SEC-1986: Add remember-me support for CAS #2209

Open
spring-projects-issues opened this issue Jun 28, 2012 · 7 comments
Labels: in: cas (An issue in spring-security-cas), type: enhancement (A general enhancement), type: jira (An issue that was migrated from JIRA)

Comments

@spring-projects-issues

Jérôme Leleu (Migrated from SEC-1986) said:

Hi,

So far, the remember-me feature which can be enabled in CAS server is not handled in Spring Security when using the spring-security-cas module. In remember-me mode or not, the user is always considered fully authenticated.
That's what I'd like to change.

For that, I propose the following improvements:

  • every time a vote is required regarding IS_AUTHENTICATED_REMEMBERED, IS_AUTHENTICATED_FULLY, isRemembered() or isFullyAuthenticated(), the user is considered in remember-me mode if the CasAuthenticationToken has a specific attribute set to true (longTermAuthenticationRequestTokenUsed by default): it matches the configuration done on the CAS server side for the remember-me feature
  • every time a user is not granted an access (due to the previous vote or another one) and if this user is already authenticated in remember-me mode, a CAS round trip is done with the renew parameter set to true to force the CAS server to reauthenticate the user.

I'm preparing a pull request on my fork: https://github.com/leleuj/spring-security. I'm working on integration tests right now.

Regarding code, in the spring-security-cas project, I created an org.springframework.security.cas.rememberme package and:

  • a CasAuthenticationTokenEvaluator class which says if a CasAuthenticationToken is in remember-me mode or not
  • a CasRememberMeAuthenticationTrustResolverImpl class which inherits from AuthenticationTrustResolverImpl and uses the CasAuthenticationTokenEvaluator, to define if the user is in remember-me mode
  • a CasRememberMeAccessDeniedHandlerImpl class which inherits from AccessDeniedHandlerImpl and uses the CasAuthenticationTokenEvaluator, to make a CAS round-trip with renew=true if the user is already authenticated in remember-me mode
  • a CasRememberMeBeanPostProcessor to replace default beans by CAS remember-me aware beans if the user has defined a minimal Spring configuration with

Before finishing and sending this pull request, I'd like to get a feedback from the Spring Security team.

Thanks.
Best regards,
Jérôme
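The design proposed above (an evaluator that reads the remember-me attribute from the CAS assertion, a trust resolver that consults it, and an access-denied handler that forces a renew=true round trip), written out as an added Java illustration; this is not code from the issue, the pull request or the spring-security-cas module. Assumed here: the class bodies, looking the attribute up on the principal with the assertion-level map as fallback, accepting Boolean or "true" string values, and the handler's casLoginUrl/serviceUrl parameters (casLoginUrl is assumed to carry no query string of its own).

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

/** Says whether a CasAuthenticationToken was obtained via CAS remember-me (three classes in one file for brevity). */
public class CasAuthenticationTokenEvaluator {
    private final String attributeName; // CAS releases "longTermAuthenticationRequestTokenUsed" by default
    public CasAuthenticationTokenEvaluator(String attributeName) { this.attributeName = attributeName; }

    public boolean isRememberMe(Authentication authentication) {
        if (!(authentication instanceof CasAuthenticationToken)) return false; // null and non-CAS tokens: not remembered
        Assertion assertion = ((CasAuthenticationToken) authentication).getAssertion();
        // Assumption: released attributes sit on the principal (assertion-level map as fallback); value may be Boolean or "true".
        Object v = assertion.getPrincipal().getAttributes().get(attributeName);
        if (v == null) v = assertion.getAttributes().get(attributeName);
        return v != null && Boolean.parseBoolean(String.valueOf(v));
    }
}

/** Makes IS_AUTHENTICATED_REMEMBERED / isRememberMe() true for CAS remember-me sessions. */
class CasRememberMeAuthenticationTrustResolverImpl extends AuthenticationTrustResolverImpl {
    private final CasAuthenticationTokenEvaluator evaluator;
    CasRememberMeAuthenticationTrustResolverImpl(CasAuthenticationTokenEvaluator e) { this.evaluator = e; }
    @Override public boolean isRememberMe(Authentication authentication) {
        return super.isRememberMe(authentication) || evaluator.isRememberMe(authentication);
    }
}

/** On access denied, forces a fresh CAS login (renew=true) when the user is only remembered. */
class CasRememberMeAccessDeniedHandlerImpl extends AccessDeniedHandlerImpl {
    private final CasAuthenticationTokenEvaluator evaluator;
    private final String casLoginUrl, serviceUrl; // hypothetical: CAS /login URL and this app's CAS service URL
    CasRememberMeAccessDeniedHandlerImpl(CasAuthenticationTokenEvaluator e, String login, String service) {
        evaluator = e; casLoginUrl = login; serviceUrl = service;
    }
    @Override public void handle(HttpServletRequest req, HttpServletResponse res, AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (evaluator.isRememberMe(auth)) { // renew=true makes CAS ignore its SSO session and re-prompt for credentials
            res.sendRedirect(casLoginUrl + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8") + "&renew=true");
            return;
        }
        super.handle(req, res, ex); // otherwise the usual 403 handling
    }
}
```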

@spring-projects-issues

Jérôme Leleu said:

I sent the pull request #11 to ease code review.

Some more explanations:

  • I changed the DefaultWebSecurityExpressionHandler class to make the internal authenticationTrustResolver property settable
  • I updated the CAS server (samples/cas/server) to version 3.5.0-RC2 with all configuration to enable the remember-me feature (I won't enter into details for this configuration)
  • I added the IsFullyAuthenticatedPage and IsRememberedPage classes, modified the LoginPage class and added the CasSampleRememberMeTests class for the integration test in the CAS webapp demo (samples/cas/sample)
  • You should notice that the CasRememberMeBeanPostProcessor is also designed to update Spring configuration done with tag without the use of expressions and this is not tested in the demo which is configured with the use of expressions (applicationContext-security.xml file): I have nonetheless a private demo to test this feature.

@spring-projects-issues

Rob Winch said:

Thanks for the detailed submission. I will provide feedback within the next few days (most likely on the pull request as that simplifies commenting on code).

@spring-projects-issues

Scott Battaglia said:

Is there a link for the pull request?

@spring-projects-issues

Jérôme Leleu said:

Here it is: #14

@spring-projects-issues

ZhangLiangliang said:

New to SSO, this is my opinion after googling and reviewing the Spring Security 3.1.1 source code (I'm using cas-server-webapp 3.5.1). This has not been tested yet. Hope it works.

  1. Add marker interface RememberMeAuthentication:

```java
package org.springframework.security.core;

public interface RememberMeAuthentication extends Authentication {
}
```

  2. Modify RememberMeAuthenticationToken to implement RememberMeAuthentication.
  3. Modify AuthenticationTrustResolverImpl's private field rememberMeClass to RememberMeAuthentication.class.
  4. Modify cas-server-webapp's casServiceValidationSuccess.jsp, add cas:attributes:

```jsp
<cas:attributes>
   <cas:isFromNewLogin>${fn:escapeXml(assertion.fromNewLogin)}</cas:isFromNewLogin> <%-- FIXME: attribute name should be? --%>
</cas:attributes>
```

  5. Add empty class CasRememberMeAuthenticationToken.java which extends CasAuthenticationToken and implements RememberMeAuthentication:

```java
import java.util.Collection;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.RememberMeAuthentication;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.userdetails.UserDetails;
public class CasRememberMeAuthenticationToken extends CasAuthenticationToken implements RememberMeAuthentication {
    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    public CasRememberMeAuthenticationToken(final String key, final Object principal, final Object credentials,
        final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
        super(key, principal, credentials, authorities, userDetails, assertion);
    }
}
```

  6. Modify CasAuthenticationProvider to generate a new CasRememberMeAuthenticationToken if possible:

```java
...
    private CasAuthenticationToken authenticateNow(final Authentication authentication) throws AuthenticationException {
            ...
            if (Boolean.TRUE.equals(assertion.getAttributes().get("isFromNewLogin"))) { // FIXME: is the key right?
                return new CasRememberMeAuthenticationToken(this.key, userDetails, authentication.getCredentials(),
                       authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion);
            }
            return ...;
            ...
    }
...
```

  7. FIXME: should modify CasAuthenticationEntryPoint#commence(): if (authenticationException instanceof RememberMeAuthenticationException) set renew = true, and make it configurable?
  8. FIXME: should enhance XML configuration and modify ExceptionTranslationFilter: when an AccessDeniedException is found, should call sendStartAuthentication() just like the anonymous check?

Reference:
https://wiki.jasig.org/display/CASUM/Remember+Me
https://groups.google.com/forum/#!msg/jasig-cas-user/w9f5LAyHsWA/McpQQOcRUzgJ

@spring-projects-issues

Jérôme Leleu said:

I didn't review your code, but the CAS fromNewLogin property does not have the expected behaviour. I invite you to read: #14.
The solution designed under the supervision of the SpringSecurity tech lead (Rob) is based on timeout...

@spring-projects-issues spring-projects-issues added the labels in: cas (An issue in spring-security-cas), Open, type: enhancement (A general enhancement), type: jira (An issue that was migrated from JIRA) on Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 4.0 Backlog milestone Feb 5, 2016
@spring-projects-issues

This issue depends on #2211

@rwinch rwinch modified the milestone: 4.0 Backlog Aug 15, 2016
@rwinch rwinch removed the Open label May 3, 2019