CAS Java Client 3.0.0 Install ERROR Report

Scott Battaglia scott.battaglia at gmail.com
Wed May 9 17:50:22 EDT 2007


Uday,

The Assertion class is part of the CAS "domain".  Because of that, it
returns a CAS Principal (which is also part of the CAS domain).  CAS has no
interaction within the Java Security framework (as it doesn't need to).
However, it's trivial to write a filter that does the wrapping of the CAS
Principals into something the HttpServletRequest expects. This has been done
in order to override the Remote User method.  It could easily be done to
have the UserPrincipal return a java.security.Principal.

As for isUserInRole overriding and always returning true, I know that is
something the CAS client would never do.  A user may decide to override that
method and utilize it with our authorization deciders but a CAS client would
never return true for any role.

However, most non-trivial security products do not deal with the
HttpServletRequest's methods.  They are often not expressive enough for an
enterprise security system.  If you are looking for an enterprise security
framework, I would recommend Acegi Security (www.acegisecurity.org) which
has CAS integration.

While the CAS client probably does not have every feature you need, it
should be flexible enough with a rich enough domain to allow you to extend
it however you need.

This is an excellent example of integrating the CAS response with the
HttpServletRequest:
http://developer.ja-sig.org/source/browse/jasigsvn/cas-clients/java-client/trunk/cas-client-core/src/main/java/org/jasig/cas/client/web/filter/HttpServletRequestWrapperFilter.java?r=11729

Thanks
-Scott

On 5/9/07, Uday Kari <ukari at pdc.org> wrote:
>
>  Hmmm…I was thinking maybe we were now able to do some vague equivalent
> of get*User*Principal (i.e. return java.security.Principal).  Not to be.
> The Assertion class has a getPrincipal method which returns a
> org.jasig.cas.authentication.principal.Principal object which does not in
> any way relate to the java.security.Principal interface (or does it?...I
> think it should).
>
>
>
> Actually, instead of doing the above, the CAS client should be able to
> populate the HTTP request (just like it does with request.getRemoteUser())
> so that:
>
>    1. request.getUserPrincipal() will generate an object implementing
>    the java.security.Principal interface (and perhaps more), which is
>    probably possible only if
>    2. request.isUserInRole("role name") is true for perhaps any string
>    (and specific role name if there is some way to build roles awareness into
>    the login)
>
> This will go a long way in compliance with servlet standard…even if B
> would be "pseudo-compliance".  But way out of my league already…
>
> *Scott*:  This is already in the cards with SAML (right?).  Or should I
> open an enhancement request in JIRA?
>
>
>
> Let me know; otherwise I am done with this 3.0.0 and will move on to
> production with Yale client 2.1.1 instead.  Reason: it seems to have much
> less overhead in terms of jars and surgery within WEB-INF (web.xml).
>
>
>
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Uday Kari
> *Sent:* Wednesday, May 09, 2007 10:36 AM
> *To:* Yale CAS mailing list
> *Subject:* RE: CAS Java Client 3.0.0 Install ERROR Report
>
>
>
> <%@ page import="org.jasig.cas.client.validation.Assertion" %>
>
> <%@ page import="org.jasig.cas.client.web.filter.AbstractCasFilter" %>
>
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Uday Kari
> *Sent:* Wednesday, May 09, 2007 10:26 AM
> *To:* Yale CAS mailing list
> *Subject:* RE: CAS Java Client 3.0.0 Install ERROR Report
>
>
>
> Thanks, Scott.  JIRA is done.
>
>
>
> Continuing this 3.0.0 install though, I am at the very last step…
>
>
>
> final Assertion assertion = (Assertion) session.getAttribute(
> AbstractCasFilter.CONST_ASSERTION);
>
>
>
> Perhaps I am the only one who has never heard of a java class called
> "Assertion" and no amount of googling is helping me!  Specifically, in order
> to use this in my jsp, what class do I need to import into my jsp?
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Scott Battaglia
> *Sent:* Wednesday, May 09, 2007 9:36 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS Java Client 3.0.0 Install ERROR Report
>
>
>
> Most servers enforce SSL at the server level (i.e. Apache rewrite rules,
> etc.).
>
> Neither the CAS client from Yale nor JA-SIG requires SSL (whether your
> application needs SSL is a local decision) and will respond accordingly to
> both http and https.  That's why the CAS clients try to best "guess" whether
> you need http or https.
>
> If you need to specify SSL, you can specify the complete service url.
>
> Also, if you submit a JIRA issue I can try and add a feature such that the
> CAS client accepts either (a) service url, (b) host and port, or (c)
> protocol + host + port.  We can attempt to get that in for the 3.1 release.
>
> Thanks
> -Scott
>
> On 5/9/07, *Uday Kari* <ukari at pdc.org> wrote:
>
> Thanks.  Yes, I figured that.  I am no expert in SSL, but I believe that
> is indeed expected application behavior from a common sense user
> perspective.  For instance, go to www.bankofamerica.com or fidelity.com:
> they immediately morph from http to https (everything, including unsecured
> portions of the website, is then served up over SSL).   Unclear if this
> should be enforced by the client…(that is for you to judge)…but the
> "other" CAS client…"Yale?" (*casclient-2.1.1.jar*) certainly seems to
> work that way.
>
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto: cas-bounces at tp.its.yale.edu]
> *On Behalf Of *Scott Battaglia
> *Sent:* Wednesday, May 09, 2007 1:59 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS Java Client 3.0.0 Install ERROR Report
>
>
>
> The CAS clients (both the 2.x and the 3.x version) obtain the http or
> https prefix from the url provided when attempting to access a page.  So if
> you want your application accessed securely you have two options:
>
> 1. provide an exact service url that is https
> 2.  always access your application over https
>
> In your case you accessed the page via http and when the client
> constructed the service url it grabbed "http".
>
> -Scott
>
> On 5/8/07, *Uday Kari* <ukari at pdc.org> wrote:
>
> OK, got past all the below, but still no cigar.  I'll try to explain.
>
> Basically, after SSO login, the returned URL has http instead of https
> in it.
>
> Is this a documentation doo-dah?  Here is my cas-client.properties file:
> cas.server.gateway=false
> cas.server.renew=false
> cas.server.url=https://cas-server:8443/cas/
> cas.server.proxyCallbackUrl=https://cas-server:8443/manager/proxy/Receptor
> cas.client.serverName=client-host:8443
> cas.client.proxyCallbackUrl=https://client-host:8443/test/casProxyReceptor
>
> Everything else is as below.  Specifically, web.xml and
> securityConfiguration.xml same as instructions in the URL, but for the
> mods below.
>
>
> Reproduce steps:
> 1.  Try http://client-host:8080/test/protected/hw.jsp
> 2.  Go to login page.
> 3.  Login as userid=password
> 4.  returned to http://client-host:8443/test/protected/hw.jsp?ticket...
>
> PLEASE NOTE THAT https is missing and adding that "s" to the url above
> makes it work.
>
> What gives?  My brain is fried...any help appreciated...
>
>
>
>
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto: cas-bounces at tp.its.yale.edu]
> On Behalf Of Uday Kari
> Sent: Tuesday, May 08, 2007 4:34 PM
> To: Yale CAS mailing list
> Subject: RE: CAS Java Client 3.0.0 Install ERROR Report
>
> 1.  Contents of securityConfiguration.xml identical to
> http://www.ja-sig.org/products/cas/client/client-java/index.html
>
> 2.  Seems like version mismatch between the illustrative XML in the
> example and the version in CAS Java Client 3.0.0 for the following
> class:
> org.jasig.cas.client.validation.Cas20ProxyTicketValidator
>
> Specifically, the example on the above URL has six (6) constructor
> args in the securityConfiguration.xml and the actual code accepts either
> five (5) or eight (8).  Ugh! Sloppy, sloppy... (I guess that URL needs to
> be updated)...
>
> XML Sample
> -----------
>
> <bean id="ticketValidator"
>       class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
>   <constructor-arg index="0" value="${cas.server.url}"/>
>   <constructor-arg index="1" value="${cas.server.renew}"/>
>   <constructor-arg index="2" ref="httpClient"/>
>   <!--
>
>   ////////////////////////////////////////////////////////
>   //  Looks like we need to comment this bad boy out
>   //
>
>   <constructor-arg index="3">
>    <bean class="org.jasig.cas.authentication.principal.SimpleService">
>      <constructor-arg value="${cas.client.proxyCallbackUrl}"/>
>     </bean>
>   </constructor-arg>
>
>
>   ////////////////////////////////////////////////////////
>   //  And change the following to 3, 4 respectively
>   //
>   -->
>
>   <constructor-arg index="3"><list></list></constructor-arg>
>   <constructor-arg index="4" value="true"/>
> </bean>
>
>
> Code within CAS Java Client 3.0.0
> -----------------------------------
> public Cas20ProxyTicketValidator(final String casServerUrl,
>                                  final boolean renew,
>                                  final HttpClient httpClient,
>                                  List proxyChains,
>                                  boolean acceptAnyProxy)
>
> public Cas20ProxyTicketValidator(final String casServerUrl,
>                                  final boolean renew,
>                                  final HttpClient httpClient,
>                                  final Service proxyCallbackUrl,
>                                  List proxyChains,
>                                  boolean acceptAnyProxy,
>                                  final ProxyGrantingTicketStorage
>                                  proxyGrantingTicketStorage,
>                                  final ProxyRetriever proxyRetriever)
>
>
>
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto: cas-bounces at tp.its.yale.edu]
> On Behalf Of Uday Kari
> Sent: Tuesday, May 08, 2007 3:52 PM
> To: Yale CAS mailing list
> Subject: CAS Java Client 3.0.0 Install ERROR Report
>
> Please note the error below:
>
> Exception sending context initialized event to listener instance of
> class org.springframework.web.context.ContextLoaderListener
>
> org.springframework.beans.factory.BeanCreationException:
> Error creating bean with name 'ticketValidator' defined in
> ServletContext resource [/WEB-INF/securityConfiguration.xml]: 6
> constructor arguments specified but no matching constructor found in
> bean 'ticketValidator'
> (hint: specify index and/or type arguments for simple parameters to
> avoid type ambiguities)...
>
> SORRY: WHAT DID I MISS?  SIMPLE DETAILED REPRODUCTION BELOW
>
>
> 1.  Download apache-tomcat-5.5.23.exe
>     Install as Windows Service on XP machine.
> 2.  Create a new "test" context with the following directory structure
>     under webapps using instructions for contents under WEB-INF
>     from "JA-SIG CAS Client for Java"; URL:
>     http://www.ja-sig.org/products/cas/client/client-java/index.html
>
>     (the hw.jsp just says out.print("Hello World")...
>      but this is irrelevant)
>
>
>
>     test
>      |
>      |__ hw.jsp
>      |
>      |__ protected
>      |       |
>      |       |__ hw.jsp
>      |
>      |__ WEB-INF
>             |
>             |__ cas-client.properties
>             |
>             |__ securityConfiguration.xml
>             |
>             |__ web.xml
>             |
>             |__ lib
>                  |
>                  |__ (drop all jars from cas-client-java-3.0.0.zip...RIGHT?)
>
>
> 3.  Stop Tomcat, Clean Logs, Start Tomcat
> 4.  This is what I see in localhost.2007-05-08.log
>    (all other log files are size zero):
>
> May 8, 2007 3:41:18 PM org.apache.catalina.core.ApplicationContext log
> INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain:
> [org.apache.webapp.balancer.RuleChain :
> [org.apache.webapp.balancer.rules.URLStringMatchRule:
> Target string: News / Redirect URL: http://www.cnn.com],
> [org.apache.webapp.balancer.rules.RequestParameterRule: Target param
> name: paramName / Target param value: paramValue / Redirect URL:
> http://www.yahoo.com],
> [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL:
> http://jakarta.apache.org]]
> May 8, 2007 3:41:19 PM org.apache.catalina.core.ApplicationContext log
> INFO: ContextListener: contextInitialized()
> May 8, 2007 3:41:19 PM org.apache.catalina.core.ApplicationContext log
> INFO: SessionListener: contextInitialized()
> May 8, 2007 3:41:19 PM org.apache.catalina.core.ApplicationContext log
> INFO: ContextListener: contextInitialized()
> May 8, 2007 3:41:19 PM org.apache.catalina.core.ApplicationContext log
> INFO: SessionListener: contextInitialized()
> May 8, 2007 3:41:20 PM org.apache.catalina.core.ApplicationContext log
> INFO: Loading Spring root WebApplicationContext
> May 8, 2007 3:41:21 PM org.apache.catalina.core.StandardContext listenerStart
> SEVERE: Exception sending context initialized event to listener instance
> of class org.springframework.web.context.ContextLoaderListener
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'ticketValidator' defined in ServletContext resource
> [/WEB-INF/securityConfiguration.xml]: 6 constructor arguments specified
> but no matching constructor found in bean 'ticketValidator' (hint:
> specify index and/or type arguments for simple parameters to avoid type
> ambiguities)
>         at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:117)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:683)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:621)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
>         at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:245)
>         at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:141)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:242)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:156)
>         at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:290)
>         at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:348)
>         at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.refresh(AbstractRefreshableWebApplicationContext.java:156)
>         at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
>         at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:184)
>         at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:920)
>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:883)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:448)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:585)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
> May 8, 2007 3:41:21 PM org.apache.catalina.core.ApplicationContext log
> INFO: Closing Spring root WebApplicationContext
>
>
> (END OF ERROR REPORT)
>
>
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
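
Added example, not part of the original message and not the JA-SIG client's own code: a minimal servlet filter along the lines Scott describes, wrapping the CAS assertion so that getRemoteUser() and getUserPrincipal() return the CAS user while isUserInRole() denies any role that was not explicitly granted. It assumes the CAS Principal exposes getId(); the class names CasPrincipalRequestFilter and CasRequest are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.web.filter.AbstractCasFilter;

/** Exposes the CAS assertion through the standard servlet security methods. */
public class CasPrincipalRequestFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create a session here
        Assertion assertion = session == null ? null
                : (Assertion) session.getAttribute(AbstractCasFilter.CONST_ASSERTION);
        if (assertion == null) {
            chain.doFilter(req, res);   // no CAS assertion: leave the request untouched
            return;
        }
        // Assumption: the CAS-domain Principal exposes its identifier via getId().
        final String userId = assertion.getPrincipal().getId();
        // Roles must come from an authorization source you trust; none is wired in,
        // so the set is empty and every isUserInRole() call returns false.
        Set<String> roles = Collections.emptySet();
        chain.doFilter(new CasRequest(http, userId, roles), res);
    }

    /** Request view backed by the validated CAS assertion. */
    static final class CasRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        CasRequest(HttpServletRequest request, final String userId, Set<String> roles) {
            super(request);
            this.roles = roles;
            // Adapter from the CAS user id to java.security.Principal.
            this.principal = new Principal() {
                public String getName() { return userId; }
                public String toString() { return userId; }
            };
        }

        public String getRemoteUser() { return principal.getName(); }

        public Principal getUserPrincipal() { return principal; }

        // Deny by default: a role check succeeds only for a role explicitly granted.
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Map this filter in web.xml after the CAS authentication and ticket validation filters, so the assertion is already in the session when it runs.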