CAS 4 with Spring Security 4 (java config) - stuck in a redirect loop after ticket granted SSO

Question

I have been stuck on this issue for about a couple of days now. I have a CAS 4 app and a Spring-enabled (MVC and Security) web application running on a Tomcat 8. I am trying to authenticate against the CAS server. All the setup works perfectly fine, but once i seem to be authenticated (given the ticket) and trying to redirect i am getting This webpage has a redirect loop,ERR_TOO_MANY_REDIRECTS. I am using the default in-memory authentication from CAS 4 (user: casuser, pass: Mellon)

I have tried:

1) Used a different prefix for the casAuthenticationFilter context path (/test/j_spring_cas_security_check) and a matching one in the serviceProperties (serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check");)

2. Redirect to my contextRoot from a custom SavedRequestAwareAuthenticationSuccessHandler and overriding

onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)

3. Going to Spring MVC 3.2.8 and Spring Security 3.2.8 (someone had a similar issue and went to older versions of Spring)

Here is the setup (no web.xml, all is done using Java Config):

SecurityConfig.java

@Configuration
@EnableWebSecurity

public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {

     @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
        casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
        return casAuthenticationProvider;
    }

    @Bean
    public AuthenticationUserDetailsService authenticationUserDetailsService() {
        return new TestCasAuthenticationUserDetailsService();
    }

    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
        casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
        return casAuthenticationFilter;
    }

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
        return new CustomRequestHandler();
    }

    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

         http
             .addFilter(casAuthenticationFilter());
         http
             .exceptionHandling()
                 .authenticationEntryPoint(casAuthenticationEntryPoint());

        http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
            //.anyRequest().permitAll()
            //.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
            //.and().csrf().disable()
        //.formLogin()
        //.loginPage("/login")
        //.permitAll();
        //Below is forcing over HTTPS
        //.and().requiresChannel().anyRequest().requiresSecure();

    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(casAuthenticationProvider());
    }

}

TestCasAuthenticationUserDetailsService.java

public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new User("casuser", "Mellon", authorities);
    }
}

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>4.2.2.RELEASE</version>
    </dependency> 
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>4.2.2.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.data</groupId>
        <artifactId>spring-data-jpa</artifactId>
        <version>1.9.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-config</artifactId>
         <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
         <version>4.0.3.RELEASE</version>
    </dependency>        
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas-client</artifactId>
        <version>3.0.8.RELEASE</version>
    </dependency>   
  </dependencies>

Initial Request to the Web App

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Once i press SUBMIT

Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN

After Ticket gets granted

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org

When I SHOULD be authenticated and home page displayed

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Answer 1

I was finally able to find out why i was getting the Redirect Loop error. The problem was that when i made my initial request Spring had an empty string for the servletPath in the SAVED_REQUEST session attribute.

The initial URL was:

https://server:8443/contextPath

My Spring controller has a class-level, root mapping to "/". My security setting for the app is:

http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");

So, with that in mind, when i made the initial request the servletPath was an empty string "" (i extended the SavedRequestAwareAuthenticationSuccessHandler to observe the redirect after a successful login) and since nothing was mapped to that the casFilter was trying to re-authenticate the request over and over.

If i use a slash at the end of my URL, everything works perfect:

https://server:8443/contextPath/      //NOTE the slash in the end

So, for those having a similar issue, where all the config and setup looks and behaves right, but still get Redirect Loops check your RequestMappings and the URL you are trying to authenticate!