Hi, Good for SLO!
Would you mind enabling *DEBUG* logs on *org.jasig* to see what's going on in your Shiro application regarding SAML?
Thanks.
Best regards,
Jérôme

2014/1/16 Eduardo J. Ortega U [via Shiro User] <[email protected]>

> Just to update, Single Sign Out works, the problem was my Shiro
> application didn't have the signout filters before the rest... I moved
> them up and it's working. However, the attribute retrieval from CAS is
> still failing (when I set up the SAML validation protocol, I always get
> redirected to casFilter.failureUrl). All required JARs are already
> available on the classpath. Any help is greatly appreciated.
>
> Regards,
>
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
> On 16/01/14 11:33, Eduardo J. Ortega U wrote:
>
> > Hi, Jérôme:
> >
> > Thanks for the info on the logout, I will try and report back. About
> > the attributes issue, I tried setting casRealm.validationProtocol =
> > SAML but when I try to access the protected areas, I get redirected to
> > CAS, do login and then I get redirected to my casFilter.failureUrl =
> > /error.jsp instead of my protected page.
> > From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that
> > my application should be submitting a POST request to cas/samlValidate,
> > I did some sniffing with Wireshark and see no such request taking
> > place.
> > Here's my shiro.ini (CAS protected areas are under protected,
> > feel free to ignore filters applying to other sections):
> >
> > [main]
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > cauthc=co.com.sonria.seguridad.FiltroAutenticacion
> > cauthc.loginUrl = /publico/login.jsf
> > cauthc.successUrl = /comun/bienvenido.jsf
> > logout.redirectUrl = /publico/login.jsf
> > cauthc.usernameParam = j_username
> > cauthc.passwordParam = j_password
> > cauthc.failureKeyAttribute = loginFailure
> > casFilter = org.apache.shiro.cas.CasFilter
> > casFilter.failureUrl = /error.jsp
> > casRealm = org.apache.shiro.cas.CasRealm
> > casRealm.defaultRoles = ROLE_USER
> > #casRealm.defaultPermissions
> > #casRealm.roleAttributeNames
> > #casRealm.permissionAttributeNames
> > casRealm.validationProtocol = SAML
> > #casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
> > casRealm.casServerUrlPrefix = http://192.168.88.103:8080/cas-server-webapp/
> > casRealm.casService = http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
> > casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> > securityManager.subjectFactory = $casSubjectFactory
> > #roles.loginUrl = https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
> > roles.loginUrl = http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
> >
> > [users]
> > administrador=administrador,ADMINISTRADOR
> > gerente = gerente,GERENTE
> > profesional = profesional,PROFESIONAL
> > paciente = paciente,PACIENTE
> >
> > [urls]
> > / = authc
> > /publico/login.jsf=cauthc
> > /logout = logout
> > /plantillas/* = cauthc
> > /shiro-cas = casFilter
> > /protected/** = roles[ROLE_USER]
> >
> > Any ideas on what I might be doing wrong that tells my app there is a
> > CAS error instead of posting to the samlValidate URL? Thanks.
> >
> > --
> > Eduardo J. Ortega
> >
> > On 16/01/14 11:18, jleleu wrote:
> >> Hi,
> >>
> >> I'm talking about the CAS SLO: when calling /cas/logout, it should
> >> trigger the destruction of the web session of your Shiro application.
> >> To use SAML, you need to configure SAML on the Shiro application side by
> >> using the *setValidationProtocol* method of the *CasRealm* object
> >> (casRealm.validationProtocol = SAML).
> >> Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
> >> out-of-the-box in the CAS server (https://wiki.jasig.org/display/CASUM/SAML+1.1).
> >> Best regards,
> >> Jérôme
> >>
> >> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
> >>
> >>> Hi, Jérôme:
> >>>
> >>> Thanks for your reply. A couple of questions, though:
> >>>
> >>> - When you say sign out should work, you mean I should call /logout
> >>> from my app and it should log me out of CAS, or I should go to
> >>> cas/logout and that should log me out of my application?
> >>> - How do I go about using the SAML validation? Is this something I
> >>> should set up in Shiro? On CAS? Both? Can you point me to any docs /
> >>> examples?
> >>>
> >>> Thanks,
> >>>
> >>> --
> >>> Eduardo J. Ortega
> >>>
> >>> On 16/01/14 04:18, jleleu wrote:
> >>>
> >>> Hi,
> >>>
> >>> Regarding logout, I can't remember exactly if I did the test or someone
> >>> else, but I think it works. Did you try some debugging in the
> >>> SingleSignOutFilter?
> >>>
> >>> To get the user's attributes, things are a little more complex:
> >>> - you need to retrieve the user's attributes inside the CAS server
> >>> (should be what you did)
> >>> - define that you want to push these attributes for the CAS service
> >>> representing the Shiro application (*allowedAttributes* or
> >>> *ignore* parameter for this CAS service)
> >>> - use the SAML validation
> >>> And then, the user's attributes will be available as the second
> >>> principal:
> >>> https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
> >>>
> >>> Best regards,
> >>> Jérôme
> >>>
> >>> 2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
> >>>
> >>> Hi, all:
> >>>
> >>> We are setting up our first Shiro enabled application with CAS
> >>> authentication. Authentication seems to work fine, however, we have two
> >>> issues:
> >>>
> >>> - We want to have Single Sign Out, so that when a user signs out of
> >>> CAS, he/she is signed out of CAS and therefore all apps.
> >>> Currently, if I logout of the application (using Shiro's logout feature),
> >>> and then try to access one of the protected pages, the browser gets
> >>> redirected to CAS, which in turn validates and redirects to
> >>> http://myhost/myapp/shiro-cas and then /shiro-cas redirects it to the
> >>> requested URL of the application, so effectively the user is logged back
> >>> in the application. Also, if the user logs out of CAS (visiting
> >>> http://myhost/CAS/logout) its CAS session ends but the application
> >>> session remains, so he / she can still access the protected areas.
> >>> I set up the following on myapp web.xml:
> >>>
> >>> <filter>
> >>>   <filter-name>CAS Single Sign Out Filter</filter-name>
> >>>   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
> >>> </filter>
> >>>
> >>> <filter-mapping>
> >>>   <filter-name>CAS Single Sign Out Filter</filter-name>
> >>>   <url-pattern>/*</url-pattern>
> >>> </filter-mapping>
> >>>
> >>> <listener>
> >>>   <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
> >>> </listener>
> >>>
> >>> But it is not working. What am I missing?
> >>>
> >>> - We want to access some of the user attributes from inside our
> >>> application. I set up CAS properties to map the attributes, setting
> >>> this on CAS deployerConfigContext.xml
> >>>
> >>> <bean id="attributeRepository"
> >>>       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> >>>   <property name="contextSource" ref="contextSource" />
> >>>   <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
> >>>   <property name="requireAllQueryAttributes" value="true" />
> >>>   <property name="queryAttributeMapping">
> >>>     <map>
> >>>       <entry key="username" value="uid" />
> >>>     </map>
> >>>   </property>
> >>>   <property name="resultAttributeMapping">
> >>>     <map>
> >>>       <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
> >>>       <entry value="Name" key="displayName" />
> >>>       <entry key="distinguishedName" value="dn" />
> >>>     </map>
> >>>   </property>
> >>> </bean>
> >>>
> >>> And then access them from inside the Shiro application like this:
> >>>
> >>> AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
> >>> Map attributes = principal.getAttributes();
> >>>
> >>> But we get an error saying we cannot cast Request to AttributePrincipal. I
> >>> guess I am missing something here, too.
> >>>
> >>> Any help is greatly appreciated.
> >>>
> >>> --
> >>> Eduardo J. Ortega
> >>>
> >>> --
> >>> View this message in context:
> >>> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
> >>> Sent from the Shiro User mailing list archive at Nabble.com.
> >>
> >>
>
--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579525.html
Sent from the Shiro User mailing list archive at Nabble.com.
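One way to read the released attributes on the Shiro side, added here as an example and not code from the thread or from Shiro itself: the CasRealm line Jérôme links stores the CAS user id as the first principal and the attribute map as the second, so the attributes come from the Subject's PrincipalCollection rather than from a cast of request.getUserPrincipal() (the cast that fails above). It assumes Shiro 1.2.x with casSubjectFactory wired as in the shiro.ini above, SAML validation and attribute release enabled for the CAS service, and uses the "Name" key from the resultAttributeMapping above; CasAttributes is a hypothetical helper class.

```java
// Added example: reading CAS attributes from Shiro's PrincipalCollection.
// Not code from the thread or from Shiro; assumes Shiro 1.2.x CasRealm,
// whose AuthenticationInfo holds [userId, attributesMap] as its principals.
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public final class CasAttributes {
    private CasAttributes() {}

    /** CAS user id (first principal), or null when not authenticated. */
    public static String userId(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        return String.valueOf(principals.getPrimaryPrincipal());
    }

    /**
     * Attributes released by CAS (second principal). Returns an empty map,
     * never a ClassCastException, when the user is not authenticated, when
     * the realm validated with CAS 1.0/2.0 rather than SAML, or when the CAS
     * service was not allowed to release attributes (the map is then absent
     * or empty), so callers can fall back to the user id.
     */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> attributes(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null) {
            return Collections.emptyMap();
        }
        List<?> list = principals.asList(); // [userId, attributesMap]
        if (list.size() < 2 || !(list.get(1) instanceof Map)) {
            return Collections.emptyMap();
        }
        return (Map<String, Object>) list.get(1);
    }

    /** "Name" is the principal-side key from the resultAttributeMapping above. */
    public static String displayName() {
        Subject subject = SecurityUtils.getSubject();
        Object name = attributes(subject).get("Name");
        return name == null ? userId(subject) : name.toString();
    }
}
```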
