How do I configure Spring Security CAS support using Java configuration?


I'm trying to set up CAS authentication using Spring Security for my web application. I've followed the documentation and managed to convert the XML configuration examples to Java config. However, I'm not sure I did everything correctly and, given how sensitive security configuration is, I'd like someone to confirm that there are no mistakes.

For example, how can I be sure that no default configuration is still in effect (such as liberal permissions on URLs, a different authentication manager and/or providers, etc.)?

Is the way I retrieved the current AuthenticationManager correct?

Is configuring the EntryPoint like I did the correct way?

I find it rather confusing to understand how WebSecurityConfigurerAdapter is meant to be used...

This is my @Configuration class:

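@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Spring Security Java configuration for CAS single sign-on. It wires a CAS entry
    // point, a CAS authentication provider and filter, local logout followed by a
    // redirect to the CAS server, and a single-sign-out receiver; every request must be
    // authenticated (see configure(HttpSecurity)).

    /**
     * Exposes the {@link AuthenticationManager} built by this adapter as a bean named
     * {@code authenticationManager} so other components can inject it.
     *
     * @return the manager assembled by {@link #configure(AuthenticationManagerBuilder)}
     * @throws Exception if the manager cannot be built
     */
    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Service properties that identify this application to the CAS server.
     *
     * @return properties whose service URL is this application's CAS login callback
     */
    @Bean
    public ServiceProperties serviceProperties() {
        final ServiceProperties serviceProperties = new ServiceProperties();
        // NOTE(review): a plain-http callback is acceptable for local development only;
        // the CAS service ticket is carried in this URL, so a deployed instance should
        // use https and an externalized host name rather than a literal in source.
        serviceProperties.setService("http://localhost:8088/webapp/login/cas");
        return serviceProperties;
    }

    /**
     * Maps a validated CAS assertion to this application's user details.
     *
     * @return the application-specific assertion-to-user mapper
     */
    @Bean
    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService() {
        return new MyCasAssertionUserDetailsService();
    }

    /**
     * Registers the CAS provider as the authentication provider of this adapter.
     *
     * <p>This is a plain override of the adapter hook. The previous {@code @Autowired}
     * form had the overriding signature anyway, and additionally had Spring invoke the
     * method with the global {@code AuthenticationManagerBuilder}, while the
     * {@code super.configure(auth)} call told the adapter to discard its local builder
     * and fall back to that global manager. Overriding without calling {@code super}
     * keeps the provider in this adapter's own manager, which is the manager returned by
     * {@link #authenticationManagerBean()} and used in {@link #configure(HttpSecurity)}.
     *
     * @param auth builder for this adapter's authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        final CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
        // NOTE(review): a proxy validator is only needed if this application must accept
        // CAS proxy tickets; if it does not, Cas20ServiceTicketValidator is the narrower
        // choice — confirm which one is intended.
        casAuthenticationProvider.setTicketValidator(new Cas20ProxyTicketValidator("https://my.cas.server.com/cas"));
        // The key identifies tokens produced by this provider; move it out of source
        // (externalized configuration) before this leaves development.
        casAuthenticationProvider.setKey("MY-KEY");
        auth.authenticationProvider(casAuthenticationProvider);
    }

    /**
     * Entry point that redirects unauthenticated requests to the CAS login page.
     *
     * @return the CAS entry point bound to {@link #serviceProperties()}
     */
    @Bean
    public CasAuthenticationEntryPoint casEntryPoint() {
        final CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint();
        casEntryPoint.setServiceProperties(serviceProperties());
        casEntryPoint.setLoginUrl("https://my.cas.server.com/cas/activateAndLogin");
        return casEntryPoint;
    }

    /**
     * Filter that sends the user to the CAS server's logout page when they click
     * "Logout from CAS" on the local logout success page.
     *
     * <p>NOTE(review): if this application runs under Spring Boot, every {@code Filter}
     * bean is also registered with the servlet container and would run outside the
     * security chain as well; a {@code FilterRegistrationBean} with
     * {@code setEnabled(false)} suppresses that. Confirm against the runtime — the same
     * applies to {@link #singleSignOutFilter()}.
     *
     * @return a logout filter listening on {@code /logout/cas}
     */
    @Bean
    public LogoutFilter requestSSOLogoutToCASServerLogoutFilter() {
        final LogoutFilter logoutFilter = new LogoutFilter("https://my.cas.server.com/cas/logout", new SecurityContextLogoutHandler());
        logoutFilter.setFilterProcessesUrl("/logout/cas");
        return logoutFilter;
    }

    /**
     * Filter that receives single-sign-out requests from the CAS server.
     *
     * @return the CAS client single-sign-out filter
     */
    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        return new org.jasig.cas.client.session.SingleSignOutFilter();
    }

    /**
     * Builds the security filter chain: CAS entry point for unauthenticated requests,
     * local logout redirecting to {@code /cas-logout}, authentication required on every
     * URL, and the CAS, CAS-server-logout and single-sign-out filters.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        // Uses this adapter's manager, i.e. the one holding the CAS provider above.
        // NOTE(review): the filter's default processing URL (/login/cas) is expected to
        // match the path in serviceProperties() — confirm for the Spring Security version in use.
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());

        http
            .exceptionHandling().authenticationEntryPoint(casEntryPoint())
        .and()
            .logout()
                .logoutSuccessUrl("/cas-logout") // page shown after the local log-out succeeded
                .permitAll() // all users can log out
        .and()
            .authorizeRequests()
                .anyRequest().authenticated()
        .and()
            .addFilter(casAuthenticationFilter)
            .addFilterBefore(requestSSOLogoutToCASServerLogoutFilter(), LogoutFilter.class)
            .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
            ;
    }
}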
