Spring Security 6.2 and CAS authentication : what happened to CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER?

Question

I'm setting up CAS authentication on my application using Spring Security 6.2.

The documentation (https://docs.spring.io/spring-security/reference/servlet/authentication/cas.html) states:

The processing filter will construct a UsernamePasswordAuthenticationToken representing the service ticket. The principal will be equal to CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, whilst the credentials will be the service ticket opaque value.

However, it seems that in version 6 of Spring Security, the CAS_STATEFUL_IDENTIFIER member has disappeared from the CasAuthenticationFilter class.

So, what's the best way to create this UsernamePasswordAuthenticationToken?

Answer 1

Since Spring Security 6.1.0, the CasAuthenticationFilter creates an instance of CasServiceTicketAuthenticationToken instead of UsernamePasswordAuthenticationToken and the CAS_STATEFUL_IDENTIFIER constant got moved to the new class.

The change was made in the commit Use a Custom Authentication Token for CAS. Apparently though, the project's documentation page source was left intact, so it is no longer up-to-date with the changed code.

So, what's the best way to create this UsernamePasswordAuthenticationToken?

Provided you don't insist on creating UsernamePasswordAuthenticationToken, you can create a new CasServiceTicketAuthenticationToken instead:

token = CasServiceTicketAuthenticationToken.stateful(serviceTicket);

While you can surely still create UsernamePasswordAuthenticationToken, it could be a little bit more complicated because the visibility of CasServiceTicketAuthenticationToken.CAS_STATEFUL_IDENTIFIER (obtainable via token.getPrincipal() in the example above) is package-level now.