On 09/09/2013 19:27, Tom Mendenhall wrote:
I am not able to utilize SPNEGO with CAS (3.4.n/3.5.n). Computers/mobile devices 
not configured for SPNEGO or outside AD are not redirected to the fallback 
login form page. I get a 401 error page instead.

I have been able to make it work in a dev cluster by creating a custom 
user-agent string and adding the string to 
SpnegoNegociateCredentialsAction.java.

public void afterPropertiesSet() throws Exception {
    // Replace the default browser list with a single entry, so only clients
    // sending the custom user-agent string are challenged with Negotiate
    if (this.supportedBrowser == null) {
        this.supportedBrowser = new ArrayList<String>();
        this.supportedBrowser.add("my-custom-string");
    }
}

Desktop support does not want to modify user-agent string in GPO because of the 
multiple browsers on each computer. Also every browser update resets the 
user-agent string.

List of related SPNEGO problems.
https://issues.jasig.org/browse/CAS/component/10340

Questions.
Is there anyone using SPNEGO in a production environment?
Yes, for a year now: two nodes clustered behind apache + mod_jk.
Did you make any modifications to the CAS source code?
Yes, as stated in my comment on https://issues.jasig.org/browse/CAS-1166: I've modified SpnegoNegociateCredentialsAction.java to return a new transition "negotiate" when the 401 status is sent back to the browser.

But our use case is different: SPNEGO is only used inside our hospital; access from outside is done via the standard login page. I've identified three use cases of SPNEGO:

Kerberized computer with properly configured browser:
- works out of the box with directions from the CASUM page.

Non-kerberized computer with properly configured browser:
- triggers SPNEGO each time, although the first "blank ticket" has been sent by the browser; a little annoyance that can be easily mitigated by modifying login-webflow.

Any computer with misconfigured browser:
- shows a customized error page, not the login/password page. Achieved by modifying the SpnegoNegociateCredentialsAction class and login-webflow.

If so could you share your documentation?

I am wondering if adding a cas entry to the local /etc/hosts file on AD 
computers that would redirect the browsers to SPNEGO-only host(s) in a 
cluster would work, using maybe an LB rewrite rule?

Thanks,
Tom

Rgds.

--
Philippe MARASSE

Infrastructure Division - Information Systems and Organization Directorate
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
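Added here as an illustration, not code from CAS or from either poster: a standalone Java model of the decision SpnegoNegociateCredentialsAction has to make for the three cases listed above, and of the "negotiate" transition described in the reply. The supported-browser list and the Transition/Response names are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Maps (User-Agent, Authorization) to the response the login webflow should
 * produce. Constructed example; CAS keeps its own configurable browser list.
 */
public class SpnegoDecision {

    /** Which webflow transition the action returns (names are illustrative). */
    public enum Transition { LOGIN_FORM, NEGOTIATE, AUTHENTICATE }

    /** Minimal stand-in for the HTTP response the action shapes. */
    public static final class Response {
        public final int status;
        public final String wwwAuthenticate; // null when no challenge is sent
        public final Transition next;
        Response(int status, String wwwAuthenticate, Transition next) {
            this.status = status; this.wwwAuthenticate = wwwAuthenticate; this.next = next;
        }
    }

    // User-Agent fragments treated as SPNEGO-capable (constructed list; the
    // thread's "my-custom-string" is included to mirror Tom's modification).
    private static final List<String> SUPPORTED = Arrays.asList("MSIE", "Firefox", "my-custom-string");
    private static final String NEGOTIATE_PREFIX = "Negotiate ";

    public static Response decide(String userAgent, String authorization) {
        // Client not on the list: never challenge it, show the normal login form.
        if (userAgent == null || !SUPPORTED.stream().anyMatch(userAgent::contains)) {
            return new Response(200, null, Transition.LOGIN_FORM);
        }
        // A Negotiate token arrived: hand it to the SPNEGO authentication handler.
        if (authorization != null && authorization.startsWith(NEGOTIATE_PREFIX)
                && authorization.length() > NEGOTIATE_PREFIX.length()) {
            return new Response(200, null, Transition.AUTHENTICATE);
        }
        // No token yet: challenge. Instead of ending the flow with an empty 401
        // body, return a "negotiate" transition so the 401 carries a real view.
        // Capable browsers ignore the body and retry with a token; misconfigured
        // ones see the instructions page instead of a bare error.
        return new Response(401, "Negotiate", Transition.NEGOTIATE);
    }

    public static void main(String[] args) {
        System.out.println(decide("Mozilla/5.0 (X11; Linux) Firefox/23.0", null).next);
        System.out.println(decide("Mozilla/5.0 (X11; Linux) Firefox/23.0", "Negotiate YIIB...").next);
        System.out.println(decide("Some/1.0 mobile client", null).next);
    }
}
```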

