Aha, thanks Scott. It's to do with the AccessDecisionManager I think. Some 
class has voted against letting me in. 

Will read up on the whole voting mechanism before I post any more questions :)

Thanks again

Richard 


Date: Thu, 8 May 2008 10:02:12 -0400
From: [EMAIL PROTECTED]
To: [email protected]
Subject: Re: Access denied

Richard,

If you turn on DEBUG in your log4j properties for Spring Security, you'll get a 
huge amount of information, which should lead you to where it is failing.  I 
will warn you that it is A LOT of information and can be difficult to walk 
through, but it generally does eventually lead to the result (I've done it a 
bunch of times).


-Scott

On Thu, May 8, 2008 at 7:43 AM, Richard Gundersen <[EMAIL PROTECTED]> wrote:






Hi, me again... :)

Got CAS working with Spring Security, providing I use an in-memory 
user-service. All good. 

When I use an ldap-user-service to get my roles, I authenticate OK, but I just 
get dumped to a Tomcat 403 page. 


To determine if my app was making the rejection, I removed all filters except 
the CAS one, but added a new one to the start of the chain with some debug. 
It's not getting called at all. 

All looks good at the CAS side (see output below) - it's granting me a ticket 
for my app. But something is blocking me at the last hurdle. Anyone know what 
it could be?


**************
2008-05-08 12:37:01,360 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
<Granted service ticket [ST-1-XNUBA3eFkRCjIe6nTrBs-cas] for service 
[http://mycomputer:8080/MQS4/j_spring_cas_security_check] for user 
[richard.gundersen]>

May 8, 2008 12:37:02 PM org.apache.tomcat.util.http.Parameters processParameters
WARNING: Parameters: Invalid chunk ignored.
**************

Here's my LDAP config in case it's useful:

**************

    <bean id="casAuthenticationProvider"
          class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="userService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://mycomputer/cas" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <bean id="serviceProperties"
          class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service"
                  value="http://mycomputer:8080/MQS4/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <sec:ldap-server id="ldapServer"
                     url="ldap://mycompany.com:13060/"
                     manager-dn="cn=adminusername,cn=Users,dc=mycompany,dc=com"
                     manager-password="somepassword" />

    <sec:ldap-user-service id="userService"
                           server-ref="ldapServer"
                           group-search-base="cn=Groups,dc=mycompany,dc=com"
                           group-role-attribute="cn"
                           group-search-filter="(uniquemember={0})"
                           user-search-base="cn=Users,dc=mycompany,dc=com"
                           user-search-filter="(uid={0})" />

**************

Thanks (again)

Richard 





_______________________________________________

Yale CAS mailing list

[email protected]

http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
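
Added illustration, not part of the thread and not Spring Security's own code: a plain-Java model of the role vote that Richard's reply refers to, showing how a user can authenticate and still be refused. It assumes the default `ROLE_` prefix, upper-casing of LDAP group `cn` values, and an affirmative decision manager; the `ROLE_USER` access attribute and the group names are constructed.

```java
import java.util.*;

/** Plain-JDK model of the role vote; it does not call Spring Security classes. */
public class RoleVoteModel {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;
    static final String ROLE_PREFIX = "ROLE_"; // assumed default on both sides

    /** Assumed mapping of LDAP group cn values to authorities: upper-case, then prefix. */
    static Set<String> toAuthorities(List<String> groupCns) {
        Set<String> out = new TreeSet<>();
        for (String cn : groupCns) out.add(ROLE_PREFIX + cn.toUpperCase(Locale.ROOT));
        return out;
    }

    /** Role voter: abstains unless an attribute starts with ROLE_, grants on an exact match. */
    static int roleVote(Set<String> authorities, List<String> required) {
        int result = ACCESS_ABSTAIN;
        for (String attr : required) {
            if (!attr.startsWith(ROLE_PREFIX)) continue;
            if (authorities.contains(attr)) return ACCESS_GRANTED;
            result = ACCESS_DENIED;
        }
        return result;
    }

    /** Affirmative decision: one grant admits; a denial or all abstentions ends in a 403. */
    static boolean decide(int... votes) {
        for (int v : votes) if (v == ACCESS_GRANTED) return true;
        return false;
    }

    public static void main(String[] args) {
        List<String> required = Arrays.asList("ROLE_USER"); // constructed access attribute
        List<List<String>> groupSets = Arrays.asList(       // constructed LDAP search results
            Arrays.asList("user"),                  // maps to ROLE_USER
            Arrays.asList("Users", "MQS Admins"),   // maps to ROLE_USERS, ROLE_MQS ADMINS
            Collections.<String>emptyList());       // group search matched nothing
        for (List<String> groups : groupSets) {
            Set<String> auths = toAuthorities(groups);
            int vote = roleVote(auths, required);
            System.out.println(groups + " -> " + auths + " vote=" + vote
                + (decide(vote) ? " access granted" : " access denied (403)"));
        }
    }
}
```

Comparing the authorities printed in the DEBUG log against the access attributes configured for the protected URL is the same check done by hand.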
