Re: [cas-user] CAS with Active Directory
Yes. Eventually these will be on different machines but as of now, I have the web and DS apps on my machine.

I read the CAS and Spring Security documentation and made some changes to my configuration. The proxy ticket is always NULL. I am trying to get the proxy ticket with

    CasAuthenticationToken auth = (CasAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
    // Assertion comes from the CAS token populated by CasAuthenticationFilter
    Assertion assertion = auth.getAssertion();
    String serviceUrl = "https://localhost:8443/app-web/j_spring_cas_security_check";
    String proxyTicket = assertion.getPrincipal().getProxyTicketFor(serviceUrl);

but the error on the console is

    AttributePrincipalImpl.getProxyTicketFor(109) | No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.

The proxy url is already configured with the CasAuthenticationFilter: I haven't added any filters to the web.xml. I am not sure if this is causing any problem.

Regards
K

On 8/2/11 3:00 PM, Marvin Addison wrote:
>> 1. app-web : UI application WAR (maven+spring+gwt)
>> 2. app-ds: Data services WAR (maven+spring+hibernate)
>> 3. app-cas: Maven overlay war.
> Hopefully those are all on different hosts where SSO would be of benefit.
>
>> When the user logs into app-web and requests services from the app-ds,
>> app-ds throws an exception and wants the user to authenticate again.
> If app-ds is protected by CAS, this will not work without use of CAS
> proxy authentication. See http://www.jasig.org/cas/protocol for more
> information on the CAS 2 protocol with proxy support. In any case you
> should share the exception if after study and further work the problem
> persists.
>
>> I am adding the service ticket (ST-) to the query string before sending
>> post requests to the app-ds.
> CAS doesn't work that way. You really should study the protocol
> document or many other resources on the Web that provide a high-level
> overview of the CAS authentication workflow.
>
> M

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CAS with Active Directory
> 1. app-web : UI application WAR (maven+spring+gwt)
> 2. app-ds: Data services WAR (maven+spring+hibernate)
> 3. app-cas: Maven overlay war.

Hopefully those are all on different hosts where SSO would be of benefit.

> When the user logs into app-web and requests services from the app-ds,
> app-ds throws an exception and wants the user to authenticate again.

If app-ds is protected by CAS, this will not work without use of CAS proxy authentication. See http://www.jasig.org/cas/protocol for more information on the CAS 2 protocol with proxy support. In any case you should share the exception if after study and further work the problem persists.

> I am adding the service ticket (ST-) to the query string before sending
> post requests to the app-ds.

CAS doesn't work that way. You really should study the protocol document or many other resources on the Web that provide a high-level overview of the CAS authentication workflow.

M
[cas-user] ticket registry sql script for mysql?
Folks,

I am working on a HA multi-node CAS setup with a clustered MySQL for the ticket registry. I'm interested in hearing about experiences with this setup and if anyone has considered or implemented a simple SQL script to handle pruning of expired tickets rather than the DefaultTicketRegistryCleaner.

Thanks,
Bill
Re: [cas-user] SSO over 2 applications in same Tomcat
On 08/02/2011 03:43 AM, Scott Battaglia wrote:
> The only other thing that could prevent it is if you are rejecting
> cookies. Other than that I've never seen the CAS server not do SSO.

Making all web-apps https did it. Thanks

--
Roland Kofler
Software Architect
Free Software & Open Technologies
TIS innovation park
www.tis.bz.it
[cas-user] CAS with Active Directory
Hi

I am using CAS 3.4.8 with Spring Security 3.1.0.RC2. I am new to CAS and have some trouble understanding how I can use CAS for single sign-on across multiple applications. Here is my environment:

1. app-web : UI application WAR (maven+spring+gwt)
2. app-ds: Data services WAR (maven+spring+hibernate)
3. app-cas: Maven overlay war.
4. Active directory : Existing enterprise directory.

Additional information

a. I have made changes to deploymentConfigContext.xml, securityContext.xml in the app-cas and deployed on tomcat. I have confirmed that a user is able to sign in, services are configured and attributes from Active Directory are released correctly.
b. Individual applications (app-ds and app-web) are secured with Spring Security. I have confirmed that secure URLs and business services require the CAS login first and then redirect upon authentication.

*Problem*: When the user logs into app-web and requests services from the app-ds, app-ds throws an exception and wants the user to authenticate again. I am adding the service ticket (ST-) to the query string before sending post requests to the app-ds. Any calls to

    String proxyTicket = assertion.getPrincipal().getProxyTicketFor(serviceUrl);

return null, where serviceUrl = https://localhost:/app-web/j_spring_cas_security_check

I am not sure if I am using the SAML validator incorrectly. Using the Cas20TicketValidator does not return any attributes from Active Directory. Any help would be appreciated.

*Configuration*: Everything is standard configuration except for ticketValidator and UserDetailsService configuration. I am using SAML11TicketValidator else the AD attributes are not in the security context

    https://localhost:8443/app-cas"; />

c. Custom UserDetailsServiceImpl iterates over the assertion attributes