Hi,
I am trying to get CAS Tomcat Container Authentication
(https://wiki.jasig.org/display/CASC/Tomcat+Container+Authentication)
working for one of my test applications. I was able to get the example
running with the Cas20CASAuthenticator/PropertiesCasRealm. However, this
particular application needs a couple of attributes passed, and I'm trying
to figure out how to use Saml11Authenticator with AssertionCasRealm.

Currently, when I go to my application I get directed to my CAS login
and I'm able to log in successfully. However, I am receiving the "HTTP
Status 403 - Access to the requested resource has been denied" response.
I'm thinking that I don't have the "roleAttributeName" and "role-name"
values correct. I have been assuming that the "roleAttributeName" is
where I would specify the LDAP attribute that stores the user's role
(staff, faculty, or student). The attribute we use to store a user's
role on campus is "eduPersonPrimaryAffiliation". Then, I populated the
"role-name" values with the groups I wanted to allow access. I have also
allowed my application to release attributes in the CAS service
registry. I've also added the specified .jar files to my Tomcat lib folder.

Does anyone have any suggestions?
Thanks,
Laura
Here's my context file:
<!-- Realm: attribute values of the CAS principal are used as the user's roles -->
<Realm
    className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
    roleAttributeName="eduPersonPrimaryAffiliation"
/>

<!-- Authenticator: validates the service ticket via SAML 1.1 so attributes are returned -->
<Valve
    className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
    encoding="UTF-8"
    casServerLoginUrl="https://casserver.university.edu/cas/login"
    casServerUrlPrefix="https://casserver.university.edu/cas/"
    serverName="myclient.university.edu"
/>

<!-- Single sign-out support -->
<Valve
    className="org.jasig.cas.client.tomcat.v6.SingleSignOutValve"
    artifactParameterName="SAMLart"
/>
Here's my web.xml file:
<servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>test.TestServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/test</url-pattern>
</servlet-mapping>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>staff</role-name>
        <role-name>faculty</role-name>
        <role-name>student</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<!-- Each security-role element declares exactly one role-name -->
<security-role>
    <role-name>staff</role-name>
</security-role>
<security-role>
    <role-name>faculty</role-name>
</security-role>
<security-role>
    <role-name>student</role-name>
</security-role>
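To narrow down a 403 of the kind described in the post, it helps to replay the role decision outside the container: the realm treats the values of the attribute named by roleAttributeName as the user's roles, and the auth-constraint grants access only if one of those values equals a listed role-name. The script below (an added example, not code from the post or from the CAS client) parses a constructed SAML 1.1 assertion of the shape CAS returns from /samlValidate and a constructed web.xml fragment, then reports which of the two usual causes applies: the attribute was never released, or it was released with values that match no role-name. The user name, attribute values and the AttributeNamespace are made up for the example.

```python
"""Replay a roleAttributeName-style role check so a 403 can be traced to
its cause. Assumption (labelled): attribute values of the CAS principal are
treated as container roles, which is how the post describes the realm."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample of the <Assertion> element in a CAS /samlValidate
# response. User "jdoe" and the attribute values are hypothetical.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_example" Issuer="localhost" IssueInstant="2013-01-01T00:00:00Z">
  <AttributeStatement>
    <Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
    <Attribute AttributeName="eduPersonPrimaryAffiliation"
               AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <AttributeValue>staff</AttributeValue>
    </Attribute>
    <Attribute AttributeName="mail"
               AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <AttributeValue>jdoe@example.edu</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed web.xml fragment using the same role-names as the post.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
      <role-name>faculty</role-name>
      <role-name>student</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace: '{ns}Attribute' -> 'Attribute'."""
    return tag.rsplit("}", 1)[-1]


def principal_attributes(assertion_xml):
    """Return {AttributeName: [values...]} from a SAML 1.1 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter():
        if _local(attr.tag) != "Attribute":
            continue
        name = attr.get("AttributeName")
        values = [(v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
        attrs.setdefault(name, []).extend(values)
    return attrs


def constrained_roles(web_xml):
    """Return the set of role-names listed under auth-constraint elements."""
    root = ET.fromstring(web_xml)
    roles = set()
    for ac in root.iter():
        if _local(ac.tag) != "auth-constraint":
            continue
        roles.update((rn.text or "").strip() for rn in ac if _local(rn.tag) == "role-name")
    return roles


def diagnose(attrs, role_attribute_name, roles):
    """Return (granted, reason): the decision a container role check would make."""
    if role_attribute_name not in attrs:
        return False, (f"403: attribute {role_attribute_name!r} is not in the assertion; "
                       "check attribute release in the service registry")
    granted = set(attrs[role_attribute_name]) & roles
    if not granted:
        return False, (f"403: {role_attribute_name} values {attrs[role_attribute_name]} "
                       "match no role-name in web.xml")
    return True, f"access granted via role(s) {sorted(granted)}"


if __name__ == "__main__":
    attrs = principal_attributes(SAMPLE_ASSERTION)
    roles = constrained_roles(SAMPLE_WEB_XML)
    print(diagnose(attrs, "eduPersonPrimaryAffiliation", roles))
```

To use it against a real deployment, replace the constructed assertion with the response body logged by the client (the CAS client logs the validation response at DEBUG level) and the fragment with the application's actual web.xml; a mismatch in attribute name or a value such as "alum" that is not among the role-names shows up immediately in the reason string.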