Hi,

Well, I have a working servlet that is testing the attribute release using the standard CAS Authentication/CAS Validation Filters and I did verify that the attributes are being passed through the service registry.

In the Tomcat Container Authentication test servlet, I turned up the logging and I'm receiving the output below. In essence, I really don't care what group the user is under; I really just want to allow access to all my campus users if they are authenticated successfully, but I don't know how to do that. I don't want to use the PropertiesCasRealm or I'll have to list the user/role, which leaves the AssertionCasRealm option, in which the Saml11Authenticator is used.

I came across this mailing list thread and don't know if this is relevant: http://comments.gmane.org/gmane.comp.java.jasig.cas.user/23271

Here is my tomcat log:

Sep 25, 2013 2:26:28 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling hasUserDataPermission()
Sep 25, 2013 2:26:28 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE:   User data constraint has no restrictions
Sep 25, 2013 2:26:28 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling authenticate()
Sep 25, 2013 2:26:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Calling accessControl()
Sep 25, 2013 2:26:29 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE:   Checking roles lmccord
Sep 25, 2013 2:26:29 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found:  staff
Sep 25, 2013 2:26:29 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found:  faculty
Sep 25, 2013 2:26:29 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found:  student
Sep 25, 2013 2:26:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Failed accessControl() test

Thanks,
 Laura



On 9/25/13 10:34 PM, Ashwath, Avinash wrote:
Can you debug and look at whether the attributes are coming to your application?

-----Original Message-----
From: Laura McCord [mailto:[email protected]]
Sent: Thursday, September 26, 2013 12:16 AM
To: [email protected]
Subject: [cas-user] CAS Tomcat Container Authentication

Hi,

I am trying to get CAS Tomcat Container Authentication
(https://wiki.jasig.org/display/CASC/Tomcat+Container+Authentication)
working for one of my test applications. I was able to get the example running
with the Cas20CASAuthenticator/PropertiesCasRealm. However, this particular
application needs a couple of attributes passed, and I'm trying to figure out how
to use Saml11Authenticator with AssertionCasRealm.
Currently, when I go to my application I get directed to my CAS login and I'm able to
successfully log in. However, I am receiving the "HTTP Status 403 - Access to the
requested resource has been denied" response.

I'm thinking that I don't have the "roleAttributeName" and "role-name"
values correct. I have been assuming that the "roleAttributeName" is where I would specify the ldap 
attribute that stores the user's role (staff, faculty, or student). The attribute we use to store a user's 
role on campus is "eduPersonPrimaryAffiliation". Then, I populated the "role-name" values 
to the groups I wanted to allow access. I have also allowed my application to release attributes in the cas 
service registry. I've also added the specified .jar files to my tomcat lib folder.

Does anyone have any suggestions?

Thanks,
   Laura

Here's my context file:

<Realm
      className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
      roleAttributeName="eduPersonPrimaryAffiliation"
      />

<Valve
      className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
      encoding="UTF-8"
      casServerLoginUrl="https://casserver.university.edu/cas/login"
      casServerUrlPrefix="https://casserver.university.edu/cas/"
      serverName="myclient.university.edu"
      />

<!-- Single sign-out support -->
<Valve
      className="org.jasig.cas.client.tomcat.v6.SingleSignOutValve"
      artifactParameterName="SAMLart"
      />


Here's my web.xml file:

<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>test.TestServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test</url-pattern>
</servlet-mapping>

<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>staff</role-name>
<role-name>faculty</role-name>
<role-name>student</role-name>
</auth-constraint>
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->  
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>staff</role-name>
<role-name>faculty</role-name>
<role-name>student</role-name>
</security-role>





--
You are currently subscribed to [email protected] as: 
[email protected] To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user





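The thread turns on one mechanism: the Saml11Authenticator obtains a SAML 1.1 response from the CAS server, and the realm configured with roleAttributeName="eduPersonPrimaryAffiliation" treats the values of that attribute as the user's roles, which Tomcat then compares with the role-names in the web.xml auth-constraint (the "Checking roles" / "No role found" lines in Laura's log). The script below is an added example, not code from this thread or from the Jasig CAS client; it parses a SAML 1.1 response of the shape CAS 3.x emits, rejects responses a client must not trust (non-success status, wrong audience, assertion outside its NotBefore/NotOnOrAfter window), collects the principal attributes, and then applies a role check of the same kind as the realm. The SAML documents, the service URL, the clock value and the role-check logic are all constructed for the example (the role check is our reading of what such a realm does, not the library's code); the attribute name and the three role names are the ones from the posted configuration.

```python
"""Parse a CAS SAML 1.1 validation response and apply a web.xml-style
role check against one principal attribute.

Added example: the XML samples, SERVICE, NOW/EXPIRED_CLOCK and the
role-check logic are constructed for illustration, not captured from
or copied out of the CAS server or the Jasig Tomcat client.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Values taken from the posted context.xml / web.xml.
ROLE_ATTRIBUTE = "eduPersonPrimaryAffiliation"   # realm roleAttributeName
ALLOWED_ROLES = {"staff", "faculty", "student"}  # <auth-constraint> role-names

# Constructed assumptions: the service the assertion is issued for and two clocks.
SERVICE = "https://myclient.university.edu/testapp/"
NOW = datetime(2013, 9, 25, 18, 26, 29, tzinfo=timezone.utc)
EXPIRED_CLOCK = datetime(2013, 9, 25, 18, 30, 0, tzinfo=timezone.utc)


def _ts(value):
    """SAML 1.1 timestamps as CAS writes them: 2013-09-25T18:26:28.000Z."""
    if value is None:
        raise ValueError("Conditions is missing NotBefore/NotOnOrAfter")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_saml11_response(xml_text, audience, now):
    """Return (username, {attribute_name: [values]}) or raise ValueError
    for a response the client must not act on."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in document")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # Replay/staleness check: honour the validity window the server set.
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    # Audience check: an assertion minted for another service is not ours.
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not issued for this service")
    name = assertion.find(".//saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("assertion carries no NameIdentifier")
    attrs = {}
    # Multi-valued attributes arrive as several AttributeValue children.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return name.text, attrs


def granted_roles(attributes, role_attribute=ROLE_ATTRIBUTE):
    """Role names = values of the configured attribute (our model of the realm)."""
    return set(attributes.get(role_attribute, []))


def access_decision(xml_text, audience=SERVICE, now=NOW):
    """(username, sorted roles, allowed?) for a validated response."""
    user, attrs = parse_saml11_response(xml_text, audience, now)
    roles = granted_roles(attrs)
    return user, sorted(roles), bool(roles & ALLOWED_ROLES)


def rejection_reason(xml_text, audience=SERVICE, now=NOW):
    """None if the response validates, else the reason it was refused."""
    try:
        parse_saml11_response(xml_text, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


def _sample(attribute_xml):
    """Constructed SAML 1.1 response in the layout CAS 3.x samlValidate uses."""
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2013-09-25T18:26:28.000Z"
    MajorVersion="1" MinorVersion="1" ResponseID="_r1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1"
      IssueInstant="2013-09-25T18:26:28.000Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2013-09-25T18:26:28.000Z" NotOnOrAfter="2013-09-25T18:27:28.000Z">
      <AudienceRestrictionCondition><Audience>{SERVICE}</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AuthenticationStatement AuthenticationInstant="2013-09-25T18:26:28.000Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <Subject><NameIdentifier>lmccord</NameIdentifier></Subject>
    </AuthenticationStatement>
    <AttributeStatement>
      <Subject><NameIdentifier>lmccord</NameIdentifier></Subject>
      {attribute_xml}
    </AttributeStatement>
  </Assertion>
</Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


_ATTR = '<Attribute AttributeName="{name}" AttributeNamespace="http://www.ja-sig.org/products/cas/">{vals}</Attribute>'
SAMPLE_WITH_ROLE = _sample(_ATTR.format(name=ROLE_ATTRIBUTE, vals="<AttributeValue>staff</AttributeValue>"))
SAMPLE_ALUMNI = _sample(_ATTR.format(name=ROLE_ATTRIBUTE, vals="<AttributeValue>alum</AttributeValue>"))
SAMPLE_NO_ATTRIBUTES = _sample("")  # attributes not released: the 403 case

if __name__ == "__main__":
    for label, doc in [("released", SAMPLE_WITH_ROLE), ("alum", SAMPLE_ALUMNI), ("none", SAMPLE_NO_ATTRIBUTES)]:
        print(label, access_decision(doc))
    print("expired:", rejection_reason(SAMPLE_WITH_ROLE, now=EXPIRED_CLOCK))
```

The third sample reproduces the situation in the log: the assertion validates and names the user, but the role attribute is absent, so the granted role set is empty and none of staff/faculty/student can match. Whether that is what the poster's server is actually sending is not something this example can tell; it only shows that an empty role set, not a failed login, is what produces the 403.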