grails - Q: Grails 2.4, CAS and the infamous redirect loop -
I have several Grails applications running in production, interfacing with a CAS server (CAS 3.3.5) via Spring Security and the "Grails CAS plugin". These applications support various Grails versions, from 1.3.7 to 2.2.4.
I am moving one of them to 2.4.4 and have never-ending problems with authentication. At the end of the exercise I have the notorious "This webpage has a redirect loop" (in Chrome). On the server side I have the usual (!) error:

    ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)
Here are the steps I made to reproduce the problem:

    grails create-app testcas
    grails create-controller showsecure

- add the action showSecurePage in the controller
- grails generate-views
- create the page showSecurePage under views/showsecure
- add the URL mappings:

    class UrlMappings {
        static mappings = {
            "/showsecure" {
                controller = "showsecure"
                action = [GET: "showSecurePage"]
            }
            "/"(view: "/index")
            "500"(view: '/error')
        }
    }
At this point, if I start the application, I can access the page "showSecurePage" without problems. Let's move on and install the "CAS plugin".
Add in the "plugins" section of BuildConfig.groovy the strings:

    compile ":spring-security-core:2.0-RC4"
    compile ":spring-security-cas:2.0-RC1"

and in the "dependencies" section:

    mavenRepo 'http://repo.spring.io/milestone'

Execute grails clean, grails compile. Then run:

    grails s2-quickstart testcas User Role
The Config.groovy is modified and has to be "tuned". Since I don't use annotations, I replace the entries added by s2-quickstart (the staticRules) with:

    grails.plugin.springsecurity.rejectIfNoRule = true
    grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
    grails.plugin.springsecurity.interceptUrlMap = [
        '/':                 ['permitAll'],
        '/index':            ['permitAll'],
        '/index.gsp':        ['permitAll'],
        '/**/js/**':         ['permitAll'],
        '/**/css/**':        ['permitAll'],
        '/**/images/**':     ['permitAll'],
        '/**/favicon.ico':   ['permitAll'],
        '/login/**':         ['permitAll'],
        '/logout/**':        ['permitAll'],
        '/secure/receptor':  ['permitAll'],
        '/showsecure/**':    ['isFullyAuthenticated()'],
        '/finance/**':       ['ROLE_FINANCE', 'isFullyAuthenticated()']
    ]

Note: I added "permitAll" for "/secure/receptor" as described in 19710841.
Finally I add the CAS configuration. As described in the documentation, I have defined the listed parameters:

    grails.serverURL = "http://casclient.mydomain.com:9080/testcas"
    grails.serverSecureURL = "https://casclient.mydomain.com:9043/testcas"
    grails.plugin.springsecurity.useCas = true
    grails.plugin.springsecurity.cas.active = true
    grails.plugin.springsecurity.cas.serverUrlPrefix = 'https://casserver.mydomain.com:10443/sso'
    grails.plugin.springsecurity.cas.serverUrlEncoding = 'UTF-8'
    grails.plugin.springsecurity.cas.loginUri = '/login'
    grails.plugin.springsecurity.cas.sendRenew = false
    grails.plugin.springsecurity.cas.serviceUrl = "${grails.serverURL}/secure/security_check"
    grails.plugin.springsecurity.cas.key = 'authentication_provider'
    grails.plugin.springsecurity.cas.artifactParameter = 'ticket'
    grails.plugin.springsecurity.cas.serviceParameter = 'service'
    grails.plugin.springsecurity.cas.filterProcessesUrl = '/secure/security_check'
    grails.plugin.springsecurity.cas.proxyCallbackUrl = "${grails.serverSecureURL}/secure/receptor"
    grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
    grails.plugin.springsecurity.cas.useSingleSignout = true
    grails.plugin.springsecurity.logoutUrl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout"
    grails.plugin.springsecurity.logout.afterLogoutUrl = "${grails.plugin.springsecurity.cas.serverUrlPrefix}/logout?url=${grails.serverURL}"

Note: if in grails.plugin.springsecurity.cas.proxyCallbackUrl I define an "http" link and not "https", I have the loop with, on the CAS server side, a "Bad credentials" message. Adding the secure link, the error disappears.
Now, accessing the secure page, I see the usual CAS login. If I log in correctly I have the "redirect loop" error, while in the CAS log I see:

    2015-03-31 13:33:33,736 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://casclient.mydomain.com:9043/testcas/secure/receptor]>
    org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:268)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)
EDIT: more information. Among the verbose output when I enable all sorts of debug, I realized there were continuous references to ROLE_ANONYMOUS. I suspected the problem was not authentication but rather authorization. Indeed, that is the problem. If I modify Config.groovy:

    '/showsecure/**': ['ROLE_USER', 'isFullyAuthenticated()'],

and implement the service I have (now) defined in resources.groovy:

    // Place your Spring DSL code here
    beans = {
        userDetailsService(EsoUserDetailsService)
    }

the problem disappears. I have one problem though. If in EsoUserDetailsService I try to retrieve the roles from the database in this way:

    User.withTransaction { status ->
        User user = User.findByUsername(username)
        if (!user) throw new UsernameNotFoundException('User not found', username)
        def authorities = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }
        return new EsoUserDetails(user.username, user.password, user.enabled,
                !user.accountExpired, !user.passwordExpired, !user.accountLocked,
                authorities, user.id, user.getUserRealName())
    }

I have the error:

    Method on class [eso.phase3.rm.User] was used outside of a Grails application. If running in the context of a test using the mocking API or bootstrap Grails correctly.