Sorry for being late in writing this document. Finally I got some spare time in the Chinese New Year festival. I put the doc here: http://www.ja-sig.org/wiki/pages/viewpage.action?pageId=10649670

Kind Regards,
Shi Yusen/Beijing Langhua Ltd.

On Tue, 2008-01-15 at 16:36 +0800, Shi Yusen wrote:
> I think I can write a document on how to set up a development
> environment with FedoraCore+CAS+OpenLDAP+openssl. Which catalog in the
> wiki should I put it into?
>
> Regards,
>
> Shi Yusen/Beijing Langhua Ltd.
>
>
> On Mon, 2008-01-14 at 23:16 -0800, Sara_Abasi wrote:
> > Hi Scott,
> >
> > thanks for your help. The certificate is not signed commercially and I have
> > added the certificate to my JVM's cacerts file according to
> > http://www.ja-sig.org/wiki/display/CASUM/Demo
> >
> > keytool -import -file server.crt -keypass changeit -keystore
> > ..\jre\lib\security\cacerts
> >
> > My LDAP server is actually a Microsoft Active Directory (Windows 2003
> > Server). It accepts connections on port 389 and 636 (tested with telnet).
> > But actually I'm not sure if SSL is really supported, so I tried connecting
> > to it without SSL but I got the following exception:
> >
> > 2008-01-15 10:26:52,582 ERROR
> > [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> > - <Servlet.service() for servlet cas threw exception>
> > javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> > LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
> >
> > This is my configuration without the ssl option:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> >     "http://www.springframework.org/dtd/spring-beans.dtd">
> > <beans>
> >   <bean id="authenticationManager"
> >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >     <property name="credentialsToPrincipalResolvers">
> >       <list>
> >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >       </list>
> >     </property>
> >     <property name="authenticationHandlers">
> >       <list>
> >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> >           <property name="httpClient" ref="httpClient" />
> >         </bean>
> >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >           <property name="filter" value="uid=%u" />
> >           <property name="searchBase" value="cn=Users,dc=test,dc=net" />
> >           <property name="contextSource" ref="contextSource" />
> >           <property name="ignorePartialResultException" value="yes" />
> >         </bean>
> >       </list>
> >     </property>
> >   </bean>
> >   <bean id="contextSource"
> >         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> >     <property name="password" value="{123}"/>
> >     <property name="pooled" value="true" />
> >     <property name="urls">
> >       <list>
> >         <value>ldap://test.net:389/</value>
> >       </list>
> >     </property>
> >     <property name="userName" value="{cn=myuser,cn=Users,dc=test,dc=net}"/>
> >     <property name="baseEnvironmentProperties">
> >       <map>
> >         <entry>
> >           <key>
> >             <value>java.naming.security.authentication</value>
> >           </key>
> >           <value>simple</value>
> >         </entry>
> >       </map>
> >     </property>
> >   </bean>
> > </beans>
> >
> >
> > Thanks for your help,
> >
> > Sarah
> >
> >
> >
> >
> > scott_battaglia wrote:
> > >
> > > Sarah,
> > >
> > > Is it a commercially signed certificate? If not, make sure it's in the
> > > JVM's cacerts file so that it can trust it. Also, make sure your LDAP server is
> > > accepting SSL connections.
> > >
> > > -Scott
> > >
> > > On Jan 14, 2008 6:41 AM, Sara_Abasi <[EMAIL PROTECTED]> wrote:
> > >
> > >>
> > >> Hi
> > >> I'm a newbie in LDAP with SSL.
> > >> My problem is, I connect to an LDAP server from my web application and do
> > >> the authentication by LDAP with SSL.
> > >> When I enter user name and password it throws this exception:
> > >>
> > >> 2008-01-14 15:04:52,074 ERROR
> > >> [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> > >> - <Servlet.service() for servlet cas threw exception>
> > >> java.io.EOFException: SSL peer shut down incorrectly
> > >>         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
> > >>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)
> > >>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
> > >>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
> > >>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> > >>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> > >>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> > >>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
> > >>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> > >>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> > >>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
> > >>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
> > >>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> > >>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
> > >>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
> > >>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> > >>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> > >>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
> > >>         at javax.naming.InitialContext.init(InitialContext.java:223)
> > >>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
> > >>         at org.springframework.ldap.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:59)
> > >>         at org.springframework.ldap.support.AbstractContextSource.createContext(AbstractContextSource.java:193)
> > >>         at org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:104)
> > >>         at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:263)
> > >>         at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
> > >>         at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:70)
> > >>         at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(AbstractUsernamePasswordAuthenticationHandler.java:58)
> > >>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
> > >>         at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:282)
> > >>         at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:116)
> > >>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > >>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > >>         at java.lang.reflect.Method.invoke(Method.java:585)
> > >>         at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
> > >>         at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
> > >>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
> > >>         at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
> > >>         at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
> > >>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
> > >>         at org.springframework.webflow.engine.State.enter(State.java:200)
> > >>         at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > >>         at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > >>         at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > >>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
> > >>         at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
> > >>         at org.springframework.webflow.engine.State.enter(State.java:200)
> > >>         at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > >>         at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > >>         at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > >>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
> > >>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
> > >>         at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:238)
> > >>         at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
> > >>         at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:170)
> > >>         at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> > >>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> > >>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
> > >>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
> > >>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
> > >>         at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:364)
> > >>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > >>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > >>         at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> > >>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> > >>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
> > >>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> > >>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > >>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> > >>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> > >>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
> > >>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
> > >>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> > >>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> > >>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> > >>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
> > >>         at java.lang.Thread.run(Thread.java:595)
> > >>
> > >> This is my deployConfigContext.xml
> > >>
> > >> <?xml version="1.0" encoding="UTF-8"?>
> > >> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> > >>     "http://www.springframework.org/dtd/spring-beans.dtd">
> > >> <!--
> > >>   | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
> > >>   | all CAS deployers will need to modify.
> > >>   |
> > >>   | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
> > >>   | The beans declared in this file are instantiated at context initialization time by the Spring
> > >>   | ContextLoaderListener declared in web.xml. It finds this file because this
> > >>   | file is among those declared in the context parameter "contextConfigLocation".
> > >>   |
> > >>   | By far the most common change you will need to make in this file is to change the last bean
> > >>   | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
> > >>   | one implementing your approach for authenticating usernames and passwords.
> > >>   +-->
> > >> <beans>
> > >>
> > >>   <!--
> > >>     | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
> > >>     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
> > >>     | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
> > >>     | implementation and so do not need to change the class of this bean. We include the whole
> > >>     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
> > >>     | need to change in context.
> > >>     +-->
> > >>   <bean id="authenticationManager"
> > >>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > >>     <!--
> > >>       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to
> > >>       | authenticate. The AuthenticationManagerImpl considers them in order, finding a
> > >>       | CredentialToPrincipalResolver which supports the presented credentials.
> > >>       |
> > >>       | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify
> > >>       | the Principal attempting to authenticate to CAS /login . In the default configuration, it is the
> > >>       | DefaultCredentialsToPrincipalResolver that fills this role. If you are using some other kind of
> > >>       | credentials than UsernamePasswordCredentials, you will need to replace
> > >>       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the
> > >>       | credentials you are using.
> > >>       |
> > >>       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy
> > >>       | granting ticket. In the default configuration, it is the
> > >>       | HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> > >>       | You will need to change this list if you are identifying services by something more or other
> > >>       | than their callback URL.
> > >>       +-->
> > >>     <property name="credentialsToPrincipalResolvers">
> > >>       <list>
> > >>         <!--
> > >>           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials
> > >>           | that we use for /login by default and produces SimplePrincipal instances conveying the
> > >>           | username from the credentials.
> > >>           |
> > >>           | If you've changed your LoginFormAction to use credentials other than
> > >>           | UsernamePasswordCredentials then you will also need to change this bean declaration
> > >>           | (or add additional declarations) to declare a CredentialsToPrincipalResolver that
> > >>           | supports the Credentials you are using.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > >>         <!--
> > >>           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports
> > >>           | the CAS 2.0 approach of authenticating services by SSL callback, extracting the callback
> > >>           | URL from the Credentials and representing it as a SimpleService identified by that
> > >>           | callback URL.
> > >>           |
> > >>           | If you are representing services by something more or other than an HTTPS URL whereat
> > >>           | they are able to receive a proxy callback, you will need to change this bean
> > >>           | declaration (or add additional declarations).
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > >>       </list>
> > >>     </property>
> > >>
> > >>     <!--
> > >>       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might
> > >>       | authenticate, AuthenticationHandlers actually authenticate credentials. Here we declare the
> > >>       | AuthenticationHandlers that authenticate the Principals that the
> > >>       | CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn until it
> > >>       | finds one that both supports the Credentials presented and succeeds in authenticating.
> > >>       +-->
> > >>     <property name="authenticationHandlers">
> > >>       <list>
> > >>         <!--
> > >>           | This is the authentication handler that authenticates services by means of callback
> > >>           | via SSL, thereby validating a server side SSL certificate.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> > >>           <property name="httpClient" ref="httpClient" />
> > >>         </bean>
> > >>
> > >>         <!--
> > >>           | This is the authentication handler declaration that every CAS deployer will need to
> > >>           | change before deploying CAS into production. The default
> > >>           | SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> > >>           | where the username equals the password. You will need to replace this with an
> > >>           | AuthenticationHandler that implements your local authentication strategy.
> > >>           | You might accomplish this by coding a new such handler and declaring
> > >>           | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers
> > >>           | provided in the adaptors modules.
> > >>           +-->
> > >>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > >>           <property name="filter" value="uid=%u" />
> > >>           <property name="searchBase" value="cn=Users,dc=z,dc=z" />
> > >>           <property name="contextSource" ref="contextSource" />
> > >>           <property name="ignorePartialResultException" value="yes" />
> > >>         </bean>
> > >>       </list>
> > >>     </property>
> > >>   </bean>
> > >>   <bean id="contextSource"
> > >>         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > >>     <property name="password" value="{11111}"/>
> > >>     <property name="pooled" value="true" />
> > >>     <property name="urls">
> > >>       <list>
> > >>         <value>ldaps://irisad.net/</value>
> > >>       </list>
> > >>     </property>
> > >>     <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}"/>
> > >>     <property name="baseEnvironmentProperties">
> > >>       <map>
> > >>         <entry>
> > >>           <key>
> > >>             <value>java.naming.security.protocol</value>
> > >>           </key>
> > >>           <value>ssl</value>
> > >>         </entry>
> > >>         <entry>
> > >>           <key>
> > >>             <value>java.naming.security.authentication</value>
> > >>           </key>
> > >>           <value>simple</value>
> > >>         </entry>
> > >>         <entry>
> > >>           <key>
> > >>             <value>java.naming.referral</value>
> > >>           </key>
> > >>           <value>follow</value>
> > >>         </entry>
> > >>       </map>
> > >>     </property>
> > >>   </bean>
> > >> </beans>
> > >>
> > >> thanks.
> > >> --
> > >> View this message in context:
> > >> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
> > >> Sent from the CAS Users mailing list archive at Nabble.com.
> > >>
> > >> _______________________________________________
> > >> Yale CAS mailing list
> > >> [email protected]
> > >> http://tp.its.yale.edu/mailman/listinfo/cas
> > >>
> > >
> > >
> > > --
> > > -Scott Battaglia
> > >
> > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
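The two errors quoted in this thread sit at different layers: the `java.io.EOFException: SSL peer shut down incorrectly` happens inside the TLS handshake before any bind is attempted (the credentials were never evaluated), while `[LDAP: error code 49 - ... data 525` is Active Directory rejecting the bind itself, and the `data` subcode tells the operator why. As an added example that is not part of this thread or of CAS, the Python below classifies a CAS/JNDI log excerpt into those two kinds, maps the documented AD subcodes to their meaning for the server log, and returns one fixed message for the login form. The subcode table is the standard AD set; the sample log strings are constructed from the excerpts quoted above; the function names are mine.

```python
import re

# Documented Active Directory bind-failure subcodes: the "data NNN" field that
# AD appends to an LDAP result code 49 (invalidCredentials) diagnostic message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the JNDI rendering of an AD code-49 failure and captures the subcode.
_CODE49_RE = re.compile(r"LDAP: error code 49 - .*?\bdata ([0-9A-Fa-f]+)", re.DOTALL)

# Standard JDK exception names/messages meaning the TLS layer failed before any
# bind request was sent, so the credentials were never evaluated.
_TLS_MARKERS = (
    "javax.net.ssl.SSLHandshakeException",
    "java.io.EOFException: SSL peer shut down incorrectly",
    "sun.security.validator.ValidatorException",
)


def classify_ldap_failure(log_text):
    """Classify a CAS/JNDI LDAP failure as 'tls', 'bind' or 'unknown'.

    Returns a dict with a 'kind' and a human-readable 'detail'; for bind
    failures it also carries the raw AD 'subcode' (lower-cased hex).
    """
    for marker in _TLS_MARKERS:
        if marker in log_text:
            return {
                "kind": "tls",
                "detail": "TLS handshake/transport failed before bind; check that the "
                          "server certificate chain is trusted by the JVM (cacerts) and "
                          "that the configured port really speaks LDAPS",
            }
    m = _CODE49_RE.search(log_text)
    if m:
        subcode = m.group(1).lower()
        return {
            "kind": "bind",
            "subcode": subcode,
            "detail": AD_BIND_SUBCODES.get(subcode, "unknown AD subcode"),
        }
    return {"kind": "unknown", "detail": "unrecognised failure"}


def login_response(log_text):
    """Return (message_for_user, line_for_server_log).

    The user-facing message is identical for every failure kind: if 525
    (user not found) and 52e (wrong password) produced different messages,
    the login form would reveal which usernames exist in the directory.
    """
    info = classify_ldap_failure(log_text)
    server_log = f"ldap-auth-failure kind={info['kind']} detail={info['detail']}"
    return "Authentication failed.", server_log


# Constructed samples modelled on the two log excerpts quoted in the thread.
SAMPLE_BIND_525 = (
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
)
SAMPLE_BIND_52E = SAMPLE_BIND_525.replace("data 525", "data 52e")
SAMPLE_TLS_EOF = (
    "java.io.EOFException: SSL peer shut down incorrectly\n"
    "\tat com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TLS_EOF, SAMPLE_BIND_525, SAMPLE_BIND_52E):
        user_msg, log_line = login_response(sample)
        print(user_msg, "|", log_line)
```

Running the script prints the same `Authentication failed.` for all three samples while the log line differs; in a deployment the `detail` string belongs in the CAS server log only, never in the HTML returned to the browser.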
