On Fri, Oct 28, 2011 at 10:50 AM, Joel Goguen <[email protected]> wrote:
> Hi Bill,
>
> Thanks for the advice. ClearPass is already installed and working with a
> Liferay portal, but the .NET example you pointed me at really helped me
> get my test CGI going. I'm now getting
> org.jasig.cas.client.validation.InvalidProxyChainTicketValidationException,
> which I expect because I don't (yet) have the URL of the test CGI in the
> allowedProxyChains bean.
>
> Is there a way that I could configure allowedProxyChains to accept any URL
> with a specific domain? Something that would automatically allow any path
> from any sub-domain, with an end of allowing, for example,
> https://**.devnet.example.edu/** but do not allow anything from
> example.edu or any other subdomain of example.edu unless they are
> separately specified?
No, I don't believe that kind of behavior is supported by the Java CAS Client:
https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml

acceptAnyProxy (default: false) - specifies whether any proxy is OK.
allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.

Best,
Bill

> --
> Joel Goguen
> Developer
> Enterprise Solutions
> Integrated Technology Services
> University of New Brunswick
> E-mail: [email protected]
> Phone: (506) 453-4872
> Fax: (506) 453-3590
>
> On 11-10-28 10:07, "William G. Thompson, Jr." <[email protected]> wrote:
>
>>On Wed, Oct 26, 2011 at 7:25 AM, Joel Goguen <[email protected]> wrote:
>>> I'm trying to figure out how to fetch a user's credentials from clearPass
>>> from a CGI script. Currently, this CGI script is behind a CAS-authenticated
>>> directory (using mod_auth_cas in Apache) but that could change if
>>> needed. I'm trying to use the Perl AuthCAS module, but I'm not having much
>>> luck whether I let Apache handle the CAS authentication or not.
>>> So far, I have been able to (outside a CAS directory) validate a service
>>> ticket ($cas->validateST()) and get a proxy ticket ($cas->receivePT()) and
>>> validate the proxy ticket ($cas->validatePT()), but I'm uncertain of where
>>> to go from there. The proxy callback URL I set in the CGI is another CGI I
>>> wrote that only stores the PGT and PGT IOU in a file using $cas->storePGT().
>>> I suspect I will need to add the URL for the CGI to the allowedProxyChains
>>> bean in deployerConfigContext.xml as well?
>>
>>To start you need to make sure you have clearPass installed and
>>configured.
>>https://wiki.jasig.org/display/CASUM/ClearPass
>>https://github.com/wgthom/clearpass-cas
>>
>>Next...the CGIService needs to acquire a PGT when validating the ST.
>>Using the PGT, the CGIService must request a Proxy Ticket for clearPass.
>>Using the PT, CGIService requests username/password from clearPass.
>>
>>CasOwa provides an example of this using the .Net CAS Client:
>>https://github.com/wgthom/CasOwa/blob/master/CasOwaAuthHandler.cs
>>
>>Also note that your CGIService doesn't need to be configured to
>>accept proxy tickets for authentication in order to use them.
>>
>>Best,
>>Bill

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
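The matching behaviour described in the reply above, modelled as an added example that is not part of the thread and not the Java CAS Client's own code. It assumes a chain passes only when it equals one configured entry URL for URL (or acceptAnyProxy is set); the function names and the devnet.example.edu callback URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample value for allowedProxyChains: one chain per line,
# URLs within a chain separated by spaces (the format quoted in the reply).
SAMPLE_ALLOWED = """
https://app1.devnet.example.edu/cgi-bin/pgtcallback.cgi
https://portal.devnet.example.edu/proxy https://app1.devnet.example.edu/cgi-bin/pgtcallback.cgi
https://**.devnet.example.edu/**
"""


def parse_allowed_chains(text):
    """Split the setting into a list of chains, each a tuple of URLs."""
    return [tuple(line.split()) for line in text.splitlines() if line.split()]


def chain_allowed(ticket_chain, allowed_chains, accept_any_proxy=False):
    """Model of the documented check (an assumption, not the client's code):
    a chain passes only if acceptAnyProxy is set or the whole chain equals
    one configured entry, URL for URL and in the same order.
    Assumption: called only for tickets that carry a proxy chain."""
    return accept_any_proxy or tuple(ticket_chain) in allowed_chains


def audit_chains(allowed_chains):
    """Report entries that can never match or that weaken the allow-list."""
    findings = []
    for chain in allowed_chains:
        for url in chain:
            parts = urlsplit(url)
            if "*" in url:
                findings.append((url, "wildcard is compared literally, never matches"))
            elif parts.scheme != "https":
                findings.append((url, "proxy callback is not https"))
            elif not parts.hostname:
                findings.append((url, "no host in URL"))
    return findings


if __name__ == "__main__":
    allowed = parse_allowed_chains(SAMPLE_ALLOWED)
    for url, reason in audit_chains(allowed):
        print(f"{url}: {reason}")
```

Under this model every CGI that proxies to clearPass needs its own explicit line, and setting acceptAnyProxy removes the allow-list entirely rather than scoping it to one domain.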
