Spnego question

Strumyla, Marius MStrumyla at Accordant.net
Fri Dec 5 12:07:22 EST 2008


Here's a patch that I use to enable NTLM. The patch is against CAS 3.3.
Hope this helps.
--
 i5mast

diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/pom.xml
cas-server-3.3-ntlm/cas-server-webapp/pom.xml
--- cas-server-3.3/cas-server-webapp/pom.xml	2008-08-14
10:39:56.000000000 -0400
+++ cas-server-3.3-ntlm/cas-server-webapp/pom.xml	2008-10-22
17:57:25.914613000 -0400
@@ -109,6 +109,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+
<artifactId>cas-server-support-spnego</artifactId>
+			<version>${project.version}</version>
+		</dependency>
   </dependencies>
   <build>
 		<plugins>
diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/cas-servle
t.xml
---
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml
2008-08-14 10:39:56.000000000 -0400
+++
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/cas-servle
t.xml	2008-10-23 18:40:10.916380000 -0400
@@ -232,4 +232,13 @@
 	<bean id="manageRegisteredServicesMultiActionController"
class="org.jasig.cas.services.web.ManageRegisteredServicesMultiActionCon
troller">
 		<constructor-arg index="0" ref="servicesManager" />
 	</bean>
+
+	<bean id="negociateSpnego"
class="org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsA
ction">
+		<property name="ntlm" value="true"/>
+	</bean>
+
+	<bean id="spnego"
class="org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction"
+
p:centralAuthenticationService-ref="centralAuthenticationService">
+		<property name="ntlm" value="true"/>
+	</bean>
 </beans>
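Review bot: The `p:centralAuthenticationService-ref` shorthand on the `spnego` bean only resolves if `xmlns:p="http://www.springframework.org/schema/p"` is declared on the `<beans>` root, which lies outside this hunk; worth confirming it is already present in cas-servlet.xml, otherwise the context fails to load on an unbound prefix. Both beans set `ntlm` to `true`, which presumably switches the challenge from Negotiate to NTLM, and that choice should be stated where it is made, e.g. `<!-- ntlm=true: issue an NTLM (not Negotiate/Kerberos) challenge; keep in step with NTLMallowed on the JCIFS handler -->`. The id `negociateSpnego` mirrors the spelling of the action class, so it is consistent as written.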
diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/classes/log4j.p
roperties
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/classes/lo
g4j.properties
---
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/classes/log4j.p
roperties	2008-08-14 10:39:56.000000000 -0400
+++
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/classes/lo
g4j.properties	2008-10-23 11:44:31.176545000 -0400
@@ -7,7 +7,7 @@
 log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n
 
 log4j.appender.logfile=org.apache.log4j.RollingFileAppender
-log4j.appender.logfile.File=cas.log
+log4j.appender.logfile.File=${catalina.base}/logs/cas.log
 log4j.appender.logfile.MaxFileSize=512KB
 # Keep three backup files.
 log4j.appender.logfile.MaxBackupIndex=3
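Review bot: The new log path relies on the `catalina.base` system property, which only Tomcat sets, so the patched log4j.properties is no longer container-neutral; if the property is absent I believe log4j 1.x substitutes an empty string and the appender would try to open `/logs/cas.log`. A one-line comment above the setting, `# ${catalina.base} is set by Tomcat; other containers need an explicit path here`, makes that assumption visible to the next deployer.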
diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigC
ontext.xml
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/deployerCo
nfigContext.xml
---
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigC
ontext.xml	2008-08-14 10:39:56.000000000 -0400
+++
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/deployerCo
nfigContext.xml	2008-10-23 18:23:46.028527000 -0400
@@ -43,6 +43,9 @@
 			+-->
 		<property name="credentialsToPrincipalResolvers">
 			<list>
+                <bean
+
class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCrede
ntialsToPrincipalResolver" />
+
 				<!--
 					|
UsernamePasswordCredentialsToPrincipalResolver supports the
UsernamePasswordCredentials that we use for /login 
 					| by default and produces
SimplePrincipal instances conveying the username from the credentials.
@@ -66,34 +69,35 @@
 			</list>
 		</property>
 
-		<!--
-			| Whereas CredentialsToPrincipalResolvers
identify who it is some Credentials might authenticate, 
-			| AuthenticationHandlers actually authenticate
credentials.  Here we declare the AuthenticationHandlers that
-			| authenticate the Principals that the
CredentialsToPrincipalResolvers identified.  CAS will try these handlers
in turn
-			| until it finds one that both supports the
Credentials presented and succeeds in authenticating.
-			+-->
-		<property name="authenticationHandlers">
-			<list>
-				<!--
-					| This is the authentication
handler that authenticates services by means of callback via SSL,
thereby validating
-					| a server side SSL certificate.
-					+-->
-				<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCred
entialsAuthenticationHandler"
-					p:httpClient-ref="httpClient" />
-				<!--
-					| This is the authentication
handler declaration that every CAS deployer will need to change before
deploying CAS 
-					| into production.  The default
SimpleTestUsernamePasswordAuthenticationHandler authenticates
UsernamePasswordCredentials
-					| where the username equals the
password.  You will need to replace this with an AuthenticationHandler
that implements your
-					| local authentication strategy.
You might accomplish this by coding a new such handler and declaring
-					|
edu.someschool.its.cas.MySpecialHandler here, or you might use one of
the handlers provided in the adaptors modules.
-					+-->
-				<bean
-
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePa
sswordAuthenticationHandler" />
-			</list>
-		</property>
-	</bean>
+        <!--
+            | Whereas CredentialsToPrincipalResolvers identify who it
is some Credentials might authenticate,
+            | AuthenticationHandlers actually authenticate credentials.
Here we declare the AuthenticationHandlers that
+            | authenticate the Principals that the
CredentialsToPrincipalResolvers identified.  CAS will try these handlers
in turn
+            | until it finds one that both supports the Credentials
presented and succeeds in authenticating.
+            +-->
+        <property name="authenticationHandlers">
+            <list>
+                <!--
+                    | This is authentication handler for CaremarkRx
Active Directory.
+                    +-->
+				<bean
class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFS
SpnegoAuthenticationHandler">
+					<property name="authentication">
+						<bean
class="jcifs.spnego.Authentication" />
+					</property>
+					<property
name="principalWithDomainName" value="false" />
+					<property name="NTLMallowed"
value="true"/>
+				</bean>
+            </list>
+        </property>
+    </bean>
 
 
+	<bean name="jcifsConfig"
class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFS
Config">
+		<property name="loginConf" value="/WEB-INF/login.conf"
/>
+		<property name="jcifsDomain" value="<NT DOMAIN>" />
+		<property name="jcifsDomainController" value="<NT DOMAIN
CONTROLLER>" />
+	</bean>
+
 	<!--
 	This bean defines the security roles for the Services Management
application.  Simple deployments can use the in-memory version.
 	More robust deployments will want to use another option, such as
the Jdbc version.
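Review bot: The `jcifsDomain` and `jcifsDomainController` placeholders are written as `<NT DOMAIN>` and `<NT DOMAIN CONTROLLER>`, and a literal `<` inside an attribute value is not well-formed XML, so the patched deployerConfigContext.xml will not parse until someone edits it; a safe placeholder is `value="NT_DOMAIN_PLACEHOLDER"` plus a comment saying what to fill in. The rewritten `authenticationHandlers` list keeps only `JCIFSSpnegoAuthenticationHandler`: the removed `HttpBasedServiceCredentialsAuthenticationHandler` is the one the old comment describes as authenticating services via SSL callback, and no username/password handler remains, so the `viewLoginForm` fallback that the webflow patch still points at cannot succeed for form logins. The comment `This is authentication handler for CaremarkRx Active Directory` names one deployment; for a shared patch something like `<!-- SPNEGO/NTLM handler backed by JCIFS; domain settings live in the jcifsConfig bean below -->` reads better. The new block also mixes space and tab indentation (the `<list>` lines use spaces, the JCIFS `<bean` and its properties use tabs), unlike the rest of the file.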
diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login-webflow.x
ml
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login-webf
low.xml
---
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login-webflow.x
ml	2008-08-14 10:39:56.000000000 -0400
+++
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login-webf
low.xml	2008-10-23 15:33:47.252899000 -0400
@@ -17,7 +17,7 @@
 	</decision-state>
     
 	<decision-state id="gatewayRequestCheck">
-		<if
test="${externalContext.requestParameterMap['gateway'] != '' &amp;&amp;
externalContext.requestParameterMap['gateway'] != null &amp;&amp;
flowScope.service != null}" then="redirect" else="viewLoginForm" />
+		<if
test="${externalContext.requestParameterMap['gateway'] != '' &amp;&amp;
externalContext.requestParameterMap['gateway'] != null &amp;&amp;
flowScope.service != null}" then="redirect" else="startAuthenticate" />
 	</decision-state>
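Review bot: After this change every non-gateway login, and every `renew` request in the next hunk (`renewRequestCheck`), goes to `startAuthenticate` instead of `viewLoginForm`, so the SPNEGO/NTLM challenge is issued to all clients before the form is ever rendered, including browsers and non-domain clients that cannot answer it. That is presumably intended, but it should be recorded at the decision state, e.g. `<!-- non-gateway logins first get the SPNEGO/NTLM challenge (startAuthenticate); the form is shown only when that fails -->`. Whether the form is still reachable depends on the error transition of the `spnego` state defined later in the file.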
 	
 	<decision-state id="hasServiceCheck">
@@ -25,7 +25,7 @@
 	</decision-state>
 	
 	<decision-state id="renewRequestCheck">
-		<if test="${externalContext.requestParameterMap['renew']
!= '' &amp;&amp; externalContext.requestParameterMap['renew'] != null}"
then="viewLoginForm" else="generateServiceTicket" />
+		<if test="${externalContext.requestParameterMap['renew']
!= '' &amp;&amp; externalContext.requestParameterMap['renew'] != null}"
then="startAuthenticate" else="generateServiceTicket" />
 	</decision-state>
 	
 	<!-- 
@@ -43,6 +43,18 @@
 		<transition on="error" to="viewLoginForm" />
 	</action-state>
 	 -->
+
+	<action-state id="startAuthenticate">
+		<action bean="negociateSpnego" />
+		<transition on="success" to="spnego" />
+	</action-state>
+
+	<action-state id="spnego">
+		<action bean="spnego" />
+		<transition on="success" to="sendTicketGrantingTicket"
/>
+		<transition on="error" to="viewLoginForm" />
+	</action-state>
+
 	<view-state id="viewLoginForm" view="casLoginView">
 			<render-actions>
 			<action bean="authenticationViaFormAction"
method="setupForm"/>
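Review bot: The `startAuthenticate` action-state declares only an `on="success"` transition, so any other event from `negociateSpnego` has no matching transition, which Web Flow treats as an error rather than a fallback to the form; mirror the `spnego` state with `<transition on="error" to="viewLoginForm" />`. The `sendTicketGrantingTicket` target is outside this hunk, so I am assuming it is the existing state the form path also uses. The enclosing `<flow>` element starts and ends outside the hunk.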
diff -ru --unidirectional-new-file
cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login.conf
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login.conf
--- cas-server-3.3/cas-server-webapp/src/main/webapp/WEB-INF/login.conf
1969-12-31 19:00:00.000000000 -0500
+++
cas-server-3.3-ntlm/cas-server-webapp/src/main/webapp/WEB-INF/login.conf
2008-10-22 17:19:35.832472000 -0400
@@ -0,0 +1,6 @@
+jcifs.spnego.initiate {
+    com.sun.security.auth.module.NTLoginModule required;
+};
+jcifs.spnego.accept {
+    com.sun.security.auth.module.NTLoginModule required;
+};
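Review bot: Both the `jcifs.spnego.initiate` and `jcifs.spnego.accept` entries use `com.sun.security.auth.module.NTLoginModule`, which is the Windows-only JAAS module that takes the identity of the account running the JVM, so this configuration presumably works only when CAS itself is deployed on a Windows host; that constraint is stated nowhere in the patch. A comment at the top of the file would save the next deployer a failed start-up: `// NTLoginModule is Windows-only: CAS must run in a JVM on a Windows host for these entries to load`. If non-Windows deployments are expected, the entries need a different login module, which the patch does not provide.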
 




