Nabble - CAS

Multiple SSO Sessions

2008-10-10T11:09:59Z

Hi.
Is it possible to have multiple SSO sessions simultaneously within a single CAS server instance? I am looking at a scenario where say, ApplicationA and ApplicationB need to share one SSO login, and ApplicationC and ApplicationD need to share another SSO login, and all applications are active together.
The case arises if we have internal apps which share one SSO, and external (customer-facing) apps which share another SSO. Employees may be logged into the internal apps (say thru LDAP), but they may also want to log into the external apps (using their account no/password), and check their account as a customer. Each SSO would obviously have its own Auth handlers/login webflows etc.
I guess one option is to have separate CAS instances (e.g. /cas1 and /cas2), but can this be done with a single CAS instance ? Any pointers accepted gratefully. Thanx

From forum: CAS Users

Re: Best practice for CAS load balance/failover

2008-10-10T10:03:58Z

On Fri, Oct 10, 2008 at 12:47 PM, Kim Cary <Kim.Cary@...> wrote:

On Oct 10, 2008, at 5:34 AM, Andrew Ralph Feller, afelle1 wrote:

> NOTE: All of these options require you to configure the cookie
> generators to set CAS cookies for a domain reachable by all machines
> within your cluster / fail over environment.

Read that 3x and its not sinking in. Can you help me?

If they're all behind the same domain name (i.e. cas.yourinstitution.edu) then you're fine. We do that at RU.

-Scott

Let's say I put some CAS servers on two different class C nets and
somehow put them behind a load balancer, then if they're both within
my overall netblock and on the same domain, is there anything I need
to configure to make SSOn work? How 'bout SSOut?

KC

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Best practice for CAS load balance/failover

2008-10-10T09:47:00Z

On Oct 10, 2008, at 5:34 AM, Andrew Ralph Feller, afelle1 wrote:

> NOTE: All of these options require you to configure the cookie
> generators to set CAS cookies for a domain reachable by all machines
> within your cluster / fail over environment.

Read that 3x and its not sinking in. Can you help me?

Let's say I put some CAS servers on two different class C nets and
somehow put them behind a load balancer, then if they're both within
my overall netblock and on the same domain, is there anything I need
to configure to make SSOn work? How 'bout SSOut?

KC
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Building CAS

2008-10-10T09:41:29Z

We probably need to do a better job of documenting when something changes in the deployerConfigContext.xml. For the most part it doesn't change between releases, but when Spring Security changes their package name, it does :-)

If you can think of a good spot, let me know.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Oct 10, 2008 at 12:22 PM, Matthew Jones <matthew.jones@...> wrote:

Hi David,

You're having the "CAS-that-I-built-deployment-problem" :-) That's
why I still recommend you put the logging, the UI, the LDAP, etc.
aside. Use your newly installed Maven 2.0.9 and build the CAS
download overall. It automatically pulls the authenticator and builds
a CAS.war for you. When that deploys, add the logging. Do it again.
If you're successful, modify the UI for your CAS.war. Deploy. Test.

All those done and all work
Next I modified the pom.xml file and it still works and the sping LDAP jars are pulled in and appear in the libs folder.
Next, I edited deployerContextConfig.xml first just adding AuthenticatedLdapContextSource without enabling it as the authentication handler and then enabling it.

On each occasion, I stopped Tomcat (after un-deploying) and cleared the log files so I could see that there were no errors. So I ended up producing the correctly configured & working .war file.

When I was differencing my deployer config with one from one of my the previous installs, I finally saw the difference in the file (which I have just seen that Scott diagnosed, thanks Scott). I had obviously managed to pull a 3.2.1 config file into my 3.3 tree. (I think I know why that happened too, someone switched off my 3.3 test server!)

I'm purposely not trying to tell you what the error is. I want you to
understand how to find the reason why your Spring bean won't
instantiate. And, when your Spring bean doesn't instantiate, your
application that you built doesn't work. I'll look over these files
and reply if I see something obvious. I understand your pain there,
but if you start simple and add you'll be able to ask the list why
"this" configuration for this bean "classA" doesn't instantiate.

Simplify your CAS.war and deploy that successfully. You're building it.

I'm not sure I am that much the wiser but I got to deploy my war file loads of times and it does now work.

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

This message (including any files transmitted with it) may contain confidential and/or proprietary information, is the property of Interactive Data Corporation and/or its subsidiaries, and is directed only to the addressee(s). If you are not the designated recipient or have reason to believe you received this message in error, please delete this message from your system and notify the sender immediately. An unintended recipient's disclosure, copying, distribution, or use of this message or any attachments is prohibited and may be unlawful.
Interactive Data (Europe) Ltd Registered No. 949387 England Registered Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Building CAS

2008-10-10T09:22:19Z

Hi David,

> You're having the "CAS-that-I-built-deployment-problem" :-) That's
> why I still recommend you put the logging, the UI, the LDAP, etc.
> aside. Use your newly installed Maven 2.0.9 and build the CAS
> download overall. It automatically pulls the authenticator and builds
> a CAS.war for you. When that deploys, add the logging. Do it again.
> If you're successful, modify the UI for your CAS.war. Deploy. Test.

All those done and all work
Next I modified the pom.xml file and it still works and the sping LDAP
jars are pulled in and appear in the libs folder.
Next, I edited deployerContextConfig.xml first just adding
AuthenticatedLdapContextSource without enabling it as the authentication
handler and then enabling it.

On each occasion, I stopped Tomcat (after un-deploying) and cleared the
log files so I could see that there were no errors. So I ended up
producing the correctly configured & working .war file.

When I was differencing my deployer config with one from one of my the
previous installs, I finally saw the difference in the file (which I
have just seen that Scott diagnosed, thanks Scott). I had obviously
managed to pull a 3.2.1 config file into my 3.3 tree. (I think I know
why that happened too, someone switched off my 3.3 test server!)

> I'm purposely not trying to tell you what the error is. I want you to
> understand how to find the reason why your Spring bean won't
> instantiate. And, when your Spring bean doesn't instantiate, your
> application that you built doesn't work. I'll look over these files
> and reply if I see something obvious. I understand your pain there,
> but if you start simple and add you'll be able to ask the list why
> "this" configuration for this bean "classA" doesn't instantiate.
>
> Simplify your CAS.war and deploy that successfully. You're building it.

I'm not sure I am that much the wiser but I got to deploy my war file
loads of times and it does now work.

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

This message (including any files transmitted with it) may contain
confidential and/or proprietary information, is the property of
Interactive Data Corporation and/or its subsidiaries, and is directed
only to the addressee(s). If you are not the designated recipient or
have reason to believe you received this message in error, please delete
this message from your system and notify the sender immediately. An
unintended recipient's disclosure, copying, distribution, or use of this
message or any attachments is prohibited and may be unlawful.
Interactive Data (Europe) Ltd Registered No. 949387 England Registered
Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

smime.p7s (3K) Download Attachment

From forum: CAS Users

Re: CASFilter configuration and environment-specific artifacts

2008-10-10T09:04:53Z

Forgot to send the link:

http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1

You'll find ways to configure via web.xml, JNDI and Spring.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Thu, Oct 9, 2008 at 12:12 PM, Scott Battaglia <scott.battaglia@...> wrote:

Mark,

You may want to look at the new JASIG CAS Client for Java which can read from Spring config files, web.xml or JNDI.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Thu, Oct 9, 2008 at 10:26 AM, McEahern, Mark S <mceahems@...> wrote:
Hi, it looks like the CASFilter configuration requires that I place
environment-specific artifacts into my web.xml (which is then packed
into my .war).

http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter

That is, I need to set one of the following:

edu.yale.its.tp.cas.client.filter.serverName
edu.yale.its.tp.cas.client.filter.serviceUrl

How do I then take my .war and drop it into successive environments
(dev, test, ultimately prod) without having to edit web.xml with
environment-specific differences?

How have others addressed this issue?

Thanks,

Mark McEahern
Lead Architect
Division of Public Health Informatics and Surveillance
Wisconsin State Lab of Hygiene

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Building CAS

2008-10-10T08:31:00Z

Matthew,

Looks like you pulled in your old deployerConfigContext.xml? Would that be correct? CAS 3.3 uses the latest version of Spring Security (well latest at the time) which replaced org.acegisecurity with org.springframework.security.

You probably just need to update your entries.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Oct 10, 2008 at 6:40 AM, Matthew Jones <matthew.jones@...> wrote:

I am still unable to successfully deploy the CAS server I have tried to build using Maven2. I enclose the details of my building and the errors from the logs when I try to run it. Please can anyone spot what I have missed out or forgotten to do? The LDAP authentication is identical to that of the downloaded .war file that previously had running.

Here is a find showing the files that I have changed under the cas-server-webapp directory where I run the build from:

# find . -newer src -type f -print
./src/main/webapp/images/logo_IDC.jpg
./src/main/webapp/css/cas.css
./src/main/webapp/WEB-INF/classes/log4j.properties
./src/main/webapp/WEB-INF/deployerConfigContext.xml
./src/main/webapp/WEB-INF/view/jsp/default/ui/includes/bottom.jsp
./pom.xml

I have hacked in a logo into the default scheme rather than properly skinning it. Other than that, I have changed the pom.xml and deployerConfixContext.xml files to use our LDAP server for authentication and put the correct value into log4j.properties so that cas.log appears in the same place as catalina.out (thus fixing the file create errors)

Version information:

# mvn --version
Maven version: 2.0.9

Java version: 1.6.0_06
OS name: "linux" version: "2.6.24-19-generic" arch: "amd64" Family: "unix"

Now here is the build

# mvn package
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Building JA-SIG CAS Web Application
[INFO] task-segment: [package]
[INFO] ------------------------------------------------------------------------
[INFO] [resources:resources]
[INFO] Using default encoding to copy filtered resources.
Downloading: http://developer.ja-sig.org/maven2/org/apache/santuario/xmlsec/1.4.0/xmlsec-1.4.0.pom
Downloading: http://repo1.maven.org/maven2/org/apache/santuario/xmlsec/1.4.0/xmlsec-1.4.0.pom
Downloading: http://developer.ja-sig.org/maven2/org/opensaml/opensaml/1.1b/opensaml-1.1b.pom
Downloading: http://repo1.maven.org/maven2/org/opensaml/opensaml/1.1b/opensaml-1.1b.pom
[INFO] [compiler:compile]
[INFO] No sources to compile
[INFO] [resources:testResources]
[INFO] Using default encoding to copy filtered resources.
[INFO] [compiler:testCompile]
[INFO] No sources to compile
[INFO] [surefire:test]
[INFO] No tests to run.
[INFO] [war:war]
[INFO] Packaging webapp
[INFO] Assembling webapp[cas-server-webapp] in [/home/dj/workspace/cas-server-3.3/cas-server-webapp/target/cas-server-webapp-3.3]
[INFO] Processing war project
[INFO] Webapp assembled in[1132 msecs]
[INFO] Building war: /home/dj/workspace/cas-server-3.3/cas-server-webapp/target/cas.war
[INFO] Preparing source:jar
[WARNING] Removing: jar from forked lifecycle, to prevent recursive invocation.
[INFO] No goals needed for project - skipping
[INFO] [source:jar {execution: attach-sources}]
[INFO] Building jar: /home/dj/workspace/cas-server-3.3/cas-server-webapp/target/cas-server-webapp-3.3-sources.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15 seconds
[INFO] Finished at: Fri Oct 10 11:17:25 BST 2008
[INFO] Final Memory: 19M/47M
[INFO] ------------------------------------------------------------------------

I then deploy the created file target/cas.war onto the server using the Tomcat Web Application Manager on the server (running CentOS 5.2, Tomcat 5.5.23 and Sun Java JVM 1.6.0_06-b02). Prior to doing this I have un-deployed any old versions of CAS that were running, stopped Tomcat and truncated the log files. I then start Tomcat again and check that it is running correctly. No errors in catalina.out and nothing in cas.log.

The message displayed in the Tomcat Web Application Manager is 'OK' and the cas application appears at /cas but is not running.

Here is the contents of catalina.out from the start until the first error, I then remove the traceback information. The resulting errors are repeated too.

Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:
Oct 7, 2008 5:08:23 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_06/jre/lib/i386/client:/usr/java/jdk1.6.0_06/jre/lib/i386:/usr/java/jdk1.6.0_06/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
Oct 7, 2008 5:08:23 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Oct 7, 2008 5:08:24 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Oct 7, 2008 5:08:24 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2969 ms
Oct 7, 2008 5:08:24 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Oct 7, 2008 5:08:24 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Oct 7, 2008 5:08:24 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Oct 7, 2008 5:08:26 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Oct 7, 2008 5:08:26 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Oct 7, 2008 5:08:27 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Oct 7, 2008 5:08:27 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Oct 7, 2008 5:08:27 PM org.apache.catalina.core.ApplicationContext log
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]]
Oct 7, 2008 5:08:27 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Oct 7, 2008 5:08:27 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Oct 7, 2008 5:08:27 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Oct 7, 2008 5:08:27 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/93 config=null
Oct 7, 2008 5:08:27 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Oct 7, 2008 5:08:28 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3514 ms
Oct 7, 2008 5:25:05 PM org.apache.catalina.core.ApplicationContext log
INFO: HTMLManager: init: Associated with Deployer 'Catalina:type=Deployer,host=localhost'
Oct 7, 2008 5:25:05 PM org.apache.catalina.core.ApplicationContext log
INFO: HTMLManager: init: Global resources are available
Oct 7, 2008 5:25:05 PM org.apache.catalina.core.ApplicationContext log
INFO: HTMLManager: list: Listing contexts for virtual host 'localhost'
Oct 7, 2008 5:25:45 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
2008-10-07 17:25:52,210 ERROR [org.springframework.web.context.ContextLoader] - <Context initialization failed>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'casAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.acegisecurity.userdetails.memory.InMemoryDaoImpl
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.acegisecurity.userdetails.memory.InMemoryDaoImpl

2008-10-07 17:25:52,220 FATAL [org.jasig.cas.web.init.SafeContextLoaderListener] - <SafeContextLoaderListener:

The Spring ContextLoaderListener we wrap threw on contextInitialized.
But for our having caught this error, the web application context would not have initialized.>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'casAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.acegisecurity.userdetails.memory.InMemoryDaoImpl
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.acegisecurity.userdetails.memory.InMemoryDaoImpl

Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException:

SafeContextLoaderListener:
The Spring ContextLoaderListener we wrap threw on contextInitialized.
But for our having caught this error, the web application context would not have initialized.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'casAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException:

SEVERE: Error filterStart
Oct 7, 2008 5:25:52 PM org.apache.catalina.core.StandardContext start

SEVERE: Context [/cas] startup failed due to previous errors
Oct 7, 2008 5:25:52 PM org.apache.catalina.core.ApplicationContext log
INFO: HTMLManager: list: Listing contexts for virtual host 'localhost'

cas.log seems to have pretty much the same information in it starting with the following:

2008-10-07 17:25:52,210 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'casAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casAuthenticationProvider' defined in ServletContext resource [/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is
[/WEB-INF/spring-configuration/securityContext.xml]: Cannot resolve reference to bean 'userDetailsService' while setting bean property 'userDetailsService'; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.acegisecurity.userdetails.memory.InMemoryDaoImpl] for bean with name 'userDetailsService' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: --

All help gratefully received.

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

This message (including any files transmitted with it) may contain confidential and/or proprietary information, is the property of Interactive Data Corporation and/or its subsidiaries, and is directed only to the addressee(s). If you are not the designated recipient or have reason to believe you received this message in error, please delete this message from your system and notify the sender immediately. An unintended recipient's disclosure, copying, distribution, or use of this message or any attachments is prohibited and may be unlawful.
Interactive Data (Europe) Ltd Registered No. 949387 England Registered Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Best practice for CAS load balance/failover

2008-10-10T08:28:38Z

Andrew's assessment is correct:

We currently support four methods:

1. Memcached/repcache
2. Terraccotta
3. JBossCache
4. Database

#1 is what we use here at Rutgers. We've been relatively happy with it. We did significant load testing with it and its been in production for about a month now. We'll know more in another month when the peak period hits ;-)

#2 is used by some people and they were kind enough to include their configuration in the CAS distribution. It is a little more involved to set up.

#3 is used by a few people. Some people have had great luck. Others like Andrew, haven't been as lucky :-) We were never able to get the performance we wanted out of it, though some people in France had no problems.

#4. A few people in Europe use this. It seems to work well. It only clusters CAS though. Its up to you whether you care/want your database replicated.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Oct 10, 2008 at 8:34 AM, Andrew Ralph Feller, afelle1 <afelle1@...> wrote:

Bin,

This is going to depend on which route you go: clustering, clustering with replication, or fail over.

CLUSTERING WITH REPLICATION

We have been struggling to get a clustering with replication environment setup using the JBoss Cache solution (JbossCacheTicketRegistry), which was outlined in the link you mentioned. However, there have been some unexpected problems maintaining a stable JBoss Cache replication cluster. Though it is maintained by JA-SIG, there aren't many people you will find that are very experienced with it much less managing JBoss Cache; there are a number of people who will probably agree with me on that. Another option for doing clustering with replication is to use the MemCacheTicketRegistry available in CAS 3.3.0. This is the option favored by Rutgers, who is the primary maintainer of the CAS code base. Scott B can testify about it being lightweight, however I don't know anyone else that has deployed it in their environments.

CLUSTERING WITHOUT REPLICATION

If you want plain clustering without replication, then you could either go with a backend data store holding users SSO information and have the CAS servers be dummies by using the JpaTicketRegistry. This would allow your users to hit any of the CAS servers and remove the need for replicating data, however you would have a single point of failure (data store).

FAIL OVER

However, most CAS deployments appear to use a active/passive fail over setup where you have two deployments and have your load balancer direct traffic to the primary and fail over to the secondary when necessary. This option requires little / no major customization.

NOTE: All of these options require you to configure the cookie generators to set CAS cookies for a domain reachable by all machines within your cluster / fail over environment.

HTH,
A-

On 10/10/08 12:01 AM, "Bin Rong" <bin@...> wrote:

Hi all,

I am a newbie to CAS, and in our production environment, we have two apahche servers running behind a hardware load balancer, using ajp to balance
out to several tomcat instances. Sticky session is used, and only one of the backend tomcat is used for CAS.

Now we want to load balance/failover CAS, the options are:

1. Clustering CAS
2. Have database-backed registry, so that multiple CAS can validate the ticket vended by other CAS servers.

Just wondering what is the best practise?

We think the database-backed is a good one, and I've searched the web, there is very little information in this regard, except
http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS. Could anyone point to any source of information or any detailed howto guide?

Any advise is appreciated.

Bin

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Building CAS

2008-10-10T06:48:28Z

Matthew:

You're having the "CAS-that-I-built-deployment-problem" :-) That's
why I still recommend you put the logging, the UI, the LDAP, etc.
aside. Use your newly installed Maven 2.0.9 and build the CAS
download overall. It automatically pulls the authenticator and builds
a CAS.war for you. When that deploys, add the logging. Do it again.
If you're successful, modify the UI for your CAS.war. Deploy. Test.

I'm purposely not trying to tell you what the error is. I want you to
understand how to find the reason why your Spring bean won't
instantiate. And, when your Spring bean doesn't instantiate, your
application that you built doesn't work. I'll look over these files
and reply if I see something obvious. I understand your pain there,
but if you start simple and add you'll be able to ask the list why
"this" configuration for this bean "classA" doesn't instantiate.

Simplify your CAS.war and deploy that successfully. You're building it.

Let me know that goes,

David

On 10/10/08, Matthew Jones <matthew.jones@...> wrote:

> Hi David,
>
> > Also, did you configure the Maven build of the CAS server to include
> > the LDAP authentication module?
> >
>
> I have modified the pom.xml file to include:
> <dependency>
> <groupId>org.jasig.cas</groupId>
>
> <artifactId>cas-server-support-ldap</artifactId>
>
> <version>${project.version}</version>
> </dependency>
> I am not aware of any additional build (as opposed to deployment)
> configuration that I need to do.
>
> > If you didn't, I still recommend that
> > you deploy CAS unaltered first and then customize.
> >
>
> I have deployed the war file that is shipped with the 3.3 download and then
> configured it to use LDAP and the Spring LDAP jars by manually copying them.
> The changes I have made are identical to that system I had running. The only
> difference now is that I am trying to build my own war file and deploy that.
> I could just run a vanilla build and deploy the resulting war file and see
> if that works but I had hoped that I was only taking a small step. Indeed, I
> have had to upgrade maven to 2.09 and then run the build. The log file was a
> change that I had forgotten about and easily fixed. The war file I deploy
> does have the LDAP jars as part of it which I was told would be added for me
> having changed to LDAP authentication. Maven is not a system I have any
> previous experience with but have assumed, form what I have been told,
> should just work once you have the right version of course. Obviously, I am
> experiencing some other basic error which I had hoped would be obvious from
> the log files.
>
> Do you recommend that I do indeed try and build a vanilla 3.3 war file?
> Obviously, that will need the change to the log file location to work but
> shouldn't need anything else right?
>
> >
> > > Hi. I've been implementing a CAS solution using 3.1.1 and LDAP to an
> > > Active Directory and unless you're a CAS expert I would recommend that
> > > you do things in steps.
> > >
> > > From your stacktrace, it's evident that you haven't configured
> > > something properly. If you have the time, you should back up on
> > > customizing anything until you've successfully deployed CAS with the
> > > InMemoryDaoImpl (without LDAP) and been able to navigate to /cas/login
> > > and get a successful banner.
> > >
> > > If you do not want to do things in steps, you need to start with the
> > > trace. Find the culprit Spring bean and start there. It's not
> > > obvious from the trace what you've done wrong. I'll say from
> > > experience that once you get CAS to work in it's default
> > > configuration, LDAP is next and it can be difficult. I think too that
> > > everyone's situation is always a little different than the how-to's
> > > that you find in the wiki. Or, you need to chose the right
> > > configuration for your house.
> > >
> > > Post your deployerConfigContext.xml and cas.properties here and I'll
> > > try to help.
> > >
> >
>
> Attached - deployerConfigContext.xml has obscured URL & OU (hence the XXX
> extension).
>
> In reality, I am trying to build a deployable .war file that has our
> configuration in having already gone through the "pain" of getting that
> configuration to work. That is, the LDAP authentication handler is working
> and with a changed image displayed on the login & logout pages. This is just
> the first step on the way to having to write a specific authentication
> handler to deal with certificate & username/password credentials and
> properly skinning CAS.
>
>
> Thanks
>
> --
> Matthew Jones
> Interactive Data Managed Solutions Ltd
> -----------------------------------------------------------------------
> Registered in England Company Number 3691868
> Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
> Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
> matthew.jones@...
> http://www.interactivedata-ms.com/694133
>
> This message (including any files transmitted with it) may contain
> confidential and/or proprietary information, is the property of Interactive
> Data Corporation and/or its subsidiaries, and is directed only to the
> addressee(s). If you are not the designated recipient or have reason to
> believe you received this message in error, please delete this message from
> your system and notify the sender immediately. An unintended recipient's
> disclosure, copying, distribution, or use of this message or any attachments
> is prohibited and may be unlawful.
> Interactive Data (Europe) Ltd Registered No. 949387 England Registered
> Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL
>
>
> cas.securityContext.serviceProperties.service=https://localhost:8443/cas/services/j_acegi_cas_security_check
> cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://localhost:8443/cas/login
> cas.securityContext.ticketValidator.casServerUrlPrefix=https://localhost:8443/cas
>
> cas.themeResolver.defaultThemeName=default
> cas.viewResolver.basename=default_views
>
> host.name=cas
>
> #database.hibernate.dialect=org.hibernate.dialect.OracleDialect
> #database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
> database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
>
> _______________________________________________
> Yale CAS mailing list
> cas@...
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Best practice for CAS load balance/failover

2008-10-10T05:34:07Z

Re: Best practice for CAS load balance/failover Bin,

This is going to depend on which route you go: clustering, clustering with replication, or fail over.

CLUSTERING WITH REPLICATION

We have been struggling to get a clustering with replication environment setup using the JBoss Cache solution (JbossCacheTicketRegistry), which was outlined in the link you mentioned. However, there have been some unexpected problems maintaining a stable JBoss Cache replication cluster. Though it is maintained by JA-SIG, there aren’t many people you will find that are very experienced with it much less managing JBoss Cache; there are a number of people who will probably agree with me on that. Another option for doing clustering with replication is to use the MemCacheTicketRegistry available in CAS 3.3.0. This is the option favored by Rutgers, who is the primary maintainer of the CAS code base. Scott B can testify about it being lightweight, however I don’t know anyone else that has deployed it in their environments.

CLUSTERING WITHOUT REPLICATION

If you want plain clustering without replication, then you could either go with a backend data store holding users SSO information and have the CAS servers be dummies by using the JpaTicketRegistry. This would allow your users to hit any of the CAS servers and remove the need for replicating data, however you would have a single point of failure (data store).

FAIL OVER

However, most CAS deployments appear to use a active/passive fail over setup where you have two deployments and have your load balancer direct traffic to the primary and fail over to the secondary when necessary. This option requires little / no major customization.

NOTE: All of these options require you to configure the cookie generators to set CAS cookies for a domain reachable by all machines within your cluster / fail over environment.

HTH,
A-

On 10/10/08 12:01 AM, "Bin Rong" <bin@...> wrote:

Hi all,

I am a newbie to CAS, and in our production environment, we have two apahche servers running behind a hardware load balancer, using ajp to balance
out to several tomcat instances. Sticky session is used, and only one of the backend tomcat is used for CAS.

Now we want to load balance/failover CAS, the options are:

1. Clustering CAS
2. Have database-backed registry, so that multiple CAS can validate the ticket vended by other CAS servers.

Just wondering what is the best practise?

We think the database-backed is a good one, and I've searched the web, there is very little information in this regard, except
http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS. Could anyone point to any source of information or any detailed howto guide?

Any advise is appreciated.

Bin

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users

Re: Building CAS

2008-10-10T05:28:26Z

Hi David,

> Also, did you configure the Maven build of the CAS server to include
> the LDAP authentication module?

I have modified the pom.xml file to include:
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${project.version}</version>
</dependency>
I am not aware of any additional build (as opposed to deployment)
configuration that I need to do.

> If you didn't, I still recommend that
> you deploy CAS unaltered first and then customize.

I have deployed the war file that is shipped with the 3.3 download and
then configured it to use LDAP and the Spring LDAP jars by manually
copying them. The changes I have made are identical to that system I had
running. The only difference now is that I am trying to build my own war
file and deploy that. I could just run a vanilla build and deploy the
resulting war file and see if that works but I had hoped that I was only
taking a small step. Indeed, I have had to upgrade maven to 2.09 and
then run the build. The log file was a change that I had forgotten about
and easily fixed. The war file I deploy does have the LDAP jars as part
of it which I was told would be added for me having changed to LDAP
authentication. Maven is not a system I have any previous experience
with but have assumed, form what I have been told, should just work once
you have the right version of course. Obviously, I am experiencing some
other basic error which I had hoped would be obvious from the log files.

Do you recommend that I do indeed try and build a vanilla 3.3 war file?
Obviously, that will need the change to the log file location to work
but shouldn't need anything else right?

>> Hi. I've been implementing a CAS solution using 3.1.1 and LDAP to an
>> Active Directory and unless you're a CAS expert I would recommend that
>> you do things in steps.
>>
>> From your stacktrace, it's evident that you haven't configured
>> something properly. If you have the time, you should back up on
>> customizing anything until you've successfully deployed CAS with the
>> InMemoryDaoImpl (without LDAP) and been able to navigate to /cas/login
>> and get a successful banner.
>>
>> If you do not want to do things in steps, you need to start with the
>> trace. Find the culprit Spring bean and start there. It's not
>> obvious from the trace what you've done wrong. I'll say from
>> experience that once you get CAS to work in it's default
>> configuration, LDAP is next and it can be difficult. I think too that
>> everyone's situation is always a little different than the how-to's
>> that you find in the wiki. Or, you need to chose the right
>> configuration for your house.
>>
>> Post your deployerConfigContext.xml and cas.properties here and I'll
>> try to help.

Attached - deployerConfigContext.xml has obscured URL & OU (hence the
XXX extension).

In reality, I am trying to build a deployable .war file that has our
configuration in having already gone through the "pain" of getting that
configuration to work. That is, the LDAP authentication handler is
working and with a changed image displayed on the login & logout pages.
This is just the first step on the way to having to write a specific
authentication handler to deal with certificate & username/password
credentials and properly skinning CAS.

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

This message (including any files transmitted with it) may contain
confidential and/or proprietary information, is the property of
Interactive Data Corporation and/or its subsidiaries, and is directed
only to the addressee(s). If you are not the designated recipient or
have reason to believe you received this message in error, please delete
this message from your system and notify the sender immediately. An
unintended recipient's disclosure, copying, distribution, or use of this
message or any attachments is prohibited and may be unlawful.
Interactive Data (Europe) Ltd Registered No. 949387 England Registered
Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL

cas.securityContext.serviceProperties.service=https://localhost:8443/cas/services/j_acegi_cas_security_check
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://localhost:8443/cas/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://localhost:8443/cas

cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views

host.name=cas

#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
#database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">

<property name="credentialsToPrincipalResolvers">
<list>

<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>


<property name="authenticationHandlers">
<list>

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="uid=%u" />
<property name="searchBase" value="ou=OUR-OU,dc=interactivedata,dc=com" />
<property name="contextSource" ref="contextSource" />
</bean>
</list>
</property>
</bean>


<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>

</value>
</property>
</bean>


<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>


<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />


<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
<property name="pooled" value="true"/>
<property name="urls">
<list>
<value>ldaps://OUR-LDAP-SERVER-URL/</value>
</list>
</property>
<property name="anonymousReadOnly" value="false"/>
<property name="userName" value="uid=ldapbrowser,ou=idms,dc=interactivedata,dc=com"/>
<property name="password" value="br0ws3r$"/>


<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
</entry>
</map>
</property>
</bean>

</beans>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

smime.p7s (3K) Download Attachment

From forum: CAS Users

Re: Best practice for CAS load balance/failover

2008-10-10T05:07:28Z

Bin:

I don't know of any more information than what's already there on the
CAS wiki, but if your list of CAS enabled applications is small, use
an in-memory solution. You can configure their registration on both
machines and you're really not hurting much by duplicating an
ArrayList e.g. with 8-10 applications on both servers.

A database registry would be a little trickier. You'd probably have
to customize the CAS code and develop something where the "keys" to
your persisted registry were kept in session on both machines. Then
if one went out, the other would at least have the keys. I'm not sure
if CAS can do this and someone else may inteject here.

I would use in-memory storage if I could. Also, remember that the
data is not dynamic. You, the server administrator know what apps are
CASified. This fixed number and their URL's can be held in memory
very easily if you're not storing too many. And, if you're
clustering, I don't suppose the initial cluster was created for CAS.
So, that would mean that if you have the hardware, you probably have
the memory as well.

HTH

David
On 10/10/08, Bin Rong <bin@...> wrote:

> Hi all,
>
> I am a newbie to CAS, and in our production environment, we have two apahche
> servers running behind a hardware load balancer, using ajp to balance
> out to several tomcat instances. Sticky session is used, and only one of the
> backend tomcat is used for CAS.
>
> Now we want to load balance/failover CAS, the options are:
>
> 1. Clustering CAS
> 2. Have database-backed registry, so that multiple CAS can validate the
> ticket vended by other CAS servers.
>
> Just wondering what is the best practise?
>
> We think the database-backed is a good one, and I've searched the web, there
> is very little information in this regard, except
> http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS.
> Could anyone point to any source of information or any detailed howto guide?
>
> Any advise is appreciated.
>
> Bin
>
> _______________________________________________
> Yale CAS mailing list
> cas@...
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

From forum: CAS Users