SEC-2127: Support multiple hostnames

[spring-projects-issues]

Condor (Migrated from SEC-2127) said:

I have 3 related problems with the Spring Security CAS client:

1. My web application is accessible on multiple host names and after logging in the CAS server should redirect to the original host and not one single host as specified in the service config option.
2. I patched the code to use the host and port of the original request, but then I noticed that the request url was also wrong because my application server is behind a proxy server. So I modified the patch to also use the X-Proxy-Host header when available.
3. I configured my CAS server to allow a service parameter for redirect after single sign out. Spring Security CAS has no standard logout handler for this, so I created one and I had to add the same service url processing as SEC-1900: Fixed by removing dependency to equals method in SimpleGrantedAuthority #2.

This all works, but I assume that more people are having this problem. So I would like to request that these feature are added to the library. Thanks.

[spring-projects-issues]

Rob Winch said:

I don't this this is necessary. As discussed in this thread on the forums, you should properly configure your application server to work behind a proxy. There are a few custom properties you need to add to WebSphere to get this to work:

com.ibm.ws.webcontainer.extractHostHeaderPort = true
trusthostheaderport = true
httpsIndicatorHeader = com.ibm.ws.httpsIndicatorHeader

In short, I don't think this is a necessary enhancement. If you disagree, please provide a little more details as to why you feel the proposed solution does not work.

[spring-projects-issues]

Condor said:

Thanks for the info. I'll have a look at those websphere config options tomorrow.

But at most that would solve issue 2 and not 1 and 3.

The main issue remains that you can only specify one (absolute) cas service url.

[spring-projects-issues]

Rob Winch said:

I think this is a valid request. I will rephrase to ensure we are on the same page. Given the configuration settings, we should be able to have a configuration (out of the box) that uses the current HttpServletRequest object to create the service URL.

For now you can ensure your application uses an instance of ServiceAuthenticationDetails for the Authentication.getDetails() and it will use the serviceUrl within it. The default implementation of this will use the current URL to create the service URL which works well for PGTs for rest services. You can create your own implementation that returns the authentication URL with the current host. There are some details about this within the reference.

[spring-projects-issues]

Condor said:

Thanks, that would indeed be a good solution to issue 1.

Tomorrow I'll also have a look at those classes you mentioned.

And what is your take on issue 3?

[spring-projects-issues]

Rob Winch said:

I think for issue 3 you should probably be sending the user to a controller after successful logout and implementing the logic to redirect to in the controller. This decouples your logic from Spring Security. It is not all that common for the CAS Server to be hosted on multiple domains as this prevents SSO (i.e. the TGT cookie will not be found if the domains switch).

[spring-projects-issues]

Condor said:

No I think you misunderstood. The CAS server is on a single host name (otherwise CAS wouldn't work as you already mention).

My goal is that after single logout on the CAS server I want to redirect to a public page on the original webserver. The CAS server has an option to allow a service parameter for this. I just needed to create a logout handler that added this parameter to the request.

[spring-projects-issues]

Rob Winch said:

You are correct I did misunderstand what you were looking for. It sounds as though you have solved #3 on your own. Is that correct? Alternatively, you could also implement this logic in a controller.

[spring-projects-issues]

Condor said:

True, the solution was simple, but maybe more people could benefit from an extended SimpleUrlLogoutSuccessHandler that allows adding a service parameter to the defaultTargetUrl.

This is of course only required when you need a service parameter with the domain copied from the request url, otherwise you can simply include the parameter in the defaultTargetUrl itself.

[spring-projects-issues]

Condor said:

Coming back to your ServiceAuthenticationDetails reference. That was not the only thing that needed changing:

1. I extended CasAuthenticationEntryPoint to override createServiceUrl().
2. I extended ServiceAuthenticationDetailsSource to return my own ServiceAuthenticationDetails instance from buildDetails().

[spring-projects-issues]

Puneet Goyal said:

@condor , Could you please elaborate your fix, i am experiencing the same issue.
I have one application being used from 2 different Hostnames.

[spring-projects-issues]

Condor said:

Example implementation for CAS 3.5.2

[spring-projects-issues]

Condor said:

These example files implement all three changes mentioned above.

For issue 3 the CAS server was configured with:
cas.logout.followServiceRedirects=true

[spring-projects-issues]

Puneet Goyal said:

Thanks for the prompt response.
I could not understand though, that what value is being used for ${cas.service.url} in serviceProperties.

Don't we need only "/j_spring_cas_security_check" here as rest part of the absolute URL will be constructed at runtime using request's Object.
Do we need WebApplicationContext here.

[spring-projects-issues]

Condor said:

It's not required when ${cas.service.url} is just a host, but I included it in case it contained a path too.

The security-context.xml is a context file that is included in my web-context.xml, so it does not contain the context for a complete application.

[spring-projects-issues]

Puneet Goyal said:

Thanks for the fix, i really appreciate the prompt response.