grails - Q: Grails2.4, CAS and the infamous redirect loop -


I have several Grails applications running in production, interfacing with a CAS server (CAS 3.3.5) via spring-security and the "grails cas plugin". These applications supported various versions of Grails, from version 1.3.7 to 2.2.4.

I am moving one of them to 2.4.4 and have never-ending problems with authentication. At the end of the exercise I have the notorious "This webpage has a redirect loop" (in Chrome). On the server side I have the usual (!) error:

    ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)

Here are the steps I made to reproduce the problem:

  1. grails create-app testcas
  2. grails create-controller showsecure, and add the action showsecurepage in the controller
  3. grails generate-views
  4. Create the page showsecurepage under view/showsecure
  5. Add the UrlMappings

    class UrlMappings {
        static mappings = {
            "/showsecure" {
                controller = "showsecure"
                // map the HTTP method to the action
                action = [ GET: "showsecurepage" ]
            }
            "/"(view:"/index")
            "500"(view:'/error')
        }
    }

At this point, if I start the application I can access the page "showsecurepage" without problems. Let's move on and install the "cas plugin".

  1. Add in the "plugins" snippet of BuildConfig.groovy the strings:

    compile ":spring-security-core:2.0-rc4"
    compile ":spring-security-cas:2.0-rc1"

and in the "dependencies" snippet:

    mavenRepo 'http://repo.spring.io/milestone'

  1. Execute grails clean, grails compile.

  2. Run: grails s2-quickstart testcas user role

Config.groovy is modified and has to be "tuned".

  1. Since I don't use annotations, I replace the entries added by s2-quickstart (the staticRules) with:

    grails.plugin.springsecurity.rejectIfNoRule = true
    grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
    grails.plugin.springsecurity.interceptUrlMap = [
        '/':                  ['permitAll'],
        '/index':             ['permitAll'],
        '/index.gsp':         ['permitAll'],
        '/**/js/**':          ['permitAll'],
        '/**/css/**':         ['permitAll'],
        '/**/images/**':      ['permitAll'],
        '/**/favicon.ico':    ['permitAll'],
        '/login/**':          ['permitAll'],
        '/logout/**':         ['permitAll'],
        '/secure/receptor':   ['permitAll'],
        '/showsecure/**':     ['isFullyAuthenticated()'],
        '/finance/**':        ['ROLE_FINANCE', 'isFullyAuthenticated()']
    ]

Note: I added "permitAll" for "/secure/receptor" as described in 19710841.

  1. Finally, add the CAS configuration. As described in the documentation, the listed parameters have to be defined:

    grails.serverURL = "http://casclient.mydomain.com:9080/testcas"
    grails.serversecureurl = "https://casclient.mydomain.com:9043/testcas"
    grails.plugin.springsecurity.usecas = true
    grails.plugin.springsecurity.cas.active = true
    grails.plugin.springsecurity.cas.serverUrlPrefix = 'https://casserver.mydomain.com:10443/sso'
    grails.plugin.springsecurity.cas.serverUrlEncoding = 'utf-8'
    grails.plugin.springsecurity.cas.loginUri = '/login'
    grails.plugin.springsecurity.cas.sendRenew = false
    grails.plugin.springsecurity.cas.serviceUrl = "${grails.serverURL}/secure/security_check"
    grails.plugin.springsecurity.cas.key = 'authentication_provider'
    grails.plugin.springsecurity.cas.artifactParameter = 'ticket'
    grails.plugin.springsecurity.cas.serviceParameter = 'service'
    grails.plugin.springsecurity.cas.filterProcessesUrl = '/secure/security_check'
    grails.plugin.springsecurity.cas.proxyCallbackUrl = "${grails.serversecureurl}/secure/receptor"
    grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
    grails.plugin.springsecurity.cas.useSingleSignout = true

    grails.plugin.springsecurity.logouturl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout"
    grails.plugin.springsecurity.logout.afterLogoutUrl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout?url=${grails.serverURL}"

Note: if in grails.plugin.springsecurity.cas.proxyCallbackUrl I define the link with "http" and not "https", I have the loop with, on the CAS server side, a "bad credentials" message. Adding the secure link, the error disappears.

Now, accessing the secure page, I see the usual CAS login. If I log in correctly I get the "redirect loop" error, while in the CAS log I see:

    -------------------------
    2015-03-31 13:33:33,736 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)

Edit: more information. Among the verbose output when I enable all sorts of debug, I realized there are continuous references to ROLE_ANONYMOUS. I suspect the problem is (was) not authentication but rather authorization. Indeed, that was the problem. If I modify Config.groovy:

    '/showsecure/**':     ['ROLE_USER', 'isFullyAuthenticated()'],

and implement the service that I have (now) defined in resources.groovy:

    // Place your Spring DSL code here
    beans = {
        userDetailsService(esouserdetailsservice)
    }

the problem disappears. I have one more, though. If in esouserdetailsservice I try to retrieve the roles from the database in this way:

    User.withTransaction { status ->
        // look up the domain object for the name CAS authenticated
        User user = User.findByUsername(username)
        if (!user) throw new UsernameNotFoundException('user not found', username)

        // turn the user's stored roles into Spring Security authorities
        def authorities = user.authorities.collect {
            new GrantedAuthorityImpl(it.authority)
        }

        return new esouserdetails(user.username, user.password, user.enabled,
            !user.accountExpired, !user.passwordExpired, !user.accountLocked, authorities,
            user.id, user.getuserrealname())
    }

I have the error:

    Method on class [eso.phase3.rm.User] was used outside of a Grails application. If running in the context of a test using the mocking API or bootstrap Grails correctly.
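
The relations between the CAS settings that the question relies on can be checked mechanically before deploying. The following is an added example, not part of the original post and not code from the Grails plugins: a small Python checker run over the post's values copied into dictionaries (constructed sample input). The function name, finding codes and exact-key lookup of the receptor rule are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: values from the post's Config.groovy, flattened by hand.
SAMPLE_CAS = {
    "serviceUrl": "http://casclient.mydomain.com:9080/testcas/secure/security_check",
    "filterProcessesUrl": "/secure/security_check",
    "proxyCallbackUrl": "https://casclient.mydomain.com:9043/testcas/secure/receptor",
    "proxyReceptorUrl": "/secure/receptor",
}
SAMPLE_RULES = {
    "/secure/receptor": ["permitAll"],
    "/showsecure/**": ["isFullyAuthenticated()"],
}


def check_cas_config(cas, rules):
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    service = urlparse(cas.get("serviceUrl", ""))
    callback = urlparse(cas.get("proxyCallbackUrl", ""))
    receptor = cas.get("proxyReceptorUrl", "")

    # The CAS filter only consumes the ticket on filterProcessesUrl.
    if not service.path.endswith(cas.get("filterProcessesUrl", "\0")):
        findings.append(("service-path-mismatch", service.path))
    # The callback CAS calls must land on the receptor the client listens on.
    if not receptor or not callback.path.endswith(receptor):
        findings.append(("callback-path-mismatch", callback.path))
    # The post's note: an http callback ends in "bad credentials" on the CAS side.
    if callback.scheme != "https":
        findings.append(("callback-not-https", cas.get("proxyCallbackUrl", "")))
    # The CAS server is not logged in to the client, so the receptor must be open.
    if "permitAll" not in rules.get(receptor, []):
        findings.append(("receptor-not-permitall", receptor))
    # The post's edit: the loop went away once the protected rule named a role.
    for pattern, exprs in rules.items():
        if exprs != ["permitAll"] and not any(e.startswith("ROLE_") for e in exprs):
            findings.append(("no-role", pattern))
    return findings


if __name__ == "__main__":
    for code, detail in check_cas_config(SAMPLE_CAS, SAMPLE_RULES):
        print(f"{code}: {detail}")
```
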

