Hi All,
I have a 3.4.12 CAS Server and have it pointing to Active Directory
for Authentication and I setup TestApp1 and TestApp2 according to this
doc
https://wiki.jasig.org/display/CASUM/End-to-end+Windows+Example#End-to-endWindowsExample-DeploytheProtectedApplications
and in the screen shots they show attributes being released but in my
case it shows "None". I'm not sure if it is a flaw in the test app(s)
or a flaw in my setup. Here is what it looks likes inside my
"deployerConfigContext.xml" (with the appropriate data scrubbed with
the phrase "<SCRUBBED>"
<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the
declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that
make up a CAS deployment.
| The beans declared in this file are instantiated at context
initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file
because this
| file is among those declared in the context parameter
"contextConfigLocation".
|
| By far the most common change you will need to make in this file
is to change the last bean
| declaration to replace the default
SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and
passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:sec="http://www.springframework.org/schema/security";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd";>
<!--
| This bean declares our AuthenticationManager. The
CentralAuthenticationService service bean
| declared in applicationContext.xml picks up this
AuthenticationManager by reference to its id,
| "authenticationManager". Most deployers will be able to use
the default AuthenticationManager
| implementation and so do not need to change the class of
this bean. We include the whole
| AuthenticationManager here in the userConfigContext.xml so
that you can see the things you will
| need to change in context.
+-->
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<!--
| This is the List of CredentialToPrincipalResolvers that
identify what Principal is trying to authenticate.
| The AuthenticationManagerImpl considers them in order,
finding a CredentialToPrincipalResolver which
| supports the presented credentials.
|
| AuthenticationManagerImpl uses these resolvers for two
purposes. First, it uses them to identify the Principal
| attempting to authenticate to CAS /login . In the
default configuration, it is the DefaultCredentialsToPrincipalResolver
| that fills this role. If you are using some other kind
of credentials than UsernamePasswordCredentials, you will need to replace
| DefaultCredentialsToPrincipalResolver with a
CredentialsToPrincipalResolver that supports the credentials you are
| using.
|
| Second, AuthenticationManagerImpl uses these resolvers
to identify a service requesting a proxy granting ticket.
| In the default configuration, it is the
HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
| You will need to change this list if you are identifying
services by something more or other than their callback URL.
+-->
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver
supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal
instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use
credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add
additional declarations) to declare a CredentialsToPrincipalResolver
that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
<property name="attributeRepository"
ref="attributeRepository" />
</bean>
<!--
| HttpBasedServiceCredentialsToPrincipalResolver
supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback,
extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something
more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to
change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"
/>
</list>
</property>
<!--
| Whereas CredentialsToPrincipalResolvers identify who it
is some Credentials might authenticate,
| AuthenticationHandlers actually authenticate
credentials. Here we declare the AuthenticationHandlers that
| authenticate the Principals that the
CredentialsToPrincipalResolvers identified. CAS will try these
handlers in turn
| until it finds one that both supports the Credentials
presented and succeeds in authenticating.
+-->
<property name="authenticationHandlers">
<list>
<!--
| This is the authentication handler that
authenticates services by means of callback via SSL, thereby validating
| a server side SSL certificate.
+-->
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!-- Added by bgibson on 4/15/14 -->
<bean
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:filter="sAMAccountName=%u"
p:searchBase="OU=<SCRUBBED>,DC=wheatonma,DC=edu"
p:contextSource-ref="contextSource" />
<!--
| This is the authentication handler declaration
that every CAS deployer will need to change before deploying CAS
| into production. The default
SimpleTestUsernamePasswordAuthenticationHandler authenticates
UsernamePasswordCredentials
| where the username equals the password. You
will need to replace this with an AuthenticationHandler that
implements your
| local authentication strategy. You might
accomplish this by coding a new such handler and declaring
| edu.someschool.its.cas.MySpecialHandler here, or
you might use one of the handlers provided in the adaptors modules.
+-->
<!-- <bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
/> -->
</list>
</property>
</bean>
<!--
This bean defines the security roles for the Services Management
application. Simple deployments can use the in-memory version.
More robust deployments will want to use another option, such as
the Jdbc version.
The name of this should remain "userDetailsService" in order for
Spring Security to find it.
-->
<!-- <sec:user name="@@THIS SHOULD BE REPLACED@@"
password="notused" authorities="ROLE_ADMIN" />-->
<sec:user-service id="userDetailsService">
<sec:user name="<SCRUBBED>" password="notused"
authorities="ROLE_ADMIN" />
<sec:user name="<SCRUBBED>" password="notused"
authorities="ROLE_ADMIN" />
</sec:user-service>
<!--
Bean that defines the attributes that a service may return. This
example uses the Stub/Mock version. A real implementation
may go against a database or LDAP server. The id should remain
"attributeRepository" though.
-->
<!-- This next section was added by bgibson on 4/16/14 -->
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="contextSource" ref="contextSource" />
<property name="baseDN" value="OU=<SCRUBBED>,DC=wheatonma,DC=edu" />
<property name="requireAllQueryAttributes" value="true" />
<property name="ldapTemplate" ref="ldapTemplate" />
<!--
Attribute mapping between principal (key) and LDAP (value) names
used to perform the LDAP search.
-->
<property name="queryAttributeMapping">
<map>
<entry key="username" value="sAMAccountName" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<!-- Mapping between LDAP attributes (key) and Principal's
(value) -->
<entry value="CN" key="cn" />
<entry value="DN" key="distinguishedName" />
</map>
</property>
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
<property name="ignorePartialResultException" value="true" />
</bean>
<!--
Sample, in-memory data store for the ServiceRegistry. A real
implementation
would probably want to replace this with the JPA-backed
ServiceRegistry DAO
The name of this bean should remain "serviceRegistryDao".
-->
<!-- this section edited by bgibson on 4/17/14 so only wheaton
web services can
point to this CAS server -->
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean
class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="1" />
<property name="name" value="HTTP and IMAP on
wheatonma.edu" />
<property name="description" value="Allows
HTTP(S) and IMAP(S) protocols on wheatonma.edu" />
<property name="serviceId"
value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*wheatonma\.edu/.*" />
<property name="evaluationOrder" value="0" />
<property name="allowedAttributes">
<list>
<value>CN</value>
<value>DN</value>
</list>
</property>
</bean>
<bean
class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="2" />
<property name="name" value="HTTP and IMAP on
wheatoncollege.edu" />
<property name="description" value="Allows
HTTP(S) and IMAP(S) protocols on wheatoncollege.edu" />
<property name="serviceId"
value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*wheatoncollege\.edu/.*" />
<property name="evaluationOrder" value="1" />
<property name="allowedAttributes">
<list>
<value>CN</value>
<value>DN</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<!-- Added by bgibson 4/15/14 for LDAP connectivity -->
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<!-- DO NOT enable JNDI pooling for context sources that perform
LDAP bind operations. -->
<property name="pooled" value="false"/>
<!--
Although multiple URLs may defined, it's strongly recommended to
avoid this configuration
since the implementation attempts hosts in sequence and requires a
connection timeout
prior to attempting the next host, which incurs unacceptable
latency on node failure.
A proper HA setup for LDAP directories should use a single virtual
host that maps to multiple
real hosts using a hardware load balancer.
-->
<property name="url" value="ldaps://<SCRUBBED>.wheatonma.edu" />
<!--
Manager credentials are only required if your directory does not
support anonymous searches.
Never provide these credentials for
FastBindLdapAuthenticationHandler since the user's
credentials are used for the bind operation.
-->
<property name="userDn"
value="CN=<SCRUBBED>,CN=Users,DC=wheatonma,DC=edu"/>
<property name="password" value="<SCRUBBED>"/>
<!-- Place JNDI environment properties here. -->
<property name="baseEnvironmentProperties">
<map>
<!-- Three seconds is an eternity to users. -->
<entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
<entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
<!-- Explained at
http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION
-->
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>
</beans>
