Hi, Jérôme:

Thanks for your reply. A couple of questions, though:

* When you say sign out should work, do you mean I should call /logout from my app and it should log me out of CAS, or that I should go to cas/logout and that should log me out of my application?
* How do I go about using the SAML validation? Is this something I should set up in Shiro? On CAS? Both? Can you point me to any docs / examples?

Thanks,

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich CL 72 5 83 Piso 11, Bogotá, CO.

On 16/01/14 04:18, jleleu wrote:
Hi,

Regarding logout, I can't remember exactly if I did the test or someone else, but I think it works. Did you try some debugging in the SingleSignOutFilter?

To get the user's attributes, things are a little more complex:
- you need to retrieve the user's attributes inside the CAS server (should be what you did)
- define that you want to push these attributes for the CAS service representing the Shiro application (*allowedAttributes* or *ignore* parameter for this CAS service)
- use the SAML validation

And then, the user's attributes will be available as the second principal: https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162

Best regards,
Jérôme

2014/1/15 Eduardo J. Ortega U [via Shiro User] <[email protected]>

Hi, all:

We are setting up our first Shiro-enabled application with CAS authentication. Authentication seems to work fine; however, we have two issues:

- We want to have Single Sign-out, so that when a user signs out of CAS, he/she is signed out of CAS and therefore of all apps. Currently, if I log out of the application (using Shiro's logout feature) and then try to access one of the protected pages, the browser gets redirected to CAS, which in turn validates and redirects to http://myhost/myapp/shiro-cas, and then /shiro-cas redirects it to the requested URL of the application, so effectively the user is logged back into the application. Also, if the user logs out of CAS (visiting http://myhost/CAS/logout) its CAS session ends but the application session remains, so he/she can still access the protected areas.

I set up the following in myapp web.xml:

    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

But it is not working. What am I missing?

- We want to access some of the user attributes from inside our application. I set up CAS properties to map the attributes, setting this in CAS deployerConfigContext.xml:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="contextSource" ref="contextSource" />
        <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
        <property name="requireAllQueryAttributes" value="true" />
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="uid" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
                <entry value="Name" key="displayName" />
                <entry key="distinguishedName" value="dn" />
            </map>
        </property>
    </bean>

And then access them from inside the Shiro application like this:

    AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
    Map attributes = principal.getAttributes();

But we get an error saying we cannot cast Request to AttributePrincipal. I guess I am missing something here, too.

Any help is greatly appreciated.

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich CL 72 5 83 Piso 11, Bogotá, CO.
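Added example, not code from this thread or from the Shiro project, showing how the "second principal" Jérôme points at is read from inside a Shiro web application. It assumes the Shiro 1.2.x CasRealm linked above (which stores the CAS user id as the first principal and the released attributes as a Map in the second), that the realm is configured for SAML validation in shiro.ini (`casRealm.validationProtocol = SAML`), and that CAS has been told to release the attributes for this service; the attribute names "Name" and "distinguishedName" come from the poster's resultAttributeMapping. Casting request.getUserPrincipal() to a Jasig AttributePrincipal fails in a Shiro application because Shiro, not the Jasig filter chain, owns the authenticated principal; the Subject is the place to look instead.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Added example (not code from the thread or the Shiro project).
 *
 * Shiro's CasRealm builds a SimplePrincipalCollection with two entries:
 * the CAS user id first, and a Map of the attributes CAS released second.
 * This helper reads both from the current Subject and tolerates the case
 * where CAS released nothing (e.g. validationProtocol still "CAS", or the
 * service entry on the CAS server does not allow the attributes).
 */
public final class CasSubjectAttributes {

    private CasSubjectAttributes() {}

    /** CAS user id (first principal), or null when there is no authenticated subject. */
    public static String userId() {
        Subject subject = SecurityUtils.getSubject();
        Object primary = subject.getPrincipal();
        return primary == null ? null : primary.toString();
    }

    /** Attributes released by CAS (second principal), or an empty map if none were released. */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> attributes() {
        PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();
        if (principals == null) {
            return Collections.emptyMap();
        }
        // oneByType walks the collection and returns the first principal that is a Map:
        // that is the attribute map CasRealm put in the second slot.
        Map<String, Object> attrs = principals.oneByType(Map.class);
        return attrs == null ? Collections.<String, Object>emptyMap() : attrs;
    }

    /** Single attribute as a string, or null if CAS did not release it. */
    public static String attribute(String name) {
        Object value = attributes().get(name);
        return value == null ? null : value.toString();
    }

    /**
     * Usage from a servlet or JSP once the user has come back through /shiro-cas.
     * Attribute names assumed from the poster's resultAttributeMapping.
     */
    public static String describeCurrentUser() {
        String id = userId();
        if (id == null) {
            return "not authenticated";
        }
        String name = attribute("Name");
        String dn = attribute("distinguishedName");
        return id + " (" + (name == null ? "no Name released" : name) + ", "
                + (dn == null ? "no distinguishedName released" : dn) + ")";
    }
}
```

If attributes() comes back empty even though the LDAP lookup on the CAS side works, the two remaining switches are the ones in Jérôme's list: the validation protocol on the Shiro realm and the per-service attribute release on the CAS server. Checking the map size, rather than casting and catching a ClassCastException, makes the missing-release case show up as an empty result instead of a 500.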
--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
Sent from the Shiro User mailing list archive at Nabble.com.
