Mark,
Thanks for the help. I'm getting close. A couple of questions persist,
though. First, I notice that the class you use for CASFilter is actually
edu.yale.its.cas.tp.client.filter.CASFilter2. I do not have that class
in my version of casclient.jar. Is this a typo in the WIKI entry, or did
this class exist in the JA-SIG deployment at some point? My blocking
point right now is a Null Pointer when it is trying to deploy the realm.
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.securityfilter.config.SecurityConfig.addRealm(SecurityConfig.java:233)
        ... 163 more
Caused by: java.lang.NullPointerException
        at org.apache.catalina.realm.RealmBase.init(RealmBase.java:1329)
        at org.apache.catalina.realm.RealmBase.start(RealmBase.java:1029)
        at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:761)
        at org.securityfilter.realm.catalina.CatalinaRealmAdapter.setRealm(CatalinaRealmAdapter.java:79)
        ... 168 more
Did you run across this at some point? I believe that I've got my web
and securityfilter-config xml files set up as you note, with the exception
of the filter class, and the realm kept complaining prior to init when I
tried to define a realm-param named "debug". I took that one out and
used the CASFilter in casclient.jar for my filter-class.
John
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mark McLaren
Sent: Friday, May 25, 2007 12:26 PM
To: Yale CAS mailing list
Subject: Re: Use of Oracle Granted Roles
Here you go:
<http://www.ja-sig.org/wiki/pages/viewpageattachments.action?pageId=9543>
Attachments are kinda hidden under "Page Operations" in this version of
the Confluence (grrr).
Mark
Graves, John wrote:
> I noticed on that linked page (which is where I tripped over this, by
> the way), that you mention a couple of files that are supposed to be
> attached. I would like to see what was changed in SecurityFilter.java,
> and what the CASAuthenticator.java holds. I pulled the source from
> securityfilter.org, but the new authenticator is not in cvs. Could you
> point out where that new file is?
>
> John
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark McLaren
> Sent: Thursday, May 24, 2007 5:42 PM
> To: Yale CAS mailing list
> Subject: Re: Use of Oracle Granted Roles
>
> Hi John,
>
> Is this the SecurityFilter documentation that you saw?
>
> <http://www.ja-sig.org/wiki/x/RyU>
>
> I wrote this back in the summer of 2005 so there may well be better ways
> to do this by now. I am afraid I don't know enough about recent
> developments in Acegi, CAS3, *SAML*, Spring (etc.) to give you a
> definitive answer of what the best approach for authorization is
> nowadays (in my day CAS only did authentication, is this still so?). I
> would be slightly worried about using SecurityFilter as it does not
> appear to have been actively maintained for some while (maybe it just
> works!).
>
> I am sorry if you found the above CAS/SecurityFilter documentation not
> clear enough. Essentially, it is a two-layered servlet filter approach. It
> uses the CAS filter to obtain the username and then it uses
> SecurityFilter to obtain the role details from the configured realm (be
> that a database or LDAP or whatever).
>
> The SecurityFilter is tricked into authenticating with the CAS username
> by configuring SecurityFilter to accept username = password (this is
> still secure since to get to this point you must be CAS filter
> authenticated). The user role details are then inserted into a wrapped
> request object (SecurityRequestWrapper) by SecurityFilter. This is
> how it achieves a request.isUserInRole(x).
>
> At least I think that is how it works! If you have any further queries,
> I'll do my best to answer you!
>
> Mark
>
> Graves, John wrote:
>
>> I'm trying to use CAS to authenticate access to a set of custom
>> applications that require the accessing user to have an Oracle
>> account. I've got it set up using the
>> BindModeSearchDatabaseAuthenticationHandler, and the authentication
>> portion appears to be working correctly. My next step is to authorize
>> the user, such that certain aspects of the application are available
>> (or not) depending on which Oracle Roles have been granted to the
>> user. The list of granted roles can be easily retrieved by the
>> connected user by executing a "select granted_roles from
>> user_role_privs". Unfortunately, I'm at a loss currently in figuring
>> out how to transport those roles to the point that the application can
>> perform a request.isUserInRole(x) and have it return a viable answer.
>>
>> Has anyone else used the supplied JDBC adaptors in this manner? I've
>> seen where SecurityFilter has incorporated CAS into the JDBCRealm such
>> that they are retrieving the user roles from the database (from a
>> specific table within the database, I should say) and propagating them
>> forward. Unfortunately, it's not readily apparent how they are doing
>> this.
>>
>> John Graves
>>
>> Advanced Systems Group
>>
>> Essex
>>
>>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
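
The layering Mark describes in the quoted reply (the CAS filter supplies the username, a second filter supplies roles through a wrapped request), sketched as an added Java example; it is not part of the original thread and is not SecurityFilter's or the CAS client's code. The class name CasRoleFilter, the init parameter casUserSessionAttribute and the rolesFor() hook are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration (hypothetical class): a subclass is mapped AFTER the CAS filter. */
public abstract class CasRoleFilter implements Filter {
    private String userAttr; // session attribute the CAS filter stores the username under

    /** Hypothetical hook: look the roles up in the realm (database, LDAP, ...). */
    protected abstract Set<String> rolesFor(String username) throws ServletException;

    public void init(FilterConfig cfg) throws ServletException {
        userAttr = cfg.getInitParameter("casUserSessionAttribute"); // assumed parameter name
        if (userAttr == null) throw new ServletException("casUserSessionAttribute not set");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(userAttr);
        // Fail closed: the username is trusted only because the CAS filter set it.
        // It is never read from a request parameter or header.
        if (!(user instanceof String)) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String name = (String) user;
        Set<String> found = rolesFor(name);
        final Set<String> roles = (found == null) ? Collections.<String>emptySet() : found;
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return name; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, rs);
    }

    public void destroy() { }
}
```

Declare the subclass's filter-mapping in web.xml after the CAS filter's mapping, so it never handles a request the CAS filter has not authenticated.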