hello,

I have started from a working configuration with JAAS for my service.
Now I want to upgrade the configuration to get proxy tickets, because my
service needs to consume data from another service and therefore it needs
proxy tickets.

My working configuration looks like:
CAS server: avidius (Tomcat 7)
Service host: seat (JBoss EAP 6.1.1)
The class org.sis.portal.Apo2CasLoginModule is only a simple wrapper
around org.jasig.cas.client.jaas.CasLoginModule which adds a customer Principal
object to the list of principals after successful login (postCommit).

To get proxy tickets I've tried to change the ticketValidatorClass
from Saml11TicketValidator to Cas20ProxyTicketValidator and registered the
servlet Cas20ProxyReceivingTicketValidationFilter like below (in the
web.xml comment).
On the cas.war side I've disabled (p:requireSecure="false") the requirement of
a secure proxy-callback connection for the
HttpBasedServiceCredentialsAuthenticationHandler.

But now I get no attributes anymore; the response looks like:

19:02:28,484 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Placing URL parameters in map.
19:02:28,485 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Calling template URL attribute map.
19:02:28,485 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Loading custom parameters from configuration.
19:02:28,485 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Constructing validation url: https://avidius:8443/cas/proxyValidate?pgtUrl=http%3A%2F%2Fseat%3A8080%2Fapo2%2FproxyReceptorUrl&ticket=ST-23-DHXbhaJW6gvtUS6efrxL-avidius&service=http%3A%2F%2Fseat%3A8080%2Fapo2%2F
19:02:28,485 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Retrieving response from server.
19:02:28,503 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] (http-/0.0.0.0:8080-4) Server response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>404</cas:user>
        <cas:proxyGrantingTicket>PGTIOU-8-sG2vALPltIZfnltaTe90-avidius</cas:proxyGrantingTicket>
    </cas:authenticationSuccess>
</cas:serviceResponse>

With the Saml11TicketValidator it looks like:

19:14:58,415 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Placing URL parameters in map.
19:14:58,415 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Calling template URL attribute map.
19:14:58,415 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Loading custom parameters from configuration.
19:14:58,415 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Constructing validation url: https://avidius:8443/cas/samlValidate?TARGET=http%3A%2F%2Fseat%3A8080%2Fapo2%2F
19:14:58,416 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Retrieving response from server.
19:14:58,477 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Server response:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
        IssueInstant="2014-03-17T18:14:58.430Z" MajorVersion="1" MinorVersion="1"
        Recipient="http://seat:8080/apo2/"
        ResponseID="_90a4bab516223567f604fbbac3ec1571">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/>
      </saml1p:Status>
      <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
          AssertionID="_3c446eb18eeec67b590ebec3070b4f28"
          IssueInstant="2014-03-17T18:14:58.430Z" Issuer="localhost" MajorVersion="1"
          MinorVersion="1">
        <saml1:Conditions NotBefore="2014-03-17T18:14:58.430Z"
            NotOnOrAfter="2014-03-17T18:15:28.430Z">
          <saml1:AudienceRestrictionCondition>
            <saml1:Audience>http://seat:8080/apo2/</saml1:Audience>
          </saml1:AudienceRestrictionCondition>
        </saml1:Conditions>
        <saml1:AuthenticationStatement AuthenticationInstant="2014-03-17T18:14:58.368Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
          <saml1:Subject>
            <saml1:NameIdentifier>404</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier>404</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="memberOf"
              AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xs:string">AppVertriebspartner</saml1:AttributeValue>....(shortened)
19:14:58,649 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] (http-/0.0.0.0:8080-1) Current time is within the interval validity.


But I need the attributes to get the roles of the subject.

What's wrong here?

My current config:

web.xml:

<!-- Facilitates CAS single sign-out -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<context-param>
    <param-name>serverName</param-name>
    <param-value>http://seat:8080/</param-value>
</context-param>
<context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://avidius:8443/cas/login</param-value>
</context-param>

<!-- logout url, used in logout.jsp -->
<context-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://avidius:8443/cas/logout</param-value>
</context-param>

<!-- Following is needed only if CAS single-sign out is desired -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- proxy config test -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://avidius:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>proxyCallbackUrl</param-name>
        <param-value>http://seat:8080/apo2/proxyReceptorUrl</param-value>
    </init-param>
    <init-param>
        <param-name>proxyReceptorUrl</param-name>
        <param-value>/proxyReceptorUrl</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyReceptorUrl</url-pattern>
    <url-pattern>/proxyReceptorUrl/*</url-pattern>
</filter-mapping>

<!-- Only 2 CAS filters are required for JAAS support -->
<filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jaas.Servlet3AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>/index.jsp</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>authenticationRedirectStrategyClass</param-name>
        <param-value>org.jasig.cas.client.authentication.FacesCompatibleAuthenticationRedirectStrategy</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>/index.jsp</url-pattern>
</filter-mapping>

JBoss EAP 6 config (JAAS security domain):

<security-domain name="cas" cache-type="default">
    <authentication>
        <login-module code="org.sis.portal.Apo2CasLoginModule" flag="sufficient">
            <module-option name="principalClass" value="org.sis.apo2.portal.api.security.Apo2Principal"/>
            <module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"/>
            <module-option name="casServerUrlPrefix" value="https://avidius:8443/cas"/>
            <module-option name="proxyReceptorUrl" value="/proxyReceptorUrl"/>
            <module-option name="proxyCallbackUrl" value="http://seat:8080/apo2/proxyReceptorUrl"/>
            <module-option name="acceptAnyProxy" value="true"/>
            <module-option name="tolerance" value="20000"/>
            <module-option name="roleAttributeNames" value="memberOf"/>
            <module-option name="defaultRoles" value="abc"/>
            <module-option name="cacheAssertions" value="true"/>
            <module-option name="cacheTimeout" value="480"/>
        </login-module>
    </authentication>
</security-domain>

-- 
regards
msc
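A quick way to see what each validation endpoint actually hands back is to parse the raw "Server response" from the validator's DEBUG log and list the principal, PGT IOU, proxy chain and attributes it contains. The Python parser below is an added example, not code from the post above or from the Jasig CAS client. The CAS 2.0 `<cas:serviceResponse>` sample is the one logged by Cas20ProxyTicketValidator in the post; the SAML 1.1 sample is a constructed, completed version of the samlValidate response shown there (the post's copy is shortened), and the third sample is a constructed CAS protocol 3.0 response, which goes beyond the post in that it carries attributes inside a `<cas:attributes>` block. `roles_from_response` is an assumed approximation of how a JAAS login module configured with `roleAttributeNames=memberOf` and `defaultRoles=abc` would combine attribute values and defaults; it is not the CasLoginModule implementation. The proxy chain is reported because, with `acceptAnyProxy=true` as in the security domain above, the client no longer checks it against an allow-list, so the log is the only place an operator sees which services proxied the ticket.

```python
"""Diagnostic parser for CAS ticket-validation responses (added example)."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
SAML1P_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Sample 1: the CAS 2.0 /proxyValidate response quoted in the post (verbatim).
CAS20_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>404</cas:user>
<cas:proxyGrantingTicket>PGTIOU-8-sG2vALPltIZfnltaTe90-avidius</cas:proxyGrantingTicket>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Sample 2: constructed SAML 1.1 samlValidate response modelled on the post's
# (shortened) log output; IDs and the second memberOf value are made up.
SAML11_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2014-03-17T18:14:58.430Z" Recipient="http://seat:8080/apo2/" ResponseID="_constructed1">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed2"
 IssueInstant="2014-03-17T18:14:58.430Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
<saml1:AttributeStatement>
<saml1:Subject><saml1:NameIdentifier>404</saml1:NameIdentifier></saml1:Subject>
<saml1:Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>AppVertriebspartner</saml1:AttributeValue>
<saml1:AttributeValue>AppReporting</saml1:AttributeValue>
</saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Sample 3: constructed CAS protocol 3.0 response for a proxy ticket, with the
# attributes block and a proxy chain (service and ticket values are made up).
CAS30_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>404</cas:user>
<cas:attributes><cas:memberOf>AppVertriebspartner</cas:memberOf><cas:memberOf>AppReporting</cas:memberOf></cas:attributes>
<cas:proxies><cas:proxy>http://seat:8080/apo2/proxyReceptorUrl</cas:proxy></cas:proxies>
</cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_validation_response(xml_text):
    """Return {user, pgtiou, proxies, attributes} for a CAS 2.0/3.0 serviceResponse
    or a SAML 1.1 samlValidate envelope; raise ValueError on failure responses."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{CAS_NS}}}serviceResponse":
        return _parse_cas(root)
    if root.tag.endswith("}Envelope"):
        return _parse_saml11(root)
    raise ValueError(f"unrecognised validation response root: {root.tag}")


def _parse_cas(success_root):
    failure = success_root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise ValueError(f"CAS failure {failure.get('code')}: {(failure.text or '').strip()}")
    success = success_root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("serviceResponse without authenticationSuccess")
    pgtiou = success.findtext(f"{{{CAS_NS}}}proxyGrantingTicket")
    # <cas:proxies> is present only when a proxy ticket was validated.
    proxies = [p.text.strip() for p in success.iter(f"{{{CAS_NS}}}proxy") if p.text]
    # CAS 3.0 puts attributes under <cas:attributes>; a CAS 2.0 body has none.
    attributes = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    if attrs_el is not None:
        for child in attrs_el:
            attributes.setdefault(child.tag.split("}", 1)[-1], []).append((child.text or "").strip())
    return {"user": (success.findtext(f"{{{CAS_NS}}}user") or "").strip(),
            "pgtiou": pgtiou.strip() if pgtiou else None,
            "proxies": proxies, "attributes": attributes}


def _parse_saml11(root):
    status = root.find(f".//{{{SAML1P_NS}}}StatusCode")
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValueError("SAML status: %s" % (None if status is None else status.get("Value")))
    name_id = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    attributes = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(f"{{{SAML1_NS}}}AttributeValue")]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return {"user": (name_id.text or "").strip() if name_id is not None else "",
            "pgtiou": None,  # samlValidate returns no PGT IOU
            "proxies": [], "attributes": attributes}


def roles_from_response(xml_text, role_attribute="memberOf", default_roles=()):
    """Assumed approximation of roleAttributeNames + defaultRoles handling."""
    parsed = parse_validation_response(xml_text)
    return sorted(set(parsed["attributes"].get(role_attribute, [])) | set(default_roles))


if __name__ == "__main__":
    for label, xml in (("CAS 2.0", CAS20_RESPONSE), ("SAML 1.1", SAML11_RESPONSE),
                       ("CAS 3.0", CAS30_RESPONSE)):
        print(label, parse_validation_response(xml),
              "roles:", roles_from_response(xml, default_roles=("abc",)))
```

Run against the three samples, the CAS 2.0 body yields only the principal and PGT IOU with an empty attribute map, so a login module mapping `memberOf` to roles ends up with nothing but `defaultRoles`; the SAML 1.1 and CAS 3.0 bodies both yield the `memberOf` values.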
