How to read CAS ticket validation XML using spring security?
I have a Spring Boot application and use the Java Apereo CAS Client (version 3.6.2) to use an CAS server for authentication. In other words, I want to turn my app into a CAS client, I didn't set up the CAS server myself.
I checked the list of calls made to CAS server:
The first call to the CAS server is made, but I don't see the second call to the server for ticket validation (i.e., a call to https://cas-server-address/cas/serviceValidate URL) that will return an XML document with user and authtype attributes that I want to extract to store in the database.
I have 2 questions:
- Why there is no second call for the CAS server for ticket validation? Is it hidden?
- How do I extract
userandauthtypeattributes from the XML document and store them in the database?
Why there is no second call for the CAS server for ticket validation?
There is. The second call is a back-channel call from your application server over to the CAS server. By definition, this is not something you would see in your browser. This call goes over to the CAS server behind the scenes to validate the service ticket received in the first leg (i.e. ST-xyz). The Java CAS client library should be automatically doing this for you, and you can verify this in the logs.
If you don't see this happening, your configuration is not set correctly or there is an error along the process.
Is it hidden?
Hidden from the browser, as it's a back-channel call. For additional details on what happens and why, please study the CAS protocol.
How do I extract user and authtype attributes from the XML document and store them in the database?
The Java CAS client library typically extracts the user id and other attributes. Then, the user-id would be available under the REMOTE-USER header that can be fetched via the http request object. If you have access to the http session, you can also fetch the final Assertion from the session which contains the CAS payload:
var assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
For a more practical example, see this.
- Spring @Sql Annotations, possible to run once before all tests?
- Springboot mySQL Failed to determine a suitable driver class
- Add JSF Message From Spring Bean
- Spring Boot - no log file written (logging.file is not respected)
- Handling Internal Server Error When OAuth Issuer Is Not Available in WebFluxSecurity
- Return file from Spring @Controller having OutputStream
- With deprecation of the `SecurityContextRepository.loadContext(HttpRequestResponseHolder)` method, how do we add `Set-Cookie` to the response?
- How to correctly read Flux<DataBuffer> and convert it to a single inputStream
- Implementing Custom Expression Handling with Spring Security 6
- Can I set a TTL for @Cacheable
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- How to fix: Error creating bean with name : Unsatisfied dependency expressed through field
- Error in Java Import statement "The import javax.validation.constraints.NotNull cannot be resolved"
- How to conditionally enable or disable scheduled jobs in Spring?
- How do I get the connection inside of a Spring transaction?
- Kafka No Acknowledgment available as an argument
- How to use fixed values in Spring CrudRepository?
- WARNING: Exception encountered during context initialization - cancelling refresh attempt
- How to increase the maximum length of SpEL expressions in spring boot 3.3.0?
- Start a spring batch job when already within a transaction
- How to persist data in H2 database
- is using DTOs in every case always a good practice?
- How to add custom ApplicationContextInitializer to a spring boot application?
- How do I make the update query executed by JdbcPollingChannelAdapter transactional?
- How to configure a TransactionInterceptor equivalent to the @Transactional annotation for use with PollerMetadata advice
- Spring Webflux - WebClient over TLSv1.2
- Spring 5 WebClient using ssl
- Application version does not show up in Spring Boot banner.txt
- package org.springframework.boot does not exist
- How to specify prefix for all controllers in Spring Boot?