Thanks Matt,
Now is more clear, so I agree with you that CAS LDAP support is better but my
concern is that I want to keep my applications compliant
after switching from TOMCAT JNDIReal and SSO Valve to CAS server, then how can
i make the expected roles available to my application
in order to use the isInRole(string) method from the HttpServletRequest object?
Thanks
Inas> Date: Thu, 15 Jan 2009 17:54:39 -0500> From: m...@forsetti.com> To:
cas@tp.its.yale.edu> Subject: Re: CAS and LDAP and JAAS> > The CAS LDAP support
should be drastically better than the> JAASAuthenticationHandler using that
specific LDAP JAAS module. I> wrote the JAASAuthenticationHandler and>
edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some>
historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the>
JAASAuthenticationHandler to make it CAS-worthy, but the JAAS> LDAPLoginModule
has suffered from severe bit-rot and should be purged> from this plane of
existence.> > I'd recommend either using the stock CAS LDAP support, or the
more> popular (at least in the Shib community) Virginia Tech LDAPLoginModule>
http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support>
.> > -Matt> > > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen
<mezgh...@hotmail.com> wrote:> > Thanks Andrew> >> > Yes, all my applications
are role based autorization using JAAS framework> > inside strust, tiles and
taglibs.> >> > So my need is that I want to have a CAS server running let say
in W1 server> > site that authenticate against an ldap> > Using a CAS client,
my others applications that are running in W2, W3 and> > so one will
authenticate against a CAS Server in W1 and I need a JAAS> > subject to keep my
application's security (autorization and authentication)> > working.> >> >
thanks again> >> > Inas.> >> >> > ________________________________> > Date:
Thu, 15 Jan 2009 15:01:37 -0600> > Subject: Re: CAS and LDAP and JAAS> > From:
afel...@lsu.edu> > To: cas@tp.its.yale.edu> >> > Inas,> >> > Is there any
reason you are going through JAAS for LDAP authentication> > instead of using
the LDAP authentication handler?> >> > LDAP wiki entry:
http://www.ja-sig.org/wiki/display/CASUM/LDAP> > JAAS wiki entry:
http://www.ja-sig.org/wiki/display/CASUM/JAAS> >> > HTH,> > A-> >> > On 1/15/09
2:51 PM, "inas inassen" <mezgh...@hotmail.com> wrote:> >> >> >> > Hi all,> >> >
I'm trying to configure CAS to authenticate against an LDAP and my> >
applications are using JAAS as an Authentication and Autorization framework.>
>> > Everything work fine using Tomcat JNDIRealm> >> > My Tomcat JNDIRealm> >>
>> > <Realm className="org.apache.catalina.realm.JNDIRealm"> >
connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"> >
userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"> >
roleBase="ou=roles,ou=ait,o=b2b,dc=net"> > roleName="cn"> >
roleSearch="(uniqueMember={0})" />> >> >> > this is my jaas.conf file
(configured in> > -Djava.security.auth.login.config=jaas.conf)> >> >> > CAS {>
> edu.uconn.netid.jaas.LDAPLoginModule sufficient> >
java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"> >
java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"> >
java.naming.security.credentials="secret"> > Attribute="uid"> >
startTLS="true";> > };> >> >> > and this is my delpoyConfigContext file> >> >
<?xml version="1.0" encoding="UTF-8"?>> > <beans
xmlns="http://www.springframework.org/schema/beans"> >
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> >
xmlns:p="http://www.springframework.org/schema/p"> >
xsi:schemaLocation="http://www.springframework.org/schema/beans> >
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">> > <bean
id="authenticationManager"> >
class="org.jasig.cas.authentication.AuthenticationManagerImpl">> > <property
name="credentialsToPrincipalResolvers">> > <list>> > <bean> >
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
> />> > <bean> >
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver">
> />> > </list>> > </property>> > <property name="authenticationHandlers">> >
<list>> > <bean> >
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> p:httpClient-ref="httpClient" />> > <bean> >
class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
> />> > <bean
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">> > <property
name="filter" value="uid=%u" />> > <property name="searchBase"
value="ou=people,ou=ait,o=b2b,dc=net" />> > <property name="contextSource"
ref="contextSource" />> > </bean>> > </list>> > </property>> > </bean>> >> >
<bean id="userDetailsService"> >
class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">> >
<property name="userMap">> > <value></value>> > </property>> > </bean>> >> >
<bean id="attributeRepository"> >
class="org.jasig.services.persondir.support.StubPersonAttributeDao">> >
<property name="backingMap">> > <map>> > <entry key="uid" value="uid" />> >
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />> > <entry
key="groupMembership" value="groupMembership" />> > </map>> > </property>> >
</bean>> >> > <bean id="serviceRegistryDao"> >
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />> >> > <!--
LDAP context -->> > <bean id="contextSource"> >
class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">> >
<property name="pooled" value="true"/>> > <property name="urls">> > <list>> >
<value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>> > </list>> >
</property>> > <property name="userName"
value="cn=Manager,ou=ait,o=b2b,dc=net"/>> > <property name="password"
value="secret"/>> > <property name="baseEnvironmentProperties">> > <map>> >
<entry>> > <key>> > <value>java.naming.security.authentication</value>> >
</key>> > <value>simple</value>> > </entry>> >> > <entry>> > <key>> >
<value>ldap.initial.context.factory</value>> > </key>> >
<value>com.sun.jndi.ldap.LdapCtxFactory</value>> > </entry>> > </map>> >
</property>> > </bean>> >> > </beans>> >> >> > my ldap schema is> >> >
ou=ait,o=b2b,dc=net> > ou=people> > uid=user1> > uid=user2> > ou=roles> >
cn=role1> > uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net> > cn=role2>
> uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net> >> >> >> > when I try
to login I get a bad credential> >> > any help please?> >> > thanks a lot.> >>
> Mezghena.> >> >> > ________________________________> > Découvrez toutes les
possibilités de communication avec vos proches> >
<http://www.microsoft.com/windows/windowslive/default.aspx>> >> >
________________________________> > Découvrez tout ce que Windows Live a à vous
apporter !> > <http://www.microsoft.com/windows/windowslive/>> >
________________________________> >
_______________________________________________> > Yale CAS mailing list> >
cas@tp.its.yale.edu> > http://tp.its.yale.edu/mailman/listinfo/cas> >> > --> >
Andrew Feller, Analyst> > LSU University Information Services> > 200 Frey
Computing Services Center> > Baton Rouge, LA 70803> > Office: 225.578.3737> >
Fax: 225.578.6400> >> > ________________________________> > Découvrez toutes
les possibilités de communication avec vos proches> >
_______________________________________________> > Yale CAS mailing list> >
cas@tp.its.yale.edu> > http://tp.its.yale.edu/mailman/listinfo/cas> >> >> > > >
-- > m...@forsetti.com> Key ID:D6EEC5B5>
_______________________________________________> Yale CAS mailing list>
cas@tp.its.yale.edu> http://tp.its.yale.edu/mailman/listinfo/cas
_________________________________________________________________
Vous voulez savoir ce que vous pouvez faire avec le nouveau Windows Live ?
Lancez-vous !
http://www.microsoft.com/windows/windowslive/default.aspx
_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas