I am trying to configure CAS authentication using Spring Security for my web application. I completed the documentation and was able to convert the XML configuration examples to the Java configuration. However, Iām not sure that I did everything correctly and taking into account the security sensitivity, I would like someone to confirm that there are no errors.
For example, how can I be sure that the default configurations are no longer used (for example, permissions to access URLs, different authentication administrators and / or providers, etc.)?
Did I return the current authentication manager correctly?
Configures EntryPoint, how did I do the right way?
I find understanding how to use the WebSecurityConfigurerAdapter quite confusing ...
This is my @Cofiguration class:
@EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Bean(name="authenticationManager") @Override public AuthenticationManager authenticationManagerBean() throws Exception { // TODO Auto-generated method stub return super.authenticationManagerBean(); } @Bean public ServiceProperties serviceProperties() { final ServiceProperties serviceProperties = new ServiceProperties(); serviceProperties.setService("http://localhost:8088/webapp/login/cas"); return serviceProperties; } @Bean public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService() { return new MyCasAssertionUserDetailsService(); } @Autowired protected void configure(AuthenticationManagerBuilder auth) throws Exception { super.configure(auth); final CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider(); casAuthenticationProvider.setServiceProperties(serviceProperties()); casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService()); casAuthenticationProvider.setTicketValidator(new Cas20ProxyTicketValidator("https://my.cas.server.com/cas")); casAuthenticationProvider.setKey("MY-KEY"); auth.authenticationProvider(casAuthenticationProvider); } @Bean public CasAuthenticationEntryPoint casEntryPoint() { final CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint(); casEntryPoint.setServiceProperties(serviceProperties()); casEntryPoint.setLoginUrl("https://my.cas.server.com/cas/activateAndLogin"); return casEntryPoint; } // filter to invoke the CAS server when the user click on "Logout from CAS" in the local logout success page @Bean public LogoutFilter requestSSOLogoutToCASServerLogoutFilter() { final LogoutFilter logoutFilter = new LogoutFilter("https://my.cas.server.com/cas/logout", new SecurityContextLogoutHandler()); logoutFilter.setFilterProcessesUrl("/logout/cas"); return logoutFilter; } // filter that receives the request to logout from the CAS server @Bean public SingleSignOutFilter singleSignOutFilter() { return new org.jasig.cas.client.session.SingleSignOutFilter(); } @Override protected void configure(HttpSecurity http) throws Exception { final CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter(); casAuthenticationFilter.setAuthenticationManager(authenticationManager()); http .exceptionHandling().authenticationEntryPoint(casEntryPoint()) .and() .logout() .logoutSuccessUrl("/cas-logout") // which page to redirect the User after the local log-out succeeded .permitAll() // all users can logout .and() .authorizeRequests() .anyRequest().authenticated() .and() .addFilter(casAuthenticationFilter) .addFilterBefore(requestSSOLogoutToCASServerLogoutFilter(), LogoutFilter.class) .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class) ; } }
source share