[cas-user] Reading cas.properties file from login-webflow
Problem: I have a URL in cas.properties file and I want to read it from within the login-webflow.xml and pass that value to some bean (java file). CAS server version 3.4.10 My login-webflow begins with: http://www.springframework.org/schema/context"; http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd";> //- Those two lines should have allowed (that's what I thought) me to use the following: But no, not so fast. I get this error: // cvc-complex-type.2.4.a: Invalid content was found starting with element 'context:property-placeholder'. One of '{"http://www.springframework.org/schema/webflow":action-state, "http://www.springframework.org/schema/webflow":view-state, . // Inside one of the "action-states", I have this piece of code: In my cas.properties file, I have this code: parentCASUrl=https://parent1.com I want to keep all my values like DB connection strings, user name, passwords, URLs of different servers, etc, in a separate (=cas.properties) file, and read it from within program. Can someone give me some pointers? Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] Reading cas.properties file from login-webflow
That one I also have, exactly the same you have, and I can read values from cas.properties from inside "deployConfigContext.xml" file. No problem there. Problem is they are defined inside this bean or that bean. In login-webflow.xml, I don't have beans., the file begins with: " wrote: Here’s my propertyFileConfigurer.xml file in the spring-configuration directory: http://www.springframework.org/schema/beans"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:p="http://www.springframework.org/schema/p"; xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd";> This file lets CAS know where you've stored the cas.properties file which details some of the configuration options that are specific to your environment. You can specify the location of the file here. You may wish to place the file outside of the Servlet context if you have options that are specific to a tier (i.e. test vs. production) so that the WAR file can be moved between tiers without modification. Jonathan Liedy Middleware Administrator The Florida State University 2035 East Paul Dirac Drive Sliger, Suite 113 Tallahassee, FL 32310 jli...@fsu.edu Voice: (850) 270-7368 From: s4...@yahoo.co.jp [mailto:s4...@yahoo.co.jp] Sent: Tuesday, August 28, 2012 8:56 PM To: cas-user@lists.jasig.org Subject: [cas-user] Reading cas.properties file from login-webflow Problem: I have a URL in cas.properties file and I want to read it from within the login-webflow.xml and pass that value to some bean (java file). CAS server version 3.4.10 My login-webflow begins with: http://www.springframework.org/schema/context"; http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd";> //- Those two lines should have allowed (that's what I thought) me to use the following: But no, not so fast. I get this error: // cvc-complex-type.2.4.a: Invalid content was found starting with element 'context:property-placeholder'. One of '{"http://www.springframework.org/schema/webflow":action-state, "http://www.springframework.org/schema/webflow":view-state, . // Inside one of the "action-states", I have this piece of code: In my cas.properties file, I have this code: parentCASUrl=https://parent1.com I want to keep all my values like DB connection strings, user name, passwords, URLs of different servers, etc, in a separate (=cas.properties) file, and read it from within program. Can someone give me some pointers? Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: jli...@fsu.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] /logout 101
I read that when I issue /logout command, it destroys the TGC that has been stored by the CAS server upon establishment of a SSO session. I assume the TGC is stored on the client side. But I also see that in CAS server logs, "something" is happening.. basically ticket TGT-XXX.. is being removed. I am trying to explore a possibility where only removing local TGC would log me out from an SSO regime. But I don't know what happens that server side TGT-XXX? Would the ticket registry just grow and grow for each new SSO session? Even if there is a kind of garbage collection of ticket registries, how would the remote CAS server know if a user has deleted his or her TGC on the client side? My conclusion is that one needs to communicate with the server for the TGC removal, just removing the TGC on the clint side is not enough. Is it correct? Hope someone can demystify the logout process or point to some URLs. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] /logout 101
Marvin, Scott Would you please comment on it? --- On Fri, 2012/8/31, s4...@yahoo.co.jp wrote: I read that when I issue /logout command, it destroys the TGC that has been stored by the CAS server upon establishment of a SSO session. I assume the TGC is stored on the client side. But I also see that in CAS server logs, "something" is happening.. basically ticket TGT-XXX.. is being removed. I am trying to explore a possibility where only removing local TGC would log me out from an SSO regime. But I don't know what happens that server side TGT-XXX? Would the ticket registry just grow and grow for each new SSO session? Even if there is a kind of garbage collection of ticket registries, how would the remote CAS server know if a user has deleted his or her TGC on the client side? My conclusion is that one needs to communicate with the server for the TGC removal, just removing the TGC on the clint side is not enough. Is it correct? Hope someone can demystify the logout process or point to some URLs. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] /logout 101
Thank you, Marvin. --- On Sat, 2012/9/1, Marvin Addison wrote: On Fri, Aug 31, 2012 at 4:31 AM, wrote: > > I read that when I issue /logout command, it destroys the TGC that has > been stored by the CAS server upon establishment of a SSO session. I assume > the TGC is stored on the client side. But I also see that in CAS server > logs, "something" is happening.. basically ticket TGT-XXX.. is being > removed. > > I am trying to explore a possibility where only removing local TGC would > log me out from an SSO regime. Destroying the session cookie will effective log you out of CAS. > But I don't know what happens that server > side TGT-XXX? Would the ticket registry just grow and grow for each new SSO > session? Yes, until the orphaned ticket is purged either by cache expiration (cached-based ticket registries) or periodic ticket registry cleaning (driven by Quartz scheduled task.) > how would the remote CAS server know if a user has deleted his or her TGC on > the client side? Not possible. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] reading properties file
I am trying to read a properties file ("my.properties"), which I put right under /WEB-INF when I created an eclipse project. I told Spring where the file is like this: /WEB-INF/my.properties I created a war file, and deployed under /webapps. Inside some class, which is an ordinary java class (not a servlet), I wanted to read that "my.properties" file like this: InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("WEB-INF/my.properties"); When I "System.out" inputStream, it is null. cas.log has this error: org.springframework.beans.factory.BeanInitializationException: Could not load properties; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/my.properties] I spent a day googling, but could not make it work-- that's why I am here. What's happening? Can someone give me some pointers? Thanks! -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] reading properties file
Thanks Guy Thomas. Yes, moving the my.properties file inside /WEB-INF/classes DID help to get rid of the cas.log error. Now how do I get rid of the catalina.out error? It still says inputstream is null. PS: My spring config now looks like: /WEB-INF/classes/my.properties< /value> --- On Tue, 2012/9/18, Guy Thomas wrote: /WEB-INF/my.properties is not on your classpath. Put it for example under /WEB-INF/classes Op dinsdag 18 september 2012 13:42:45 UTC+2 schreef (onbekend) het volgende:I am trying to read a properties file ("my.properties"), which I put right under /WEB-INF when I created an eclipse project. I told Spring where the file is like this: /WEB-INF/my.properties< /value> I created a war file, and deployed under /webapps. Inside some class, which is an ordinary java class (not a servlet), I wanted to read that "my.properties" file like this: InputStream inputStream = this.getClass(). getClassLoader(). getResourceAsStream("WEB-INF/ my.properties"); When I "System.out" inputStream, it is null. cas.log has this error: org.springframework.beans. factory. BeanInitializationException: Could not load properties; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/my.properties] I spent a day googling, but could not make it work-- that's why I am here. What's happening? Can someone give me some pointers? Thanks! -- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@ googlegroups.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/ display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] reading properties file
Latest construction: InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("classes/my.properties"); is giving me null. --- On Wed, 2012/9/19, s4...@yahoo.co.jp wrote: Thanks Guy Thomas. Yes, moving the my.properties file inside /WEB-INF/classes DID help to get rid of the cas.log error. Now how do I get rid of the catalina.out error? It still says inputstream is null. PS: My spring config now looks like: /WEB-INF/classes/my.properties< /value> --- On Tue, 2012/9/18, Guy Thomas wrote: /WEB-INF/my.properties is not on your classpath. Put it for example under /WEB-INF/classes Op dinsdag 18 september 2012 13:42:45 UTC+2 schreef (onbekend) het volgende:I am trying to read a properties file ("my.properties"), which I put right under /WEB-INF when I created an eclipse project. I told Spring where the file is like this: /WEB-INF/my.properties< /value> I created a war file, and deployed under /webapps. Inside some class, which is an ordinary java class (not a servlet), I wanted to read that "my.properties" file like this: InputStream inputStream = this.getClass(). getClassLoader(). getResourceAsStream("WEB-INF/ my.properties"); When I "System.out" inputStream, it is null. cas.log has this error: org.springframework.beans. factory. BeanInitializationException: Could not load properties; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/my.properties] I spent a day googling, but could not make it work-- that's why I am here. What's happening? Can someone give me some pointers? Thanks! -- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@ googlegroups.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/ display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] reading properties file -> solved
/my.properties did the job. Sorry for spamming you all. Cheers, --- On Wed, 2012/9/19, s4...@yahoo.co.jp wrote: Latest construction: InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("classes/my.properties"); is giving me null. --- On Wed, 2012/9/19, s4...@yahoo.co.jp wrote: Thanks Guy Thomas. Yes, moving the my.properties file inside /WEB-INF/classes DID help to get rid of the cas.log error. Now how do I get rid of the catalina.out error? It still says inputstream is null. PS: My spring config now looks like: /WEB-INF/classes/my.properties< /value> --- On Tue, 2012/9/18, Guy Thomas wrote: /WEB-INF/my.properties is not on your classpath. Put it for example under /WEB-INF/classes Op dinsdag 18 september 2012 13:42:45 UTC+2 schreef (onbekend) het volgende:I am trying to read a properties file ("my.properties"), which I put right under /WEB-INF when I created an eclipse project. I told Spring where the file is like this: /WEB-INF/my.properties< /value> I created a war file, and deployed under /webapps. Inside some class, which is an ordinary java class (not a servlet), I wanted to read that "my.properties" file like this: InputStream inputStream = this.getClass(). getClassLoader(). getResourceAsStream("WEB-INF/ my.properties"); When I "System.out" inputStream, it is null. cas.log has this error: org.springframework.beans. factory. BeanInitializationException: Could not load properties; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/my.properties] I spent a day googling, but could not make it work-- that's why I am here. What's happening? Can someone give me some pointers? Thanks! -- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@ googlegroups.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/ display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] using CAS with Spring
In your web.xml file, do you have something like the following? contextConfigLocation ---- /WEB-INF/my-filters.xml If yes, you might want to check my-filters.xml and see if you have a bean named "authenticationFilter" defined there, something like: HIH, --- On Tue, 2012/9/25, Qian, Yi wrote: Hello, I followed https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring link trying to set up my application In web.xml, I have CAS Authentication Filter org.springframework.web.filter.DelegatingFilterProxy saml1Authenticaion authenticationFilter CAS Authentication Filter /* In Spring applicationContext.xml, I have https://test.server.com:8443/cas/login"; p:renew="false" p:gateway="false" p:service="https://web.server.com:8443"; /> But Tomcat gives following error SEVERE: Exception starting filter CAS Authentication Filter org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'CAS Authentication Filter' is defined I went through the linked page multiple times, did I miss anything? Regards, Yi -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] Running validation tests with built-in helloworld
Hi all, I am trying to run validation test with "helloworld". This helloworld comes built-in when I install Tomcat, and is located at /webapps/examples/servlets. When I add appropriate filters in web.xml of that helloworld "application", and when I type the following url, I am taken to cas login screen. https://my.test.server.url/examples/servlets/servlet/HelloWorldExample After successful authentication, "Hello World!" is displayed. I need to rewrite the above url as follows: https://my.test.server.url/cas/login?service=foo *What would be the foo part? <<-- This is my main question. I tried: https://my.test.server.url/cas/login?service=examples/servlets/servlet/HelloWorldExample, but failed. (error message: the application is not authorized to use cas)(approx. translation) Server logs say: WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - WHO: testUser WHAT: servlets/servlet/HelloWorldExample ACTION: SERVICE_TICKET_NOT_CREATED APPLICATION: CAS I want to run these steps: (from https://wiki.jasig.org/display/CAS/CAS+Functional+Tests) 1. visit /login?service=foo 2. enter correct credentials 3. you should be redirected to foo with a valid service ticket 4. visit /serviceValidate?service=foo&ticket=[ticket from Step 3] Please help. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] Running validation tests with built-in helloworld--> how to add helloworld into the service registry
Thanks, Carlos. I googled "service registry add" and came to this page: https://wiki.jasig.org/display/CASUM/Services+Management (1) When I tried "https://casURL:8443/cas/services/ I get http://localhost:8080/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fcas%2Fservices%2Fj_acegi_cas_security_check With a warning "non-secure connection", which is understandable. At this point, I entered credentials which work perfectly fine under normal circumstances (like when I enter https://casURL/cas/login), yet I got access denied "UsernameNotFoundException::user1" Yet, when I checked catalina.out logs, I find that authentication has been successful , TGT has been created and service ticket created. Here are the logs for the last two: 2013-02-28 11:19:54,978 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - http://localhost:8080/cas/services/j_acegi_cas_security_check] for user [user1]> = WHO: user1 WHAT: ST-1-rMm40520qHy3KX6oZSur-cas01.example.org for http://localhost:8080/cas/services/j_acegi_cas_security_check ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: date stuff CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 = > = WHO: audit:unknown WHAT: ST-1-rMm40520qHy3KX6oZSur-cas01.example.org ACTION: SERVICE_TICKET_VALIDATED APPLICATION: CAS WHEN: date stuff CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 = I am interested to know why the CAS denied access to me, but more than that I want to know how I can add the "helloWorldExample" to the service registry, so that I can proceed with the validation test with pattern "https://my.test.server.url/cas/login?service=foo";. Cheers. --- On Tue, 2013/2/19, Carlos Fernandez wrote: Hello, The error message indicates that the URL specified in the /cas/login “service” parameter does not match any of the entries in the service registry. If, for example, you have an entry in the service registry with the following URL: https://my.test.server.url/examples/servlets/servlet/HelloWorldExample then the CAS login URL would be: https://my.test.server.url/cas/login?service=https%3A%2F%2Fmy.test.server.url%2Fexamples%2Fservlets%2Fservlet%2FHelloWorldExample Please note that the URL in the “service” parameter is URL-encoded. Best regards,--Carlos. From: s4...@yahoo.co.jp [mailto:s4...@yahoo.co.jp] Sent: Monday, 18 February, 2013 13:42 To: cas-user@lists.jasig.org Subject: [cas-user] Running validation tests with built-in helloworld Hi all, I am trying to run validation test with "helloworld". This helloworld comes built-in when I install Tomcat, and is located at /webapps/examples/servlets. When I add appropriate filters in web.xml of that helloworld "application", and when I type the following url, I am taken to cas login screen. https://my.test.server.url/examples/servlets/servlet/HelloWorldExample After successful authentication, "Hello World!" is displayed. I need to rewrite the above url as follows: https://my.test.server.url/cas/login?service=foo *What would be the foo part? <<-- This is my main question. I tried: https://my.test.server.url/cas/login?service=examples/servlets/servlet/HelloWorldExample, but failed. (error message: the application is not authorized to use cas)(approx. translation) Server logs say: WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - WHO: testUser WHAT: servlets/servlet/HelloWorldExample ACTION: SERVICE_TICKET_NOT_CREATED APPLICATION: CAS I want to run these steps: (from https://wiki.jasig.org/display/CAS/CAS+Functional+Tests) 1. visit /login?service=foo 2. enter correct credentials 3. you should be redirected to foo with a valid service ticket 4. visit /serviceValidate?service=foo&ticket=[ticket from Step 3] Please help. Thanks.-- You are currently subscribed to cas-user@lists.jasig.org as: cfern...@sju.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] CAS 101
Hi all, How does CAS know where to direct to after successful authentication? I am asking because I am seeing "failed to properly redirect" error in Firefox. Taking a simple example, say, I type https://test.server/helloworld. Since I have my filters in the web.xml file (of that "helloworld" webapp) in place, I am taken to CAS login page, and I enter my user and password, and instead of showing me helloworld application (which just prints "hello world" in the screen), I am greeted with redirection failure. Tomcat's catalina.out does not show any error, so CAS itself is properly configured, I think. Where do I configure the "go here after authentication" part? Some pointers would be helpful. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CAS 101
Looks like I had made some mistakes in importing certificate(s) of the CAS server. I got it working, but I am still at dark which piece of config (or code) is responsible for redirection. --- On Wed, 2013/3/27, s4...@yahoo.co.jp wrote: Hi all, How does CAS know where to direct to after successful authentication? I am asking because I am seeing "failed to properly redirect" error in Firefox. Taking a simple example, say, I type https://test.server/helloworld. Since I have my filters in the web.xml file (of that "helloworld" webapp) in place, I am taken to CAS login page, and I enter my user and password, and instead of showing me helloworld application (which just prints "hello world" in the screen), I am greeted with redirection failure. Tomcat's catalina.out does not show any error, so CAS itself is properly configured, I think. Where do I configure the "go here after authentication" part? Some pointers would be helpful. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] SSO at across multiple domains
I thought I was in wrong forum, so I jumped the ship :) (Marvin, please comment here when you can. Thanks.) //-- I was trying to learn how to trust a remote CAS server's authentication so that once authenticated through a local CAS, the user does not need to see that log-in screen again. Then I found J. Field's excellent paper and read it and I understood it a little better. (I have yet to do the implementation.) But I do not still have a clear picture what happens at the non-local (remote) CAS server. Let me explain below what I learnt from Field's article. 1. A locally authenticated user accesses a remote, CAS-protected application. 2. Remote application checks with remote CAS. 3. Remote CAS has an Apache front end with mod_auth_cas set up, and there is something in the URL header ("REMOTE"?) that makes the remote CAS forward the request to the origin, that is, the remote CAS asks the local CAS for a ticket. 4. Local CAS issues a service ticket (ST) to remote CAS. The key here is to treat remote CAS server as an application. So for the local CAS, it is just like issuing an ST for an "application". 5. Upon seeing that the request has an ST, the remote CAS then issues a ticket granting cookie (TGC), which is returned to the browser, and also issues an ST good for remote application. 6. Remote application is happy because for it, the authentication came form the their "local" CAS, in which they trust. Hence, SSO is realized (no second log in necessary.) Question: At no. 5 above, how does the remote CAS know how to trust the visitor? The visitor only has an ST (not for any particular application, but for "remote CAS application" as a whole), and perhaps user ID? Validation against the remote database should not be possible because the request string does not contain password. Or the remote location's user repository won't be consulted at all in this scheme? What are the necessary and sufficient conditons for the remote CAS to issue ST and TGC for visitors who are authenticated at other location(s)? (In my case, both the local and the remote domains have exact same copy of user repository.) Thank you for taking time to read and for your comments. Cheers. //- J. Field's article: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CBsQFjAA&url=https%3A%2F%2Fwiki.jasig.org%2Fdownload%2Fattachments%2F48596744%2FHow%2Bto%2BTrust%2BAnother%2BCAS%2BServer.pdf%3Fversion%3D1%26modificationDate%3D1321479461428&ei=0e7cTtiqGOKHmQXd4OnTCw&usg=AFQjCNH5FlhDZHU_oHBOCj-rg_WtLMT4IA or you can google for "How to Trust Another CAS Server" --o0o-- -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] SSO at across multiple domains
Hi Marvin, Did you get some time to read Field's article? Or, can you or somebody point me to some resources so that I can learn how to set up SSO across different domains sharing a common user database? Cheers, s400t --- On Tue, 2011/12/6, s400t wrote: I thought I was in wrong forum, so I jumped the ship :) (Marvin, please comment here when you can. Thanks.) //-- I was trying to learn how to trust a remote CAS server's authentication so that once authenticated through a local CAS, the user does not need to see that log-in screen again. Then I found J. Field's excellent paper and read it and I understood it a little better. (I have yet to do the implementation.) But I do not still have a clear picture what happens at the non-local (remote) CAS server. Let me explain below what I learnt from Field's article. 1. A locally authenticated user accesses a remote, CAS-protected application. 2. Remote application checks with remote CAS. 3. Remote CAS has an Apache front end with mod_auth_cas set up, and there is something in the URL header ("REMOTE"?) that makes the remote CAS forward the request to the origin, that is, the remote CAS asks the local CAS for a ticket. 4. Local CAS issues a service ticket (ST) to remote CAS. The key here is to treat remote CAS server as an application. So for the local CAS, it is just like issuing an ST for an "application". 5. Upon seeing that the request has an ST, the remote CAS then issues a ticket granting cookie (TGC), which is returned to the browser, and also issues an ST good for remote application. 6. Remote application is happy because for it, the authentication came form the their "local" CAS, in which they trust. Hence, SSO is realized (no second log in necessary.) Question: At no. 5 above, how does the remote CAS know how to trust the visitor? The visitor only has an ST (not for any particular application, but for "remote CAS application" as a whole), and perhaps user ID? Validation against the remote database should not be possible because the request string does not contain password. Or the remote location's user repository won't be consulted at all in this scheme? What are the necessary and sufficient conditons for the remote CAS to issue ST and TGC for visitors who are authenticated at other location(s)? (In my case, both the local and the remote domains have exact same copy of user repository.) Thank you for taking time to read and for your comments. Cheers. //- J. Field's article: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CBsQFjAA&url=https%3A%2F%2Fwiki.jasig.org%2Fdownload%2Fattachments%2F48596744%2FHow%2Bto%2BTrust%2BAnother%2BCAS%2BServer.pdf%3Fversion%3D1%26modificationDate%3D1321479461428&ei=0e7cTtiqGOKHmQXd4OnTCw&usg=AFQjCNH5FlhDZHU_oHBOCj-rg_WtLMT4IA or you can google for "How to Trust Another CAS Server" --o0o-- -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] CASifying the Helloworld
Hi All, I am trying to use the "SearchModeSearchDatabaseAuthenticationHandler" instead of the "SimpleTestUsernamePasswordAuthenticationHandler". In the web.xml file of the folder C:\apache-tomcat-5.5.34\webapps\servlets-examples\WEB-INF, I added the filters as follows: CAS Filter edu.yale.its.tp.cas.client.filter.CASFilter edu.yale.its.tp.cas.client.filter.loginUrl https://localhost:8443/cas-server-3.4.11/login edu.yale.its.tp.cas.client.filter.validateUrl https://localhost:8443/cas-server-3.4.11/proxyValidate edu.yale.its.tp.cas.client.filter.serverName localhost:8443 With the SimpleTestUsernamePasswordAuthenticationHandler, I get the CAS login screen (https://localhost:8443/cas/login) all right, but with the SearchModeSearchDatabaseAuthenticationHandler, I get an HTTP 404-- The requested resource () is not available. Here is a part of my deployerConfigContex: // myusers uid password // com.mysql.jdbc.Driver jdbc:mysql://localhost:3306/spring root pass //--- Remarks: My https server is ok, and so is the MySQL server. Among other things, I don't know how to tell the CAS where to find the file that has the "com.mysql.jdbc.Driver". Also, how is https://localhost:8443/cas/login is mapped? I don't see and /login folder under my /webapp/cas folder. Any help would make my weekend better :) Thanks for taking time to read. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CASifying the Helloworld
Somebody, please!? --- On Fri, 2012/1/20, s4...@yahoo.co.jp wrote: Hi All, I am trying to use the "SearchModeSearchDatabaseAuthenticationHandler" instead of the "SimpleTestUsernamePasswordAuthenticationHandler". In the web.xml file of the folder C:\apache-tomcat-5.5.34\webapps\servlets-examples\WEB-INF, I added the filters as follows: CAS Filter edu.yale.its.tp.cas.client.filter.CASFilter edu.yale.its.tp.cas.client.filter.loginUrl https://localhost:8443/cas-server-3.4.11/login edu.yale.its.tp.cas.client.filter.validateUrl https://localhost:8443/cas-server-3.4.11/proxyValidate edu.yale.its.tp.cas.client.filter.serverName localhost:8443 With the SimpleTestUsernamePasswordAuthenticationHandler, I get the CAS login screen (https://localhost:8443/cas/login) all right, but with the SearchModeSearchDatabaseAuthenticationHandler, I get an HTTP 404-- The requested resource () is not available. Here is a part of my deployerConfigContex: // myusers uid password // com.mysql.jdbc.Driver jdbc:mysql://localhost:3306/spring root pass //--- Remarks: My https server is ok, and so is the MySQL server. Among other things, I don't know how to tell the CAS where to find the file that has the "com.mysql.jdbc.Driver". Also, how is https://localhost:8443/cas/login is mapped? I don't see and /login folder under my /webapp/cas folder. Any help would make my weekend better :) Thanks for taking time to read. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CASifying the Helloworld
Thanks Marvin for the pointers. The keyword was cas log files. I didn't see any cas.log. I only checked logs under tomcat's home folder's /log folder, and the cas.log was not there. It was under /bin, because from that folder, I ran my tomcat. So I panicked. Now I "found" it, it was very clear what was wrong: //- Cannot create inner bean 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#6ac67a88' of type [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] while setting bean property 'authenticationHandlers' with key [1]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] for bean with name 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#6ac67a88' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler // No I did not have my "SearchModeSearch" class. Or I did not put it in proper place. Now, In the following page, Stephen More and Mark Rogers use that bean, and I used the construct without thinking about the jar files. Now I need to figure out which jar file has that class. I can unzip every jar thar comes with the cas and look into it, but there should be a smart way to find out. Cheers, and thanks again for the pointers. --- On Mon, 2012/1/23, Marvin Addison wrote: > With the SimpleTestUsernamePasswordAuthenticationHandler, I get the CAS login > screen (https://localhost:8443/cas/login) all right, but with the > SearchModeSearchDatabaseAuthenticationHandler, I get an HTTP 404 Likely deployment errors. Details should be in cas.log and/or tomcat logs. Post log excerpts if you want help troubleshooting specific errors. > Among other things, I don't know how to tell the CAS where to find the file > that has the "com.mysql.jdbc.Driver". Best practice is to put on container classpath, for example tomcat/lib directory. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CASifying the Helloworld
https://wiki.jasig.org/display/CAS/Examples+to+Configure+CAS I meant that URL. wiki.jasig.org/display/CAS/Examples+to+Configure+CAS --- On Tue, 2012/1/24, s4...@yahoo.co.jp wrote: Thanks Marvin for the pointers. The keyword was cas log files. I didn't see any cas.log. I only checked logs under tomcat's home folder's /log folder, and the cas.log was not there. It was under /bin, because from that folder, I ran my tomcat. So I panicked. Now I "found" it, it was very clear what was wrong: //- Cannot create inner bean 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#6ac67a88' of type [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] while setting bean property 'authenticationHandlers' with key [1]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] for bean with name 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#6ac67a88' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler // No I did not have my "SearchModeSearch" class. Or I did not put it in proper place. Now, In the following page, Stephen More and Mark Rogers use that bean, and I used the construct without thinking about the jar files. Now I need to figure out which jar file has that class. I can unzip every jar thar comes with the cas and look into it, but there should be a smart way to find out. Cheers, and thanks again for the pointers. --- On Mon, 2012/1/23, Marvin Addison wrote: > With the SimpleTestUsernamePasswordAuthenticationHandler, I get the CAS login > screen (https://localhost:8443/cas/login) all right, but with the > SearchModeSearchDatabaseAuthenticationHandler, I get an HTTP 404 Likely deployment errors. Details should be in cas.log and/or tomcat logs. Post log excerpts if you want help troubleshooting specific errors. > Among other things, I don't know how to tell the CAS where to find the file > that has the "com.mysql.jdbc.Driver". Best practice is to put on container classpath, for example tomcat/lib directory. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] ParentCAS and ChildCAS, one way trust
Hi All, Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application, that should tell you where do I stand on things CAS. Please explain in a few sentences what/how should I be implementing this. Situation: Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS.), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and access the apps at the childCAS side, s/he will need to get authenticated by the childCAS. A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is one way trust. About the user repository, all the users in childCAS's user DB have accounts at the parentCAS's user DB, only that records are not exact carbon copy. Number of fields are different and I must consider cases like the same person using different names (say, "Christopher Gibins" in parentCAS side DB and "Chris Gibings"on the other. I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where do I start? I need keywords so that I can fine tune my search. This issue may have been raised and solved!? A side question to John: is it (always?) necessary to get the ultimate authentication at the local level in case of two different-domain CASes? In your article, you mention that even though the home CAS issues an ST for the "remote CAS application", the applications at the remote end trust validation only from their own local CAS. What I am getting at is this: Would it be necessary for the childCAS to eventually authenticate a request using its own user repository? Some kind of mapping to a local record once I am dead sure that the visitor has already been authenticated at the genuine parentCAS? If I could ask more, I wish to have a "solution approach", just like John's paper. Like if I need to write my own customPrincipalResolver.. where to start? What do I need? On this though, I will also do my own search (if it is "out" there). I came across a word "gateway". Would it solve my problem? (Andrew Petro's response to Jeremy). This one also should be googleable. How do I make sure that the childCAS trust the validation ONLY from the parentCAS? (In addition to a direct log in to the server of the childCAS) Would it be possible for a bogus "parentCAS" to access a childCAS-protected application and say, " I am your parentCAS, do let me in"? How do I prevent it? Sorry for a long question. Thank you for taking time to read. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] ParentCAS and ChildCAS, one way trust
To Andrew and Brian: Believe me if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario: Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/ authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS instititions, like freelancers. Now these people at the parentCAS instititions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of log in screens. The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS. Does it make sense? > or is this an artifact of where your initial investigations led? No. I had not understood what I needed to do in the beginning! Now, I know better :) Cheers. --- On Wed, 2012/2/1, b savage wrote: Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements). Brian On Tue, Jan 31, 2012 at 2:34 PM, wrote: Hi All, Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application, that should tell you where do I stand on things CAS. Please explain in a few sentences what/how should I be implementing this. Situation: Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS.), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and access the apps at the childCAS side, s/he will need to get authenticated by the childCAS. A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is one way trust. About the user repository, all the users in childCAS's user DB have accounts at the parentCAS's user DB, only that records are not exact carbon copy. Number of fields are different and I must consider cases like the same person using different names (say, "Christopher Gibins" in parentCAS side DB and "Chris Gibings"on the other. I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where do I start? I need keywords so that I can fine tune my search. This issue may have been raised and solved!? A side question to John: is it (always?) necessary to get the ultimate authentication at the local level in case of two different-domain CASes? In your article, you mention that even though the home CAS issues an ST for the "remote CAS application", the applications at the remote end trust validation only from their own local CAS. What I am getting at is this: Would it be necessary for the childCAS to eventually authenticate a request using its own user repository? Some kind of mapping to a local record once I am dead sure that the visitor has already been authenticated at the genuine parentCAS? If I could ask more, I wish to have a "solution approach", just like John's paper. Like if I need to write my own customPrincipalResolver.. where to start? What do I need? On this though, I will also do my own search (if it is "out" there). I came across a word "gateway". Would it solve my problem? (Andrew Petro's response to Jeremy). This one also should be googleable. How do I make sure that the childCAS trust the validation ONLY from the parentCAS? (In addition to a direct log in to the server of the childCAS) Would it be possible for a bogus "parentCAS" to access a childCAS-protected application and say, " I am your parentCAS, do let me in"? How do I prevent it? Sorry for a long question. Thank you for taking time to read. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: brianxsav...@gmail.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org
Re: [cas-user] ParentCAS and ChildCAS, one way trust-- hello?
Hi Marvin, John Field, Brian, Andrew: How do I pique your interest? :) I got some idea from John's paper, and I have some questions. I could use REMOTE_USER header to sense that the user is coming from the parentCAS institution. Then If I could convince the childCAS to trust the parentCAS's authentication, I would be done. Would it work? How and why? Where do I start? I need to learn right from setting an environment (eclipse/tomcat/maven/spring) Well, that's what Google is for, but I still need a roadmap and I would like to ask some of the more experienced readers here to give some guidance. Some of the questions I have in mind: When an authenticated user from the parentCAS visits an URL which is childCAS-protected: what is the content of the request? Does the request have "I am so and so from so and so URL" information, besides probably a service ticket? If yes, then I could probably write a filter to allow the request from from the participating parentCAS institutions. I quoted names but of course, everyone is not only welcome, but also request to pitch in. Those people are some of the most frequest names that I came across in my previous posts. Cheers, --- On Wed, 2012/2/1, s4...@yahoo.co.jp wrote: To Andrew and Brian: Believe me if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario: Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/ authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS instititions, like freelancers. Now these people at the parentCAS instititions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of log in screens. The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS. Does it make sense? > or is this an artifact of where your initial investigations led? No. I had not understood what I needed to do in the beginning! Now, I know better :) Cheers. --- On Wed, 2012/2/1, b savage wrote: Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements). Brian On Tue, Jan 31, 2012 at 2:34 PM, wrote: Hi All, Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application, that should tell you where do I stand on things CAS. Please explain in a few sentences what/how should I be implementing this. Situation: Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS.), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and access the apps at the childCAS side, s/he will need to get authenticated by the childCAS. A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is one way trust. About the user repository, all the users in childCAS's user DB have accounts at the parentCAS's user DB, only that records are not exact carbon copy. Number of fields are different and I must consider cases like the same person using different names (say, "Christopher Gibins" in parentCAS side DB and "Chris Gibings"on the other. I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where do I start? I need keywords so that I can fine tune my search. This issue may have been raised and solved!? A side question to John: is it (always?) necessary to get the ultimate authentication at the local level in case of two different-domain CASes? In your article, you mention that even though the home CAS issues an ST for the "remote CAS application", the applications at the remote end trust validation only from their own local CAS. What I am getting at is this: Would it be nece
[cas-user] How to use Maven to create war file, including one's changes
Hi All, I am learning how to build a war file using maven command lines. Scott Battaglia's Best Practice - Setting Up CAS Locally using the Maven2 WAR Overlay Method page was helpful to get me going.. I did exactly what is written in that page. When I ran "mvn clean package", I got a war file, which when deployed under Tomcat/webapps, works fine. My next challenge is how to add my own java files for authentication, and where to put those files. Say, if I were to add a bean like this: Where would I put the necessary java files? Where the pom.xml exists? (at the very top level? Like I would create com/mytest/cas/ folders and put my java file there?). How do I tell maven to look for java files in certain places? I mean, when I say "com.mytest.cas.xx" from where that "com" begin? There are so much resources in the internet. It is frustrating not to know how to use it to get one's job done. Learning the rope the hard way, PS: I could not make my Eclipse install maven plugin.. so I gave up using eclipse driven build for now. PPS: It seems that when I run "mvn clean package", I need to be online. May be it is necessary to download some files for the first time, but I want it to stop contacting the outside servers after the second time.. I cannot be connected to network all the times. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How to use Maven to create war file, including one's changes
Hi Declan, Marvin: Thank you for the hints. And the examples helped. Time to move ahead! --- On Sat, 2012/2/4, Marvin Addison wrote: > How can I get the valid ED-ID certificate? You can't. It's a build for our environment that requires credentials specific to our environment. I offered it for demonstration purposes only, though it does demonstrate a number of best practices. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] ParentCAS and ChildCAS, one way trust-- hello?
Hi All, Back with the the same question I asked earlier: is it possible to embed items in the payload (when an autheticated user visits a remore CAS server)? I want the remote server (with the childCAS) to know, by looking at the header or womewhere else (where?), that request consists of the user's Id and may be the URL of the parentCAS server. What are the keywords for this kind of scenario? Thanks for your attention, --- On Fri, 2012/2/3, s4...@yahoo.co.jp wrote: Hi Marvin, John Field, Brian, Andrew: How do I pique your interest? :) I got some idea from John's paper, and I have some questions. I could use REMOTE_USER header to sense that the user is coming from the parentCAS institution. Then If I could convince the childCAS to trust the parentCAS's authentication, I would be done. Would it work? How and why? Where do I start? I need to learn right from setting an environment (eclipse/tomcat/maven/spring) Well, that's what Google is for, but I still need a roadmap and I would like to ask some of the more experienced readers here to give some guidance. Some of the questions I have in mind: When an authenticated user from the parentCAS visits an URL which is childCAS-protected: what is the content of the request? Does the request have "I am so and so from so and so URL" information, besides probably a service ticket? If yes, then I could probably write a filter to allow the request from from the participating parentCAS institutions. I quoted names but of course, everyone is not only welcome, but also request to pitch in. Those people are some of the most frequest names that I came across in my previous posts. Cheers, --- On Wed, 2012/2/1, s4...@yahoo.co.jp wrote: To Andrew and Brian: Believe me if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario: Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/ authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS instititions, like freelancers. Now these people at the parentCAS instititions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of log in screens. The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS. Does it make sense? > or is this an artifact of where your initial investigations led? No. I had not understood what I needed to do in the beginning! Now, I know better :) Cheers. --- On Wed, 2012/2/1, b savage wrote: Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements). Brian On Tue, Jan 31, 2012 at 2:34 PM, wrote: Hi All, Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application, that should tell you where do I stand on things CAS. Please explain in a few sentences what/how should I be implementing this. Situation: Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS.), allowing the user to go directly to the application in question. If the user has not been authenticated at the parentCAS and access the apps at the childCAS side, s/he will need to get authenticated by the childCAS. A successful authentication at the childCAS is not good enough for the applications that are protected by parentCAS. So it is one way trust. About the user repository, all the users in childCAS's user DB have accounts at the parentCAS's user DB, only that records are not exact carbon copy. Number of fields are different and I must consider cases like the same person using different names (say, "Christopher Gibins" in parentCAS side DB and "Chris Gibings"on the other. I have a little (theoretical) understanding of trust in multi-domain CAS, thanks to John Field's article and some help from Marvin, Brian and others. But this one, where
[cas-user] How to Trust Another CAS Server
This is J. field Question: In your paper ("How to Trust Another CAS Server"), there is a small error in the hyperlink: At the very end of the subsection "Trusted Authentication Handler", you have this: "More details available here". "available here" is hyperlnked to https://wiki.jasig.org/display/CASUM/Trusted You also have hyperlinked words at the end of another subsection: Spring Web Flow. but this one also points to the same one as above, namely a link for the trusted authentication handler, https://wiki.jasig.org/display/CASUM/Trusted What would be the correct link? If you could please update the document, it would benefit many. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] Local Visitor or a remote one? How/where to differentiate?
Hi All, How do I differentiate between a local visitor (who logs in to the CAsified app directly) and a remote visitor who has already been authenticated at some remote server? I want to display an authentication screen (login/passwod screen) only when the app in question is accessed directly or when the request is forwarded by some remote app, but it does not have the authentication at the home(remote) server. In case of loggin in using the local access way, I want to use one set of "username/PasswordCredentials" but a different set if visiting from a remote server armed with successful authentication credentials. Looks like I need to modify login-webflow file. Does anyone know a good/basic page that has some samples? Is "login-webflow" the only one that I need to care, besides the "deployerConfigContext"? Any pointer(s) would be helpful, to say the least. Thank you. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How to Trust Another CAS Server
Hi John, could you please spare few minutes? --- On Sat, 2012/2/4, s4...@yahoo.co.jp wrote: This is J. field Question: In your paper ("How to Trust Another CAS Server"), there is a small error in the hyperlink: At the very end of the subsection "Trusted Authentication Handler", you have this: "More details available here". "available here" is hyperlnked to https://wiki.jasig.org/display/CASUM/Trusted You also have hyperlinked words at the end of another subsection: Spring Web Flow. but this one also points to the same one as above, namely a link for the trusted authentication handler, https://wiki.jasig.org/display/CASUM/Trusted What would be the correct link? If you could please update the document, it would benefit many. Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] ParentCAS and ChildCAS, one way trust-- hello?
We are thinking along these lines: Background: A user has already been authenticated by the parentCAS, and now accessing a service which is behind childCAS. The childCAS and the parentCAS do not share the user repo. 1. Once we know that the request is not local, and if the request has some kind of info (TGT or ST or PGT?) that confirtms that parentCAS has authenticated the user, we record the users name and his/her parentCAS institution in field in a database. 2. Next time around, with the same condition as above, we just check the field and if the user name and the institution name matches, we ask the childCAS to issue an ST for the application that the user is trying to access. Any holes in it? Would that work? Should that work? Architect gurus, please comment. Thanks. --- On Sat, 2012/2/4, s4...@yahoo.co.jp wrote: Hi All, Back with the the same question I asked earlier: is it possible to embed items in the payload (when an autheticated user visits a remore CAS server)? I want the remote server (with the childCAS) to know, by looking at the header or womewhere else (where?), that request consists of the user's Id and may be the URL of the parentCAS server. What are the keywords for this kind of scenario? Thanks for your attention, --- On Fri, 2012/2/3, s4...@yahoo.co.jp wrote: Hi Marvin, John Field, Brian, Andrew: How do I pique your interest? :) I got some idea from John's paper, and I have some questions. I could use REMOTE_USER header to sense that the user is coming from the parentCAS institution. Then If I could convince the childCAS to trust the parentCAS's authentication, I would be done. Would it work? How and why? Where do I start? I need to learn right from setting an environment (eclipse/tomcat/maven/spring) Well, that's what Google is for, but I still need a roadmap and I would like to ask some of the more experienced readers here to give some guidance. Some of the questions I have in mind: When an authenticated user from the parentCAS visits an URL which is childCAS-protected: what is the content of the request? Does the request have "I am so and so from so and so URL" information, besides probably a service ticket? If yes, then I could probably write a filter to allow the request from from the participating parentCAS institutions. I quoted names but of course, everyone is not only welcome, but also request to pitch in. Those people are some of the most frequest names that I came across in my previous posts. Cheers, --- On Wed, 2012/2/1, s4...@yahoo.co.jp wrote: To Andrew and Brian: Believe me if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario: Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/ authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS instititions, like freelancers. Now these people at the parentCAS instititions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of log in screens. The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS. Does it make sense? > or is this an artifact of where your initial investigations led? No. I had not understood what I needed to do in the beginning! Now, I know better :) Cheers. --- On Wed, 2012/2/1, b savage wrote: Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains without multiple CAS servers (and you could proceed on more travelled routes to handle some of your other requirements). Brian On Tue, Jan 31, 2012 at 2:34 PM, wrote: Hi All, Someone please guide me to a possible solution. I struggled with a sample/simple helloworld application, that should tell you where do I stand on things CAS. Please explain in a few sentences what/how should I be implementing this. Situation: Two CAS servers, say parentCAS and childCAS, in two different domains, both can be accessed independently. If a user is authenticated in parentCAS and visits pages protected by the childCAS, the user should NOT be asked to log in again (at the childCAS.), allowing the u
[cas-user] CredentialsToLDAPAttributePrincipalResolver for childCAS authentication
Hi All, May be "org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver." exists just for that? Authentication based not on username/password combination, but based on some attributes. Can anyone confirm or deny? If confirmed, I will be able to authenticate only with userId, given that I have been already authenticated by the parentCAS. Now whether confirmed or denied, I want to know if the name "CredentialsToLDAPAttributePrincipalResolver" generic. I don't see "CredentialsToMySQLAttributePrincipalResolver" when I google. I want to use mySQL not LDAP. Please comment. Thank you. --- On Wed, 2012/2/8, s4...@yahoo.co.jp wrote: We are thinking along these lines: Background: A user has already been authenticated by the parentCAS, and now accessing a service which is behind childCAS. The childCAS and the parentCAS do not share the user repo. 1. Once we know that the request is not local, and if the request has some kind of info (TGT or ST or PGT?) that confirtms that parentCAS has authenticated the user, we record the users name and his/her parentCAS institution in field in a database. 2. Next time around, with the same condition as above, we just check the field and if the user name and the institution name matches, we ask the childCAS to issue an ST for the application that the user is trying to access. Any holes in it? Would that work? Should that work? Architect gurus, please comment. Thanks. --- On Sat, 2012/2/4, s4...@yahoo.co.jp wrote: Hi All, Back with the the same question I asked earlier: is it possible to embed items in the payload (when an autheticated user visits a remore CAS server)? I want the remote server (with the childCAS) to know, by looking at the header or womewhere else (where?), that request consists of the user's Id and may be the URL of the parentCAS server. What are the keywords for this kind of scenario? Thanks for your attention, --- On Fri, 2012/2/3, s4...@yahoo.co.jp wrote: Hi Marvin, John Field, Brian, Andrew: How do I pique your interest? :) I got some idea from John's paper, and I have some questions. I could use REMOTE_USER header to sense that the user is coming from the parentCAS institution. Then If I could convince the childCAS to trust the parentCAS's authentication, I would be done. Would it work? How and why? Where do I start? I need to learn right from setting an environment (eclipse/tomcat/maven/spring) Well, that's what Google is for, but I still need a roadmap and I would like to ask some of the more experienced readers here to give some guidance. Some of the questions I have in mind: When an authenticated user from the parentCAS visits an URL which is childCAS-protected: what is the content of the request? Does the request have "I am so and so from so and so URL" information, besides probably a service ticket? If yes, then I could probably write a filter to allow the request from from the participating parentCAS institutions. I quoted names but of course, everyone is not only welcome, but also request to pitch in. Those people are some of the most frequest names that I came across in my previous posts. Cheers, --- On Wed, 2012/2/1, s4...@yahoo.co.jp wrote: To Andrew and Brian: Believe me if it were not necessary, I would not have written such a long email. I do not have sufficient knowledge to create a pure hypothetical case and enjoy doing it. I am sorry, but I cannot divulge where I am trying to implement this solution. For an example, how about this scenario: Several huge ("mother") institutions participate in a project. The project maintains its own independent childCAS server/ authentication database because its users are not only (some of the) members of the mother institutions (with parentCAS), but also people who are not affiliated with any parentCAS instititions, like freelancers. Now these people at the parentCAS instititions do their thing in their home application servers, but sometimes they want to check something which is available ONLY in the project with childCAS. And they don't want to be bothered by another set of log in screens. The reverse is not desirable. People who are authenticated by the childCAS of the project cannot be given the privilege to access parentCAS protected apps running at the mother institutions. The mother institutions have way more and varied applications running under their parentCAS. Does it make sense? > or is this an artifact of where your initial investigations led? No. I had not understood what I needed to do in the beginning! Now, I know better :) Cheers. --- On Wed, 2012/2/1, b savage wrote: Hi there, Just double-checking as this seems like a challenging case otherwise ... are the multiple CAS servers essential, or is this an artifact of where your initial investigations led? CAS can handle multiple domains withou
Re: [cas-user] CredentialsToLDAPAttributePrincipalResolver for childCAS authentication
Thanks, Marvin. It is encouraging to know that it may be possible to develop that component. --- On Wed, 2012/2/8, Marvin Addison wrote: > Authentication based not on username/password combination, but based on some > attributes. I've lost some of the context of your discussion of parent/child CAS. If you want to model access to one domain from another as an authorization decision, which seems reasonable to me at face value, then the attribute release mechanism of CAS should work nicely. One of its primary design functions is to facilitate authorization. > I don't see "CredentialsToMySQLAttributePrincipalResolver" when I google. Doesn't exist, but C-To-P resolvers are fairly straightforward components to develop to suit your needs. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] How is the Resolver Chosen?
Hi Marvin, Let's say I have these two Resolvers in my deployerConfigContext. 1. 2. Now, how is it decided that a particular request should use (1) or (2) above? Where is that if/else? May be login-webFlow? I want to configure something like this: //- If the request has a pre-authenticated ticket from a (remote) parentCAS, use (1); else if the request does not have a ticket, use (2); else no authentication required (assume the user has already been authenticated locally) // How can I achieve this goal? Thanks for your attention. --- On Wed, 2012/2/8, s4...@yahoo.co.jp wrote: Thanks, Marvin. It is encouraging to know that it may be possible to develop that component. --- On Wed, 2012/2/8, Marvin Addison wrote: > Authentication based not on username/password combination, but based on some > attributes. I've lost some of the context of your discussion of parent/child CAS. If you want to model access to one domain from another as an authorization decision, which seems reasonable to me at face value, then the attribute release mechanism of CAS should work nicely. One of its primary design functions is to facilitate authorization. > I don't see "CredentialsToMySQLAttributePrincipalResolver" when I google. Doesn't exist, but C-To-P resolvers are fairly straightforward components to develop to suit your needs. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
No, I don't want to change that behavior for now. Lots of custom coding ahead.. wow. I don't like where I am heading, but I need to do it. For example, there exists org.jasig.cas.util.LdapUtils, but not org.jasig.cas.util.JdbcUtils.. so there I go. And ditto for AbstractJdbcPersonDirectoryCredentialsToPrincipalResolver, which does not exit, usw. I welcome myself to the open source :) Thanks Marvin, for the comments. --- On Thu, 2012/2/9, Marvin Addison wrote: > Now, how is it decided that a particular request should use (1) or (2) above? By default the first resolver that supports a given credential type is used. You can change that behavior by using an alternative authentication manager such as org.jasig.cas.authentication.DirectMappingAuthenticationManagerImpl. I would not be surprised if you needed to develop a custom AuthenticationManager component to suit your needs. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
All I am trying to do at this time is to make CAS work with mySQL as the backend authenticating database. --- On Thu, 2012/2/9, Marvin Addison wrote: > Could it be achieved through the login webflow spring xml configuration? No, at least not in itself. Based on my understanding of the problem the poster is trying to solve it's a matter of component choice at a minimum. There may be additional configuration and development required. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
I will be writing some custom codes if needed (like CredentialsToJdbcAttributePrincipalResolver.java or AbstractJdbcPersonDirectoryCredentialsToPrincipalResolver, etc. bec. they don't exist.) but I will also need something that separates a local request from a remote request in the login-webflow.xml file. Does anyone have a sample or may be point me to an online resource for this scenario: (1) if the user is local, show a log-in page (previous authentication does not exist) And then use "UsernamePasswordCredentialsToPrincipalResolver" for authentication. (2) if the user is remote (coming from parentCAS) and if the authentication from the parent CAS exists, authenticate the user with "CredentialsToJdbcAttributePrincipalResolver", Do NOT show the login page. Thanks. --- On Thu, 2012/2/9, Marvin Addison wrote: > Could it be achieved through the login webflow spring xml configuration? No, at least not in itself. Based on my understanding of the problem the poster is trying to solve it's a matter of component choice at a minimum. There may be additional configuration and development required. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
Greg: If you were to implement the following solution with the login webflow.xml, how would you do it? (1) if the visiting user is local, and previous local authentication does not exists, show the log-in page and then use "UsernamePasswordCredentialsToPrincipalResolver" for authentication. (2) if the user is remote (coming from parentCAS) and if authentication from the remore CAS (parentCAS) exists, then authenticate the user with "CredentialsToJdbcAttributePrincipalResolver", do NOT show the login page. Thanks. --- On Thu, 2012/2/9, Greg Smith wrote: Could it be achieved through the login webflow spring xml configuration? On 8 February 2012 18:32, Marvin Addison wrote: > I welcome myself to the open source :) I hope you can take solace in the nature of open source that allows you to develop for yourself the components you need from the available source. I hope you'll consider sharing anything that may be generally beneficial with the community when you're done. Good luck in the meantime. Best, M -- You are currently subscribed to cas-user@lists.jasig.org as: audi...@gmail.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
Hi Marvin, Could you please give me some guidance? Among other things, how to differentiate between a remote request and a local user? I have two resolvers in the deployerContextConfig. (1) the standard one, UsernamePasswordCredentialsToPrincipalResolver and (2) CredentialsToJdbcAttributePrincipalResolver, which I am trying to create anew (actually, based on its Ldap version) I want to modify login-webflow so that when a local user tries to access a CAS protected service, the standard resolver (1) is called. But when a user has already been authenticated in another server (I have been calling this one a "parentCAS server"), I want to call the modified resolver (2). Info: in the case of (1), I want to display a log-in screen, whereas in the case of (2), I want to "trust" the parentCAS's authentication, and do not show log0in screen. This latter category user will be authenticated using attributes. The attribute items will have been written into a file. I hope I made it clear to you what I want to do. *** One other question: In login-webflow file, I see a line like this, just after the xml namespace declaration: Now.. does this mean that only a "UsernamePasswordCredentials" type resolver (probably (1) above) is used? Thanks. 1) if the visiting user is local, and previous local authentication does not exists, show the log-in page and then use "UsernamePasswordCredentialsToPrincipalResolver" for authentication. (2) if the user is remote (coming from parentCAS) and if authentication from the remore CAS (parentCAS) exists, then authenticate the user with "CredentialsToJdbcAttributePrincipalResolver", do NOT show the login page. Thanks. --- On Thu, 2012/2/9, s4...@yahoo.co.jp wrote: All I am trying to do at this time is to make CAS work with mySQL as the backend authenticating database. --- On Thu, 2012/2/9, Marvin Addison wrote: > Could it be achieved through the login webflow spring xml configuration? No, at least not in itself. Based on my understanding of the problem the poster is trying to solve it's a matter of component choice at a minimum. There may be additional configuration and development required. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] How is the Resolver Chosen?
Thanks, Marvin. A lot of reading ahead, but I will keep the community posted. And I'll keep on asking if stuck. --- On Wed, 2012/2/15, Marvin S. Addison wrote: > I want to modify login-webflow so that when a local user tries to access a > CAS protected service, the standard resolver (1) is called. But when a user > has already been authenticated in another server (I have been calling this one a "parentCAS server"), I want to call the modified resolver (2). I would like to clarify that resolvers are only called at authentication time, so simply accessing a CAS-protected resource won't trigger resolvers unless the user is unauthenticated. As for triggering the right resolver, I really can't provide any further guidance. You're in an advanced use case where your needs aren't met by existing components. I'd recommend you consider request/response headers, cookies, and custom request parameters as tools that may help you accomplish your objective. It's also vitally important that any mechanism you develop does not trust any data provided by the user/browser in any fashion; you could use either encryption or digital signatures to overcome message integrity issues. In any case you will likely need to build several components and integrate them into the Spring context and also likely the Spring Web flow. Best of luck on you're adventure. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null
Hi All, I am tryting to cobble up a resolver that in my understanding returns a principal based on one single piece of id, namely user id. I am trying to modify the existing CredentialsToLdapAttributePrincipalResolver and AbstractLdapPersonDirectoryCredentialsToPrincipalResolver. First things first: Is it an accpeted practice? My modified source files retain all credits to the respective authors, and I am not making money out of them. Right now, it is in such a crude stage that I doubt it will be accepted, but I do plan to share them with the community, if I am successful, and if it is useful. Progressing very slowly, and now I am stuck with this. Trained eyes can probably tell or make a guess based on their experiences. Especially the original authors (Scott Battaglia, Jan Van der Velpen and Marvin S. Addison). Error log: //- Error creating bean with name 'org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver#4f5264db' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanInitializationException: Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null // I changed a method in AbstractLdapPersonDirectoryCredentialsToPrincipalResolver.java to make a Jdbc version: //Method to set the datasource and generate a JdbcTemplate. //@param dataSource the datasource to use. public final void setContextSource(final DataSource dataSource) { this.jdbcTemplate = new JdbcTemplate(dataSource); } Earlier, I had made a name change: /** JdbcTemplate to execute jdbc queries. */ @NotNull private JdbcTemplate jdbcTemplate; Some items from the deployerConfigContext: // userTable userId email userTable userId email ... ... //-- Now, what did I do (or rather, didn't do) to deserve "Bean state is invalid" error? In the original CredentialsToLDAPAttributePrincipalResolver, I changed resolveFromLdap to make "resolveFromJdbc", basically creating a Jdbc connection, executing it and returning a principal. ** I am sorry for a long post and I thank you for taking time to read. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null
Marvin, Thank you for the comments. Unfortunately, I don't know how to implement what you said. Is it like (1) or (2) That is, "ref" or value? And, what goes in "something"? I assumed I can add this line just after below, correct? Can I also do the same for "searchBase - may not be null" error? In that case, what what should I put in "something"? ** I have renamed the setter method for dataSource, and I am learning to user the Maven overlay method. Thanks again for your guidance. --- On Thu, 2012/2/16, Marvin S. Addison wrote: > Error creating bean with name > 'org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver#4f5264db' > defined in > ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Initialization > of bean failed; nested exception is > org.springframework.beans.factory.BeanInitializationException: > Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not > be null Problem is that you didn't set the jdbcTemplate property on that bean in your Spring wiring: > > class="org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver"> > > > class="myorg.cas.PrincipalBearingCredentialsToPrincipalResolver" /> > > > > > > > userTable >userId >email > Hopefully it's clear to you what's missing and what's needed to fix. You might also consider renaming the setter method name to reflect that you're setting a DataSource instead of a ContextSource. I'd strongly recommend you use https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method for managing your custom components if you're not already. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null
Got at least 5 replies.. but then all said they were out of office... :) --- On Sat, 2012/2/18, s4...@yahoo.co.jp wrote: Marvin, Thank you for the comments. Unfortunately, I don't know how to implement what you said. Is it like (1) or (2) That is, "ref" or value? And, what goes in "something"? I assumed I can add this line just after below, correct? Can I also do the same for "searchBase - may not be null" error? In that case, what what should I put in "something"? ** I have renamed the setter method for dataSource, and I am learning to user the Maven overlay method. Thanks again for your guidance. --- On Thu, 2012/2/16, Marvin S. Addison wrote: > Error creating bean with name > 'org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver#4f5264db' > defined in > ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Initialization > of bean failed; nested exception is > org.springframework.beans.factory.BeanInitializationException: > Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not > be null Problem is that you didn't set the jdbcTemplate property on that bean in your Spring wiring: > > class="org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver"> > > > class="myorg.cas.PrincipalBearingCredentialsToPrincipalResolver" /> > > > > > > > userTable >userId >email > Hopefully it's clear to you what's missing and what's needed to fix. You might also consider renaming the setter method name to reflect that you're setting a DataSource instead of a ContextSource. I'd strongly recommend you use https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method for managing your custom components if you're not already. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null
Thank you Misagh. I will try to implement along those lines. --- On Sat, 2012/2/18, Misagh Moayyed wrote: It would be like (1), with the ref value pointing to a separately defined Spring bean that references the JdbcTemplate class. -Misagh From: s4...@yahoo.co.jp [mailto:s4...@yahoo.co.jp] Sent: Friday, February 17, 2012 11:51 AM To: cas-user@lists.jasig.org Subject: Re: [cas-user] Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not be null Got at least 5 replies.. but then all said they were out of office... :) --- On Sat, 2012/2/18, s4...@yahoo.co.jp wrote: Marvin, Thank you for the comments. Unfortunately, I don't know how to implement what you said. Is it like (1) or (2) That is, "ref" or value? And, what goes in "something"? I assumed I can add this line just after below, correct? Can I also do the same for "searchBase - may not be null" error? In that case, what what should I put in "something"? ** I have renamed the setter method for dataSource, and I am learning to user the Maven overlay method. Thanks again for your guidance. --- On Thu, 2012/2/16, Marvin S. Addison wrote: > Error creating bean with name 'org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver#4f5264db' defined in > ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Initialization > of bean failed; nested exception is > org.springframework.beans.factory.BeanInitializationException: > Bean state is invalid: jdbcTemplate - may not be null; searchBase - may not > be null Problem is that you didn't set the jdbcTemplate property on that bean in your Spring wiring: > > class="org.jasig.cas.authentication.principal.CredentialsToJdbcAttributePrincipalResolver"> > > > class="myorg.cas.PrincipalBearingCredentialsToPrincipalResolver" /> > > > > > > > userTable >userId >email > Hopefully it's clear to you what's missing and what's needed to fix. You might also consider renaming the setter method name to reflect that you're setting a DataSource instead of a ContextSource. I'd strongly recommend you use https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method for managing your custom components if you're not already. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: mmoay...@unicon.net To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] parentCAS and childCAS revisited-- One way trust
Hello Everyone! Back from hiatus. Does anybody remember my parent/child CAS, trusting one way and all? Well, a colleague devised something that seems to work for us, for now. A helping hand: We started with a pre-condition that there exists a database at the childCAS side which stores mapping of the users from the two domain (parentCAS and childCAS). How we did it: When someone requests an item that is protected by the childCAS, the childCAS server checks with the parentCAS servers (one by one, coded inside webflow:flow-registry in cas-servlet.xml) whether there exists an SSO session for that user. If it exists, a userID is retrieved and the childCAS adds an identifier parameter, namely, "from which parent" information. Then, we create a principalBearingCredential that has our particular principal which in turn is made up of the userID and the identifier parameter representing the user's home (parent) institution. This part was accomplised by calling a bean "principalFromRemoteAction" inside cas-servlet.xml, using the standard "PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction" class. Now, CAS chooses a resolver (customized one, see the next paragraph) that is "just right" (meaning using the principal from above), and since we have assumed that a user repository exists that has the external user (the one from parentCAS) and his/her institution id mapped to a local account, we are able to retrieve the childCAS's local userID. We cobbled up a principal resolver that is a stripped-down version of the original LDAP version, (my mimicking of CredentialsToLDAPAttributePrincipalResolver by the famous authors did not work, or I should say, I did not have enough experience to create it methodically so that it is presentable to the outside world as a jdbc brethren) and has a plain "Select childCAS_userID from ..." method to create a principal and a "supports" method that returns true if the class in question is the same "principalBearingCredential" from above. A successful remote authentication needs a "true". So far so good and we are happy, but not very happy: Two problems. (1) true logging out from the childCAS is not possible as long as the user is logged in (one of) the parentCASes. As described above, the childCAS checks for a pre-existing SSO session at the parentCAS for that particular user, and if the user has not logged out from the parentCAS, will instantly let him/her in because of the trusting mechanism in place. Can someone offer advice on what could be done? Is there any way to make the parentCAS aware of the situation (that the user has logged out of the childCAS)? Or, may be ..how can I set renew=true dynamically? That is, set the renew flag true when the user clicks logout, but reset to to false initially, etc? (2) If one of the parentCAS is down, our childCAS is stuck there (waits forever, and eventually dies out.) How/where to specify a timeout value, so that if there is no response within a resonable time (5s? 10s?), then forget about that parentCAS and check another parentCAS. If all fail, show a login page. May be other problems as well? Any weakness in this type of implementation? (Apart from the fact that if the parentCAS is compromised, the applications protected by the childCAS will also be compromised.) Sorry for the long post. Thought I owe it to the community, and specially to Marvin, J. Field, Brian Savage, and Andrew, update what has been going on after asking so many questions. Thank you guys. Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] one of the authentication servers is down, and stuck there
Hello All, I cannot get out from the situation when one of my casServerLoginUrl is down. The following bean: http://some.other.server"; /> is called from within web.xml: Parent1_Authentication Filter org.springframework.web.filter.DelegatingFilterProxy targetBeanName p1AuthenticationFilter I wanted to check the behavior when "https:testServer:8443/cas/login" is down. After some time, I got timedout. Elsewhere, I am checking some other casServers (I have been calling them "parentCAS") and if all stakeholders are up and running, and if no SSO is found, a login screen is shown (that's what I want!) , but I get stuck when one of the servers is down. Any comments? Thanks. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] one of the authentication servers is down, and stuck there
Marvin: (1)I have registered 3 webflows in "flowRegistry" in the file cas-servlet.xml, which I "believe" call them one by one. Each webflow tries to check with a parentCAS whether the user has been authenticated or not. .. Inside the "login-webflow-parent1.xml", after some branching off, I end up at the following "end-state": My unresponsive urlString looks just like that: https://parentCAS1:8443/cas/login?service=https%3A%2F%2FchildCAS-server%3A8443%2Fcas%2Flogin_p1&gateway=true When the parentCAS1 is up and running, and when the user has not been authenticated by the parentCAS1, another iteration takes place and this time it is "parentCAS2, ..login_p2.. etc. When the parentCAS1 is down, control is not passed to the caller, it remains with the "end-state". It may well be that my login-webflows are incorrectly implemented. I mean, if there is no point of return from the end-state in case of server down, then I will need to learn to re-write the webflow, right? Or, may be there is yet another view which does the job when "externalRedirect:contextRelative:/login?service=${flowScope.service.id" is alive and kicking, but returns the control to its caller if not. I am learning while trying to answer your questions, so it is helpful. Thank you for your contnued interest. Cheers. --- On Thu, 2012/3/29, Marvin S. Addison wrote: > I cannot get out from the situation when one of my casServerLoginUrl > is down Elsewhere, I am checking some other casServers (I have > been calling them "parentCAS") and if all stakeholders are up and > running, and if no SSO is found, a login screen is shown (that's what > I want!) , but I get stuck when one of the servers is down. Could you clarify what behavior you would like when a CAS server is unavailable? Also, it's not clear whether the problem is related to the specific parent-child CAS architecture you've developed. It would be helpful if you clarified where the cited configuration lives in the context of parent-child CAS if that's what you're talking about. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] one of the authentication servers is down, and stuck there
Marvin, https://issues.jasig.org/browse/CAS-993 talked about hanging authentication. handler. The "hanging" part is similar to my case. https://issues.jasig.org/browse/CAS-994 also talks about "monitoring". But they were no help to me. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin: (1)I have registered 3 webflows in "flowRegistry" in the file cas-servlet.xml, which I "believe" call them one by one. Each webflow tries to check with a parentCAS whether the user has been authenticated or not. .. Inside the "login-webflow-parent1.xml", after some branching off, I end up at the following "end-state": My unresponsive urlString looks just like that: https://parentCAS1:8443/cas/login?service=https%3A%2F%2FchildCAS-server%3A8443%2Fcas%2Flogin_p1&gateway=true When the parentCAS1 is up and running, and when the user has not been authenticated by the parentCAS1, another iteration takes place and this time it is "parentCAS2, ..login_p2.. etc. When the parentCAS1 is down, control is not passed to the caller, it remains with the "end-state". It may well be that my login-webflows are incorrectly implemented. I mean, if there is no point of return from the end-state in case of server down, then I will need to learn to re-write the webflow, right? Or, may be there is yet another view which does the job when "externalRedirect:contextRelative:/login?service=${flowScope.service.id" is alive and kicking, but returns the control to its caller if not. I am learning while trying to answer your questions, so it is helpful. Thank you for your contnued interest. Cheers. --- On Thu, 2012/3/29, Marvin S. Addison wrote: > I cannot get out from the situation when one of my casServerLoginUrl > is down Elsewhere, I am checking some other casServers (I have > been calling them "parentCAS") and if all stakeholders are up and > running, and if no SSO is found, a login screen is shown (that's what > I want!) , but I get stuck when one of the servers is down. Could you clarify what behavior you would like when a CAS server is unavailable? Also, it's not clear whether the problem is related to the specific parent-child CAS architecture you've developed. It would be helpful if you clarified where the cited configuration lives in the context of parent-child CAS if that's what you're talking about. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] FlowExecutionException: Exception thrown in state 'viewLoginForm' of flow 'login'
Hi, For the sake of some comfort (saving time from mvn clean package, and copt the resulting war file to tomcat's webapps folder, etc.), I am trying to use SpringSourceTool (2.8.1), but it is playing trick: Google guru found some entries, I checked some of them. One was in 'top.jsp' file, change page session from 'false' to 'true'. In my top.jso, it was already the case. One other was to make a copy of default_views.properties and rename it default_en.properties. Nope. Can someone see the error? Thanks. // 2012-04-03 02:28:16,086 INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.web.servlet.DispatcherServlet] - org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginForm' of flow 'login' at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:569) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:226) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:662) Caused by: java.lang.IllegalStateException: Exception resolving view with name 'casLoginView' at org.springframework.webflow.mvc.builder.DelegatingFlowViewResolver.resolveView(DelegatingFlowViewResolver.java:55) at org.springframework.webflow.mvc.view.AbstractMvcViewFactory.getView(AbstractMvcViewFactory.java:80) at org.springframework.webflow.engine.State.enter(State.java:194) at org.springframework.webflow.engine.Flow.start(Flow.java:535) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222) ... 37 more Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casSamlServiceSuccessView': Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:965) at org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77) at org.springframework.webflow.mvc.builder.DelegatingFlowViewResolver.resolveView(DelegatingFlowViewResolver.java:50) ... 67 more Caused by: java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:65) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:958) ... 82 more Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLStatement at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1438) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1284) ... 88 more 2012-04-03 02:28:16,101 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test].[cas]] - java.lang.ClassNotFoundException: org.opensaml.SAMLStatement at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1438) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:662) 2012-04-03 02:28:16,101 DEBUG [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test]] - 2012-04-03 02:28:16,117 DEBUG [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test]] - < Path Based Forward> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - /WEB-INF/view/jsp/errors.jsp> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - < ServletPath: /WEB-INF/view/jsp/errors.jsp> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - < PathInfo: null> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - < RealPath: C:\Users\User\Documents\workspace-sts-2.8.1.RELEASE\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\cas-test\WEB-INF\view\jsp\errors.jsp> 2012
Re: [cas-user] FlowExecutionException: Exception thrown in state 'viewLoginForm' of flow 'login'
Just realized that when I "mvn clean package", and copy the resulting war file to tomcat's webapps folder, my cas server works just fine... --- On Tue, 2012/4/3, s4...@yahoo.co.jp wrote: Hi, For the sake of some comfort (saving time from mvn clean package, and copt the resulting war file to tomcat's webapps folder, etc.), I am trying to use SpringSourceTool (2.8.1), but it is playing trick: Google guru found some entries, I checked some of them. One was in 'top.jsp' file, change page session from 'false' to 'true'. In my top.jso, it was already the case. One other was to make a copy of default_views.properties and rename it default_en.properties. Nope. Can someone see the error? Thanks. // 2012-04-03 02:28:16,086 INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - 2012-04-03 02:28:16,086 DEBUG [org.springframework.web.servlet.DispatcherServlet] - org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginForm' of flow 'login' at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:569) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:226) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:662) Caused by: java.lang.IllegalStateException: Exception resolving view with name 'casLoginView' at org.springframework.webflow.mvc.builder.DelegatingFlowViewResolver.resolveView(DelegatingFlowViewResolver.java:55) at org.springframework.webflow.mvc.view.AbstractMvcViewFactory.getView(AbstractMvcViewFactory.java:80) at org.springframework.webflow.engine.State.enter(State.java:194) at org.springframework.webflow.engine.Flow.start(Flow.java:535) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364) at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222) ... 37 more Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casSamlServiceSuccessView': Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:965) at org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77) at org.springframework.webflow.mvc.builder.DelegatingFlowViewResolver.resolveView(DelegatingFlowViewResolver.java:50) ... 67 more Caused by: java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:65) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:958) ... 82 more Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLStatement at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1438) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1284) ... 88 more 2012-04-03 02:28:16,101 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test].[cas]] - java.lang.ClassNotFoundException: org.opensaml.SAMLStatement at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1438) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) at java.lang.Thread.run(Thread.java:662) 2012-04-03 02:28:16,101 DEBUG [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test]] - 2012-04-03 02:28:16,117 DEBUG [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-test]] - < Path Based Forward> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - /WEB-INF/view/jsp/errors.jsp> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - < ServletPath: /WEB-INF/view/jsp/errors.jsp> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.servlet.JspServlet] - < PathInfo: null> 2012-04-03 02:28:16,117 DEBUG [org.apache.jasper.ser
Re: [cas-user] one of the authentication servers is down, and stuck there, trying to get out
Hi All, I want to intercept the spring web flow before it reaches the end-state. Because, when I am at the end-state, and when the authenticating server down, I am stuck there, waiting for the timeout. My requirement is that if one of the servers is down, go to the other one and check, and if that is down as well, then ask the user to get authenticated locally (that is, show a login page) So, I registered two parentCAS server urls in the flow registry.(see previous mail-- also included down below) Now, let's say the first url is inquired, and the control arrives at the end-state. But before that, let's assume I devised a contraption, like: I can write a java class to check whether a server is online or offline, and return "seemsAlive" or "dead"accordingly. My problem is how to short-circuit the the rest of the flow (of the 1st url) and go to the beginning of the 2nd url in case the 1st url is down. Please share some thoughts! Thanks. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin, https://issues.jasig.org/browse/CAS-993 talked about hanging authentication. handler. The "hanging" part is similar to my case. https://issues.jasig.org/browse/CAS-994 also talks about "monitoring". But they were no help to me. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin: (1)I have registered 3 webflows in "flowRegistry" in the file cas-servlet.xml, which I "believe" call them one by one. Each webflow tries to check with a parentCAS whether the user has been authenticated or not. .. Inside the "login-webflow-parent1.xml", after some branching off, I end up at the following "end-state": My unresponsive urlString looks just like that: https://parentCAS1:8443/cas/login?service=https%3A%2F%2FchildCAS-server%3A8443%2Fcas%2Flogin_p1&gateway=true When the parentCAS1 is up and running, and when the user has not been authenticated by the parentCAS1, another iteration takes place and this time it is "parentCAS2, ..login_p2.. etc. When the parentCAS1 is down, control is not passed to the caller, it remains with the "end-state". It may well be that my login-webflows are incorrectly implemented. I mean, if there is no point of return from the end-state in case of server down, then I will need to learn to re-write the webflow, right? Or, may be there is yet another view which does the job when "externalRedirect:contextRelative:/login?service=${flowScope.service.id" is alive and kicking, but returns the control to its caller if not. I am learning while trying to answer your questions, so it is helpful. Thank you for your contnued interest. Cheers. --- On Thu, 2012/3/29, Marvin S. Addison wrote: > I cannot get out from the situation when one of my casServerLoginUrl > is down Elsewhere, I am checking some other casServers (I have > been calling them "parentCAS") and if all stakeholders are up and > running, and if no SSO is found, a login screen is shown (that's what > I want!) , but I get stuck when one of the servers is down. Could you clarify what behavior you would like when a CAS server is unavailable? Also, it's not clear whether the problem is related to the specific parent-child CAS architecture you've developed. It would be helpful if you clarified where the cited configuration lives in the context of parent-child CAS if that's what you're talking about. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] FlowExecutionException: Exception thrown in state 'viewLoginForm' of flow 'login' --solved
Very good hint. Thanks Marvin. --- On Tue, 2012/4/3, Marvin S. Addison wrote: > Caused by: java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement > at > org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:65) > at > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:958) > ... 82 more > > Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLStatement > at > org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1438) > at > org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1284) > ... 88 more You're missing the OpenSAML 1.1b artifact. It's not in Maven Central, but is available in the Jasig repos: http://developer.jasig.org/repo/content/groups/m2-legacy/org/opensaml/opensaml/1.1b/ M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] one of the authentication servers is down, and stuck there, trying to get out --solved (almost!)
Somesh: Thank you for the tip. Yes, it worked. I was able to intercept the web-flow before reaching the end-state. I used java (checkDeadOrAlive) to check whether the server is alive or not. if (HttpURLConnection) url.openConnection().getResponseCode() == 200) { //is alive Now my next move is how to determine "quickly" if the server is not available. It took about 15 seconds, which needs to come down to some acceptable value (may be 5/6/7 seconds?). Cheers. --- On Tue, 2012/4/3, Somesh Kumar wrote: you can create a decision state and based on the result redirect the flow to a different state or end state for eg ~s. On Mon, Apr 2, 2012 at 3:00 PM, wrote: Hi All, I want to intercept the spring web flow before it reaches the end-state. Because, when I am at the end-state, and when the authenticating server down, I am stuck there, waiting for the timeout. My requirement is that if one of the servers is down, go to the other one and check, and if that is down as well, then ask the user to get authenticated locally (that is, show a login page) So, I registered two parentCAS server urls in the flow registry.(see previous mail-- also included down below) Now, let's say the first url is inquired, and the control arrives at the end-state. But before that, let's assume I devised a contraption, like: I can write a java class to check whether a server is online or offline, and return "seemsAlive" or "dead"accordingly. My problem is how to short-circuit the the rest of the flow (of the 1st url) and go to the beginning of the 2nd url in case the 1st url is down. Please share some thoughts! Thanks. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin, https://issues.jasig.org/browse/CAS-993 talked about hanging authentication. handler. The "hanging" part is similar to my case. https://issues.jasig.org/browse/CAS-994 also talks about "monitoring". But they were no help to me. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin: (1)I have registered 3 webflows in "flowRegistry" in the file cas-servlet.xml, which I "believe" call them one by one. Each webflow tries to check with a parentCAS whether the user has been authenticated or not. .. Inside the "login-webflow-parent1.xml", after some branching off, I end up at the following "end-state": My unresponsive urlString looks just like that: https://parentCAS1:8443/cas/login?service=https%3A%2F%2FchildCAS-server%3A8443%2Fcas%2Flogin_p1&gateway=true When the parentCAS1 is up and running, and when the user has not been authenticated by the parentCAS1, another iteration takes place and this time it is "parentCAS2, ..login_p2.. etc. When the parentCAS1 is down, control is not passed to the caller, it remains with the "end-state". It may well be that my login-webflows are incorrectly implemented. I mean, if there is no point of return from the end-state in case of server down, then I will need to learn to re-write the webflow, right? Or, may be there is yet another view which does the job when "externalRedirect:contextRelative:/login?service=${flowScope.service.id" is alive and kicking, but returns the control to its caller if not. I am learning while trying to answer your questions, so it is helpful. Thank you for your contnued interest. Cheers. --- On Thu, 2012/3/29, Marvin S. Addison wrote: > I cannot get out from the situation when one of my casServerLoginUrl > is down Elsewhere, I am checking some other casServers (I have > been calling them "parentCAS") and if all stakeholders are up and > running, and if no SSO is found, a login screen is shown (that's what > I want!) , but I get stuck when one of the servers is down. Could you clarify what behavior you would like when a CAS server is unavailable? Also, it's not clear whether the problem is related to the specific parent-child CAS architecture you've developed. It would be helpful if you clarified where the cited configuration lives in the context of parent-child CAS if that's what you're talking about. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: someshku...@gmail.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed
[cas-user] java.net.URL-- does it support CAS?
I may be able to use setConnectTimeOut method. Next question: Is CAS service supported by java.net.URL? I will google and see after getting some sleep, but in the meantime, if someone knows the answer and volunteers, that would save my day! (I mean night) Thanks. --- On Wed, 2012/4/4, s4...@yahoo.co.jp wrote: Somesh: Thank you for the tip. Yes, it worked. I was able to intercept the web-flow before reaching the end-state. I used java (checkDeadOrAlive) to check whether the server is alive or not. if (HttpURLConnection) url.openConnection().getResponseCode() == 200) { //is alive Now my next move is how to determine "quickly" if the server is not available. It took about 15 seconds, which needs to come down to some acceptable value (may be 5/6/7 seconds?). Cheers. --- On Tue, 2012/4/3, Somesh Kumar wrote: you can create a decision state and based on the result redirect the flow to a different state or end state for eg ~s. On Mon, Apr 2, 2012 at 3:00 PM, wrote: Hi All, I want to intercept the spring web flow before it reaches the end-state. Because, when I am at the end-state, and when the authenticating server down, I am stuck there, waiting for the timeout. My requirement is that if one of the servers is down, go to the other one and check, and if that is down as well, then ask the user to get authenticated locally (that is, show a login page) So, I registered two parentCAS server urls in the flow registry.(see previous mail-- also included down below) Now, let's say the first url is inquired, and the control arrives at the end-state. But before that, let's assume I devised a contraption, like: I can write a java class to check whether a server is online or offline, and return "seemsAlive" or "dead"accordingly. My problem is how to short-circuit the the rest of the flow (of the 1st url) and go to the beginning of the 2nd url in case the 1st url is down. Please share some thoughts! Thanks. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin, https://issues.jasig.org/browse/CAS-993 talked about hanging authentication. handler. The "hanging" part is similar to my case. https://issues.jasig.org/browse/CAS-994 also talks about "monitoring". But they were no help to me. --- On Fri, 2012/3/30, s4...@yahoo.co.jp wrote: Marvin: (1)I have registered 3 webflows in "flowRegistry" in the file cas-servlet.xml, which I "believe" call them one by one. Each webflow tries to check with a parentCAS whether the user has been authenticated or not. .. Inside the "login-webflow-parent1.xml", after some branching off, I end up at the following "end-state": My unresponsive urlString looks just like that: https://parentCAS1:8443/cas/login?service=https%3A%2F%2FchildCAS-server%3A8443%2Fcas%2Flogin_p1&gateway=true When the parentCAS1 is up and running, and when the user has not been authenticated by the parentCAS1, another iteration takes place and this time it is "parentCAS2, ..login_p2.. etc. When the parentCAS1 is down, control is not passed to the caller, it remains with the "end-state". It may well be that my login-webflows are incorrectly implemented. I mean, if there is no point of return from the end-state in case of server down, then I will need to learn to re-write the webflow, right? Or, may be there is yet another view which does the job when "externalRedirect:contextRelative:/login?service=${flowScope.service.id" is alive and kicking, but returns the control to its caller if not. I am learning while trying to answer your questions, so it is helpful. Thank you for your contnued interest. Cheers. --- On Thu, 2012/3/29, Marvin S. Addison wrote: > I cannot get out from the situation when one of my casServerLoginUrl > is down Elsewhere, I am checking some other casServers (I have > been calling them "parentCAS") and if all stakeholders are up and > running, and if no SSO is found, a login screen is shown (that's what > I want!) , but I get stuck when one of the servers is down. Could you clarify what behavior you would like when a CAS server is unavailable? Also, it's not clear whether the problem is related to the specific parent-child CAS architecture you've developed. It would be helpful if you clarified where the cited configuration lives in the context of parent-child CAS if that's what you're talking about. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscr
Re: [cas-user] one of the authentication servers is down, and stuck there, trying to get out --solved
I found a way, thanks to some java folks. In the HttpURLConnection class, there is a method to set timeout Cheers! --- On Wed, 2012/4/4, s4...@yahoo.co.jp wrote: Somesh: Thank you for the tip. Yes, it worked. I was able to intercept the web-flow before reaching the end-state. I used java (checkDeadOrAlive) to check whether the server is alive or not. if (HttpURLConnection) url.openConnection().getResponseCode() == 200) { //is alive Now my next move is how to determine "quickly" if the server is not available. It took about 15 seconds, which needs to come down to some acceptable value (may be 5/6/7 seconds?). Cheers. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] SSOut with a different flavor
Hi all, I want a remote CAS log me out (on the remote CAS server) when I log out from my local CAS. The story is that the remote CAS trusts my local CAS, so I have been successfully authenticated by a remote CAS based on my authenticated status at a home (local) CAS. Now what I want to do is when I log out from my local CAS, in addition to logging me out here, I want to send some message to the trusting remote CAS server to end my authenticated status there. Something like: https://localCAS/logout&https://remoteCAS/logout I thought the following sequence of events: 1. I am logged out successfully from my local CAS 2. A request to log me out is sent to the remote CAS 3. the remote CAS asks my CAS: is he (really) logged out? 4. my CAS server says: user is logged in no more (but does not tell who "user" is) 5. then the remote CAS logs me out Trouble: Some work has been done to get a locally authenticated user trusted by the remote CAS with the help of a convenient user registry on the remote end. A successful authentication at the local CAS provides the remote CAS a username and we used that username and a previously stored "id" to authenticate that user. But in the case of logging out, in #3 above, the remote CAS will NOT receive any username (because the user will have already logged out), so a database search to check authenticity would not be possible. The remoteCAS cannot and should not trust if somebody just says "logout thisUser", right? Can someone give me some pointers? I will read documents (if there are any!), but it would be better to start with something in mind rather than with nothing. Someone may have had similar use case and/or have some idea, even if not fully implemented/explored. I just thought while writing this message: would it be possible to send a remote logout request first, wait for the remote CAS to make inquiries, and wait a few seconds, and proceed to log out from the local server? At least until I hear some comments, I want to search in this direction. Cheers. --o0o-- -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] SSOut with a different flavor
Hi all, I found that org.jasig.cas.web.LogoutController is called when I enter the logout URL (/logout) Here, I want to send the logout command to the remote CAS. But then the remote CAS will probably ask "who is calling" and the local CAS will have to supply my username... As of now I don't know how I can send a command in the form of a URL string inside java. Or should I write that "log me out" request inside the cas-servlet.xml? Is it the right direction? Any pitfalls? I also need to make sure that only the particular user from a particular parentCAS is logged out from the remote CAS, and also only in the case that the user has a valid CAS session with the parentCAS. If the same user has logged in to the remote CAS independently (that is, before logging in to the local/parentCAS), that remote session cannot be logged out from the local/parentCAS. Please share your thoughts. Thanks. --o0o-- --- On Mon, 2012/4/16, s4...@yahoo.co.jp wrote: Hi all, I want a remote CAS log me out (on the remote CAS server) when I log out from my local CAS. The story is that the remote CAS trusts my local CAS, so I have been successfully authenticated by a remote CAS based on my authenticated status at a home (local) CAS. Now what I want to do is when I log out from my local CAS, in addition to logging me out here, I want to send some message to the trusting remote CAS server to end my authenticated status there. Something like: https://localCAS/logout&https://remoteCAS/logout I thought the following sequence of events: 1. I am logged out successfully from my local CAS 2. A request to log me out is sent to the remote CAS 3. the remote CAS asks my CAS: is he (really) logged out? 4. my CAS server says: user is logged in no more (but does not tell who "user" is) 5. then the remote CAS logs me out Trouble: Some work has been done to get a locally authenticated user trusted by the remote CAS with the help of a convenient user registry on the remote end. A successful authentication at the local CAS provides the remote CAS a username and we used that username and a previously stored "id" to authenticate that user. But in the case of logging out, in #3 above, the remote CAS will NOT receive any username (because the user will have already logged out), so a database search to check authenticity would not be possible. The remoteCAS cannot and should not trust if somebody just says "logout thisUser", right? Can someone give me some pointers? I will read documents (if there are any!), but it would be better to start with something in mind rather than with nothing. Someone may have had similar use case and/or have some idea, even if not fully implemented/explored. I just thought while writing this message: would it be possible to send a remote logout request first, wait for the remote CAS to make inquiries, and wait a few seconds, and proceed to log out from the local server? At least until I hear some comments, I want to search in this direction. Cheers. --o0o-- -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] SSOut with a different flavor --> not SSO but SOS :)
Looks like calling the /logout process like: https://remoteCAS/logout won't do the job! Will it? I need to destroy the TGT, cookies, some other things?... associated with the remoteCAS, but stored in the local browser. (This is different set than the ones I have from my localCAS server.. but these ones will be taken care by the LogOutController very nicely without doing anything!) Now this is the code from LogOutController: //--- final String ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request); if (ticketGrantingTicketId != null) { this.centralAuthenticationService .destroyTicketGrantingTicket(ticketGrantingTicketId); this.ticketGrantingTicketCookieGenerator.removeCookie(response); this.warnCookieGenerator.removeCookie(response); } //--- I need to write simiar codes to retrieve and destroy TGT and Cookies which are sent by the remoteCAS. When the TGT and Cookies are sent to the browser by the (remote)CAS, is there any information that I can exploit for this purpose? I will look it myself if only I knew which file is resposible for creating such info in the first place. Scott (Creator of the LogOutController class) /Marvin/other CAS gurus, will you please comment? Thanks! --- On Tue, 2012/4/17, s4...@yahoo.co.jp wrote: Hi all, I found that org.jasig.cas.web.LogoutController is called when I enter the logout URL (/logout) Here, I want to send the logout command to the remote CAS. But then the remote CAS will probably ask "who is calling" and the local CAS will have to supply my username... As of now I don't know how I can send a command in the form of a URL string inside java. Or should I write that "log me out" request inside the cas-servlet.xml? Is it the right direction? Any pitfalls? I also need to make sure that only the particular user from a particular parentCAS is logged out from the remote CAS, and also only in the case that the user has a valid CAS session with the parentCAS. If the same user has logged in to the remote CAS independently (that is, before logging in to the local/parentCAS), that remote session cannot be logged out from the local/parentCAS. Please share your thoughts. Thanks. --o0o-- --- On Mon, 2012/4/16, s4...@yahoo.co.jp wrote: Hi all, I want a remote CAS log me out (on the remote CAS server) when I log out from my local CAS. The story is that the remote CAS trusts my local CAS, so I have been successfully authenticated by a remote CAS based on my authenticated status at a home (local) CAS. Now what I want to do is when I log out from my local CAS, in addition to logging me out here, I want to send some message to the trusting remote CAS server to end my authenticated status there. Something like: https://localCAS/logout&https://remoteCAS/logout I thought the following sequence of events: 1. I am logged out successfully from my local CAS 2. A request to log me out is sent to the remote CAS 3. the remote CAS asks my CAS: is he (really) logged out? 4. my CAS server says: user is logged in no more (but does not tell who "user" is) 5. then the remote CAS logs me out Trouble: Some work has been done to get a locally authenticated user trusted by the remote CAS with the help of a convenient user registry on the remote end. A successful authentication at the local CAS provides the remote CAS a username and we used that username and a previously stored "id" to authenticate that user. But in the case of logging out, in #3 above, the remote CAS will NOT receive any username (because the user will have already logged out), so a database search to check authenticity would not be possible. The remoteCAS cannot and should not trust if somebody just says "logout thisUser", right? Can someone give me some pointers? I will read documents (if there are any!), but it would be better to start with something in mind rather than with nothing. Someone may have had similar use case and/or have some idea, even if not fully implemented/explored. I just thought while writing this message: would it be possible to send a remote logout request first, wait for the remote CAS to make inquiries, and wait a few seconds, and proceed to log out from the local server? At least until I hear some comments, I want to search in this direction. Cheers. --o0o-- -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user-- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To
Re: [cas-user] SSOut with a different flavor --> not SSO but SOS :)
Marvin, I don't understand what do you mean by "agent". And how do I "perform a GET on that resource" (that resource meaning remoteCAS?)? I was thinking may be I can call the remote logout url inside the LogoutController. but then I got confused: how does CAS know which sets of TGT and cookies to remove? My understanding is that there exits one set from the localCAS server, and a second set from the remoteCAS server. I was thinking the flow of events in this order: 1. User logs in to the localCAS 2. user accesses a service protected by the remoteCAS 3. remoteCAS trusts localCAS, so a TGT and cookie are sent to the users browser 4. user does his/her stuff, time to call it a day.. 5. user clicks logout button of localCAS 6. Inside LogoutController class, TGT and cookie from the remoteCAS is found and removed before finding and removing the localCAS server generated cookies. So I am stuck at #5, the first half. Thanks. --- On Wed, 2012/4/18, Marvin S. Addison wrote: > Looks like calling the /logout process like: > https://remoteCAS/logout > > won't do the job! Will it? Depends on the agent that goes there. If your agent is localCAS, then it will not work since it doesn't have the TGT to be invalided; however, everything will work as you hope if the user performs a GET on that resource in his/her browser. M -- You are currently subscribed to cas-user@lists.jasig.org as: s4...@yahoo.co.jp To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user