CAS - difference between BindLdapAuthenticationHandler and CasAuthenticationHandler
auron
jinslee at gmail.com
Tue Dec 18 13:20:29 EST 2007
Hi Scott -
Thanks for the reply, it has helped me to understand better how CAS works. I
went ahead and removed the CasAuthenticationHandler and kept my
BindLdapAuthenticationHandler. One more question - what is the purpose of
userDetailsService when using LDAP? Is there something significant I should
put in the <userMap> property of userDetailsService?
Thanks again,
Jin
scott_battaglia wrote:
>
> Jin,
>
> What that statement means is that if you have an already existing CAS
> server, you can continue to use that configuration (which includes your
> LDAP configuration). If, on the other hand, you have existing applications
> secured using Acegi (but have never deployed a CAS server before), you can
> utilize the CasAuthenticationHandler, which allows the CAS server to
> understand an Acegi configuration (you would then modify all of your
> application's Acegi configuration to utilize CAS).
>
> CasAuthenticationHandler is an artifact of the Acegi project and has no
> relation to the CAS Server product (which is why you'll see that they are
> not configured similarly).
>
> -Scott
>
> On Dec 17, 2007 12:42 PM, Jin Lee <jinslee at gmail.com> wrote:
>
>> Hi all -
>>
>> I am trying to understand the various AuthenticationHandlers in both CAS
>> and LDAP and was wondering if you guys could give me a hand.
>>
>> I am currently trying to set up CAS with various open source products
>> such as JasperServer, jTrac, and a custom in-house CMS, which all use Acegi
>> as their authorization client. For the most part I have followed the Acegi
>> CAS guide at http://www.acegisecurity.org/guide/springsecurity.html#cas
>>
>> In the guide there is the following excerpt:
>>
>> "If you are already running an existing CAS 3.0 server instance, you will
>> have already established an AuthenticationHandler. If you do not already
>> have an AuthenticationHandler, you might prefer to use Acegi Security
>> CasAuthenticationHandler class. This class delegates through to the
>> standard Acegi Security AuthenticationManager, enabling you to use a
>> security configuration you might already have in place. You do not need
>> to use the CasAuthenticationHandler class on your CAS server if you do not
>> wish. Acegi Security will function as a CAS client successfully
>> irrespective of the AuthenticationHandler you've chosen for your CAS
>> server."
>>
>> I currently have a BindLdapAuthenticationHandler that is authenticating
>> against my LDAP server and everything is running fine on that end, so I
>> am assuming that I do not need the CasAuthenticationHandler. The part that
>> I am confused on is that the CasAuthenticationHandler also requires an
>> authenticationProvider, whereas the BindLdap does not. It seems almost
>> circular. It is difficult to explain so I will also post the
>> deployerConfigContext below. Right now Firefox is giving me a "Firefox
>> has detected that the server is redirecting the request for this address
>> in a way that will never complete." and I believe this is related to it.
>>
>> Here is my xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:p="http://www.springframework.org/schema/p"
>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>>                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>>   <bean id="authenticationManager"
>>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>>     <property name="credentialsToPrincipalResolvers">
>>       <list>
>>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>>       </list>
>>     </property>
>>     <property name="authenticationHandlers">
>>       <list>
>>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>>           <property name="httpClient" ref="httpClient" />
>>         </bean>
>>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>>           <property name="filter" value="sAMAccountName=%u"/>
>>           <property name="searchBase" value="ou=ACPASP-Users,dc=ACPASP,dc=ucsd,dc=edu"/>
>>           <property name="contextSource" ref="contextSource"/>
>>         </bean>
>>
>>         <!-- not sure whether I need this or not - it asks for an
>>              authenticationManager, so do we reference a new acegiAuthManager or the
>>              one we are currently in?
>>         <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
>>           <property name="authenticationManager" ref="acegiAuthenticationManager" />
>>         </bean>
>>         -->
>>       </list>
>>     </property>
>>   </bean>
>>
>>   <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>>     <property name="anonymousReadOnly" value="false" />
>>     <property name="pooled" value="true" />
>>     <property name="urls">
>>       <list>
>>         <value>[deleted]</value>
>>       </list>
>>     </property>
>>     <property name="userName" value="[deleted]"/>
>>     <property name="password" value="[deleted]" />
>>     <property name="baseEnvironmentProperties">
>>       <map>
>>         <!--
>>         <entry>
>>           <key><value>java.naming.security.protocol</value></key>
>>           <value>ssl</value>
>>         </entry>
>>         -->
>>         <entry>
>>           <key><value>java.naming.security.authentication</value></key>
>>           <value>simple</value>
>>         </entry>
>>       </map>
>>     </property>
>>   </bean>
>>
>>   <!--
>>     What do we need userDetailsService for? acegiAuthenticationManager
>>     requires it but what if we only use the BindLdapAuthHandler?
>>   -->
>>   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
>>     <property name="userMap">
>>       <value>
>>         marissa=koala,ROLES_IGNORED_BY_CAS
>>         dianne=emu,ROLES_IGNORED_BY_CAS
>>         scott=wombat,ROLES_IGNORED_BY_CAS
>>         peter=opal,disabled,ROLES_IGNORED_BY_CAS
>>       </value>
>>     </property>
>>   </bean>
>>   <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
>>     <property name="userDetailsService"><ref bean="userDetailsService"/></property>
>>   </bean>
>>
>>   <!--
>>     Bean that defines the attributes that a service may return. This
>>     example uses the Stub/Mock version. A real implementation
>>     may go against a database or LDAP server. The id should remain
>>     "attributeRepository" though.
>>   -->
>>   <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>>     <property name="backingMap">
>>       <map>
>>         <entry key="uid" value="uid" />
>>       </map>
>>     </property>
>>   </bean>
>>
>>   <!--
>>     Sample, in-memory data store for the ServiceRegistry. A real implementation
>>     would probably want to replace this with the JPA-backed ServiceRegistry DAO.
>>     The name of this bean should remain "serviceRegistryDao".
>>   -->
>>   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
>>
>>   <!-- Not sure if we need this or not
>>   <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
>>     <property name="providers">
>>       <list>
>>         <ref bean="daoAuthenticationProvider"/>
>>       </list>
>>     </property>
>>   </bean>
>>   -->
>> </beans>
>>
>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
>>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>