uPortal-Project / uPortal

Enterprise open source portal built by and for the higher education community.
https://www.apereo.org/projects/uportal
Apache License 2.0

CAS from bean configuration in proxy mode isn't working #1374

Open jgribonvald opened 5 years ago

jgribonvald commented 5 years ago

Describe the bug

CAS configuration from bean isn't working for proxy mode. Only configuring it in the web.xml is working. The CAS client is initializing the conf correctly from the servlet mapping but not from the bean. The bug is in the CAS-client library.

See the related topic about it: https://groups.google.com/a/apereo.org/forum/#!topic/uportal-dev/vZ1Ot0uVjU8

Platform:

Additional context

When the bug is solved in CAS-client, we will be able to go back to the bean configuration. Meanwhile, to get it working, follow these steps:

  1. Replace CAS Validation Filter definition in web.xml (a spring proxy) with the actual definition from uP4.3.
  2. Replace variables with actual values.
  3. Remove CAS Validation Filter bean from securityContext.xml (optional).

uPortal 5 does not filter web.xml, so the variables will not be substituted for values in properties files. This was the reason the filter configuration was moved to Spring. Unfortunately, the Spring configuration does not seem to support proxying configuration completely.

One more thing: to enable CAS proxy mode you should add this bean in your custom deployment:

    <bean id="casTicketUserInfoService" class="org.apereo.portal.portlet.container.services.CasTicketUserInfoService" />

bjagg commented 5 years ago

N.B. The latest version of Java CAS Client does not completely support all the configurations uPortal uses via Spring Framework.

drewwills commented 5 years ago

Can we fix this issue by updating our CAS client dependency?

Will we be able to do so if we first fix a bug in the CAS client?

bjagg commented 5 years ago

@drewwills Yes, IIRC.

jgribonvald commented 5 years ago

Do you have any idea when the CAS client library will be fixed? I know some adopters that a fix could help...

mmoayyed commented 5 years ago

I am hoping to chat with Benito some time next week to figure out what the issues are, and work with him to apply/make fixes, if any.

markmclaren commented 3 years ago

I finally got CAS proxy authentication working in uPortal-start but I had to make changes to several files both inside CAS and uPortal. I implemented this locally by copying my modified files into the overlays section for cas/uPortal (I expect there are better ways).

In CAS I modified deployerConfigContext.xml's serviceRegistryDao so that the RegexRegisteredService bean included the property:

<property name="allowedToProxy" value="true"/>

In uPortal:

I modified security.properties to uncomment these values:

cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}

I uncommented the casTicketUserInfoService bean inside portletContainerContext.xml.

I modified securityContext.xml replacing the ticketValidationFilter with:

    <!-- Validates service tickets against the CAS server and, in proxy mode, receives the PGT via the callback URL -->
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" id="ticketValidator">
        <constructor-arg index="0" value="${cas.ticketValidationFilter.ticketValidator.server}" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="proxyCallbackUrl" value="${cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl:}" />
    </bean>

    <!-- Shared in-memory storage for proxy-granting tickets; the same instance must be used by the validator and the filter -->
    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

    <!-- Proxy-receiving filter: handles the proxy receptor URL that the CAS server calls back with the PGT -->
    <bean id="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
        <property name="serverName" value="${portal.allServerNames}" />
        <property name="exceptionOnValidationFailure" value="true" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="redirectAfterValidation" value="true" />
        <property name="ticketValidator" ref="ticketValidator" />
        <property name="proxyReceptorUrl" value="${cas.ticketValidationFilter.proxyReceptorUrl:}" />
    </bean>

The changes to the ticketValidationFilter were inspired by Spring Security Integration; Changes to applicationContext-security.xml

After all that it worked. ;)

jgribonvald commented 3 years ago

Hi @markmclaren

You don't need to copy original files into the overlay context; you only need to add a new XML bean file into overlays/uPortal/src/main/resources/properties/contextOverrides/ and add the bean ids that you want to override.

Likewise, the security.properties file shouldn't be overridden; you only need to override properties from a $uPortal.home/uPortal.properties file with this:

cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}
cas.ticketValidationFilter.encodeServiceUrl=false
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.credentialToken=ticket

org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes=true

Also, which version of uPortal did you test with?

Maybe the CAS lib was updated and permits it now; I haven't checked in a long time.
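Putting the two comments above together, as an added example that is not from the issue or the uPortal project: a contextOverrides file that overrides the ticketValidationFilter and ticketValidator beans by id and adds the shared proxyGrantingTicketStorage bean, instead of copying securityContext.xml. The file name is an assumption; the property keys are the ones from uPortal.properties shown above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- overlays/uPortal/src/main/resources/properties/contextOverrides/casProxyOverridesContext.xml
     (file name is an assumption; any file in contextOverrides/ is picked up by the overlay) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Single PGT store shared by the validator and the filter. The CAS server posts
         pgtIou/pgtId to the proxy receptor URL; the filter stores them here and the
         validator looks the PGT up by its IOU when the service ticket is validated. -->
    <bean id="proxyGrantingTicketStorage"
          class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

    <!-- Same bean id as in securityContext.xml, so this definition replaces it -->
    <bean id="ticketValidator"
          class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0"
                         value="${cas.ticketValidationFilter.ticketValidator.server}" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <!-- Must be the HTTPS URL of this portal that the CAS server can reach -->
        <property name="proxyCallbackUrl"
                  value="${cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl:}" />
    </bean>

    <!-- Same bean id as in securityContext.xml, so this definition replaces it -->
    <bean id="ticketValidationFilter"
          class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
        <property name="serverName" value="${portal.allServerNames}" />
        <property name="ticketValidator" ref="ticketValidator" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <!-- Path (relative to the portal context) that receives the PGT callback -->
        <property name="proxyReceptorUrl"
                  value="${cas.ticketValidationFilter.proxyReceptorUrl:}" />
    </bean>

</beans>
```

The CAS server side still needs allowedToProxy set to true on the registered service, as shown in the earlier comment, or the callback is never made.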

jgribonvald commented 3 years ago

So it seems to be working, and this should be due to proxyGrantingTicketStorage: we need to make a bean of it and use it as a property in the ticketValidator and the TicketValidator filter! Thanks @markmclaren

Also, the two other properties aren't needed (exceptionOnValidationFailure, redirectAfterValidation), as they seem to already be the default values.

I can quickly make the pull request for that.

jgribonvald commented 3 years ago

@markmclaren here is the PR #2317