I'll reply to the rest of this later but I just wanted to note that I fixed the build script so that all of those handlers (source and jar) will be included in CAS 3.0.5-rc3.
-Scott

Pascal Aubry wrote:
> Scott Battaglia wrote:
>
>> Pascal,
>
> Hello Scott,
>
>> One problem I immediately see is that this solution will result in a duplicated effort. Out of the box, CAS3 provides:
>>
>> * LegacyPasswordHandlerAdaptorAuthenticationHandler (accepting CAS2 PasswordHandler)
>> * AcceptsUsersAuthenticationHandler (simply has a map of acceptable username/passwords)
>> * FileAuthenticationHandler (reads from a file)
>> * RejectUsersAuthenticationHandler (list of names to reject)
>> * BindModeSearchDatabaseAuthenticationHandler
>> * QueryDatabaseAuthenticationHandler
>> * SearchModeSearchDatabaseAuthenticationHandler
>> * BindLdapAuthenticationHandler
>> * FastBindLdapAuthenticationHandler
>> * PrincipalBearingCredentialsAuthenticationHandler (gets user from request.getRemoteUser())
>> * X509CredentialsAuthenticationHandler (for X.509 Certificates)
>> * HttpBasedCredentialsAuthenticationHandler (for authenticating SSL certificates)
>> * TestAuthenticationHandler (for username=password)
>>
>> You'll notice most of those are based on the GenericHandler project ;-)
>
> Thanks ;-)
>
>> CAS 3.0.6 will also most likely include a handler for SPNEGO and RADIUS on top of the above handlers.
>
> Please add the handlers above to the 3.0.6 distribution, as they were not in 3.0.5-rc1.
>
>> Note that the majority of these AuthenticationHandlers (i.e. the ones that accept UsernamePasswordCredentials) can simply use the UsernamePasswordCredentialsToPrincipalResolver in every case EXCEPT the aliasing case. Because of this, I would recommend keeping the AuthenticationHandler and the CredentialsToPrincipalResolver as two separate interfaces rather than combining them (it allows for easier re-use). If there needs to be a specific AuthenticationHandler->CredentialsToPrincipalResolver association, that can easily be handled in a custom AuthenticationManager.
>
> Exactly what I thought of: a custom authentication manager that would have a list of AuthenticatorResolverAndPopulators. I believe code redundancy will be minimized by inheriting actual AuthenticationHandlers and pointing to actual resolvers. I may have something to show at the end of August; until then you will find attached what could be the properties file of the quick start.
> Guidelines with this file would simply be:
> 1. download and unzip
> 2. edit build.properties to fit to your configuration
> 3. run 'ant install', 'ant start' and test.
> I also thought of an interactive ant target to write it automatically by asking users a few questions.
>
>> If this complicates the configuration (I'm not convinced it will though), Spring provides ways of providing custom (i.e. easier) XML configuration via XMLSchemas. By keeping the APIs the same we are not forcing people to learn two separate APIs (i.e. the "CAS" API and the "ESUP-Portail" API) or forking the userbase to provide slightly different configuration options. The same API would thus allow tighter integration between the two projects as well as more code re-use (and making it easier for pure CAS deployers to leverage some of the ESUP-Portail stuff).
>
> Sure, we have to keep this in mind.
> Time to leave for three weeks now ;-)
> Cheers,
> PA
>
>> -Scott
>>
>> Scott Battaglia
>> Application Developer, Architecture & Engineering Team
>> Enterprise Systems and Services, Rutgers University
>> v: 732.445.0097 | f: 732.445.5493 | [EMAIL PROTECTED]
>>
>> Pascal Aubry wrote:
>>
>>> Stephen A. Cochran wrote:
>>>
>>>> On Jun 27, 2006, at 4:11 AM, Velpi wrote:
>>>>
>>>>> That's certainly a solid solution, but it's not configurable at all, am I right?
>>>>> It would be great if another principal like yours could actually be configured to replace the default SimplePrincipal (most people don't like to change the code too much, certainly because it's usually a (fatal) annoyance when upgrading).
>>>>
>>>> Not configurable without recompiling and deploying, true. But it's not something that I would see changing often.
>>>>
>>>> I agree about changing code, which is why I didn't just change the SimplePrincipal class, I made a new class. I also did the same with all of the Auth handlers, mostly just duplicated and renamed to be something like x509DartAuthenticationHanlder. This avoids the upgrade problems because I didn't touch the distribution code. Thinking back, the x509 one was really the only default one I had to duplicate/change. Wrote my own User/Pass because of our unusual directory system.
>>>>
>>>> I guess to save duplicating auth handlers and making only a minor change, a config option on what default Principal class to use would solve the problem, assuming Java lets you do something like that. Honestly what I did was not difficult, considering at the time I didn't know anything about the structure of CAS and hadn't worked with a Java app since before ant/tomcat/maven etc existed. I also don't see the benefit in being able to reconfigure the Principal without redeploying, I can't imagine I'd ever use that functionality.
>>>>
>>>> Steve Cochran
>>>> Dartmouth College
>>>> _______________________________________________
>>>> cas-dev mailing list
>>>> [email protected]
>>>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>>>
>>> Thank you Scott, Velpi and Stephen for your answers, I think the problem is clearer to me now.
>>>
>>> I agree with Velpi when he says that it is important not to have code to write at all. Even if it is quite simple for us, it is not at all for most of the people that deploy CAS; just think that they do not even know Java (nor XML sometimes). Moreover I know people who customized their CAS server but never upgraded.
>>>
>>> IMHO, the goal of the quick start is not to make everything possible with it; people who want to do fancy things with CAS will use the original distribution, and adapt it for their needs. The goal of the quick start is to make it possible for 90% of the CAS deployers to deploy it in the simplest way, i.e. by using a properties file (yes, XML beans are much more difficult than properties). In a second step, let's say that 99% should be able to deploy CAS by simply editing properties files or beans. At least, the rest (1%) should be able to write Java code for CAS to fit to their environment, which is probably everything but standard (I believe you are in this case Stephen); anyway, people relying on specific configurations are prepared for this (note: once you have Java code to write, there are many ways to do it, and the most clever way is obviously the one proposed by Stephen - not modifying the distribution code).
>>>
>>> So let's come back to the quick start. What I intend to propose responds to 99% of the needs of the community I know the best, i.e. the French education/research community. These needs will be satisfied by handlers looking like the ones brought by CAS GH v2, a little extended to be able to resolve credentials after the authentication (for what I called previously "aliasing"). I already started writing things based on an authentication manager having a list of AuthenticatorResolverAndPopulator instances. You will find attached a configuration file for such handlers, feel free to comment and criticize. Note: the configuration of an x509 authentication is missing, also feel free to complete.
>>>
>>> PA
>>> --
>>> http://perso.univ-rennes1.fr/pascal.aubry
>
>------------------------------------------------------------------------
>
>#########################################################################
># CAS configuration
>#########################################################################
>
>#
># The path of the cas-server installation. If not set, a cas-server
># instance will be installed and used.
>#
># Warning: People using package esup-cas-server and esup-cas-quick-start
># must not set this property (for cas to be automatically installed).
>#
>
>#cas-server.home=<install-dir>/cas-server-3.0.5-rc1
>
>#
># The folder where the cas-server application will be
># deployed. If not set, a default folder will be created
># and used.
>#
># Warning: People using package esup-cas-server and esup-cas-quick-start
># must not set this property
>#
>
>#cas-server.deploy=<install-dir>/cas-server-webapp
>
>#########################################################################
># Tomcat configuration
>#########################################################################
>
>#
># The path of the tomcat installation. If not set, or if the
># corresponding folder is not a tomcat installation, a tomcat
># instance will be installed and used.
># The tomcat instance is used to:
># 1. provide some libraries needed to compile
># 2. run the CAS server (use ant targets start and stop)
>#
># Warning: People using package esup-cas-quick-start must not set this
># property (for tomcat to be automatically installed).
>#
>
>#tomcat.home=<install-dir>/apache-tomcat-5.5.17
>
>#
># in case a tomcat installation is created (see above), the
># following properties are used to write C:\esup\esup-cas-handlers/apache-tomcat-5.5.17/conf/server.xml:
># - tomcat.hostname
># - tomcat.context-path
># - tomcat.protocol
># - tomcat.port
># - tomcat.shutdown-port
># if default values are used, then the CAS server will be available at
># https://localhost:8443/cas
>
>#
># the hostname tomcat will be listening to, defaults to localhost
>#
>
>#tomcat.hostname=localhost
>
>#
># the protocol that will be used, accepted values are http and https (defaults
># to https). Note: http should be used for testing only.
>#
>
>#tomcat.protocol=https
>
>#
># the port tomcat will be running on, defaults to 8080 if http, 8443 if https.
>#
>
>#tomcat.port=8443
>
>#
># the path of the tomcat context used for the cas server, defaults to '/cas'.
># Leave the property empty not to use a context path (not '/').
>#
>
>#tomcat.context-path=
>
>#
># the port used to shutdown tomcat, defaults to 8005.
>#
>
>#tomcat.shutdown-port=8005
>
>#########################################################################
># X509 configuration
>#########################################################################
>
>#
># The path of the keystore used for the HTTPS protocol. Set this property if
># you use an existing keystore; if the property is not set, then a keystore is
># automatically generated using the properties tomcat.keystore.*. You should
># be aware that the keystore only contains a self-signed certificate, which will
># not be recognized by the browsers.
>#
># Note: if HTTP is used, then all the tomcat.keystore.* properties are ignored
>#
>
>#tomcat.keystore=/usr/local/security/server.ks
>
>#
># The alias of the server certificate in the keystore. This property can be set,
># whatever the kind of the keystore used. Defaults to 'tomcat'.
>#
>
>#tomcat.keystore.alias=tomcat
>
>#
># The password used to read the keystore. This property can be set, whatever the
># kind of the keystore used. Defaults to 'secret'.
># Note: as Tomcat expects the same password for the store and the private key of
># the certificate, tomcat.keystore.password is used for both.
>#
>
>#tomcat.keystore.password=secret
>
>#
># The encryption algorithm for the private key of the server certificate,
># defaults to RSA. This property is used only when generating the keystore.
>#
>
>#tomcat.keystore.algorithm=RSA
>
>#
># The attributes of the server certificate.
># These properties are used only when generating the keystore and are optional
># (default values are indicated below).
>#
>
>#tomcat.keystore.dname.cn=localhost
>#tomcat.keystore.dname.ou=v
>#tomcat.keystore.dname.o=ESUP-Portail
>#tomcat.keystore.dname.c=fr
>
>#########################################################################
># Authentication
>#########################################################################
>
>#
># When this property is set to true, a template is used to build file
># deployerConfigContext.xml thanks to properties authentication.*.
># When set to false, custom/webapp/WEB-INF/deployerConfigContext.xml is used
># (and properties authentication.* are ignored).
># Defaults to 'true'.
>#
>
>#authentication.use-template=true
>
>#------------------------------------------------------------------------
># Test
>#------------------------------------------------------------------------
>#
># When this property is set to true, emptyPasswordHandler is used. This
># handler authenticates users when they give an empty password. Defaults
># to 'false'.
># This handler should NEVER be used in production.
>#
>
>#authentication.emptyPassword.enabled=false
>
>#
># When this property is set to true, usernamePasswordMatchHandler is used.
># This handler authenticates users when the username provided and the password
># match. Defaults to 'true'.
># This handler should NEVER be used in production.
>#
>
>#authentication.test.usernamePasswordMatch.enabled=true
>
>#------------------------------------------------------------------------
># File
>#------------------------------------------------------------------------
>#
># When this property is not empty, fileHandler is used. This handler
># authenticates users using a file. When this property is empty, no fileHandler
># is used and all the other authentication.file.* properties should not be set.
># Defaults to ''.
>#
>
>#authentication.file.fileLocation=
>
>#
># The string used to separate the user from the password (they are expected to be
># found in this order).
># Defaults to ':'.
>#
>
>#authentication.file.separator=:
>
>#
># The password encoder that will be used to encode the password provided by the
># user and compare it to the one stored in the file. Accepted values are:
># - plainTextPasswordEncoder
># - Md5PasswordEncoder
># - DesPasswordEncoder
># - PamMd5PasswordEncoder
># Defaults to 'plainTextpasswordEncoder'.
>#
>
>#authentication.file.passwordEncoder=plainTextpasswordEncoder
>
>#
># When this property is set to true, the authentication process stops if the
># username is found in the file but the corresponding password does not match.
># Otherwise, next lines of the file are read, and next handlers are tried.
># Defaults to 'false'.
>#
>
>#authentication.file.abortWhenWrongPassword=false
>
>#------------------------------------------------------------------------
># LDAP (bind)
>#------------------------------------------------------------------------
>#
># The URL of the LDAP server used to authenticate with handler bindLdapHandler,
># (e.g. ldap://ldap.esup-portail.org). This handler authenticates by binding to
># a LDAP directory with the username/password provided by users. If this
># property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.bindLdap.server.url=
>
>#
># Set this property to true if the LDAP server should skip referrals (when
># binding to AD). Defaults to 'false'.
>#
>
>#authentication.bindLdap.server.skipReferrals=false
>
>#
># The properties of a replica. If not set or set empty, no replica will be used.
># Defaults to '' and 'false'.
>#
>
>#authentication.bindLdap.replica.url=
>#authentication.bindLdap.replica.skipReferrals=false
>
>#
># The filter used to deduce the DN from the uid. The following tokens (similar to
># ldap_saslauthd) can be used in the filter string:
># - %% = %
># - %u = user
># - %U = user portion of %u (%U = test when %u = [EMAIL PROTECTED])
># - %d = domain portion of %u (%d = domain.tld when %u = [EMAIL PROTECTED])
># - %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
># - %s = service
># - %r = realm
># The %u token has to be used at minimum for the filter to be useful.
># Defaults to 'uid=%u'.
>#
>
>#authentication.bindLdap.filter=uid=%u
>
>#------------------------------------------------------------------------
># LDAP (search)
>#------------------------------------------------------------------------
>#
># The URL of the LDAP server used to authenticate with handler searchLdapHandler,
># (e.g. ldap://ldap.esup-portail.org). This handler authenticates by searching
># the users' DN in a LDAP directory from the username provided, next by binding
># to the LDAP directory. If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.searchLdap.server.url=
>
>#
># Set this property to true if the LDAP server should skip referrals (when
># binding to AD). Defaults to 'false'.
>#
>
>#authentication.searchLdap.server.skipReferrals=false
>
>#
># The properties of a replica. If not set or set empty, no replica will be used.
># Defaults to '' and 'false'.
>#
>
>#authentication.searchLdap.replica.url=
>#authentication.searchLdap.replica.skipReferrals=false
>
>#
># The location where to search in the LDAP directory.
># Defaults to 'ou=people'.
>#
>
>#authentication.searchLdap.searchBase=ou=people
>
>#
># The filter used to deduce the users' DN from the username they provide.
># See property authentication.bindLdap.filter for allowed tokens.
># Defaults to 'uid=%u'.
>#
>
>#authentication.searchLdap.filter=uid=%u
>
>#
># The scope used to search the LDAP directory.
># Defaults to 'sub'.
>#
>
>#authentication.searchLdap.scope=sub
>
>#
># The DN used to bind to the LDAP directory when searching the user's DN. When
># this property is empty, an anonymous connection is done and property
># default.authentication.searchLdap.bindPassword is ignored (otherwise it is
># mandatory).
># Defaults to ''.
>#
>
>#authentication.searchLdap.bindDn=
>#authentication.searchLdap.bindPassword=
>
>#------------------------------------------------------------------------
># LDAP (aliasing & search)
>#------------------------------------------------------------------------
>#
># The URL of the LDAP server used to authenticate with handler searchLdapHandler,
># (e.g. ldap://ldap.esup-portail.org). This handler authenticates by searching
># the users' DN in a LDAP directory from the username provided, next by binding
># to the LDAP directory with the retrieved DN and the password provided by the user.
># Next the user's id is retrieved from an attribute of the LDAP directory (it is
># supposed to be stored in the attribute whose name is given by property
># authentication.aliasingSearchLdap.uidAttribute).
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.aliasingSearchLdap.server.url=
>
>#
># Set this property to true if the LDAP server should skip referrals (when
># binding to AD). Defaults to 'false'.
>#
>
>#authentication.aliasingSearchLdap.server.skipReferrals=false
>
>#
># The properties of a replica. If not set or set empty, no replica will be used.
># Defaults to '' and 'false'.
>#
>
>#authentication.aliasingSearchLdap.replica.url=
>#authentication.aliasingSearchLdap.replica.skipReferrals=false
>
>#
># The location where to search in the LDAP directory.
># Defaults to 'ou=people'.
>#
>
>#authentication.aliasingSearchLdap.searchBase=ou=people
>
>#
># The filter used to deduce the users' DN from the username they provide.
># See property authentication.bindLdap.filter for allowed tokens.
># Defaults to 'uid=%u'.
>#
>
>#authentication.aliasingSearchLdap.filter=uid=%u
>
>#
># The scope used to search the LDAP directory.
># Defaults to 'sub'.
>#
>
>#authentication.aliasingSearchLdap.scope=sub
>
>#
># The DN used to bind to the LDAP directory when searching the user's DN. When
># this property is empty, an anonymous connection is done and property
># default.authentication.aliasingSearchLdap.bindPassword is ignored (otherwise it is
># mandatory).
># Defaults to ''.
>#
>
>#authentication.aliasingSearchLdap.bindDn=
>#authentication.aliasingSearchLdap.bindPassword=
>
>#
># The name of the LDAP attribute in which the user's unique id is stored.
># Defaults to 'uid'.
>#
>
>#authentication.aliasingSearchLdap.uidAttribute=uid
>
>#------------------------------------------------------------------------
># Database (bind)
>#------------------------------------------------------------------------
># This handler authenticates by trying to bind to a database server
># (authentication is successful when the connection succeeds).
>#
>
>#
># The JDBC URL of the database server.
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.bindDatabase.jdbcUrl=
>
>#
># The JDBC driver to use to connect to the database (com.mysql.jdbc.Driver
># for MySql).
># Defaults to 'com.mysql.jdbc.Driver'.
>#
>
>#authentication.bindDatabase.jdbcDriver=com.mysql.jdbc.Driver
>
>#------------------------------------------------------------------------
># Database (search)
>#------------------------------------------------------------------------
># This handler authenticates by searching credentials (username and encrypted
># password) in a database and comparing them to the ones provided by users.
>#
>
>#
># The JDBC URL of the database that contains the credentials.
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.searchDatabase.jdbcUrl=
>
>#
># The JDBC driver to use to connect to the database (com.mysql.jdbc.Driver
># for MySql).
># Defaults to 'com.mysql.jdbc.Driver'.
>#
>
>#authentication.searchDatabase.jdbcDriver=com.mysql.jdbc.Driver
>
>#
># The credentials used to bind to the database. When this property is empty,
># an anonymous connection is used and property default.authentication.searchDatabase.bindPassword
># is ignored (otherwise it is mandatory).
># Defaults to ''.
>#
>
>#authentication.searchDatabase.bindUsername=
>#authentication.searchDatabase.bindPassword=
>
>#
># The table of the database where credentials are stored.
># Defaults to 'user'.
>#
>
>#authentication.searchDatabase.table=user
>
>#
># The column that contains users' uid.
># Defaults to 'uid'.
>#
>
>#authentication.searchDatabase.uidColumn=uid
>
>#
># The column that contains users' password.
># Defaults to 'password'.
>#
>
>#authentication.searchDatabase.passwordColumn=password
>
>#
># The password encoder that will be used to encode the password provided by the
># user and compare it to the one stored in the database. Accepted values are:
># - plainTextPasswordEncoder
># - Md5PasswordEncoder
># - DesPasswordEncoder
># - PamMd5PasswordEncoder
># Defaults to 'plainTextpasswordEncoder'.
>#
>
>#authentication.searchDatabase.passwordEncoder=plainTextpasswordEncoder
>
>#------------------------------------------------------------------------
># Database (aliasing and search)
>#------------------------------------------------------------------------
># This handler also authenticates by searching credentials (username and encrypted
># password) in a database and comparing them to the ones provided by users.
># Compared to aliasingSearchDatabaseHandler, it provides the "aliasing" feature:
># - users give an alias instead of their uid; the user's password (and the uid as
># well) is retrieved thanks to a request based on the alias,
># - once authenticated, the uid is considered as the principal.
>#
>
>#
># The JDBC URL of the database that contains the credentials.
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.aliasingSearchDatabase.jdbcUrl=
>
>#
># The JDBC driver to use to connect to the database (com.mysql.jdbc.Driver
># for MySql).
># Defaults to 'com.mysql.jdbc.Driver'.
>#
>
>#authentication.aliasingSearchDatabase.jdbcDriver=com.mysql.jdbc.Driver
>
>#
># The credentials used to bind to the database. When this property is empty,
># an anonymous connection is used and property default.authentication.aliasingSearchDatabase.bindPassword
># is ignored (otherwise it is mandatory).
># Defaults to ''.
>#
>
>#authentication.aliasingSearchDatabase.bindUsername=
>#authentication.aliasingSearchDatabase.bindPassword=
>
>#
># The table of the database where credentials are stored.
># Defaults to 'user'.
>#
>
>#authentication.aliasingSearchDatabase.table=user
>
>#
># The column that contains users' alias (provided by users).
># Defaults to 'alias'.
>#
>
>#authentication.aliasingSearchDatabase.aliasColumn=alias
>
>#
># The column that contains users' uid (returned as the principal when
># the alias and the password match).
># Defaults to 'uid'.
>#
>
>#authentication.aliasingSearchDatabase.uidColumn=uid
>
>#
># The column that contains users' password.
># Defaults to 'password'.
>#
>
>#authentication.aliasingSearchDatabase.passwordColumn=password
>
>#
># The password encoder that will be used to encode the password provided by the
># user and compare it to the one stored in the database. Accepted values are:
># - plainTextPasswordEncoder
># - Md5PasswordEncoder
># - DesPasswordEncoder
># - PamMd5PasswordEncoder
># Defaults to 'plainTextpasswordEncoder'.
>#
>
>#authentication.aliasingSearchDatabase.passwordEncoder=plainTextpasswordEncoder
>
>#------------------------------------------------------------------------
># Database (query)
>#------------------------------------------------------------------------
># This handler can be used to authenticate users by searching into a
># database (that contains the credentials), when the request to extract
># the users' password is too complex to use SearchDatabaseHandler. With
># this handler, the SQL query used is not built by the handler but
># set by configuration.
>#
>
>#
># The JDBC URL of the database that contains the credentials.
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.queryDatabase.jdbcUrl=
>
>#
># The JDBC driver to use to connect to the database (com.mysql.jdbc.Driver
># for MySql).
># Defaults to 'com.mysql.jdbc.Driver'.
>#
>
>#authentication.queryDatabase.jdbcDriver=com.mysql.jdbc.Driver
>
>#
># The credentials used to bind to the database. When this property is empty,
># an anonymous connection is used and property default.authentication.queryDatabase.bindPassword
># is ignored (otherwise it is mandatory).
># Defaults to ''.
>#
>
>#authentication.queryDatabase.bindUsername=
>#authentication.queryDatabase.bindPassword=
>
>#
># The SQL query used to extract the (encrypted) password from the database.
># This query must return exactly one column named 'password'.
># Defaults to 'SELECT password FROM user WHERE uid = '%u' AND NOT locked'.
>#
>
>#authentication.queryDatabase.sqlQuery=SELECT password FROM user WHERE uid = '%u' AND NOT locked
>
>#
># The password encoder that will be used to encode the password provided by the
># user and compare it to the one stored in the database. Accepted values are:
># - plainTextPasswordEncoder
># - Md5PasswordEncoder
># - DesPasswordEncoder
># - PamMd5PasswordEncoder
># Defaults to 'plainTextpasswordEncoder'.
>#
>
>#authentication.queryDatabase.passwordEncoder=plainTextpasswordEncoder
>
>#------------------------------------------------------------------------
># Database (aliasing & query)
>#------------------------------------------------------------------------
># This handler can be used to authenticate users by searching into a
># database (that contains the credentials) with a SQL query set by
># configuration.
># Compared to QueryDatabaseHandler, it provides the "aliasing" feature:
># - users give an alias instead of their uid; the user's password (and
># the uid as well) is retrieved thanks to a request based on the alias,
># - once authenticated, the uid is considered as the principal.
>#
>
>#
># The JDBC URL of the database that contains the credentials.
># If this property is left empty, then the handler is not used.
># Defaults to ''.
>#
>
>#authentication.aliasingQueryDatabase.jdbcUrl=
>
>#
># The JDBC driver to use to connect to the database (com.mysql.jdbc.Driver
># for MySql).
># Defaults to 'com.mysql.jdbc.Driver'.
>#
>
>#authentication.aliasingQueryDatabase.jdbcDriver=com.mysql.jdbc.Driver
>
>#
># The credentials used to bind to the database. When this property is empty,
># an anonymous connection is used and property default.authentication.aliasingQueryDatabase.bindPassword
># is ignored (otherwise it is mandatory).
># Defaults to ''.
>#
>
>#authentication.aliasingQueryDatabase.bindUsername=
>#authentication.aliasingQueryDatabase.bindPassword=
>
>#
># The SQL query used to extract the (encrypted) password from the database.
># This query must return exactly two columns respectively named 'password'
># and 'uid'.
># Defaults to 'SELECT password, uid FROM user WHERE alias = '%u' AND NOT locked'.
>#
>
>#authentication.aliasingQueryDatabase.sqlQuery=SELECT password, uid FROM user WHERE alias = '%u' AND NOT locked
>
>#
># The password encoder that will be used to encode the password provided by the
># user and compare it to the one stored in the database. Accepted values are:
># - plainTextPasswordEncoder
># - Md5PasswordEncoder
># - DesPasswordEncoder
># - PamMd5PasswordEncoder
># Defaults to 'plainTextpasswordEncoder'.
>#
>
>#authentication.aliasingQueryDatabase.passwordEncoder=plainTextpasswordEncoder
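An added example (not code from the thread or from esup-cas-quick-start, written in Python rather than the quick start's Java/ant tooling) of how the %-token templates in the attached properties file can be expanded: the ldap_saslauthd-style tokens of authentication.bindLdap.filter with RFC 4515 escaping of every substituted value, and the quoted '%u' in the queryDatabase/aliasingQueryDatabase sqlQuery defaults turned into a bound parameter instead of text substitution. The helper names, the in-memory SQLite table and the sample users are constructed for the example.

```python
import re
import sqlite3

# Default queries quoted from the properties file above.
QUERY_DEFAULT = "SELECT password FROM user WHERE uid = '%u' AND NOT locked"
ALIAS_QUERY_DEFAULT = "SELECT password, uid FROM user WHERE alias = '%u' AND NOT locked"


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def _tokens(user, service, realm):
    """The tokens listed under authentication.bindLdap.filter (%u, %U, %d, %1-9, %s, %r)."""
    local, _, domain = user.partition('@')
    tokens = {'u': user, 'U': local, 'd': domain, 's': service, 'r': realm}
    # %1 = tld, %2 = next label from the right, ... up to %9
    labels = domain.split('.') if domain else []
    for i, label in enumerate(reversed(labels[-9:]), start=1):
        tokens[str(i)] = label
    return tokens


TOKEN_RE = re.compile(r'%(%|[uUdsr1-9])')


def expand_ldap_filter(template, user, service='', realm=''):
    """Expand %-tokens into an LDAP filter; every substituted value is escaped,
    so the user-supplied name cannot add or close filter components."""
    tokens = _tokens(user, service, realm)

    def repl(m):
        t = m.group(1)
        return '%' if t == '%' else ldap_filter_escape(tokens.get(t, ''))
    return TOKEN_RE.sub(repl, template)


def parameterize_sql(template):
    """Rewrite the file's quoted '%u' into a ? placeholder and report how many.
    The username is then bound as a parameter, never spliced into the SQL text."""
    sql, n = re.subn(r"'%u'", '?', template)
    if '%u' in sql:
        raise ValueError("unquoted %u in SQL template; refusing to expand it")
    return sql, n


def lookup_password(conn, template, user):
    """Run a queryDatabase-style template for one user; returns the row or None."""
    sql, n = parameterize_sql(template)
    return conn.execute(sql, (user,) * n).fetchone()


def demo_db():
    """Constructed in-memory table shaped like the 'user' table the defaults expect."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE user (uid TEXT, alias TEXT, password TEXT, locked INTEGER)')
    conn.executemany('INSERT INTO user VALUES (?, ?, ?, ?)', [
        ('jdoe', 'john.doe', 'md5-of-secret', 0),
        ("o'brien", 'pat.obrien', 'md5-of-other', 0),  # quote inside the uid stays data
        ('locked1', 'lock', 'md5-of-x', 1),            # NOT locked excludes this row
    ])
    return conn


if __name__ == '__main__':
    print(expand_ldap_filter('(&(uid=%U)(dc=%2)(dc=%1))', 'test@domain.tld'))
    conn = demo_db()
    print(lookup_password(conn, QUERY_DEFAULT, "o'brien"))
    print(lookup_password(conn, ALIAS_QUERY_DEFAULT, 'john.doe'))
```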
