:

When enabling debug logs I see:

    2024-05-10 15:53:08.694 [http-nio-8080-exec-36] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Failed to authorize filter invocation [GET /sonic/login/cas?ticket=ST-5981-YBdk3BekFB1U4uPo-1OHKCYhBA0-cas-deployment-558466988-9kj4b] with attributes [ROLE_CONCEPT_ARCHIVE]

Asked the same here as well: https://stackoverflow.com/questions/78443531/err-too-many-redirects-with-cas-login-when-web-app-is-deployed-with-context-path
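The debug line above is the useful signal: the request that carries the CAS service ticket (`GET /sonic/login/cas?ticket=...`) is being authorized against `[ROLE_CONCEPT_ARCHIVE]` instead of being let through as the plugin's ticket-processing URL, so the anonymous request is denied, the entry point sends the browser back to CAS, CAS (which still has a valid SSO session) issues a fresh ticket, and the cycle repeats until the browser gives up with ERR_TOO_MANY_REDIRECTS. The example below is an added illustration, not code from this issue or from the grails-spring-security-cas plugin: it is a simplified Python model of Spring Security's first-match Ant-style URL rules, used to show how the same request URI resolves to a different rule depending on whether the application itself knows `/sonic` as its context path (i.e. whether the prefix is stripped before rule matching). The rule list, the role name usage and the flow model are constructed assumptions; the request path and role come from the log line on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed rule set modelled on a typical interceptUrlMap: the CAS
# processing URL is open, everything else needs the role from the log line.
@dataclass(frozen=True)
class Rule:
    pattern: str   # Ant-style pattern: '**' any segments, '*' within a segment
    access: str    # 'permitAll' or a role name

RULES = [
    Rule("/login/cas", "permitAll"),
    Rule("/**", "ROLE_CONCEPT_ARCHIVE"),
]

# Taken from the debug log in the issue (the ticket value is the page's own sample).
TICKET_URI = "/sonic/login/cas?ticket=ST-5981-YBdk3BekFB1U4uPo-1OHKCYhBA0-cas-deployment-558466988-9kj4b"
# Placeholder for the CAS login URL the entry point redirects to (constructed).
CAS_LOGIN_URL = "https://[CAS server]/cas/login?service=https%3A%2F%2F[HOST]%2Fsonic%2Flogin%2Fcas"


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate the small Ant-path subset used above into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"      # '/**' matches zero or more further segments
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"         # single '*' stays inside one segment
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + "$")


def servlet_path(request_uri: str, context_path: str) -> str:
    """Path the security rules see: the context path (if the app knows it) is removed."""
    path = urlsplit(request_uri).path
    if context_path and path == context_path:
        return "/"
    if context_path and path.startswith(context_path + "/"):
        return path[len(context_path):]
    return path


def first_matching_rule(rules, path: str):
    """First-match semantics, as in an ordered interceptUrlMap."""
    for rule in rules:
        if ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def authorize(rules, request_uri: str, context_path: str, granted_roles: set):
    """Return (allowed, matched_rule); unmatched paths are denied by default."""
    rule = first_matching_rule(rules, servlet_path(request_uri, context_path))
    if rule is None:
        return False, None
    if rule.access == "permitAll":
        return True, rule
    return rule.access in granted_roles, rule


def simulate_cas_flow(rules, context_path: str, max_hops: int = 10):
    """Simplified model of the browser hops after CAS has issued a ticket.

    Before the ticket is validated the session is anonymous (no roles). If the
    ticket URL is allowed, the CAS filter validates it and the flow ends; if it
    is denied, the entry point redirects to CAS, which hands out a new ticket.
    Returns (hops, looped): looped is True when max_hops is exhausted.
    """
    hops = []
    for _ in range(max_hops):
        allowed, rule = authorize(rules, TICKET_URI, context_path, granted_roles=set())
        if allowed:
            hops.append(f"ticket validated at {servlet_path(TICKET_URI, context_path)}")
            return hops, False
        hops.append(f"denied by rule {rule.pattern!r} ({rule.access}); redirect to CAS")
        hops.append(CAS_LOGIN_URL)
    return hops, True


if __name__ == "__main__":
    for ctx in ("/sonic", ""):
        hops, looped = simulate_cas_flow(RULES, ctx)
        print(f"context path {ctx!r}: looped={looped}, hops={len(hops)}")
        print("  " + hops[0])
```

With the application configured so that `/sonic` is its context path, the ticket request matches the `permitAll` rule and the flow terminates after one hop. With an empty context path (the prefix arriving only from the ingress, so the application treats `/sonic/login/cas` as its servlet path), the first rule never matches, `/**` with `ROLE_CONCEPT_ARCHIVE` wins, and the model loops until the hop budget runs out, which is the ERR_TOO_MANY_REDIRECTS symptom. A quick check worth making in the deployed pod is which of the two cases the running app is in: the log line printing the path with the `/sonic` prefix is the hint that points at the second.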