On Tuesday, 18 March 2014, Markus Schulz wrote:
> okay,
> I've found out that the CAS protocol doesn't support attributes by
> default (CAS-738).
>
> But how can I get proxy tickets with the SamlValidator (I need proxy
> tickets and attributes)?
okay, I've made some progress:
to get attributes from the CAS 2 protocol I added them to the protocol in
casServiceValidationSuccess.jsp with:
<c:if test="${fn:length(assertion.chainedAuthentications) > 0}">
    <cas:attributes>
        <c:forEach var="auth"
                   items="${assertion.chainedAuthentications}">
            <c:forEach var="attr"
                       items="${auth.principal.attributes}">
                <c:forEach var="val" items="${attr.value}">
                    <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(val)}</cas:${fn:escapeXml(attr.key)}>
                </c:forEach>
            </c:forEach>
        </c:forEach>
    </cas:attributes>
</c:if>
The inner c:forEach needs to check whether attr.value is a list or not, but
that's a todo on my list.
Next problem: the ticketValidator instance created by CasLoginModule needs to
share the same ProxyGrantingTicketStorage instance as the
proxy ticket receiver (previously I used the
Cas20ProxyReceivingTicketValidationFilter
to receive the ticket).
I found no configuration option to share the same instance of
ProxyGrantingTicketStorage between the proxy-ticket receiver and CasLoginModule.
Therefore I've chosen another way:
I removed the usage of Cas20ProxyReceivingTicketValidationFilter from web.xml
(ticket validation is executed by CasLoginModule) and created a
simple servlet as proxy ticket receiver like:
<servlet>
    <servlet-name>CasProxyTicketReceiver</servlet-name>
    <servlet-class>org.sis.portal.authn.CasProxyTicketReceiver</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>CasProxyTicketReceiver</servlet-name>
    <url-pattern>/proxyReceptorUrl</url-pattern>
</servlet-mapping>
package org.sis.portal.authn;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.CommonUtils;

/** Proxy receptor endpoint: the CAS server calls back here with pgtIou/pgtId. */
public class CasProxyTicketReceiver extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        fetchTicket(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        fetchTicket(req, resp);
    }

    void fetchTicket(HttpServletRequest req, HttpServletResponse resp) {
        try {
            // stores the pgtIou -> pgtId mapping in the storage shared with the login module
            CommonUtils.readAndRespondToProxyReceptorRequest(req, resp,
                    Apo2CasLoginModule.getProxyGrantingTicketStorage());
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }
}
The shared proxy-ticket storage is taken from the static
Apo2CasLoginModule.getProxyGrantingTicketStorage().
My login module looks like:
package org.sis.portal.authn;

import org.jasig.cas.client.jaas.CasLoginModule;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;

public class Apo2CasLoginModule extends CasLoginModule {

    // one storage instance per JVM, shared with CasProxyTicketReceiver
    static final ProxyGrantingTicketStorageImpl proxyGrantingTicketStorage
            = new ProxyGrantingTicketStorageImpl();

    @Override
    protected boolean preLogin() {
        // The ugly initialization of setProxyGrantingTicketStorage works around a bug
        // in the Cas20ServiceTicketValidator that I've reported under CASC-222.
        if (ticketValidator instanceof Cas20ProxyTicketValidator) {
            ((Cas20ProxyTicketValidator) ticketValidator)
                    .setProxyGrantingTicketStorage(proxyGrantingTicketStorage);
        }
        return super.preLogin();
    }

    public static ProxyGrantingTicketStorageImpl getProxyGrantingTicketStorage() {
        return proxyGrantingTicketStorage;
    }
}
This way the proxy-ticket-receiver servlet shares the same proxy-storage
instance as the CasLoginModule, and I finally got my PGT and can create
service proxy tickets from the AttributePrincipal object.
It looks like a dirty hack, but I see no other way to get proxy support with
JAAS LoginModules.
Any suggestions or possible problems/security leaks in my solution?
regards,
msc
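Added example (editor's code, not from Markus Schulz's message or the CAS client project): a plain Java class that renders a principal's attribute map as the cas:attributes block the JSP above emits, handling both single values and multi-valued attributes (the list-or-not check the JSP leaves as a todo). Because attribute keys become XML element names, it also rejects keys that are not a conservative NCName subset instead of emitting a malformed element. The class name CasAttributeRenderer, the hand-written escapeXml (standing in for JSTL's fn:escapeXml so the code runs outside a servlet container) and the sample attributes in main are constructed for this example.

```java
import java.lang.reflect.Array;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

/** Renders principal attributes as a CAS 2.0 <cas:attributes> element (added example). */
public class CasAttributeRenderer {

    /** Escapes the XML special characters, matching what fn:escapeXml does in the JSP. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Attribute keys become element names, so only a conservative NCName subset is allowed. */
    static boolean isValidElementName(String name) {
        return name != null && name.matches("[A-Za-z_][A-Za-z0-9_.-]*");
    }

    /** Emits one <cas:name>value</cas:name> element. */
    static void appendValue(StringBuilder out, String name, Object value) {
        out.append("    <cas:").append(name).append('>')
           .append(escapeXml(String.valueOf(value)))
           .append("</cas:").append(name).append(">\n");
    }

    /** Returns the <cas:attributes> block, or "" when there are no attributes (like the c:if guard). */
    public static String render(Map<String, Object> attributes) {
        if (attributes == null || attributes.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        out.append("  <cas:attributes>\n");
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            String name = e.getKey();
            Object value = e.getValue();
            if (!isValidElementName(name) || value == null) {
                continue;   // skip rather than emit an invalid element name or an empty value
            }
            if (value instanceof Collection) {
                // multi-valued attribute: one element per value
                for (Object item : (Collection<?>) value) {
                    appendValue(out, name, item);
                }
            } else if (value.getClass().isArray()) {
                // arrays (including primitive arrays) are handled via reflection
                int len = Array.getLength(value);
                for (int i = 0; i < len; i++) {
                    appendValue(out, name, Array.get(value, i));
                }
            } else {
                // single-valued attribute
                appendValue(out, name, value);
            }
        }
        out.append("  </cas:attributes>\n");
        return out.toString();
    }

    public static void main(String[] args) {
        // constructed sample attributes, as a CAS principal might carry them
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("mail", "user@example.org");
        attrs.put("memberOf", Arrays.asList("staff", "it<ops>"));
        attrs.put("bad name!", "never emitted");
        System.out.print(render(attrs));
    }
}
```

Running main prints a mail element, two memberOf elements (the second with the angle brackets escaped as &lt;ops&gt;) and nothing for the key containing a space, which the JSP would have written into the element name unchanged.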
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user