[NEWSENDER] - Re: The Question About Service Management - Message is from an unknown sender

Scott Battaglia scott.battaglia at gmail.com
Fri Feb 8 08:15:56 EST 2008


If you implement your own ServiceRegistryDao you can utilize your own
database (obviously any fields that you don't use you would have to ignore).
You'll need to provide sensible defaults for the entries that you don't use
(i.e. enable SSO by default, etc.).

The JpaServiceRegistryDaoImpl creates its database structure on demand (if
the user has the appropriate privileges) as it's using Hibernate under the
covers.

-Scott

On Feb 8, 2008 12:52 AM, ??? <liweinan at chinaedu.net> wrote:

>  Hi Scott,
>     Thank you very much for the help. Now I think I understand the whole
> scenario and using jdbc in place of InMemory config for acegi to avoid
> the same user/role appeared in config file again.
>
>    Now I'm planning to use "
> org.jasig.cas.services.JpaServiceRegistryDaoImpl" instead of "
> org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
> for "serviceRegistryDao", but I couldn't find the database structure on the
> wiki, or will the database be created automatically after I've finished the
> config?
>
>     Actually in our project we already have a table in the database that
> serves a similar purpose. The structure is as follows:
>
>     CREATE TABLE sps (
>         id char(32) primary key,
>         uri varchar(255) UNIQUE NOT NULL,
>         descr text,
>         enabled boolean not null default true,
>         expiration date,
>         created_at timestamp NOT NULL DEFAULT NOW(),
>         updated_at timestamp NOT NULL DEFAULT NOW()
>     );
>
>     This table is to secure our webservice; if the incoming request is not
> from a registered SP, it will be rejected
>     (I think that's partly the same purpose as the CAS
> ServiceRegistry).
>
>     Is there any possibility, with some modifications and
> configurations, for CAS to reuse this information?
>     If not, can I use the table created by CAS and adapt it to all the
> information above?
>
>      It really seems boring to have two similar tables holding almost the
> same information, because our webservice (let's call it IdP),
>     a companion project with CAS that can do user registration and
> some business-specific functions (our company wants all the new
>     SPs to centralize the user information; no matter whether they have a local
> database or not, they must put a copy of the profile in the central
>     base, and CAS is doing authentication on this database for new SPs), is
> deployed on the same machine as CAS.
>     And this IdP has a management console by itself; it also has a
> ServiceRegistry function, using URL checking to secure the webservice.
>
>     If a new SP is connected, it means we must register the service in CAS
> and IdP again. It would be perfect if there were a way for it to be unified.
>
> Thank you very much,
> Li Wei Nan
>
> ----- Original Message -----
>
> *From:* Scott Battaglia <scott.battaglia at gmail.com>
> *To:* Yale CAS mailing list <cas at tp.its.yale.edu>
> *Sent:* Friday, February 08, 2008 2:52 AM
> *Subject:* [NEWSENDER] - Re: The Question About Service Management -
> Message is from an unknown sender
>
> The default of the Services Management console tool is to behave as if it
> wasn't enabled (since that is the default CAS 2.0 compliance mode).  The
> first time you add a service to the list it will disable access.
>
> The user details service contains the list of people who are allowed
> to use the Services Management tool.  The default version is an InMemory
> version that just has a list (since you are delegating to CAS the password
> is unimportant).  You can replace that UserDetailsService with any of the
> ones included in Acegi (or write your own custom one).
>
> -Scott
>
> On Feb 7, 2008 4:04 AM, ??? <liweinan at chinaedu.net> wrote:
>
> > Hi Everyone,
> >    Could anyone tell me something about how to use the service
> > management?
> >    I've read the articles in the wiki and it says the purpose of service
> > management is to
> >   "control what services are allowed to authenticate via CAS, and in
> > particular what those services can do with CAS."
> >    But there seems to be no problem using it without configuring it;
> >    I can still use the Yale client on the SP (service provider) side to
> > authenticate users with CAS (IdP side),
> >    though the SP wasn't added in the CAS ServiceManagement console. Could
> > anyone give me some clues?
> >
> >    One more question: it seems configuring <bean
> > id="userDetailsService"
> > class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
> >    in deployerConfigContext.xml is not enough for me to log into the
> > /manage
> > section.
> >    Since I use JdbcDao as the data source, when CAS redirects me back
> > to the
> > login page, and after I type the username/password defined in
> >    InMemoryDaoImpl, it complains "The credentials you provided
> > cannot be determined to be authentic."
> >    To overcome the problem, I had to add to my database an account
> > whose loginname/password is exactly the same as the one defined
> >    in InMemoryDaoImpl, and then I could enter the management page. I
> > wonder
> > if there's something wrong with my configuration?
> >
> >    The deployerConfigContext.xml I used is:
> >    ...
> >        <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
> >          <property name="sql" value="select pass from usrs where switch_to='O' and loginname=?" />
> >          <property name="dataSource" ref="dataSource" />
> >          <property name="passwordEncoder" ref="passwordEncoder" />
> >        </bean>
> >      </list>
> >    </property>
> >    </bean>
> >
> >    <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
> >      <constructor-arg index="0"><value>MD5</value></constructor-arg>
> >    </bean>
> >
> >    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" destroy-method="close">
> >      <property name="driverClassName"><value>org.postgresql.Driver</value></property>
> >      <property name="url"><value>jdbc:postgresql://localhost:5432/edupass</value></property>
> >      ...
> >    </bean>
> >
> >    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
> >      <property name="userMap">
> >        <value>
> >          [my_account]=[my_password],ROLE_ADMIN
> >        </value>
> >      </property>
> >    </bean>
> >
> >    And I haven't changed any default config in securityContext.xml:
> >
> >    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"
> >          p:authenticationManager-ref="casAuthenticationManager"
> >          p:accessDecisionManager-ref="accessDecisionManager">
> >      <property name="objectDefinitionSource">
> >        <value>
> >          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> >          PATTERN_TYPE_APACHE_ANT
> >          /**=ROLE_ADMIN
> >        </value>
> >      </property>
> >    </bean>
> >
> >    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
> >      <property name="filterInvocationDefinitionSource">
> >        <value>
> >          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> >          PATTERN_TYPE_APACHE_ANT
> >          /**/loggedout.html=#NONE#
> >          /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
> >        </value>
> >      </property>
> >    </bean>
> >
> >    For me to be able to enter the /manage section, I have to add
> > [my_account],[my_password] to my database. It seems redundant.
> >    The version I used is: JA-SIG Central Authentication Service 3.1.1
> >    And our CAS website is:
> >    http://edupass.chinaedu.net (it will be redirected to https)
> >
> > Thanks for any help,
> > Li Wei Nan
> >
> >
> >
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
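As an added illustration of Scott's suggestion (this is not his code nor part of CAS): a hypothetical read-only ServiceRegistryDao backed by the "sps" table Li Wei Nan posted, which keeps the table's enabled/expiration semantics and supplies defaults for the CAS fields the table lacks. The ServiceRegistryDao methods and RegisteredServiceImpl setters are assumed from the CAS 3.1 API of that era and should be checked against the deployed version; the class name and the stableId scheme are my own.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import java.util.UUID;
import javax.sql.DataSource;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.RegisteredServiceImpl;
import org.jasig.cas.services.ServiceRegistryDao;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;

// Hypothetical read-only service registry over the IdP's existing "sps" table.
public final class SpsServiceRegistryDao implements ServiceRegistryDao {
    // Disabled or expired SPs are filtered in SQL, so CAS never sees them and
    // rejects their requests; created_at/updated_at are simply ignored.
    private static final String LOAD_SQL = "SELECT id, uri, descr FROM sps "
        + "WHERE enabled AND (expiration IS NULL OR expiration >= CURRENT_DATE)";
    private final JdbcTemplate jdbc;

    public SpsServiceRegistryDao(final DataSource ds) { this.jdbc = new JdbcTemplate(ds); }

    @SuppressWarnings("unchecked")
    public List<RegisteredService> load() {
        return this.jdbc.query(LOAD_SQL, new RowMapper() {
            public Object mapRow(final ResultSet rs, final int row) throws SQLException {
                final RegisteredServiceImpl svc = new RegisteredServiceImpl();
                svc.setId(stableId(rs.getString("id")));
                svc.setServiceId(rs.getString("uri")); // the URL pattern CAS matches on
                svc.setName(rs.getString("uri"));
                svc.setDescription(rs.getString("descr"));
                svc.setEnabled(true);          // already guaranteed by LOAD_SQL
                svc.setSsoEnabled(true);       // sensible default for a field sps lacks
                svc.setAllowedToProxy(false);  // least privilege for the other unused fields
                svc.setAnonymousAccess(false);
                return svc;
            }
        });
    }

    public RegisteredService findServiceById(final long id) {
        for (final RegisteredService svc : load()) { if (svc.getId() == id) { return svc; } }
        return null;
    }

    // The IdP console owns the table, so writes from the CAS /manage UI are refused.
    public RegisteredService save(final RegisteredService s) { throw new UnsupportedOperationException("sps is owned by the IdP"); }
    public boolean delete(final RegisteredService s) { throw new UnsupportedOperationException("sps is owned by the IdP"); }

    // CAS keys services by a long, but sps.id is char(32): derive a stable,
    // non-negative id from a name-based UUID of the (trimmed) string id.
    static long stableId(final String id) {
        return UUID.nameUUIDFromBytes(id.trim().getBytes()).getMostSignificantBits() & Long.MAX_VALUE;
    }
}
```

Wire it as the "serviceRegistryDao" bean with the existing "dataSource" reference; because save/delete are refused, a new SP still has to be registered once in the IdP console, but no longer a second time in CAS.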