Posted to user@shiro.apache.org by "Eduardo J. Ortega U" <ed...@zurich.co> on 2014/01/15 20:46:56 UTC

CAS Single Sign Out and LDAP attribute retrieval

Hi, all:

We are setting up our first Shiro enabled application with CAS 
authentication. Authentication seems to work fine, however, we have two 
issues:

  * We want to have Single Sign out, so that when a user signs out of
    CAS, he/she is signed out of CAS and therefore all apps. Currently,
    if I logout of the application (using Shiro's logout feature), and
    then try to access one of the protected pages, browser gets
    redirected to CAS, which in turn validates and redirects to
    http://myhost/myapp/shiro-cas and then /shiro-cas redirects it to
    the requested URL of the application, so effectively the user is
    logged back in the application. Also, if the user logs out of CAS
    (visiting http://myhost/CAS/logout) its CAS session ends but the
    application session remains, so he / she can still access the
    protected areas. I set up the following on myapp web.xml:


     <filter>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
     </filter>

     <filter-mapping>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

     <listener>
         <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
     </listener>

But it is not working. What am I missing?

  * We want to access some of the user attributes from inside our
    application. I set up CAS properties to map the attributes, setting
    this on CAS deployerConfigContext.xml

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
    <property name="requireAllQueryAttributes" value="true" />
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="uid" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
            <entry key="displayName" value="Name" />
            <entry key="distinguishedName" value="dn" />
        </map>
    </property>
</bean>

And then access them from inside the Shiro application like this:

AttributePrincipal principal = 
(AttributePrincipal)request.getUserPrincipal();
Map attributes = principal.getAttributes();

But we get an error saying we cannot cast Request to AttributePrincipal. 
I guess I am missing something here, too.

Any help is greatly appreciated.


--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.
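The mechanism behind the SingleSignOutFilter configured above, as an added example that is not part of the original post and not the Jasig client's own code: when the browser visits /cas/logout, the CAS server POSTs a SAML LogoutRequest to the application's service URL, and its SessionIndex is the service ticket CAS issued for that application. The client side therefore has to remember which local session each validated ticket belongs to, and on the back-channel POST invalidate that session. Because the POST comes from the CAS server and not from the browser, it carries no application cookie, so the filter handling it must run before anything that would redirect an unauthenticated request (the filter-ordering fix reported further down the thread). The class name, the two in-memory maps and the sample LogoutRequest are constructed for this example; the service ticket value is the one that appears in the CAS log later in the thread.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: the ticket-to-session bookkeeping a CAS single-sign-out filter performs. */
public final class SingleSignOutDemo {
    private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** service ticket -> local session id, recorded on the /shiro-cas?ticket=ST-... request */
    private final Map<String, String> ticketToSession = new ConcurrentHashMap<>();
    /** live local sessions; in a real filter these are the container's HttpSession objects */
    private final Map<String, Boolean> liveSessions = new ConcurrentHashMap<>();

    /** Called when the service ticket is validated and the application session is created. */
    void onTicketValidation(String serviceTicket, String sessionId) {
        liveSessions.put(sessionId, Boolean.TRUE);
        ticketToSession.put(serviceTicket, sessionId);
    }

    /**
     * Back-channel POST from CAS (parameter "logoutRequest"). Invalidates the session bound
     * to the SessionIndex ticket; returns true if a session was actually ended. A second
     * delivery of the same request is a no-op because the mapping is consumed on first use.
     */
    boolean onLogoutRequest(String logoutRequestXml) throws Exception {
        String serviceTicket = sessionIndexOf(logoutRequestXml);
        if (serviceTicket == null) {
            return false;
        }
        String sessionId = ticketToSession.remove(serviceTicket);
        return sessionId != null && liveSessions.remove(sessionId) != null;
    }

    /** Extracts samlp:SessionIndex with DTDs and external entities disabled (the XML is attacker-reachable). */
    static String sessionIndexOf(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        NodeList nodes = doc.getElementsByTagNameNS(SAMLP, "SessionIndex");
        if (nodes.getLength() == 0) {
            return null;
        }
        String ticket = nodes.item(0).getTextContent().trim();
        return ticket.isEmpty() ? null : ticket;
    }

    public static void main(String[] args) throws Exception {
        SingleSignOutDemo slo = new SingleSignOutDemo();
        String st = "ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org";
        slo.onTicketValidation(st, "JSESSIONID-A");

        // Constructed LogoutRequest in the shape the CAS 3.x server posts to the service URL.
        String logoutRequest = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"LR-1\""
                + " Version=\"2.0\" IssueInstant=\"2014-01-17T15:39:35Z\">"
                + "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID>"
                + "<samlp:SessionIndex>" + st + "</samlp:SessionIndex>"
                + "</samlp:LogoutRequest>";

        System.out.println("session invalidated: " + slo.onLogoutRequest(logoutRequest)); // true
        System.out.println("replayed request:    " + slo.onLogoutRequest(logoutRequest)); // false
    }
}
```

Two practical checks follow from this: the CAS server must be able to reach the application's service URL directly (a firewall between them silently breaks SLO while interactive login keeps working), and the back-channel request has to be accepted unauthenticated at that URL, which is why the sign-out filter sits ahead of Shiro's filter in web.xml.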


Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Hi, Jérôme:

After fiddling around with CAS configuration and adding a couple of 
missing libraries to my application (whose ClassNotFoundException 
messages were not getting to the server log), I finally got it working. 
Thanks!

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

On 20/01/14 01:51, jleleu wrote:
> Hi,
>
> In fact, I'm retrieving the user identity using the getPrincipals method
> of the Subject class:
> https://github.com/leleuj/buji-pac4j-demo/blob/master/src/main/webapp/index.jsp#L33
> The first principal is the uid, the second one is the pac4j user profile
> (FacebookProfile, TwitterProfile...)
> Best regards,
> Jérôme
>
>
>
> 2014/1/17 Eduardo J. Ortega U [via Shiro User] <
> ml-node+s582556n7579529h67@n2.nabble.com>
>
>> Hi, Jérôme:
>>
>> I set up debug and read this:
>>
>> INFO:   2014-01-17 10:39:35,529 DEBUG
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
>> for administrator: {Name=Administrator}>
>>
>> It seems like the attribute is being mapped, but for some reason I cannot
>> access it. Or perhaps I am trying to access it in the wrong way. This is
>> what I am doing:
>>
>>              Subject currentUser = SecurityUtils.getSubject();
>>              AttributePrincipal principal =
>> (AttributePrincipal)request.getUserPrincipal();
>>              Map attributes = principal.getAttributes();
>>
>> But the cast from request to AttributePrincipal fails:
>>
>> java.lang.ClassCastException:
>> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal cannot
>> be cast to org.jasig.cas.client.authentication.AttributePrincipal
>>
>> Is this the right way to do it?
>>
>> Below is the full log from CAS. Thanks for any guide you can provide.
>>
>> INFO:   2014-01-17 10:39:22,169 DEBUG
>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
>> service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
>> INFO:   2014-01-17 10:39:22,195 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:22,200 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:22,212 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT: http://localhost:8080/InteraccionSonriaCore/shiro-cas
>> ACTION: SERVICE_TICKET_NOT_CREATED
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:22 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:22,215 DEBUG
>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
>> service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
>> INFO:   2014-01-17 10:39:35,443 DEBUG
>> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] -
>> <Performing LDAP bind with credential:
>> uid=administrator,ou=People,dc=example,dc=com,dc=co>
>> INFO:   2014-01-17 10:39:35,474 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>> <org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
>> authenticated [username: administrator]>
>> INFO:   2014-01-17 10:39:35,474 DEBUG
>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>> - <Attempting to resolve a principal...>
>> INFO:   2014-01-17 10:39:35,474 DEBUG
>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>> - <Creating SimplePrincipal for [administrator]>
>> INFO:   2014-01-17 10:39:35,474 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <Created seed map='{username=[administrator]}' for uid='administrator'>
>> INFO:   2014-01-17 10:39:35,475 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <Adding attribute 'uid' with value '[administrator]' to query builder
>> 'null'>
>> INFO:   2014-01-17 10:39:35,482 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <Generated query builder '(uid=administrator)' from query Map
>> {username=[administrator]}.>
>> INFO:   2014-01-17 10:39:35,528 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved
>> principal administrator>
>> INFO:   2014-01-17 10:39:35,528 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - [hidden email]
>> INFO:   2014-01-17 10:39:35,529 DEBUG
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
>> for administrator: {Name=Administrator}>
>> INFO:   2014-01-17 10:39:35,532 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: [username: administrator]
>> WHAT: supplied credentials: [username: administrator]
>> ACTION: AUTHENTICATION_SUCCESS
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:35 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:35,537 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]
>> to registry.>
>> INFO:   2014-01-17 10:39:35,537 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: [username: administrator]
>> WHAT:
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org
>> ACTION: TICKET_GRANTING_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:35 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:35,538 DEBUG
>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
>> cookie with name [CASPRIVACY]>
>> INFO:   2014-01-17 10:39:35,538 DEBUG
>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
>> with name [CASTGC] and value [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:35,539 DEBUG
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org]
>> from registry.>
>> INFO:   2014-01-17 10:39:35,539 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:35,539 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:35,539 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT:
>> TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:35 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:35,540 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:35,540 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]
>> found in registry.>
>> INFO:   2014-01-17 10:39:35,543 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [
>> ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] to registry.>
>> INFO:   2014-01-17 10:39:35,543 INFO
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [
>> ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] for service [
>> http://localhost:8080/InteraccionSonriaCore/shiro-cas] for user
>> [administrator]>
>> INFO:   2014-01-17 10:39:35,543 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org
>> ]>
>> INFO:   2014-01-17 10:39:35,543 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [
>> TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]
>> found in registry.>
>> INFO:   2014-01-17 10:39:35,544 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: administrator
>> WHAT: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org for
>> http://localhost:8080/InteraccionSonriaCore/shiro-cas
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:35 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:35,568 DEBUG
>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
>> service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
>> INFO:   2014-01-17 10:39:35,570 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org]>
>> INFO:   2014-01-17 10:39:35,570 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [
>> ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] found in registry.>
>> INFO:   2014-01-17 10:39:35,570 DEBUG
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return
>> for service [HTTP and IMAP] is [administrator]. The default principal id is
>> [administrator].>
>> INFO:   2014-01-17 10:39:35,575 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [
>> ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] from registry>
>> INFO:   2014-01-17 10:39:35,575 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org]>
>> INFO:   2014-01-17 10:39:35,575 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org
>> ACTION: SERVICE_TICKET_VALIDATED
>> APPLICATION: CAS
>> WHEN: Fri Jan 17 10:39:35 COT 2014
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> INFO:   2014-01-17 10:39:35,600 DEBUG
>> [org.jasig.cas.web.ServiceValidateController] - <Successfully validated
>> service ticket: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org>
>> INFO:   2014-01-17 10:40:29,819 INFO
>> [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered
>> services.>
>> INFO:   2014-01-17 10:40:29,821 DEBUG
>> [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered
>> service ^(https?|imaps?)://.*>
>> INFO:   2014-01-17 10:40:29,821 INFO
>> [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>
>>
>>
>>
>> On 17/01/14 02:03, jleleu wrote:
>>
>> Hi,
>>
>> Good for SLO!
>>
>> Would you mind enabling DEBUG logs on org.jasig to see what's going on
>> in your Shiro application regarding SAML?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
>>
>>
>> Just to update, Single Sign Out works, the problem was my Shiro
>> application didn't have the signout filters before the rest... I moved
>> them up and it's working. However, the attribute retrieval from CAS is
>> still failing (when I set up the SAML validation protocol, I always get
>> redirected to casFilter.failureUrl). All required JARs are already
>> available on the classpath. Any help is greatly appreciated.
>>
>> Regards,
>>
>>
>> On 16/01/14 11:33, Eduardo J. Ortega U wrote:
>>
>>
>> Hi, Jérôme:
>>
>> Thanks for the info on the logout, I will try and report back. About
>> the attributes issue, I tried setting casRealm.validationProtocol =
>> SAML but when I try to access the protected areas, I get redirected to
>> CAS, do login and then I get redirected to my casFilter.failureUrl =
>> /error.jsp instead of my protected page.
>> From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that
>> my application should be submitting a POST request to cas/samlValidate,
>> I did some sniffing with wireshark and see no such request taking
>> place. Here's my shiro.ini (CAS protected areas are under protected,
>> feel free to ignore filters applying to other sections):
>>
>> [main]
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>> cauthc=co.com.sonria.seguridad.FiltroAutenticacion
>> cauthc.loginUrl = /publico/login.jsf
>> cauthc.successUrl = /comun/bienvenido.jsf
>> logout.redirectUrl = /publico/login.jsf
>> cauthc.usernameParam = j_username
>> cauthc.passwordParam = j_password
>> cauthc.failureKeyAttribute = loginFailure
>> casFilter = org.apache.shiro.cas.CasFilter
>> casFilter.failureUrl = /error.jsp
>> casRealm = org.apache.shiro.cas.CasRealm
>> casRealm.defaultRoles = ROLE_USER
>> #casRealm.defaultPermissions
>> #casRealm.roleAttributeNames
>> #casRealm.permissionAttributeNames
>> casRealm.validationProtocol = SAML
>> #casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
>> casRealm.casServerUrlPrefix =http://192.168.88.103:8080/cas-server-webapp/
>> casRealm.casService =http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
>> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
>> securityManager.subjectFactory = $casSubjectFactory
>> #roles.loginUrl = https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
>> roles.loginUrl = http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
>>
>> [users]
>> administrador=administrador,ADMINISTRADOR
>> gerente = gerente,GERENTE
>> profesional = profesional,PROFESIONAL
>> paciente = paciente,PACIENTE
>>
>> [urls]
>> / = authc
>> /publico/login.jsf=cauthc
>> /logout = logout
>> /plantillas/* = cauthc
>> /shiro-cas = casFilter
>> /protected/** = roles[ROLE_USER]
>>
>> Any ideas on what I might be doing wrong that tells my app there is a
>> CAS error instead of posting to the samlValidate URL? Thanks.
>>
>>
>> On 16/01/14 11:18, jleleu wrote:
>>
>> Hi,
>>
>> I'm talking about the CAS SLO: when calling /cas/logout, it should
>> trigger the destruction of the web session of your Shiro application.
>> To use SAML, you need to configure SAML on the Shiro application side
>> by using the setValidationProtocol method of the CasRealm object
>> (casRealm.validationProtocol = SAML).
>> Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
>> out-of-the-box in the CAS server (https://wiki.jasig.org/display/CASUM/SAML+1.1).
>> Best regards,
>> Jérôme
>>
>>
>>
>> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
>>
>>
>> Hi, Jérôme:
>>
>> Thanks for your reply. A couple of questions, though:
>>
>>   - When you say sign out should work, you mean I should call /logout
>>     from my app and it should log me out of CAS, or I should go to
>>     cas/logout and that should log me out of my application?
>>   - How do I go about using the SAML validation? Is this something I
>>     should set up in Shiro? On CAS? Both? Can you point me to any docs /
>>     examples?
>>
>> Thanks,
>>
>>
>> On 16/01/14 04:18, jleleu wrote:
>>
>> Hi,
>>
>> Regarding logout, I can't remember exactly if I did the test or
>> someone else, but I think it works. Did you try some debugging in the
>> SingleSignOutFilter?
>>
>> To get user's attributes, things are a little more complex:
>> - you need to retrieve the user's attributes inside the CAS server
>>   (should be what you did)
>> - define that you want to push these attributes for the CAS service
>>   representing the Shiro application (allowedAttributes or ignore
>>   parameter for this CAS service)
>> - use the SAML validation
>> And then, the user's attributes will be available as the second
>> principal:
>> https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
>>
>> Best regards,
>> Jérôme
>>



Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by jleleu <le...@gmail.com>.
Hi,

In fact, I'm retrieving the user identity using the *getPrincipals* method
of the *Subject* class:
https://github.com/leleuj/buji-pac4j-demo/blob/master/src/main/webapp/index.jsp#L33
The first principal is the uid, the second one is the pac4j user profile
(FacebookProfile, TwitterProfile...).
Best regards,
Jérôme



2014/1/17 Eduardo J. Ortega U [via Shiro User] <
ml-node+s582556n7579529h67@n2.nabble.com>

> Hi, Jérôme:
>
> I set up debug and read this:
>
> INFO:   2014-01-17 10:39:35,529 DEBUG
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
> for administrator: {Name=Administrator}>
>
> It seems like the attribute is being mapped, but for some reason I cannot
> access it. Or perhaps I am trying to access it in the wrong way. This is
> what I am doing:
>
>             Subject currentUser = SecurityUtils.getSubject();
>             AttributePrincipal principal =
> (AttributePrincipal)request.getUserPrincipal();
>             Map attributes = principal.getAttributes();
>
> But the cast from request to AttributePrincipal fails:
>
> java.lang.ClassCastException:
> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal cannot
> be cast to org.jasig.cas.client.authentication.AttributePrincipal
>
> Is this the right way to do it?
>
> Below is the full log from CAS. Thanks for any guide you can provide.
>
>
>
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.




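Jérôme's reply above points at Subject.getPrincipals() rather than request.getUserPrincipal(), which Eduardo's ClassCastException (below) shows is wrapped by Shiro as a ShiroHttpServletRequest$ObjectPrincipal. The following is an added example, not code from the thread, from Shiro or from buji-pac4j: it reads the CAS user id and attribute map from a Shiro PrincipalCollection, using the [userId, attributeMap] layout the thread cites from Shiro 1.2.x CasRealm. The realm name, the helper names and the sample attribute values are assumptions, and shiro-core must be on the classpath.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Reads the CAS user id and attribute map from a Shiro PrincipalCollection
 * instead of casting HttpServletRequest.getUserPrincipal(): under Shiro that
 * call returns a ShiroHttpServletRequest$ObjectPrincipal, which can never be
 * cast to org.jasig.cas.client.authentication.AttributePrincipal.
 * In a web application the collection comes from
 * SecurityUtils.getSubject().getPrincipals().
 */
public class CasSubjectAttributes {

    /** Realm name used for the constructed sample below (assumed value). */
    static final String REALM_NAME = "casRealm";

    /** Primary principal: CasRealm stores the CAS user id first. */
    static String userId(PrincipalCollection principals) {
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        Object primary = principals.getPrimaryPrincipal();
        return primary == null ? null : primary.toString();
    }

    /**
     * Attribute map released by CAS. Shiro 1.2.x CasRealm adds it as the second
     * principal; the loop searches for the Map rather than trusting its position,
     * so the lookup also survives realms that add further principals. Returns an
     * empty unmodifiable map when CAS released nothing (for example CAS 2.0
     * validation instead of SAML), so callers never dereference null.
     */
    @SuppressWarnings("unchecked")
    static Map<String, Object> attributes(PrincipalCollection principals) {
        if (principals == null) {
            return Collections.emptyMap();
        }
        for (Object principal : principals.asList()) {
            if (principal instanceof Map) {
                return Collections.unmodifiableMap((Map<String, Object>) principal);
            }
        }
        return Collections.emptyMap();
    }

    /** One attribute as a String, or defaultValue when it is absent. */
    static String attribute(PrincipalCollection principals, String name, String defaultValue) {
        Object value = attributes(principals).get(name);
        if (value == null) {
            return defaultValue;
        }
        // CAS may deliver multi-valued attributes as a List; use the first value.
        if (value instanceof List && !((List<?>) value).isEmpty()) {
            value = ((List<?>) value).get(0);
        }
        return value.toString();
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the Subject's principals after
        // CasRealm has validated a ticket; the "Name=Administrator" entry mirrors
        // the attribute map shown in the CAS debug log quoted in this thread.
        Map<String, Object> casAttrs = new LinkedHashMap<String, Object>();
        casAttrs.put("Name", "Administrator");
        PrincipalCollection principals = new SimplePrincipalCollection(
                Arrays.asList("administrator", casAttrs), REALM_NAME);

        System.out.println("user id : " + userId(principals));
        System.out.println("Name    : " + attribute(principals, "Name", "<none>"));
        System.out.println("dn      : " + attribute(principals, "dn", "<none>"));

        // Constructed sample with no attribute map at all: the lookup degrades
        // to an empty map instead of throwing.
        PrincipalCollection noAttrs = new SimplePrincipalCollection("administrator", REALM_NAME);
        System.out.println("attrs   : " + attributes(noAttrs));
    }
}
```

In the application, replace the constructed collections with SecurityUtils.getSubject().getPrincipals(); the attribute map is only populated when casRealm.validationProtocol = SAML and the CAS service registration releases the attributes, as described earlier in the thread.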

Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Hi, Jérôme:

I set up debug and read this:

INFO:   2014-01-17 10:39:35,529 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute 
map for administrator: {Name=Administrator}>

It seems like the attribute is being mapped, but for some reason I 
cannot access it. Or perhaps I am trying to access it in the wrong way. 
This is what I am doing:

Subject currentUser = SecurityUtils.getSubject();
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
Map attributes = principal.getAttributes();

But the cast from request to AttributePrincipal fails:

java.lang.ClassCastException: 
org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal 
cannot be cast to org.jasig.cas.client.authentication.AttributePrincipal

Is this the right way to do it?

Below is the full log from CAS. Thanks for any guide you can provide.

INFO:   2014-01-17 10:39:22,169 DEBUG 
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated 
service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
INFO:   2014-01-17 10:39:22,195 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org]>
INFO:   2014-01-17 10:39:22,200 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org]>
INFO:   2014-01-17 10:39:22,212 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: http://localhost:8080/InteraccionSonriaCore/shiro-cas
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:22 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:22,215 DEBUG 
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated 
service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
INFO:   2014-01-17 10:39:35,443 DEBUG 
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - 
<Performing LDAP bind with credential: 
uid=administrator,ou=People,dc=example,dc=com,dc=co>
INFO:   2014-01-17 10:39:35,474 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler 
successfully authenticated [username: administrator]>
INFO:   2014-01-17 10:39:35,474 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] 
- <Attempting to resolve a principal...>
INFO:   2014-01-17 10:39:35,474 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] 
- <Creating SimplePrincipal for [administrator]>
INFO:   2014-01-17 10:39:35,474 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - 
<Created seed map='{username=[administrator]}' for uid='administrator'>
INFO:   2014-01-17 10:39:35,475 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - 
<Adding attribute 'uid' with value '[administrator]' to query builder 
'null'>
INFO:   2014-01-17 10:39:35,482 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - 
<Generated query builder '(uid=administrator)' from query Map 
{username=[administrator]}.>
INFO:   2014-01-17 10:39:35,528 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved 
principal administrator>
INFO:   2014-01-17 10:39:35,528 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler@13c12e4e 
authenticated administrator with credential [username: administrator].>
INFO:   2014-01-17 10:39:35,529 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute 
map for administrator: {Name=Administrator}>
INFO:   2014-01-17 10:39:35,532 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: [username: administrator]
WHAT: supplied credentials: [username: administrator]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:35 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:35,537 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org] 
to registry.>
INFO:   2014-01-17 10:39:35,537 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: [username: administrator]
WHAT: 
TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:35 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:35,538 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed 
cookie with name [CASPRIVACY]>
INFO:   2014-01-17 10:39:35,538 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added 
cookie with name [CASTGC] and value 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]>
INFO:   2014-01-17 10:39:35,539 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket 
[TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org] 
from registry.>
INFO:   2014-01-17 10:39:35,539 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org]>
INFO:   2014-01-17 10:39:35,539 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org]>
INFO:   2014-01-17 10:39:35,539 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: 
TGT-27-ilyCEfM7aAHpE7dQfaAEYeh69s5GItx3Yc6tdTqPTZ1np0TdFu-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:35 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:35,540 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]>
INFO:   2014-01-17 10:39:35,540 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org] 
found in registry.>
INFO:   2014-01-17 10:39:35,543 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket 
[ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] to registry.>
INFO:   2014-01-17 10:39:35,543 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service 
ticket [ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] for service 
[http://localhost:8080/InteraccionSonriaCore/shiro-cas] for user 
[administrator]>
INFO:   2014-01-17 10:39:35,543 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org]>
INFO:   2014-01-17 10:39:35,543 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[TGT-1-Hr6RBu62I5Ws41yj1LT1B2YtCQLtv2YceaWrow6zyuPBSKiv1G-cas01.example.org] 
found in registry.>
INFO:   2014-01-17 10:39:35,544 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: administrator
WHAT: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org for 
http://localhost:8080/InteraccionSonriaCore/shiro-cas
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:35 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:35,568 DEBUG 
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated 
service for: http://localhost:8080/InteraccionSonriaCore/shiro-cas>
INFO:   2014-01-17 10:39:35,570 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket [ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org]>
INFO:   2014-01-17 10:39:35,570 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] found in registry.>
INFO:   2014-01-17 10:39:35,570 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to 
return for service [HTTP and IMAP] is [administrator]. The default 
principal id is [administrator].>
INFO:   2014-01-17 10:39:35,575 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket 
[ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org] from registry>
INFO:   2014-01-17 10:39:35,575 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to 
retrieve ticket [ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org]>
INFO:   2014-01-17 10:39:35,575 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jan 17 10:39:35 COT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
 >
INFO:   2014-01-17 10:39:35,600 DEBUG 
[org.jasig.cas.web.ServiceValidateController] - <Successfully validated 
service ticket: ST-1-evdgwpfSen9mPhEt2OxN-cas01.example.org>
INFO:   2014-01-17 10:40:29,819 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading 
registered services.>
INFO:   2014-01-17 10:40:29,821 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered 
service ^(https?|imaps?)://.*>
INFO:   2014-01-17 10:40:29,821 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>


--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

On 17/01/14 02:03, jleleu wrote:
> Hi,
>
> Good for SLO!
>
> Would you mind enabling *DEBUG* logs on *org.jasig* to see what's going on
> in your Shiro application regarding SAML?
>
> Thanks.
> Best regards,
> Jérôme
>
>
>
> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <
> ml-node+s582556n7579521h19@n2.nabble.com>
>
>> Just to update, Single Sign Out works, the problem was my Shiro
>> application didn't have the signout filters before the rest... I moved
>> them up and it's working. However, the attribute retrieval from CAS is
>> still failing (When I set up SAML validation protocol, I get always
>> redirected to casFilter.failureUrl). All required JARs are already
>> available on classpath. Any help is greatly appreciated.
>>
>> Regards,
>>
>> --
>> Eduardo J. Ortega
>> Tel: 57+1+2553580
>> Cel: 57+317+4415156
>> Zürich
>> CL 72 5 83 Piso 11, Bogotá, CO.
>>
>> On 16/01/14 11:33, Eduardo J. Ortega U wrote:
>>
>>> Hi, Jérôme:
>>>
>>> Thanks for the info on the logout, I will try and report back. About
>>> the attributes issue, I tried setting casRealm.validationProtocol =
>>> SAML but when I try to access the protected areas, I get redirected to
>>> CAS, do login and then I get redirected to my casFilter.failureUrl =
>>> /error.jsp instead of my protected page.
>>>  From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that
>>> my application should be submitting a POST request to cas/samlValidate
>>> , I did some sniffing with wireshark and see no such request taking
>>> place. Here's my shiro.ini (CAS protected areas are under protected,
>>> feel free to ignore filters applying to other sections):
>>>
>>> [main]
>>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>>> securityManager.cacheManager = $cacheManager
>>> cauthc=co.com.sonria.seguridad.FiltroAutenticacion
>>> cauthc.loginUrl = /publico/login.jsf
>>> cauthc.successUrl = /comun/bienvenido.jsf
>>> logout.redirectUrl = /publico/login.jsf
>>> cauthc.usernameParam = j_username
>>> cauthc.passwordParam = j_password
>>> cauthc.failureKeyAttribute = loginFailure
>>> casFilter = org.apache.shiro.cas.CasFilter
>>> casFilter.failureUrl = /error.jsp
>>> casRealm = org.apache.shiro.cas.CasRealm
>>> casRealm.defaultRoles = ROLE_USER
>>> #casRealm.defaultPermissions
>>> #casRealm.roleAttributeNames
>>> #casRealm.permissionAttributeNames
>>> casRealm.validationProtocol = SAML
>>> #casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
>>> casRealm.casServerUrlPrefix =
>>> http://192.168.88.103:8080/cas-server-webapp/
>>> casRealm.casService =
>>> http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
>>> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
>>> securityManager.subjectFactory = $casSubjectFactory
>>> #roles.loginUrl =
>>>
>> https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
>>> roles.loginUrl =
>>>
>> http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
>>> [users]
>>> administrador=administrador,ADMINISTRADOR
>>> gerente = gerente,GERENTE
>>> profesional = profesional,PROFESIONAL
>>> paciente = paciente,PACIENTE
>>>
>>> [urls]
>>> / = authc
>>> /publico/login.jsf=cauthc
>>> /logout = logout
>>> /plantillas/* = cauthc
>>> /shiro-cas = casFilter
>>> /protected/** = roles[ROLE_USER]
>>>
>>> Any ideas on what might I be doing wrong and telling my app there is a
>>> CAS error instead of posting to the samlValidate URL? Thanks.
>>>
>>> --
>>> Eduardo J. Ortega
>>> Tel: 57+1+2553580
>>> Cel: 57+317+4415156
>>> Zürich
>>> CL 72 5 83 Piso 11, Bogotá, CO.
>>>
>>> On 16/01/14 11:18, jleleu wrote:
>>>> Hi,
>>>>
>>>> I'm talking about the CAS SLO: when calling /cas/logout, it should
>>>> trigger
>>>> the destruction of the web session of your Shiro application.
>>>> To use SAML, you need to configure SAML on the Shiro application side
>> by
>>>> using the *setValidationProtocol* method of the *CasRealm* object
>>>> (casRealm.validationProtocol = SAML).
>>>> Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
>>>> out-of-the-box in the CAS server (
>>>> https://wiki.jasig.org/display/CASUM/SAML+1.1).
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>>
>>>> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
>>>>
>>>>> Hi, Jérôme:
>>>>>
>>>>> Thanks for your reply. A couple of questions, though:
>>>>>
>>>>>      - When you say sign out should work, you mean I should call
>> /logout
>>>>>      from my app and it should log me out of CAS, or I should go to
>>>>> cas/logout
>>>>>      and that should log me out of my application?
>>>>>      - How do I go about using the SAML validation? Is this something I
>>>>>      should setup in shiro? On CAS? Both? Can you point me to any docs
>> /
>>>>>      examples?
>>>>>
>>>>> Thanks,
>>>>>
>>>>>    --
>>>>> Eduardo J. Ortega
>>>>> Tel: 57+1+2553580
>>>>> Cel: 57+317+4415156
>>>>> Zürich
>>>>> CL 72 5 83 Piso 11, Bogotá, CO.
>>>>>
>>>>> On 16/01/14 04:18, jleleu wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Regarding logout, I can't remember exactly if I did the test or
>> someone
>>>>> else, but I think it works. Did you try some debugging in the
>>>>> SingleSignOutFilter?
>>>>>
>>>>> To get user's attributes, things are a little more complex:
>>>>> - you need to retrieve the user's attributes inside the CAS server
>>>>> (should
>>>>> be what you did)
>>>>> - define that you want to push these attributes for the CAS service
>>>>> representing the Shiro application (*allowedAttributes* or
>>>>> *ignore* parameter for this CAS service)
>>>>> - use the SAML validation
>>>>> And then, the user's attributes will be available as the second
>>>>> principal:
>> https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
>>>>> .
>>>>>
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
>>>>>
>>>>>
>>>>>    Hi, all:
>>>>>
>>>>> We are setting up our first Shiro enabled application with CAS
>>>>> authentication. Authentication seems to work fine, however, we have
>> two
>>>>> issues:
>>>>>
>>>>>      - We want to have Single Sign out, so that when a user signs out
>> of
>>>>>      CAS, he/she is signed out of CAS and therefore all apps.
>>>>> Currently, if I
>>>>>      logout of the application (using Shiro's logout feature), and
>>>>> then try to
>>>>>      access one of the protected pages, browser gets redirected to
>>>>> CAS, which in
>>>>>      turn validates and redirects to http://myhost/myapp/shiro-cas
>>>>> and then
>>>>>      /shiro-cas redirects it to the requested URL of the application,
>> so
>>>>>      effectively the user is logged back in the application. Also, if
>>>>> the user
>>>>>      logs out of CAS (visiting http://myhost/CAS/logout) its CAS
>> session
>>>>>      ends but the application session remains, so he / she can still
>>>>> access the
>>>>>      protected areas. I set up the following on myapp web.xml:
>>>>>
>>>>>
>>>>>       <filter>
>>>>>           <filter-name>CAS Single Sign Out Filter</filter-name>
>>>>>
>>>>>
>> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>>
>>>>>       </filter>
>>>>>
>>>>>       <filter-mapping>
>>>>>           <filter-name>CAS Single Sign Out Filter</filter-name>
>>>>>           <url-pattern>/*</url-pattern>
>>>>>       </filter-mapping>
>>>>>
>>>>>       <listener>
>>>>>
>>>>>
>> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>>
>>>>>       </listener>
>>>>>
>>>>> But it is not working. What am I missing?
>>>>>
>>>>>      - We want to access some of the user attributes from inside our
>>>>>      application. I set up CAS properties to map the attributes,
>>>>> setting this on
>>>>>      CAS deployerConfigContext.xml
>>>>>
>>>>> <bean id="attributeRepository"
>>>>>
>> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>>>>>           <property name="contextSource" ref="contextSource" />
>>>>>           <property name="baseDN"
>>>>> value="ou=People,dc=example,dc=com,dc=co"
>>>>> />
>>>>>           <property name="requireAllQueryAttributes" value="true" />
>>>>>           <property name="queryAttributeMapping">
>>>>>               <map>
>>>>>                   <entry key="username" value="uid" />
>>>>>               </map>
>>>>>           </property>
>>>>>           <property name="resultAttributeMapping">
>>>>>               <map>
>>>>>                   <!-- Mapping between LDAP entry attributes (key) and
>>>>> Principal's (value) -->
>>>>>                   <entry value="Name" key="displayName" />
>>>>>                   <entry key="distinguishedName" value="dn" />
>>>>>               </map>
>>>>>           </property>
>>>>>       </bean>
>>>>>    And then access them from inside the Shiro application like this:
>>>>>
>>>>> AttributePrincipal principal =
>>>>> (AttributePrincipal)request.getUserPrincipal();
>>>>> Map attributes = principal.getAttributes();
>>>>>
>>>>> But we get an error saying we cannot cast Request to
>>>>> AttributePrincipal. I
>>>>> guess I am missing something here, too.
>>>>>
>>>>> Any help is greatly appreciated.
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> Eduardo J. Ortega
>>>>> Tel: 57+1+2553580
>>>>> Cel: 57+317+4415156
>>>>> Zürich
>>>>> CL 72 5 83 Piso 11, Bogotá, CO.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>    --
>>>>> View this message in context:
>>>>>
>> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
>>>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> View this message in context:
>>>>
>> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579518.html
>>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>
>>
>>
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579525.html
> Sent from the Shiro User mailing list archive at Nabble.com.
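The cast error reported in this thread comes from looking for the attributes in the wrong place: under Shiro, request.getUserPrincipal() returns Shiro's own Principal wrapper around the user id, not a Jasig AttributePrincipal, and, as Jérôme points out, CasRealm (Shiro 1.2.x) stores the released attribute map as the second principal of the Subject's PrincipalCollection. The class below is an added example, not code from the thread or from the Shiro project, showing how to read the attributes from there; the package and class names are hypothetical, and it assumes casRealm.validationProtocol = SAML with the CAS service registration allowing the attributes to be released.

```java
package com.example.cas;                       // hypothetical package name

import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Reads the CAS attributes that Shiro's CasRealm (1.2.x) stores in the
 * Subject's PrincipalCollection. CasRealm builds the collection as
 * asList(userId, attributes): index 0 is the user id (a String), index 1 is
 * the Map of attributes the CAS server released for this service.
 */
public final class CasAttributes {

    private CasAttributes() {
    }

    /**
     * Returns the released attribute map, or an empty map when the subject is
     * not authenticated, was not authenticated by CasRealm, or CAS released no
     * attributes (for example CAS 2.0 validation instead of SAML 1.1).
     */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> attributesOf(Subject subject) {
        if (subject == null || !subject.isAuthenticated()) {
            return Collections.emptyMap();
        }
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return Collections.emptyMap();
        }
        List<?> list = principals.asList();
        // Guard both the position and the type: another realm may have put
        // something else (or nothing) at index 1.
        if (list.size() < 2 || !(list.get(1) instanceof Map)) {
            return Collections.emptyMap();
        }
        return (Map<String, Object>) list.get(1);
    }

    /**
     * Single-valued accessor. The CAS client may deliver a multi-valued
     * attribute as a List; take the first element in that case.
     */
    public static String firstValue(Map<String, Object> attributes, String name) {
        Object value = attributes.get(name);
        if (value instanceof List) {
            List<?> values = (List<?>) value;
            return values.isEmpty() ? null : String.valueOf(values.get(0));
        }
        return value == null ? null : String.valueOf(value);
    }

    /**
     * What the servlet/JSF code in the thread wanted: the user's display name.
     * "Name" is the key chosen in the resultAttributeMapping of the
     * attributeRepository bean quoted above; the user id is the fallback.
     */
    public static String currentUserDisplayName() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            return null;
        }
        String name = firstValue(attributesOf(subject), "Name");
        return name != null ? name : String.valueOf(subject.getPrincipal());
    }
}
```

Call CasAttributes.currentUserDisplayName() from any code that runs inside a Shiro-filtered request; if the map is always empty, the CAS server is not releasing attributes for this service, which is the second step in Jérôme's list.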


Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by jleleu <le...@gmail.com>.
Hi,

Good for SLO!

Would you mind enabling *DEBUG* logs on *org.jasig* to see what's going on
in your Shiro application regarding SAML?

Thanks.
Best regards,
Jérôme



2014/1/16 Eduardo J. Ortega U [via Shiro User] <
ml-node+s582556n7579521h19@n2.nabble.com>

> Just to update, Single Sign Out works, the problem was my Shiro
> application didn't have the signout filters before the rest... I moved
> them up and it's working. However, the attribute retrieval from CAS is
> still failing (When I set up SAML validation protocol, I get always
> redirected to casFilter.failureUrl). All required JARs are already
> available on classpath. Any help is greatly appreciated.
>
> Regards,
>
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
> On 16/01/14 11:33, Eduardo J. Ortega U wrote:
>
> > Hi, Jérôme:
> >
> > Thanks for the info on the logout, I will try and report back. About
> > the attributes issue, I tried setting casRealm.validationProtocol =
> > SAML but when I try to access the protected areas, I get redirected to
> > CAS, do login and then I get redirected to my casFilter.failureUrl =
> > /error.jsp instead of my protected page.
> > From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that
> > my application should be submitting a POST request to cas/samlValidate
> > , I did some sniffing with wireshark and see no such request taking
> > place. Here's my shiro.ini (CAS protected areas are under protected,
> > feel free to ignore filters applying to other sections):
> >
> > [main]
> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> > securityManager.cacheManager = $cacheManager
> > cauthc=co.com.sonria.seguridad.FiltroAutenticacion
> > cauthc.loginUrl = /publico/login.jsf
> > cauthc.successUrl = /comun/bienvenido.jsf
> > logout.redirectUrl = /publico/login.jsf
> > cauthc.usernameParam = j_username
> > cauthc.passwordParam = j_password
> > cauthc.failureKeyAttribute = loginFailure
> > casFilter = org.apache.shiro.cas.CasFilter
> > casFilter.failureUrl = /error.jsp
> > casRealm = org.apache.shiro.cas.CasRealm
> > casRealm.defaultRoles = ROLE_USER
> > #casRealm.defaultPermissions
> > #casRealm.roleAttributeNames
> > #casRealm.permissionAttributeNames
> > casRealm.validationProtocol = SAML
> > #casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
> > casRealm.casServerUrlPrefix =
> > http://192.168.88.103:8080/cas-server-webapp/
> > casRealm.casService =
> > http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
> > casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> > securityManager.subjectFactory = $casSubjectFactory
> > #roles.loginUrl =
> >
> https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
> > roles.loginUrl =
> >
> http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
> >
> > [users]
> > administrador=administrador,ADMINISTRADOR
> > gerente = gerente,GERENTE
> > profesional = profesional,PROFESIONAL
> > paciente = paciente,PACIENTE
> >
> > [urls]
> > / = authc
> > /publico/login.jsf=cauthc
> > /logout = logout
> > /plantillas/* = cauthc
> > /shiro-cas = casFilter
> > /protected/** = roles[ROLE_USER]
> >
> > Any ideas on what might I be doing wrong and telling my app there is a
> > CAS error instead of posting to the samlValidate URL? Thanks.
> >
> > --
> > Eduardo J. Ortega
> > Tel: 57+1+2553580
> > Cel: 57+317+4415156
> > Zürich
> > CL 72 5 83 Piso 11, Bogotá, CO.
> >
> > On 16/01/14 11:18, jleleu wrote:
> >> Hi,
> >>
> >> I'm talking about the CAS SLO: when calling /cas/logout, it should
> >> trigger
> >> the destruction of the web session of your Shiro application.
> >> To use SAML, you need to configure SAML on the Shiro application side
> by
> >> using the *setValidationProtocol* method of the *CasRealm* object
> >> (casRealm.validationProtocol = SAML).
> >> Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
> >> out-of-the-box in the CAS server (
> >> https://wiki.jasig.org/display/CASUM/SAML+1.1).
> >> Best regards,
> >> Jérôme
> >>
> >>
> >>
> >> 2014/1/16 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
> >>
> >>> Hi, Jérôme:
> >>>
> >>> Thanks for your reply. A couple of questions, though:
> >>>
> >>>     - When you say sign out should work, you mean I should call
> /logout
> >>>     from my app and it should log me out of CAS, or I should go to
> >>> cas/logout
> >>>     and that should log me out of my application?
> >>>     - How do I go about using the SAML validation? Is this something I
> >>>     should setup in shiro? On CAS? Both? Can you point me to any docs
> /
> >>>     examples?
> >>>
> >>> Thanks,
> >>>
> >>>   --
> >>> Eduardo J. Ortega
> >>> Tel: 57+1+2553580
> >>> Cel: 57+317+4415156
> >>> Zürich
> >>> CL 72 5 83 Piso 11, Bogotá, CO.
> >>>
> >>> On 16/01/14 04:18, jleleu wrote:
> >>>
> >>> Hi,
> >>>
> >>> Regarding logout, I can't remember exactly if I did the test or
> someone
> >>> else, but I think it works. Did you try some debugging in the
> >>> SingleSignOutFilter?
> >>>
> >>> To get user's attributes, things are a little more complex:
> >>> - you need to retrieve the user's attributes inside the CAS server
> >>> (should
> >>> be what you did)
> >>> - define that you want to push these attributes for the CAS service
> >>> representing the Shiro application (*allowedAttributes* or
> >>> *ignore* parameter for this CAS service)
> >>> - use the SAML validation
> >>> And then, the user's attributes will be available as the second
> >>> principal:
> https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
> >>> .
> >>>
> >>> Best regards,
> >>> Jérôme
> >>>
> >>>
> >>>
> >>>
> >>> 2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
> >>>
> >>>
> >>>   Hi, all:
> >>>
> >>> We are setting up our first Shiro enabled application with CAS
> >>> authentication. Authentication seems to work fine, however, we have
> two
> >>> issues:
> >>>
> >>>     - We want to have Single Sign out, so that when a user signs out
> of
> >>>     CAS, he/she is signed out of CAS and therefore all apps.
> >>> Currently, if I
> >>>     logout of the application (using Shiro's logout feature), and
> >>> then try to
> >>>     access one of the protected pages, browser gets redirected to
> >>> CAS, which in
> >>>     turn validates and redirects to http://myhost/myapp/shiro-cas
> >>> and then
> >>>     /shiro-cas redirects it to the requested URL of the application,
> so
> >>>     effectively the user is logged back in the application. Also, if
> >>> the user
> >>>     logs out of CAS (visiting http://myhost/CAS/logout) its CAS
> session
> >>>     ends but the application session remains, so he / she can still
> >>> access the
> >>>     protected areas. I set up the following on myapp web.xml:
> >>>
> >>>
> >>>      <filter>
> >>>          <filter-name>CAS Single Sign Out Filter</filter-name>
> >>>
> >>>
> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>
> >>>
> >>>      </filter>
> >>>
> >>>      <filter-mapping>
> >>>          <filter-name>CAS Single Sign Out Filter</filter-name>
> >>>          <url-pattern>/*</url-pattern>
> >>>      </filter-mapping>
> >>>
> >>>      <listener>
> >>>
> >>>
> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>
> >>>
> >>>      </listener>
> >>>
> >>> But it is not working. What am I missing?
> >>>
> >>>     - We want to access some of the user attributes from inside our
> >>>     application. I set up CAS properties to map the attributes,
> >>> setting this on
> >>>     CAS deployerConfigContext.xml
> >>>
> >>> <bean id="attributeRepository"
> >>>
> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> >>>
> >>>          <property name="contextSource" ref="contextSource" />
> >>>          <property name="baseDN"
> >>> value="ou=People,dc=example,dc=com,dc=co"
> >>> />
> >>>          <property name="requireAllQueryAttributes" value="true" />
> >>>          <property name="queryAttributeMapping">
> >>>              <map>
> >>>                  <entry key="username" value="uid" />
> >>>              </map>
> >>>          </property>
> >>>          <property name="resultAttributeMapping">
> >>>              <map>
> >>>                  <!-- Mapping between LDAP entry attributes (key) and
> >>> Principal's (value) -->
> >>>                  <entry value="Name" key="displayName" />
> >>>                  <entry key="distinguishedName" value="dn" />
> >>>              </map>
> >>>          </property>
> >>>      </bean>
> >>>   And then access them from inside the Shiro application like this:
> >>>
> >>> AttributePrincipal principal =
> >>> (AttributePrincipal)request.getUserPrincipal();
> >>> Map attributes = principal.getAttributes();
> >>>
> >>> But we get an error saying we cannot cast Request to
> >>> AttributePrincipal. I
> >>> guess I am missing something here, too.
> >>>
> >>> Any help is greatly appreciated.
> >>>
> >>>
> >>> --
> >>> --
> >>> Eduardo J. Ortega
> >>> Tel: 57+1+2553580
> >>> Cel: 57+317+4415156
> >>> Zürich
> >>> CL 72 5 83 Piso 11, Bogotá, CO.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>   --
> >>> View this message in context:
> >>>
> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
> >>> Sent from the Shiro User mailing list archive at Nabble.com.
> >>>
> >>>
> >>>
> >>>
> >>> ------------------------------
> >>>   If you reply to this email, your message will be added to the
> >>> discussion
> >>> below:
> >>>
> >>>
> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579517.html
>
> >>>
> >>>   To start a new topic under Shiro User, email
> >>> [hidden email] <http://user/SendEmail.jtp?type=node&node=7579521&i=1>
> >>> To unsubscribe from Shiro User, click
> >>> here<
> >>> .
> >>> NAML<
> http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
> >>>
> >>>
> >>
> >>
> >>
> >> --
> >> View this message in context:
> >>
> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579518.html
> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >
> >
>
>
>
> ------------------------------
>  If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579521.html
>  To start a new topic under Shiro User, email
> ml-node+s582556n582556h4@n2.nabble.com
> To unsubscribe from Shiro User, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=582556&code=bGVsZXVqQGdtYWlsLmNvbXw1ODI1NTZ8LTExNzY2MzcxMTY=>
> .
> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>




--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579525.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Just to update, Single Sign Out works, the problem was my Shiro 
application didn't have the signout filters before the rest... I moved 
them up and it's working. However, the attribute retrieval from CAS is 
still failing (when I set up the SAML validation protocol, I always get 
redirected to casFilter.failureUrl). All required JARs are already 
available on the classpath. Any help is greatly appreciated.

Regards,

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

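On the attribute question that stays open in this thread: under ShiroFilter the servlet request is wrapped by Shiro, and getUserPrincipal() returns Shiro's own Principal wrapper around the primary principal (the user id string), never the Jasig AttributePrincipal, so the cast in the original post cannot succeed. CasRealm puts the user id and the attribute map released by CAS into the subject's PrincipalCollection as its first and second principals, so the map has to be read from the Shiro Subject. The helper below is an added example, not code from the thread or from Shiro; it assumes Shiro 1.2.x with shiro-cas on the classpath, and the CasAttributes class name, the sample user id and the released attribute values in main are constructed for the demonstration. Attributes only reach this map when the CAS service entry for the application releases them and the realm validates with a protocol that carries them, as noted earlier in the thread.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Reads the CAS attribute map that CasRealm stores as the second principal. */
public final class CasAttributes {

    private CasAttributes() {
    }

    /** Attributes of the current Shiro subject, or an empty map when none were released. */
    public static Map<String, Object> current() {
        Subject subject = SecurityUtils.getSubject();
        return fromPrincipals(subject.getPrincipals());
    }

    /**
     * CasRealm builds its PrincipalCollection as [userId, attributeMap]; the map is
     * selected by type so the code does not depend on the primary principal's class.
     */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> fromPrincipals(PrincipalCollection principals) {
        if (principals == null || principals.isEmpty()) {
            return Collections.emptyMap();
        }
        Collection<Map> maps = principals.byType(Map.class);
        if (maps.isEmpty()) {
            return Collections.emptyMap();
        }
        return Collections.unmodifiableMap((Map<String, Object>) maps.iterator().next());
    }

    /**
     * Single string value of an attribute. CAS releases multi-valued attributes as a
     * List, so a naive (String) cast would fail on those; the first value is returned.
     */
    public static String firstValue(Map<String, Object> attributes, String name) {
        Object value = attributes.get(name);
        if (value instanceof List) {
            List<?> values = (List<?>) value;
            return values.isEmpty() ? null : String.valueOf(values.get(0));
        }
        return value == null ? null : value.toString();
    }

    /** Demo on a constructed principal collection shaped the way CasRealm builds it. */
    public static void main(String[] args) {
        Map<String, Object> released = new HashMap<String, Object>();
        released.put("Name", "Eduardo Ortega");                        // constructed sample value
        released.put("memberOf", Arrays.asList("cn=staff", "cn=dev")); // constructed multi-valued sample
        PrincipalCollection principals =
            new SimplePrincipalCollection(Arrays.<Object>asList("eortega", released), "casRealm");

        Map<String, Object> attrs = fromPrincipals(principals);
        System.out.println("primary=" + principals.getPrimaryPrincipal()
            + " Name=" + firstValue(attrs, "Name")
            + " memberOf=" + firstValue(attrs, "memberOf"));
    }
}
```

In a JSF page or servlet the call is simply CasAttributes.current(); the values are the ones CAS signed into the validated ticket response, so they are safe to use for display and for role mapping, but anything you store from them should still be treated as data, not as code.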

Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Hi, Jérôme:

Thanks for the info on the logout, I will try and report back. About the 
attributes issue, I tried setting casRealm.validationProtocol = SAML but 
when I try to access the protected areas, I get redirected to CAS, do 
login and then I get redirected to my casFilter.failureUrl = /error.jsp 
instead of my protected page.
From https://wiki.jasig.org/display/CASUM/SAML+1.1 I understand that my 
application should be submitting a POST request to cas/samlValidate, I 
did some sniffing with Wireshark and see no such request taking place. 
Here's my shiro.ini (CAS protected areas are under protected, feel free 
to ignore filters applying to other sections):

[main]
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
cauthc=co.com.sonria.seguridad.FiltroAutenticacion
cauthc.loginUrl = /publico/login.jsf
cauthc.successUrl = /comun/bienvenido.jsf
logout.redirectUrl = /publico/login.jsf
cauthc.usernameParam = j_username
cauthc.passwordParam = j_password
cauthc.failureKeyAttribute = loginFailure
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
#casRealm.defaultPermissions
#casRealm.roleAttributeNames
#casRealm.permissionAttributeNames
casRealm.validationProtocol = SAML
#casRealm.casServerUrlPrefix = http://192.168.88.207:8080/cas/
casRealm.casServerUrlPrefix = http://192.168.88.103:8080/cas-server-webapp/
casRealm.casService = 
http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
#roles.loginUrl = 
https://192.168.88.207:8181/cas/login?service=http://localhost:8080/InteraccionSonriaCore/shiro-cas
roles.loginUrl = 
http://192.168.88.103:8080/cas-server-webapp/login?service=http://192.168.88.103:8080/InteraccionSonriaCore/shiro-cas

[users]
administrador=administrador,ADMINISTRADOR
gerente = gerente,GERENTE
profesional = profesional,PROFESIONAL
paciente = paciente,PACIENTE

[urls]
/ = authc
/publico/login.jsf=cauthc
/logout = logout
/plantillas/* = cauthc
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]

Any ideas on what I might be doing wrong that tells my app there is a 
CAS error instead of posting to the samlValidate URL? Thanks.

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

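On why the switch to SAML ends at failureUrl: with casRealm.validationProtocol = SAML, CasRealm builds a Jasig Saml11TicketValidator, which POSTs the ticket to the samlValidate endpoint under casServerUrlPrefix and rejects assertions whose NotBefore/NotOnOrAfter window disagrees with the client clock by more than its tolerance (1000 ms by default). Any TicketValidationException is wrapped in a CasAuthenticationException, and CasFilter logs that cause only at DEBUG before redirecting to failureUrl, so the first check is to enable DEBUG logging for org.apache.shiro.cas and read the wrapped exception. The realm subclass below is an added example, not code from the thread or from Shiro: it surfaces the validation failure at WARN and makes the tolerance configurable from shiro.ini. The class name SamlCasRealm and the toleranceMillis property are assumptions introduced here, and whether clock skew or the service registry's attribute settings explain the failure reported in this thread is not established by it.

```java
// Wire it in shiro.ini in place of the stock realm (class name and property
// are assumptions of this example, not Shiro's own):
//   casRealm = SamlCasRealm
//   casRealm.validationProtocol = SAML
//   casRealm.toleranceMillis = 5000
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.cas.CasRealm;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.jasig.cas.client.validation.Saml11TicketValidator;
import org.jasig.cas.client.validation.TicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * CasRealm that logs ticket validation failures at WARN (CasFilter only logs
 * them at DEBUG before redirecting to failureUrl) and exposes the SAML 1.1
 * clock-skew tolerance as a bean property settable from shiro.ini.
 */
public class SamlCasRealm extends CasRealm {

    private static final Logger log = LoggerFactory.getLogger(SamlCasRealm.class);

    // Saml11TicketValidator's own default: assertions whose validity window is
    // further than this from the client clock are rejected.
    private long toleranceMillis = 1000L;

    public long getToleranceMillis() {
        return toleranceMillis;
    }

    public void setToleranceMillis(long toleranceMillis) {
        this.toleranceMillis = toleranceMillis;
    }

    /** Same validator selection CasRealm makes, with the tolerance applied to the SAML one. */
    @Override
    protected TicketValidator createTicketValidator() {
        String prefix = getCasServerUrlPrefix();
        if ("saml".equalsIgnoreCase(getValidationProtocol())) {
            Saml11TicketValidator validator = new Saml11TicketValidator(prefix);
            validator.setTolerance(toleranceMillis);
            log.info("SAML 1.1 ticket validation against {} with tolerance {} ms", prefix, toleranceMillis);
            return validator;
        }
        log.info("CAS 2.0 ticket validation against {}", prefix);
        return new Cas20ServiceTicketValidator(prefix);
    }

    /** Surface the wrapped TicketValidationException instead of silently landing on failureUrl. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        try {
            return super.doGetAuthenticationInfo(token);
        } catch (AuthenticationException e) {
            log.warn("CAS ticket validation failed for service {}: {}", getCasService(), e.getMessage(), e);
            throw e;
        }
    }
}
```

Keep the tolerance as small as the deployment's clock synchronisation allows: widening it accepts older assertions, so fixing NTP on both hosts is the real remedy and the property is there to confirm the diagnosis, not to hide it.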



Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by jleleu <le...@gmail.com>.
Hi,

I'm talking about the CAS SLO: when calling /cas/logout, it should trigger
the destruction of the web session of your Shiro application.
To use SAML, you need to configure SAML on the Shiro application side by
using the *setValidationProtocol* method of the *CasRealm* object
(casRealm.validationProtocol = SAML).
Unless you use CAS 4.0-RCx, the SAML validation endpoint is available
out-of-the-box in the CAS server (
https://wiki.jasig.org/display/CASUM/SAML+1.1).
Best regards,
Jérôme



2014/1/16 Eduardo J. Ortega U [via Shiro User] <
ml-node+s582556n7579517h95@n2.nabble.com>

> Hi, Jérôme:
>
> Thanks for your reply. A couple of questions, though:
>
>    - When you say sign out should work, you mean I should call /logout
>    from my app and it should log me out of CAS, or I should go to cas/logout
>    and that should log me out of my application?
>    - How do I go about using the SAML validation? Is this something I
>    should setup in shiro? On CAS? Both? Can you point me to any docs /
>    examples?
>
> Thanks,
>
>  --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
> On 16/01/14 04:18, jleleu wrote:
>
> Hi,
>
> Regarding logout, I can't remember exactly if I did the test or someone
> else, but I think it works. Did you try some debugging in the
> SingleSignOutFilter?
>
> To get user's attributes, things are a little more complex:
> - you need to retrieve the user's attributes inside the CAS server (should
> be what you did)
> - define that you want to push these attributes for the CAS service
> representing the Shiro application (*allowedAttributes* or
> *ignore*parameter for this CAS service)
> - use the SAML validation
> And then, the user's attributes will be available as the second principal:https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
> .
>
> Best regards,
> Jérôme
>
>
>
>
> 2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
>
>
>  Hi, all:
>
> We are setting up our first Shiro enabled application with CAS
> authentication. Authentication seems to work fine, however, we have two
> issues:
>
>    - We want to have Single Sign out, so that when a user signs out of
>    CAS, he/she is signed out of CAS and therefore all apps. Currently, if I
>    logout of the application (using Shiro's logout feature), and then try to
>    access one of the protected pages, browser gets redirected to CAS, which in
>    turn validates and redirects to http://myhost/myapp/shiro-cas and then
>    /shiro-cas redirects it to the requested URL of the application, so
>    effectively the user is logged back in the application. Also, if the user
>    logs out of CAS (visiting http://myhost/CAS/logout) its CAS session
>    ends but the application session remains, so he / she can still access the
>    protected areas. I set up the following on myapp web.xml:
>
>
>     <filter>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>
> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
>     <listener>
>
> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>     </listener>
>
> But it is not working. What am I missing?
>
>    - We want to access some of the user attributes from inside our
>    application. I set up CAS properties to map the attributes, setting this on
>    CAS deployerConfigContext.xml
>
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>         <property name="contextSource" ref="contextSource" />
>         <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co"
> />
>         <property name="requireAllQueryAttributes" value="true" />
>         <property name="queryAttributeMapping">
>             <map>
>                 <entry key="username" value="uid" />
>             </map>
>         </property>
>         <property name="resultAttributeMapping">
>             <map>
>                 <!-- Mapping between LDAP entry attributes (key) and
> Principal's (value) -->
>                 <entry value="Name" key="displayName" />
>                 <entry key="distinguishedName" value="dn" />
>             </map>
>         </property>
>     </bean>
>  And then access them from inside the Shiro application like this:
>
> AttributePrincipal principal =
> (AttributePrincipal)request.getUserPrincipal();
> Map attributes = principal.getAttributes();
>
> But we get an error saying we cannot cast Request to AttributePrincipal. I
> guess I am missing something here, too.
>
> Any help is greatly appreciated.
>
>
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
>
>




--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579518.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Hi, Jérôme:

Thanks for your reply. A couple of questions, though:

  * When you say sign out should work, you mean I should call /logout
    from my app and it should log me out of CAS, or I should go to
    cas/logout and that should log me out of my application?
  * How do I go about using the SAML validation? Is this something I
    should setup in shiro? On CAS? Both? Can you point me to any docs /
    examples?

Thanks,

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

On 16/01/14 04:18, jleleu wrote:
> Hi,
>
> Regarding logout, I can't remember exactly if I did the test or someone
> else, but I think it works. Did you try some debugging in the
> SingleSignOutFilter?
>
> To get the user's attributes, things are a little more complex:
> - you need to retrieve the user's attributes inside the CAS server (should
> be what you did)
> - define that you want to push these attributes for the CAS service
> representing the Shiro application (*allowedAttributes* or
> *ignore* parameter for this CAS service)
> - use the SAML validation
> And then, the user's attributes will be available as the second principal:
> https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
> .
>
> Best regards,
> Jérôme


Re: CAS Single Sign Out and LDAP attribute retrieval

Posted by jleleu <le...@gmail.com>.
Hi,

Regarding logout, I can't remember exactly if I did the test or someone
else, but I think it works. Did you try some debugging in the
SingleSignOutFilter?

To get the user's attributes, things are a little more complex:
- you need to retrieve the user's attributes inside the CAS server (should
be what you did)
- define that you want to push these attributes for the CAS service
representing the Shiro application (*allowedAttributes* or
*ignore* parameter for this CAS service)
- use the SAML validation
And then, the user's attributes will be available as the second principal:
https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
.

Best regards,
Jérôme




--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579514.html
Sent from the Shiro User mailing list archive at Nabble.com.
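Jérôme's answer says the released attributes arrive as the second principal that CasRealm puts into the Subject's PrincipalCollection. The following is an added example written for this page, not code from the thread and not part of Shiro or CAS itself: it shows, in a comment, the Shiro-side configuration that selects SAML ticket validation, and a small helper that reads the user id and the attribute map back out of the PrincipalCollection instead of casting request.getUserPrincipal(). It assumes Shiro 1.2.x with the shiro-cas module on the classpath. The hostnames and paths, the CasUserAttributes and CasUser class names, and the attribute names "Name" and "dn" (the values from the resultAttributeMapping posted above) are placeholders; the CAS service registration must still release those attributes, as Jérôme notes.

```java
// Added example, not from the thread or from Shiro itself.
// Reads the CAS attributes that org.apache.shiro.cas.CasRealm (Shiro 1.2.x)
// stores as the second principal of the authenticated Subject.
//
// Assumed shiro.ini for the application (hosts/paths are the placeholders used
// in the thread). validationProtocol = SAML is what makes the attribute map
// non-empty; the CAS service registration must also release the attributes.
//
//   [main]
//   casRealm = org.apache.shiro.cas.CasRealm
//   casRealm.casServerUrlPrefix = https://myhost/CAS
//   casRealm.casService = https://myhost/myapp/shiro-cas
//   casRealm.validationProtocol = SAML
//   casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
//   securityManager.subjectFactory = $casSubjectFactory
//   casFilter = org.apache.shiro.cas.CasFilter
//   casFilter.failureUrl = /error.jsp
//
//   [urls]
//   /shiro-cas = casFilter
//   /logout = logout
//   /** = user

import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public final class CasUserAttributes {

    private CasUserAttributes() {}

    /** What CasRealm put into the PrincipalCollection: the CAS user id and the released attributes. */
    public static final class CasUser {
        public final String userId;
        public final Map<String, Object> attributes;

        CasUser(String userId, Map<String, Object> attributes) {
            this.userId = userId;
            this.attributes = attributes;
        }

        /**
         * Returns an attribute as a String, or null when CAS did not release it.
         * CAS sends a multi-valued attribute as a List; the first value is used then.
         */
        public String get(String name) {
            Object v = attributes.get(name);
            if (v instanceof List) {
                List<?> values = (List<?>) v;
                return values.isEmpty() ? null : String.valueOf(values.get(0));
            }
            return v == null ? null : String.valueOf(v);
        }
    }

    /**
     * CasRealm.doGetAuthenticationInfo builds the PrincipalCollection as
     * [userId, attributeMap]. The map is empty, not absent, when the ticket was
     * validated with the default CAS protocol or the service releases nothing,
     * so callers must not assume the attribute they want is present.
     */
    public static CasUser fromPrincipals(PrincipalCollection principals) {
        if (principals == null || principals.isEmpty()) {
            return null; // no authenticated subject
        }
        List<?> all = principals.asList();
        String userId = String.valueOf(all.get(0));
        Map<String, Object> attrs = Collections.emptyMap();
        if (all.size() > 1 && all.get(1) instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, Object> released = (Map<String, Object>) all.get(1);
            attrs = Collections.unmodifiableMap(released);
        }
        return new CasUser(userId, attrs);
    }

    /** Convenience for servlet or JSP code: the Subject bound to the current thread. */
    public static CasUser current() {
        Subject subject = SecurityUtils.getSubject();
        return fromPrincipals(subject.getPrincipals());
    }

    // Usage inside a request, e.g. in a servlet (attribute names are the
    // resultAttributeMapping values from the thread):
    //   CasUser u = CasUserAttributes.current();
    //   if (u != null) {
    //       String shownName = u.get("Name");
    //       String dn        = u.get("dn");
    //   }
}
```

The helper treats an empty map as a normal outcome: with the default CAS validation protocol, or when the service registration releases nothing, authentication still succeeds but every lookup returns null, so application code that makes an authorization decision on an attribute should fail closed on a missing value rather than assume it was released.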