Username/password authentication
Jonathan Hayward http://JonathansCorner.com
christos.jonathan.hayward at gmail.com
Mon Dec 3 15:00:59 EST 2007
One other question:
If I'm supposed to be building CAS, how should I be building it? The only
build.xml I found was cas-server-webapp/src/test/webtest/build.xml . Have I
checked out something other than what I should have been working off of?
On Dec 3, 2007 1:34 PM, Jonathan Hayward http://JonathansCorner.com <
christos.jonathan.hayward at gmail.com> wrote:
>
> On Dec 3, 2007 12:01 PM, Scott Battaglia <scott.battaglia at gmail.com>
> wrote:
>
> > Did you include the required dependency in the pom file, as detailed at
> > the top of the LDAP page?
> >
>
> "In the pom.xml file for your CAS webapp (the default is ${project.home}/cas-server-webapp/pom.xml)
> add the following dependency:"
>
> I looked and the only cas-server-webapp/pom.xml on my machine is from my
> SVN checkout as CAS; I haven't found a "pom.xml file for my CAS webapp"
> anywhere associated with my installation.
>
> Should I be copying the modified pom.xml (presently at the location above)
> to someplace that does not yet have any pom.xml file? The only
> cas-server-webapp directory I have is with the SVN source checkout.
>
>
> >
> > -Scott
> >
> >
> > On Dec 3, 2007 12:36 PM, Jonathan Hayward http://JonathansCorner.com <
> > christos.jonathan.hayward at gmail.com> wrote:
> >
> > > Thank you. I'm having another difficulty; I'm working from the
> > > instructions at http://www.ja-sig.org/wiki/display/CAS/Examples+to+Configure+CAS
> > > and http://www.ja-sig.org/wiki/display/CASUM/LDAP :
> > >
> > > 17:26:02,589 INFO [STDOUT] 2007-12-03 17:26:02,589 ERROR [
> > > org.apache.catalina.core.ContainerBase .[jboss.web].[localhost].[/cas-web]]
> > > - <SafeDispatcherServlet:
> > > The Spring DispatcherServlet we wrap threw on init.
> > > But for our having caught this error, the servlet would not have
> > > initialized.>
> > > org.springframework.beans.factory.BeanDefinitionStoreException : Error
> > > registering bean with name 'contextSource' defined in ServletContext
> > > resource [/WEB-INF/deployerConfigContext.xml]: Bean class
> > > [org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource] not
> > > found; nested exception is
> > > java.lang.ClassNotFoundException:
> > > org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
> > > Caused by:
> > > java.lang.ClassNotFoundException:
> > > org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource
> > > [snip]
> > >
> > > My current draft of deployerConfigContext.xml reads as below. Do any
> > > errors jump out?
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
> > > <!--
> > >     | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
> > >     | all CAS deployers will need to modify.
> > >     |
> > >     | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
> > >     | The beans declared in this file are instantiated at context initialization time by the Spring
> > >     | ContextLoaderListener declared in web.xml. It finds this file because this
> > >     | file is among those declared in the context parameter "contextConfigLocation".
> > >     |
> > >     | By far the most common change you will need to make in this file is to change the last bean
> > >     | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
> > >     | one implementing your approach for authenticating usernames and passwords.
> > >     +-->
> > > <beans>
> > >     <!--
> > >         | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
> > >         | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
> > >         | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
> > >         | implementation and so do not need to change the class of this bean. We include the whole
> > >         | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
> > >         | need to change in context.
> > >         +-->
> > >     <bean id="authenticationManager"
> > >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > >         <!--
> > >             | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
> > >             | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
> > >             | supports the presented credentials.
> > >             |
> > >             | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
> > >             | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
> > >             | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
> > >             | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
> > >             | using.
> > >             |
> > >             | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
> > >             | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> > >             | You will need to change this list if you are identifying services by something more or other than their callback URL.
> > >             +-->
> > >         <property name="credentialsToPrincipalResolvers">
> > >             <list>
> > >                 <!--
> > >                     | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
> > >                     | by default and produces SimplePrincipal instances conveying the username from the credentials.
> > >                     |
> > >                     | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
> > >                     | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
> > >                     | Credentials you are using.
> > >                     +-->
> > >                 <bean
> > >                     class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > >                 <!--
> > >                     | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
> > >                     | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
> > >                     | SimpleService identified by that callback URL.
> > >                     |
> > >                     | If you are representing services by something more or other than an HTTPS URL whereat they are able to
> > >                     | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
> > >                     +-->
> > >                 <bean
> > >                     class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > >             </list>
> > >         </property>
> > >
> > >         <!--
> > >             | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
> > >             | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
> > >             | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
> > >             | until it finds one that both supports the Credentials presented and succeeds in authenticating.
> > >             +-->
> > >         <property name="authenticationHandlers">
> > >             <list>
> > >                 <!--
> > >                     | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> > >                     | a server side SSL certificate.
> > >                     +-->
> > >                 <bean
> > >                     class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
> > >
> > >                 <!--
> > >                     | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> > >                     | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> > >                     | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
> > >                     | local authentication strategy. You might accomplish this by coding a new such handler and declaring
> > >                     | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> > >                     +-->
> > >                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > >                     <property name="filter" value="sAMAccountName=%u" />
> > >                     <property name="searchBase" value="[DELETED]" />
> > >                     <property name="contextSource" ref="contextSource" />
> > >                     <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
> > >                 </bean>
> > >             </list>
> > >         </property>
> > >     </bean>
> > >
> > >     <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > >         <property name="anonymousReadOnly" value="false" />
> > >         <property name="pooled" value="true" />
> > >         <property name="urls">
> > >             <list>
> > >                 <value>ldap://[DELETED]</value>
> > >             </list>
> > >         </property>
> > >         <property name="userName" value="[DELETED]" />
> > >         <property name="password" value="[DELETED]" />
> > >         <property name="baseEnvironmentProperties">
> > >             <map>
> > >                 <entry>
> > >                     <key><value>java.naming.security.protocol</value></key>
> > >                     <value>ssl</value>
> > >                 </entry>
> > >                 <entry>
> > >                     <key><value>java.naming.security.authentication</value></key>
> > >                     <value>simple</value>
> > >                 </entry>
> > >             </map>
> > >         </property>
> > >     </bean>
> > >
> > > </beans>
> > >
> > > On Dec 3, 2007 10:06 AM, Smith, Matt < matt.smith at uconn.edu> wrote:
> > >
> > > > I'd recommend either using CAS' LDAP support and doing an LDAP Bind
> > > > against AD, or using CAS' JAASAuthenticationHandler and a JAAS config
> > > > for Kerberos similar to the one in the IBM article you referenced.
> > > > Check out the CAS wiki for more info on both of these.
> > > >
> > > > HTH,
> > > > -Matt
> > > >
> > > > On Mon, 2007-12-03 at 09:46 -0600, Jonathan Hayward
> > > > http://JonathansCorner.com wrote:
> > > > > I want to get CAS to authenticate against Active Directory
> > > > > username/password pairs.
> > > > >
> > > > > I was looking at Build and Implement a single sign-on solution at
> > > > > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ; it
> > > > > seems to describe what I want, but it is from 2003 and I want to work
> > > > > with current software versions. The author provides a ZIP at
> > > > > http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/wa-singlesign/KerberosAuthSrc.zip, and
> > > > > KerberosAuthHandler.java didn't compile. (It implements interface
> > > > > PasswordHandler, possibly from package edu.yale.its.tp.cas.auth ,
> > > > > and I have been having trouble finding the interface.)
> > > > >
> > > > > How should I be going about this? Should I be taking another approach,
> > > > > or can some details be changed while I use the basic approach at
> > > > > http://www.ibm.com/developerworks/web/library/wa-singlesign/ ?
> > > > >
> > > > > RTFM links would be appreciated; I've been having trouble finding
> > > > > them.
> > > > >
> > > > > --
> > > > > ++ Jonathan Hayward, jonathan.hayward at pobox.com
> > > > > ** To see an award-winning website with stories, essays, artwork,
> > > > > ** games, and a four-dimensional maze, why not visit my home page?
> > > > > ** All of this is waiting for you at http://JonathansCorner.com
> > > > > _______________________________________________
> > > > > Yale CAS mailing list
> > > > > cas at tp.its.yale.edu
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > --
> > > > Matt Smith
> > > > matt.smith at uconn.edu
> > > > University Information Technology Services (UITS)
> > > > University of Connecticut
> > > > PGP Key ID: 0xE9C5244E
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > >
> > > ++ Jonathan Hayward, jonathan.hayward at pobox.com
> > > ** To see an award-winning website with stories, essays, artwork,
> > > ** games, and a four-dimensional maze, why not visit my home page?
> > > ** All of this is waiting for you at http://JonathansCorner.com
> > >
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
>
>
> --
> ++ Jonathan Hayward, jonathan.hayward at pobox.com
> ** To see an award-winning website with stories, essays, artwork,
> ** games, and a four-dimensional maze, why not visit my home page?
> ** All of this is waiting for you at http://JonathansCorner.com
>
--
++ Jonathan Hayward, jonathan.hayward at pobox.com
** To see an award-winning website with stories, essays, artwork,
** games, and a four-dimensional maze, why not visit my home page?
** All of this is waiting for you at http://JonathansCorner.com
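
The ClassNotFoundException quoted in this thread means the deployed web application names a bean class in deployerConfigContext.xml that none of its bundled jars provide. The script below is an added example, not part of the original thread or of CAS itself; it lists such classes for a WAR before deployment, assuming the standard WEB-INF/lib and WEB-INF/classes layout, and the jar names and the in-memory WAR are constructed sample input.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

CONTEXT = "WEB-INF/deployerConfigContext.xml"

def bean_classes(context_xml):
    """Class names of all <bean> elements, stripped of wrap-induced whitespace."""
    root = ET.fromstring(context_xml)
    return sorted({el.get("class").strip() for el in root.iter()
                   if el.tag.rsplit("}", 1)[-1] == "bean" and el.get("class")})

def _class_names(entries, prefix=""):
    """Turn archive entries like a/b/C.class into dotted class names a.b.C."""
    return {n[len(prefix):-len(".class")].replace("/", ".")
            for n in entries if n.startswith(prefix) and n.endswith(".class")}

def missing_bean_classes(war_bytes):
    """Bean classes the context file names but the WAR does not ship."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        present = _class_names(war.namelist(), "WEB-INF/classes/")
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    present |= _class_names(jar.namelist())
        return [c for c in bean_classes(war.read(CONTEXT)) if c not in present]

# --- constructed sample input: a tiny in-memory WAR, not a real CAS build ---
SAMPLE_XML = b"""<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
  "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"/>
  <bean id="contextSource" class="
        org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource"/>
</beans>"""

def _zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def sample_war(with_ldap_jar):
    core = "org/jasig/cas/authentication/AuthenticationManagerImpl.class"
    ldap = "org/jasig/cas/adaptors/ldap/util/AuthenticatedLdapContextSource.class"
    files = {CONTEXT: SAMPLE_XML, "WEB-INF/lib/core-sample.jar": _zip({core: b""})}
    if with_ldap_jar:
        files["WEB-INF/lib/ldap-sample.jar"] = _zip({ldap: b""})
    return _zip(files)
```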