
CAS authentication in 5.1 j_spring_security_check hangs


lightsailpro


I am testing 5.1 CAS security. Jasper Server was able to forward to the CAS server. After I type in my user id and password in the CAS login screen, CAS tries to redirect to the URL with j_spring_security_check in it. But it just hangs there. There is no error in the Jasper log. Could someone shed some light on how to troubleshoot this? I know the user id and password work if I just log into the CAS server directly. Thanks.


This is a new 5.1 installation. I just edited the sample CAS configuration file and copied it as applicationContext-externalAuth-CAS-staticRoles.xml to the WEB-INF folder. There is no change to the default applicationContext-Security.xml and applicationContext-Security-web.xml files. I also tested LDAP. But it seems to me that we cannot enable CAS and LDAP at the same time. So I disabled LDAP by removing applicationContext-externalAuth-LDAP.xml in order to test CAS. I am using http instead of https here during the test. I changed the CAS server setting to allow http. Here is my setting. Please note I had to comment out a few external data source settings to make the server able to run. My CAS server and Jasper server are on the same machine. They use different Tomcat installations. CAS is on port 8087. Jasper is on port 80.

 

====================================================

<!--
  ~ Copyright © 2005 - 2012 Jaspersoft Corporation. All rights reserved.
  ~ http://www.jaspersoft.com.
  ~
  ~ Unless you have purchased  a commercial license agreement from Jaspersoft,
  ~ the following license terms  apply:
  ~
  ~ This program is free software: you can redistribute it and/or  modify
  ~ it under the terms of the GNU Affero General Public License  as
  ~ published by the Free Software Foundation, either version 3 of  the
  ~ License, or (at your option) any later version.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  ~ GNU Affero  General Public License for more details.
  ~
  ~  You should have received a copy of the GNU Affero General Public  License
  ~  along with this program. If not, see <http://www.gnu.org/licenses/>.
  -->

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!--
      - Sample configuration of SSO via CAS Spring API.
      - Additional user details are extracted via an external database (externalDataSource)
      - This file shows an example of automatic assignment of ROLE_ADMINISTRATOR to specific external username's.
    -->

    <bean id="proxyAuthenticationProcessingFilter" class="com.jaspersoft.jasperserver.api.security.externalAuth.cas.JSCasProcessingFilter">
        <property name="authenticationManager">
            <ref local="casAuthenticationManager"/>
        </property>


        <property name="externalDataSynchronizer">
            <ref local="externalDataSynchronizer"/>
        </property>

        <property name="sessionRegistry">
            <ref bean="sessionRegistry"/>
        </property>

        <property name="internalAuthenticationFailureUrl" value="/login.html?error=1"/>
        <property name="defaultTargetUrl" value="/loginsuccess.html"/>
        <property name="invalidateSessionOnSuccessfulAuthentication" value="true"/>
        <property name="migrateInvalidatedSessionAttributes" value="true"/>

        <property name="filterProcessesUrl" value="/j_spring_security_check"/>
    </bean>

    <bean id="proxyAuthenticationSoapProcessingFilter"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.cas.JSSoapProcessingFilter">
        <property name="authenticationManager" ref="casSoapAuthenticationManager"/>

        <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>

        <property name="invalidateSessionOnSuccessfulAuthentication" value="true"/>
        <property name="migrateInvalidatedSessionAttributes" value="true"/>
        <property name="filterProcessesUrl" value="/services"/>
    </bean>

    <bean id="proxyAuthenticationRestProcessingFilter"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.cas.CasRestProcessingFilter">
        <property name="authenticationManager" ref="casRestAuthenticationManager"/>
        <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>

        <property name="filterProcessesUrl" value="/rest/login"/>
        <property name="invalidateSessionOnSuccessfulAuthentication" value="true"/>
        <property name="migrateInvalidatedSessionAttributes" value="true"/>
    </bean>

    <bean id="proxyExceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter" depends-on="externalAuthProperties">
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
                <property name="loginUrl" value="#{externalAuthProperties.externalLoginUrl}"/>

                <property name="serviceProperties">
                    <ref local="casServiceProperties"/>
                </property>
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean class="com.jaspersoft.jasperserver.war.themes.ThemeAwareAccessDeniedHandlerImpl">
                <property name="errorPage" value="/WEB-INF/jsp/modules/system/AccessDeniedPage.jsp"/>
                <property name="themeResolver" ref="themeResolver" />
                <property name="themeSource" ref="themeSource" />
            </bean>
        </property>
    </bean>

    <bean id="casAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <!-- anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
            </list>
        </property>
    </bean>

    <bean id="casRestAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casRestAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <!-- anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
            </list>
        </property>
    </bean>

    <bean id="casSoapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casSoapAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
                <!-- anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
            </list>
        </property>
    </bean>


    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider" depends-on="externalAuthProperties">

        <property name="userDetailsService"><ref local="userAuthorityService"/></property>

        <property name="serviceProperties">
            <ref local="casServiceProperties"/>
        </property>

        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="#{externalAuthProperties.ssoServerLocation}" />
            </bean>
        </property>

        <property name="statelessTicketCache">
            <bean class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
                <property name="cache">
                    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                        <property name="cacheManager" ref="cacheManager"/>
                        <property name="cacheName" value="casTicketCache"/>
                    </bean>
                </property>
            </bean>
        </property>

        <property name="key" value="casCacheKey"/>
    </bean>

    <bean id="casRestAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider" depends-on="externalAuthProperties">
 
      <property name="userDetailsService"><ref local="userAuthorityService"/></property>

        <property name="serviceProperties">
            <ref local="casRestServiceProperties"/>
        </property>

        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="#{externalAuthProperties.ssoServerLocation}" />
            </bean>
        </property>

        <property name="statelessTicketCache">
            <bean class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
                <property name="cache">
                    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                        <property name="cacheManager" ref="cacheManager"/>
                        <property name="cacheName" value="casTicketCache"/>
                    </bean>
                </property>
            </bean>
        </property>

        <property name="key" value="casCacheKey"/>
    </bean>

    <bean id="casSoapAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider" depends-on="externalAuthProperties">
 
      <property name="userDetailsService"><ref local="userAuthorityService"/></property>

        <property name="serviceProperties">
            <ref local="casSoapServiceProperties"/>
        </property>

        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="#{externalAuthProperties.ssoServerLocation}" />
            </bean>
        </property>

        <property name="statelessTicketCache">
            <bean class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
                <property name="cache">
                    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                        <property name="cacheManager" ref="cacheManager"/>
                        <property name="cacheName" value="casTicketCache"/>
                    </bean>
                </property>
            </bean>
        </property>

        <property name="key" value="casCacheKey"/>
    </bean>

<!--
    <bean id="casJDBCUserDetailsService" class="com.jaspersoft.jasperserver.api.security.externalAuth.cas.CasJDBCUserDetailsService">
        <property name="dataSource" ref="externalDataSource"/>
        <property name="usersByUsernameQuery" value="select username, password, enabled from jiuser WHERE username = ?"/>
        <property name="authoritiesByUsernameQuery" value="SELECT u.username, r.rolename FROM jiuser u, jiuserrole ur, jirole r WHERE u.id = ur.userId and ur.roleId=r.id and u.username = ?"/>
    </bean>
-->

    <bean id="casServiceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://mytestserver1/jasperserver/j_spring_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!--we rely on the customer coming with a ticket that was issued to their system. this is where they need to specify
    the url-->
    <bean id="casRestServiceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://mytestserver1/rest/login"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <bean id="casSoapServiceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://mytestserver1/jasperserver/services"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- ############ SSO auth ############ -->

    <!-- ############ Synchronizer ############ -->

    <bean id="externalDataSynchronizer"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizerImpl">
<!--
        <property name="externalUserDetailsService"> <ref local="userAuthorityService"/></property>
-->
        <property name="externalUserProcessors">
            <list>
                <ref local="externalUserSetupProcessor"/>
                <!-- Example processor for creating user folder-->
                <!--<ref local="externalUserFolderProcessor"/>-->
            </list>
        </property>
    </bean>

    <bean id="abstractExternalProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor" abstract="true">
        <property name="repositoryService" ref="${bean.repositoryService}"/>
        <property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
        <property name="tenantService" ref="${bean.tenantService}"/>
        <property name="profileAttributeService" ref="profileAttributeService"/>
        <property name="objectPermissionService" ref="${bean.objectPermissionService}"/>
    </bean>

    <bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>

        <!-- If the username is in adminUsernames list assign the user internal roles from defaultAdminRoles;
          - otherwise, assign the user all the roles from defaultInternalRoles list.
        -->
        <property name="adminUsernames">
            <list>
                <value>myorgadmin</value>
            </list>
        </property>
        <property name="defaultAdminRoles">
            <list>
                <value>ROLE_USER</value>
                <value>ROLE_ADMINISTRATOR</value>
            </list>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>

        <property name="conflictingExternalInternalRoleNameSuffix" value="EXTERNAL"/>

        <property name="externalAuthProperties" ><ref local="externalAuthProperties"/></property>
    </bean>

    <bean id="externalUserFolderProcessor"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"
          parent="abstractExternalProcessor">
        <property name="repositoryService" ref="${bean.unsecureRepositoryService}"/>
    </bean>

    <!-- ############ Synchronizer ############ -->

    <!-- ############## external dataSource ############### -->
<!--
    <bean id="externalDataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">

        <property name="driverClassName" value="com.postgres.jdbc.Driver"/>
        <property name="url" value="jdbc:mysql://localhost:3306/BD_URL_Example"/>
        <property name="username" value="*** DB username ***"/>
        <property name="password" value="*** DB password ***"/>

    </bean>
-->

    <!-- ############## external dataSource ############### -->

    <bean id="externalAuthProperties" class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalAuthProperties">
        <property name="externalLoginUrl" value="#ssoServerLocation#/login"/>

        <!-- external logout url. If specified, logout will redirect to that address. -->
        <property name="logoutUrl" value="#ssoServerLocation#/logout"/>
        <property name="ssoServerLocation" value="http://mytestserver1:8087/cas-server-webapp-3.5.2/login"/>
    </bean>
</beans>


There's nothing obviously wrong in this config file.

 

This error is most commonly seen when the CAS SSL certificate has not been imported into the Java truststore (cacerts). In this case, JRS won't be able to communicate to CAS to validate the service ticket. However, since your CAS is set up for http, that won't be the problem.

 

Can you set your rootlogger log level to DEBUG in web-inf/log4j.properties and upload the log file as an attachment?

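As an added illustration (not code from this thread, from Jaspersoft or from the Jasig client), the Python below walks the server-to-server step that runs behind /j_spring_security_check and that a DEBUG log would expose: building the serviceValidate request from ssoServerLocation and the ServiceProperties service value, parsing the CAS 2.0 reply, and two checks worth running against the posted config, namely that the service value matches the login redirect exactly and that the prefix does not already end in /login. Helper names and the sample responses are constructed for this example.

```python
"""Server-side step behind /j_spring_security_check after CAS redirects back with
?ticket=ST-...: JasperReports Server's CasAuthenticationProvider calls
<ssoServerLocation>/serviceValidate on the CAS server and parses the CAS 2.0 XML
reply. Added illustration, not Jaspersoft or Jasig client code; helper names and
the sample responses below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace


def validate_url(sso_server_location: str, service: str, ticket: str) -> str:
    """Build the serviceValidate URL the Java client derives from its prefix.
    The service value must be byte-for-byte the one used on the login redirect;
    otherwise CAS answers with an INVALID_SERVICE failure."""
    prefix = sso_server_location.rstrip("/")
    return f"{prefix}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def prefix_looks_wrong(sso_server_location: str) -> bool:
    """The validator appends /serviceValidate to the prefix it is given, so a
    prefix that already ends in /login would yield .../login/serviceValidate,
    a path the CAS server does not serve."""
    return urlsplit(sso_server_location).path.rstrip("/").endswith("/login")


def service_from_login_redirect(login_url: str) -> str:
    """Extract the service= parameter from the CAS login redirect so it can be
    compared with the ServiceProperties 'service' value used for validation."""
    return parse_qs(urlsplit(login_url).query)["service"][0]


def parse_service_response(xml_text: str) -> dict:
    """Classify a CAS 2.0 serviceResponse: success yields the user name,
    failure yields the CAS error code and message."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return {"ok": True, "user": ok.findtext("cas:user", namespaces=CAS_NS)}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    raise ValueError("not a CAS 2.0 serviceResponse")


# Constructed sample replies, shaped like CAS 2.0 serviceValidate output.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>myorgadmin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'ST-1-example' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

If the validation request itself never returns (CAS on port 8087 unreachable from the Jasper JVM), the browser sits on the j_spring_security_check URL exactly as described, with nothing logged until the HTTP call times out.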

I set up CAS and Jasper in another environment and redid the testing. I disabled the https requirement by following the procedure below. We usually do SSL offloading on an F5 load balancer. That is the reason I test SSO via http first.

===========================

--CAS without https:
http://www.codemarvels.com/2010/12/how-to-do-cas-sso-without-ssl/

This is a tiny tutorial on the steps required to enable CAS (Jasig, v3.4x) single-sign-out without SSL. These are the steps involved to remove the dependency on SSL:

i. Use HTTP URLs (instead of HTTPS ones) in all client configurations.
ii. Edit [CAS-server-deployment-root]/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml and change the value of the attribute "p:cookieSecure" to false.
iii. Edit [CAS-server-deployment-root]/WEB-INF/spring-configuration/warnCookieGenerator.xml and change the value of the attribute "p:cookieSecure" to false.

The CAS authentication and SSO should work without problems on plain HTTP now.

============================

 

The login process hangs a few minutes on the following URL
http://vmnsdev2008r203:8087/cas-server-webapp-3.5.2/login?service=http%3A%2F%2Fvmnsdev2008r203%2Fjasperserver%2Fj_spring_security_check

then redirects to this page (invalid credentials)
http://vmnsdev2008r203/jasperserver/login.html?error=1

The log is attached. Thanks for your help.
