It's certainly possible that I always did the change when I protected Confluence but never put it in the document ;-) But regardless, you got what I was saying. Does that look right to you?
My goal is to provide one configuration that can be used regardless of anonymous or non-anonymous access. Our ultimate goal is to leverage as much of Confluence's security infrastructure as possible. We don't want people having to redo their configuration for CAS because they enabled/disabled anonymous support.

Cheers,
Scott

On Tue, Sep 1, 2009 at 11:10 PM, John Watson <[email protected]> wrote:

> I don't know if I'm grasping what you're saying but let me give it a shot.
> I didn't see anything about the AuthenticationFilter in the previous
> versions of the Confluence page. But this is what I'm understanding from
> what you just said.
>
> <filter-mapping>
>   <filter-name>CasAuthenticationFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> Should be
>
> <filter-mapping>
>   <filter-name>CasAuthenticationFilter</filter-name>
>   <url-pattern>/login.action</url-pattern>
> </filter-mapping>
>
> And then still modify login.url and link.login.url to point directly to the
> CAS server.
>
> That way if someone does:
> https://confluence.institution.edu/confluence/login.action
>
> The CAS AuthenticationFilter takes over the login page and Confluence takes
> care of the rest of the pages?
>
> Regards,
> John
>
> On Tue, Sep 1, 2009 at 18:43, Scott Battaglia <[email protected]> wrote:
>
>> On Tue, Sep 1, 2009 at 8:29 PM, John Watson <[email protected]> wrote:
>>
>>> Ah, I see what you are saying. I didn't make that realization. It would
>>> definitely cause issues if you follow a link to a protected page and haven't
>>> logged in yet. I will fix that in the wiki pages now.
>>> True, if you set the link.login.url and login.url. The downside is, that
>>> leaves the login.action page open (via direct URL). So if accounts are
>>> created with simple passwords that can be a large security hole.
>>>
>>
>> I think the trick was to always protect that page with the
>> AuthenticationFilter (with a hardcoded service url). If I recall correctly,
>> that's what I had always recommended. So this way there is always one
>> configuration. Auth Filter on the login and validation filter on everything
>> else. So all the other pages rely on Confluence to determine whether to
>> redirect for login or not.
>>
>> Cheers,
>> Scott
>>
>>> John
>>>
>>> On Tue, Sep 1, 2009 at 04:50, Scott Battaglia <[email protected]> wrote:
>>>
>>>> Thanks. Took a quick look. Noticed in the validation filter you have
>>>> the "service" parameter defined. I think that will cause trouble when
>>>> supplying the URL dynamically (i.e. whatever page you are on). Would it
>>>> make more sense to configure the serverName?
>>>>
>>>> Also, even if you're not using anonymous access shouldn't JIRA and
>>>> Confluence still know to force you to log in without needing to configure
>>>> the Authentication Filter?
>>>>
>>>> Thanks
>>>> -Scott
>>>>
>>>> On Tue, Sep 1, 2009 at 2:34 AM, John Watson <[email protected]> wrote:
>>>>
>>>>> I updated the Confluence page to be a near copy of the Jira page since
>>>>> the configuration is nearly the same.
>>>>> At first I had included a tip about my confluence/jira changes because
>>>>> I copied and pasted the page from our Confluence and then realized as I was
>>>>> replying that you asked to wait on that information so I hid them from the
>>>>> HTML view of the Confluence pages.
>>>>>
>>>>> John
>>>>>
>>>>> On Mon, Aug 31, 2009 at 19:56, Scott Battaglia <[email protected]> wrote:
>>>>>
>>>>>> On Mon, Aug 31, 2009 at 8:11 PM, John Watson <[email protected]> wrote:
>>>>>>
>>>>>>> Not a problem.
>>>>>>> I just did something similar for Confluence too.
>>>>>>>
>>>>>>> Also regarding CAS and Confluence; should I modify your original
>>>>>>> confluence page about confluence CAS configuration or should I add another one
>>>>>>> for your review?
>>>>>>>
>>>>>> If the changes are related to your Confluence changes, we should wait
>>>>>> until we update the source and do a release. If it's just more information
>>>>>> about configuring in Confluence, you can just edit the existing page.
>>>>>>
>>>>>> Thanks!
>>>>>> Scott
>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> On Mon, Aug 31, 2009 at 14:35, Scott Battaglia <[email protected]> wrote:
>>>>>>>
>>>>>>>> John,
>>>>>>>>
>>>>>>>> Can you open an enhancement request in our JIRA for this also
>>>>>>>> (forgot to ask you to do that the other day!).
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Scott
>>>>>>>>
>>>>>>>> On Thu, Aug 27, 2009 at 11:42 PM, John Watson <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi everyone,
>>>>>>>>> As in my very recent previous email, I have been trying to get CAS
>>>>>>>>> Client 3.1.7 to work with Atlassian Jira. I have completed my task but need
>>>>>>>>> to make a little modification to JiraCasAuthenticator.java
>>>>>>>>>
>>>>>>>>> I added support for the logout function that gets called by Seraph
>>>>>>>>> when a user logs out of Jira.
>>>>>>>>>
>>>>>>>>> Index: >>>>>>>>> cas-client-integration-atlassian/src/main/java/org/jasig/cas/client/integration/atlassian/JiraCasAuthenticator.java >>>>>>>>> =================================================================== >>>>>>>>> --- >>>>>>>>> cas-client-integration-atlassian/src/main/java/org/jasig/cas/client/integration/atlassian/JiraCasAuthenticator.java >>>>>>>>> (revision 46469) >>>>>>>>> +++ >>>>>>>>> cas-client-integration-atlassian/src/main/java/org/jasig/cas/client/integration/atlassian/JiraCasAuthenticator.java >>>>>>>>> (working copy) 
>>>>>>>>> @@ -6,6 +6,7 @@ >>>>>>>>> package org.jasig.cas.client.integration.atlassian; >>>>>>>>> >>>>>>>>> import com.atlassian.seraph.auth.DefaultAuthenticator; >>>>>>>>> +import com.atlassian.seraph.auth.AuthenticatorException; >>>>>>>>> import org.apache.commons.logging.Log; >>>>>>>>> import org.apache.commons.logging.LogFactory; >>>>>>>>> import org.jasig.cas.client.util.AbstractCasFilter; >>>>>>>>> @@ -33,7 +34,7 @@ >>>>>>>>> >>>>>>>>> if (session != null) { >>>>>>>>> // user already exists >>>>>>>>> - if >>>>>>>>> (session.getAttribute(ConfluenceCasAuthenticator.LOGGED_IN_KEY) != >>>>>>>>> null) { >>>>>>>>> + if (session.getAttribute(LOGGED_IN_KEY) != null) { >>>>>>>>> log.info("Session found; user already logged >>>>>>>>> in."); >>>>>>>>> return (Principal) >>>>>>>>> session.getAttribute(LOGGED_IN_KEY); >>>>>>>>> } 
>>>>>>>>> @@ -42,12 +43,27 @@ >>>>>>>>> >>>>>>>>> if (assertion != null) { >>>>>>>>> final Principal p = >>>>>>>>> getUser(assertion.getPrincipal().getName()); >>>>>>>>> - request.getSession().setAttribute(LOGGED_IN_KEY, >>>>>>>>> p); >>>>>>>>> - request.getSession().setAttribute(LOGGED_OUT_KEY, >>>>>>>>> null); >>>>>>>>> + session.setAttribute(LOGGED_IN_KEY, p); >>>>>>>>> + session.setAttribute(LOGGED_OUT_KEY, null); >>>>>>>>> return p; >>>>>>>>> } >>>>>>>>> } >>>>>>>>> >>>>>>>>> return super.getUser(request, response); >>>>>>>>> } >>>>>>>>> -} >>>>>>>>> \ No newline at end of file >>>>>>>>> + >>>>>>>>> + public boolean logout(final HttpServletRequest request, final >>>>>>>>> HttpServletResponse response) >>>>>>>>> + throws AuthenticatorException { >>>>>>>>> + final HttpSession session = request.getSession(); >>>>>>>>> + >>>>>>>>> + if (session != null) { >>>>>>>>> + final Principal p = (Principal) >>>>>>>>> session.getAttribute(LOGGED_IN_KEY); >>>>>>>>> + session.setAttribute(LOGGED_OUT_KEY,p); >>>>>>>>> + session.setAttribute(LOGGED_IN_KEY,null); >>>>>>>>> + >>>>>>>>> session.setAttribute(AbstractCasFilter.CONST_CAS_ASSERTION,null); >>>>>>>>> + return true; >>>>>>>>> + } >>>>>>>>> + >>>>>>>>> + return super.logout(request, response); >>>>>>>>> + } >>>>>>>>> +} >>>>>>>>> >>>>>>>>> >>>>>>>>> John Watson >>>>>>>>> Jr. 
Web Developer
>>>>>>>>> University of California, Merced
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> You are currently subscribed to [email protected] as:
>>>>>>>>> [email protected]
>>>>>>>>> To unsubscribe, change settings or access archives, see
>>>>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
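
Review bot: In the new logout() method added by the last hunk (@@ -42,12 +43,27 @@), request.getSession() creates a session when none exists, so the session != null check is always true and the return super.logout(request, response) fallback can never run. Use request.getSession(false) if the null branch is meant to be reachable, and decide whether super.logout should also run on the normal path, since the method returns true without calling it. The method only sets LOGGED_IN_KEY and AbstractCasFilter.CONST_CAS_ASSERTION to null on the existing session; consider session.invalidate() so that nothing else stored in the session during login survives the logout.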
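
A check for the layout the thread converges on (authentication filter mapped only to /login.action, no fixed "service" parameter on the validation filter), as an added example that is not part of the original messages or of the CAS client project. The filter name CasValidationFilter, the sample web.xml and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a web.xml fragment with both
# settings the thread flags, a catch-all auth mapping and a fixed "service".
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>CasAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>service</param-name>
      <param-value>https://confluence.institution.edu/confluence/</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _children(el, name):
    # Compare local names so a namespaced web.xml is handled the same way.
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def _text(el, name):
    found = _children(el, name)
    return (found[0].text or "").strip() if found else ""

def audit_cas_filters(web_xml, login_path="/login.action"):
    """Return findings for the two CAS filter settings discussed in the thread."""
    root = ET.fromstring(web_xml)
    auth_filters, findings = set(), []
    for f in _children(root, "filter"):
        name, cls = _text(f, "filter-name"), _text(f, "filter-class")
        params = {_text(p, "param-name") for p in _children(f, "init-param")}
        if cls.endswith(".AuthenticationFilter"):
            auth_filters.add(name)
        elif cls.endswith("TicketValidationFilter") and "service" in params:
            findings.append(f"{name}: fixed 'service' on validation filter; use serverName")
    for m in _children(root, "filter-mapping"):
        name = _text(m, "filter-name")
        for pattern in ((p.text or "").strip() for p in _children(m, "url-pattern")):
            if name in auth_filters and pattern != login_path:
                findings.append(f"{name}: mapped to {pattern}, expected {login_path}")
    return findings
```
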
