> I've added the org.jasig.cas.client.authentication.AuthenticationFilter > after the SingleSignOutFilter and before the CAS WebAuthenticationFilter.
Whoops! I misspoke when I mentioned that WebAuthenticationFilter is responsible for the initial redirect to CAS. That's the responsibility of AuthenticationFilter. I believe I need to make the necessity of AuthenticationFilter clearer in https://wiki.jasig.org/display/CASC/JAAS+Integration. > 2010-11-16 17:01:04,000 DEBUG > [org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter] > (http-127.0.0.1-8443-1) JBoss Web authentication failed. That follows immediately after the programmatic JAAS login attempt, so it could be failing anywhere in the JAAS provider chain. Do you have the entire org.jasig.cas.client package in debug? If so and you don't see debug output from org.jasig.cas.client.jaas.CasLoginModule, then you're not getting that far. > How can I debug this? Debugging JAAS is a pain, and I can't really offer any additional suggestions for more logging. It will likely be a trial-and-error effort. > Perhaps > the server notices a role requirement, but due to the lack of > <login-config/> in web.xml it returns 403 immediately. Sounds reasonable. > Is is possible at all > to use the CasLoginModule in both EJB and web layers? Possible, but not supported out of the box. You'll need a custom component that can extract the service and ticket from the CAS server redirect and inject them into the JAAS pipeline for username and password. WebAuthenticationFilter and WebAuthentication classes perform this functionality in a JBoss-specific way, but it should be possible to do this for other JAAS providers. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
