Greetings,

I'm a very recent (near-messianic) convert to JA-SIG's CAS
implementation, thank you very much for your work!

I am converting an existing application from using Spring Security
(3.0.x) directly doing LDAP authentication to a CAS-based (3.3.5) LDAP
authentication system. My existing application has been deployed for
about 4 months and is working very nicely - it's just that now I want
to have SSO features for my users as I am hearing lots of grumbling at
the office water cooler about having to log in multiple times.

Here is the working Spring Security configuration:

web.xml:

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

applicationContext-security.xml:

  <security:http realm="Intranet Password">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
    <security:http-basic />
    <security:logout logout-url="/logout" logout-success-url="/logout-success.html" />
  </security:http>

  <security:ldap-server url="ldap://directory.acme.com" root="ou=directory,o=acme.com" />

  <security:authentication-manager>
    <security:ldap-authentication-provider
      user-search-base="ou=directory,o=acme.com"
      user-search-filter="email={0}" />
  </security:authentication-manager>

With this setup, when a user loads my application they are prompted
immediately by a browser-specific popup box asking for intranet
credentials; I enter my intranet credentials and am verified (I also
verify that invalid credentials are rejected). All is well. Now with
CAS, I am using the Maven overlay system and overriding just a couple
of files (I will omit messages.properties and css changes) to try and
wire in LDAP support.

deployerConfigContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient"/>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="contextSource" ref="contextSource" />
          <property name="filter" value="email={%u}"/>
          <property name="searchBase" value="ou=directory,o=acme.com"/>
          <property name="scope" value="2" />
        </bean>
      </list>
    </property>
  </bean>

  <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
      <list><value>ldap://directory.acme.com</value></list>
    </property>
    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key><value>java.naming.security.authentication</value></key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>

  <bean id="userDetailsService"
        class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap"><value/></property>
  </bean>

  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid"/>
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation"/>
        <entry key="groupMembership" value="groupMembership"/>
      </map>
    </property>
  </bean>

  <bean id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"/>
</beans>

Finally, I use the CAS example projects, unmodified, in Spring
Security (https://fisheye.springsource.org/browse/spring-security/samples/cas)
to run a very minimal client which authenticates itself against CAS
(I verified client applications work with default username=password
setup of CAS). When I then fire a request to be authenticated through
any browser I see that authentication is attempted on both client
(pushing to CAS) and server (contacting directory.acme.com), but the
user is never actually authenticated against LDAP. And then I get the
authentication rejected page displayed to my web browser.

It looks like CAS LDAP uses the same version of Spring LDAP that I
have wired in for Spring Security; therefore, I suspect I'm doing
something really silly, and I would be at least two beer rounds
indebted to whoever can point me in the right direction. :-) Thank
you in advance,

-Jesse

-- 
There are 10 types of people in this world, those
that can read binary and those that can not.

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
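The post above wires the same search-then-bind LDAP flow twice, once through Spring Security (filter placeholder `{0}`) and once through the CAS BindLdapAuthenticationHandler (filter placeholder `%u`). The following is an added example, not code from the post, from CAS or from Spring: a small Python simulation of that flow against an in-memory stand-in for directory.acme.com, so it runs offline. It renders the filter template with either placeholder convention, escapes the username per RFC 4515 before substitution so user input cannot change the filter's shape, resolves exactly one DN, and only then binds with the supplied password. The directory entries, users and passwords are constructed for the example; the `email` attribute name and search base are taken from the post.

```python
"""Search-then-bind LDAP authentication, simulated offline.

Added example (not CAS or Spring Security code). The directory below is a
constructed stand-in for directory.acme.com.
"""
import re

# Constructed stand-in for the directory: DN -> (attributes, password).
FAKE_DIRECTORY = {
    "uid=jdoe,ou=directory,o=acme.com": (
        {"uid": "jdoe", "email": "jdoe@acme.com"}, "correct horse"),
    "uid=asmith,ou=directory,o=acme.com": (
        {"uid": "asmith", "email": "asmith@acme.com"}, "battery staple"),
}

SEARCH_BASE = "ou=directory,o=acme.com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value ('*', '(', ')', '\\', NUL)
    before it is placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, username: str) -> str:
    """Substitute the escaped username for the Spring Security placeholder
    ({0}) or the CAS placeholder (%u). Any other characters around the
    placeholder stay in the filter literally, so a template such as
    'email={%u}' searches for a value wrapped in braces."""
    escaped = escape_filter_value(username)
    return template.replace("{0}", escaped).replace("%u", escaped)


def parse_equality_filter(ldap_filter: str):
    """Accept a single equality filter, with or without parentheses."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    return m.group(1), m.group(2)


def search(search_base: str, ldap_filter: str):
    """Subtree search (the post's scope=2): return DNs under the base whose
    attribute equals the filter value. Escaped values compare literally,
    which is exactly why '*' in a username no longer acts as a wildcard."""
    attr, value = parse_equality_filter(ldap_filter)
    return [dn for dn, (attrs, _pw) in FAKE_DIRECTORY.items()
            if dn.endswith(search_base) and attrs.get(attr) == value]


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only for a known DN with the right password."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def authenticate(template: str, search_base: str,
                 username: str, password: str) -> bool:
    """Search for the user with the rendered filter; refuse unless exactly
    one entry matches; then bind as that DN with the supplied password."""
    dns = search(search_base, render_filter(template, username))
    if len(dns) != 1:
        return False
    return bind(dns[0], password)


if __name__ == "__main__":
    for tmpl in ("email={0}", "email=%u", "email={%u}"):
        ok = authenticate(tmpl, SEARCH_BASE, "jdoe@acme.com", "correct horse")
        print("%-12s -> %s" % (tmpl, "authenticated" if ok else "rejected"))
```

Run with any of the three templates to see which placeholder each convention honours; the injection-style username cases in the checks below are rejected because escaping keeps the filter to a single equality assertion.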