spring - Grails y CAS Basic Setup
grails spring security core (1)
Debe permitir el acceso no autenticado a su receptor. Prueba esto:
grails.plugins.springsecurity.interceptUrlMap = [
''/js/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/css/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/images/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/login/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/logout/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/secure/receptor'': [''IS_AUTHENTICATED_ANONYMOUSLY''], // <- allows CAS to contact the receptor
''/**'': [''IS_AUTHENTICATED_FULLY'']
]
Intentando configurar una aplicación Grails sencilla con protección CAS básica.
Primero, tengo problemas para decir cuáles son las diferencias entre cas-plugin versus spring-security-core y spring-security-cas ... ¿cuándo usaría uno frente al otro?
En mi prueba, tengo los siguientes configurados:
En BuildConfig.groovy:
plugins {
...
...
compile ":spring-security-core:1.2.7.3"
compile ":spring-security-cas:1.0.5"
}
En Config.groovy ... no sé lo que necesito. Diferentes documentos se refieren a diferentes valores, pero esto es lo que tengo hasta ahora:
grails.plugins.springsecurity.providerNames = [''casAuthenticationProvider'']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
''/js/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/css/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/images/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/login/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/logout/**'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
''/**'': [''IS_AUTHENTICATED_FULLY'']
]
grails.plugins.springsecurity.cas.loginUri = ''/login''
grails.plugins.springsecurity.cas.serviceUrl = ''http://cas2.mydomain.com:8085/'' + appName + ''/j_spring_cas_security_check''
grails.plugins.springsecurity.cas.serverUrlPrefix = ''https://cas2.mydomain.com:8443/cas''
grails.plugins.springsecurity.cas.proxyCallbackUrl = ''http://cas2.mydomain.com:8085/'' + appName + ''/secure/receptor''
grails.plugins.springsecurity.cas.proxyReceptorUrl = ''/secure/receptor''
grails.plugins.springsecurity.logout.afterLogoutUrl = ''https://cas2.mydomain.com:8443/cas/logout?url=http://cas2.mydomain.com:8085/'' + appName + ''/''
Ahora, cuando navego a mi aplicación, me reenvían a la página de inicio de sesión de CAS ... luego de ingresar credenciales, aparece una página de error del navegador:
The page isn''t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
y el cas.log dice:
INFO: Server startup in 21570 ms
2013-10-31 11:28:05,178 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
2013-10-31 11:28:10,088 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
2013-10-31 11:28:16,498 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: myusername]>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal myusername>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@4e1e6e1f authenticated myusername with credential [username: myusername].>
2013-10-31 11:28:16,523 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: supplied credentials: [username: myusername]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: TGT-1-76m7jUyKI7pguovcGWmJqKOsbpqp6wW2yj3dTCNOCtb65MKpTH-cas2
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,533 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-rvDgqEvGQDeljEeVf5rM-cas2] for service [http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check] for user [myusername]>
2013-10-31 11:28:16,533 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: ST-1-rvDgqEvGQDeljEeVf5rM-cas2 for http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
2013-10-31 11:28:16,704 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
WHAT: supplied credentials: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,705 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: error.authentication.credentials.bad
ACTION: PROXY_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,706 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:325)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody7$advice(CentralAuthenticationServiceImpl.java:57)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy49.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:138)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
Este bit:
2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
parece ser el problema ... mis credenciales son buenas, así que parece que todavía falta algo en la configuración ... ¿alguna idea ...?
ACTUALIZAR:
Ponga la aplicación bajo SSL y Config.groovy, en InterceptUrlMap Agregado:
''/secure/receptor'': [''IS_AUTHENTICATED_ANONYMOUSLY''],
Ahora el cas.log muestra lo que parece ser un bucle similar (ida y vuelta entre cas y la aplicación) a lo que estaba obteniendo antes, excepto que no hay errores ... con el tiempo se detiene y el navegador muestra de nuevo:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.