Hi all - I am trying to understand the various AuthenticationHandlers in both CAS and LDAP and was wondering if you guys could give me a hand.

I am currently trying to set up CAS with various open source products such as JasperServer, jTrac, and a custom in-house CMS, which all use Acegi as their authorization client. For the most part I have followed the Acegi CAS guide at http://www.acegisecurity.org/guide/springsecurity.html#cas In the guide there is the following excerpt:

"If you are already running an existing CAS 3.0 server instance, you will have already established an AuthenticationHandler. If you do not already have an AuthenticationHandler, you might prefer to use Acegi Security CasAuthenticationHandler class. This class delegates through to the standard Acegi Security AuthenticationManager, enabling you to use a security configuration you might already have in place. You do not need to use the CasAuthenticationHandler class on your CAS server if you do not wish. Acegi Security will function as a CAS client successfully irrespective of the AuthenticationHandler you've chosen for your CAS server."

I currently have a BindLdapAuthenticationHandler that is authenticating against my LDAP server and everything is running fine on that end, so I am assuming that I do not need the CasAuthenticationHandler. The part that I am confused about is that the CasAuthenticationHandler also requires an authenticationProvider, whereas the BindLdap does not. It seems almost circular. It is difficult to explain, so I will also post the deployerConfigContext below. Right now Firefox is giving me a "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." and I believe this is related to it.
Here is my xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
          <property name="httpClient" ref="httpClient" />
        </bean>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="sAMAccountName=%u" />
          <property name="searchBase" value="ou=ACPASP-Users,dc=ACPASP,dc=ucsd,dc=edu" />
          <property name="contextSource" ref="contextSource" />
        </bean>
        <!-- not sure whether I need this or not - it asks for an authenticationManager,
             so do we reference a new acegiAuthManager or the one we are currently in?
        <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
          <property name="authenticationManager" ref="acegiAuthenticationManager" />
        </bean>
        -->
      </list>
    </property>
  </bean>

  <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="anonymousReadOnly" value="false" />
    <property name="pooled" value="true" />
    <property name="urls">
      <list>
        <value>[deleted]</value>
      </list>
    </property>
    <property name="userName" value="[deleted]" />
    <property name="password" value="[deleted]" />
    <property name="baseEnvironmentProperties">
      <map>
        <!--
        <entry>
          <key><value>java.naming.security.protocol</value></key>
          <value>ssl</value>
        </entry>
        -->
        <entry>
          <key><value>java.naming.security.authentication</value></key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>

  <!-- What do we need userDetailsService for? acegiAuthenticationManager requires it,
       but what if we only use the BindLdapAuthHandler? -->
  <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        marissa=koala,ROLES_IGNORED_BY_CAS
        dianne=emu,ROLES_IGNORED_BY_CAS
        scott=wombat,ROLES_IGNORED_BY_CAS
        peter=opal,disabled,ROLES_IGNORED_BY_CAS
      </value>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService"><ref bean="userDetailsService" /></property>
  </bean>

  <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version.
       A real implementation may go against a database or LDAP server.
       The id should remain "attributeRepository" though. -->
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid" />
      </map>
    </property>
  </bean>

  <!-- Sample, in-memory data store for the ServiceRegistry.
       A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO.
       The name of this bean should remain "serviceRegistryDao". -->
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

  <!-- Not sure if we need this or not
  <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="daoAuthenticationProvider" />
      </list>
    </property>
  </bean>
  -->
</beans>
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
