Username/password authentication
Scott Battaglia
scott.battaglia at gmail.com
Mon Dec 3 13:01:16 EST 2007
Did you include the required dependency in the pom file, as detailed at the
top of the LDAP page?
-Scott
On Dec 3, 2007 12:36 PM, Jonathan Hayward http://JonathansCorner.com <
christos.jonathan.hayward at gmail.com> wrote:
> Thank you. I'm having another difficulty; I'm working from the
> instructions at http://www.ja-sig.org/wiki/display/CAS/Examples+to+Configure+CAS
> and http://www.ja-sig.org/wiki/display/CASUM/LDAP :
>
> 17:26:02,589 INFO [STDOUT] 2007-12-03 17:26:02,589 ERROR
> [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/cas-web]]
> - <SafeDispatcherServlet:
> The Spring DispatcherServlet we wrap threw on init.
> But for our having caught this error, the servlet would not have
> initialized.>
> org.springframework.beans.factory.BeanDefinitionStoreException: Error
> registering bean with name 'contextSource' defined in ServletContext
> resource [/WEB-INF/deployerConfigContext.xml]: Bean class
> [org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource] not
> found; nested exception is java.lang.ClassNotFoundException:
> org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
> Caused by:
> java.lang.ClassNotFoundException:
> org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
> [snip]
>
> My current draft of deployerConfigContext.xml reads as below. Do any
> errors jump out?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
> <!--
>     | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>     | all CAS deployers will need to modify.
>     |
>     | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>     | The beans declared in this file are instantiated at context initialization time by the Spring
>     | ContextLoaderListener declared in web.xml. It finds this file because this
>     | file is among those declared in the context parameter "contextConfigLocation".
>     |
>     | By far the most common change you will need to make in this file is to change the last bean
>     | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
>     | one implementing your approach for authenticating usernames and passwords.
>     +-->
> <beans>
>     <!--
>         | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
>         | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
>         | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
>         | implementation and so do not need to change the class of this bean. We include the whole
>         | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
>         | need to change in context.
>         +-->
>     <bean id="authenticationManager"
>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>         <!--
>             | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
>             | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
>             | supports the presented credentials.
>             |
>             | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
>             | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
>             | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
>             | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
>             | using.
>             |
>             | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
>             | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>             | You will need to change this list if you are identifying services by something more or other than their callback URL.
>             +-->
>         <property name="credentialsToPrincipalResolvers">
>             <list>
>                 <!--
>                     | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
>                     | by default and produces SimplePrincipal instances conveying the username from the credentials.
>                     |
>                     | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
>                     | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
>                     | Credentials you are using.
>                     +-->
>                 <bean
>                     class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                 <!--
>                     | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
>                     | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
>                     | SimpleService identified by that callback URL.
>                     |
>                     | If you are representing services by something more or other than an HTTPS URL whereat they are able to
>                     | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
>                     +-->
>                 <bean
>                     class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>             </list>
>         </property>
>
>         <!--
>             | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
>             | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
>             | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
>             | until it finds one that both supports the Credentials presented and succeeds in authenticating.
>             +-->
>         <property name="authenticationHandlers">
>             <list>
>                 <!--
>                     | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>                     | a server side SSL certificate.
>                     +-->
>                 <bean
>                     class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
>
>                 <!--
>                     | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>                     | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>                     | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
>                     | local authentication strategy. You might accomplish this by coding a new such handler and declaring
>                     | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>                     +-->
>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                     <property name="filter" value="sAMAccountName=%u" />
>                     <property name="searchBase" value="[DELETED]" />
>                     <property name="contextSource" ref="contextSource" />
>                     <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
>                 </bean>
>
>             </list>
>         </property>
>     </bean>
>
>     <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>         <property name="anonymousReadOnly" value="false" />
>         <property name="pooled" value="true" />
>         <property name="urls">
>             <list>
>                 <value>ldap://[DELETED]</value>
>             </list>
>         </property>
>         <property name="userName" value="[DELETED]" />
>         <property name="password" value="[DELETED]" />
>         <property name="baseEnvironmentProperties">
>             <map>
>                 <entry>
>                     <key><value>java.naming.security.protocol</value></key>
>                     <value>ssl</value>
>                 </entry>
>                 <entry>
>                     <key><value>java.naming.security.authentication</value></key>
>                     <value>simple</value>
>                 </entry>
>             </map>
>         </property>
>     </bean>
>
> </beans>
>
> On Dec 3, 2007 10:06 AM, Smith, Matt < matt.smith at uconn.edu> wrote:
>
> > I'd recommend either using CAS' LDAP support and doing an LDAP Bind
> > against AD, or using CAS' JAASAuthenticationHandler and a JAAS config
> > for Kerberos similar to the one in the IBM article you referenced.
> > Check out the CAS wiki for more info on both of these.
> >
> > HTH,
> > -Matt
> >
> > On Mon, 2007-12-03 at 09:46 -0600, Jonathan Hayward
> > http://JonathansCorner.com wrote:
> > > I want to get CAS to authenticate against Active Directory
> > > username/password pairs.
> > >
> > > I was looking at Build and Implement a single sign-on solution at
> > > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ; it
> > > seems to describe what I want, but it is from 2003 and I want to work
> > > with current software versions. The author provides a ZIP at
> > > http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/wa-singlesign/KerberosAuthSrc.zip, and
> > > KerberosAuthHandler.java didn't compile. (It implements interface
> > > PasswordHandler, possibly from package edu.yale.its.tp.cas.auth, and I
> > > have been having trouble finding the interface.)
> > >
> > > How should I be going about this? Should I be taking another approach,
> > > or can some details be changed while I use the basic approach at
> > > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ?
> > >
> > > RTFM links would be appreciated; I've been having trouble finding
> > > them.
> > >
> > > --
> > > ++ Jonathan Hayward, jonathan.hayward at pobox.com
> > > ** To see an award-winning website with stories, essays, artwork,
> > > ** games, and a four-dimensional maze, why not visit my home page?
> > > ** All of this is waiting for you at http://JonathansCorner.com
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > --
> > Matt Smith
> > matt.smith at uconn.edu
> > University Information Technology Services (UITS)
> > University of Connecticut
> > PGP Key ID: 0xE9C5244E
> >
>
>
> --
>
> ++ Jonathan Hayward, jonathan.hayward at pobox.com
> ** To see an award-winning website with stories, essays, artwork,
> ** games, and a four-dimensional maze, why not visit my home page?
> ** All of this is waiting for you at http://JonathansCorner.com
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
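
Added example, not part of the original thread: a check for the failure in the quoted log, where a class named in deployerConfigContext.xml is not provided by any deployed jar. The beans file and jar contents below are constructed; on a real deployment pass the paths of the jars under the WAR's WEB-INF/lib, and note that it does not inspect WEB-INF/classes or the container's own classpath.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample: a trimmed-down beans file using the class names from the thread.
SAMPLE_BEANS = """<beans>
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers"><list>
      <bean class=" org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler " />
    </list></property>
  </bean>
  <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource" />
</beans>"""


def bean_classes(beans_xml):
    """Every class named by a <bean class="..."> element, nested beans included."""
    root = ET.fromstring(beans_xml)
    return {b.get("class").strip() for b in root.iter("bean") if b.get("class")}


def classes_in_jars(jars):
    """Dotted names of all .class entries in the given jars (paths or file objects)."""
    found = set()
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            found.update(n[:-6].replace("/", ".")
                         for n in zf.namelist() if n.endswith(".class"))
    return found


def missing_classes(beans_xml, jars):
    """Bean classes that no jar provides: each would fail with ClassNotFoundException."""
    return sorted(bean_classes(beans_xml) - classes_in_jars(jars))


def make_jar(class_names):
    """Constructed stand-in for a jar: empty .class entries in an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name.replace(".", "/") + ".class", b"")
    return buf


if __name__ == "__main__":
    core = make_jar(["org.jasig.cas.authentication.AuthenticationManagerImpl"])
    print(missing_classes(SAMPLE_BEANS, [core]))
```

An empty result means every bean class was found in the jars that were checked.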