Reputation: 93
I am working on a typical web application, but with authentication and authorization performed via Shiro and using JASIG CAS SSO. My application is a JSF 2 webapp running on Tomcat 7. I have Shiro-enabled it, and in my Shiro configuration I have hooked in the CAS realm. All works fine... that is, the web app is running fine and Shiro is redirecting to the CAS login page. In turn, CAS is redirecting me back to the originally requested URL. Then nothing happens! I get a redirect loop!
https://myhost:8443/gdsicache/secured/index?ticket=ST-37-L2N7SCVtHxHWENqBfpOY-cas01.example.org
As can be seen from the link, I am redirected to the requested secure resource https://myhost/gdsicache/secured/index, and I also get a ticket, but then end up in a loop.
Does anyone have any idea why the flow ends up in a redirect loop? I am not making any more redirects, since I don't have any other filters apart from the Shiro filter in my web.xml file.
Upvotes: 0
Views: 801
Reputation: 156
This redirect loop is usually caused by a server certificate that is not recognized by the JVM, mostly by the client machine's JVM. If your application is separated from the server, especially the JVM, you should ensure that you have imported the root, intermediate (and sometimes cross) certificates issued by your CA. Otherwise your CAS client will loop, because it does not recognize the certificate on your server.
Please note that it is not the browser certificate that causes the issue; it is the JVM.
PS. You might also need to import your root, intermediate (and sometimes cross) certificates into your CAS server JVM.
Upvotes: 1
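The certificate import described in the answer above, as an added example that is not part of the original thread. It uses the JDK's `keytool`; the aliases, file names, the `changeit` password and the throwaway self-signed certificate (a stand-in for the root or intermediate certificate issued by your CA) are all constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: import a CA certificate into a JVM trust store and verify it.
# All aliases, paths and the password "changeit" are constructed placeholders.

# Create a throwaway self-signed certificate standing in for the CA file
# (root or intermediate) that you would normally obtain from your CA.
make_demo_ca_cert() {
  local dir="$1"
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 \
    -dname "CN=demo-root-ca-constructed" -validity 1 \
    -keystore "$dir/demo-ca.p12" -storetype PKCS12 \
    -storepass changeit -keypass changeit </dev/null >/dev/null 2>&1 || return 1
  keytool -exportcert -rfc -alias demo-ca -keystore "$dir/demo-ca.p12" \
    -storepass changeit -file "$dir/demo-ca.pem" >/dev/null 2>&1
}

# Import one certificate file into the trust store the JVM will use.
# Repeat with a distinct alias for each root, intermediate or cross certificate.
import_ca_cert() {
  local truststore="$1" alias="$2" certfile="$3"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$certfile" -keystore "$truststore" \
    -storepass changeit >/dev/null 2>&1
}

# Succeeds only if the alias exists in the store as a trusted certificate entry.
is_trusted() {
  local truststore="$1" alias="$2"
  keytool -list -alias "$alias" -keystore "$truststore" \
    -storepass changeit 2>/dev/null | grep -q "trustedCertEntry"
}

# Stand-alone demo: ./import-ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
  work="$(mktemp -d)"
  make_demo_ca_cert "$work" &&
    import_ca_cert "$work/truststore.p12" demo-root "$work/demo-ca.pem" &&
    is_trusted "$work/truststore.p12" demo-root &&
    echo "demo-root is trusted in $work/truststore.p12"
  # The JVM running the CAS client (here, Tomcat) must then use this store,
  # for example via -Djavax.net.ssl.trustStore=<path> and
  # -Djavax.net.ssl.trustStorePassword=<password>, or by importing into
  # that JVM's own cacerts file instead of a separate store.
fi
```

Restart the JVM after changing its trust store, since the default trust store is read when the TLS context is first initialized.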