Hi everyone!

I am trying to install a CAS Server on OpenKM. I am currently able to
log on to OpenKM, but every user is connected under the default role set up
in login-config.xml and not under the role defined in the OpenKM
database. (e.g. if the field "defaultRoles" is set to UserRole, the
admin is logged in under the name "admin" but he has the same rights as a
simple user, and doesn't have any access to the admin settings...)

Here is my server/default/conf/login-config.xml file:
[code]
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://***.***.***.***:8443/cas</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="service">https://***.***.***.***:8443/OpenKM</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">groupMembership</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
[/code]

I already tried without the line containing "defaultRoles" but it
doesn't allow me to log in (error 503).


And the server.log shows that the CAS client can't retrieve info from the
OpenKM server (bad initialization of the ticketValidator?):
[code]
 2012-06-07 11:48:20,374 DEBUG
[org.jasig.cas.client.validation.Saml11TicketValidator] Server response:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2012-06-07T09:48:20.371Z" MajorVersion="1"
MinorVersion="1" Recipient="https://***.***.***.***:8443/OpenKM"
ResponseID="_aad0748e4b63949a81f442933a0128d8"><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_e7c4c2ed2063d1126e5f622155cd0cae"
IssueInstant="2012-06-07T09:48:20.371Z" Issuer="localhost"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2012-06-07T09:48:20.371Z"
NotOnOrAfter="2012-06-07T09:48:50.371Z"><AudienceRestrictionCondition><Audience>https://***.***.***.***:8443/OpenKM</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2012-06-07T09:48:11.454Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>admin</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
 2012-06-07 11:48:20,375 INFO [org.jasig.cas.client.jaas.CasLoginModule]
Login succeeded.
 2012-06-07 11:48:20,375 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Created JAAS subject with
principals: [admin, CallerPrincipal: [admin], Roles: [UserRole]]
 2012-06-07 11:48:20,375 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Caching assertion for
principal admin
 2012-06-07 11:48:20,375 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Performing logout.
 2012-06-07 11:48:20,376 INFO [org.jasig.cas.client.jaas.CasLoginModule]
Logout succeeded.
 2012-06-07 11:48:20,376 DEBUG
[org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter]
Installing CAS assertion into session.
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set
ticketValidatorClass=org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set roleGroupName=Roles
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set defaultRoles=[UserRole]
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set
service=https://***.***.***.***:8443/OpenKM
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set
principalGroupName=CallerPrincipal
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set cacheAssertions=true
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set
roleAttributeNames=[groupMembership]
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set cacheTimeout=480
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Cleaning assertion cache of
size 3
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property ticketValidatorClass
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property ticketValidatorClass on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property roleGroupName
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property roleGroupName on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property jboss.security.security_domain
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property jboss.security.security_domain on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property defaultRoles
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property defaultRoles on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property tolerance
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Set tolerance=20000
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property service
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property service on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property principalGroupName
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property principalGroupName on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property cacheAssertions
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property cacheAssertions on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property roleAttributeNames
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property roleAttributeNames on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Attempting to set
TicketValidator property cacheTimeout
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule]
Cannot find property cacheTimeout on
org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG
[org.jasig.cas.client.jaas.CasLoginModule] Performing login.
 2012-06-07 11:48:20,418 INFO [org.jasig.cas.client.jaas.CasLoginModule]
Login failed due to unsupported callback:
javax.security.auth.callback.UnsupportedCallbackException
[/code]

I already put the 2 cas-client .jars into the WEB-INF/lib folder, as
described here:
[url]http://wiki.openkm.com/index.php/Central_Authentication_Service[/url]

And for more details, my web.xml:
[code]
<context-param>
  <param-name>service</param-name>
  <param-value>https://***.***.***.***:8443/OpenKM</param-value>
</context-param>
<context-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>https://***.***.***.***:8443/cas/login</param-value>
</context-param>

<filter>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
  <filter-name>CASAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CASAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
[/code]

How can we log a CAS user in under the role he is actually registered with in
OpenKM, and what is possibly wrong or missing in my files?

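A diagnostic for the symptom in this thread, added here as an example and not code from the original post or from the Jasig CAS client: it parses a SAML 1.1 validation response like the one in the log, checks the Conditions window against the configured clock-skew tolerance, and derives the roles the way I read CasLoginModule's roleAttributeNames / defaultRoles options (that derivation and the host openkm.example are assumptions). On the logged response, which carries an AuthenticationStatement but no AttributeStatement, the only possible outcome is the defaultRoles value, whatever the OpenKM database says.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# Constructed sample (hypothetical host) trimmed from the logged response:
# an AuthenticationStatement only, no AttributeStatement, so no groupMembership.
RESPONSE_NO_ATTRS = f"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="{SAMLP}" MajorVersion="1"
MinorVersion="1"><Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="{SAML}" Issuer="localhost" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2012-06-07T09:48:20.371Z" NotOnOrAfter="2012-06-07T09:48:50.371Z">
<AudienceRestrictionCondition><Audience>https://openkm.example:8443/OpenKM</Audience>
</AudienceRestrictionCondition></Conditions>
<AuthenticationStatement AuthenticationInstant="2012-06-07T09:48:11.454Z">
<Subject><NameIdentifier>admin</NameIdentifier></Subject></AuthenticationStatement>
</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# The same response with the AttributeStatement a CAS server adds once attribute
# release is enabled for the service (constructed role values).
ATTR_STATEMENT = """<AttributeStatement><Subject><NameIdentifier>admin</NameIdentifier></Subject>
<Attribute AttributeName="groupMembership" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<AttributeValue>AdminRole</AttributeValue><AttributeValue>UserRole</AttributeValue>
</Attribute></AttributeStatement>"""
RESPONSE_WITH_ATTRS = RESPONSE_NO_ATTRS.replace("</Assertion>", ATTR_STATEMENT + "</Assertion>")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def assertion_valid_at(xml_text, now, tolerance_ms):
    """Conditions window check with the client's clock-skew tolerance (ms)."""
    cond = ET.fromstring(xml_text).find(f".//{{{SAML}}}Conditions")
    tol = timedelta(milliseconds=tolerance_ms)
    return parse_ts(cond.get("NotBefore")) - tol <= now < parse_ts(cond.get("NotOnOrAfter")) + tol


def roles_from_saml11(xml_text, role_attribute_names, default_roles):
    """Approximate CasLoginModule's role derivation (assumption, not its code): values
    of a configured roleAttributeNames attribute become the roles, else defaultRoles."""
    root = ET.fromstring(xml_text)
    code = root.find(f".//{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("SAML response status is not Success")
    assertion = root.find(f".//{{{SAML}}}Assertion")
    principal = assertion.findtext(f".//{{{SAML}}}NameIdentifier")
    roles = []
    for attr in assertion.iterfind(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        if attr.get("AttributeName") in role_attribute_names:
            roles.extend(v.text for v in attr.iterfind(f"{{{SAML}}}AttributeValue"))
    return principal, (roles or list(default_roles))
```

Run it against a real server.log response (paste it in place of the constructed sample) to see whether the CAS server releases the groupMembership attribute at all; if it does not, no login-config.xml option on the OpenKM side can produce anything other than defaultRoles.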