Well, finally I could achieve what I asked. Thanks to the CAS development team 
for the functionality provided, although I had to merge some blogs, 
how-tos and StackOverflow questions to achieve this. For anyone who would 
like to use the same approach, I wrote my resolution below (please notify me if 
there is any inconvenience; since I am new to CAS my solution may be 
incomplete, but it works for CAS v5.0.5, OpenLDAP and Spring Security):

Firstly, CAS clients need to be updated for CAS protocol version 3 in order to 
receive additional attributes (in my case 'gidNumber'). 
Then adding 
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://....
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=...
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=...
cas.authn.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap.ldapUrl=ldap://:...
cas.authn.attributeRepository.ldap.useSsl=false
cas.authn.attributeRepository.ldap.useStartTls=false
cas.authn.attributeRepository.ldap.connectTimeout=5000
cas.authn.attributeRepository.ldap.baseDn=ou=Users,dc=...
cas.authn.attributeRepository.ldap.userFilter=uid={user}
cas.authn.attributeRepository.ldap.subtreeSearch=true
cas.authn.attributeRepository.ldap.bindDn=cn=admin,dc=....
cas.authn.attributeRepository.ldap.bindCredential=.....
cas.authn.attributeRepository.ldap.minPoolSize=3
cas.authn.attributeRepository.ldap.maxPoolSize=10
cas.authn.attributeRepository.ldap.validateOnCheckout=true
cas.authn.attributeRepository.ldap.validatePeriodically=true
cas.authn.attributeRepository.ldap.validatePeriod=600
cas.authn.attributeRepository.ldap.failFast=true
cas.authn.attributeRepository.ldap.idleTime=500
cas.authn.attributeRepository.ldap.prunePeriod=600
cas.authn.attributeRepository.ldap.blockWaitTime=5000
cas.authn.attributeRepository.attributes.uid=uid
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=commonName
cas.authn.attributeRepository.attributes.gidNumber=groupNumber
cas.authn.attributeRepository.defaultAttributesToRelease=groupNumber,displayName

resolved my problem. 

The Spring Boot side of my application is as follows: 

import javax.servlet.ServletContext;

import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.context.ServletContextAware;

// CasUserDetailsService and LoginAuthenticationFailureHandler are the
// application's own classes (not shown in this post).
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ServletContextAware {

    private final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class);

    private ServletContext servletContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Validates the service ticket that CAS sends back to /login/cas
        http.addFilter(casAuthenticationFilter());
        // Sends unauthenticated requests to the CAS login page
        http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint());
        http.csrf().disable();
        http.authorizeRequests().antMatchers("/....").authenticated();
    }

    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl("https://onculk:6443/cas/login");
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Bean
    public ServiceProperties serviceProperties() {
        // The service URL registered with CAS; tickets are validated against it
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService("https://onculk:2222/login/cas");
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(casUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas30ServiceTicketValidator());
        casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
        return casAuthenticationProvider;
    }

    @Bean
    public CasUserDetailsService casUserDetailsService() {
        return new CasUserDetailsService();
    }

    @Bean
    public Cas30ServiceTicketValidator cas30ServiceTicketValidator() {
        // Protocol 3.0 validator: /p3/serviceValidate returns the released attributes
        return new Cas30ServiceTicketValidator("https://onculk:6443/cas");
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        // casAuthenticationFilter.setAuthenticationSuccessHandler(successHandler());
        casAuthenticationFilter.setAuthenticationFailureHandler(failureHandler());
        return casAuthenticationFilter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    public void setServletContext(ServletContext servletContext) {
        this.servletContext = servletContext;
    }

    @Bean
    LoginAuthenticationFailureHandler failureHandler() {
        final LoginAuthenticationFailureHandler failureHandler = new LoginAuthenticationFailureHandler();
        failureHandler.setDefaultFailureUrl("https://onculk:2222");
        return failureHandler;
    }
}




On Tuesday, 20 June 2017 11:20:52 UTC+3, öncül korkut wrote:
>
> Hi,
> I just started using CAS (v5.0.5), so if this is a silly question, please 
> lead me to the right way.
>
> I created a docker image for openldap (without tls) and added some LDIF 
> files for groups and users (some of them are at the end of this post, in case 
> they are required *).
> I have managed to configure and login from CAS using ldap. After that I 
> also implemented a basic SpringBoot application, configured SSL, and can also 
> login from the spring-boot application (using spring-security-cas). 
> The next thing for me to achieve is to get user groups from CAS (as far as I 
> understood from the docs, this should be achievable) and map them to 
> spring-security constructs (within the spring-boot application). With some 
> googling, I read some posts (e.g. JA-SIG CAS with Ldap attributes | 
> BowerStudios.com <https://bowerstudios.com/node/645>) that show how to 
> code this functionality. 
>
> Isn't it possible to get ldap group membership (or other attributes / 
> links) from configuration and provide them to clients by tokens? 
>
> If I inferred right, it should be possible (since it is possible in the 
> management server, using the 'cas.mgmt.authzAttributes[]' keyword to find out 
> the user privileges in conjunction with cas.mgmt.adminRoles); and (from 
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#ldap-authentication-1
> ) there are some attributes in configuration (such as 
> cas.authn.ldap[0].additionalAttributes 
> or cas.authn.ldap[0].credentialCriteria, for which I could not find any 
> documentation of what those are).
>
> Thanks in advance.
>
> *
> dn: cn=appadmins,ou=Groups,dc=...
> cn: appadmins
> objectClass: top
> objectClass: posixGroup
> gidNumber: 1000
> ---
> dn: cn=appoperators,ou=Groups,dc...
> cn: appoperators
> objectClass: top
> objectClass: posixGroup
> gidNumber: 2000
> ....
> dn: cn=appadmin1,ou=Users,dc=....
> cn: appadmin1
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: appadmin-1
> uid: appadmin1
> uidNumber: 16005
> gidNumber: 1000
> homeDirectory: /home/appadmin1
> loginShell: /bin/bash
> ....
> dn: cn=operator1,ou=Users,dc....
> cn: operator1
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: operator1 
> uid: operator1
> uidNumber: 16003
> gidNumber: 2000
> homeDirectory: /home/operator1
> loginShell: /bin/bash
> ....
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e02b61eb-22f0-4980-be8b-4bb80cf08438%40apereo.org.
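The CasUserDetailsService bean referenced in the Spring configuration above is the application's own class and is not shown in the post. As an added example (not the poster's code), here is one way to write it so that the 'groupNumber' attribute released by CAS (the LDAP gidNumber, per the attributeRepository mapping in the properties) becomes Spring Security roles; the role names and the gidNumber-to-role table are assumptions taken from the LDIF in the original question, and unknown groups fail closed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class CasUserDetailsService
        implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {

    // Attribute name as released by CAS (cas.authn.attributeRepository.attributes.gidNumber=groupNumber)
    private static final String GROUP_ATTRIBUTE = "groupNumber";
    // Assumed mapping, taken from the gidNumber values in the question's LDIF
    private static final Map<String, String> ROLE_BY_GID = new HashMap<>();
    static {
        ROLE_BY_GID.put("1000", "ROLE_ADMIN");     // cn=appadmins
        ROLE_BY_GID.put("2000", "ROLE_OPERATOR");  // cn=appoperators
    }

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) {
        Assertion assertion = token.getAssertion();
        String username = assertion.getPrincipal().getName();
        Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String gid : valuesOf(attributes.get(GROUP_ATTRIBUTE))) {
            String role = ROLE_BY_GID.get(gid);
            if (role != null) authorities.add(new SimpleGrantedAuthority(role));
        }
        if (authorities.isEmpty()) {
            // Fail closed: a CAS-authenticated user with no mapped group gets no session
            throw new UsernameNotFoundException("No mapped group for user " + username);
        }
        // The password is never used; CAS has already authenticated the user
        return new User(username, "N/A", authorities);
    }

    // The CAS client returns a single attribute value as a String and multiple values as a List
    private static List<String> valuesOf(Object value) {
        List<String> out = new ArrayList<>();
        if (value instanceof List) {
            for (Object o : (List<?>) value) out.add(String.valueOf(o).trim());
        } else if (value != null) {
            out.add(String.valueOf(value).trim());
        }
        return out;
    }
}
```

With this in place, @PreAuthorize("hasRole('ADMIN')") on a controller method (enabled by the prePostEnabled flag in the configuration above) is decided by the user's LDAP gidNumber as released in the CAS 3.0 validation response.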