Just to update, Single Sign Out works, the problem was my Shiro application didn't have the signout filters before the rest... I moved them up and it's working. However, the attribute retrieval from CAS is still failing (when I set up the SAML validation protocol, I always get redirected to casFilter.failureUrl). All required JARs are already available on the classpath. Any help is greatly appreciated.

Regards,

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

On 16/01/14 11:33, Eduardo J. Ortega U wrote:
Hi, Jérôme:

Thanks for the info on the logout, I will try and report back. About the attributes issue, I tried setting casRealm.validationProtocol = SAML but when I try to access the protected areas, I get redirected to CAS, do login and then I get redirected to my casFilter.failureUrl = /error.jsp instead of my protected page. From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that my application should be submitting a POST request to cas/samlValidate; I did some sniffing with Wireshark and see no such request taking place. Here's my shiro.ini (CAS protected areas are under protected, feel free to ignore filters applying to other sections):

[main]
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
cauthc=co.com.sonria.seguridad.FiltroAutenticacion
cauthc.loginUrl = /publico/login.jsf
cauthc.successUrl = /comun/bienvenido.jsf
logout.redirectUrl = /publico/login.jsf
cauthc.usernameParam = j_username
cauthc.passwordParam = j_password
cauthc.failureKeyAttribute = loginFailure
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
#casRealm.defaultPermissions
#casRealm.roleAttributeNames
#casRealm.permissionAttributeNames
casRealm.validationProtocol = SAML
#casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
casRealm.casServerUrlPrefix = http://192.168.88.103:8080/cas-server-webapp/
casRealm.casService = http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
#roles.loginUrl = https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
roles.loginUrl = http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas

[users]
administrador=administrador,ADMINISTRADOR
gerente = gerente,GERENTE
profesional = profesional,PROFESIONAL
paciente = paciente,PACIENTE

[urls]
/ = authc
/publico/login.jsf=cauthc
/logout = logout
/plantillas/* = cauthc
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]

Any ideas on what I might be doing wrong that tells my app there is a CAS error instead of posting to the samlValidate URL? Thanks.


On 16/01/14 11:18, jleleu wrote:
Hi,

I'm talking about the CAS SLO: when calling /cas/logout, it should trigger
the destruction of the web session of your Shiro application.
To use SAML, you need to configure SAML on the Shiro application side by
using the *setValidationProtocol* method of the *CasRealm* object
(casRealm.validationProtocol = SAML).
Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
out-of-the-box in the CAS server (
https://wiki.jasig.org/display/CASUM/SAML+1.1).
Best regards,
Jérôme



2014/1/16 Eduardo J. Ortega U [via Shiro User] <[email protected]>

Hi, Jérôme:

Thanks for your reply. A couple of questions, though:

- When you say sign out should work, you mean I should call /logout from my app and it should log me out of CAS, or I should go to cas/logout and that should log me out of my application?
- How do I go about using the SAML validation? Is this something I should set up in Shiro? On CAS? Both? Can you point me to any docs / examples?

Thanks,


On 16/01/14 04:18, jleleu wrote:

Hi,

Regarding logout, I can't remember exactly if I did the test or someone
else, but I think it works. Did you try some debugging in the
SingleSignOutFilter?

To get the user's attributes, things are a little more complex:
- you need to retrieve the user's attributes inside the CAS server (should be what you did)
- define that you want to push these attributes for the CAS service representing the Shiro application (*allowedAttributes* or *ignore* parameter for this CAS service)
- use the SAML validation

And then, the user's attributes will be available as the second principal: https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162

Best regards,
Jérôme




2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>


Hi, all:

We are setting up our first Shiro enabled application with CAS authentication. Authentication seems to work fine, however, we have two issues:

- We want to have Single Sign Out, so that when a user signs out of CAS, he/she is signed out of CAS and therefore all apps. Currently, if I log out of the application (using Shiro's logout feature), and then try to access one of the protected pages, the browser gets redirected to CAS, which in turn validates and redirects to http://myhost/myapp/shiro-cas and then /shiro-cas redirects it to the requested URL of the application, so effectively the user is logged back in the application. Also, if the user logs out of CAS (visiting http://myhost/CAS/logout) their CAS session ends but the application session remains, so he / she can still access the protected areas. I set up the following on myapp web.xml:


<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

But it is not working. What am I missing?

- We want to access some of the user attributes from inside our application. I set up CAS properties to map the attributes, setting this on CAS deployerConfigContext.xml:

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
    <property name="requireAllQueryAttributes" value="true" />
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="uid" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
            <entry key="displayName" value="Name" />
            <entry key="distinguishedName" value="dn" />
        </map>
    </property>
</bean>
  And then access them from inside the Shiro application like this:

AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
Map attributes = principal.getAttributes();

But we get an error saying we cannot cast Request to AttributePrincipal. I
guess I am missing something here, too.

Any help is greatly appreciated.


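The cast in the first message fails because, behind Shiro's filter, request.getUserPrincipal() does not return the CAS client's AttributePrincipal; as Jérôme's reply notes, CasRealm stores the CAS user id as the first principal and the released attribute map as the second. The helper below is an added example, not code from the thread or from Shiro; it assumes Shiro 1.2.x, casRealm.validationProtocol = SAML as in the shiro.ini above, and a hypothetical class name.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;

// Added example (hypothetical class, not from the thread or from Shiro).
// Shiro's CasRealm builds the subject's PrincipalCollection as
// [userId, attributeMap], so attributes are read from the Subject,
// not by casting request.getUserPrincipal().
public final class CasPrincipalAttributes {

    private CasPrincipalAttributes() {}

    // First principal: the CAS user id, or null when nobody is authenticated.
    public static String userId() {
        Object primary = SecurityUtils.getSubject().getPrincipal();
        return primary == null ? null : primary.toString();
    }

    // Second principal: the attributes CAS released for this service.
    // With plain CAS 2.0 validation the map is empty; only SAML 1.1
    // validation carries attributes, which is why the thread switches to SAML.
    @SuppressWarnings("unchecked")
    public static Map<String, Object> attributes() {
        PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();
        if (principals == null) {
            return Collections.emptyMap();
        }
        Map<String, Object> attrs = principals.oneByType(Map.class);
        return attrs == null ? Collections.<String, Object>emptyMap() : attrs;
    }

    // One attribute by the name given in resultAttributeMapping, e.g. "Name".
    // Multi-valued LDAP attributes arrive as a List; the first value is returned.
    public static String attribute(String name) {
        Object value = attributes().get(name);
        if (value instanceof List) {
            List<?> values = (List<?>) value;
            return values.isEmpty() ? null : String.valueOf(values.get(0));
        }
        return value == null ? null : value.toString();
    }
}
```

Call `CasPrincipalAttributes.attribute("Name")` from a JSF bean or servlet after the casFilter has validated the ticket; an empty map means CAS released nothing for this service, so check the service's attribute release settings and the validation protocol before suspecting the application.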




  --
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
Sent from the Shiro User mailing list archive at Nabble.com.










