CAS Spring Security Java - Not Authorizing with User Details Service Not Loading Roles

Question

I am using latest version of spring 3.2.5 and spring security 3.1.4 with java 6. I have setup CAS server using the instructions from this page https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method

The CAS server part is working fine and authenticating. I have setup client side using the instructions from this page and various other pages https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring

When tried to enter secure page in the application, CAS is redirecting to the correct login page and then correctly authenticating and then correctly redirecting to the calling application page, but not invoking the user details service supplied and not authorizing the user and not loading roles using the user details service.

After authentication user lands on this page. The page was correct but I don't want to see the ticket parameter in the URL and also load the user and roles using user details service bean supplied.

http://localhost:8080/my/sports-life/schedule?ticket=ST-3-xklhdGJW6gZxieELGxo5-cas01.example.org

Any pointers to get my authorization going is highly appreciated. Thanks in advance.

Here are the relevant beans from application context

<!--  Single sign on with CAS   -->


    <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://localhost:8443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="http://localhost:8080/my/sports-life/schedule/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="preAuthenticationManager"/>

        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/my"/>
                <property name="targetUrlParameter" value="spring-security-redirect" />
            </bean>
        </property>
    </bean>

    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">

        <property name="userDetailsService" ref="myAccountDetailsService" />
        <property name="serviceProperties" ref="serviceProperties" /> 
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://localhost:8443/cas" />
            </bean>
        </property>
        <property name="key" value="Vi9Pra88Si777"/> 
        <property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
     </bean> 

    <bean id="authenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">    
        <property name="userDetailsService" ref="myAccountDetailsService"/>      
    </bean> 



    <bean name="authenticationFilter" class="org.jasig.cas.client.authentication.AuthenticationFilter">
        <property name="casServerLoginUrl" value="https://localhost:8443/cas/login" /> 
        <property name="renew" value="false" />
        <property name="gateway" value="false" />
        <property name="service" value="http://localhost:8080/my/sports-life/schedule" />
     </bean>

<!--  
<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas10TicketValidationFilter">

    <property name="service" value="http://localhost:8080/my/sports-life/schedule" />
    <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://localhost:8443/cas" />
            </bean>
    </property>
</bean>
-->

  <bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
      <bean id="userDetailsServiceWrapper"
          class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="myAccountDetailsService"/>
      </bean>
    </property>
    </bean>

    <!--  
 <bean id="preAuthEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="preAuthenticationManager"/>
        <property name="authenticationDetailsSource">
            <bean class="org.springframework.security.web.authentication.WebAuthenticationDetailsSource" />
        </property>
 </bean>
  -->

      <bean id="myAccountDetailsService" class="com.viprasi.security.AccountDetailsServiceImpl">        
     </bean> 

Then here are relevant config from my spring security configuration file.

<http use-expressions="true" entry-point-ref="casEntryPoint">

        <intercept-url pattern="/app/j_spring_cas*" access="permitAll"
            requires-channel="https" />


        <!-- Member -->
        <intercept-url pattern="/app/**" access="isAuthenticated()" />


        <access-denied-handler error-page="/app/login/accessdenied" />

        <anonymous />

        <http-basic />

        <custom-filter position="CAS_FILTER" ref="casFilter" />

    </http>

     <authentication-manager alias="preAuthenticationManager">

      <authentication-provider ref="casAuthenticationProvider" />
      <!-- 
      <authentication-provider user-service-ref='accountDetailsService' />
      -->
    </authentication-manager>

Answer 1

We ran into lot of issues and at the end the main culprit was url rewriting filter. This filter was changing url and then spring security and cas failed to handled the changed URL. After moving the url rewrite filter below the security filters, it's all started working.

Answer 2

i think the anonymous tag applies the role *IS_AUTHENTICATED_ANONYMOUSLY* to a user. the result of this is that the user isAuthenticated() and no further filter is invoked (e.g. the one who calls the UserDetailsServive) change isAuthenticated() to hasRole('ROLE')

Answer 3

I have an example cas client You can check in cas-web-client how provide your own authorization