Hi Garey, answers inside

Quoting Garey Mills <[email protected]>:

> Christian -
>
>     One of my clients will be using proxy tickets. It is using the Java
> CAS filters for webapps from JASIG, and we plan to simply append the
> proxy ticket that we get when authorizing to the Geoserver URLs, so I
> would guess that it will reuse the proxy tickets. What would be the
> scenario(s) in which Geoserver would generate a 401 and how would we
> handle it.

I did some further investigations and had to open a ticket.
http://jira.codehaus.org/browse/GEOS-5293
The consequences are:

The client has to generate a proxy ticket for each request and you get a 401
error if the proxy ticket cannot be validated.

>
>     My other client will be a simple web browser using OpenLayers. So I
> think that the answer to 2 is that we want to cover the standard case.
> What will that entail?

This means that GeoServer has to create an HTTP session, see
http://jira.codehaus.org/browse/GEOS-5294.

>
>     As for my configuration, could I ask what the 'Service' field is
> for and what Geoserver expects as data for that field?

The service field is the URL to be protected. The proxy ticket/service  
ticket is sent to this URL. The problem with the URL  
http://host:port/geoserver is still pending, I have to investigate.

> Also, would you
> explain what the 'Role Source' field is used for?

For an authenticated user, the roles have to be calculated. The role  
source specifies how to do that.

- Fetch the roles from a user/group service
- Fetch the roles from a role/service
- Fetch the roles from an HTTP header attribute (must be filled by the client)

>
> Thanks;
>
> Garey

Hope that helped, but I fear there is some work left on my side.
Christian



>
> On 8/30/2012 2:01 AM, [email protected] wrote:
>> Hi Garey
>>
>> The configuration looks ok. My suspicion is the following. A URL like
>> http://localhost/geoserver is redirected to
>> http://localhost/geoserver/web and the request misses the
>> authentication filter. I will investigate on the weekend.
>>
>> Some facts I have to know about your scenario.
>>
>> 1) Do your clients reuse proxy granting tickets or do they send a
>> new ticket for each request? In the first case, the tickets are
>> cached by geoserver and the client has to be prepared for an HTTP 401
>> response (unauthorized). In the second case, each request causes
>> an HTTP request to the CAS server.
>>
>> 2) Do your clients resend standard granting tickets? This is not
>> the standard case, normally the CAS protocol works with HTTP
>> redirects and the client code does not see the ticket. I assume for
>> OpenLayers, the browser does this job for you. If you want to
>> cover the standard case, GeoServer has to create an HTTP session. Is
>> this what you want?
>>
>> Thanks
>> Christian.
>>
>>
>> Quoting Garey Mills <[email protected]>:
>>
>>> Christian -
>>>
>>>    I am trying to fill in the fields to configure CAS in Geoserver.
>>> When I save the configuration and move CAS up to the top in the filter
>>> list, I am not seeing any authentication behavior when I, for example,
>>> preview layers.
>>>
>>>    Here are the values I am entering
>>>
>>>        for 'CAS server URL including context root'    --> https://{our
>>> cas server}/cas
>>>        for 'Service'     --> I put in https://{our geoserver server,
>>> with https port and geoserver context root}. Should this have a WMS or
>>> WFS service name?
>>>
>>>        for 'Proxy callback URL'     --> https://{our geoserver server,
>>> with https port and geoserver context root}. Is this right?
>>>
>>>    All of the above 'test' okay, but I'm not sure what that means.
>>>
>>>        for 'Role source'     --> I chose 'Role service' and 'default'
>>> but I am not sure about this either.
>>>
>>>    Am I doing this right?
>>>
>>> Garey Mills
>>>
>>> On 8/29/2012 2:00 AM, [email protected] wrote:
>>>> Hi Garey
>>>>
>>>> This should work out of the box since the code uses the CAS 2.0 URI
>>>>
>>>> proxyValidate
>>>>
>>>> According to the spec, this URI does the same as serviceValidate
>>>> and validates proxy tickets additionally.
>>>>
>>>> I think there is no need to change your configuration. Please try
>>>> and inform me about the result.
>>>>
>>>> Christian
>>>>
>>>> Quoting Garey Mills <[email protected]>:
>>>>
>>>>> Christian -
>>>>>
>>>>>   I have another question. I am setting up a Geoserver to use CAS
>>>>> proxy tickets. But I also want to access the same layers in a protected
>>>>> manner from OpenLayers. As far as I can see, that would require regular
>>>>> CAS tickets. Can I use CAS proxy tickets and regular CAS tickets to
>>>>> access content in the same Geoserver?
>>>>>
>>>>> Garey
>>>>>
>>>>> On 6/26/2012 2:27 AM, [email protected] wrote:
>>>>>> Hi Garey
>>>>>>
>>>>>> I think we should stay on the user mailing list, this could be
>>>>>> of interest for other users too.
>>>>>>
>>>>>> Regular CAS tickets make sense if you want to
>>>>>> authenticate to the GeoServer GUI. The core code is already
>>>>>> finished but you cannot configure this scenario on the GUI.
>>>>>> At the moment I have to wait until 2.2.0 is released.
>>>>>>
>>>>>> CAS is the first Single Sign-On / Single Log-Out mechanism
>>>>>> introduced to GeoServer. I want to have an additional look at
>>>>>> OpenID and OAuth to find the best solution for GUI integration.
>>>>>>
>>>>>> To answer your question, yes, there will be support for regular
>>>>>> CAS tickets, but I cannot tell you a point in time at this
>>>>>> moment.
>>>>>>
>>>>>> Christian
>>>>>>
>>>>>>
>>>>>>
>>>>>> Quoting [email protected]:
>>>>>>
>>>>>>> Thank you Christian.
>>>>>>>
>>>>>>>  I do have another question. Will Geoserver be able to handle regular
>>>>>>> CAS tickets, and not just proxy tickets?
>>>>>>>
>>>>>>> Garey
>>>>>>>
>>>>>>>> Hi Garey
>>>>>>>>
>>>>>>>> Yes, the changes are in trunk. I think the 2.2.0 RC-1 will appear
>>>>>>>> during next week, the team is currently working on it.
>>>>>>>>
>>>>>>>> Since the security subsystem is brand new for 2.2.x, I am still
>>>>>>>> working on the documentation. There will be a tutorial on how to
>>>>>>>> configure digest authentication, CAS proxy auth is pretty
>>>>>>>> much the same.
>>>>>>>>
>>>>>>>> Christian
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Quoting Garey Mills <[email protected]>:
>>>>>>>>
>>>>>>>>> Christian -
>>>>>>>>>
>>>>>>>>>  And I guess that I should also ask: are these changes in trunk?
>>>>>>>>>
>>>>>>>>> Garey
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 6/22/2012 12:52 AM, [email protected] wrote:
>>>>>>>>>> Hi Garey
>>>>>>>>>>
>>>>>>>>>> There will be a Geoserver version 2.2.0-RC1 soon. I do not know
>>>>>>>>>> about your CAS architecture, but if you can manage to send CAS
>>>>>>>>>> proxy tickets to Geoserver OGC services, this will work.
>>>>>>>>>>
>>>>>>>>>> If you want to log in to the Geoserver GUI using CAS, work is
>>>>>>>>>> still in progress. The authentication filter is there but GUI
>>>>>>>>>> integration is still missing.
>>>>>>>>>>
>>>>>>>>>> Which kind of CAS tickets do you use?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Quoting garey <[email protected]>:
>>>>>>>>>>
>>>>>>>>>>> Christian -
>>>>>>>>>>>
>>>>>>>>>>>   Did you get any further with integrating CAS and Geoserver?
>>>>>>>>>>>
>>>>>>>>>>> Garey Mills
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Geoserver-users mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------------------------------
>>>>>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Garey Mills
>>>>>>>>> Library Systems Office
>>>>>>>>> UC Berkeley
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> -- 
>>>>> Garey Mills
>>>>> Library Systems Office
>>>>> UC Berkeley
>>>>>
>>>>>
>>>>
>>>
>>> -- 
>>> Garey Mills
>>> Library Systems Office
>>> UC Berkeley
>>>
>>>
>>
>
> -- 
> Garey Mills
> Library Systems Office
> UC Berkeley
>
>



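
Added example (not part of the original thread and not GeoServer code): a constructed, in-memory stand-in for a CAS server shows why a proxy ticket has to be fetched for every request when the protected service keeps no HTTP session. CAS tickets are good for one validation attempt and are bound to the service URL, so a resent ticket or a mismatched 'Service' value fails at proxyValidate and the endpoint answers 401. StubCas, handle_request, the example.org URLs and the user name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace
WRAP = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">{}</cas:serviceResponse>'
OK = WRAP.format('<cas:authenticationSuccess><cas:user>{user}</cas:user><cas:proxies>'
    '<cas:proxy>https://app.example.org/proxyCallback</cas:proxy></cas:proxies></cas:authenticationSuccess>')
FAIL = WRAP.format('<cas:authenticationFailure code="{code}">rejected</cas:authenticationFailure>')

class StubCas:  # constructed stand-in; a real deployment asks the CAS server over HTTPS
    def __init__(self):
        self.issued, self.count = {}, 0
    def issue_proxy_ticket(self, user, service):
        self.count += 1
        ticket = f"PT-{self.count}-constructed"
        self.issued[ticket] = (user, service)
        return ticket
    def proxy_validate(self, service, ticket):
        entry = self.issued.pop(ticket, None)  # one validation attempt consumes the ticket
        if entry is None:
            return FAIL.format(code="INVALID_TICKET")
        if entry[1] != service:                # ticket was issued for another service URL
            return FAIL.format(code="INVALID_SERVICE")
        return OK.format(user=entry[0])

def parse_proxy_validate(xml_text):
    """Return (user, proxy chain) or raise ValueError carrying the CAS failure code."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", NS)
        raise ValueError(failure.get("code") if failure is not None else "MALFORMED")
    user = success.findtext("cas:user", namespaces=NS)
    return user, [p.text for p in success.findall("cas:proxies/cas:proxy", NS)]

def handle_request(cas, service, ticket):
    """Session-less protected endpoint: the ticket is validated on every request."""
    try:
        user, _proxies = parse_proxy_validate(cas.proxy_validate(service, ticket))
    except ValueError as err:
        return 401, str(err)
    return 200, user

def demo():
    cas, service = StubCas(), "https://gis.example.org/geoserver/wms"
    ticket = cas.issue_proxy_ticket("alice", service)
    first = handle_request(cas, service, ticket)
    replay = handle_request(cas, service, ticket)  # same ticket sent a second time
    fresh = handle_request(cas, service, cas.issue_proxy_ticket("alice", service))
    wrong = handle_request(cas, service + "/other", cas.issue_proxy_ticket("alice", service))
    return first, replay, fresh, wrong
```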