Hi,

I have set up CAS 3.0 (JASIG) on JBoss 4.0.2. When the client application is accessed over plain HTTP, the browser goes into an infinite redirect loop after the credentials are submitted on the CAS login page; over HTTPS everything works fine.

I want to be able to access the client application over plain HTTP.

Please see the attached server.log and the client's security.xml and web.xml.

Authentication itself completes successfully; it is what happens after that which loops.

The client configuration (security.xml) and the CAS server configuration (deployerConfigContext.xml) follow inline below.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd"
       default-lazy-init="true">

    <!-- ======================== FILTER CHAIN ======================= -->
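    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <!--
            The filters listed for the FIRST matching pattern run in the given order.
            logoutFilter is now in the chain: the bean was defined but never wired, so a request
            for /logout.jsp only rendered the JSP and SecurityContextLogoutHandler never ran
            (unless logout.jsp invalidated the session itself, the login survived "logout").
            Still NOT wired, deliberately left to the deployer: channelProcessingFilter (the
            REQUIRES_SECURE_CHANNEL rules further down are inert without it, and it must be the
            first filter in the list), rememberMeProcessingFilter and anonymousProcessingFilter
            (their providers are not in the active authenticationManager either).
        -->
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /images/**=#NONE#
                /scripts/**=#NONE#
                /css/**=#NONE#
                /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
            </value>
        </property>
        <!-- NOTE(review): LogoutFilter only ends the local session. The CAS single sign-on session
             survives, so /login/logout.jsp should send the browser on to the CAS /logout endpoint;
             otherwise the next protected request is silently re-authenticated by CAS (sendRenew is
             false on serviceProperties). -->
    </bean>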

    <!-- Loads the SecurityContext from the HTTP session at the start of each request and stores it
         back at the end; every filter after it relies on this, so the session cookie is what keeps
         a user logged in between requests.
         NOTE(review): a JSESSIONID cookie created over HTTPS is normally flagged Secure by the
         container and is then not sent on plain HTTP requests, which would make every http request
         look unauthenticated and is one plausible cause of the http-only loop reported above;
         check in the browser whether the cookie is actually sent on the http request. -->
    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

    <!-- Changed to use logout.jsp since causes 404 on WebSphere: http://issues.appfuse.org/browse/APF-566 -->
    <!-- Handles /logout.jsp: runs the LogoutHandlers in list order (cancel the remember-me cookie,
         then clear the SecurityContext and invalidate the session) and redirects to /login/logout.jsp.
         Only has an effect if it is listed in filterChainProxy. -->
    <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
        <!-- arg 0: where the browser is sent after logout -->
        <constructor-arg index="0" value="/login/logout.jsp"/>
        <!-- arg 1: the LogoutHandlers -->
        <constructor-arg index="1">
            <list>
                <ref bean="rememberMeServices"/>
                <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl"><value>/logout.jsp</value></property>
    </bean>
    

    <!-- Form-login filter for the eGov login page; credentialFields are presumably extra request
         parameters (besides j_password) that the custom filter passes along with the authentication.
         NOTE(review): this bean is not listed in filterChainProxy, so it never runs; CAS handles
         login now. Two things to fix before it is ever re-enabled: its filterProcessesUrl is the
         same URL casProcessingFilter owns, and "ipAddress" is a form field the browser submits, not
         the remote address, so it must not be trusted for auditing or access decisions. -->
    <bean id="authenticationProcessingFilter" class="org.egov.infstr.security.acegi.client.filter.EgovAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/login/securityLogin.jsp?error=true"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="filterProcessesUrl" value="/j_acegi_cas_security_check"/>
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="credentialFields">
		<list>
			<value>j_password</value>
			<value>locationId</value>
			<value>loginType</value>
			<value>counterId</value>
			<value>ipAddress</value>
		</list>
	</property>
	<property name="usrManager"  ref="userEJB" />
    </bean>

    <!-- Wraps the request so getRemoteUser()/isUserInRole() answer from the SecurityContext.
         None of the three filters in this group is listed in filterChainProxy at present. -->
    <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>

    <!-- Re-authenticates a user from the remember-me cookie when no context is present. -->
    <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="rememberMeServices"><ref bean="rememberMeServices"/></property>
    </bean>

    <!-- Populates an anonymous token (principal "anonymous", ROLE_ANONYMOUS) when nobody is
         logged in. The key must equal anonymousAuthenticationProvider's key. -->
    <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
        <property name="key"><value>anonymous</value></property>
        <property name="userAttribute"><value>anonymous,ROLE_ANONYMOUS</value></property>
    </bean>

    <!-- <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/login/securityLogin.jsp"/>
                <property name="forceHttps" value="false"/>
            </bean>
        </property>
        <property name="accessDeniedHandler">
 	       <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"/>
	</property>
    </bean> -->

    <!-- Authorisation point for web requests: asks accessDecisionManager whether the current
         Authentication may reach the requested URL. -->
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <!-- URL to required-attribute mapping is supplied by the RBAC EJB instead of the former
             static table ("/admin/*=Super User"). -->
        <property name="objectDefinitionSource" ref="egovFilterInvocationDefinitionSource"/>
    </bean>

    <!-- Grants access as soon as one voter votes yes. allowIfAllAbstainDecisions=false means a URL
         whose attributes no voter understands is denied rather than silently opened up. -->
    <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions"><value>false</value></property>
        <property name="decisionVoters">
            <list>
                <!-- Empty rolePrefix: the voter treats every attribute (e.g. "Super User" or
                     "ROLE_ADMIN") as a role to compare against the user's granted authorities. -->
                <bean class="org.acegisecurity.vote.RoleVoter">
                    <property name="rolePrefix"><value></value></property>
                </bean>
            </list>
        </property>
    </bean>

    <!-- Cookie based "remember me". The cookie value is a hash over username, expiry, the user's
         stored password and this key, so the key is the only server-side secret in the scheme and
         must equal rememberMeAuthenticationProvider's key.
         NOTE(review): this key has now been published together with this configuration. Generate a
         new random one and change it in both places; with the key known, anyone who also learns a
         user's stored password value can mint a valid cookie. No filter in the active chain
         references this bean at the moment, so remember-me is dead config today, but the key still
         matters the day it is wired in. -->
    <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="key" value="23_*!cdU='612./e;NrI"/>
        <property name="parameter" value="rememberMe"/>
    </bean>

    <!-- <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/> 
            </list>
        </property>
        <property name="sessionController">
	            <ref bean="concurrentSessionController"/>
        </property>
    </bean> -->
    
    <!-- ConcurrentSessionController limits the number of connections a single logged in user can have-->
    <!-- NOTE(review): inert. The active authenticationManager (the CAS one at the end of this file)
         has no sessionController property; only the commented-out manager referenced this bean, and
         there is no sessionRegistry / ConcurrentSessionFilter for it to work with. As far as I
         recall ConcurrentSessionControllerImpl insists on a sessionRegistry, so default-lazy-init on
         the root element is what keeps this from failing at startup. With
         exceptionIfMaximumExceeded=false it would expire the older session rather than refuse the
         new login even if it were wired in. -->
    <bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
            <property name="maximumSessions" value="1"/>
    	    <property name="exceptionIfMaximumExceeded" value="false"/> 	    
    </bean>
      

    <!-- Username/password provider over the eGov user store.
         NOTE(review): inert. The active authenticationManager lists only casAuthenticationProvider,
         so nothing authenticates through this bean; password checking for CAS logins happens in the
         CAS server's deployerConfigContext.xml. If it is ever wired in, uncomment passwordEncoder
         first: with none set a DaoAuthenticationProvider compares passwords as plain text. -->
    <bean id="daoAuthenticationProvider" class="org.egov.infstr.security.acegi.dao.EgovDaoAuthenticationProvider">
         <property name="userDetailsService" ref="userDetailsService"/>
         
         <!-- <property name="passwordEncoder" ref="passwordEncoder"/>  -->
         <!-- Uncomment and change if the login form password field name changes
            <property name="passwordFieldName" value="j_password"/> -->
    </bean>

    
    <!-- Providers for the anonymous and remember-me filters. Each key must equal the key on the
         matching filter/services bean (anonymousProcessingFilter, rememberMeServices) or the tokens
         are rejected. Neither provider is in the active authenticationManager, so both are unused.
         NOTE(review): the remember-me key below is the one published with this file; replace it
         together with the key on rememberMeServices. -->
    <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
        <property name="key" value="anonymous"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="23_*!cdU='612./e;NrI"/>
    </bean>

    <!-- This bean definition must be available to ApplicationContext.getBean() so StartupListener
         can look for it and detect if password encryption is turned on or not.
         NOTE(review): ShaPasswordEncoder is unsalted SHA-1, and no provider in this file actually
         references it (daoAuthenticationProvider's passwordEncoder line is commented out). -->
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>

    <!-- Optional: only listens for authentication events and logs them; no other bean uses it. -->
    <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

    <!-- Apply method-level interceptor to userManager bean -->
    <!-- <aop:config>
        <aop:advisor id="managerSecurity" advice-ref="methodSecurityInterceptor" pointcut="execution(* org.egov.samp.service.UserManager.*(..))"/>
    </aop:config> -->

    <!-- Method-level security for UserManager. Inert unless the aop:config advisor above is
         uncommented. The attributes use ROLE_ADMIN, which RoleVoter accepts because its prefix is
         empty. -->
    <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <!-- fully-qualified method name = required attribute(s) -->
        <property name="objectDefinitionSource">
            <value>
                org.egov.samp.service.UserManager.getUsers=ROLE_ADMIN
                org.egov.samp.service.UserManager.removeUser=ROLE_ADMIN
            </value>
        </property>
    </bean>

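    <!-- Enabled by default for CAS, as a CAS deployment uses HTTPS.
         The rules are plain regular expressions (no PATTERN_TYPE line) and the FIRST matching rule
         wins, so the specific REQUIRES_INSECURE_CHANNEL exception for /eGov.jsp has to come before
         the catch-all; previously it was listed after \A.*\Z and could never match.
         Matching is case-sensitive (CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is not set here),
         so a request for /egov.jsp falls through to the catch-all.
         NOTE(review): this filter is not in filterChainProxy's chain, so none of these rules are
         applied until it is listed there (it belongs at the front of the chain). -->
    <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
        <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
        <property name="filterInvocationDefinitionSource">
            <value>
                \A/eGov\.jsp.*\Z=REQUIRES_INSECURE_CHANNEL
                \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
                \A/j_acegi_cas_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                \A.*\Z=REQUIRES_SECURE_CHANNEL
            </value>
        </property>
    </bean>

    <!-- Each processor handles one attribute: SecureChannelProcessor redirects http requests that
         require https, InsecureChannelProcessor does the reverse. -->
    <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
        <property name="channelProcessors">
            <list>
                <ref local="secureChannelProcessor"/>
                <ref local="insecureChannelProcessor"/>
            </list>
        </property>
    </bean>

    <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
    <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>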

    
    <!-- <bean id="userDetailsService"
        class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
          <bean
            class="org.springframework.beans.factory.config.PropertiesFactoryBean">
            <property name="location"
              value="/WEB-INF/users.properties" />
    
          </bean>
        </property>
    </bean> -->
    <!-- UserDetailsService backed by the eGov UserManager EJB (replaces the users.properties based
         InMemoryDaoImpl above). casAuthoritiesPopulator consults it after ticket validation. -->
    <bean id="userDetailsService" class="org.egov.infstr.security.acegi.UserDetailsImpl">
        <property name="usrManager"><ref bean="userEJB"/></property>
    </bean>

    <!-- Supplies filterInvocationInterceptor with URL to attribute mappings from the RBAC EJB. -->
    <bean id="egovFilterInvocationDefinitionSource" class="org.egov.infstr.security.acegi.EGovFilterInvocationDefinitionSource">
        <property name="rbacManager"><ref local="rbacManagerEJB"/></property>
    </bean>
    
          
    <!-- Local (same JVM) stateless session bean proxies. resourceRef=false means the jndiName is
         looked up as given rather than under java:comp/env/. -->
    <bean id="userEJB" class="org.springframework.ejb.access.LocalStatelessSessionProxyFactoryBean" lazy-init="true">
        <property name="jndiName" value="UserManagerHome"/>
        <property name="resourceRef" value="false"/>
        <property name="businessInterface" value="org.egov.lib.rjbac.user.ejb.api.UserManager"/>
    </bean>

    <bean id="rbacManagerEJB" class="org.springframework.ejb.access.LocalStatelessSessionProxyFactoryBean" lazy-init="true">
        <property name="jndiName" value="RbacManagerHome"/>
        <property name="resourceRef" value="false"/>
        <property name="businessInterface" value="org.egov.lib.rrbac.services.RbacManager"/>
    </bean>
   
   <!-- CAS config -->
   
   <!-- Identity of THIS application as CAS sees it. The same string is sent as the "service"
        parameter on the redirect to /cas/login and on ticket validation, so CAS issues tickets for,
        and redirects back to, exactly this HTTPS URL: a request that arrived on plain http is sent
        back to the https origin. NOTE(review): if http access is really wanted, this value and the
        session-cookie behaviour are where the loop has to be understood; but the ticket is a bearer
        credential, so the callback URL itself should stay on https. sendRenew=false accepts an
        existing CAS single sign-on session without asking for the password again. -->
   <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
     <property name="service"><value>https://www.proll.org:8443/egi/j_acegi_cas_security_check</value></property>
     <property name="sendRenew"><value>false</value></property>
   </bean>
   
   <!-- Consumes the ticket CAS appends when it redirects back to the service URL and hands it to
        authenticationManager (CasAuthenticationProvider) for validation. Failure lands on
        /casfailed.jsp; success continues to the saved request, else "/". -->
   <bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
     <property name="authenticationManager" ref="authenticationManager"/>
     <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
     <property name="defaultTargetUrl" value="/"/>
     <property name="filterProcessesUrl" value="/j_acegi_cas_security_check"/>
   </bean>
   
   <!-- Turns an AuthenticationException thrown further down the chain into a redirect to the CAS
        login page; AccessDeniedException falls back to the default handler (HTTP 403). -->
   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
     <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/>
   </bean>

   <!-- Builds the redirect: loginUrl?service=<serviceProperties.service>, plus renew=true when
        sendRenew is set. -->
   <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
     <property name="loginUrl" value="https://www.proll.org:8443/cas/login"/>
     <property name="serviceProperties" ref="serviceProperties"/>
   </bean>
   
   <!-- Only CAS tokens are accepted here. Remember-me and anonymous tokens would be rejected
        (their providers are defined above but not listed), which is consistent with the filter
        chain, where the corresponding filters are not wired either. -->
   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
     <property name="providers">
       <list>
         <ref local="casAuthenticationProvider"/>
       </list>
     </property>
   </bean>
   
   <!-- Validates the service ticket through ticketValidator, loads roles through
        casAuthoritiesPopulator and builds the CasAuthenticationToken.
        NOTE(review): "key" is the placeholder from the Acegi samples. The provider uses it to
        recognise tokens it created itself (a CasAuthenticationToken whose key hash matches is
        accepted without going back to CAS), so it must be a long random value private to this
        deployment. Rotate it; it has been posted to a public list along with this file anyway. -->
   <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
     <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
     <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
     <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>
     <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>
     <property name="key"><value>changeit</value></property>
   </bean>
   
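   <!-- Validates service tickets against the CAS server over HTTPS. proxyValidate also accepts
        proxy tickets, which casProxyDecider (RejectProxyTickets) then refuses on this side;
        /cas/serviceValidate would make the server refuse them as well. -->
   <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
     <property name="casValidate"><value>https://www.proll.org:8443/cas/proxyValidate</value></property>
     <!-- Only needed if this application itself requests proxy tickets, which it does not.
     <property name="proxyCallbackUrl"><value>https://www.proll.org:8443/egi/casProxy/receptor</value></property> -->
     <property name="serviceProperties"><ref bean="serviceProperties"/></property>
     <!-- XML does not treat backslashes as escapes, so the earlier mix of "\" and "\\" produced a
          path with doubled separators; written once, as the OS sees it.
          NOTE(review): this is the JDK's default cacerts (every public CA, password "changeit"),
          and as far as I recall the validator installs it as the JVM-wide javax.net.ssl.trustStore.
          A dedicated store holding only the CAS server's certificate chain would be safer. -->
     <property name="trustStore"><value>C:\Program Files\Java\jdk1.5.0_06\jre\lib\security\cacerts</value></property>
   </bean>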
   
   <!-- ehcache backing for the stateless ticket cache, which the provider uses for "stateless"
        clients that resend a ticket on every request instead of holding an HTTP session.
        NOTE(review): ehcache-failsafe.xml is ehcache's built-in fallback configuration; its
        defaults (as far as I recall: short time-to-live and overflowToDisk=true) would spill cached
        CasAuthenticationTokens, including the loaded UserDetails, into java.io.tmpdir. Ship an
        explicit ehcache.xml with an in-memory only "ticketCache". -->
   <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
     <property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
   </bean>

   <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
     <property name="cacheManager" ref="cacheManager"/>
     <property name="cacheName" value="ticketCache"/>
   </bean>

   <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
     <property name="cache" ref="ticketCacheBackend"/>
   </bean>
   
   <!-- After CAS confirms the ticket, loads the user's roles from the eGov user store; a user CAS
        knows but the eGov store does not will fail here (the lookup throws). -->
   <bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
     <property name="userDetailsService" ref="userDetailsService"/>
   </bean>

   <!-- Refuse any ticket obtained through a proxy chain: only tickets issued directly to this
        service are accepted. -->
   <bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>


 
  
</beans>
<?xml version="1.0" encoding="UTF-8"?>
<!--
	| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
	| all CAS deployers will need to modify.
	|
	| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.  
	| The beans declared in this file are instantiated at context initialization time by the Spring 
	| ContextLoaderListener declared in web.xml.  It finds this file because this
	| file is among those declared in the context parameter "contextConfigLocation".
	|
	| By far the most common change you will need to make in this file is to change the last bean
	| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
	| one implementing your approach for authenticating usernames and passwords.
	+-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
	<!--
		| AuthenticationManager used by the CentralAuthenticationService bean in applicationContext.xml,
		| which looks it up by the id "authenticationManager". The class rarely needs changing; the two
		| lists below are what deployers customise.
		+-->
	<bean id="authenticationManager"
		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<!--
			| CredentialsToPrincipalResolvers say WHO is trying to authenticate. They are tried in order until
			| one supports the presented Credentials. Two roles: resolving the user at /login
			| (UsernamePasswordCredentialsToPrincipalResolver) and resolving a service that requests a
			| proxy-granting ticket (HttpBasedServiceCredentialsToPrincipalResolver, keyed on its callback URL).
			+-->
		<property name="credentialsToPrincipalResolvers">
			<list>
				<!-- Turns UsernamePasswordCredentials into a SimplePrincipal carrying the username. Replace
				     (or add to) this if LoginFormAction submits a different Credentials type. -->
				<bean
					class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
				<!-- CAS 2.0 style service identity: a service IS its HTTPS proxy-callback URL. Replace this if
				     services are identified by anything other than such a URL. -->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>

		<!--
			| AuthenticationHandlers actually verify the Credentials the resolvers identified. CAS tries them
			| in turn until one both supports the Credentials and succeeds.
			+-->
		<property name="authenticationHandlers">
			<list>
				<!-- Authenticates services by calling back their HTTPS URL, which validates the server
				     certificate the callback endpoint presents. -->
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<!--
					| Username/password handler. The stock SimpleTestUsernamePasswordAuthenticationHandler
					| (username equals password) has already been replaced here by the Acegi adapter, which hands
					| the credentials to acegiAuthenticationManager below (a DaoAuthenticationProvider over the eGov
					| UserDetailsImpl).
					| NOTE(review): that provider has no passwordEncoder configured, so the comparison is plain
					| text unless UserDetailsImpl hashes on its own. Confirm which before going to production.
					+-->
				<bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
							<property name="authenticationManager" ref="acegiAuthenticationManager" />
				</bean>
			</list>
		</property>
	</bean>
	
	<!-- Verifies the CAS login form's username/password against the eGov user store.
	     NOTE(review): no passwordEncoder is set, so DaoAuthenticationProvider compares the submitted
	     password with UserDetails.getPassword() as plain text (its default encoder). Since the poster
	     reports that logins succeed, either the store holds clear-text passwords or UserDetailsImpl
	     does its own hashing; find out which, and wire an encoder explicitly in either case. -->
	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		     	<property name="userDetailsService"><ref bean="userDetailsService"/></property>
	</bean>
	
	<!-- The only provider in this manager; CasAuthenticationHandler above delegates here. -->
	<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
			<property name="providers">
			  <list>
			    <ref bean="daoAuthenticationProvider"/>
			  </list>
			</property>
	</bean>
	
	<!-- NOTE(review): unreferenced test user store. Nothing in this file points at it, so it is dead
	     config today, but it defines user "battags" with password "notused" and ROLE_ADMIN; the moment
	     someone re-points daoAuthenticationProvider at it (for debugging, say) that becomes a working
	     admin login on the CAS server. Remove it rather than leave it lying around. -->
	<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
			<property name="userMap">
				<value>
			      battags=notused,ROLE_ADMIN
			    </value>
			</property>
	</bean> 
	
	<!-- Same eGov UserDetailsService as on the client side: the CAS server loads username and password
	     from the UserManager EJB deployed alongside it. -->
	<bean id="userDetailsService" class="org.egov.infstr.security.acegi.UserDetailsImpl">
		<property name="usrManager"><ref local="userEJB"/></property>
	</bean>

	<!-- Local stateless session bean proxy; resourceRef=false so "UserManagerHome" is looked up as
	     given rather than under java:comp/env/. -->
	<bean id="userEJB" class="org.springframework.ejb.access.LocalStatelessSessionProxyFactoryBean" lazy-init="true">
		<property name="jndiName" value="UserManagerHome"/>
		<property name="resourceRef" value="false"/>
		<property name="businessInterface" value="org.egov.lib.rjbac.user.ejb.api.UserManager"/>
	</bean>
</beans>