On Thu, Nov 6, 2008 at 12:55 PM, Robert Lewis <[EMAIL PROTECTED]> wrote: > Hi, > > Historically, with cas2 in production we have been using a customized > xml response returned by casServiceValidationSuccess.jsp. Now we are > wanting to move up to cas3.2.1 and the customized xml response breaks > the services management servlet. Which services management servlet? CAS doesn't care what the JSP page is.
Specifically, the cas client in acegi > security is wanting the xml tag to be "<cas:user>" and we are sending > "<cas:NetID>". I am investigating the approach of customizing the > cas3.2.1 server so as not to break the existing webapps on campus that > are expecting NetID in the xml response. To do this it looks like the > cas client used by acegi security has to be customized. > > In searching the net I came across an exchange where someone else had a > similar issue in March 2008. Scott submitted the following advice. > > "The custom attributes you defined are not recognized by the CAS client > used by Acegi (because, well, they're custom). The CAS client used by > Acegi by default interprets the protocol exactly and ignores anything > that's extra. > > The upcoming Spring Security 2 will utilize the newer CAS Client for > Java 3.1.1 which would make it easier to inject a custom ticket > validator to retrieve those attributes. In addition, the Assertion > (which holds the Principal and the attributes) will be available as part > of the CasAuthenticationToken. This won't be ready until Spring > Security 2.0 comes out though." Spring Security 2.0.4 also uses CAS Client for Java 3.1.3 now (that's an old email ;-)) > > So, I have been trying to follow up on this advice and I have run into > an obstacle I need help with. When I upgrade to Spring Security 2 I see > the bean casAuthoritiesPopulator in securityContext.xml is still needed, > but the class DaoCasAuthoritiesPopulator does not seem to be available > in Spring Security 2. So, what do I replace it with? Do I have to write > a class that returns a UserDetailsService ? The documentation for Spring Security should include everything on how to configure CAS. In addition, there is a sample CASified web application included with Spring Security (it may only be available from SVN) that you can use as a starting point (the Spring Security documentation is based off of it). -Scott > > > Thanks, > > Robert Lewis > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
