Username/password authentication
Jonathan Hayward http://JonathansCorner.com
christos.jonathan.hayward at gmail.com
Mon Dec 3 12:36:15 EST 2007
Thank you. I'm having another difficulty; I'm working from the instructions
at http://www.ja-sig.org/wiki/display/CAS/Examples+to+Configure+CAS and
http://www.ja-sig.org/wiki/display/CASUM/LDAP :
17:26:02,589 INFO [STDOUT] 2007-12-03 17:26:02,589 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/cas-web]] - <SafeDispatcherServlet: The Spring DispatcherServlet we wrap threw on init. But for our having caught this error, the servlet would not have initialized.>
org.springframework.beans.factory.BeanDefinitionStoreException: Error registering bean with name 'contextSource' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Bean class [org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource] not found; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
Caused by: java.lang.ClassNotFoundException: org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
[snip]
My current draft of deployerConfigContext.xml reads as below. Do any errors
jump out?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans>
  <!--
  | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
  | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
  | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
  | implementation and so do not need to change the class of this bean. We include the whole
  | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
  | need to change in context.
  +-->
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <!--
    | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
    | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
    | supports the presented credentials.
    |
    | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
    | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
    | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
    | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
    | using.
    |
    | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
    | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
    | You will need to change this list if you are identifying services by something more or other than their callback URL.
    +-->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!--
        | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
        | by default and produces SimplePrincipal instances conveying the username from the credentials.
        |
        | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
        | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
        | Credentials you are using.
        +-->
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <!--
        | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
        | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
        | SimpleService identified by that callback URL.
        |
        | If you are representing services by something more or other than an HTTPS URL whereat they are able to
        | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
        +-->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <!--
    | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
    | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
    | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
    | until it finds one that both supports the Credentials presented and succeeds in authenticating.
    +-->
    <property name="authenticationHandlers">
      <list>
        <!--
        | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
        | a server side SSL certificate.
        +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
        <!--
        | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
        | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
        | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
        | local authentication strategy. You might accomplish this by coding a new such handler and declaring
        | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
        +-->
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="sAMAccountName=%u" />
          <property name="searchBase" value="[DELETED]" />
          <property name="contextSource" ref="contextSource" />
          <!-- fix because of how AD returns results -->
          <property name="ignorePartialResultException" value="yes" />
        </bean>
      </list>
    </property>
  </bean>
  <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="anonymousReadOnly" value="false" />
    <property name="pooled" value="true" />
    <property name="urls">
      <list>
        <value>ldap://[DELETED]</value>
      </list>
    </property>
    <property name="userName" value="[DELETED]" />
    <property name="password" value="[DELETED]" />
    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key><value>java.naming.security.protocol</value></key>
          <value>ssl</value>
        </entry>
        <entry>
          <key><value>java.naming.security.authentication</value></key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>
</beans>
On Dec 3, 2007 10:06 AM, Smith, Matt <matt.smith at uconn.edu> wrote:
> I'd recommend either using CAS' LDAP support and doing an LDAP Bind
> against AD, or using CAS' JAASAuthenticationHandler and a JAAS config
> for Kerberos similar to the one in the IBM article you referenced.
> Check out the CAS wiki for more info on both of these.
>
> HTH,
> -Matt
>
> On Mon, 2007-12-03 at 09:46 -0600, Jonathan Hayward
> http://JonathansCorner.com wrote:
> > I want to get CAS to authenticate against Active Directory
> > username/password pairs.
> >
> > I was looking at Build and Implement a single sign-on solution at
> > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ; it
> > seems to describe what I want, but it is from 2003 and I want to work
> > with current software versions. The author provides a ZIP at
> >
> > http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/wa-singlesign/KerberosAuthSrc.zip, and
> > KerberosAuthHandler.java didn't compile. (It implements interface
> > PasswordHandler, possibly from package edu.yale.its.tp.cas.auth , and I
> > have been having trouble finding the interface.)
> >
> > How should I be going about this? Should I be taking another approach,
> > or can some details be changed while I use the basic approach at
> > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ?
> >
> > RTFM links would be appreciated; I've been having trouble finding
> > them.
> >
> > --
> > ++ Jonathan Hayward, jonathan.hayward at pobox.com
> > ** To see an award-winning website with stories, essays, artwork,
> > ** games, and a four-dimensional maze, why not visit my home page?
> > ** All of this is waiting for you at http://JonathansCorner.com
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> --
> Matt Smith
> matt.smith at uconn.edu
> University Information Technology Services (UITS)
> University of Connecticut
> PGP Key ID: 0xE9C5244E
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
++ Jonathan Hayward, jonathan.hayward at pobox.com
** To see an award-winning website with stories, essays, artwork,
** games, and a four-dimensional maze, why not visit my home page?
** All of this is waiting for you at http://JonathansCorner.com
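The BindLdapAuthenticationHandler wiring in the message above performs a two-step login: it searches for the user under searchBase with the filter (the service account from contextSource does the searching), then binds as the entry it found with the password the user typed. The following is an added example, not code from this thread and not CAS's own implementation, that walks through that flow against a constructed in-memory directory so it runs offline. SEARCH_BASE, the entry DNs and the passwords are assumptions standing in for the [DELETED] values in the post. It shows the two checks a deployer wants around such a handler: the %u value is escaped per RFC 4515 so it can only match a username literally, and an empty password is refused before the bind, because a simple bind with a DN and an empty password is an unauthenticated bind that some directories (Active Directory by default) report as success.

```python
# Added example (not part of the thread, not CAS code): search-then-bind
# authentication as configured by BindLdapAuthenticationHandler, run against
# a constructed in-memory directory.
from dataclasses import dataclass

# Assumed values standing in for the [DELETED] ones in the posted config.
SEARCH_BASE = "ou=people,dc=example,dc=org"
FILTER_TEMPLATE = "sAMAccountName=%u"   # same template as the posted config


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template: str, username: str) -> str:
    """Substitute the username for %u, escaped so it can only match literally."""
    return template.replace("%u", escape_filter_value(username))


def _unescape(value: str) -> str:
    """Reverse RFC 4515 escaping, as a directory server does before comparing."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


@dataclass
class FakeDirectory:
    """Constructed stand-in for an AD/LDAP server: DN -> (attributes, password)."""
    entries: dict

    def search(self, base: str, ldap_filter: str) -> list:
        # Demo server: understands only the "attribute=value" equality filter form.
        attr, _, raw = ldap_filter.partition("=")
        wanted = _unescape(raw)
        return [dn for dn, (attrs, _pw) in self.entries.items()
                if dn.lower().endswith(base.lower()) and attrs.get(attr) == wanted]

    def bind(self, dn: str, password: str) -> bool:
        # Mimics servers that accept an unauthenticated bind (RFC 4513 section 5.1.2):
        # a known DN with an EMPTY password "succeeds" without proving anything.
        if dn not in self.entries:
            return False
        return password == "" or self.entries[dn][1] == password


def authenticate(directory, username: str, password: str,
                 search_base: str = SEARCH_BASE,
                 filter_template: str = FILTER_TEMPLATE) -> bool:
    """Search for the user as the service account, then bind as the found DN."""
    # Refuse empty passwords before touching the server (unauthenticated-bind trap).
    if not password:
        return False
    ldap_filter = build_filter(filter_template, username)
    matches = directory.search(search_base, ldap_filter)
    # Exactly one entry must match: zero means unknown user, more is ambiguous.
    if len(matches) != 1:
        return False
    return directory.bind(matches[0], password)


# Constructed sample directory (hypothetical accounts and passwords).
DEMO_DIRECTORY = FakeDirectory({
    "cn=Jane Doe,ou=people,dc=example,dc=org": ({"sAMAccountName": "jdoe"}, "correct horse"),
    "cn=Sam Roe,ou=people,dc=example,dc=org": ({"sAMAccountName": "sroe"}, "battery staple"),
})

if __name__ == "__main__":
    print(build_filter(FILTER_TEMPLATE, "jdoe"))
    print(authenticate(DEMO_DIRECTORY, "jdoe", "correct horse"))
    print(authenticate(DEMO_DIRECTORY, "jdoe", ""))
```

The FakeDirectory.bind method deliberately returns True for an empty password so the example shows why authenticate() must refuse empty passwords itself rather than trust the bind result; a real deployment gets the same protection by rejecting blank passwords at the login form or in the handler, and by disabling unauthenticated binds on the directory where the server supports it.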