SEC-1986: Add remember-me support for CAS

[spring-projects-issues]

Jérôme Leleu (Migrated from SEC-1986) said:

Hi,

So far, the remember-me feature which can be enabled in CAS server is not handled in Spring Security when using the spring-security-cas module. In remember-me mode or not, the user is always considered fully authenticated.
That's what I'd like to change.

For that, I propose the following improvments :

• every time a vote is required regarding IS_AUTHENTICATED_REMEMBERED, IS_AUTHENTICATED_FULLY, isRemembered() or isFullyAuthenticated(), the user is considered in remember-me mode if the CasAuthenticationToken has a specific attribute setted to true (longTermAuthenticationRequestTokenUsed by default) : it matches the configuration done on the CAS server side for the remember-me feature
• every time a user is not granted an access (due to the previous vote or another one) and if this user is already authenticated in remember-me mode, a CAS round trip is done with the renew parameter setted to true to force CAS server to reauthenticate the user.

I'm preparing a pull request on my fork : https://github.com/leleuj/spring-security. I'm working on integration tests right now.

Regarding code, in the spring-security-cas project, I created a org.springframework.security.cas.rememberme package and :

• a CasAuthenticationTokenEvaluator class which says if a CasAuthenticationToken is in remember-me mode or not
• a CasRememberMeAuthenticationTrustResolverImpl class which inherits from AuthenticationTrustResolverImpl and uses the CasAuthenticationTokenEvaluator, to define if the user is in remember-me mode
• a CasRememberMeAccessDeniedHandlerImpl class which inherits from AccessDeniedHandlerImpl and uses the CasAuthenticationTokenEvaluator, to make a CAS round-trip with renew=true if the user is already authenticated in remember-me mode
• a CasRememberMeBeanPostProcessor to replace default beans by CAS remember-me aware beans if the user has define a minimal spring configuration with

Before finishing and sending this pull request, I'd like to get a feedback from the Spring Security team.

Thanks.
Best regards,
Jérôme

[spring-projects-issues]

Jérôme Leleu said:

I send the pull request #11 to ease code review.

Some more explanations :

• I changed the DefaultWebSecurityExpressionHandler class to make the internal authenticationTrustResolver property settable
• I updated the CAS server (samples/cas/server) in version 3.5.0-RC2 with all configuration to enable remember-me feature (I won't enter into details for this configuration)
• I added the IsFullyAuthenticatedPage and IsRememberedPage classes, modified the LoginPage class and added the CasSampleRememberMeTests class for the integration test in the CAS webapp demo (samples/cas/sample)
• You should notice that the CasRememberMeBeanPostProcessor is also designed to update spring configuration done with tag without the use of expressions and this is not tested in the demo which is configured with the use of expressions (applicationContext-security.xml file) : I have nonetheless a private demo to test this feature.

[spring-projects-issues]

Rob Winch said:

Thanks for the detailed submission. I will provide feedback within the next few days (most likely on the pull request as that simplifies commenting on code).

[spring-projects-issues]

Scott Battaglia said:

Is there a link for the pull request?

[spring-projects-issues]

Jérôme Leleu said:

Here it is : #14

[spring-projects-issues]

ZhangLiangliang said:

New to SSO, this is my opinion after googling and reviewing Spring Security 3.1.1 source code (I'm using cas-server-webapp 3.5.1), This has not been tested yet. Hope it working.

1. add marker interface RememberMeAuthentication:

package org.springframework.security.core;
public interface RememberMeAuthentication extends Authentication {
}

1. modify RememberMeAuthenticationToken to implements RememberMeAuthentication
2. modify AuthenticationTrustResolverImpl's private field rememberMeClass to RememberMeAuthentication.class
3. modify cas-server-webapp's casServiceValidationSuccess.jsp , add cas:attributes

    <cas:attributes>
       <cas:isFromNewLogin>${fn:escapeXml(assertion.fromNewLogin)}</cas:isFromNewLogin2> <%-- FIXME: attributen name should be? --%>
    </cas:attributes>

1. add empty class CasRememberMeAuthenticationToken.java which extends CasAuthenticationToken and implements RememberMeAuthentication

public class CasRememberMeAuthenticationToken extends CasAuthenticationToken implements RememberMeAuthentication {
    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    public CasRememberMeAuthenticationToken(final String key, final Object principal, final Object credentials,
        final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
        super(key, principal, credentials, authorities, userDetails, assertion);
    }
}}

1. modify CasAuthenticationProvider to generate a new CasRememberMeAuthenticationToken if possible

...
    private CasAuthenticationToken authenticateNow(final Authentication authentication) throws AuthenticationException {
            ...
            if(Boolean.TRUE.equals(assertion.getAttributes().get("isFromNewLogin"))){ // FIXME : the key is right?
                return new CasRememberMeAuthenticationToken(this.key, userDetails, authentication.getCredentials(),
                       authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion);
            }
            return ...;
            ...
    }
...

1. FIXME : should modify CasAuthenticationEntryPoint#commence() : if(authenticationException instanceof RememberMeAuthenticationException) set renew = true and make it configurable?
2. FIXME : should enhance XML configuration and modify ExceptionTranslationFilter, when AccessDeniedException is found, should call sendStartAuthentication() just like anonymous check?

Reference:
https://wiki.jasig.org/display/CASUM/Remember+Me
https://groups.google.com/forum/#!msg/jasig-cas-user/w9f5LAyHsWA/McpQQOcRUzgJ

[spring-projects-issues]

Jérôme Leleu said:

I didn't review your code, but the CAS fromNewLogin property does not have the expected behaviour. I invite you to read : #14.
The solution designed under the supervision of the SpringSecurity tech lead (Rob) is based on timeout...

[spring-projects-issues]

This issue depends on #2211