Hi Luca: Thanks for tips. But my point is to mimic Tomcat.

This is a relatively fundamental problem, not specific to GIS (which is a specific issue that can benefit from solving the fundamental problem). Again, the fundamental problem is to mimic container authentication, instead of Yale CAS replacing it and adding a whole slew of complexity into what is already a multilayered or multifaceted problem. This will make CAS-ification much more straightforward. Kinda like JVM makes the underlying OS irrelevant. Yale CAS (or extensions) should make the underlying container authentication irrelevant by providing applications the exact same service.

As for my specific problem with GIS, I have already jumped through the hoops of proving that SSO works for a simple servlet. And, yes, we are using ArcIMS with SDE. No 9.2 yet and we have WMS connector also but still quite experimental (basically, it is legacy stuff for us).

Since you seem to be knowledgeable, here is my web.xml (as you can see I am protecting the servlet connector with Yale CAS...and I have taken care to make the ArcIMS ACL have identical login/password as my Yale CAS login...but on the return trip from Yale CAS, the application simply hangs, saying "Retrieving Map"...in this specific case I am scratching my head on how I may instantiate the UserPrincipal needed by ArcIMS...or am I on a wild goose chase...this certainly does not work out of the box as you are suggesting...or what am I missing here?!
):

<!-- ////////////////////////////////////////////////////////////////////////
//
// Yale CAS Testing
//
-->
<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://isdm34:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://isdm34:8443/cas/serviceValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>mauidevas:8080</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/servletConnector</url-pattern>
</filter-mapping>
</web-app>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luca Scotto
Sent: Wednesday, April 18, 2007 10:17 PM
To: Yale CAS mailing list
Subject: Re: Mimic Tomcat Container Authentication

I think that u are talking about 9.2 from Esri. If u develop Esri "Gis Client" there is no problem at all (it's easy enough like any other Cas installation). If u are talking about old version consider to use a wms connector under tomcat and protect this with a Yale Cas Client.

Start setup with 3 Servers.
1) cas server
2) arcims and/or connector and a simple servlet
3) A pc client with browser

Try using cas as sso for the simple servlet. When all goes well, try with connector and then with arcims. What u need is just time to try.

If your system uses Apache as front end use mod_cas. But should be a little hard.
Good work

On 19/04/07, Uday Kari <[EMAIL PROTECTED]> wrote:
> Yale CAS Gurus,
>
> I am looking for a good reference in the wiki or mailing lists to achieve
> the following subjective strategy question:
>
> "How do I CAS-ify my tomcat deployed client application (or configure the
> Yale CAS Server, although I doubt it) so as to fool the client application
> to perceive the login exactly as if it were coming in as a tomcat container
> login (basic non-SSL is the preferred mode, but I believe we can handle
> form-based-SSL which would be the natural thing to do with Yale CAS)?"
>
> More explanation: I am delighted to report that I have succeeded in doing
> SSO with "normal" tomcat servlet applications, even across multiple tomcat
> instances (and self-generated certificates). However, some of our
> applications feature a "servlet connector" that throws a login challenge (or
> simply hangs!) if the session (or request -- not sure which - still working
> this) is not populated EXACTLY as if the secure request came in through a
> tomcat login. For a tomcat driven (or equivalent container driven login),
> the servlet connector finds everything it needs from the environment (again
> I don't know the exact mechanism, nor do I care for the purpose of this
> question).
>
> More specifically, I am having to do SSO into an ArcIMS application using
> its servlet connector. Please see www.esri.com if any of you are GIS gurus
> as well for details on ArcIMS. I am not a GIS geek...and hence the
> "service-oriented" strategy...that is I don't care what exactly ESRI does as
> long as I can have Yale CAS provide a login that "looks like" a tomcat login
> to the client application (and I don't care for knowing what exactly tomcat
> does either).
>
> Did you guys address something like this? If yes, please enlighten me. If
> not, consider this a feature request.
> :)
>
> Regards,
>
> Uday Kari
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
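
Added example, not part of the thread and not code from the Yale CAS project: one way to give an application behind the CASFilter shown above the same getRemoteUser() / getUserPrincipal() view it would get from a container login. The class name CasPrincipalFilter is hypothetical, and the code assumes the Yale CAS client 2.x filter stores the validated username in the session attribute edu.yale.its.tp.cas.client.filter.user; whether the ArcIMS servlet connector reads identity through this API is not stated in the thread.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: exposes the CAS-validated user through the container-style API. */
public class CasPrincipalFilter implements Filter {
    // Assumption: session attribute the Yale CASFilter sets once a ticket has validated.
    static final String CAS_USER = "edu.yale.its.tp.cas.client.filter.user";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(CAS_USER);
        if (!(user instanceof String) || ((String) user).isEmpty()) {
            // No validated CAS login in this session: fail closed rather than
            // pass an anonymous request to code that expects a principal.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new CasRequest(http, (String) user), res);
    }

    /** Request view that answers identity questions from the CAS login. */
    static final class CasRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        CasRequest(HttpServletRequest req, final String name) {
            super(req);
            principal = new Principal() {
                public String getName() { return name; }
                public String toString() { return name; }
            };
        }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getAuthType() { return "CAS"; }
        // CAS 2.0 validation returns only a username, so no roles are granted here.
        @Override public boolean isUserInRole(String role) { return false; }
    }
}
```

Declare it in web.xml with its filter-mapping for /servletConnector placed after the CAS Filter mapping, so the CAS ticket check runs first; URL-pattern filters run in the order their mappings are declared.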
