CAS with acegi client

Hi, me again... :)

Got CAS working with Spring Security, providing I use an in-memory user-service. All good.

When I use an ldap-user-service to get my roles, I authenticate OK, but I just get dumped to a Tomcat 403 page.

To determine if my app was making the rejection, I removed all filters except the CAS one, but added a new one to the start of the chain with some debug. It's not getting called at all.

All looks good at the CAS side (see output below) - it's granting me a ticket for my app. But something is blocking me at the last hurdle. Anyone know what it could be?

**************
2008-05-08 12:37:01,360 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-XNUBA3eFkRCjIe6nTrBs-cas] for service [http://mycomputer:8080/MQS4/j_spring_cas_security_check] for user [richard.gundersen]>
May 8, 2008 12:37:02 PM org.apache.tomcat.util.http.Parameters processParameters
WARNING: Parameters: Invalid chunk ignored.
**************

Here's my LDAP config in case it's useful:

**************
    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="userService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://mycomputer/cas" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://mycomputer:8080/MQS4/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <sec:ldap-server id="ldapServer" url="ldap://mycompany.com:13060/" manager-dn="cn=adminusername,cn=Users,dc=mycompany,dc=com" manager-password="somepassword" />

    <sec:ldap-user-service id="userService" server-ref="ldapServer" group-search-base="cn=Groups,dc=mycompany,dc=com" group-role-attribute="cn" group-search-filter="(uniquemember={0})" user-search-base="cn=Users,dc=mycompany,dc=com" user-search-filter="(uid={0})" />
**************

Thanks (again)

Richard

---

Miss your Messenger buddies when on-the-go? Get Messenger on your Mobile!

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Hi folks

I need to cassify spring app using acegi 1.0.6.

I think I had setted up all right in application xml as follows

?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans default-autowire="byName" >

       <bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy" lazy-init="false">
               <property name="filterInvocationDefinitionSource">
                       <value>
                               CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                               PATTERN_TYPE_APACHE_ANT
                               /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
                       </value>
               </property>
       </bean>

       <bean id="serviceProperties"
class="org.acegisecurity.ui.cas.ServiceProperties">
 <property name="service"><value>https://sreghenzixp:8443/LIT-Profile_Web/j_acegi_cas_security_check</value></property>
 <property name="sendRenew"><value>false</value></property>
</bean>
<bean id="casProcessingFilter"
class="org.acegisecurity.ui.cas.CasProcessingFilter">
 <property name="authenticationManager"><ref
bean="authenticationManager"/></property>
 <property name="authenticationFailureUrl"><value>/acegijsp/accessDenied.jsp</value></property>
 <property name="defaultTargetUrl"><value>/</value></property>
 <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>

<bean id="casProcessingFilterEntryPoint"
class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
 <property name="loginUrl"><value>https://sreghenzixp:8443/CAS/login</value></property>
 <property name="serviceProperties"><ref bean="serviceProperties"/></property>
</bean>

       <bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

       <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
               <constructor-arg value="/home.htm"/> <!-- URL redirected to after logout -->
               <constructor-arg>
                       <list>

                               <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
                       </list>
               </constructor-arg>
       </bean>



       <bean id="securityContextHolderAwareRequestFilter"
class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
<bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
 <property name="authenticationEntryPoint"><ref
local="casProcessingFilterEntryPoint"/></property>
</bean>

       <bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
               <property name="authenticationManager" ref="authenticationManager"/>
               <property name="accessDecisionManager">
                       <bean class="org.acegisecurity.vote.AffirmativeBased">
                               <property name="allowIfAllAbstainDecisions" value="false"/>
                               <property name="decisionVoters">
                                       <list>
                                               <bean class="org.acegisecurity.vote.RoleVoter"/>
                                               <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
                                       </list>
                               </property>
                       </bean>
               </property>
               <property name="objectDefinitionSource">
                       <value>
                               CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                               PATTERN_TYPE_APACHE_ANT
                               /**=IS_AUTHENTICATED_ANONYMOUSLY
                       </value>
               </property>
       </bean>
<!--
       <bean id="rememberMeServices"
class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
               <property name="userDetailsService" ref="userDetailsService"/>
               <property name="key" value="changeThis"/>
       </bean>
 -->
       <bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
 <property name="providers">
   <list>
     <ref bean="casAuthenticationProvider"/>
   </list>
 </property>
</bean>

<bean id="casAuthenticationProvider"
class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
 <property name="casAuthoritiesPopulator"><ref
bean="casAuthoritiesPopulator"/></property>
 <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
 <property name="ticketValidator"><ref
bean="casProxyTicketValidator"/></property>
 <property name="statelessTicketCache"><ref
bean="statelessTicketCache"/></property>
 <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>

<bean id="casProxyTicketValidator"
class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
 <property name="casValidate"><value>https://sreghenzixp:8443/CAS/proxyValidate</value></property>
 <property name="proxyCallbackUrl"><value>https://sreghenzixp:8443/LIT-Profile_Web/casProxy/receptor</value></property>
 <property name="serviceProperties"><ref bean="serviceProperties"/></property>
 <!-- <property
name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property>
-->
</bean>

<bean id="cacheManager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
 <property name="configLocation">
   <value>classpath:/ehcache-failsafe.xml</value>
 </property>
</bean>

<bean id="ticketCacheBackend"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
 <property name="cacheManager">
   <ref local="cacheManager"/>
 </property>
 <property name="cacheName">
   <value>ticketCache</value>
 </property>
</bean>

<bean id="statelessTicketCache"
class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
 <property name="cache"><ref local="ticketCacheBackend"/></property>
</bean>

<bean id="casAuthoritiesPopulator"
class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
 <property name="userDetailsService"><ref
bean="userDetailsService"/></property>
</bean>

<bean id="casProxyDecider"
class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

       <bean id="userDetailsService"
class="it.trend.lit.acegisecurity.UserDetailsService">

       </bean>


</beans>

cert is installe right in my jboss 4.0.5, calling the webapp with the
right hostname I'm redirected to cas login, it execute authentication
right, but then I' redirected I fall on the "cassfailed page" with
this log in the consolle




12:09:34,858 DEBUG [ProviderManager] Authentication attempt using
org.acegisecurity.providers.cas.CasAuthenticationProvider
12:09:34,858 DEBUG [XmlWebApplicationContext] Publishing event in
context [org.springframework.web.context.support.XmlWebApplicationContext@1ef3d12]:
org.acegisecurity.event.authentication.AuthenticationFailureServiceExceptionEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@f9b29b47:
Username: _cas_stateful_; Password: [PROTECTED]; Authenticated: false;
Details: org.acegisecurity.ui.WebAuthenticationDetails@1c07a:
RemoteIpAddress: 10.1.225.123; SessionId:
534E2A0064A4F867EA0570B381A4F709; Not granted any authorities]
12:09:34,858 DEBUG [CasProcessingFilter] Updated SecurityContextHolder
to contain null Authentication
12:09:34,858 DEBUG [CasProcessingFilter] Authentication request
failed: org.acegisecurity.AuthenticationServiceException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
12:09:34,858 DEBUG [HttpSessionContextIntegrationFilter]
SecurityContextHolder set to new context, as request processing
completed
12:09:34,873 INFO  [ResourceBundleThemeSource] Theme created: name
'theme', basename [theme]
12:14:40,879 DEBUG [other] CallbackHandler:
org.jboss.security.auth.callback.SecurityAssociationHandler@dce479
12:14:40,879 DEBUG [JaasSecurityManagerService] Created
securityMgr=org.jboss.security.plugins.JaasSecurityManager@1c2cbee
12:14:40,879 DEBUG [other] CachePolicy set to:
org.jboss.util.TimedCachePolicy@1da89a0

casProxyTicketValidator is configured and active... I think I'm
missing something...


--
::SammyRulez::
http://www.kyub.com/
pownce & twitter: sammyrulez
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas