Re: [cas-user] CAS MultipleAuthentication Sources

2014-12-16 Thread John Gasper
Aaron,

I think you'll have to do it: https://www.apereo.org/cas/mailing-lists

John

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 12/15/14 9:12 AM, Owens, Patricia wrote:
> Same here unsubscribe me from this list
>
> From: Aaron [aaron.e...@sungardhe.com]
> Sent: Tuesday, August 12, 2014 10:21 AM
> To: cas-user@lists.jasig.org
> Subject: [cas-user] CAS MultipleAuthentication Sources
>
> Using CAS 3.5.2
>
> I have multiple Authentication Handlers each with their own ContextSource as
> well.
>
> What I would like it to do is this.
>
> UserA exists in ldapA and LdapB, but with different passwords.
>
> The multiple Auth handlers are working fine... If UserA logs in with ldapA
> password it works fine... But if UserA logs in with LdapB password it fails...
>
> I would like it to fall through to the second AuthenticationHandler if the
> password fails. Is there any way to do this at all?
>
> The fall through works... If USERB does not exist in ldapA the authentication
> falls through to LdapB.  The only issue I have is if users exist in both ldap
> servers... I would like it to fall through to the second if the wrong
> password is entered.
>
> Thank you in advance
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> pow...@liberty.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user




RE: [cas-user] CAS MultipleAuthentication Sources

2014-12-15 Thread Owens, Patricia
Same here unsubscribe me from this list

From: Aaron [aaron.e...@sungardhe.com]
Sent: Tuesday, August 12, 2014 10:21 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS MultipleAuthentication Sources

Using CAS 3.5.2

I have multiple Authentication Handlers each with their own ContextSource as 
well.

What I would like it to do is this.

UserA exists in ldapA and LdapB, but with different passwords.

The multiple Auth handlers are working fine... If UserA logs in with ldapA 
password it works fine... But if UserA logs in with LdapB password it fails...


I would like it to fall through to the second AuthenticationHandler if the
password fails. Is there any way to do this at all?

The fall through works... If USERB does not exist in ldapA the authentication 
falls through to LdapB.  The only issue I have is if users exist in both ldap 
servers... I would like it to fall through to the second if the wrong password 
is entered.

Thank you in advance



RE: [cas-user] CAS MultipleAuthentication Sources

2014-08-12 Thread Misagh Moayyed
Don’t think you can unfortunately. At least not without forking the authn 
manager and letting it go through completely.

-Original Message-
From: Aaron [mailto:aaron.e...@sungardhe.com]
Sent: Tuesday, August 12, 2014 9:22 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS MultipleAuthentication Sources

Using CAS 3.5.2

I have multiple Authentication Handlers each with their own ContextSource as 
well.

What I would like it to do is this.

UserA exists in ldapA and LdapB, but with different passwords.

The multiple Auth handlers are working fine... If UserA logs in with ldapA 
password it works fine... But if UserA logs in with LdapB password it 
fails...


I would like it to fall through to the second AuthenticationHandler if the
password fails. Is there any way to do this at all?

The fall through works... If USERB does not exist in ldapA the 
authentication falls through to LdapB.  The only issue I have is if users 
exist in both ldap servers... I would like it to fall through to the second 
if the wrong password is entered.

Thank you in advance


re:[cas-user] CAS MultipleAuthentication Sources

2014-08-12 Thread Aaron
Here is my deployerConfigContext.xml for reference...


<?xml version="1.0" encoding="UTF-8"?>
<!-- \%%templatized-file\%% -->
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:tx="http://www.springframework.org/schema/tx"
   xmlns:p="http://www.springframework.org/schema/p"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
    <!--
    | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean.  We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
    <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!--
        | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
        | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
        | supports the presented credentials.
        |
        | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
        | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
        | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
        | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
        | using.
        |
        | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
        | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
        | You will need to change this list if you are identifying services by something more or other than their callback URL.
        +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                | by default and produces SimplePrincipal instances conveying the username from the credentials.
                |
                | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
                | Credentials you are using.
                +-->

                <!-- <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> -->
                <!--<bean
                    class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver" >
                --><!-- The Principal resolver form the credentials -->
                <!--
                <property name="credentialsToPrincipalResolver">
                    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

                </property>
                --><!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
                <!--


Re: [cas-user] CAS MultipleAuthentication Sources

2014-08-12 Thread John Gasper
Attached is a FastBind handler with the fix applied.

Also attached is an excerpt of a modified BindLdap handler. (sorry don't
have the full thing in front of me.) You'll need to pull the appropriate
version from github and make the change to the exception handler.

In either case, just add the file to src/main/java/[package location]
(net/unicon/cas... in the FastBind case). Then update the
deployerConfig, etc to point to the new package instead of org.jasig.
You may need to add the cas-core as a compile dependency in the pom.xml.
Something like:
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-core</artifactId>
    <version>${cas.version}</version>
    <scope>compile</scope>
</dependency>

On 8/12/14, 10:22 AM, Misagh Moayyed wrote:
> Don’t think you can unfortunately. At least not without forking the authn
> manager and letting it go through completely.
>
> -Original Message-
> From: Aaron [mailto:aaron.e...@sungardhe.com]
> Sent: Tuesday, August 12, 2014 9:22 AM
> To: cas-user@lists.jasig.org
> Subject: [cas-user] CAS MultipleAuthentication Sources
>
> Using CAS 3.5.2
>
> I have multiple Authentication Handlers each with their own ContextSource as
> well.
>
> What I would like it to do is this.
>
> UserA exists in ldapA and LdapB, but with different passwords.
>
> The multiple Auth handlers are working fine... If UserA logs in with ldapA
> password it works fine... But if UserA logs in with LdapB password it
> fails...
>
> I would like it to fall through to the second AuthenticationHandler if the
> password fails. Is there any way to do this at all?
>
> The fall through works... If USERB does not exist in ldapA the
> authentication falls through to LdapB.  The only issue I have is if users
> exist in both ldap servers... I would like it to fall through to the second
> if the wrong password is entered.
>
> Thank you in advance


-- 
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

/*
 * Licensed to Jasig under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
 * Jasig licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package net.unicon.cas.adaptors.ldap;

import javax.naming.directory.DirContext;

import org.jasig.cas.adaptors.ldap.AbstractLdapUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.util.LdapUtils;
import org.springframework.ldap.NamingException;

/**
 * Implementation of an LDAP handler to do a "fast bind." A fast bind skips the
 * normal two step binding process to determine validity by providing before
 * hand the path to the uid.
 *
 * @author John Gasper, Unicon
 * @author Scott Battaglia
 * @version $Revision$ $Date$
 * @since 3.0.3
 */
public class FastBindLdapAuthenticationHandler extends AbstractLdapUsernamePasswordAuthenticationHandler {

    protected final boolean authenticateUsernamePasswordInternal(final UsernamePasswordCredentials credentials) throws AuthenticationException {
        DirContext dirContext = null;
        try {
            final String transformedUsername = getPrincipalNameTransformer().transform(credentials.getUsername());
            final String bindDn = LdapUtils.getFilterWithValues(getFilter(), transformedUsername);
            this.log.debug("Performing LDAP bind with credential: " + bindDn);
            dirContext = this.getContextSource().getContext(bindDn, getPasswordEncoder().encode(credentials.getPassword()));
            return true;
        } catch (final NamingException e) {
            log.info("Failed to authenticate user {} with error {}", credentials.getUsername(), e.getMessage());

            try {
                throw handleLdapError(e);
            } catch(final BadCredentialsAuthenticationException ex) {
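
The behaviour discussed in this thread, as an added example that is not part of any message here and is not CAS code: a small model of a handler chain, showing why a wrong password in the first directory stops the login while an unknown user falls through, and what changes when the first handler reports failure instead of throwing. `ChainDemo`, `Handler`, `BadCredentials` and the directory contents are hypothetical; it assumes a thrown bad-credentials exception ends the attempt and a `false` return lets the next handler run.

```java
import java.util.List;
import java.util.Map;

// Added illustration. Handler, BadCredentials and ChainDemo are hypothetical
// stand-ins, not CAS classes; the directory contents are constructed samples.
public class ChainDemo {
    static class BadCredentials extends Exception {}

    interface Handler {
        boolean authenticate(String user, String password) throws BadCredentials;
    }

    // Models one directory-backed handler. An unknown user yields false.
    // A wrong password throws, or yields false when softFail is set.
    static Handler ldap(Map<String, String> directory, boolean softFail) {
        return (user, password) -> {
            String stored = directory.get(user);
            if (stored == null) return false;
            if (stored.equals(password)) return true;
            if (softFail) return false;
            throw new BadCredentials();
        };
    }

    // Models the manager loop (assumption): the first success wins and an
    // exception aborts the attempt before later handlers are consulted.
    static boolean login(List<Handler> chain, String user, String password) {
        try {
            for (Handler h : chain) {
                if (h.authenticate(user, password)) return true;
            }
        } catch (BadCredentials e) {
            return false;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> ldapA = Map.of("userA", "passA");
        Map<String, String> ldapB = Map.of("userA", "passB", "userB", "passB2");

        List<Handler> strict = List.of(ldap(ldapA, false), ldap(ldapB, false));
        List<Handler> soft = List.of(ldap(ldapA, true), ldap(ldapB, false));

        // userB exists only in ldapB
        System.out.println("strict, userB: " + login(strict, "userB", "passB2"));
        // userA exists in both, ldapB password presented
        System.out.println("strict, userA: " + login(strict, "userA", "passB"));
        System.out.println("soft,   userA: " + login(soft, "userA", "passB"));
        // password valid in neither directory
        System.out.println("soft,   wrong: " + login(soft, "userA", "wrong"));
    }
}
```

In the soft-fail chain every wrong guess for a shared account is tried against both directories, and either directory's password opens the account, so lockout and throttling settings need to be reviewed on both sides.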

Re:[cas-user] CAS MultipleAuthentication Sources

2014-08-12 Thread Aaron
What about using PolicyBasedAuthenticationManager

would this work?  If so does anyone have an example

https://github.com/Jasig/cas/wiki/Configuring-Authentication-Components


Re: [cas-user] CAS MultipleAuthentication Sources

2014-08-12 Thread Dmitriy Kopylenko
Aaron,

that is a v4 component and I do not believe it will work with CAS 3.5.x line.

Best,
Dmitriy.

On Aug 12, 2014, at 2:17 PM, Aaron aaron.e...@sungardhe.com wrote:

> What about using PolicyBasedAuthenticationManager
>
> would this work?  If so does anyone have an example
>
> https://github.com/Jasig/cas/wiki/Configuring-Authentication-Components