spring grails cas

spring - Grails and CAS Basic Setup



grails spring security core (1)

You need to allow unauthenticated access to your receptor. Try this:

grails.plugins.springsecurity.interceptUrlMap = [
    '/js/**':           ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':          ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**':       ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':        ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**':       ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/secure/receptor': ['IS_AUTHENTICATED_ANONYMOUSLY'], // <- allows CAS to contact the receptor
    '/**':              ['IS_AUTHENTICATED_FULLY']
]

Trying to set up a simple Grails application with basic CAS protection.

First, I'm having trouble telling what the differences are between cas-plugin versus spring-security-core and spring-security-cas ... when would I use one over the other?

In my test, I have the following configured:

In BuildConfig.groovy:

plugins {
    ...
    ...
    compile ":spring-security-core:1.2.7.3"
    compile ":spring-security-cas:1.0.5"
}

In Config.groovy ... I don't know what I need. Different docs refer to different values, but this is what I have so far:

grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
    '/js/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':    ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':  ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/**':        ['IS_AUTHENTICATED_FULLY']
]
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serviceUrl = 'http://cas2.mydomain.com:8085/' + appName + '/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://cas2.mydomain.com:8443/cas'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://cas2.mydomain.com:8085/' + appName + '/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://cas2.mydomain.com:8443/cas/logout?url=http://cas2.mydomain.com:8085/' + appName + '/'

Now, when I browse to my app, I get redirected to the CAS login page ... after entering credentials, I get a browser error page:

The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

and cas.log says:

INFO: Server startup in 21570 ms
2013-10-31 11:28:05,178 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
2013-10-31 11:28:10,088 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
2013-10-31 11:28:16,498 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: myusername]>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal myusername>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@4e1e6e1f authenticated myusername with credential [username: myusername].>
2013-10-31 11:28:16,523 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: supplied credentials: [username: myusername]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: TGT-1-76m7jUyKI7pguovcGWmJqKOsbpqp6wW2yj3dTCNOCtb65MKpTH-cas2
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,533 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-rvDgqEvGQDeljEeVf5rM-cas2] for service [http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check] for user [myusername]>
2013-10-31 11:28:16,533 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: ST-1-rvDgqEvGQDeljEeVf5rM-cas2 for http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
2013-10-31 11:28:16,704 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
WHAT: supplied credentials: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,705 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: error.authentication.credentials.bad
ACTION: PROXY_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,706 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:325)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody7$advice(CentralAuthenticationServiceImpl.java:57)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
    at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
    at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
    at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
    at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at com.sun.proxy.$Proxy49.delegateTicketGrantingTicket(Unknown Source)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:138)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)

This bit:

2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>

seems to be the problem ... my credentials are good, so it seems something is still missing from the configuration ... any ideas ...?

UPDATE:

Put the app under SSL and, in Config.groovy, added this to the InterceptUrlMap:

'/secure/receptor': ['IS_AUTHENTICATED_ANONYMOUSLY'],

Now cas.log shows what looks like a similar loop (back and forth between cas and the app) to what I was getting before, except there are no errors ... eventually it stops and the browser again shows:

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
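Added example, not code from the original question or answer: the Python script below is an offline model of the proxy-callback step that the first cas.log shows failing. After CAS grants the service ticket, it makes a GET request to the client's proxyCallbackUrl with pgtIou and pgtId query parameters and only issues a proxy-granting ticket if that request succeeds, so the receptor has to answer 200 without a session, which is what the answer's interceptUrlMap rule provides. The script also models the requireSecure check that CAS 3.x's HttpBasedServiceCredentialsAuthenticationHandler applies by default, rejecting a non-https callback before contacting it, which fits the move to SSL in the update. The receptor is a local stand-in on 127.0.0.1; the /secure/receptor path, the ticket names and the CAS login URL in the redirect are taken from the post or are illustrative, and the third scenario stands in for an https callback by disabling the secure check, since the local server has no TLS.

```python
"""Offline model of the CAS proxy-granting-ticket (PGT) callback.

Added example, not code from the original post. It simulates the Grails app's
receptor endpoint locally and the CAS-side callback that must succeed before
PROXY_GRANTING_TICKET_CREATED can appear in cas.log. Assumptions: the
requireSecure behaviour of CAS 3.x's HttpBasedServiceCredentialsAuthenticationHandler
(non-https callbacks are rejected) and the illustrative path /secure/receptor.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# What the real receptor (ProxyGrantingTicketStorage) keeps: pgtIou -> pgtId
PGT_STORE = {}

# Paths the simulated app serves without a session (the interceptUrlMap rule)
ANONYMOUS_PATHS = set()


class ReceptorHandler(BaseHTTPRequestHandler):
    """Stand-in for the Grails app with /secure/receptor behind Spring Security."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path not in ANONYMOUS_PATHS:
            # A protected receptor answers CAS with a redirect to the login
            # page instead of 200; CAS counts that as a failed callback.
            self.send_response(302)
            self.send_header("Location", "https://cas2.mydomain.com:8443/cas/login")
            self.end_headers()
            return
        params = parse_qs(url.query)
        if "pgtIou" in params and "pgtId" in params:
            PGT_STORE[params["pgtIou"][0]] = params["pgtId"][0]
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the simulation quiet


def cas_proxy_callback(callback_url, pgt_iou, pgt_id, require_secure=True):
    """CAS side: True if the callback succeeded and a PGT may be issued."""
    url = urlparse(callback_url)
    if require_secure and url.scheme != "https":
        # Mirrors the log line 'failed to authenticate [callbackUrl: http://...]'
        return False
    conn_cls = http.client.HTTPSConnection if url.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(url.hostname, url.port, timeout=5)
    query = urlencode({"pgtIou": pgt_iou, "pgtId": pgt_id})
    try:
        conn.request("GET", f"{url.path}?{query}")
        status = conn.getresponse().status  # redirects are not followed
    except OSError:
        return False
    finally:
        conn.close()
    return 200 <= status < 300


def start_receptor():
    """Start the simulated app on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), ReceptorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_scenarios():
    """Replay the three configurations discussed on the page; return outcomes."""
    server = start_receptor()
    callback = f"http://127.0.0.1:{server.server_address[1]}/secure/receptor"
    PGT_STORE.clear()
    ANONYMOUS_PATHS.clear()
    results = {}
    # 1. Plain-http callback: rejected by requireSecure before any request is made
    results["http_callback"] = cas_proxy_callback(callback, "PGTIOU-1", "PGT-1")
    # 2. Secure check satisfied (simulated) but receptor still behind the login:
    #    the app redirects instead of answering 200
    results["protected_receptor"] = cas_proxy_callback(
        callback, "PGTIOU-2", "PGT-2", require_secure=False)
    # 3. Receptor allowed anonymously, as in the answer's interceptUrlMap
    ANONYMOUS_PATHS.add("/secure/receptor")
    results["anonymous_receptor"] = cas_proxy_callback(
        callback, "PGTIOU-3", "PGT-3", require_secure=False)
    server.shutdown()
    server.server_close()
    return results, dict(PGT_STORE)


if __name__ == "__main__":
    print(run_scenarios())
```

Running it replays the failure from the log (plain-http callback refused outright), the failure the answer fixes (receptor behind the login, so CAS gets a 302 instead of a 200), and the working case, where the receptor records the pgtIou/pgtId pair. The script says nothing about the redirect loop that remains after the update; it only covers the proxy callback.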