Tags: session-timeout, cas, spring-security-cas

Spring Security with CAS - SessionTimeout configuration


I have implemented Spring Security with CAS and am trying to configure the session timeout. I understood that setting values in the CAS server's ticketExpirationPolicies.xml would control this, but whatever values I try, the session never expires. I have also tried setting the session timeout in web.xml. Here is my Spring application-context configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
    <context:property-placeholder />
    <!-- Security filter chain for the whole application.
         NOTE(review): auto-config='true' also registers the form-login and http-basic
         filters, which a CAS-only application does not use; spelling the settings out
         explicitly keeps those unused entry points off the chain. -->
    <http auto-config='true' entry-point-ref="casEntryPoint">
        <!-- Every URL requires ROLE_ADMIN. Authorities come from userService below, so
             any user listed there with ROLE_ADMIN has full access to the application. -->
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <!-- Consumes the service ticket CAS sends back to the callback URL configured
             in serviceProperties and hands it to authenticationManager for validation. -->
        <custom-filter position="CAS_FILTER" ref="casFilter" />
        <!-- Local logout lands on /j_spring_cas_security_logout, which is the URL
             requestSingleLogoutFilter processes; that filter then redirects to the CAS
             server so the single-sign-on session is ended as well, not just this app's. -->
        <logout logout-success-url="/j_spring_cas_security_logout" />
        <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
        <!-- Placed before CAS_FILTER so a CAS single-logout callback is handled here
             rather than reaching the CAS authentication filter. -->
        <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    </http>
    <!-- Jasig client filter that reacts to back-channel single-logout requests from the
         CAS server; it works together with SingleSignOutHttpSessionListener in web.xml. -->
    <beans:bean id="singleLogoutFilter"
        class="org.jasig.cas.client.session.SingleSignOutFilter" />
    <!-- Clears the local SecurityContext, then sends the browser to the CAS logout URL.
         Per Spring's javadoc SecurityContextLogoutHandler also invalidates the HTTP
         session by default, so the application session cannot be reused after logout.
         "myipaddress" is a placeholder for the real CAS host; keep this https. -->
    <beans:bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="https://myipaddress:8443/cas/logout" />
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout" />
    </beans:bean>
    <!-- CAS authentication filter: validates the ticket through authenticationManager and,
         on success, redirects to "/" (which is itself protected by the /** rule above). -->
    <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler">
            <beans:bean
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <beans:property name="defaultTargetUrl" value="/" />
            </beans:bean>
        </beans:property>
    </beans:bean>
    <!-- Unauthenticated requests are redirected to the CAS login page, carrying the
         service URL from serviceProperties. Both URLs are https, which they must stay:
         the service ticket travels in the redirect and must not cross the wire in clear. -->
    <beans:bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <beans:property name="loginUrl"
            value="https://myipaddress:8443/cas/login" />
        <beans:property name="serviceProperties" ref="serviceProperties" />
    </beans:bean>
    <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
        <!-- The callback URL CAS issues tickets for; it must match, character for
             character, what the CAS server has registered for this application. -->
        <beans:property name="service"
            value="https://myipaddress:8443/myApp/j_spring_cas_security_check" />
        <!-- false: an existing CAS single-sign-on session is accepted without a new login.
             Per the ServiceProperties javadoc, true sends renew=true to CAS and forces the
             user to re-enter credentials even while a CAS SSO session is alive. That is
             the switch to use if the application's own session timeout should always
             force a fresh login (at the cost of SSO across applications). -->
        <beans:property name="sendRenew" value="false" />
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="casAuthenticationProvider" />
    </authentication-manager>
    <beans:bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <!-- Authorities for the user name asserted by CAS are looked up here. -->
        <beans:property name="userDetailsService" ref="userService" />
        <beans:property name="serviceProperties" ref="serviceProperties" />
        <!-- Server-to-server validation of the service ticket against the CAS server at
             this URL prefix. It is an https call from this JVM, so the CAS server's
             certificate has to be trusted by this JVM's truststore or validation fails. -->
        <beans:property name="ticketValidator">
            <beans:bean
                class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <beans:constructor-arg index="0"
                    value="https://myipaddress:8443/cas" />
            </beans:bean>
        </beans:property>
        <!-- Identifies authentication tokens created by this provider. This value is the
             example from the Spring Security reference; use a distinct, non-guessable
             value per provider in a real deployment. -->
        <beans:property name="key"
            value="an_id_for_this_auth_provider_only" />
    </beans:bean>
    <!-- In-memory source of authorities for CAS-asserted user names. The user is
         authenticated by the CAS ticket, not by this password, so the value here is
         effectively a placeholder. NOTE(review): do not put a real credential here in
         plaintext, and remember that every listed user gets ROLE_ADMIN, i.e. full access. -->
    <user-service id="userService">
        <user name="user1" password="user1" authorities="ROLE_ADMIN" />
    </user-service>

</beans:beans>

I also have the Single Sign-Out listener configured in web.xml:

<!-- Jasig client listener: per the CAS client documentation it removes the session from
     the single-sign-out session mapping when the HttpSession is destroyed, which includes
     the container timing it out. It is the counterpart of the SingleSignOutFilter
     registered in the Spring Security filter chain. -->
<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
  </listener>
<!-- NOTE(review): the application session timeout this question is about is not
     configured by anything in this fragment. It is the per-application
     <session-config><session-timeout>N</session-timeout></session-config> element of
     web.xml (N in minutes), and it governs only this application's HttpSession, not the
     CAS single-sign-on session on the server. -->
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>
            org.springframework.web.filter.CharacterEncodingFilter
        </filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <!-- Applies UTF-8 request decoding to every URL; unrelated to session handling. -->
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
            <url-pattern>/*</url-pattern>
    </filter-mapping>

Solution

  • I have found the solution. Each web application that authenticates through CAS needs its own session-timeout setting in its web.xml. Once the application's HTTP session times out, the next request is sent back to the CAS server for authentication. The ticket that matters at that point is the CAS single-sign-on session (the ticket-granting ticket), not the one-time service ticket: if the SSO session is still valid, you are redirected to defaultTargetUrl (if specified) without being asked for credentials; if it has expired, you are prompted for your credentials again. If you want the user re-prompted whenever the application session ends, regardless of the CAS SSO session, the alternative is setting sendRenew to true on ServiceProperties, at the cost of single sign-on across applications.

    What I did was set the ticket-granting-ticket expiry on the CAS server to the same value as the session timeout in my web applications. Once the session times out in a web application, the request goes to CAS, which finds that the SSO ticket has expired as well (its lifetime equals the web application's) and prompts for login again. Note that both timeouts are typically idle timeouts, and the CAS one is refreshed whenever any CAS-enabled application obtains a ticket, so with several applications sharing the SSO session it can outlive any single application's session.