I have found the solution to this problem.

When instantiating the Saml11TicketValidationFilter bean using Spring the
init method sets the artefact parameter name to SAMLart.
e.g.

public class Saml11TicketValidationFilter extends AbstractTicketValidationFilter {

    public Saml11TicketValidationFilter() {
        setArtifactParameterName("SAMLart");
        setServiceParameterName("TARGET");
    }
....


However, when using a standard filter this artefact parameter is set to the
default of 'ticket', which is what CAS (at least in my case) returns after
logging in.

With this in mind, the following Spring configuration works for me:

    <bean name="authenticationFilter"
          class="org.jasig.cas.client.authentication.AuthenticationFilter">
            <property name="casServerLoginUrl" value="${cas.loginUrl}" />
            <property name="serverName" value="${cas.serverName}" />
    </bean>

    <bean name="ticketValidationFilter"
          class="org.jasig.cas.client.validation.Saml11TicketValidationFilter">
            <property name="serverName" value="${cas.serverName}" />
            <property name="redirectAfterValidation" value="true" />
            <!-- Key property: resets the artifact parameter name to the default 'ticket' -->
            <property name="artifactParameterName" value="ticket" />
            <property name="ticketValidator">
                <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
                    <constructor-arg index="0" value="${cas.url}" />
                </bean>
            </property>
    </bean>


The key property is the artifactParameterName, which resets things back to
the default of 'ticket'.
With this property set this SAML filter is able to retrieve and validate the
CAS ticket.


David
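
Added example, not part of the original message or of the CAS client project: a small Python check that reads a Spring bean file and reports which CAS filters would ignore the parameter the CAS server sends back. The class defaults in the table are assumptions taken from the description above ('SAMLart' set by the SAML filter's constructor, 'ticket' for the standard filter); the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed defaults, as described in the message above: the SAML 1.1 filter's
# constructor sets "SAMLart"; the standard filter defaults to "ticket".
CLASS_DEFAULTS = {
    "org.jasig.cas.client.authentication.AuthenticationFilter": "ticket",
    "org.jasig.cas.client.validation.Saml11TicketValidationFilter": "SAMLart",
}

def _local(tag):
    """Strip an XML namespace so namespaced Spring files also match."""
    return tag.rsplit("}", 1)[-1]

def effective_artifact_params(beans_xml):
    """Map bean name -> artifact parameter name the filter will actually read."""
    result = {}
    for bean in ET.fromstring(beans_xml).iter():
        cls = bean.get("class")
        if _local(bean.tag) != "bean" or cls not in CLASS_DEFAULTS:
            continue
        value = CLASS_DEFAULTS[cls]  # class default unless overridden below
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "artifactParameterName":
                value = prop.get("value")
        result[bean.get("name") or bean.get("id") or cls] = value
    return result

def mismatched_filters(beans_xml, server_param):
    """Names of filters that would not see the parameter the CAS server returns."""
    params = effective_artifact_params(beans_xml)
    return sorted(name for name, value in params.items() if value != server_param)

# Constructed sample: the bean layout from the thread, wrapped in a <beans> root.
BROKEN = """<beans>
  <bean name="authenticationFilter"
        class="org.jasig.cas.client.authentication.AuthenticationFilter">
    <property name="serverName" value="${cas.serverName}" />
  </bean>
  <bean name="ticketValidationFilter"
        class="org.jasig.cas.client.validation.Saml11TicketValidationFilter">
    <property name="serverName" value="${cas.serverName}" />
  </bean>
</beans>"""
# Same file with the override from the working configuration added.
FIXED = BROKEN.replace(
    'Saml11TicketValidationFilter">',
    'Saml11TicketValidationFilter">\n<property name="artifactParameterName" value="ticket" />')

if __name__ == "__main__":
    print(mismatched_filters(BROKEN, "ticket"), mismatched_filters(FIXED, "ticket"))
```

Pass as server_param the parameter name the CAS server actually appends to the redirect ('ticket' in the case above); any filter listed will never pick up the ticket.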



On Mon, Aug 9, 2010 at 4:17 PM, David Harrison <
david.harri...@stress-free.co.nz> wrote:

> On Mon, Aug 9, 2010 at 3:00 PM, Scott Battaglia <scott.battag...@gmail.com
> > wrote:
>
>> For the authentication filter, are you setting the correct parameters?
>>
>> It looks like our example might be slightly off.
>>
>> These would need to be set on the AuthenticationFilter I believe:
>>
>>         setArtifactParameterName("SAMLart");
>>         setServiceParameterName("TARGET");
>>
>> Let me know if that helps and we'll update the documentation.
>>
>
>
> No luck I am afraid using the following Spring configuration:
>
>     <bean name="authenticationFilter"
>           class="org.jasig.cas.client.authentication.AuthenticationFilter">
>             <property name="casServerLoginUrl" value="${cas.loginUrl}" />
>             <property name="serverName" value="${cas.serverName}" />
>             <property name="artifactParameterName" value="SAMLart" />
>             <property name="serviceParameterName" value="TARGET" />
>      </bean>
>
>     <bean name="ticketValidationFilter"
>           class="org.jasig.cas.client.validation.Saml11TicketValidationFilter">
>             <property name="serverName" value="${cas.serverName}" />
>             <property name="ticketValidator">
>                 <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
>                     <constructor-arg index="0" value="${cas.url}" />
>                 </bean>
>             </property>
>     </bean>
>
>
> Setting those properties in the AuthenticationFilter Spring bean returned
> the following error when logging in:
>
> org.opensaml.artifact.InvalidArgumentException: Unexpected length: 22
> (expected 20)
>  org.opensaml.artifact.SAMLArtifact.checkHandleArg(Unknown Source)
> org.opensaml.artifact.SAMLArtifactType0001.<init>(Unknown Source)
>
> org.jasig.cas.util.SamlCompliantUniqueTicketIdGenerator.getNewTicketId_aroundBody0(SamlCompliantUniqueTicketIdGenerator.java:46)
>
> org.jasig.cas.util.SamlCompliantUniqueTicketIdGenerator.getNewTicketId_aroundBody1$advice(SamlCompliantUniqueTicketIdGenerator.java:44)
>
> org.jasig.cas.util.SamlCompliantUniqueTicketIdGenerator.getNewTicketId(SamlCompliantUniqueTicketIdGenerator.java:1)
> ....
>
>
> The web.xml filter configuration below works fine with SAML authentication,
> so I don't think there's a problem with the uniqueId generator configuration
> (i.e. testing on https://localhost:8443).
>
> At the moment I am using this web.xml filter configuration with SAML
> without any issues (CAS server 3.4.2 with the Java CAS client 3.1.10):
>
>     <filter>
>         <filter-name>CAS Authentication Filter</filter-name>
>         <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>         <init-param>
>             <param-name>casServerLoginUrl</param-name>
>             <param-value>https://localhost:8443/cas/login</param-value>
>         </init-param>
>         <init-param>
>              <param-name>serverName</param-name>
>             <param-value>https://localhost:8443</param-value>
>         </init-param>
>         </filter>
>     <filter>
>         <filter-name>CAS Validation Filter</filter-name>
>         <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
>         <init-param>
>             <param-name>casServerUrlPrefix</param-name>
>             <param-value>https://localhost:8443/cas</param-value>
>          </init-param>
>         <init-param>
>             <param-name>serverName</param-name>
>             <param-value>https://localhost:8443</param-value>
>          </init-param>
>         <init-param>
>             <param-name>redirectAfterValidation</param-name>
>             <param-value>true</param-value>
>         </init-param>
>      </filter>
>
>
>
> David
>
>
>
>> On Sun, Aug 8, 2010 at 6:04 PM, David Harrison <
>> david.harri...@stress-free.co.nz> wrote:
>>
>>> Hi,
>>> I am testing SAML 1.1 ticket validation with the help of this
>>> introductory example:
>>>
>>> https://wiki.jasig.org/display/CASC/JASIG+Client+SAML+Saml11TicketValidationFilter+Example
>>>
>>> This works correctly, but I cannot get this to work with a Spring-based
>>> DelegatingFilterProxy configuration.
>>> e.g. web.xml snippet:
>>>
>>>     <filter>
>>>         <filter-name>CAS Authentication Filter</filter-name>
>>>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>>         <init-param>
>>>             <param-name>targetBeanName</param-name>
>>>             <param-value>authenticationFilter</param-value>
>>>         </init-param>
>>>     </filter>
>>>     <filter>
>>>         <filter-name>CAS Validation Filter</filter-name>
>>>         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>>         <init-param>
>>>             <param-name>targetBeanName</param-name>
>>>             <param-value>ticketValidationFilter</param-value>
>>>         </init-param>
>>>     </filter>
>>>     <filter>
>>>         <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>>         <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>>>     </filter>
>>>
>>>
>>> Spring configuration snippet:
>>>
>>>     <bean name="authenticationFilter"
>>>           class="org.jasig.cas.client.authentication.AuthenticationFilter">
>>>             <property name="casServerLoginUrl" value="${cas.loginUrl}" />
>>>             <property name="serverName" value="${cas.serverName}" />
>>>     </bean>
>>>
>>>     <bean name="ticketValidationFilter"
>>>           class="org.jasig.cas.client.validation.Saml11TicketValidationFilter">
>>>             <property name="serverName" value="${cas.serverName}" />
>>>             <property name="redirectAfterValidation" value="true" />
>>>             <property name="ticketValidator">
>>>                 <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
>>>                     <constructor-arg index="0" value="${cas.url}" />
>>>                 </bean>
>>>             </property>
>>>     </bean>
>>>
>>>
>>> Note: I've been using a similar configuration for the last few years with
>>> CAS tickets without issue.
>>>
>>> I have tested the configuration example listed here with no effect:
>>>
>>> https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring
>>>
>>>
>>> The authenticationFilter bean is working correctly, the problem seems to
>>> be the ticketValidationFilter configuration.
>>> I've enabled debug logging on the client, but there seems to be very
>>> little output.
>>> i.e. It is almost like the ticketValidationFilter is not even
>>> being engaged.
>>>
>>>
>>> Could anyone provide a Spring configuration that matches (or is similar
>>> to) the initial SAML example that I initially referenced?
>>>
>>> e.g. The Spring DelegatingFilterProxy equivalent of:
>>>
>>>     <filter>
>>>         <filter-name>CAS Validation Filter</filter-name>
>>>         <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
>>>         <init-param>
>>>             <param-name>casServerUrlPrefix</param-name>
>>>             <param-value>https://cas.mydomain.com/cas</param-value>
>>>         </init-param>
>>>         <init-param>
>>>             <param-name>serverName</param-name>
>>>             <param-value>http://localhost:8084</param-value>
>>>         </init-param>
>>>         <init-param>
>>>             <param-name>redirectAfterValidation</param-name>
>>>             <param-value>true</param-value>
>>>         </init-param>
>>>         </filter>
>>>
>>>
>>> David
>>>
>>> --
>>> You are currently subscribed to cas-dev@lists.jasig.org as: 
>>> scott.battag...@gmail.com
>>>
>>>
>>>
>>>
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>>>
>>>
>>
>
