Marius, Thanks for the response. Appreciate it. A quick question: does anyone know of a way to determine the NT Domain Controller's IP address from Windows XP (or Linux, if they are the same)?
Thanks. ________________________________ From: "Strumyla, Marius" <[EMAIL PROTECTED]> To: Yale CAS mailing list <[email protected]> Sent: Friday, December 5, 2008 9:07:22 AM Subject: RE: Spnego question Here's a patch that I use to enabe NTLM. The patch is against CAS 3.3. Hope this helps. -- i5mast
diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/pom.xml cas-server-3.3-ntlm/cas-server-webapp/pom.xml
--- cas-server-3.3/cas-server-webapp/pom.xml 2008-08-14 10:39:56.000000000 -0400
+++ cas-server-3.3-ntlm/cas-server-webapp/pom.xml 2008-10-22 17:57:25.914613000 -0400
@@ -109,6 +109,12 @@
 </exclusion>
 </exclusions>
 </dependency>
+
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>cas-server-support-spnego</artifactId>
+ <version>${project.version}</version>
+ </dependency>
 </dependencies>
 <build>
 <plugins>
diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/cas-servle t.xml
--- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml 2008-08-14 10:39:56.000000000 -0400
+++ cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/cas-servle t.xml 2008-10-23 18:40:10.916380000 -0400
@@ -232,4 +232,13 @@ <bean id="manageRegisteredServicesMultiActionController" class="org.jasig.cas.services.web.ManageRegisteredServicesMultiActionCon troller"> <constructor-arg index="0" ref="servicesManager" /> </bean> + + <bean id="negociateSpnego" class="org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsA ction"> + <property name="ntlm" value="true"/> + </bean> + + <bean id="spnego" class="org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction" + p:centralAuthenticationService-ref="centralAuthenticationService"> + <property name="ntlm" value="true"/> + </bean> </beans> diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/classes/log4j.p roperties cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/classes/lo g4j.properties --- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/classes/log4j.p roperties 2008-08-14 10:39:56.000000000 -0400 +++ cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/classes/lo g4j.properties 2008-10-23 11:44:31.176545000 -0400 @@ -7,7 +7,7 @@ log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n log4j.appender.logfile=org.apache.log4j.RollingFileAppender -log4j.appender.logfile.File=cas.log +log4j.appender.logfile.File=${catalina.base}/logs/cas.log log4j.appender.logfile.MaxFileSize=512KB # Keep three backup files. log4j.appender.logfile.MaxBackupIndex=3 diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigC ontext.xml cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/deployerCo nfigContext.xml --- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigC ontext.xml 2008-08-14 10:39:56.000000000 -0400 +++ cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/deployerCo nfigContext.xml 2008-10-23 18:23:46.028527000 -0400 
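Review bot: Both new beans hard-code `ntlm` to `true`, which, as far as I read these actions, makes the negotiate step challenge browsers with the NTLM scheme instead of Negotiate/Kerberos, and nothing in the hunk records why that downgrade is wanted; a one-line comment above `negociateSpnego` such as `<!-- ntlm="true": clients are challenged with NTLM rather than Negotiate/Kerberos; see the jcifsConfig bean in deployerConfigContext.xml -->` would keep the choice deliberate and easy to revisit. The `spnego` bean also uses the `p:` namespace prefix on `p:centralAuthenticationService-ref`; its declaration would sit on the `<beans>` root outside this hunk, so it is worth confirming cas-servlet.xml declares it, otherwise the context fails to load.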
@@ -43,6 +43,9 @@ +--> <property name="credentialsToPrincipalResolvers"> <list> + <bean + class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCrede ntialsToPrincipalResolver" /> + <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. 
@@ -66,34 +69,35 @@ </list> </property> - <!-- - | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, - | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that - | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn - | until it finds one that both supports the Credentials presented and succeeds in authenticating. - +--> - <property name="authenticationHandlers"> - <list> - <!-- - | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating - | a server side SSL certificate. - +--> - <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCred entialsAuthenticationHandler" - p:httpClient-ref="httpClient" /> - <!-- - | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS - | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials - | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your - | local authentication strategy. You might accomplish this by coding a new such handler and declaring - | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. - +--> - <bean - class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePa sswordAuthenticationHandler" /> - </list> - </property> - </bean> + <!-- + | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, + | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that + | authenticate the Principals that the CredentialsToPrincipalResolvers identified. 
CAS will try these handlers in turn + | until it finds one that both supports the Credentials presented and succeeds in authenticating. + +--> + <property name="authenticationHandlers"> + <list> + <!-- + | This is authentication handler for CaremarkRx Active Directory. + +--> + <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFS SpnegoAuthenticationHandler"> + <property name="authentication"> + <bean class="jcifs.spnego.Authentication" /> + </property> + <property name="principalWithDomainName" value="false" /> + <property name="NTLMallowed" value="true"/> + </bean> + </list> + </property> + </bean> + <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFS Config"> + <property name="loginConf" value="/WEB-INF/login.conf" /> + <property name="jcifsDomain" value="<NT DOMAIN>" /> + <property name="jcifsDomainController" value="<NT DOMAIN CONTROLLER>" /> + </bean> + <!-- This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version. More robust deployments will want to use another option, such as the Jdbc version. diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login-webflow.x ml cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login-webf low.xml --- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login-webflow.x ml 2008-08-14 10:39:56.000000000 -0400 +++ cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login-webf low.xml 2008-10-23 15:33:47.252899000 -0400 
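Review bot: The `jcifsConfig` bean's placeholder values `<NT DOMAIN>` and `<NT DOMAIN CONTROLLER>` put a literal `<` inside an attribute value, which is not well-formed XML, so the context cannot even be parsed until they are replaced; a placeholder without markup characters, e.g. `<property name="jcifsDomain" value="__NT_DOMAIN__" />`, fails more helpfully. The rewritten `authenticationHandlers` list also drops both handlers it replaces: without `HttpBasedServiceCredentialsAuthenticationHandler` nothing supports the SSL callback credentials, so proxy-granting-ticket callbacks stop authenticating, and with no handler for `UsernamePasswordCredentials` the login form that the webflow still falls back to on SPNEGO failure can never succeed (unless such a handler is declared elsewhere, which I cannot see from here). Keeping the `HttpBased...` bean next to the JCIFS handler and declaring the site's real username/password handler would restore both paths. The `<!-- This is authentication handler for CaremarkRx Active Directory -->` comment is deployer-specific; for a shared patch a neutral `<!-- SPNEGO/NTLM handler backed by Active Directory through JCIFS -->` reads better.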
@@ -17,7 +17,7 @@ </decision-state> <decision-state id="gatewayRequestCheck"> - <if test="${externalContext.requestParameterMap['gateway'] != '' && externalContext.requestParameterMap['gateway'] != null && flowScope.service != null}" then="redirect" else="viewLoginForm" /> + <if test="${externalContext.requestParameterMap['gateway'] != '' && externalContext.requestParameterMap['gateway'] != null && flowScope.service != null}" then="redirect" else="startAuthenticate" /> </decision-state> <decision-state id="hasServiceCheck"> @@ -25,7 +25,7 @@ </decision-state> <decision-state id="renewRequestCheck"> - <if test="${externalContext.requestParameterMap['renew'] != '' && externalContext.requestParameterMap['renew'] != null}" then="viewLoginForm" else="generateServiceTicket" /> + <if test="${externalContext.requestParameterMap['renew'] != '' && externalContext.requestParameterMap['renew'] != null}" then="startAuthenticate" else="generateServiceTicket" /> </decision-state> <!-- @@ -43,6 +43,18 @@ <transition on="error" to="viewLoginForm" /> </action-state> --> + + <action-state id="startAuthenticate"> + <action bean="negociateSpnego" /> + <transition on="success" to="spnego" /> + </action-state> + + <action-state id="spnego"> + <action bean="spnego" /> + <transition on="success" to="sendTicketGrantingTicket" /> + <transition on="error" to="viewLoginForm" /> + </action-state> + <view-state id="viewLoginForm" view="casLoginView"> <render-actions> <action bean="authenticationViaFormAction" method="setupForm"/> diff -ru --unidirectional-new-file cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login.conf cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login.conf --- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login.conf 1969-12-31 19:00:00.000000000 -0500 +++ cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login.conf 2008-10-22 17:19:35.832472000 -0400 
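Review bot: The new `startAuthenticate` action-state declares only `<transition on="success" to="spnego" />`; should `negociateSpnego` return any other event the flow has no matching transition and ends in a flow exception instead of reaching the login form, so adding `<transition on="error" to="viewLoginForm" />` next to it is a cheap safety net. The two retargeted decision-states in the earlier hunks route every non-gateway login through this state, so browsers outside the domain now receive a 401 challenge and may be prompted for credentials before they ever see the form; a comment on `startAuthenticate` stating that this is intended would help the next deployer. The `<view-state id="viewLoginForm">` element continues past the end of the hunk.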
@@ -0,0 +1,6 @@
+jcifs.spnego.initiate {
+ com.sun.security.auth.module.NTLoginModule required;
+};
+jcifs.spnego.accept {
+ com.sun.security.auth.module.NTLoginModule required;
+};
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
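Review bot: Both entries name `com.sun.security.auth.module.NTLoginModule`, which as far as I know is the Windows-native login module of the Sun/Oracle JDK and is not available on other platforms or JVM vendors, so the new file silently ties the CAS server host to a Windows JVM. A header comment recording that assumption, e.g. `// NTLoginModule is Windows-only; a non-Windows CAS host needs a different module such as Krb5LoginModule`, would save the next deployer (the parent thread already asks about Linux) a confusing startup failure.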
