{"id":15024545,"url":"https://github.com/kakawait/cas-security-spring-boot-starter","last_synced_at":"2026-03-03T09:33:13.883Z","repository":{"id":44965923,"uuid":"92945138","full_name":"kakawait/cas-security-spring-boot-starter","owner":"kakawait","description":"Spring boot starter for Apereo CAS client fully integrated with Spring security","archived":false,"fork":false,"pushed_at":"2022-10-17T07:14:02.000Z","size":494,"stargazers_count":151,"open_issues_count":21,"forks_count":45,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-10-19T02:26:35.704Z","etag":null,"topics":["apereo","cas","spring","spring-boot","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kakawait.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-05-31T12:55:26.000Z","updated_at":"2025-03-17T02:19:46.000Z","dependencies_parsed_at":"2022-09-11T03:10:43.475Z","dependency_job_id":null,"html_url":"https://github.com/kakawait/cas-security-spring-boot-starter","commit_stats":null,"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"purl":"pkg:github/kakawait/cas-security-spring-boot-starter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kakawait%2Fcas-security-spring-boot-starter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kakawait%2Fcas-security-spring-boot-starter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kakawait%2Fcas-security-spring-boot-starter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kakawait%2Fcas-security-spring-boot-starter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kakawait","download_url":"https://codeload.github.com/kakawait/cas-security-spring-boot-starter/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kakawait%2Fcas-security-spring-boot-starter/sbom","scorecard":{"id":548032,"data":{"date":"2025-08-11","repo":{"name":"github.com/kakawait/cas-security-spring-boot-starter","commit":"fb48505a4efc5f33a3e4ba72bd90231d944ebbcf"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.8,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":1,"reason":"Found 2/20 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: .mvn/wrapper/maven-wrapper.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: cas-security-spring-boot-sample/Dockerfile:1","Warn: containerImage not pinned by hash: cas-security-spring-boot-sample/Dockerfile:6: pin your Docker image by updating eclipse-temurin:11-jre to eclipse-temurin:11-jre@sha256:0b8a158ee1c8625bd142e594103edd9feef85f2ecb7ee157e2e635e1fd00c610","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 17 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"58 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-rc42-6c7j-7h5r","Warn: Project is vulnerable to: GHSA-xf96-w227-r7c4","Warn: Project is vulnerable to: GHSA-4gc7-5j7h-4qph","Warn: Project is vulnerable to: GHSA-4wp7-92pw-q264","Warn: Project is vulnerable to: GHSA-564r-hj7v-mcr5","Warn: Project is vulnerable to: GHSA-9cmq-m9j5-mvww","Warn: Project is vulnerable to: GHSA-wxqc-pxw9-g2p8","Warn: Project is vulnerable to: GHSA-vmq6-5m68-f53m","Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv","Warn: Project is vulnerable to: GHSA-h46c-h94j-95f3","Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff","Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4","Warn: Project is vulnerable to: GHSA-27hp-xhwr-wr2m","Warn: Project is vulnerable to: GHSA-5j33-cvvr-w245","Warn: Project is vulnerable to: GHSA-7w75-32cg-r6g2","Warn: Project is vulnerable to: GHSA-83qj-6fr2-vhqg","Warn: Project is vulnerable to: GHSA-fccv-jmmp-qg76","Warn: Project is vulnerable to: GHSA-g8pj-r55q-5c2v","Warn: Project is vulnerable to: GHSA-h2fw-rfh5-95r3","Warn: Project is vulnerable to: GHSA-h3gc-qfqq-6h8f","Warn: Project is vulnerable to: GHSA-hfrx-6qgj-fp6c","Warn: Project is vulnerable to: GHSA-p22x-g9px-3945","Warn: Project is vulnerable to: GHSA-q3mw-pvr8-9ggc","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GHSA-r6j3-px5g-cq3x","Warn: Project is vulnerable to: GHSA-rq2w-37h9-vg94","Warn: Project is vulnerable to: GHSA-wc4r-xq3c-5cf3","Warn: Project is vulnerable to: GHSA-wm9w-rjj3-j356","Warn: Project is vulnerable to: GHSA-v682-8vv8-vpwr","Warn: Project is vulnerable to: GHSA-4cx2-fc23-5wg6","Warn: Project is vulnerable to: GHSA-8xfc-gm6g-vgpv","Warn: Project is vulnerable to: GHSA-hr8g-6v94-x4m9","Warn: Project is vulnerable to: GHSA-v435-xc8x-wvr9","Warn: Project is vulnerable to: GHSA-wjxj-5m7g-mg7q","Warn: Project is vulnerable to: GHSA-jjfh-589g-3hjx","Warn: Project is vulnerable to: GHSA-g5h3-w546-pj7f","Warn: Project is vulnerable to: GHSA-3h6f-g5f3-gc4w","Warn: Project is vulnerable to: GHSA-f3jh-qvm4-mg39","Warn: Project is vulnerable to: GHSA-mmmh-wcxm-2wr4","Warn: Project is vulnerable to: GHSA-q3v6-hm2v-pw99","Warn: Project is vulnerable to: GHSA-mg83-c7gq-rv5c","Warn: Project is vulnerable to: GHSA-c4q5-6c82-3qpw","Warn: Project is vulnerable to: GHSA-2rmj-mq67-h97g","Warn: Project is vulnerable to: GHSA-2wrp-6fg6-hmc5","Warn: Project is vulnerable to: GHSA-4wrc-f8pq-fpqp","Warn: Project is vulnerable to: GHSA-ccgv-vj62-xf9h","Warn: Project is vulnerable to: GHSA-hgjh-9rj2-g67j","Warn: Project is vulnerable to: GHSA-cx7f-g6mp-7hqm","Warn: Project is vulnerable to: GHSA-g5vr-rgqm-vf78","Warn: Project is vulnerable to: GHSA-w3c8-7r8f-9jp8","Warn: Project is vulnerable to: GHSA-3mc7-4q67-w48m","Warn: Project is vulnerable to: GHSA-98wm-3w3q-mw94","Warn: Project is vulnerable to: GHSA-9w3m-gqgf-c4p9","Warn: Project is vulnerable to: GHSA-c4r9-r8fh-9vj2","Warn: Project is vulnerable to: GHSA-hhhw-99gj-p3c3","Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2","Warn: Project is vulnerable to: GHSA-w37g-rhq8-7m4j"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T10:02:34.972Z","repository_id":44965923,"created_at":"2025-08-20T10:02:34.972Z","updated_at":"2025-08-20T10:02:34.972Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30039888,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-03T06:58:30.252Z","status":"ssl_error","status_checked_at":"2026-03-03T06:58:15.329Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apereo","cas","spring","spring-boot","spring-security"],"created_at":"2024-09-24T20:00:31.575Z","updated_at":"2026-03-03T09:33:13.843Z","avatar_url":"https://github.com/kakawait.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Spring Security CAS starter\n\n[![Travis](https://img.shields.io/travis/kakawait/cas-security-spring-boot-starter.svg)](https://travis-ci.org/kakawait/cas-security-spring-boot-starter)\n[![Maven Central](https://img.shields.io/maven-central/v/com.kakawait/cas-security-spring-boot-starter.svg)](https://search.maven.org/#artifactdetails%7Ccom.kakawait%7Ccas-security-spring-boot-starter%7C1.1.0%7Cjar)\n[![License](https://img.shields.io/github/license/kakawait/cas-security-spring-boot-starter.svg)](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/LICENSE.md)\n[![Codecov](https://img.shields.io/codecov/c/github/kakawait/cas-security-spring-boot-starter.svg)](https://codecov.io/gh/kakawait/cas-security-spring-boot-starter)\n[![SonarQube Tech Debt](https://img.shields.io/sonar/https/sonarcloud.io/com.kakawait%3Acas-security-spring-boot-parent/tech_debt.svg)](https://sonarcloud.io/dashboard?id=com.kakawait%3Acas-security-spring-boot-parent)\n[![Twitter Follow](https://img.shields.io/twitter/follow/thibaudlepretre.svg?style=social\u0026label=%40thibaudlepretre)](https://twitter.com/intent/follow?screen_name=thibaudlepretre)\n\n\u003e A Spring boot starter that will help you configure [Spring Security Cas](http://docs.spring.io/spring-security/site/docs/current/reference/html/cas.html) within the application security context.\n\n## Features\n\n- Spring boot 1 and 2 support.\n- Configures CAS authentication and authorization\n- Support dynamic service resolution based on current `HttpServletRequest`\n- Advance configuration through [CasSecurityConfigurerAdapter](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-autoconfigure/src/main/java/com/kakawait/spring/boot/security/cas/CasSecurityConfigurerAdapter.java)\n- Integration with _Basic authentication_ if `security.basic.enabled=true` will allow you to authenticate using header `Authorization: Basic ...` in addition to _CAS_\n- `RestTemplate` integration\n\n## Setup\n\nAdd the Spring boot starter to your project\n\n```xml\n\u003cdependency\u003e\n  \u003cgroupId\u003ecom.kakawait\u003c/groupId\u003e\n  \u003cartifactId\u003ecas-security-spring-boot-starter\u003c/artifactId\u003e\n  \u003cversion\u003e1.1.0\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\nBut be careful `1.x.x` version has some **breaking changes** if you comes from `0.x.x` version.\nBut be careful `2.x.x` version will have some **breaking changes** if you comes from `1.x.x` version.\n\nPlease checkout [CHANGELOG.md](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/CHANGELOG.md), in particular `breaking changes` sections.\n\n\\* breaking changes should be only possible between two major version, example:\n\n- from `0.x.x` to `1.x.x`\n- from `1.x.x` to `2.x.x`\n- ...\n\n## Usage\n\nIn order to trigger auto-configuration you must fill, at least, the following properties regarding the resolution mode you want to use\n\n### _static_ (_classic_) resolution mode\n\n_static_ resolution mode is _classic_ and default mode that you could find if you're using plain old [Apereo Java client](https://github.com/apereo/java-cas-client) or [Spring Security CAS](http://docs.spring.io/spring-security/site/docs/current/reference/html/cas.html).\n\nThus you have to fill at least the following mandatory properties:\n\n```yml\nsecurity:\n  cas:\n    server:\n      base-url: http://your.cas.server/cas\n    service:\n      base-url: http://localhost:8080\n```\n\n| Property                        | [Apereo Java client](https://github.com/apereo/java-cas-client) equivalent | Description                                                                                                                                                                                                              |\n|---------------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `security.cas.server.base-url`  | `casServerUrlPrefix`                                                       | The start of the CAS server url, i.e. https://localhost:8443/cas                                                                                                                                                         |\n| `security.cas.service.base-url` | `serviceName`                                                              | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). |\n\n### _dynamic_ resolution mode:\n\n_dynamic_ resolution mode is a novel mode from that starter that will allow you to do not hard-code service url in your configuration. Thereby your configuration will be more portable and easy to use.\n\n**ATTENTION** _dynamic_ resolution mode use information from `HttpServletRequest` to build service url, that can be a security breach if you do not control headers like `Host` or `X-Forwarded-*` that why _dynamic_ resolution mode **is not the default mode** and you must activate it as described in below properties.\n\n```yml\nsecurity:\n  cas:\n    server:\n      base-url: http://your.cas.server/cas\n    service:\n      resolution-mode: dynamic\n```\n\n| Property                               | [Apereo Java client](https://github.com/apereo/java-cas-client) equivalent | Description                                                                                                                                                                                                         |\n|----------------------------------------|----------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `security.cas.server.base-url`         | `casServerUrlPrefix`                                                       | the start of the CAS server url, i.e. https://localhost:8443/cas                                                                                                                                                    |\n| `security.cas.service.resolution-mode` | **Not implemented**                                                        | Resolution modes can be `static` or `dynamic`, by default is `static` and you must fill `security.cas.service.base-url` whereas in `dynamic` mode service url will be generated from receiving `HttpServletRequest` |\n\nif you're using `X-Forwarding-Prefix` header I will strongly recommend you to use [ForwardedHeaderFilter](http://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/ForwardedHeaderFilter.html) since _Tomcat_ [`RemoteIpValve`](https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html) used when setting up `server.use-forward-headers=true` does not support _prefix_/_context-path_.\n\n```java\n@Bean\nFilterRegistrationBean forwardedHeaderFilter() {\n    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();\n    filterRegistrationBean.setFilter(new ForwardedHeaderFilter());\n    filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);\n    return filterRegistrationBean;\n}\n```\n\n## Properties\n\nThe supported properties are:\n\n| Property                                    | Default value                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |\n|---------------------------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `security.cas.enabled`                      | `true`                         | Enable CAS security                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |\n| `security.cas.key`                          | `UUID.randomUUID().toString()` | An id used by the [`CasAuthenticationProvider`](https://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/cas/authentication/CasAuthenticationProvider.html#setKey-java.lang.String-)                                                                                                                                                                                                                                                                                                                                                                             |\n| `security.cas.paths`                        | `/**`                          | Comma-separated list of paths to secure (works the same way as `security.basic.path`)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |\n| `security.cas.user.default-roles`           | `USER`                         | Comma-separated list of default user roles. If roles have been found from `security.cas.user.roles-attributes` default roles will be append to the list of users roles                                                                                                                                                                                                                                                                                                                                                                                                                                |\n| `security.cas.user.roles-attributes`        |                                | Comma-separated list of CAS attributes to be used to determine user roles                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |\n| `security.cas.proxy-validation.enabled`     | `true`                         | Defines if proxy should be checked again chains `security.cas.proxy-validation.chains`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |\n| `security.cas.proxy-validation.chains`      |                                | Defines proxy chains. Each acceptable proxy chain should include a comma-separated list of URLs (for exact match) or regular expressions of URLs (starting by the ^ character)                                                                                                                                                                                                                                                                                                                                                                                                                        |\n| `security.cas.server.protocol-version`      | `3`                            | Determine which CAS protocol version to be used, only protocol version 1, 2 or 3 is supported.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |\n| `security.cas.server.base-url`              |                                | The start of the CAS server url, i.e. https://localhost:8443/cas                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |\n| `security.cas.server.validation-base-url`   |                                | Optional, `security.cas.server.base-url` is used if missing. The start of the CAS server url (similar to `security.cas.server.base-url`) used during ticket validation flow. Could be useful when server (your service) to server (CAS server) network is different from your external/browser network (i.e. docker environment, see [docker profile properties](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-sample/src/main/resources/application.yml)).                                                                                       |\n| `security.cas.server.paths.login`           | `/login`                       | Defines the location of the CAS server login path that will be append to the existing `security.cas.server.base-url` url                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |\n| `security.cas.server.paths.logout`          | `/logout`                      | Defines the location of the CAS server logout path that will be appended to the existing `security.cas.server.base-url` url                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |\n| `security.cas.service.resolution-mode`      | `static`                       | Resolution modes can be `static` or `dynamic`, the default is `static` and you must fill `security.cas.service.base-url` whereas in `dynamic` mode service url will be generated from receiving `HttpServletRequest`. **Attention** will not override `security.cas.server.validation-base-url` and `security.cas.service.callback-base-url` if defined, see [docker profile properties](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-sample/src/main/resources/application.yml) to get an example.                                               |\n| `security.cas.service.base-url`             |                                | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). Skipped if resolution mode is `dynamic`.                                                                                                                                                                                                                                                                                                                                     |\n| `security.cas.service.callback-base-url`    |                                | Optional, `security.cas.service.base-url` is used if missing. Represents the base url that will be used to compute _Proxy granting ticket callback_ (see `security.cas.service.paths.proxy-callback`). It could be useful to be different from `security.cas.service.base-url` when server (CAS server) to server (your service) network is different from your external/browser network (i.e. docker environment, see see [docker profile properties](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-sample/src/main/resources/application.yml)). |\n| `security.cas.service.paths.login`          | `/login`                       | Defines the application login path that will be appended to the existing `security.cas.service.base-url` url                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |\n| `security.cas.service.paths.logout`         | `/logout`                      | Defines the application logout path that will be appended to the existing `security.cas.service.base-url` url                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |\n| `security.cas.service.paths.proxy-callback` |                                | The callback path that will be, if present, appended to the `security.cas.service.callback-base-url` or `security.cas.service.base-url` and added to as parameter inside request validation. **It must be set if you want to receive _Proxy Granting Ticket_ `PGT`**.                                                                                                                                                                                                                                                                                                                                     |\n\nOtherwise you can checkout [CasSecurityProperties](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-autoconfigure/src/main/java/com/kakawait/spring/boot/security/cas/CasSecurityProperties.java) class.\n\n## Additional configuration\n\nIf you need to set additional configuration options simply register within Spring application context instance of [`CasSecurityConfigurerAdapter`](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-autoconfigure/src/main/java/com/kakawait/spring/boot/security/cas/CasSecurityConfigurerAdapter.java)\n\n```java\n@Configuration\nclass CustomCasSecurityConfiguration extends CasSecurityConfigurerAdapter {\n    @Override\n    public void configure(CasAuthenticationFilterConfigurer filter) {\n        // Here you can configure CasAuthenticationFilter\n    }\n\n    @Override\n    public void configure(CasSingleSignOutFilterConfigurer filter) {\n        // Here you can configure SingleSignOutFilter\n    }\n\n    @Override\n    public void configure(CasAuthenticationProviderSecurityBuilder provider) {\n        // Here  you can configure CasAuthenticationProvider\n    }\n\n    @Override\n    public void configure(HttpSecurity http) throws Exception {\n        // Here you can configure Spring Security HttpSecurity object during init configure\n    }\n\n    @Override\n    public void configure(CasTicketValidatorBuilder ticketValidator) {\n        // Here you can configure CasTicketValidator\n    }\n}\n```\n\nOtherwise many beans defined in that starter are annotated with `@ConditionOnMissingBean` thus you can override default bean definitions.\n\n## Proxy granting storage\n\nStarter does not provide any additional _proxy granting storage_ (yet), by default an _in memory_ storage is used [`ProxyGrantingTicketStorageImpl`](https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyGrantingTicketStorageImpl.java).\n\nTo override it you can expose a `ProxyGrantingTicketStorage` bean like following:\n\n```java\n@Bean\nProxyGrantingTicketStorage proxyGrantingTicketStorage() {\n    return new MyCustomProxyGrantingTicketStorage();\n}\n```\n\n**Or** use `configurer` but a bit longer since you must report `ProxyGrantingTicketStorage` in both `CasAuthenticationFilter` and `TicketValidator`\n\n```java\n@Configuration\nclass CustomCasSecurityConfiguration extends CasSecurityConfigurerAdapter {\n    @Override\n    public void configure(CasAuthenticationFilterConfigurer filter) {\n        filter.proxyGrantingTicketStorage(new MyCustomProxyGrantingStorage());\n    }\n\n    @Override\n    public void configure(CasTicketValidatorBuilder ticketValidator) {\n        ticketValidator.proxyGrantingTicketStorage(new MyCustomProxyGrantingStorage());\n    }\n}\n```\n\n## Logout \u0026 SLO\n\nBy default starter will configure both _logout_ and _single logout (SLO)_.\n\n**ATTENTION** default _logout_ (on `/logout`) behavior will:\n\n1. Logout from application and also logout from CAS server that will logout any other applications.\n2. Keep default Spring security behavior concerning _CSRF_ and _logging out_ to summarize if _CSRF_ is enabled logout will only mapped on `POST`, see https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout for more details\n\nIf you want to change those behaviors, for example by adding a logout page that will propose user to logout from other application, you may configure like following:\n\n```java\n@Configuration\nclass CasCustomLogoutConfiguration extends CasSecurityConfigurerAdapter {\n    private final CasSecurityProperties casSecurityProperties;\n\n    private final LogoutSuccessHandler casLogoutSuccessHandler;\n\n    public CustomLogoutConfiguration(LogoutSuccessHandler casLogoutSuccessHandler) {\n        this.casLogoutSuccessHandler = casLogoutSuccessHandler;\n    }\n\n    @Override\n    public void configure(HttpSecurity http) throws Exception {\n        http.logout()\n            .permitAll()\n            // Add null logoutSuccessHandler to disable CasLogoutSuccessHandler\n            .logoutSuccessHandler(null)\n            .logoutSuccessUrl(\"/logout.html\")\n            .logoutRequestMatcher(new AntPathRequestMatcher(\"/logout\"));\n        LogoutFilter filter = new LogoutFilter(casLogoutSuccessHandler, new SecurityContextLogoutHandler());\n        filter.setFilterProcessesUrl(\"/cas/logout\");\n        http.addFilterBefore(filter, LogoutFilter.class);\n    }\n}\n\n@Configuration\nclass WebMvcConfiguration extends WebMvcConfigurerAdapter {\n    @Override\n    public void addViewControllers(ViewControllerRegistry registry) {\n        registry.addViewController(\"/logout.html\").setViewName(\"logout\");\n        registry.setOrder(Ordered.HIGHEST_PRECEDENCE);\n    }\n}\n```\n\nWith possible `logout.html` like following\n\n ```html\n\u003c!DOCTYPE html\u003e\n\u003chtml xmlns:th=\"http://www.thymeleaf.org\"\u003e\n\u003chead\u003e\n    \u003cmeta charset=\"UTF-8\" /\u003e\n    \u003ctitle\u003eLogout page\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n    \u003ch2\u003eDo you want to log out of CAS?\u003c/h2\u003e\n    \u003cp\u003eYou have logged out of this application, but may still have an active single-sign on session with CAS.\u003c/p\u003e\n    \u003cp\u003e\u003ca href=\"/cas/logout\" th:href=\"@{/cas/logout}\"\u003eLogout of CAS\u003c/a\u003e\u003c/p\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nYou can checkout \u0026 run sample module [`cas-security-spring-boot-sample`](https://github.com/kakawait/cas-security-spring-boot-starter/tree/master/cas-security-spring-boot-sample) with _profile_ `custom-logout`.\n\n## Proxy chains validation\n\nBy default client configuration is `security.cas.proxy-validation.enabled = true` with empty proxy chains (`security.cas.proxy-validation.chains`). That means you will not be able to validate proxy ticket since proxy chains is empty.\n\nYou should disable proxy validation using:\n\n```yml\nsecurity:\n  cas:\n    proxy-validation:\n      enabled: false\n```\n\n**But is not recommended for production environment**, or define your own proxy chains:\n\n```yml\nsecurity\n  cas:\n    proxy-validation:\n      chains:\n        - http://localhost:8180, http://localhost:8181\n        - - http://localhost:8280\n          - http://localhost:8281\n        - ^http://my\\\\.domain\\\\..*\n```\n\nAs you can see there is multiple syntaxes for `yml` format to define _collection of collection_:\n\n1. Using _comma-separated_ list\n2. Using double `- -` syntax\n\nIf you are using `properties` format you could translate like following:\n\n```properties\nsecurity.cas.proxy-validation.chains[0] = http://localhost:8180, http://localhost:8181\nsecurity.cas.proxy-validation.chains[1] = http://localhost:8280, http://localhost:8281\nsecurity.cas.proxy-validation.chains[2] = ^http://my\\\\.domain\\\\..*\n```\n\n## RestTemplate integration with Proxy ticket\n\nSince `0.7.0` version, there is a simple integration with `RestTemplate` but not enabled by default.\n\nIn order to enable it you must create your own `RestTemplate` bean and add an _interceptor_\n\n```java\n@Bean\nRestTemplate casRestTemplate(ServiceProperties serviceProperties, ProxyTicketProvider proxyTicketProvider) {\n    RestTemplate restTemplate = new RestTemplate();\n    restTemplate.getInterceptors().add(new CasAuthorizationInterceptor(serviceProperties, proxyTicketProvider));\n    return restTemplate;\n}\n```\n\nThis _interceptor_ is pretty simple, it will simply ask a new _proxy ticket_ for each request and append it to request query parameter.\nFor example with: `http://httpbin.org/get` interceptor will modify request uri to become `http://httpbin.org/get?ticket=PT-XX-YYYYYYYYYY`.\n\n**ATTENTION** if _interceptor_ gets any issue to get _proxy ticket_ from CAS server, it will throw an `IllegalStateException`.\n\nPlease checkout You can find sample usage for both on [`CasSecuritySpringBootSampleApplication`](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-sample/src/main/java/com/kakawait/CasSecuritySpringBootSampleApplication.java)\n\n### AssertionProvider and ProxyTicketProvider\n\nIn addition to `RestTemplate` integration, since `0.7.0` there are now two new autoconfigured beans:\n\n1. `AssertionProvider` that will provide you a way to retrieve the current (bounded to current authenticated request) `org.jasig.cas.client.validation.Assertion`\n2. `ProxyTicketProvider` that will provide you a simple way to ask a _proxy ticket_ for a given service (regarding the current authenticated request)\n\nYou can find sample usage for both on [`CasSecuritySpringBootSampleApplication`](https://github.com/kakawait/cas-security-spring-boot-starter/blob/master/cas-security-spring-boot-sample/src/main/java/com/kakawait/CasSecuritySpringBootSampleApplication.java)\n\n## License\n\nMIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkakawait%2Fcas-security-spring-boot-starter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkakawait%2Fcas-security-spring-boot-starter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkakawait%2Fcas-security-spring-boot-starter/lists"}