Home/ Questions/Q 3680954
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T03:38:14+00:00

When working with Spring Security + CAS I keep hitting a small road block

  • 0

When working with Spring Security + CAS I keep hitting a small road block with the callback URL that is sent to CAS, ie the service property. I’ve looked at a bunch of examples such as this and this but they all use hard coded URLs (even Spring’s CAS docs). A typical snip looks something like this…

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="http://localhost:8080/click/j_spring_cas_security_check" />
  </bean>

First, I don’t want to hard code the server name or the port since I want this WAR to be deployable anywhere and I don’t want my application tied to a particular DNS entry at compile time. Second, I don’t understand why Spring can’t auto detect my application’s context and the request’s URL to automagically build the URL. The first part of that statement still stand but As Raghuram pointed out below with this link, we can’t trust the HTTP Host Header from the client for security reasons.

Ideally I would like service URL to be exactly what the user requested (as long as the request is valid such as a sub domain of mycompany.com) so it is seamless or at the very least I would like to only specify some path relative my applications context root and have Spring determine the service URL on the fly. Something like the following…

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="/my_cas_callback" />
  </bean>

OR…

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="${container.and.app.derived.value.here}" />
  </bean>

Is any of this possible or easy or have I missed the obvious?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In Spring 2.6.5 spring you could extend org.springframework.security.ui.cas.ServiceProperties

    In spring 3 the method is final you could get around this by subclassing the CasAuthenticationProvider and CasEntryPoint and then use with your own version of ServiceProperties and override the getService() method with a more dynamic implementation.

    You could use the host header to calculate the the required domain and make it more secure by validating that only domains/subdomains under your control are used. Then append to this some configurable value.

    Of course you would be at risk that your implementation was insecure though… so be careful.

    It could end up looking like:

    <bean id="serviceProperties" class="my.ServiceProperties">
    <property name="serviceRelativeUrl" value="/my_cas_callback" />
    <property name="validDomainPattern" value="*.mydomain.com" />
</bean>
    • 0