Jin,

What that statement means is that if you have an already existing CAS server, you can continue to use that configuration (which includes your LDAP configuration). If, on the other hand, you have existing applications secured using Acegi (but have never deployed a CAS server before), you can utilize the CasAuthenticationHandler, which allows the CAS server to understand an Acegi configuration (you would then modify all of your applications' Acegi configuration to utilize CAS).
CasAuthenticationHandler is an artifact of the Acegi project and has no relation to the CAS Server product (which is why you'll see that they are not configured similarly).

-Scott

On Dec 17, 2007 12:42 PM, Jin Lee <[EMAIL PROTECTED]> wrote:
> Hi all -
>
> I am trying to understand the various AuthenticationHandlers in both CAS and LDAP and was wondering if you guys could give me a hand..
>
> I am currently trying to set up CAS with various open source products such as JasperServer, jTrac, and a custom in-house CMS, which all use Acegi as their authorization client. For the most part I have followed the Acegi CAS guide at http://www.acegisecurity.org/guide/springsecurity.html#cas
>
> In the guide there is the following excerpt:
>
> "If you are already running an existing CAS 3.0 server instance, you will have already established an AuthenticationHandler. If you do not already have an AuthenticationHandler, you might prefer to use Acegi Security CasAuthenticationHandler class. This class delegates through to the standard Acegi Security AuthenticationManager, enabling you to use a security configuration you might already have in place. You do not need to use the CasAuthenticationHandler class on your CAS server if you do not wish. Acegi Security will function as a CAS client successfully irrespective of the AuthenticationHandler you've chosen for your CAS server."
>
> I currently have a BindLdapAuthenticationHandler that is authenticating against my LDAP server and everything is running fine on that end, so I am assuming that I do not need the CasAuthenticationHandler. The part that I am confused about is that the CasAuthenticationHandler also requires an authenticationProvider, whereas the BindLdap does not. It seems almost circular. It is difficult to explain so I will also post the deployerConfigContext below.
>
> Right now Firefox is giving me a "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." and I believe this is related to it.
>
> Here is my xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>
>   <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>       </list>
>     </property>
>     <property name="authenticationHandlers">
>       <list>
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>           <property name="httpClient" ref="httpClient" />
>         </bean>
>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>           <property name="filter" value="sAMAccountName=%u"/>
>           <property name="searchBase" value="ou=ACPASP-Users,dc=ACPASP,dc=ucsd,dc=edu"/>
>           <property name="contextSource" ref="contextSource"/>
>         </bean>
>
>         <!-- not sure whether I need this or not - it asks for an authenticationManager, so do we reference a new acegiAuthManager or the one we are currently in?
>         <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
>           <property name="authenticationManager" ref="acegiAuthenticationManager" />
>         </bean>
>         -->
>       </list>
>     </property>
>   </bean>
>
>   <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>     <property name="anonymousReadOnly" value="false" />
>     <property name="pooled" value="true" />
>     <property name="urls">
>       <list>
>         <value>[deleted]</value>
>       </list>
>     </property>
>     <property name="userName" value="[deleted]"/>
>     <property name="password" value="[deleted]" />
>     <property name="baseEnvironmentProperties">
>       <map>
>         <!--
>         <entry>
>           <key><value>java.naming.security.protocol</value></key>
>           <value>ssl</value>
>         </entry>
>         -->
>         <entry>
>           <key><value>java.naming.security.authentication</value></key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
>
>   <!--
>   What do we need userDetailsService for? acegiAuthenticationManager requires it but what if we only use the BindLdapAuthHandler?
>   -->
>   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
>     <property name="userMap">
>       <value>
>         marissa=koala,ROLES_IGNORED_BY_CAS
>         dianne=emu,ROLES_IGNORED_BY_CAS
>         scott=wombat,ROLES_IGNORED_BY_CAS
>         peter=opal,disabled,ROLES_IGNORED_BY_CAS
>       </value>
>     </property>
>   </bean>
>   <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
>     <property name="userDetailsService"><ref bean="userDetailsService"/></property>
>   </bean>
>
>   <!--
>   Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though.
>   -->
>   <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>     <property name="backingMap">
>       <map>
>         <entry key="uid" value="uid" />
>       </map>
>     </property>
>   </bean>
>
>   <!--
>   Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO. The name of this bean should remain "serviceRegistryDao".
>   -->
>   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
>
>   <!-- Not sure if we need this or not
>   <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
>     <property name="providers">
>       <list>
>         <ref bean="daoAuthenticationProvider"/>
>       </list>
>     </property>
>   </bean>
>   -->
> </beans>
>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>

-- 
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
