I'm trying to implement SSO across several web applications using CAS and Spring Security. Expected case:
CAS - http:// localhost:8080/cas/
App A protected content - http: //localhost:8081/cas-client1/secure/index.html
App B protected content - http: //localhost:8081/cas-client2/secure/index.html
1) When user access cas-client1, CAS login form will be prompted and trigger authentication.
2) The same user access cas-client2, previous login should be recognized and no login form will be prompted
However, I am failed to implement step 2. CAS login form still prompted to user and therefore requires double login. Is there any wrong setting in my Spring Security configuration:
<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
<security:intercept-url pattern="/secure/**" access="ROLE_USER" />
<security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
</security:http>
<bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="http://localhost:8080/cas/login" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- http://localhost:8081/cas-client2 for app 2-->
<property name="service" value="http://localhost:8081/cas-client1/j_spring_cas_security_check" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/casfailed.jsp" />
</bean>
</property>
</bean>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="userDetailsService" ref="userService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="http://localhost:8080/cas" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only" />
</bean>
<security:user-service id="userService">
<security:user name="wilson" password="wilson" authorities="ROLE_USER" />
</security:user-service>
The problem is finally solved. My CAS is using HTTP and therefore need to set secure cookies to false.
Modify ticketGrantingTicketCookieGenerator.xml
p:cookieSecure="false"
Related
I have a spring application with the config files as shown below. All configs seem correct but while debugging I found that, during the initialization spring creates two beans for FilterSecurityInterceptor one without any intercept-url rules and the other with the rules that I have specified.
When a request comes, it uses the FilterSecurityInterceptor bean with no intercept-url rules. So I see the following log:
DEBUG FilterSecurityInterceptor:183 - Public object - authentication not attempted
But the request URL falls under the intercept URL rule. I debugged and found that this is because the bean used didn't have any intercept rules in httpMethodMap of DefaultFilterInvocationSecurityMetadataSource.
I am not sure what is wrong here.
Below is the applicationContext-security.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"
default-init-method="init">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
user-service-ref="userDetailService">
</security:authentication-provider>
</security:authentication-manager>
<alias name="filterChainProxy" alias="springSecurityFilterChain" />
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</property>
</bean>
<bean id="consoleAuthenticationSuccessHandler"
class="custom_class">
<property name="defaultTargetUrl" value="/loginSuccess.htm" />
<property name="targetUrlParameter" value="targetURL" />
</bean>
<bean id="consoleAuthenticationFailureHandler"
class="custom_class">
<property name="loginFailureUrl" value="/loginFailure.htm" />
</bean>
<bean id="consoleLogoutSuccessHandler"
class="custom_class">
<property name="logoutUrl" value="/loggedout.htm" />
</bean>
<bean id="userDetailService"
class="custom_class">
</bean>
<security:http auto-config="true"
security-context-repository-ref="securityContextRepository">
<security:form-login authentication-failure-url="/loginFailure.htm"
default-target-url="/loginSuccess.htm"
authentication-success-handler-ref="consoleAuthenticationSuccessHandler" />
<security:logout success-handler-ref="consoleLogoutSuccessHandler" />
<security:anonymous enabled="false" />
<security:session-management
session-fixation-protection="none" />
</security:http>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/login.htm*"
filters="none" />
<security:filter-chain pattern="/**"
filters="securityContextFilter, logoutFilter, formLoginFilter, servletApiFilter, exceptionTranslator, filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
<bean id="securityContextRepository"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<bean id="securityContextFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository" ref="securityContextRepository" />
</bean>
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg ref="consoleLogoutSuccessHandler"
index="0"
type="org.springframework.security.web.authentication.logout.LogoutSuccessHandler" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>
<bean id="servletApiFilter"
class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
<bean id="exceptionTranslator"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<bean
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.jsp" />
</bean>
</property>
</bean>
<bean id="formLoginFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationSuccessHandler" ref="consoleAuthenticationSuccessHandler" />
<property name="authenticationFailureHandler" ref="consoleAuthenticationFailureHandler" />
</bean>
<bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="securityMetadataSource">
<security:filter-security-metadata-source>
<security:intercept-url pattern="/login.htm*"
access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:filter-security-metadata-source>
</property>
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
</beans>
Appreciate any help here.
You have <security:http> element in the config. From the documentation:
38.1.2 <http>
Each <http> namespace block always creates an SecurityContextPersistenceFilter, an ExceptionTranslationFilter and a FilterSecurityInterceptor. These are fixed and cannot be replaced with alternatives.
So your <bean id="filterSecurityInterceptor"> is ignored. Instead of
<bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="securityMetadataSource">
<security:filter-security-metadata-source>
<security:intercept-url pattern="/login.htm*"
access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:filter-security-metadata-source>
</property>
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
you should change <security:http> to include something like
<security:http ...
authentication-manager-ref="authenticationManager">
...
<security:intercept-url pattern="/login.htm*"
access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</security:http>
You don't need <bean id="accessDecisionManager">, because (quote from the docs) "by default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter", which is exactly what you define.
Also your <bean id="securityContextFilter"> is ignored, instead you should add security-context-repository-ref="securityContextRepository" attribute to http element.
And your <bean id="exceptionTranslator"> is ignored, I'm not sure how to replace it properly.
And you manually define a lot of org.springframework.security beans. I suspect that most of them are either unnecessary (defined by default), or should be defined using specialized elements of security: namespace, instead of raw spring beans.
We've recently ugpraded Spring Security from 3.1.3 to 4.01, and we've had to make some changes to our OAuth configs that left some requests breaking with a class cast when they try to cast the principal to a user -- specifically, it's the string form of the client id.
Here are the relevant sections of our configs.
For context, our standard auth management (which returns a user for the principal):
<!-- define an authentication-manager who uses a custom userDetailService -->
<sec:authentication-manager alias="authenticationManager">
<!-- Utility username / password form based authentication-provider -->
<sec:authentication-provider user-service-ref="adminUserDetailsService">
<!-- etc. -->
</sec:authentication-provider>
</sec:authentication-manager>
Secondly, our filter that looks stuff up in a oauth client details table and adds auth:
<bean id="oauth2ProviderFilter" class="blah.blah.blah.BlahOAuth2AuthenticationProcessingFilter">
<property name="authenticationManager">
<bean class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
<property name="tokenServices" ref="oauth2TokenServices" />
</bean>
</property>
</bean>
<bean id="oauth2TokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
</bean>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="dataSource" />
</bean>
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
<!-- etc... -->
</bean>
Checking the token in the headers:
<bean id="oauth2ClientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<constructor-arg index="0" value="/oauth/authorize" />
<property name="authenticationManager" ref="oauthAuthenticationManager" />
</bean>
<bean id="oauthAuthenticationManager" class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<list>
<ref bean="oauthDaoAuthenticationProvider"/>
</list>
</constructor-arg>
</bean>
<bean id="oauthDaoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="oauthUserDetailService" />
<property name="passwordEncoder" ref="oauthPasswordEncoder" />
</bean>
Our best theory at the moment is that something within the endpoint filter has stopped doing a look up of the user object and instead just returns the user id -- is this known to be the case? Where have we gone wrong in our set up?
I'm trying to cofigure "remember-me" in my web app. I use Spring security 3.1, LDAP and ActiveDirectory. This is applicationcontext-security.xml:
<!-- LDAP server details -->
<authentication-manager>
<authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>
<!-- enable security tag libraries on jsp pages -->
<beans:bean id="grantedAuthoritiesMapper" class="xxcutxx.spring.security.ActiveDirectoryGrantedAuthoritiesMapper"/>
<beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="xxcutxx" />
<beans:constructor-arg value="xxcutxx" />
<beans:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
<beans:property name="useAuthenticationRequestCredentials" value="true" />
<beans:property name="convertSubErrorCodesToExceptions" value="true" />
</beans:bean>
<http pattern="/index.jsp*" security="none"/>
<http pattern="/img/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>
<beans:bean id="successHandler" class="xxcutxx.spring.security.CustomAuthenticationSuccessHandler"/>
<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
<http access-decision-manager-ref="accessDecisionManager" auto-config="true" pattern="/**"> <!--"-->
<!-- Login pages -->
<form-login login-page="/index.jsp" default-target-url="xxcutxx" authentication-success-handler-ref="successHandler"
login-processing-url="/j_spring_security_check" authentication-failure-url="/index.jsp?loginerr=1" />
<logout logout-success-url="/index.jsp"/>
<access-denied-handler error-page="/index.jsp?loginerr=3"/>
<intercept-url pattern="/*.do" access="READER" />
<remember-me key="MY_REMEMBER_ME_KEY" services-ref="rememberMeServices"/>
</http>
And this is applicationcontext.xml:
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="key" value="MY_REMEMBER_ME_KEY" />
<property name="cookieName" value="MY_REMEMBER_ME_COOKIE" />
<property name="parameter" value="remember" />
<property name="tokenValiditySeconds" value="1209600" />
<property name="userDetailsService" ref="MyUserDetailsService" />
<property name="alwaysRemember" value="false" />
</bean>
<bean id="MyUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg index="0" ref="ldapUserSearch"/>
</bean>
<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" type="String">
<value>
xxcutxx
</value>
</constructor-arg>
<constructor-arg index="1" type="String" value="(objectCategory=Person)">
</constructor-arg>
<constructor-arg index="2" ref="ldapPoolContext"/>
</bean>
<bean id="ldapPoolContext" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="xxcutxx"/>
<property name="pooled" value="false"/>
</bean>
The web app starts but don't create the cookie and seems remember me does not work.
Where is the error and/or something is missing? i don't understand what i must to do
THX for HELP!!
I have a security app context which works fine with Pre-authentication.
I would want to know if it is possible to have both Basic Authentication (With LDAP Bind as authentication manager) and Pre-authentication effective at the same time:
If container provides principal name, we will rely on it (and go to LDAP to get user details), and if pre-authentication of container does not happen (e.g. we have deployed in Jetty for testing without pre-authetication), we would want Basic Authentication to be used which in turns authenticated by LDAP Bind.
Is it something possible? How can I do it?
Here is my existing (simplified) app context:
<s:global-method-security
secured-annotations="enabled"
pre-post-annotations="enabled"
proxy-target-class="true" />
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<s:filter-chain-map path-type="ant">
<s:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,preAuthenticatedFilter" />
</s:filter-chain-map>
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name='securityContextRepository'>
<bean
class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='true' />
</bean>
</property>
</bean>
<bean id="preAuthenticatedFilter"
class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<s:authentication-manager alias="authenticationManager">
<s:authentication-provider ref="preAuthenticatedAuthProvider" />
</s:authentication-manager>
<bean id="preAuthenticatedAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" >
<bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper" >
<property name="userDetailsService" ref="userDetailsService" />
</bean>
</property>
</bean>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<!-- some config skipped -->
</bean>
<bean id="userDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService" >
<constructor-arg index="0" ref="ldapUserSearch"/>
<constructor-arg index="1" ref="ldapAuthoritiesPopulator"/>
<property name="userDetailsMapper" ref="fooUserDetailsMapper" />
</bean>
<bean id="fooUserDetailsMapper" class="com.foo.FooUserDetailsMapper" />
<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<!-- some config skipped -->
</bean>
<bean id="ldapAuthoritiesPopulator"
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<!-- some config skipped -->
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.simple.SimpleLdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<bean id="ldapAuthorities" class="com.fil.ims.LdapAuthoritiesServices" />
I have tried the followings but none of them works
add a new ldap authentication provider (org.springframework.security.ldap.authentication.LdapAuthenticationProvider), and add one more <s:authentication-provider> entry under <s:authentication-manager>, or
add a separate org.springframework.security.web.authentication.www.BasicAuthenticationFilter, which points to a new <s:authentication-provider> which points to the new ldap authentication provider (It is complaining for "An AuthenticationEntryPoint is required".)
What should be the right way to do so?
From my bare understanding, seems 2 should be the right way, if someone can give me some direction, it will be good enough.
Thanks
I am using latest version of spring 3.2.5 and spring security 3.1.4 with java 6. I have setup CAS server using the instructions from this page
https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method
The CAS server part is working fine and authenticating.
I have setup client side using the instructions from this page and various other pages
https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring
When tried to enter secure page in the application, CAS is redirecting to the correct login page and then correctly authenticating and then correctly redirecting to the calling application page, but not invoking the user details service supplied and not authorizing the user and not loading roles using the user details service.
After authentication user lands on this page. The page was correct but I don't want to see the ticket parameter in the URL and also load the user and roles using user details service bean supplied.
http://localhost:8080/my/sports-life/schedule?ticket=ST-3-xklhdGJW6gZxieELGxo5-cas01.example.org
Any pointers to get my authorization going is highly appreciated. Thanks in advance.
Here are the relevant beans from application context
<!-- Single sign on with CAS -->
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="http://localhost:8080/my/sports-life/schedule/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="preAuthenticationManager"/>
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/my"/>
<property name="targetUrlParameter" value="spring-security-redirect" />
</bean>
</property>
</bean>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="userDetailsService" ref="myAccountDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:8443/cas" />
</bean>
</property>
<property name="key" value="Vi9Pra88Si777"/>
<property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
</bean>
<bean id="authenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="myAccountDetailsService"/>
</bean>
<bean name="authenticationFilter" class="org.jasig.cas.client.authentication.AuthenticationFilter">
<property name="casServerLoginUrl" value="https://localhost:8443/cas/login" />
<property name="renew" value="false" />
<property name="gateway" value="false" />
<property name="service" value="http://localhost:8080/my/sports-life/schedule" />
</bean>
<!--
<bean
name="ticketValidationFilter"
class="org.jasig.cas.client.validation.Cas10TicketValidationFilter">
<property name="service" value="http://localhost:8080/my/sports-life/schedule" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:8443/cas" />
</bean>
</property>
</bean>
-->
<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="myAccountDetailsService"/>
</bean>
</property>
</bean>
<!--
<bean id="preAuthEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="preAuthenticationManager"/>
<property name="authenticationDetailsSource">
<bean class="org.springframework.security.web.authentication.WebAuthenticationDetailsSource" />
</property>
</bean>
-->
<bean id="myAccountDetailsService" class="com.viprasi.security.AccountDetailsServiceImpl">
</bean>
Then here are relevant config from my spring security configuration file.
<http use-expressions="true" entry-point-ref="casEntryPoint">
<intercept-url pattern="/app/j_spring_cas*" access="permitAll"
requires-channel="https" />
<!-- Member -->
<intercept-url pattern="/app/**" access="isAuthenticated()" />
<access-denied-handler error-page="/app/login/accessdenied" />
<anonymous />
<http-basic />
<custom-filter position="CAS_FILTER" ref="casFilter" />
</http>
<authentication-manager alias="preAuthenticationManager">
<authentication-provider ref="casAuthenticationProvider" />
<!--
<authentication-provider user-service-ref='accountDetailsService' />
-->
</authentication-manager>
i think the anonymous tag applies the role *IS_AUTHENTICATED_ANONYMOUSLY* to a user.
the result of this is that the user isAuthenticated() and no further filter is invoked (e.g. the one who calls the UserDetailsServive)
change isAuthenticated() to hasRole('ROLE')
I have an example cas client You can check in cas-web-client how provide your own authorization
We ran into lot of issues and at the end the main culprit was url rewriting filter. This filter was changing url and then spring security and cas failed to handled the changed URL. After moving the url rewrite filter below the security filters, it's all started working.