how to get current user in spring security integrated with cas? - spring-security

I have integrated CAS to Spring Security using Spring security tutorial on cas wiki. Now I want to get the current user and don't know how!
Should I get it from Spring security or CAS?
SecurityContextHolder.getContext().getAuthentication() returns null :|

If SecurityContextHolder.getContext().getAuthentication() is null means that the user is not authenticated yet.
Some pointers on CAS
Make sure that you use SSL for the communication to CAS thus CAS
must be hosted on SSL ports (443 or 8443)
Make sure that you Spring
Apps is hosted on SSL ports so that CAS can call to your Spring via
SSL server.
Common error is that both CAS and Spring Apps are not on SSL ports.
If this is the case, get a free SSL cert from www.startssl.com

Found the problem! I was going to use my own Access Control system, so I commented filters who where responsible for checking user's roles to access URLs. Apparently if I don't intercept URLs, spring security's context won't be accessible through that request (or at least it seems like that! I am not a big fan of Documents, so I try out codes and when I get an exception, I try to guess the reason! I really should stop doing that :| but anyway now that I intercept URLs, SecurityContextHolder.getContext().getAuthentication() doesn't return null anymore :) )

Related

Spring Cloud Gateway x Spring Security 5 x OAuth2 Client: How can I got the authenticated user?

I have a Spring Boot Cloud Gateway application running on a k8s POD. That application have no page, no endpoint at all, just receive the traffic from Ingress and redirect for a Vue Web Application with just static pages on another POD.
That Gateway is also a OAuth2 Client, authentication on GitHub, over a authentication code mode. Everything works fine, except I can't access the authenticated user. I'd like to apply my own validations, besides the GitHub IDP itself.
I tried used the Spring Security 5 Custom Configuration, but it just doesn't works. Maybe because I have no Controller, no endpoint aside the Gateway redirects. I haven't tried everything: with WebSecurityConfigurerAdapter, without it... All I got it just dependencies error and even I overcame them, it just doesn' run...
So, I quit Spring Security 5 Custom and tried use the Gateway Filters (AbstractGatewayFilterFactory) that I knew already that works, in order to read SecurityContextHolder.getContext().getAuthentication(), waiting to read the GitHub OAuth2 authenticated user over it. However, I just got null reference...
All my logs are turned on and I know the Spring is reading user-info endpoint from GitHub. I just want to get access to that information and negate access on Gateway Filters, based on my own rules.
Anyone have an idea about how can I read the Oauth2 authenticated principal in Gateway Filters?
Thanks at advance.

Make existing form-login application also serve as an oauth2 authorization server?

We had an web application that already using form-login provided by spring-security, say, ERP. Now we are considering make ERP as an oauth2 authorization server to authorize other internal services.
The ERP still serving its business and all access are required to be authorized, but doesn't based on access token so I think it is not an oauth2 client. It does NOT serve as an Resource Server, neither.
I have read many article about how to setup oauth2 authorization server and develop an application using it. According to this comment I feel it is possible to make ERP authorizing other services without explicit setup a standalone authorization server (it's our final goal but not now):
Within the context of OAuth2, we can break things up according to the component you're implementing:
Client app: it's likely that server based OAuth2 Client app already uses HttpSession and therefore it makes sense to use Spring Session and benefit from all the goodies it brings
Resource Server app: since this component provides a stateless API that's authenticated against using an Access Token as a bearer, the HttpSession is not used and therefore Spring Session isn't suitable as well
Authorization Server app: it's highly likely that this already uses HttpSession so similarly like with OAuth2 Client app, it makes sense to use Spring Session and benefit from all the goodies it brings
What I'm going to do is add the #EnableAuthorizationServer into config, but I have no idea what's the next step.
My question is can I convert an existing application into an authorization server while keeping its original service unchanged? Where and How should I start?
I just found it's not that hard to integrate OAuth2 into existing system, below is what I did to make it work.
In short: EnableAuthorizationServer won't break anything exists, but they don't coming from nothing, either.
When I put on the EnableAuthorizationServer, spring-security-oauth2 gives me following endpoing:
/oauth/authorize
/oauth/check_token
/oauth/token
/oauth/confirm_access
/oauth/error
Those endpoints provide necessary functions to make OAuth2 works, and I just need to apply access control onto those endpoints with existing form login mechanism (probable not the check_token one).
Since this system didn't act as resource-server role, the authorization part is done.

Is it possible in Spring Security to use form login if CAS is not available?

everybody!
In my project I use SSO with CAS. But what if the CAS-server is down?
I want a user to be able to login with a simple login/password form when CAS is not available.
Is it possible to configure Spring Security that way?
What should I do to achieve this?
Having said that you use SSO and wanting to use Spring Security as a backup when CAS is down, I am trying to understand how the SSO part will work with spring security. You can certainly implement your own version of single sign on with spring security using oauth2 services or your own implementation. If you did implement something like that, it brings up a question of redundant SSO services, managing them and maintaining them.
CAS, to my understanding, is primarily used for SSO purpose and has its own set of configuration. I am sure, you would have cassified your application for this purpose as well.
Is CAS server being down is an issue, I would suggest setting up a backup or standby for CAS server or building your own single sign on solution. I am trying to say that it is "either or" is more recommended than "having both"

CAS & spring-security-cas with stateless session

I'm currently working through a spring application which is using stateless session and JWT based mechanism for authentication & authorizations.
A new requirement arrived: using CAS v4.0 SSO solution to replace the authentication system. I went through the CAS documentation and the spring security documentation and saw no sign of "stateless mode". Trying to set the spring security session policy to stateless is breaking my CAS integration.
My intuition would tell me to totally drop the JWT mechanism and switch on classic statefull based sessionid mode to avoid issues. Is there some resource trying to adress a CAS + stateless client? Has someone had experience with it?

Problems while implementing SSO with Spring Security CAS extension

I'm trying to use Spring Security CAS extension to authenticate users on my applications. Earlier there was only one application, so SSO was not needed. Now there is one more application and I want the user to log in once and use all the applications without having to go through authentication again (SSO, basically). I've a bunch of questions like these -
All the applications I have are part of a single tomcat container and will be served via same domain. I checked Tomcat SSO Valve, but it seems to need container based authentication, I'm not really sure if I would want to use that for authentication / authorization. I'm using spring security form-based login. Do I really need something like Jasig CAS or will it be an overkill?
Spring Security and CAS deployerContext Configuration - http://pastie.org/8408976 and http://pastie.org/8408967
I set up Spring Security CAS with Jasig server and SSO seems to work as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I always see the below line in my logs. Though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
2013-10-17 16:41:18,882 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
When I try to access URL https://localhost/cas/services, it returns an error "This website has a redirect loop". and I see the below piece repeating n number of times in the logs (with different ticket numbers)-
http://pastie.org/8408940
I don't have any REST or stateless services accessing authenticated resources, do I need proxy tickets at all?
Note: I'm using Spring Security 3.1.4.RELEASE and CAS server 3.5.2 version.
Any pointers will be helpful.
I set up Spring Security CAS with Jasig server and SSO seems to work
as logging in to any of the applications suffices to access the other
application. I've modified the deployerConfigContext.xml to replace
the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I
always see the below line in my logs. Though the tables have been
created (SERVICETICKET and so on) in my db. These tables are always
empty when I try logging in and out.
When I try to access URL `https://localhost/cas/services`, it returns an error "This website has a redirect loop". and I see the
below piece repeating n number of times in the logs (with different
ticket numbers)
I figured out the solution to this. This was happening as filterProcessesUrl in CAS server configuration had the string "acegi" (old name for Spring Security), which didn't match to "spring", hence the problem. Modifying that helped. Not sure why old name was hardcoded there. Also, it didn't pick up this string from cas.properties, so figuring it out was a little more difficult.
I hope to get answers for other questions.

Resources