I am using the following method to register a user; it is called from the authenticate
method:

private boolean registerUser(String netid)
        throws ClassNotFoundException, SQLException
{
    final String host = ConfigurationManager.getProperty("authentication-cas", "ldap.hostname");
    final String searchBase = ConfigurationManager.getProperty("authentication-cas", "ldap.search_context");
    final String firstNameAttr = ConfigurationManager.getProperty("authentication-cas", "ldap.givenname_field");
    final String lastNameAttr = ConfigurationManager.getProperty("authentication-cas", "ldap.surname_field");
    final String emailNameAttr = ConfigurationManager.getProperty("authentication-cas", "ldap.email_field");
    // NOTE: netid is concatenated into the filter unescaped. It comes from the CAS validator,
    // but any filter metacharacters in it (* ( ) \ NUL) must be escaped per RFC 4515 first.
    final String searchFilter = ConfigurationManager.getProperty("authentication-cas", "ldap.id_field") + "=" + netid;

    LDAPConnection lc = new LDAPConnection();
    int ldapPort = LDAPConnection.DEFAULT_PORT;
    int searchScope = LDAPConnection.SCOPE_SUB;
    int ldapVersion = LDAPConnection.LDAP_V3;   // unused: connect() below opens an anonymous (unbound) session

    // Clear anything left over from a previous call so a failed lookup cannot reuse stale values
    firstName = null;
    lastName = null;
    email = null;

    try {
        lc.connect(host, ldapPort); // open the connection to the server (no bind)
        LDAPSearchResults searchResults = lc.search(searchBase, searchScope, searchFilter, null, false); // return attrs and values
        if (!searchResults.hasMore()) {
            return false;   // no entry for this netid
        }
        LDAPEntry nextEntry = searchResults.next();
        LDAPAttribute gnAttr = nextEntry.getAttribute(firstNameAttr);
        LDAPAttribute snAttr = nextEntry.getAttribute(lastNameAttr);
        LDAPAttribute emailAttr = nextEntry.getAttribute(emailNameAttr);
        if (emailAttr == null) {
            // without an e-mail address the caller can neither find nor create the EPerson
            log.warn("LDAP entry for " + netid + " has no " + emailNameAttr + " attribute");
            return false;
        }
        // getAttribute() returns null when the attribute is absent, so guard the optional ones
        firstName = (gnAttr != null) ? gnAttr.getStringValue() : null;
        lastName = (snAttr != null) ? snAttr.getStringValue() : null;
        email = emailAttr.getStringValue();
        log.info("email: " + email);
        return true;
    } catch (LDAPException ex) {
        log.error("LDAP exception caught", ex);
        return false;   // do not report success when the lookup failed
    } finally {
        try {
            lc.disconnect();   // release the connection on every path
        } catch (LDAPException ignore) {
            // nothing further to do if disconnect fails
        }
    }
}


This is the authenticate method:

public int authenticate(Context context,
                        String netid,
                        String password,
                        String realm,
                        HttpServletRequest request)
        throws SQLException
{
    final String ticket = request.getParameter("ticket");
    final String service = request.getRequestURL().toString();
    log.info(LogManager.getHeader(context, "login", " ticket: " + ticket));
    log.info(LogManager.getHeader(context, "login", "service: " + service));

    if (ticket != null)
    {
        try
        {
            String validate = ConfigurationManager.getProperty("authentication-cas", "cas.validate.url");
            log.info(LogManager.getHeader(context, "login", "CAS ticket: " + ticket));
            log.info(LogManager.getHeader(context, "login", "CAS service: " + service));
            if (validate == null)
            {
                throw new ServletException("No CAS validation URL specified. You need to set property 'cas.validate.url'");
            }

            // Validate ticket (it is assumed that CAS validator returns the user network ID)
            netid = validate(service, ticket, validate);
            if (netid == null)
            {
                throw new ServletException("Ticket '" + ticket + "' is not valid");
            }

            // registerUser() retrieves firstname, lastname and email info from LDAP into the
            // corresponding fields. Without an e-mail address the EPerson can be neither
            // located nor created, so stop here instead of continuing with email == null.
            if (!registerUser(netid))
            {
                log.warn(LogManager.getHeader(context, "authenticate",
                    netid + " type=CAS, no LDAP entry or e-mail for netid, cannot look up or register"));
                return NO_SUCH_USER;
            }

            // Locate the eperson in DSpace
            EPerson eperson = null;
            try
            {
                // eperson = EPerson.findByNetid(context, netid.toLowerCase());
                eperson = EPerson.findByEmail(context, email);
            }
            catch (SQLException e)
            {
                log.error("cas findByEmail failed", e);   // pass the exception, not the stack-trace array
            }

            // if they entered a netid that matches an eperson and they are allowed to login
            if (eperson != null)
            {
                // e-mail address corresponds to active account
                if (eperson.getRequireCertificate())
                {
                    // they must use a certificate
                    return CERT_REQUIRED;
                }
                else if (!eperson.canLogIn()) {
                    return BAD_ARGS;
                }

                // Logged in OK.
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.setAttribute("loginType", "CAS");
                }

                context.setCurrentUser(eperson);
                log.info(LogManager.getHeader(context, "authenticate", "type=CAS"));

                return SUCCESS;
            }

            // the user does not exist in DSpace so create an eperson
            else
            {
                if (canSelfRegister(context, request, netid))
                {
                    // TEMPORARILY turn off authorisation
                    // Register the new user automatically
                    context.setIgnoreAuthorization(true);
                    eperson = EPerson.create(context);
                    // use netid only but this implies that user has to manually update their profile
                    eperson.setNetid(netid);

                    // if you wish to automatically extract further user details: email, first_name and last_name
                    // enter your method here: e.g. query LDAP or RDBMS etc.
                    /* e.g.
                     * registerUser(netid);
                     * */
                    eperson.setEmail(email);

                    eperson.setFirstName(firstName);
                    eperson.setLastName(lastName);

                    eperson.setLanguage("en");
                    eperson.setRequireCertificate(false);
                    eperson.setSelfRegistered(false);

                    eperson.setCanLogIn(true);
                    AuthenticationManager.initEPerson(context, request, eperson);
                    eperson.update();
                    context.commit();
                    context.setIgnoreAuthorization(false);
                    context.setCurrentUser(eperson);
                    log.warn(LogManager.getHeader(context, "authenticate",
                        netid + " type=CAS auto-register"));
                    return SUCCESS;
                }
                else
                {
                    // No auto-registration for valid netid
                    log.warn(LogManager.getHeader(context, "authenticate",
                        netid + " type=netid_but_no_record, cannot auto-register"));
                    return NO_SUCH_USER;
                }
            }

        } catch (Exception e)
        {
            log.error("CAS authentication failed", e);   // log the whole exception, not just the first stack frame
        }
    }
    return BAD_ARGS;
}


Hongxing Geng 
Library Services 
Athabasca University 
Phone: 780-675-6589 
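As an added example (my own code, not Hongxing's and not part of DSpace or jldap), this builds the same "ldap.id_field=netid" filter that registerUser forms by string concatenation, but with the netid escaped per RFC 4515 and the whole thing wrapped in the parentheses the RFC requires, so a netid containing filter metacharacters cannot change the query. The attribute name "uid", the regex for the configured field name and the sample netids are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** RFC 4515 escaping for a value placed into an LDAP search filter (added example). */
public final class LdapFilterEscape {

    // Assumed shape of a valid attribute description: letters/digits/hyphens, optional ;options.
    private static final Pattern ATTR_DESC = Pattern.compile("[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*");

    /** Escape one assertion value: '\', '*', '(', ')', NUL and every non-ASCII byte become \XX. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (c == 0x5C || c == 0x2A || c == 0x28 || c == 0x29 || c == 0x00 || c > 0x7F) {
                sb.append('\\').append(String.format("%02X", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    /**
     * Build the "(idField=netid)" equality filter. idField is the configured attribute name
     * (ldap.id_field) and is validated rather than escaped; netid is the CAS-validated user id.
     */
    public static String buildIdFilter(String idField, String netid) {
        if (idField == null || !ATTR_DESC.matcher(idField).matches()) {
            throw new IllegalArgumentException("ldap.id_field is not a valid attribute name: " + idField);
        }
        if (netid == null || netid.isEmpty()) {
            throw new IllegalArgumentException("netid must be non-empty");
        }
        return "(" + idField + "=" + escapeFilterValue(netid) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values; "uid" stands in for the configured ldap.id_field.
        System.out.println(buildIdFilter("uid", "jdoe"));         // plain id, unchanged
        System.out.println(buildIdFilter("uid", "*"));            // '*' becomes a literal, not a match-all
        System.out.println(buildIdFilter("uid", "a)(cn=*"));      // parentheses cannot close or open a term
        System.out.println(buildIdFilter("uid", "m\u00fcller"));  // non-ASCII bytes are hex-escaped
    }
}
```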

----- "Graham Faulkner" <graham.faulk...@uwaterloo.ca> wrote: 

Hi Hongxing, 



Thanks for the reply. Would you be able to provide a code snippet for your
CASAuthentication.java’s authenticate() function? Our 3.1 instance that does
work is not using the jldap packages you are talking about, so I had tried
using its approach in 5.1.



Specifically, in our 3.1 instance we have the following code in 
CASAuthentication’s authenticate() method that successfully retrieves the 
user’s email, firstName and lastName values: 



public int authenticate(Context context, String username, String password,
                        String realm, HttpServletRequest request)
        throws SQLException {

    try {
        if (request.getUserPrincipal() != null) {
            AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
            if (principal != null) {
                Map<String, Object> attributes = principal.getAttributes();
                String netid = request.getUserPrincipal().getName();

                String email = (String) attributes.get("mail");
                String firstName = (String) attributes.get("givenName");
                String lastName = (String) attributes.get("sn");

                log.info("UserPrincipal.email: " + email);
                log.info("UserPrincipal.firstName: " + firstName);
                log.info("UserPrincipal.lastName: " + lastName);

                EPerson eperson = findEPersonByNetID(context, netid);

                // if they entered a netid that matches an eperson and they are allowed to login
                if (eperson != null) {
                    log.info(" EPerson!=null ");

                    if (eperson.getRequireCertificate()) return CERT_REQUIRED;
                    else if (!eperson.canLogIn()) return BAD_ARGS;

                    // Logged in OK.
                    context.setCurrentUser(eperson);
                    log.info(LogManager.getHeader(context, "authenticate", "type=CAS"));
                    return SUCCESS;
                }
                // the user does not exist or doesn't have netid set
                else {
                    log.info("EPerson==null ");

                    eperson = getEpersonByEmail(context, email);
                    log.info(" EPerson.getEpersonByEmail(context, getEmail(request)); ==> " + eperson);

                    if (eperson != null) {
                        log.info(" EPerson!=null ");
                        eperson.setNetid(netid);
                        eperson.update();
                        context.setCurrentUser(eperson);
                        log.info(LogManager.getHeader(context, "authenticate", "type=CAS"));
                        return SUCCESS;
                    }
                    // Eperson doesn't exist in DSpace
                    else if (canSelfRegister()) {
                        log.info(" canSelfRegister() ");
                        context.turnOffAuthorisationSystem();
                        eperson = EPerson.create(context);

                        // use netid only but this implies that user has to manually update their profile
                        eperson.setNetid(netid);
                        eperson.setEmail(email);
                        eperson.setFirstName(firstName);
                        eperson.setLastName(lastName);

                        log.info(" EPerson Created. ");

                        eperson.setCanLogIn(true);
                        AuthenticationManager.initEPerson(context, request, eperson);
                        eperson.update();
                        context.commit();
                        context.restoreAuthSystemState();
                        context.setCurrentUser(eperson);

                        log.info(" return SUCCESS ");
                        return SUCCESS;
                    }
                    else {
                        // No auto-registration for valid netid
                        log.warn(LogManager.getHeader(context, "authenticate",
                                "type=netid_but_no_record, cannot auto-register"));
                        log.info(" return NO_SUCH_USER ");
                        return NO_SUCH_USER;
                    }
                }
            }
        }
    } catch (Exception e) {
        log.error("Unexpected exception caught", e);
    }
    return BAD_ARGS;
}



However, in my attempts to implement this in 5.1 the call to 
request.getUserPrincipal() always returns null, so I can’t proceed with the 
functions to get a Map of the attributes. 



Thanks in advance for any help in this matter. 



Cheers, 



Graham 







> From: Hongxing Geng [mailto:bi...@athabascau.ca]
> Sent: Monday, May 04, 2015 11:35 AM
> To: Graham Faulkner
> Cc: dspace-tech@lists.sourceforge.net
> Subject: Re: [Dspace-tech] CAS for DSpace 5.1 XMLUI (Mirage 2)





Hi Graham, 





Sorry for missing your last email. I got firstName, etc. information from an LDAP
server. Thus, in my dspace-api/pom.xml, the following is also included:



<dependency>
    <groupId>com.novell.ldap</groupId>
    <artifactId>jldap</artifactId>
    <version>4.3</version>
</dependency>


And the CASAuthentication.java has: 



import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPSearchResults;





Hope this helps.


> Hongxing Geng 
> Library Services 
> Athabasca University 
> Phone: 780-675-6589 
> 
> ----- "Graham Faulkner" < graham.faulk...@uwaterloo.ca > wrote: 

Hi all, 



Just circling back on this to see if anyone has some pointers in the right 
direction on extracting firstName, lastName and email using CAS & DS 5.1 
(please see details below). 



Cheers, 



Graham 





> > From: Graham Faulkner [mailto:graham.faulk...@uwaterloo.ca]
> > Sent: Tuesday, April 28, 2015 9:51 AM
> > To: Hongxing Geng
> > Cc: dspace-tech@lists.sourceforge.net
> > Subject: Re: [Dspace-tech] CAS for DSpace 5.1 XMLUI (Mirage 2)



Hi Hongxing, 



Thanks again for your assistance. I have CAS * mostly * working now – i.e. I 
authenticate users using CAS and auto-register them with a custom group at 
their first login. As per the code snippets at 
https://github.com/DSpace/DSpace/pull/222/files?diff=unified , I populate their 
eperson account with fixed firstName and lastName values that they have to 
change manually in their profile. I would like to populate these with their 
real name values via the authentication process. 



In our 3.1 instance we retrieve the values of firstName, lastName and email via 
CAS, but my attempts in 5.1 are failing. One noticeable difference I see is 
that in our 3.1 instance we have multiple <filter>/<filter-mapping> entries in 
xmlui’s web.xml file. When I introduce these <filter>’s and <filter-mapping>’s 
in 5.1 DSpace it shows “authentication failed” on the page, and in the DSpace 
log I get an error like: 



2015-04-28 08:51:12,278 INFO org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl @ No Proxy Ticket found for [] .

2015-04-28 08:51:12,310 INFO org.dspace.app.xmlui.utils.AuthenticationUtil @ anonymous:session_id=89D79CD05A27E0343FE618B6E5ED66DB:ip_addr=129.97.58.43:failed_login:email=null, realm=null, result=5



What did you have in your web.xml when you implemented CAS in DSpace 5.x? It 
would be great to retrieve the user’s name and email from our authentication 
server when they login for the first time. Any advice is greatly appreciated. 



Cheers, 



Graham 





> > From: Hongxing Geng [mailto:bi...@athabascau.ca]
> > Sent: Thursday, April 23, 2015 11:04 AM
> > To: Graham Faulkner
> > Cc: dspace-tech@lists.sourceforge.net
> > Subject: Re: [Dspace-tech] CAS for DSpace 5.1 XMLUI (Mirage 2)




Have you included the following in your dspace-api/pom.xml?






<dependency>
    <groupId>cas</groupId>
    <artifactId>casclient</artifactId>
    <version>2.1.1</version>
</dependency>





cheers! 



> > Hongxing Geng 
> > Library Services 
> > Athabasca University 
> > Phone: 780-675-6589 
> > 
> > ----- "Graham Faulkner" < graham.faulk...@uwaterloo.ca > wrote: 

Hi Hongxing, 



I tried to rebuild with the changes, and I’m getting a “package 
edu.yale.its.tp.cas.client does not exist” error. Are you able to build using 
that package? 



Graham 





> > > From: Hongxing Geng [mailto:bi...@athabascau.ca]
> > > Sent: Wednesday, April 22, 2015 3:25 PM
> > > To: Graham Faulkner
> > > Cc: dspace-tech@lists.sourceforge.net
> > > Subject: Re: [Dspace-tech] CAS for DSpace 5.1 XMLUI (Mirage 2)




Hi Graham, 





I was using this link for reference 
https://github.com/DSpace/DSpace/pull/222/files?diff=split and successfully 
implemented CAS authentication for DSpace 5.0. I believe the same code works 
for DSpace 5.1 as well. Authentication does not deal with themes, so whether 
the theme is Mirage 2 does not matter. 





Thanks 
> > > 
> > > Hongxing Geng 
> > > Library Services 
> > > Athabasca University 
> > > Phone: 780-675-6589 
> > > 
> > > ----- "Graham Faulkner" < graham.faulk...@uwaterloo.ca > wrote: 

Hi there, 



We are trying to set up CAS authentication for a DSpace 5.1 instance running 
XMLUI (Mirage 2). 



I have taken some cues from this GitHub pull request ( 
https://github.com/DSpace/DSpace/pull/804 ) and from a custom CAS 
implementation from our DS 3.1 instance. We have installed a certificate and 
can view things via https on port 8443. 



However, upon performing the CAS login and returning to the website, we 
encounter this error: “HTTP Status 500 - javax.net.ssl.SSLProtocolException: 
handshake alert: unrecognized_name” 



Doing some Googling, it seems like this is an issue with the newer JVM, and 
that we need to disable SNI, by setting this flag: 
“-Djsse.enableSNIExtension=false”. (e.g. 
https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide ) 



I added it to JAVA_OPTS value in the /dspace-source/dspace/bin/dspace file, and 
rebuilt everything. However, I’m still encountering the error when attempting a 
CAS login. 



Has anyone successfully got CAS working with DSpace 5.1, XMLUI (Mirage 2), or 
have pointers in the right direction? 



Cheers, 



Graham 



-----------------------------------------
Graham Faulkner
Web Developer / Programmer
Digital Initiatives, Library
University of Waterloo
Waterloo, Ontario N2L 3G1 CANADA
519-888-4567 x32461
graham.faulk...@uwaterloo.ca















------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
