I'm trying to implement Google authentication (OAuth) in CAS 4.1.9.
First of all I have created a new project on console.developers.google.com in which I have generated a new client id for my application.
Then, I have installed CAS using Maven overlays. In my pom.xml I included the pac4j dependency as it follows:
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-oauth</artifactId>
<version>3.4.0</version>
<scope>runtime</scope>
</dependency>
Moreover,this is what I have added in my applicationContext.xml file:
<bean id="GoogleAuthenticationHandler"
class="org.pac4j.oauth.client.Google2Client"
p:key="<MYKEY>"
p:secret="<MYSECRET>"
p:scope="EMAIL_AND_PROFILE" />
<bean id="clients"
class="org.pac4j.core.client.Clients">
<property name="callbackUrl" value="https://myapplication.com/cas" />
<property name="clients">
<list>
<ref bean="GoogleAuthenticationHandler" />
</list>
</property>
</bean>
And finally I have added the following line in casLoginView.jsp
Authenticate with Google <br />
The maven compilation worked fine and the war file deployed successfully on my tomcat server.
The problem is that the href to Google in my CAS login web page does not contain the correct OAuth url but the same redirect url I have defined for my client under console.developers.google.com.
As second attempt I tried to substitute ${Google2ClientUrl} with the OAuth url:
<a href="https://accounts.google.com/o/oauth2/auth?redirect_uri=https://myapplication.com/cas&response_type=code&client_i
d=<MY CLIENT ID>&scope=https://www.googleapis.com/auth/analytics.re
adonly+https://www.googleapis.com/auth/userinfo.email&approval_prompt=force&access_type=offline">Authenticate with Google</a> <br />
In this case the Google login page shows up and it accepts user authentication, but it seems that CAS does not recognize a successfully user authentication by Google (i.e. it does not show the normal page containing the authentication success message).
Did I miss something?
Thanks a lot for your help!
I managed to solve the problem by installing a newer version of CAS (5.3.6). Here the Google authenticator configuration is much easier. Actually only two steps are needed :
1) add pac4j dependency in the pom.xml file
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-pac4j-webflow</artifactId>
<version>${cas.version}</version>
</dependency>
2) add the Google authenticator parameter in the cas.properties file:
cas.authn.pac4j.google.id=<MY_CLIENT_ID>
cas.authn.pac4j.google.secret=<MY_SECRET>
cas.authn.pac4j.google.clientName=<MY_CLIENT_NAME>
cas.authn.pac4j.google.autoRedirect=false
cas.authn.pac4j.google.principalAttributeId=
cas.authn.pac4j.google.scope=EMAIL_AND_PROFILE
Once this is done a link to Google authentication shows up in the CAS login page automatically.
Related
I am attempting to have seamless movement between locally testing and cloud testing of my Azure Web App. The following is a snippet from my Web.Config file.
<appSettings>
<add key="ida:ClientId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
... more items ...
</appSettings>
The value of ClientId corresponds to the value of an "App Registrations" object within my Azure Active Directory instance. When I click on that object and navigate to Settings --> Reply URLs, the entry is https://localhost:xxxxx/.
My problem is: When I publish the Azure Web App to the cloud, I am redirected to the above localhost URL. However, if I add another Reply URL entry of https://mywebappname.mydomain.com, then when I attempt to test locally, I am redirected to the web URL instead of the localhost URL.
I would like a method of seamless local and cloud testing: When testing locally and on the cloud, I would like to be redirected to the correct URL. What configurations am I missing in order to accomplish this?
---- UPDATE ----
Also when I right click on the Web Application project in Visual Studio 2017 and then click Properties, I am taken to this screen. Here are some additional properties I have set, which redirect to https://localhost:xxxxx/. Do I need to change this? And if so, how can I have both redirect URLs within the project's properties?
I ended up solving this problem by using the Web.config Transformation Syntax (see Stephen Muecke's link in the comments on the original post).
In the same directory as the Web.config, I added a Web.Release.config. Now, if in Visual Studio I select "Release" build, then the Web.Release.config transform config file will be used to replace the Web.config file's "ida:RedirectUri" key with the value in the transform config file.
Here is the Web.Release.config
<?xml version="1.0"?>
<!-- For more information on using Web.config transformation visit https://go.microsoft.com/fwlink/?LinkId=301874 -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<appSettings>
<add key="ida:RedirectUri" value="https://<mywebappname>.<mywebappdomain>.com/" xdt:Transform="Replace" />
</appSettings>
</configuration>
And here a snippet from the very large Web.config
<?xml version="1.0"?>
<!-- For more information on using Web.config transformation visit https://go.microsoft.com/fwlink/?LinkId=301874 -->
...
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
...
<appSettings>
<add key="ida:RedirectUri" value="https://localhost:xxxxx/" xdt:Transform="Replace" />
...
</appSettings>
...
</configuration>
That way, redirecting to localhost is the default.
We have struts MVC in our app and want to now integrate spring security.
I am able to integrate it successfully and able to deploy application.
In order to get custom login page we must add form-login to spring security xml file. I am having difficulty in integrating custom login pages.
Struts global forward
<global-forwards>
<forward name="login" path="/" redirect="true"/>
</global-forwards>
When not logged in it will take us to login page
Web xml login config
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.vm</form-login-page>
<form-error-page>/loginError.vm</form-error-page>
</form-login-config>
</login-config>
Above section in web.xml is removed as part of integrating with spring security. Rather I have following section in spring security
<intercept-url pattern="/**" access="hasRole('ROLE')" />
<form-login login-page="/login.vm"
authentication-failure-url="/loginError.vm" />
But when I try to login I won't get custom login page rather it just points url to IP:PORT/APP/login.vm and page is not present.
Login form has j_spring_security
action="j_spring_security_check"
What changes are required in order to get custom login?
Should strut config be changed?
I'm guessing here, but I suspect that you are getting this as Spring Security does not understand/know about Velocity. I had a similair problem when I intergrated Spring Security into my Struts app using .jsp pages. In the end, I pointed login-page and authentication-failure-url to point to actions and loaded the jsp pages from there. I suggest that you try the same.
I'm trying to integrate Orbeon with a backend REST API (web application I just developed for testing purposes as we are evaluating Orbeon for a new project). I have followed the scenario mentioned on this tutorial http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/persistence-api#TOC-A-scenario
and I have set my local properties (properties-local.xml) as following:
<properties xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:oxf="http://www.orbeon.com/oxf/processors">
<property
as="xs:string"
name="oxf.fr.persistence.provider.TestApp.WelcomeForm.data"
value="coffee"/>
<property as="xs:anyURI" name="oxf.fr.persistence.coffee.uri" value="http://localhost:8080/SpringMVC/coffee"/>
<property as="xs:boolean" name="oxf.fr.persistence.coffee.active" value="true"/>
<property as="xs:boolean" name="oxf.fr.persistence.coffee.autosave" value="false"/>
<property as="xs:boolean" name="oxf.fr.persistence.coffee.permissions" value="false"/>
</properties>
however, when I open my form in the form runner, I got Error message "Error performing search", and If I try to save a new form, I get the following message "There was an error communicating with the database. Please contact the application administrator."
Is there any tutorial shows how to integrate external REST backend service with Orbeon instead of a database (We want to use our backend REST services as persistence layer).
Has anyone had an issue with doing file uploads using Spring Webflow 2.3 and Spring Security? Anytime I have a JSP page with the enctype="multipart/form-data" it all goes up in flames. I have added this:
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<!-- one of the properties available; the maximum file size in bytes -->
<property name="maxUploadSize" value="100000"/>
</bean>
into the Spring config as well as having the commons-fileupload JAR available to the application
Increase the maxUploadSize as value="1048576", strangely it doesn't throw any exception.
My group builds internally hosted ASP.NET MVC websites with forms-authentication.
I'd like to host a WCF service in the same virtual directory as an ASP.NET MVC website.
My Question:
How do I make the WCF service freely
accessible, that is without
forms-authentication.
My current predicament is this:
I can access the .svc and see the wsdl information if I first authenticate through forms-authentication with a web browser.
But when I try to access the WCF service with wcfTestClient.exe, I get the following error:
Error: Cannot obtain Metadata from
http://localhost/Services/MyService.svc
If this is a Windows (R) Communication
Foundation service to which you have
access, please check that you have
enabled metadata publishing at the
specified address. For help enabling
metadata publishing, please refer to
the MSDN documentation at
http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata
Exchange Error
Do you have a mex endpoint defined in your web.config for the service? The testclient is likely looking for this.
IF you do, one other possibility is to disable authorization on the services folder. I've never tested this, but in theory it may work...
So if website is localhost, put WCF service in localhost/services/myservice.svc or the like. Then add a web.config to the /services folder, which overrides the authorization and allows all:
<configuration>
<authorization>
<allow users="*" />
</authorization>
</configuration>
If you can put your .svc file into a subfolder of the virtual directory, you can leverage the path attribute in Forms Authentication to enable access to it with a different level of authorization. Here is a tutorial.
Many thanks to all who tried to answer this question.
After hours of troubleshooting this problem, I discovered that a custom authentication module was rejecting my client attempts to get the metadata. Suffice it to say, I needed to route around this logic.
Oh - And stepping through the code is very underrated. ;)
I assume since you are using forms authentication that the virtual directory is configured for anonymous access in IIS. With that said, If you place your WCF service e.g. *.svc file in its own directory, you can update the main web.config file and add a location tag to disable forms authentication for the directory containing the service. Also be sure to disbale security via the WCF configuration binding settings in the web.config's <system.servicemodel> section which needs to be added if not already present:
<bindings>
<wsHttpBinding> <!-- one of many possible bindings -->
<binding name="...">
<security mode="None"> <-- allows anonymous access -->
<message clientCredentialType="None"/> <-- allows anonymous access -->
</security>
</binding>
</wsHttpBinding>
</bindings>