Here is my working (W2003 - AD) deployerConfigContext.xml:
-----------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
  | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
  | all CAS deployers will need to modify.
  |
  | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
  | The beans declared in this file are instantiated at context initialization time by the Spring
  | ContextLoaderListener declared in web.xml.  It finds this file because this
  | file is among those declared in the context parameter "contextConfigLocation".
  |
  | By far the most common change you will need to make in this file is to change the last bean
  | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
  | one implementing your approach for authenticating usernames and passwords.
  +-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
  <!--
    | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean.  We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <!--
      | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
      | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
      | supports the presented credentials.
      |
      | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
      | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
      | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need
      | to replace DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
      | using.
      |
      | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
      | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
      | You will need to change this list if you are identifying services by something more or other than their callback URL.
      +-->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!--
          | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
          | by default and produces SimplePrincipal instances conveying the username from the credentials.
          |
          | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
          | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver
          | that supports the Credentials you are using.
          +-->
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

        <!--
          | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
          | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
          | SimpleService identified by that callback URL.
          |
          | If you are representing services by something more or other than an HTTPS URL whereat they are able to
          | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
          +-->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />

        <!-- SPNEGO -->
        <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />

      </list>
    </property>

    <!--
      | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
      | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
      | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
      | until it finds one that both supports the Credentials presented and succeeds in authenticating.
      +-->
    <property name="authenticationHandlers">
      <list>
        <!-- SPNEGO -->
        <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
          <property name="authentication">
            <bean class="jcifs.spnego.Authentication" />
          </property>
          <property name="principalWithDomainName" value="false" />
          <property name="NTLMallowed" value="true" />
        </bean>

        <!--
          | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
          | a server side SSL certificate.
          +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient" />

        <!-- LDAP - AD -->
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="sAMAccountName=%u" />
          <property name="searchBase" value="cn=Users,dc=demoaj,dc=mju,dc=es" />
          <property name="contextSource" ref="contextSource" />
          <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
        </bean>

      </list>
    </property>
  </bean>

  <!--
    This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the Jdbc version.

    The name of this should remain "userDetailsService" in order for Acegi to find it.

    To use this, you should add an entry similar to the following between the two value tags:
    battags=notused,ROLE_ADMIN

    where battags is the username you want to grant access to.  You can put one entry per line.
    -->
  <bean id="userDetailsService"
        class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>

      </value>
    </property>
  </bean>

  <!--
    Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
    may go against a database or LDAP server.  The id should remain "attributeRepository" though.
    -->
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
      </map>
    </property>
  </bean>

  <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".
    -->
  <bean id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

  <!-- SPNEGO -->
  <bean name="jcifsConfig"
        class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/[email protected]" />
    <property name="jcifsServicePassword" value="salta666" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="DEMOJ.DEMO.COM" />
    <property name="kerberosKdc" value="10.12.99.111" />
    <property name="loginConf" value="c:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas33/WEB-INF/login.conf" />
  </bean>

  <!-- AD / LDAP -->
  <bean name="contextSource"
        class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls">
      <list>
        <value>ldap://serv5demo/</value>
        <value>ldap://serv4demo/</value>
      </list>
    </property>
    <property name="userName" value="cn=adacc,cn=Users,dc=demoaj,dc=demo,dc=com" />
    <property name="password" value="fakepasswd" />
    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key>
            <value>java.naming.security.authentication</value>
          </key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>

</beans>

-----------------------------------------
And there I was trying to figure out why exactly CAS authentication via
SPNEGO was working more or less fine in Firefox and not so well in IE8
... and I hadn't seen the recent changes to the wiki yet. I just figured
my configuration was (partially) wrong.

Has anyone ever configured CAS to use SPNEGO when CAS is running on a
Windows Server? The settings are somewhat different (because it's not a
Unix server, obviously) from what I could gather, but I had no real point
of reference (other than the APIs of the libraries themselves). An
example of a jcifsConfig bean in particular would be interesting.

On 11/02/2010 16:28, Scott Battaglia wrote:
> I'm not Dean, but there were prior emails on the cas-user or cas-dev
> list that a recent patch from Microsoft broke SPNEGO with existing
> JVMs.  JDK 1.7 was already compatible.  I thought they were going to
> backport the change to the latest 1.6 JVMs.   I'm not sure if they did
> yet.
>
> Dean could be talking about something completely different though.
>
>
> On Thu, Feb 11, 2010 at 10:22 AM, Marvin Addison <[email protected]> wrote:
>
>     > Is the underlying cause of the alleged incompatibility known?
>     > Perhaps the author of that CASUM page can offer some insight here?
>
>     Care to jump in here, Dean?
>
>     M
>
>     --
>     You are currently subscribed to [email protected]
>     <mailto:[email protected]> as: [email protected]
>     <mailto:[email protected]>
>     To unsubscribe, change settings or access archives, see
>     http://www.ja-sig.org/wiki/display/JSG/cas-user
>

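As an added review aid for the deployerConfigContext.xml posted at the top of this message (this is not CAS project code and not the poster's), the script below parses the Spring beans XML and flags the SPNEGO and LDAP settings a deployer would want to check before going to production: a jcifsServicePrincipal whose realm does not match kerberosRealm (Kerberos realms are case-sensitive, and Windows domains conventionally use an upper-case realm), kerberosDebug left on, NTLM fallback allowed on the SPNEGO handler, a simple bind over plain ldap:// (the bind password crosses the wire unencrypted), and passwords written as literals instead of `${...}` placeholders resolved by Spring's PropertyPlaceholderConfigurer from a file outside the webapp. SAMPLE_XML is a constructed, trimmed version of the posted file; its hostnames, realm, KDC address, bind DN and passwords are placeholders, and `hardened_sample()` shows the same file with each finding remediated.

```python
"""Lint the SPNEGO / LDAP beans of a CAS 3.x deployerConfigContext.xml.

Added example for this thread, not CAS project code.  SAMPLE_XML is a
constructed, trimmed version of the posted file with placeholder values.
"""
import re
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
TRUTHY = {"true", "yes", "on", "1"}  # strings Spring's boolean editor treats as true

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers"><list>
      <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="NTLMallowed" value="true"/>
      </bean>
    </list></property>
  </bean>
  <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/cas.demo.example@demoj.demo.example"/>
    <property name="jcifsServicePassword" value="placeholder-spn-password"/>
    <property name="kerberosDebug" value="true"/>
    <property name="kerberosRealm" value="DEMOJ.DEMO.EXAMPLE"/>
  </bean>
  <bean name="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls"><list>
      <value>ldap://dc1.demo.example/</value><value>ldaps://dc2.demo.example/</value>
    </list></property>
    <property name="userName" value="cn=svc-cas,cn=Users,dc=demo,dc=example"/>
    <property name="password" value="placeholder-bind-password"/>
    <property name="baseEnvironmentProperties"><map><entry>
      <key><value>java.naming.security.authentication</value></key><value>simple</value>
    </entry></map></property>
  </bean>
</beans>
"""


def _beans(root, class_suffix):
    """All <bean> elements (at any depth) whose class attribute ends with class_suffix."""
    return [b for b in root.iter("{%s}bean" % NS["b"])
            if (b.get("class") or "").endswith(class_suffix)]


def _prop(bean, name):
    """The value attribute of the bean's <property name=...>, or None."""
    p = bean.find("b:property[@name='%s']" % name, NS)
    return None if p is None else p.get("value")


def _is_secret_literal(value):
    """A literal password is a finding; a ${...} placeholder (externalized) is not."""
    return bool(value) and not re.fullmatch(r"\$\{[^}]+\}", value)


def lint(xml_text):
    """Return a list of (code, detail) findings for the SPNEGO and LDAP beans."""
    root = ET.fromstring(xml_text)
    findings = []
    for b in _beans(root, ".JCIFSConfig"):
        realm = _prop(b, "kerberosRealm") or ""
        spn = _prop(b, "jcifsServicePrincipal") or ""
        if realm != realm.upper():
            findings.append(("REALM_NOT_UPPERCASE", realm))
        m = re.fullmatch(r"HTTP/([^@/]+)@([^@]+)", spn)
        if not m:
            findings.append(("SPN_FORMAT", spn))
        elif m.group(2) != realm:  # realms are compared case-sensitively by Kerberos
            findings.append(("SPN_REALM_MISMATCH", spn))
        if (_prop(b, "kerberosDebug") or "").lower() in TRUTHY:
            findings.append(("KERBEROS_DEBUG_ON", "kerberosDebug"))
        if _is_secret_literal(_prop(b, "jcifsServicePassword")):
            findings.append(("LITERAL_SERVICE_PASSWORD", "jcifsServicePassword"))
    for b in _beans(root, ".JCIFSSpnegoAuthenticationHandler"):
        if (_prop(b, "NTLMallowed") or "").lower() in TRUTHY:
            findings.append(("NTLM_FALLBACK_ALLOWED", "NTLMallowed"))
    for b in _beans(root, ".AuthenticatedLdapContextSource"):
        auth = None  # value of java.naming.security.authentication, if set
        for entry in b.findall(".//b:map/b:entry", NS):
            key, val = entry.find("b:key/b:value", NS), entry.find("b:value", NS)
            if key is not None and key.text == "java.naming.security.authentication":
                auth = (val.text or "").strip() if val is not None else None
        for v in b.findall("b:property[@name='urls']/b:list/b:value", NS):
            url = (v.text or "").strip()
            if url.lower().startswith("ldap://") and auth == "simple":
                findings.append(("CLEARTEXT_SIMPLE_BIND", url))
        if _is_secret_literal(_prop(b, "password")):
            findings.append(("LITERAL_BIND_PASSWORD", "password"))
    return findings


def hardened_sample():
    """SAMPLE_XML with every finding remediated (also constructed)."""
    return (SAMPLE_XML
            .replace("@demoj.demo.example", "@DEMOJ.DEMO.EXAMPLE")
            .replace('"kerberosDebug" value="true"', '"kerberosDebug" value="false"')
            .replace('"NTLMallowed" value="true"', '"NTLMallowed" value="false"')
            .replace("ldap://dc1.demo.example/", "ldaps://dc1.demo.example/")
            .replace('"placeholder-spn-password"', '"${spnego.service.password}"')
            .replace('"placeholder-bind-password"', '"${ldap.bind.password}"'))


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_XML):
        print(code, detail)
    print("hardened findings:", lint(hardened_sample()))
```

Run it against a real file with `lint(open(path).read())`; the checks key off the class-name suffixes, so they survive the bean ids being renamed. The NTLM check is informational: the posted file needs NTLMallowed=true while Kerberos is being debugged, and the point of the finding is to remember to turn it off once the Kerberos path works, since an NTLM fallback means the weaker mechanism is accepted whenever a client fails to obtain a ticket.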