kakawait / cas-security-spring-boot-starter

Spring boot starter for Apereo CAS client fully integrated with Spring security
MIT License

I got status=401 when I use resolution-mode: dynamic #3

Closed Panmax closed 7 years ago

Panmax commented 7 years ago


But static mode is ok.

kakawait commented 7 years ago

@Panmax Thank you for feedback, can you please share with me your configuration file?

The strange thing is the multiple '?' chars in the URL.

And if you have more logs in the log output :)

Panmax commented 7 years ago

This is my config file:

server:
  port: 8081

security:
  cas:
    server:
      base-url: http://127.0.0.1:8080/cas/
    service:
      resolution-mode: dynamic
  ignored: /ignored

And there is no error log in the terminal.


This config is ok:

server:
  port: 8081

security:
  cas:
    server:
      base-url: http://127.0.0.1:8080/cas/
    service:
      base-url: http://127.0.0.1:8081
  ignored: /ignored

kakawait commented 7 years ago

In fact it's more an issue with static mode, which does not compute the URL correctly:

http://localhost:8781/cas/p3/proxyValidate?pgtUrl=%2Fcas%2Fproxy-callback&ticket=ST-12-jcxNnklCEm3bIEIdjbb7-6caae9445ce0&service=http%3A%2F%2F127.0.0.1%3A8080%2Flogin

Check: the pgtUrl parameter is not a valid URL, thus it is disabling the PGT callback.

I think when fixed you will have the same problem with static and dynamic.


Is your CAS server able to contact your service during the PGT callback process?

kakawait commented 7 years ago

@Panmax When 0.1.2 is released, can you please upgrade your configuration like the following:

server:
  port: 8081

security:
  cas:
    server:
      base-url: http://127.0.0.1:8080/cas/
    service:
      proxy-callback-enabled: false
      resolution-mode: dynamic
  ignored: /ignored

Panmax commented 7 years ago

Ok, I will try. Thank you.

kakawait commented 7 years ago

I will release it in 5 min (+ time for Maven Central to be fresh)

Panmax commented 7 years ago

I am a new CAS user, I don't know what the PGT callback process is.

Panmax commented 7 years ago

My CAS config:

server.context-path=/cas

cas.server.port=
cas.server.http.port=8080
cas.server.name: http://127.0.0.1:8080
cas.server.prefix: http://127.0.0.1:8080/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services

cas.authn.accept.users=
server.ssl.enabled=false
cas.tgc.secure=false
cas.warningCookie.secure=false
cas.logout.followServiceRedirects=true

cas.authn.jdbc.query[0].sql=select password from account where username=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.VIEWS
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/jupiter?&useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&useSSL=false
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQL56InnoDBDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].ddlAuto=update
cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=500

cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5

kakawait commented 7 years ago

@Panmax Unfortunately I'm more a CAS client user than a CAS server power user, so I can't help you with CAS server configuration.

About proxy callback, you may find some useful information here: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

But to summarize: when the client validates the ticket using the /serviceValidate or /proxyValidate API, if you add pgtUrl as a parameter (see specification) then the CAS server will contact your server (it is a new request, the CAS server will use its own HTTP client) to send you the PGT (proxy granting ticket, the ticket that is mandatory to ask for a PT, proxy ticket). But if the CAS server is not able to contact your server (network issue, DNS issue, etc.) it will break the flow.
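As an added example (not code from the starter or from either commenter), here is a small Python check for the two points raised above: the pgtUrl in the quoted proxyValidate request is a bare path the CAS server can never call back, and the callback itself is a separate HTTPS request from the CAS server to the service. The sample request is the one quoted in the thread; the function names and the HTTPS requirement (CAS protocol 3.0, section 2.5.4) are the example's own assumptions.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample: the proxyValidate request quoted earlier in this thread,
# in which pgtUrl was emitted as a bare path instead of an absolute URL.
BROKEN_VALIDATE_URL = (
    "http://localhost:8781/cas/p3/proxyValidate?pgtUrl=%2Fcas%2Fproxy-callback"
    "&ticket=ST-12-jcxNnklCEm3bIEIdjbb7-6caae9445ce0"
    "&service=http%3A%2F%2F127.0.0.1%3A8080%2Flogin"
)


def build_pgt_url(service_base_url: str, callback_path: str = "/cas/proxy-callback") -> str:
    """Resolve the callback path against the service's own base URL.

    This is what a client must send as pgtUrl: an absolute URL the CAS server
    can open, not the servlet path alone. In "dynamic" mode the base URL would
    come from the incoming request's scheme, host and port instead of config.
    """
    return urljoin(service_base_url.rstrip("/") + "/", callback_path.lstrip("/"))


def pgt_url_problems(pgt_url: str, service_url: str) -> list:
    """Return reasons the CAS server would reject or never reach pgtUrl."""
    problems = []
    p = urlparse(pgt_url)
    if not p.scheme or not p.netloc:
        # A relative path gives the CAS server no host to connect to, so the
        # callback is silently skipped and no PGT is ever delivered.
        problems.append("pgtUrl is relative; the CAS server cannot open a connection to a bare path")
        return problems
    if p.scheme != "https":
        # Assumption from the CAS protocol spec: the callback is made over HTTPS
        # and the server verifies the certificate, so plain http is refused.
        problems.append("pgtUrl is not https; the CAS server makes the callback over HTTPS only")
    if p.hostname != urlparse(service_url).hostname:
        # Not forbidden by the protocol, but a mismatch usually means the
        # callback lands on a host that is not the service being protected.
        problems.append("pgtUrl host differs from the service host; confirm the CAS server can reach it")
    return problems


def check_validate_request(validate_url: str) -> list:
    """Parse a serviceValidate/proxyValidate request and audit its pgtUrl."""
    query = parse_qs(urlparse(validate_url).query)
    return pgt_url_problems(query["pgtUrl"][0], query["service"][0])
```

Running `check_validate_request(BROKEN_VALIDATE_URL)` reports only the relative-path problem, which matches the symptom in the thread: the callback is dropped and the flow never completes.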

Panmax commented 7 years ago

I understood, thank you very much.

kakawait commented 7 years ago

@Panmax After more thinking I will change the configuration: I will delete the proxy-callback-enabled property and instead do it another way. I will keep you in touch.

Panmax commented 7 years ago

👌🏻

Panmax commented 7 years ago

I upgraded to 0.1.2, but when I visit my site it doesn't redirect to the CAS login page, but shows Hello anonymous.

kakawait commented 7 years ago

The artifact is not yet uploaded. I think Maven simply just did not find the artifact, which has disabled the starter since Maven can't fetch it.

Panmax commented 7 years ago

Alright 😂

kakawait commented 7 years ago

@Panmax With this new PR you will not need to change your initial configuration, so please keep:

server:
  port: 8081

security:
  cas:
    server:
      base-url: http://127.0.0.1:8080/cas/
    service:
      resolution-mode: dynamic
  ignored: /ignored

kakawait commented 7 years ago

@Panmax Just deployed to Maven Central, you should now use the 0.1.2 version.