Clever Geek Handbook

CAS 403 Single Output Callback Callback (Disabled)

I rephrased the question and deleted the old one. Hopefully I can get answers now.

The CAS is trying to send a callback request to the secure SLO application:

<Error Sending message to url endpoint [http://localhost:8080/j_spring_cas_security_check]. Error is [Server returned HTTP response code: 403 for URL: http://localhost:8080/j_spring_cas_security_check]>

org.jasig.cas.client.session.SingleSignOutFilter

Never hits when debugging .

@Override
    public void configure(HttpSecurity http) throws Exception {
        http.
                addFilter(casFilter()).
                addFilterBefore(requestSingleLogoutFilter(), LogoutFilter.class).
                addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
                .logout().permitAll().logoutSuccessUrl("http://localhost:8080/j_spring_cas_security_logout").invalidateHttpSession(true).and()
                .authorizeRequests().antMatchers("/home2").hasAuthority("USER").and()
                .exceptionHandling()
                .authenticationEntryPoint(casEntryPoint)
                .and()
                .httpBasic();
    }


Filter casFilter() {
    CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
    casAuthenticationFilter.setServiceProperties(getServiceProperties());
    casAuthenticationFilter.setAuthenticationManager(getProviderManager());
    return casAuthenticationFilter;

}

LogoutFilter requestSingleLogoutFilter() {
    LogoutFilter logoutFilter = new LogoutFilter("http://localhost:8089/cas/logout",
            new SecurityContextLogoutHandler());
    logoutFilter.setFilterProcessesUrl("/j_spring_cas_security_logout");
    return logoutFilter;
}


SingleSignOutFilter singleSignOutFilter() {
    SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
    return singleSignOutFilter;
}

 @Override
public void onStartup(ServletContext servletContext) throws ServletException {
    servletContext.addListener(new   org.jasig.cas.client.session.SingleSignOutHttpSessionListener());
}

I have everything except logout. It currently cancels the session thanks to the LogoutFilter, destroys the ticket (when redirecting to the CAS), but if the SLO request is sent from another secured application, it will obviously not affect that application (since the sessionid will still be here).

Any suggestions?

+3


source to share


1 answer


In the same situation (status code 403) with CAS SLO in my spring security log I found:

Invalid CSRF token found for http://localhost:8080/j_spring_cas_security_check

so I disabled the csrf filter in my security config:



http.csrf().disable();

This might not be a good practice, just a quick solution that works for me now. Also I'm not sure if I can get the correct csrf token if the SLO is triggered in another secure application.

+3


source






More articles:


All Articles