In some commercial SSO products such as IBM TAM, every request can
be filtered by the SSO first, so the group/role info can be filled in
an HTTP header.

I think it would be great if in CAS 4 the CAS protocol could be extended
to offer a similar function. This would make systems easier to
integrate with CAS.

Regards,

Shi Yusen/Beijing Langhua Ltd.


On Mon, 2009-02-02 at 19:40 +0000, inas inassen wrote:
>  Thanks Shi.
>  
> I agree with you, this issue is related to authorization and my LDAP
> is already set up and it works fine with Tomcat's JNDIRealm.
>  
> So what I want is exactly reproducing with CAS what JNDIRealm does.
>  
> In my CAS server I used the following objects
>  
> <bean id="authenticationManager"
>       class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>   <property name="credentialsToPrincipalResolvers">
>     <list>
>       <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>         <property name="credentialsToPrincipalResolver">
>           <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         </property>
>         <property name="filter" value="(uid=%u)" />
>         <property name="principalAttributeName" value="uid" />
>         <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
>         <property name="contextSource" ref="contextSource" />
>         <property name="attributeRepository" ref="attributeRepository" />
>       </bean>
>     </list>
>   </property>
>   <property name="authenticationHandlers">
>     <list>
>       <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>         <property name="filter" value="uid=%u" />
>         <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
>         <property name="contextSource" ref="contextSource" />
>       </bean>
>     </list>
>   </property>
> </bean>
>
> <bean id="attributeRepository"
>       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>   <property name="baseDN" value="ou=roles,ou=org1,o=org2,dc=ca" />
>   <property name="query" value="(uniqueMember={0})" />
>   <property name="contextSource" ref="contextSource" />
>   <property name="ldapAttributesToPortalAttributes">
>     <map>
>       <entry key="cn" value="Role"/>
>     </map>
>   </property>
> </bean>
>  
> And when using JNDIRealm, I have
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        userPattern="uid={0},ou=people,ou=org1,o=org2,dc=ca"
>        roleBase="ou=roles,ou=org1,o=org2,dc=ca"
>        roleName="cn"
>        roleSearch="(uniqueMember={0})" />
>
> So in other words, what is the equivalent of this JNDIRealm
> configuration in the CAS LDAP configuration?
>  
> Regards,
>  
> Inas.
>  
> 
> 
> > Subject: RE: CAS and LDAP
> > From: [email protected]
> > To: [email protected]
> > Date: Sat, 31 Jan 2009 17:40:56 +0800
> > 
> > > Basically, when I'm authenticated in CAS server, I want to have a
> > > way to retrieve a list of roles to make them available to the
> > > request.isUserInRole("role") method.
> > 
> > Your requirement belongs to authorization, not authentication, so I
> > think it's beyond CAS.
> > 
> > Anyway, you have to choose member and/or alias to represent your
> > user-role relationship in LDAP. After successfully authenticating in
> > the CAS server, search for the user in members or aliases to get the
> > relationship, and then set them in the role attribute of the request.
> > 
> > How would you refresh the role relationship when it changes if you
> > set it in the request?
> > 
> > Regards,
> > 
> > Shi Yusen/Beijing Langhua Ltd.
> > 
> > > 
> > > regards
> > > 
> > > Inas.
> > > 
> > > 
> > > 
> > > ______________________________________________________________________
> > > 
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: Re: CAS and LDAP
> > > Date: Thu, 29 Jan 2009 17:14:14 -0500
> > > 
> > > 
> > > Are you using OpenLDAP or Active Directory?
> > > 
> > > 
> > > 
> > > And, roles would not be CAS related so explain what you're trying
> > > to do a little more.
> > > 
> > > 
> > > 
> > > David
> > > 
> > > Sent from my iPhone
> > > 
> > > 
> > > On Jan 29, 2009, at 5:04 PM, inas inassen <[email protected]>
> > > wrote:
> > > 
> > > 
> > > 
> > > 
> > > Hi all,
> > > 
> > > I was able to log in using CAS and LDAP authentication
> > > (BindLdapAuthenticationHandler) but I experience problems
> > > retrieving a user's roles, so is there any documentation
> > > regarding this issue?
> > > 
> > > thanks a lot.
> > > 
> > > Inas
> > > 
> > > 
> > > 
> > > ______________________________________________________________
> > > 
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: RE: CAS and LDAP and JAAS
> > > Date: Fri, 16 Jan 2009 20:37:24 +0000
> > > 
> > > Thanks Matt,
> > > 
> > > Now it is clearer, so I agree with you that CAS LDAP support
> > > is better, but my concern is that I want to keep my
> > > applications compliant
> > > after switching from Tomcat JNDIRealm and SSO Valve to CAS
> > > server, then how can I make the expected roles available to my
> > > application
> > > in order to use the isInRole(string) method from the
> > > HttpServletRequest object?
> > > 
> > > Thanks
> > > 
> > > Inas
> > > 
> > > > Date: Thu, 15 Jan 2009 17:54:39 -0500
> > > > From: [email protected]
> > > > To: [email protected]
> > > > Subject: Re: CAS and LDAP and JAAS
> > > > 
> > > > The CAS LDAP support should be drastically better than the
> > > > JAASAuthenticationHandler using that specific LDAP JAAS
> > > > module. I wrote the JAASAuthenticationHandler and
> > > > edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due
> > > > to some historical Kerberos/LDAP/ActiveDirectory needs. Scott
> > > > cleaned up the JAASAuthenticationHandler to make it CAS-worthy,
> > > > but the JAAS LDAPLoginModule has suffered from severe bit-rot
> > > > and should be purged from this plane of existence.
> > > > 
> > > > I'd recommend either using the stock CAS LDAP support, or
> > > > the more popular (at least in the Shib community) Virginia Tech
> > > > LDAPLoginModule:
> > > > http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support
> > > > 
> > > > -Matt
> > > > 
> > > > 
> > > > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen
> > > > <[email protected]> wrote:
> > > > > Thanks Andrew
> > > > >
> > > > > Yes, all my applications use role-based authorization through
> > > > > the JAAS framework inside Struts, Tiles and taglibs.
> > > > >
> > > > > So my need is that I want to have a CAS server running, let's
> > > > > say in the W1 server site, that authenticates against an LDAP.
> > > > > Using a CAS client, my other applications that are
> > > > > running in W2, W3 and so on will authenticate against the CAS
> > > > > Server in W1, and I need a JAAS subject to keep my application's
> > > > > security (authorization and authentication) working.
> > > > >
> > > > > thanks again
> > > > >
> > > > > Inas.
> > > > >
> > > > >
> > > > > ________________________________
> > > > > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > > > > Subject: Re: CAS and LDAP and JAAS
> > > > > From: [email protected]
> > > > > To: [email protected]
> > > > >
> > > > > Inas,
> > > > >
> > > > > Is there any reason you are going through JAAS for LDAP
> > > > > authentication instead of using the LDAP authentication handler?
> > > > >
> > > > > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > > > > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> > > > >
> > > > > HTH,
> > > > > A-
> > > > >
> > > > > On 1/15/09 2:51 PM, "inas inassen" <[email protected]>
> > > > > wrote:
> > > > >
> > > > >
> > > > >
> > > > > Hi all,
> > > > >
> > > > > I'm trying to configure CAS to authenticate against an
> > > > > LDAP and my applications are using JAAS as an Authentication and
> > > > > Authorization framework.
> > > > >
> > > > > Everything works fine using Tomcat JNDIRealm.
> > > > >
> > > > > My Tomcat JNDIRealm
> > > > >
> > > > >
> > > > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > >        connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > > >        userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > > > >        roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > > > >        roleName="cn"
> > > > >        roleSearch="(uniqueMember={0})" />
> > > > >
> > > > >
> > > > > this is my jaas.conf file (configured in
> > > > > -Djava.security.auth.login.config=jaas.conf)
> > > > >
> > > > > CAS {
> > > > >     edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > > > >         java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > > >         java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > > > >         java.naming.security.credentials="secret"
> > > > >         Attribute="uid"
> > > > >         startTLS="true";
> > > > > };
> > > > >
> > > > >
> > > > > and this is my deployConfigContext file
> > > > >
> > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > > >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > >        xmlns:p="http://www.springframework.org/schema/p"
> > > > >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> > > > >                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > > > >
> > > > >   <bean id="authenticationManager"
> > > > >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > > > >     <property name="credentialsToPrincipalResolvers">
> > > > >       <list>
> > > > >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > > > >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > > > >       </list>
> > > > >     </property>
> > > > >     <property name="authenticationHandlers">
> > > > >       <list>
> > > > >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > > > >               p:httpClient-ref="httpClient" />
> > > > >         <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
> > > > >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > > > >           <property name="filter" value="uid=%u" />
> > > > >           <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > > > >           <property name="contextSource" ref="contextSource" />
> > > > >         </bean>
> > > > >       </list>
> > > > >     </property>
> > > > >   </bean>
> > > > >
> > > > >   <bean id="userDetailsService"
> > > > >         class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > > > >     <property name="userMap">
> > > > >       <value></value>
> > > > >     </property>
> > > > >   </bean>
> > > > >
> > > > >   <bean id="attributeRepository"
> > > > >         class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > > > >     <property name="backingMap">
> > > > >       <map>
> > > > >         <entry key="uid" value="uid" />
> > > > >         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > > > >         <entry key="groupMembership" value="groupMembership" />
> > > > >       </map>
> > > > >     </property>
> > > > >   </bean>
> > > > >
> > > > >   <bean id="serviceRegistryDao"
> > > > >         class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > > > >
> > > > >   <!-- LDAP context -->
> > > > >   <bean id="contextSource"
> > > > >         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > > > >     <property name="pooled" value="true"/>
> > > > >     <property name="urls">
> > > > >       <list>
> > > > >         <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > > > >       </list>
> > > > >     </property>
> > > > >     <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > > > >     <property name="password" value="secret"/>
> > > > >     <property name="baseEnvironmentProperties">
> > > > >       <map>
> > > > >         <entry>
> > > > >           <key>
> > > > >             <value>java.naming.security.authentication</value>
> > > > >           </key>
> > > > >           <value>simple</value>
> > > > >         </entry>
> > > > >         <entry>
> > > > >           <key>
> > > > >             <value>ldap.initial.context.factory</value>
> > > > >           </key>
> > > > >           <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > > > >         </entry>
> > > > >       </map>
> > > > >     </property>
> > > > >   </bean>
> > > > >
> > > > > </beans>
> > > > >
> > > > >
> > > > > my LDAP schema is
> > > > >
> > > > > ou=ait,o=b2b,dc=net
> > > > >   ou=people
> > > > >     uid=user1
> > > > >     uid=user2
> > > > >   ou=roles
> > > > >     cn=role1
> > > > >       uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > > > >     cn=role2
> > > > >       uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> > > > >
> > > > >
> > > > >
> > > > > when I try to log in I get a bad credential
> > > > >
> > > > > any help please?
> > > > >
> > > > > thanks a lot.
> > > > >
> > > > > Mezghena.
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Yale CAS mailing list
> > > > > [email protected]
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > >
> > > > > --
> > > > > Andrew Feller, Analyst
> > > > > LSU University Information Services
> > > > > 200 Frey Computing Services Center
> > > > > Baton Rouge, LA 70803
> > > > > Office: 225.578.3737
> > > > > Fax: 225.578.6400
> > > > >
> > > > >
> > > > >
> > > > 
> > > > 
> > > > 
> > > > -- 
> > > > [email protected]
> > > > Key ID:D6EEC5B5
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >
> 
> 
> 

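As an added example (not code from the thread, the CAS project or the Java CAS client), here is the client-side half of what Shi suggests and Inas asks for: a servlet filter that answers request.isUserInRole() from the role values carried by the validated CAS assertion, so applications written against Tomcat's JNDIRealm keep working behind a CAS client. It assumes the Jasig Java CAS client (its Assertion type and the AbstractCasFilter.CONST_CAS_ASSERTION session key) and that the CAS server is configured to release the LDAP cn values to the client under the attribute name "Role", as in Inas's ldapAttributesToPortalAttributes mapping.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

// Added example, not from the thread or the CAS project. Map this filter in web.xml
// AFTER the CAS authentication and ticket validation filters, so that the validated
// Assertion is already in the session when it runs.
public class CasRoleFilter implements Filter {
    // Assumed name under which the CAS server releases the LDAP cn values.
    private static final String ROLE_ATTRIBUTE = "Role";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        chain.doFilter(new RoleAwareRequest(request, rolesFromAssertion(request)), res);
    }

    // Roles are re-read from the session-bound Assertion on every request, so they are
    // as fresh as the last ticket validation: a change in LDAP shows up at the next CAS
    // login, and nothing is cached in the request itself (Shi's refresh concern).
    static Set<String> rolesFromAssertion(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Assertion assertion = session == null ? null
                : (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        if (assertion == null) return Collections.emptySet();  // not authenticated via CAS
        Object value = assertion.getPrincipal().getAttributes().get(ROLE_ATTRIBUTE);
        Set<String> roles = new HashSet<String>();
        if (value instanceof Collection) {                     // multi-valued attribute
            for (Object v : (Collection<?>) value) roles.add(String.valueOf(v));
        } else if (value != null) {                            // single value
            roles.add(String.valueOf(value));
        }
        return roles;
    }

    // Answers isUserInRole() from the CAS attributes; everything else (getRemoteUser,
    // getUserPrincipal, ...) is delegated to the CAS client's own request wrapper.
    private static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Set<String> roles;
        RoleAwareRequest(HttpServletRequest r, Set<String> roles) { super(r); this.roles = roles; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Because the roles come from an assertion the CAS client has already validated with the server, the application trusts only the server's view of LDAP, not a header the browser could supply. Container-managed security constraints in web.xml are not affected by this filter; they still consult the Tomcat Realm.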
