RESOLVED. The solution with GIS actually turned out to be very simple.

There were three basic strategies:

1) Somehow populate the container session with user credentials that are passed through to the third-party application, i.e. make the session "look" identical to a container login. I was stuck here with the mimic-Tomcat inquiry, but this was made moot by the following two options...

2) Disable the second login challenge completely. In the case of ArcIMS we create a tiny access control list, put the user asterisk (*) in it and associate it with the map services:

    <?xml version="1.0" ?>
    <AIMSACL>
      <USER name="*" services="service_name_main, service_name_ov" />
    </AIMSACL>

As long as the map services themselves are not directly accessible by another route (i.e. not only behind a firewall, but protected by, as in our case, a JDBC Realm login through ROOT), the above solution guarantees access to map services if you can get past CAS.

3) Separate unsecured (public) and secured (private) map services. You will just have to get another GIS license from ESRI for that. Not a great option.

Instead we decided to do option #2 and ask the boss for a bonus corresponding to the money saved on the new license. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Uday Kari
Sent: Thursday, April 19, 2007 8:47 AM
To: Yale CAS mailing list
Subject: RE: Mimic Tomcat Container Authentication

Hi Luca:

Thanks for the tips. But my point is to mimic Tomcat. This is a relatively fundamental problem, not specific to GIS (which is a specific issue that can benefit from solving the fundamental problem). Again, the fundamental problem is to mimic container authentication, instead of Yale CAS replacing it and adding a whole slew of complexity into what is already a multilayered or multifaceted problem. This will make CAS-ification much more straightforward. Kinda like the JVM makes the underlying OS irrelevant. Yale CAS (or extensions) should make the underlying container authentication irrelevant by providing applications the exact same service.
As for my specific problem with GIS, I have already jumped through the hoops of proving that SSO works for a simple servlet. And, yes, we are using ArcIMS with SDE. No 9.2 yet, and we have the WMS connector also, but it is still quite experimental (basically, it is legacy stuff for us). Since you seem to be knowledgeable, here is my web.xml (as you can see I am protecting the servlet connector with Yale CAS... and I have taken care to make the ArcIMS ACL have an identical login/password to my Yale CAS login... but on the return trip from Yale CAS, the application simply hangs, saying "Retrieving Map"... in this specific case I am scratching my head on how I may instantiate the UserPrincipal needed by ArcIMS... or am I on a wild goose chase... this certainly does not work out of the box as you are suggesting... or what am I missing here?!):

    <!-- ////////////////////////////////////////////////////////////////////////
         // Yale CAS Testing
         // -->
    <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://isdm34:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://isdm34:8443/cas/serviceValidate</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>mauidevas:8080</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/servletConnector</url-pattern>
    </filter-mapping>
    </web-app>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Luca Scotto
Sent: Wednesday, April 18, 2007 10:17 PM
To: Yale CAS mailing list
Subject: Re: Mimic Tomcat Container Authentication

I think that u are talking about 9.2 from Esri.
If u develop an Esri "Gis Client" there is no problem at all (it's easy enough, like any other CAS installation). If u are talking about an old version, consider using a WMS connector under Tomcat and protecting this with a Yale CAS client.

Start setup with 3 servers:
1) CAS server
2) ArcIMS and/or connector and a simple servlet
3) A PC client with browser

Try using CAS as SSO for the simple servlet. When all goes well, try with the connector and then with ArcIMS. What u need is just time to try. If your system uses Apache as front end, use mod_cas. But it should be a little hard.

Good work

On 19/04/07, Uday Kari <[EMAIL PROTECTED]> wrote:
> Yale CAS Gurus,
>
> I am looking for a good reference in the wiki or mailing lists to achieve
> the following subjective strategy question:
>
> "How do I CAS-ify my tomcat deployed client application (or configure the
> Yale CAS Server, although I doubt it) so as to fool the client application
> to perceive the login exactly as if it were coming in as a tomcat container
> login (basic non-SSL is the preferred mode, but I believe we can handle
> form-based-SSL which would be the natural thing to do with Yale CAS)?"
>
> More explanation: I am delighted to report that I have succeeded in doing
> SSO with "normal" tomcat servlet applications, even across multiple tomcat
> instances (and self-generated certificates). However, some of our
> applications feature a "servlet connector" that throws a login challenge (or
> simply hangs!) if the session (or request -- not sure which - still working
> this) is not populated EXACTLY as if the secure request came in through a
> tomcat login. For a tomcat driven (or equivalent container driven) login,
> the servlet connector finds everything it needs from the environment (again
> I don't know the exact mechanism, nor do I care for the purpose of this
> question).
>
> More specifically, I am having to do SSO into an ArcIMS application using
> its servlet connector.
> Please see www.esri.com if any of you are GIS gurus
> as well for details on ArcIMS. I am not a GIS geek... and hence the
> "service-oriented" strategy... that is, I don't care what exactly ESRI does as
> long as I can have Yale CAS provide a login that "looks like" a tomcat login
> to the client application (and I don't care for knowing what exactly tomcat
> does either).
>
> Did you guys address something like this? If yes, please enlighten me. If
> not, consider this a feature request. :)
>
> Regards,
>
> Uday Kari
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
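Option #2 above trades the ArcIMS login for a wildcard ACL and so depends entirely on the CAS filter being the only route to the connector. As an added example that is not part of the thread, the following Python audit parses an AIMSACL and a web.xml together, reports which services the wildcard user can reach, and lists connector paths that no CAS filter-mapping covers. The sample XML, hostname and the second connector path (/esrimap) are constructed placeholders, and pattern matching implements only exact and "/*" prefix servlet mappings.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread's snippets; hostname and service names are placeholders.
AIMSACL = """<?xml version="1.0" ?>
<AIMSACL>
  <USER name="*" services="service_name_main, service_name_ov" />
</AIMSACL>"""

WEB_XML = """<web-app>
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/servletConnector</url-pattern>
  </filter-mapping>
</web-app>"""

def wildcard_services(acl_xml):
    """Services granted to the wildcard user '*', i.e. to anyone who reaches the connector."""
    services = set()
    for user in ET.fromstring(acl_xml).iter("USER"):
        if user.get("name") == "*":
            services.update(s.strip() for s in user.get("services", "").split(",") if s.strip())
    return services

def cas_protected_patterns(web_xml):
    """url-patterns mapped to a filter whose class is the Yale CAS client filter."""
    root = ET.fromstring(web_xml)
    cas_names = {f.findtext("filter-name") for f in root.iter("filter")
                 if "cas.client.filter.CASFilter" in (f.findtext("filter-class") or "")}
    return {m.findtext("url-pattern") for m in root.iter("filter-mapping")
            if m.findtext("filter-name") in cas_names}

def pattern_covers(pattern, path):
    """Servlet-spec exact match or path-prefix mapping ('/foo/*' covers '/foo' and '/foo/x')."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return False

def unprotected_connector_paths(web_xml, connector_paths):
    """Connector entry points no CAS mapping covers: a wildcard ACL behind them is open to all."""
    patterns = cas_protected_patterns(web_xml)
    return sorted(p for p in connector_paths if not any(pattern_covers(pat, p) for pat in patterns))
```

Any path the last function returns is a route to the wildcard-ACL services that bypasses CAS, which is exactly the condition the RESOLVED message says must not exist.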
