grails - Q: Grails2.4, CAS and the infamous redirect loop -


I have several Grails applications running in production, interfacing with a CAS server (CAS 3.3.5) via Spring Security and the "Grails CAS plugin". These applications have supported various versions of Grails, from version 1.3.7 to 2.2.4.

I am moving one of them to 2.4.4 and have never-ending problems with authentication. At the end of the exercise I have the notorious "This webpage has a redirect loop" (in Chrome). On the server side I have the usual (!) error:

    ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)

Here are the steps I made to reproduce the problem:

  1. grails create-app testcas
  2. grails create-controller showsecure, and add the action showsecurepage in the controller
  3. grails generate-views
  4. Create the page showsecurepage under view/showsecure
  5. Add the UrlMappings

    class UrlMappings {
        static mappings = {
            "/showsecure" {
                controller = "showsecure"
                action = [ GET: "showsecurepage" ]
            }
            "/"(view:"/index")
            "500"(view:'/error')
        }
    }

At this point, if I start the application I can access the page "showsecurepage" without problems. Let's move on and install the "CAS plugin".

  1. Add in the "plugins" snippet of BuildConfig.groovy the strings:

    compile ":spring-security-core:2.0-RC4"
    compile ":spring-security-cas:2.0-RC1"

And in the "dependencies" snippet:

    mavenRepo 'http://repo.spring.io/milestone'

  1. Execute grails clean and grails compile.

  2. Run: grails s2-quickstart testcas user role

Config.groovy is modified and has to be "tuned".

  1. Since I don't use annotations, I replace the entries added by s2-quickstart (the staticRules) with:

    grails.plugin.springsecurity.rejectIfNoRule = true
    grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
    grails.plugin.springsecurity.interceptUrlMap = [
        '/':                  ['permitAll'],
        '/index':             ['permitAll'],
        '/index.gsp':         ['permitAll'],
        '/**/js/**':          ['permitAll'],
        '/**/css/**':         ['permitAll'],
        '/**/images/**':      ['permitAll'],
        '/**/favicon.ico':    ['permitAll'],
        '/login/**':          ['permitAll'],
        '/logout/**':         ['permitAll'],
        '/secure/receptor':   ['permitAll'],
        '/showsecure/**':     ['isFullyAuthenticated()'],
        '/finance/**':        ['ROLE_FINANCE', 'isFullyAuthenticated()']
    ]

Note: I added "permitAll" for "/secure/receptor" as described in 19710841.

  1. Finally, add the CAS configuration. As described in the documentation, the listed parameters have to be defined:

    grails.serverURL = "http://casclient.mydomain.com:9080/testcas"
    grails.serversecureurl = "https://casclient.mydomain.com:9043/testcas"
    grails.plugin.springsecurity.usecas = true
    grails.plugin.springsecurity.cas.active = true
    grails.plugin.springsecurity.cas.serverUrlPrefix = 'https://casserver.mydomain.com:10443/sso'
    grails.plugin.springsecurity.cas.serverUrlEncoding = 'utf-8'
    grails.plugin.springsecurity.cas.loginUri = '/login'
    grails.plugin.springsecurity.cas.sendRenew = false
    grails.plugin.springsecurity.cas.serviceUrl = "${grails.serverURL}/secure/security_check"
    grails.plugin.springsecurity.cas.key = 'authentication_provider'
    grails.plugin.springsecurity.cas.artifactParameter = 'ticket'
    grails.plugin.springsecurity.cas.serviceParameter = 'service'
    grails.plugin.springsecurity.cas.filterProcessesUrl = '/secure/security_check'
    grails.plugin.springsecurity.cas.proxyCallbackUrl = "${grails.serversecureurl}/secure/receptor"
    grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
    grails.plugin.springsecurity.cas.useSingleSignout = true

    grails.plugin.springsecurity.logouturl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout"
    grails.plugin.springsecurity.logout.afterLogoutUrl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout?url=${grails.serverURL}"

Note: if in grails.plugin.springsecurity.cas.proxyCallbackUrl I define the link with "http" and not "https", I have a loop with, on the CAS server side, a "bad credentials" message. Adding the secure link, the error disappears.

Now, accessing the secure page, I see the usual CAS login. If I log in correctly I get the "redirect loop" error, while in the CAS log I see:

    -------------------------
    2015-03-31 13:33:33,736 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)

Edit: more information. Among the verbose output when I enable all sorts of debug, I realized there are continuous references to ROLE_ANONYMOUS. I suspect the problem is (was) not authentication but rather authorization. Indeed, that was the problem. If I modify Config.groovy:

    '/showsecure/**':     ['ROLE_USER', 'isFullyAuthenticated()'],

and implement the service that I have (now) defined in resources.groovy:

    // Place your Spring DSL code here
    beans = {
        userDetailsService(esouserdetailsservice)
    }

the problem disappears. I have another one, though. If in esouserdetailsservice I try to retrieve the roles from the database in this way:

    User.withTransaction { status ->
        // Look up the domain object created by s2-quickstart
        User user = User.findByUsername(username)
        if (!user) throw new UsernameNotFoundException('user not found', username)

        // Map each stored role to a Spring Security authority
        def authorities = user.authorities.collect {
            new GrantedAuthorityImpl(it.authority)
        }

        return new esouserdetails(user.username, user.password, user.enabled,
            !user.accountExpired, !user.passwordExpired, !user.accountLocked, authorities,
            user.id, user.getuserrealname())
    }

I have this error:

    Method on class [eso.phase3.rm.User] was used outside of a Grails application. If running in the context of a test using the mocking API or bootstrap Grails correctly.
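
The two notes in the post (an https proxyCallbackUrl, and permitAll on the receptor URL) can be checked mechanically before chasing the loop in a browser. The Python sketch below is an added example, not code from the original post or from the plugin: the function names and the path-consistency checks are assumptions of this example, and the sample config is a constructed excerpt of the settings shown above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the settings shown in the post.
SAMPLE_CONFIG = r'''
grails.serverURL = "http://casclient.mydomain.com:9080/testcas"
grails.serversecureurl = "https://casclient.mydomain.com:9043/testcas"
grails.plugin.springsecurity.cas.serviceUrl = "${grails.serverURL}/secure/security_check"
grails.plugin.springsecurity.cas.filterProcessesUrl = '/secure/security_check'
grails.plugin.springsecurity.cas.proxyCallbackUrl = "${grails.serversecureurl}/secure/receptor"
grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugin.springsecurity.interceptUrlMap = [
    '/secure/receptor':   ['permitAll'],
    '/showsecure/**':     ['ROLE_USER', 'isFullyAuthenticated()']
]
'''

ASSIGN = re.compile(r'''^\s*([\w.]+)\s*=\s*(["'])(.*?)\2\s*$''', re.M)
RULE = re.compile(r'''^\s*'([^']+)'\s*:\s*\[([^\]]*)\]''', re.M)
CAS = "grails.plugin.springsecurity.cas."

def parse_settings(text):
    """Collect flat string assignments, expanding ${key} references to earlier keys."""
    values = {}
    for key, _, raw in ASSIGN.findall(text):
        expand = lambda m: values.get(m.group(1), m.group(0))
        values[key] = re.sub(r"\$\{([\w.]+)\}", expand, raw)
    return values

def lint_cas_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_settings(text)
    get = lambda name: cfg.get(CAS + name, "")
    rules = dict(RULE.findall(text))  # URL pattern -> raw rule list
    findings = []
    callback, receptor = get("proxyCallbackUrl"), get("proxyReceptorUrl")
    if callback:
        url = urlparse(callback)
        if url.scheme != "https":  # the post reports a loop when this is http
            findings.append("proxyCallbackUrl is not https")
        if receptor and not url.path.endswith(receptor):
            findings.append("proxyCallbackUrl path does not end with proxyReceptorUrl")
        if receptor and "permitAll" not in rules.get(receptor, ""):
            findings.append("proxyReceptorUrl has no permitAll rule in interceptUrlMap")
    service, fpu = get("serviceUrl"), get("filterProcessesUrl")
    if service and fpu and not urlparse(service).path.endswith(fpu):
        findings.append("serviceUrl path does not end with filterProcessesUrl")
    return findings
```

The parser only understands flat `key = 'value'` assignments and single-line map entries, which is enough for a Config.groovy laid out like the one in the post.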

