I tried to get Spring Boot + Spring Security work with CAS and ran into some troubles. After some time researching I found a good example project https://github.com/jgribonvald/demo-spring-security-cas It is very good, I only had to change the CAS URLs to mine and it started to work perfectly.
It uses spring boot 1.2.1.RELEASE and I wanted to upgrade it to latest version (1.5.2.RELEASE). In order to do that I had to do some modifications (fix compile errors, because some classes were removed in newer versions).
When compile errors were fixed I tested it with older version and it still worked, but it failed with latest version. It throws error that casServerUrlPrefix is null in SingleSignOutFilter
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(env.getRequiredProperty(CAS_URL_PREFIX));
// singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
Exception
java.lang.IllegalArgumentException: casServerUrlPrefix cannot be null.
at org.jasig.cas.client.util.CommonUtils.assertNotNull(CommonUtils.java:86)
at org.jasig.cas.client.session.SingleSignOutHandler.init(SingleSignOutHandler.java:140)
at org.jasig.cas.client.session.SingleSignOutFilter.init(SingleSignOutFilter.java:55)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:279)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:109)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4572)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5215)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1409)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Even though casServerUrlPrefix is set and it works with older version. Therefore my question is, whether this is some common bug/error when upgrading spring security and how should one fix it?
EDIT:
I tried doing smaller upgrades and it works with spring boot 1.2.8.RELEASE, but fails with 1.3.0.RELEASE.
I also tried to change spring security version lower while upgrading spring boot, but that did not help.
Then I create my own SingleSignOutFilter to hard-code casServerUrlPrefix and I got rid of that error and I could see, that casServerUrlPrefix was indeed set. Unfortunately that did not fix the problem, I still can't use my web app, but now it just doesn't throw exceptions in log.
So I finally managed to solve this issue.
In SecurityConfiguration class one must remove @Bean annotations from SingleSignOutFilter and CasAuthenticationEntryPoint. This seemed to be the main issue and was pretty hard to track down.
Also, one must make changes in application.properties:
app.service.security value from ../j_spring_cas_security_check to ../login/casspring.view.prefix with spring.mvc.view.prefixsuffix as well`That is all.