Hi Marvin, all--

I followed your suggestions but am getting the same end result.
However, I did figure out the root problem: it was on the client side.
Here is the Spring Security configuration for the client. How can I
just get CAS LDAP + Spring Security to keep all of the defined
groups/associations in directory.acme.com and propagate them to
the client (I placed a comment where I was able to get things
working)?

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- CAS-protected URL space; the CAS entry point redirects unauthenticated users to the CAS login page -->
    <sec:http entry-point-ref="casProcessingFilterEntryPoint">
        <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" requires-channel="https"/>
        <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
        <sec:logout logout-success-url="/cas-logout.jsp"/>
        <sec:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
    </sec:http>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="casAuthenticationProvider"/>
    </sec:authentication-manager>

    <!-- Consumes the service ticket returned by CAS and hands it to the authentication manager -->
    <bean id="casAuthenticationFilter"
          class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/casfailed.jsp"/>
            </bean>
        </property>
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/"/>
            </bean>
        </property>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <property name="proxyReceptorUrl" value="/secure/receptor"/>
    </bean>

    <bean id="casProcessingFilterEntryPoint"
          class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://localhost:9443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Validates the ticket against the CAS server and loads the user's authorities from userService -->
    <bean id="casAuthenticationProvider"
          class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <property name="userDetailsService" ref="userService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://localhost:9443/cas"/>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
                <property name="proxyCallbackUrl" value="https://localhost:8443/cas-sample/secure/receptor"/>
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <bean id="proxyGrantingTicketStorage"
          class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <bean id="serviceProperties"
          class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- Static, in-memory authorities: only users listed here receive any roles -->
    <sec:user-service id="userService">
        <!-- If I add a [email protected] entry with all authorities, then the solution works! -->
        <sec:user name="rod" password="rod" authorities="ROLE_SUPERVISOR,ROLE_USER"/>
        <sec:user name="dianne" password="dianne" authorities="ROLE_USER"/>
        <sec:user name="scott" password="scott" authorities="ROLE_USER"/>
    </sec:user-service>
</beans>

My organization already has put a lot of effort into hierarchy
planning and the result is a very well defined, and utilized, set of
LDAP authority roles. I want to exploit them! :-) Is there something
on CAS configuration that needs change in order to propagate the
results?

Thank you very much,
-Jesse


On Mon, Mar 1, 2010 at 10:56 AM, Marvin Addison
<[email protected]> wrote:
>>          <property name="filter" value="email={%u}"/>
>
> I don't believe you need the enclosing braces above.
>
> The best way to diagnose errors is to review the cas.log file on the
> server.  It's written to the current working directory of the Java
> process running your container by default.  Please share the
> relevant parts of that file if changing your filter doesn't help.
>
> Unrelated to authentication problems, you should consider setting
> pooled=false for your LdapContextSource.  When set to true, that flag
> triggers JNDI context pooling for LDAP connections, which is a
> security liability for connections used for authentication.
>
> M

-- 
There are 10 types of people in this world, those
that can read binary and those that can not.
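Editor's note, added to this thread and not part of either poster's configuration: the client above only ever grants the roles listed in the static `sec:user-service`, so directory group membership can never reach the application. Spring Security 3.0 ships `GrantedAuthorityFromAssertionAttributesUserDetailsService`, which builds the authorities from attributes in the validated CAS assertion instead. The fragment below replaces the `casAuthenticationProvider` and `userService` beans from the posted file; the attribute name `memberOf` is an assumption, and the CAS server is assumed to release that attribute in its validation response.

```xml
<!-- Added example (not from the thread). Drop-in replacement for the
     casAuthenticationProvider and userService beans in the client config.
     Assumption: the CAS server releases an attribute named "memberOf"
     whose values are the LDAP group names to be used as authorities. -->
<bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <!-- Authorities are read from the CAS assertion, not from a static user list -->
    <property name="authenticationUserDetailsService" ref="assertionUserService"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:9443/cas"/>
            <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
            <property name="proxyCallbackUrl"
                      value="https://localhost:8443/cas-sample/secure/receptor"/>
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>

<bean id="assertionUserService"
      class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
    <!-- Every value of each listed assertion attribute becomes one GrantedAuthority -->
    <constructor-arg index="0">
        <list>
            <value>memberOf</value>  <!-- assumed attribute name -->
        </list>
    </constructor-arg>
    <!-- Default is true: "role_user" released by CAS matches the ROLE_USER intercept-url rule -->
    <property name="convertToUpperCase" value="true"/>
</bean>
```

With this in place the `sec:user-service` bean can be deleted, so authorization decisions track the directory rather than a list hard-coded in the web application. Two things must still line up: the values CAS releases have to match the names used in the `intercept-url` rules (or be mapped to them on the server), and the server must actually include the attribute in the response; the stock CAS 3.x CAS 2.0 validation view carries no attributes, so either that view is customised or SAML 1.1 validation is used instead.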
