Hi, I'm trying to get clearPass to work. I think I followed all the steps correctly, but now it is not really clear to me how to use it.
>From the documentation on http://www.ja-sig.org/wiki/display/CAS/Proxying+clear-text+credentialsI suspected that to acquire a password, one should simply call the /clearPass url giving it the Proxy Ticket with a ticket= parameter, but when I do this, clearPass will eventually redirect to the /clearPass url without parameters, which returns "No authentication information provided." Should the /clearPass be called with additional parameters? What are they? I couldn't find the documentation for this. All other CAS functionalities seem to work fine. Attached you'll find my CAS configuration and clearPass test php application. Also an capture of the network flow to the CAS server is attached in file tcpflow.log.txt. Am I doing something wrong? Thanks! Willem -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
127.000.000.001.50082-127.000.000.001.08180: GET /login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php HTTP/1.1 Host: localhost:8180 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.43 Safari/532.5 Referer: http://uportal3.ahk.nl/php/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Cookie: JSESSIONID=CD2FC8D22142873A5F08E58EB062C3DC Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 X-Forwarded-For: 10.39.0.1 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50082: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: nl-NL Content-Length: 5686 Date: Wed, 20 Jan 2010 15:35:10 GMT <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml"; lang="en"> .<head> . <title>CAS – Central Authentication Service</title> . <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> . <style type="text/css" media="screen">@import 'css/cas.css'/**/;</style> . <!--[if gte IE 6]><style type="text/css" media="screen">@import 'css/ie_cas.css';</style><![endif]--> . <script type="text/javascript" src="js/common_rosters.js"></script> . <link rel="icon" href="/favicon.ico" type="image/x-icon" /> .</head> .<body id="cas" onload="init();"> . <div id="header"> . <h1 id="app-name">Central Authentication Service (CAS)</h1> . </div> . <div id="content"> ...<form id="fm1" class="fm-v clearfix" method="post" action="/login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php"> ... <div class="box" id="login"> <!-- Proficiat met de succesvolle installatie van CAS! Met de standaard "authentication handler" kan je ingeloggen als de gebruikersnaam gelijk is aan het wachtwoord. Je kan het nu proberen. --> <h2>Om verder te gaan dien je jezelf te authenticeren.</h2> <div class="row"> <label for="username"><span class="accesskey">G</span>ebruikersnaam:</label> ...... ...... ...... ...... ......<input id="username" name="username" class="required" tabindex="1" accesskey="g" type="text" value="" size="25" autocomplete="false"/> ...... </div> <div class="row"> <label for="password"><span class="accesskey">W</span>achtwoord:</label> ...... ...... ......<input id="password" name="password" class="required" tabindex="2" accesskey="w" type="password" value="" size="25" autocomplete="off"/> </div> <div class="row check"> <input id="warn" name="warn" value="true" tabindex="3" accesskey="v" type="checkbox" /> <label for="warn"><span class="accesskey">V</span>raag toestemming vooraleer me ingelogd door te sturen naar andere sites.</label> </div> <div class="row btn-row"> ......<input type="hidden" name="lt" value="_c564D0CF3-48FE-B44C-E16F-2B64A365C86B_k6F33936A-C123-758C-2579-B6386A13ECE0" /> ......<input type="hidden" name="_eventId" value="submit" /> <input class="btn-submit" name="submit" accesskey="l" value="LOGIN" tabindex="4" type="submit" /> <input class="btn-reset" name="reset" accesskey="c" value="CLEAR" tabindex="5" type="reset" /> </div> </div> . <div id="sidebar"> . <p>Voor de veiligheid moet je uitloggen en je browser sluiten wanneer je geen toegang meer nodig hebt tot afgeschermde applicaties!</p> . <div id="list-languages"> . ...... ...... . <h3>Languages:</h3> ......<ul .......><li class="first"><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=en">English</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=es">Spanish</a></li.... .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=fr">French</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ru">Russian</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=nl">Nederlands</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=sv">Svenskt</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=it">Italiano</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ur">Urdu</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=zh_CN">Chinese (Simplified)</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=de">Deutsch</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ja">Japanese</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=hr">Croatian</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=cs">Czech</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=sl">Slovenian</a></li .......><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=pl">Polish</a></li ><li><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=pt_BR">Portuguese (Brazil)</a></li .......><li class="last"><a href="login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=tr">Turkish</a></li ......></ul> . </div> . </div> .</form> ..</div> . <div id="footer"> . <div> . <p>Copyright © 2005-2007 JA-SIG. All rights reserved.</p> . <p>Powered by <a href="http://www.ja-sig.org/products/cas/";>JA-SIG Central Authentication Service 3.3.5</a></p> . </div> . <a href="http://www.ja-sig.org"; title="go to JA-SIG home page"><img id="logo" src="images/ja-sig-logo.gif" width="118" height="31" alt="JA-SIG" title="go to JA-SIG home page" /></a> . </div> .</body> </html> 127.000.000.001.50082-127.000.000.001.08180: POST /login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php HTTP/1.1 Host: localhost:8180 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.43 Safari/532.5 Referer: https://login.ahk.nl/login?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php Cache-Control: max-age=0 Origin: https://login.ahk.nl Content-Type: application/x-www-form-urlencoded Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Cookie: JSESSIONID=CD2FC8D22142873A5F08E58EB062C3DC Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 X-Forwarded-For: 10.39.0.1 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive Content-Length: 144 username=w.toorop&password=ERASED<=_c564D0CF3-48FE-B44C-E16F-2B64A365C86B_k6F33936A-C123-758C-2579-B6386A13ECE0&_eventId=submit&submit=LOGIN 127.000.000.001.08180-127.000.000.001.50082: HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Set-Cookie: CASPRIVACY=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: CASTGC=TGT-15-bmns5TnDkxN2mq2hssCHq0I9V47CiHoJzLiAjonNdbCwZ2JgKe-cas; Path=/; Secure Location: http://uportal3.ahk.nl/php/casproxy.php?ticket=ST-74-lX5jK4md31c7cf1jsEzG-cas Content-Language: nl-NL Content-Length: 0 Date: Wed, 20 Jan 2010 15:35:16 GMT 127.000.000.001.50087-127.000.000.001.08180: GET /proxyValidate?service=http%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&ticket=ST-74-lX5jK4md31c7cf1jsEzG-cas&pgtUrl=https://uportal3.ahk.nl/php/casproxy.php HTTP/1.1 Host: localhost:8180 Accept: */* X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.50090-127.000.000.001.08180: GET /login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php HTTP/1.1 Host: localhost:8180 User-Agent: Java/1.6.0_12 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50090: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Set-Cookie: JSESSIONID=9771A7536B103E552D0658A5A79982C6; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 5645 Date: Wed, 20 Jan 2010 15:35:16 GMT <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml"; lang="en"> .<head> . <title>CAS – Central Authentication Service</title> . <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> . <style type="text/css" media="screen">@import 'css/cas.css'/**/;</style> . <!--[if gte IE 6]><style type="text/css" media="screen">@import 'css/ie_cas.css';</style><![endif]--> . <script type="text/javascript" src="js/common_rosters.js"></script> . <link rel="icon" href="/favicon.ico" type="image/x-icon" /> .</head> .<body id="cas" onload="init();"> . <div id="header"> . <h1 id="app-name">Central Authentication Service (CAS)</h1> . </div> . <div id="content"> ...<form id="fm1" class="fm-v clearfix" method="post" action="/login;jsessionid=9771A7536B103E552D0658A5A79982C6?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php"> ... <div class="box" id="login"> <!-- Congratulations on bringing CAS online! The default authentication handler authenticates where usernames equal passwords: go ahead, try it out. --> <h2>Enter your NetID and Password</h2> <div class="row"> <label for="username"><span class="accesskey">N</span>etID:</label> ...... ...... ...... ...... ......<input id="username" name="username" class="required" tabindex="1" accesskey="n" type="text" value="" size="25" autocomplete="false"/> ...... </div> <div class="row"> <label for="password"><span class="accesskey">P</span>assword:</label> ...... ...... ......<input id="password" name="password" class="required" tabindex="2" accesskey="p" type="password" value="" size="25" autocomplete="off"/> </div> <div class="row check"> <input id="warn" name="warn" value="true" tabindex="3" accesskey="w" type="checkbox" /> <label for="warn"><span class="accesskey">W</span>arn me before logging me into other sites.</label> </div> <div class="row btn-row"> ......<input type="hidden" name="lt" value="_c44598235-CF9D-1671-E7B9-60B6F9113F5C_k6E274382-F9E3-BDDB-A8CA-E54712B0320E" /> ......<input type="hidden" name="_eventId" value="submit" /> <input class="btn-submit" name="submit" accesskey="l" value="LOGIN" tabindex="4" type="submit" /> <input class="btn-reset" name="reset" accesskey="c" value="CLEAR" tabindex="5" type="reset" /> </div> </div> . <div id="sidebar"> . <p>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!</p> . <div id="list-languages"> . ...... ...... . <h3>Languages:</h3> ......<ul .......><li class="first"><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=en">English</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=es">Spanish</a></li.... .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=fr">French</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ru">Russian</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=nl">Nederlands</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=sv">Svenskt</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=it">Italiano</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ur">Urdu</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=zh_CN">Chinese (Simplified)</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=de">Deutsch</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=ja">Japanese</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=hr">Croatian</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=cs">Czech</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=sl">Slovenian</a></li .......><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=pl">Polish</a></li ><li><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=pt_BR">Portuguese (Brazil)</a></li .......><li class="last"><a href="login?service=https%3A%2F%2Fuportal3.ahk.nl%2Fphp%2Fcasproxy.php&locale=tr">Turkish</a></li ......></ul> . </div> . </div> .</form> ..</div> . <div id="footer"> . <div> . <p>Copyright © 2005-2007 JA-SIG. All rights reserved.</p> . <p>Powered by <a href="http://www.ja-sig.org/products/cas/";>JA-SIG Central Authentication Service 3.3.5</a></p> . </div> . <a href="http://www.ja-sig.org"; title="go to JA-SIG home page"><img id="logo" src="images/ja-sig-logo.gif" width="118" height="31" alt="JA-SIG" title="go to JA-SIG home page" /></a> . </div> .</body> </html> 127.000.000.001.08180-127.000.000.001.50087: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 265 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:authenticationSuccess> ..<cas:user>w.toorop</cas:user> ..<cas:proxyGrantingTicket>PGTIOU-7-VuGc0kMaiLiJHLfkg7oB-cas</cas:proxyGrantingTicket> .</cas:authenticationSuccess> </cas:serviceResponse> 127.000.000.001.50093-127.000.000.001.08180: GET /proxy?targetService=https%3A%2F%2Flogin.ahk.nl%2FclearPass&pgt=TGT-16-NWKpxG7UgwmfWCsfmKY2mXdtyIqRA4Mkz7fS5qe2gi1kXNgFcY-cas HTTP/1.1 Host: localhost:8180 Accept: */* X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50093: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/plain;charset=ISO-8859-1 Content-Language: en-US Content-Length: 193 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:proxySuccess> ..<cas:proxyTicket>ST-75-whldTmQwieOHqhFbFCEd-cas</cas:proxyTicket> .</cas:proxySuccess> </cas:serviceResponse> 127.000.000.001.50095-127.000.000.001.08180: GET /clearPass?ticket=ST-75-whldTmQwieOHqhFbFCEd-cas HTTP/1.1 Host: localhost:8180 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.50082-127.000.000.001.08180: GET /proxyValidate?&ticket=ST-75-whldTmQwieOHqhFbFCEd-cas&service=https%3A%2F%2Flogin.ahk.nl%2FclearPass HTTP/1.1 Host: localhost:8180 User-Agent: Java/1.6.0_12 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50082: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 280 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:authenticationSuccess> ..<cas:user>w.toorop</cas:user> ..<cas:proxies> ...<cas:proxy>https://uportal3.ahk.nl/php/casproxy.php</cas:proxy> ..</cas:proxies> .</cas:authenticationSuccess> </cas:serviceResponse> 127.000.000.001.08180-127.000.000.001.50095: HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Location: https://login.ahk.nl/clearPass Content-Length: 0 Date: Wed, 20 Jan 2010 15:35:16 GMT 127.000.000.001.50098-127.000.000.001.08180: GET /clearPass HTTP/1.1 Host: localhost:8180 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50098: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/plain;charset=ISO-8859-1 Content-Language: en-US Content-Length: 177 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure> </cas:clearPassResponse> 127.000.000.001.50087-127.000.000.001.08180: GET /proxy?targetService=https%3A%2F%2Flogin.ahk.nl%2FclearPass&pgt=TGT-16-NWKpxG7UgwmfWCsfmKY2mXdtyIqRA4Mkz7fS5qe2gi1kXNgFcY-cas HTTP/1.1 Host: localhost:8180 Accept: */* X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50087: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/plain;charset=ISO-8859-1 Content-Language: en-US Content-Length: 193 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:proxySuccess> ..<cas:proxyTicket>ST-76-rxzPAmygLLbXoY0YxZWF-cas</cas:proxyTicket> .</cas:proxySuccess> </cas:serviceResponse> 127.000.000.001.50093-127.000.000.001.08180: GET /clearPass?ticket=ST-76-rxzPAmygLLbXoY0YxZWF-cas HTTP/1.1 Host: localhost:8180 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.50082-127.000.000.001.08180: GET /proxyValidate?&ticket=ST-76-rxzPAmygLLbXoY0YxZWF-cas&service=https%3A%2F%2Flogin.ahk.nl%2FclearPass HTTP/1.1 Host: localhost:8180 User-Agent: Java/1.6.0_12 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50082: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 280 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:authenticationSuccess> ..<cas:user>w.toorop</cas:user> ..<cas:proxies> ...<cas:proxy>https://uportal3.ahk.nl/php/casproxy.php</cas:proxy> ..</cas:proxies> .</cas:authenticationSuccess> </cas:serviceResponse> 127.000.000.001.08180-127.000.000.001.50093: HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Location: https://login.ahk.nl/clearPass Content-Length: 0 Date: Wed, 20 Jan 2010 15:35:16 GMT 127.000.000.001.50095-127.000.000.001.08180: GET /clearPass HTTP/1.1 Host: localhost:8180 X-Forwarded-For: 145.102.112.89 X-Forwarded-Host: login.ahk.nl X-Forwarded-Server: login.ahk.nl Connection: Keep-Alive 127.000.000.001.08180-127.000.000.001.50095: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/plain;charset=ISO-8859-1 Content-Language: en-US Content-Length: 177 Date: Wed, 20 Jan 2010 15:35:16 GMT <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'> .<cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure> </cas:clearPassResponse>
<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"; version="2.4"> <display-name>Central Authentication System (CAS) 3.0</display-name> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-configuration/*.xml /WEB-INF/deployerConfigContext.xml </param-value> </context-param> <!-- place this into the contextConfigLocation to enable remote services /WEB-INF/remoteServices.xml, classpath:org/codehaus/xfire/spring/xfire.xml place this into the contextConfigLocation to enable the event publishing --> <!-- - Location of the Log4J config file, for initialization and refresh checks. - Applied by Log4jConfigListener. --> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.properties</param-value> </context-param> <context-param> <param-name>log4jExposeWebAppRoot</param-name> <param-value>false</param-value> </context-param> <filter> <filter-name>CAS Client Info Logging Filter</filter-name> <filter-class>org.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class> </filter> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://login.ahk.nl</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://login.ahk.nl</param-value> </init-param> <init-param> <param-name>exceptionOnValidationFailure</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>allowedProxyChains</param-name> <param-value> http://uportal3.ahk.nl/php/casproxy.php https://uportal3.ahk.nl/php/casproxy.php https://uportal3.ahk.nl/php/hopsakidee.php </param-value> </init-param> <init-param> <param-name>useSession</param-name> <param-value>false</param-value> </init-param> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/services/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Client Info Logging Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/clearPass</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/clearPass</url-pattern> </filter-mapping> <!-- - Configures Log4J for this web app. - As this context specifies a context-param "log4jConfigLocation", its file path - is used to load the Log4J configuration, including periodic refresh checks. - - Would fall back to default Log4J initialization (non-refreshing) if no special - context-params are given. - - Exports a "web app root key", i.e. a system property that specifies the root - directory of this web app, for usage in log file paths. - This web app specifies "cas.root" (see log4j.properties file). --> <!-- Leave the listener commented-out if using JBoss --> <listener> <listener-class> org.springframework.web.util.Log4jConfigListener </listener-class> </listener> <!-- - Loads the CAS ApplicationContext. - The deployer choice here is how to handle Throwables thrown by Spring's - ContextLoaderListener. The Spring ContextLoaderListener will throw an exception when the - application context cannot be loaded, say because the bean XML files are not valid XML or do not - refer to real classes and properties or because a bean configured via Spring throws an exception - at construction, property setting, or on an afterPropertiesSet() lifecycle method. - - If you'd like these errors to be fatal and prevent the CAS servlet context from loading at all, - use org.springframework.web.context.ContextLoaderListener. - - If you'd like these errors to result in all requests for CAS getting a "CAS is Unavailable" response, - use org.jasig.cas.web.init.SafeContextLoaderListener --> <listener> <listener-class> org.jasig.cas.web.init.SafeContextLoaderListener </listener-class> </listener> <!-- - This is the Spring dispatcher servlet which delegates all requests to the - Spring WebMVC controllers as configured in cas-servlet.xml. - - The choice made above about how to handle a broken ApplicationContext at - context initialization applies here as well, since this servlet is load-on-startup. - - If you'd like these errors to be fatal and prevent the CAS servlet from loading at all, - use org.springframework.web.servlet.DispatcherServlet. - - If you'd like these errors to result in all requests for CAS getting a "CAS is Unavailable" response, - use org.jasig.cas.web.init.SafeDispatcherServlet --> <servlet> <servlet-name>cas</servlet-name> <servlet-class> org.jasig.cas.web.init.SafeDispatcherServlet </servlet-class> <init-param> <param-name>publishContext</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/login</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/validate</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/serviceValidate</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/samlValidate</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/proxy</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/proxyValidate</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/CentralAuthenticationService</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/add.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/viewStatistics.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/logout.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/loggedOut.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/manage.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/edit.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/openid/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/services/deleteRegisteredService.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/clearPass</url-pattern> </servlet-mapping> <session-config> <!-- Default to 5 minute session timeouts --> <session-timeout>5</session-timeout> </session-config> <error-page> <exception-type>org.springframework.context.ApplicationContextException</exception-type> <location>/WEB-INF/view/jsp/brokenContext.jsp</location> </error-page> <error-page> <error-code>500</error-code> <location>/WEB-INF/view/jsp/errors.jsp</location> </error-page> <error-page> <error-code>404</error-code> <location>/</location> </error-page> <error-page> <error-code>403</error-code> <location>/WEB-INF/view/jsp/default/ui/casBlockedView.jsp</location> </error-page> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app>
<<attachment: casproxy.php>>
<?xml version="1.0" encoding="UTF-8"?> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing your approach for authenticating usernames and passwords. +--> <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:p="http://www.springframework.org/schema/p"; xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd";> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource"> <property name="pooled" value="true"/> <property name="urls"> <list> <value>ldap://pepijn.ahk.nl/</value> </list> </property> <property name="userDn" value="cn=PosixAccess,ou=Special Users,o=ahk.nl,o=ahk"/> <property name="password" value="ERASED"/> <property name="baseEnvironmentProperties"> <map> <entry> <key> <value>java.naming.security.authentication</value> </key> <value>simple</value> </entry> </map> </property> </bean> <!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, | "authenticationManager". Most deployers will be able to use the default AuthenticationManager | implementation and so do not need to change the class of this bean. We include the whole | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will | need to change in context. +--> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="authenticationMetaDataPopulators"> <list> <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator"> <constructor-arg index="0" ref="credentialsCache" /> </bean> </list> </property> <!-- | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which | supports the presented credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are | using. | | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. | You will need to change this list if you are identifying services by something more or other than their callback URL. +--> <property name="credentialsToPrincipalResolvers"> <list> <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. | | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the | Credentials you are using. +--> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> <!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a | SimpleService identified by that callback URL. | | If you are representing services by something more or other than an HTTPS URL whereat they are able to | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). +--> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> <!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn | until it finds one that both supports the Credentials presented and succeeds in authenticating. +--> <property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> +--> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"> <property name="filter" value="uid=%u" /> <property name="searchBase" value="ou=People,o=ahk.nl,o=ahk" /> <property name="contextSource" ref="contextSource" /> </bean> </list> </property> </bean> <!-- This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version. More robust deployments will want to use another option, such as the Jdbc version. The name of this should remain "userDetailsService" in order for Acegi to find it. To use this, you should add an entry similar to the following between the two value tags: battags=notused,ROLE_ADMIN where battags is the username you want to grant access to. You can put one entry per line. --> <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> </value> </property> </bean> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. --> <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"> <property name="backingMap"> <map> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> </map> </property> </bean> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao". --> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" /> </beans>
