CAS's LDAP implementation doesn't use the UserDetailsService. If you are referring to the UserDetailsService in the deployerConfigContext.xml in newer versions of CAS (i.e. 3.1.1), it's related to the fact that our Services Management tool is secured using Acegi/Spring Security. -Scott
On Dec 18, 2007 1:20 PM, auron <[EMAIL PROTECTED]> wrote:

> hi Scott -
>
> Thanks for the reply, it has helped me to understand better how CAS works. I
> went ahead and removed the CasAuthenticationHandler and kept my
> BindLdapAuthenticationHandler. One more question - what is the purpose of
> userDetailsService when using LDAP? Is there something significant I should
> put in the <userMap> property of userDetailsService?
>
> Thanks again,
> Jin
>
>
> scott_battaglia wrote:
> >
> > Jin,
> >
> > What that statement means is that if you have an already existing CAS
> > server, you can continue to use that configuration (which includes your LDAP
> > configuration). If on the other hand, you have existing applications
> > secured using Acegi (but have never deployed a CAS server before), you can
> > utilize the CasAuthenticationHandler, which allows the CAS server to
> > understand an Acegi configuration (you would then modify all of your
> > application's Acegi configuration to utilize CAS).
> >
> > CasAuthenticationHandler is an artifact of the Acegi project and has no
> > relation to the CAS Server product (which is why you'll see that they are
> > not configured similarly).
> >
> > -Scott
> >
> > On Dec 17, 2007 12:42 PM, Jin Lee <[EMAIL PROTECTED]> wrote:
> >
> >> Hi all -
> >>
> >> I am trying to understand the various AuthenticationHandlers in both CAS
> >> and LDAP and was wondering if you guys could give me a hand..
> >>
> >> I am currently trying to set up CAS with various open source products such
> >> as JasperServer, jTrac, and a custom in-house CMS, which all use Acegi as
> >> their authorization client. For the most part I have followed the Acegi CAS
> >> guide at http://www.acegisecurity.org/guide/springsecurity.html#cas
> >>
> >> In the guide there is the following excerpt:
> >>
> >> "If you are already running an existing CAS 3.0 server instance, you will
> >> have already established an AuthenticationHandler. If you do not already
> >> have an AuthenticationHandler, you might prefer to use Acegi Security
> >> CasAuthenticationHandler class. This class delegates through to the
> >> standard Acegi Security AuthenticationManager, enabling you to use a
> >> security configuration you might already have in place. You do not need to
> >> use the CasAuthenticationHandler class on your CAS server if you do not
> >> wish. Acegi Security will function as a CAS client successfully irrespective
> >> of the AuthenticationHandler you've chosen for your CAS server."
> >>
> >> I currently have a BindLdapAuthenticationHandler that is authenticating
> >> against my LDAP server and everything is running fine on that end, so I am
> >> assuming that I do not need the CasAuthenticationHandler. The part that I am
> >> confused on is that the CasAuthenticationHandler also requires an
> >> authenticationProvider, whereas the BindLdap does not. It seems almost
> >> circular. It is difficult to explain so I will also post the
> >> deployerConfigContext below. Right now Firefox is giving me a "Firefox has
> >> detected that the server is redirecting the request for this address in a
> >> way that will never complete." and I believe this is related to it.
> >>
> >> Here is my xml:
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>        xmlns:p="http://www.springframework.org/schema/p"
> >>        xsi:schemaLocation="http://www.springframework.org/schema/beans
> >>        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> >>     <bean id="authenticationManager"
> >>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >>         <property name="credentialsToPrincipalResolvers">
> >>             <list>
> >>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >>             </list>
> >>         </property>
> >>         <property name="authenticationHandlers">
> >>             <list>
> >>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> >>                     <property name="httpClient" ref="httpClient" />
> >>                 </bean>
> >>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >>                     <property name="filter" value="sAMAccountName=%u"/>
> >>                     <property name="searchBase" value="ou=ACPASP-Users,dc=ACPASP,dc=ucsd,dc=edu"/>
> >>                     <property name="contextSource" ref="contextSource"/>
> >>                 </bean>
> >>
> >>                 <!-- not sure whether I need this or not - it asks for an
> >>                      authenticationManager, so do we reference a new acegiAuthManager or the one
> >>                      we are currently in?
> >>                 <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
> >>                     <property name="authenticationManager" ref="acegiAuthenticationManager" />
> >>                 </bean>
> >>                 -->
> >>             </list>
> >>         </property>
> >>     </bean>
> >>
> >>     <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> >>         <property name="anonymousReadOnly" value="false" />
> >>         <property name="pooled" value="true" />
> >>         <property name="urls">
> >>             <list>
> >>                 <value>[deleted]</value>
> >>             </list>
> >>         </property>
> >>         <property name="userName" value="[deleted]"/>
> >>         <property name="password" value="[deleted]" />
> >>         <property name="baseEnvironmentProperties">
> >>             <map>
> >>                 <!--
> >>                 <entry>
> >>                     <key><value>java.naming.security.protocol</value></key>
> >>                     <value>ssl</value>
> >>                 </entry>
> >>                 -->
> >>                 <entry>
> >>                     <key><value>java.naming.security.authentication</value></key>
> >>                     <value>simple</value>
> >>                 </entry>
> >>             </map>
> >>         </property>
> >>     </bean>
> >>
> >>     <!--
> >>     What do we need userDetailsService for? acegiAuthenticationManager
> >>     requires it but what if we only use the BindLdapAuthHandler?
> >>     -->
> >>     <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
> >>         <property name="userMap">
> >>             <value>
> >>                 marissa=koala,ROLES_IGNORED_BY_CAS
> >>                 dianne=emu,ROLES_IGNORED_BY_CAS
> >>                 scott=wombat,ROLES_IGNORED_BY_CAS
> >>                 peter=opal,disabled,ROLES_IGNORED_BY_CAS
> >>             </value>
> >>         </property>
> >>     </bean>
> >>     <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
> >>         <property name="userDetailsService"><ref bean="userDetailsService"/></property>
> >>     </bean>
> >>
> >>     <!--
> >>     Bean that defines the attributes that a service may return. This
> >>     example uses the Stub/Mock version. A real implementation
> >>     may go against a database or LDAP server. The id should remain
> >>     "attributeRepository" though.
> >>     -->
> >>     <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> >>         <property name="backingMap">
> >>             <map>
> >>                 <entry key="uid" value="uid" />
> >>             </map>
> >>         </property>
> >>     </bean>
> >>
> >>     <!--
> >>     Sample, in-memory data store for the ServiceRegistry. A real implementation
> >>     would probably want to replace this with the JPA-backed ServiceRegistry DAO.
> >>     The name of this bean should remain "serviceRegistryDao".
> >>     -->
> >>     <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> >>
> >>     <!-- Not sure if we need this or not
> >>     <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
> >>         <property name="providers">
> >>             <list>
> >>                 <ref bean="daoAuthenticationProvider"/>
> >>             </list>
> >>         </property>
> >>     </bean>
> >>     -->
> >> </beans>
> >>
> >>
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas@tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> >
> >
> > --
> > -Scott Battaglia
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> --
> View this message in context:
> http://www.nabble.com/CAS---difference-between-BindLdapAuthenticationHandler-and-CasAuthenticationHandler-tp14381549p14402569.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia