Posted to user@shiro.apache.org by jleleu <le...@gmail.com> on 2013/10/14 15:59:43 UTC

Re: Cant Integrate Shiro with CAS

Hi,

I don't understand why you use the *authc* filter (you don't have any form
in your application, right?).
The login page is on the CAS server.
I'm pretty sure that it's the root cause of your problem: generating a
UsernamePasswordToken whereas the CasRealm expects a CasToken.

To use the CAS server properly, it should retrieve the attributes of the
authenticated user, not your application, and push them to your app during
the service ticket validation.

Best regards,
Jérôme




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Cant-Integrate-Shiro-with-CAS-tp7579234p7579235.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

I must admit I'm often asked for support. Would you mind refreshing my
memory about the problem?
Better to do it directly on the Shiro mailing list.
Best,
Jérôme



2014-01-27 skybird [via Shiro User] <
ml-node+s582556n7579568h76@n2.nabble.com>

> Was this problem solved/fixed? I also have an application with a custom
> login page. Please post the solution/fix if available.





Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

Eduardo is completely right: the login form is part of the CAS server.
Though, you can brand it in your way using Spring themes:
https://wiki.jasig.org/display/CASUM/Theme+Control.
Best regards,
Jérôme





Re: Cant Integrate Shiro with CAS

Posted by "Eduardo J. Ortega U" <ed...@zurich.co>.
Hi:

I had a similar situation before. Bottom line, this is not a Shiro 
question but a CAS question. And while it can be done, it is not very 
good or clean to achieve. CAS is designed to work with its own form, so 
you'll have to hack it around to get it to work non-interactively by 
automating the under the hood interaction between it and your app. See 
https://wiki.jasig.org/display/CAS/Using+CAS+without+the+CAS+login+screen

--
Eduardo J. Ortega
Tel: 57+1+2553580
Cel: 57+317+4415156
Zürich
CL 72 5 83 Piso 11, Bogotá, CO.

On 27/01/14 07:19, skybird wrote:
> A bit more in detail... if it helps
> I have a shiro web application that has its own login page
> (http://app-server:8080/myapp/login.jsp). I would like to enter the
> credentials on my login page, under the hood it should authenticate against
> CAS and redirect me to my secured page. This thread has pretty much
> described most of the shiro.ini config that I need, except that it is
> missing a few things, here's my config, I used the github project mentioned
> above and highlighted the line I added.
>
> ----------------- START CONFIG ------------------
> [main]
> casFilter = org.apache.shiro.cas.CasFilter
> casFilter.failureUrl = /error.jsp
>
> casRealm = org.apache.shiro.cas.CasRealm
> casRealm.defaultRoles = ROLE_USER
> # no port or /cas, login is available at http://cas-server/login and it works fine
> casRealm.casServerUrlPrefix = http://cas-server/
> casRealm.casService = http://app-server:8080/myapp
> #casRealm.validationProtocol = SAML
>
> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> securityManager.subjectFactory = $casSubjectFactory
>
> user.loginUrl = http://cas-server/login?service=http://app-server:8080/myapp/home.jsp
> # I added this
> shiro.loginUrl = /login.jsp
> # I added this
> authc.successUrl = /home.jsp
>
> [urls]
> /myapp = casFilter
> /login.jsp = authc
> /logout = logout
>
>
> ----------------- END CONFIG ------------------
>
> Also what would my login form look like? An example?
>
>
>


Re: Cant Integrate Shiro with CAS

Posted by skybird <sn...@gmail.com>.
A bit more in detail... if it helps
I have a shiro web application that has its own login page
(http://app-server:8080/myapp/login.jsp). I would like to enter the
credentials on my login page, under the hood it should authenticate against
CAS and redirect me to my secured page. This thread has pretty much
described most of the shiro.ini config that I need, except that it is
missing a few things, here's my config, I used the github project mentioned
above and highlighted the line I added.

----------------- START CONFIG ------------------
[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp

casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
# no port or /cas, login is available at http://cas-server/login and it works fine
casRealm.casServerUrlPrefix = http://cas-server/
casRealm.casService = http://app-server:8080/myapp
#casRealm.validationProtocol = SAML

casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory

user.loginUrl = http://cas-server/login?service=http://app-server:8080/myapp/home.jsp
# I added this
shiro.loginUrl = /login.jsp
# I added this
authc.successUrl = /home.jsp

[urls]
/myapp = casFilter
/login.jsp = authc
/logout = logout


----------------- END CONFIG ------------------

Also what would my login form look like? An example?




Re: Cant Integrate Shiro with CAS

Posted by skybird <sn...@gmail.com>.
Was this problem solved/fixed? I also have an application with a custom login
page. Please post the solution/fix if available.




Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
I guess something is wrong with roles? I can't figure that out.




Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
Yes, I saw that missing port. I fixed it (although I never had a problem
reaching the CAS server).

But I still have the same problem - the CAS is redirecting me back to the
entry page and not the secured page. What else am I missing here?

Thanks.




Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

It should work almost out of the box. My demo:
https://github.com/leleuj/cas-shiro-demo is close to your code and works
fine!
I've seen another typo:
/casRealm.casServerUrlPrefix = http://192.168.2.101/cas/
I think the port of your CAS server (8080) is missing.
Best regards,
Jérôme
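
The two problems diagnosed in this thread (a form `authc` filter in front of a `CasRealm`, and a CAS server port that differs between settings) can be checked mechanically. The script below is an added example, not code from the thread or from the Shiro project; the function names, finding codes and `example.org` configuration are constructed, and it goes beyond the posts by also checking that the `service` URL sent to CAS equals `casRealm.casService`, which CAS ticket validation requires.

```python
import re
from urllib.parse import urlsplit, parse_qs

CAS_REALM = "org.apache.shiro.cas.CasRealm"
CAS_FILTER = "org.apache.shiro.cas.CasFilter"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample that mirrors the mistakes discussed in the thread.
BROKEN = """
[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = user
casRealm.casServerUrlPrefix = http://cas.example.org/cas
casRealm.casService = http://app.example.org:8080/myapp/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
roles.loginUrl = http://cas.example.org:8080/cas/login?service=http://app.example.org:8080/myapp/home.jsp

[urls]
/shiro-cas = casFilter
/login.jsp = authc
/secure/** = roles[user]
/** = anon
"""

# The same file with the three corrections applied.
FIXED = (BROKEN
         .replace("http://cas.example.org/cas", "http://cas.example.org:8080/cas")
         .replace("/myapp/home.jsp", "/myapp/shiro-cas")
         .replace("/login.jsp = authc\n", ""))


def parse_shiro_ini(text):
    """Simplified shiro.ini reader: [main] as a dict, [urls] as ordered pairs."""
    main, urls, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section in ("main", "urls"):
            # Split on the first '=' only: login URLs contain 'service=...'.
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "main":
                main[key] = value
            else:
                urls.append((key, value))
    return main, urls


def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def filters_in(chain):
    """Filter names in a chain definition such as 'casFilter, roles[admin]'."""
    return [name.strip() for name in re.sub(r"\[[^\]]*\]", "", chain).split(",")]


def check_shiro_cas(text):
    """Return a sorted list of finding codes for a shiro.ini given as text."""
    main, urls = parse_shiro_ini(text)
    realms = [k for k, v in main.items() if v == CAS_REALM]
    cas_filters = {k for k, v in main.items() if v == CAS_FILTER}
    if not realms:
        return []
    prefix = main.get(realms[0] + ".casServerUrlPrefix", "")
    service = main.get(realms[0] + ".casService", "")
    findings = set()

    # authc builds a UsernamePasswordToken, but CasRealm expects a CasToken
    # (assumes CasRealm is the only realm, as in the thread).
    if any("authc" in filters_in(chain) for _, chain in urls):
        findings.add("AUTHC_WITH_CAS_REALM")

    for key, value in main.items():
        if not key.endswith(".loginUrl") or "://" not in value:
            continue  # relative login pages are not CAS redirects
        # The login redirect and ticket validation must reach the same server.
        if prefix and origin(value) != origin(prefix):
            findings.add("CAS_SERVER_ORIGIN_MISMATCH")
        # The ticket is validated against casService, so it must be the
        # same URL that was sent as ?service= at login.
        requested = parse_qs(urlsplit(value).query).get("service", [None])[0]
        if requested is not None and requested != service:
            findings.add("SERVICE_URL_MISMATCH")

    # The URL CAS redirects back to must be handled by the CasFilter.
    cas_paths = [p for p, chain in urls if set(filters_in(chain)) & cas_filters]
    if service and not any(urlsplit(service).path.endswith(p) for p in cas_paths):
        findings.add("CAS_FILTER_NOT_ON_SERVICE_PATH")
    return sorted(findings)


if __name__ == "__main__":
    print("broken:", check_shiro_cas(BROKEN))
    print("fixed: ", check_shiro_cas(FIXED))
```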





Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
I also added recent logs that maybe will help to figure this out:

That's on startup:

CAS SHIRO DEMO APP 2013/10/16 08:48:26,801 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Parsing [main]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casFilter=org.apache.shiro.cas.CasFilter
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casFilter.failureUrl=/unauthorized.jsp
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casRealm=org.apache.shiro.cas.CasRealm
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casRealm.defaultRoles=user
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casRealm.casServerUrlPrefix=http://192.168.2.101/cas
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casRealm.casService=http://192.168.108.195:8080/shiro-cas
CAS SHIRO DEMO APP 2013/10/16 08:48:26,805 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: casSubjectFactory=org.apache.shiro.cas.CasSubjectFactory
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: securityManager.subjectFactory=$casSubjectFactory
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair:
roles.loginUrl=http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: roles.unauthorizedUrl=/unauthorized.jsp
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Parsing [urls]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: /shiro-cas=casFilter
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: /secure/**=roles[user]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: /admin/**=roles[admin]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,806 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.Ini - Discovered key/value
pair: /**=anon
CAS SHIRO DEMO APP 2013/10/16 08:48:26,810 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.IniFactorySupport -
Creating instance from Ini [sections=main,urls]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,868 TRACE [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.authc.FormAuthenticationFilter - Adding login
url to applied paths.
CAS SHIRO DEMO APP 2013/10/16 08:48:26,950 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [failureUrl] value [/unauthorized.jsp] on object of type
[org.apache.shiro.cas.CasFilter]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,962 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [defaultRoles] value [user] on object of type
[org.apache.shiro.cas.CasRealm]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,962 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [casServerUrlPrefix] value [http://192.168.2.101/cas] on
object of type [org.apache.shiro.cas.CasRealm]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,962 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [casService] value [http://192.168.108.195:8080/shiro-cas]
on object of type [org.apache.shiro.cas.CasRealm]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,972 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Encountered object reference '$casSubjectFactory'.  Looking up object with
id 'casSubjectFactory'
CAS SHIRO DEMO APP 2013/10/16 08:48:26,972 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [subjectFactory] value
[org.apache.shiro.cas.CasSubjectFactory@4ac1df71] on object of type
[org.apache.shiro.web.mgt.DefaultWebSecurityManager]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,974 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [loginUrl] value
[http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas]
on object of type
[org.apache.shiro.web.filter.authz.RolesAuthorizationFilter]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,975 TRACE [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.ReflectionBuilder -
Applying property [unauthorizedUrl] value [/unauthorized.jsp] on object of
type [org.apache.shiro.web.filter.authz.RolesAuthorizationFilter]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,977 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.realm.AuthorizingRealm - No
authorizationCache instance set.  Checking for a cacheManager...
CAS SHIRO DEMO APP 2013/10/16 08:48:26,977  INFO [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.realm.AuthorizingRealm - No cache
or cacheManager properties have been set.  Authorization cache cannot be
obtained.
CAS SHIRO DEMO APP 2013/10/16 08:48:26,984 DEBUG [RMI TCP
Connection(3)-127.0.0.1] org.apache.shiro.config.IniFactorySupport -
Creating instance from Ini [sections=main,urls]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,987 TRACE [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.authc.FormAuthenticationFilter - Adding login
url to applied paths.
CAS SHIRO DEMO APP 2013/10/16 08:48:26,988 TRACE [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.config.IniFilterChainResolverFactory - Before url
processing.
CAS SHIRO DEMO APP 2013/10/16 08:48:26,988 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Creating chain
[/shiro-cas] from String definition [casFilter]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,988 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Attempting to
apply path [/shiro-cas] to filter [casFilter] with config [null]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,989 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Creating chain
[/secure/**] from String definition [roles[user]]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,989 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Attempting to
apply path [/secure/**] to filter [roles] with config [user]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,990 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Creating chain
[/admin/**] from String definition [roles[admin]]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,990 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Attempting to
apply path [/admin/**] to filter [roles] with config [admin]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,990 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Creating chain
[/**] from String definition [anon]
CAS SHIRO DEMO APP 2013/10/16 08:48:26,990 DEBUG [RMI TCP
Connection(3)-127.0.0.1]
org.apache.shiro.web.filter.mgt.DefaultFilterChainManager - Attempting to
apply path [/**] to filter [anon] with config [null]
[2013-10-16 08:48:27,023] Artifact rolesecuritywithtags:war: Artifact is
deployed successfully
CAS SHIRO DEMO APP 2013/10/16 08:48:27,127 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'ShiroFilter' not
yet executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,137 TRACE [http-apr-8080-exec-2]
org.apache.shiro.mgt.DefaultSecurityManager - Context already contains a
SecurityManager instance.  Returning.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,140 TRACE [http-apr-8080-exec-2]
org.apache.shiro.mgt.DefaultSecurityManager - No identity
(PrincipalCollection) found in the context.  Looking for a remembered
identity.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,140 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.SimpleCookie - No value found in request
Cookies under cookie name [rememberMe]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,140 TRACE [http-apr-8080-exec-2]
org.apache.shiro.mgt.DefaultSecurityManager - No remembered identity found. 
Returning original context.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,147 TRACE [http-apr-8080-exec-2]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread
[http-apr-8080-exec-2]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,147 TRACE [http-apr-8080-exec-2]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key
[org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread
[http-apr-8080-exec-2]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,149 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver - Matched
path pattern [/**] for requestURI [/].  Utilizing corresponding filter
chain...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.AbstractShiroFilter - Resolved a configured
FilterChain for the current request.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking wrapped filter at
index [0]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'anon' not yet
executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.filter.PathMatchingFilter - Attempting to match pattern
[/**] with current requestURI [/]...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.filter.PathMatchingFilter - Current requestURI matches
pattern [/**].  Performing onPreHandle check...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.AdviceFilter - Invoked preHandle method. 
Continuing chain?: [true]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,150 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking original filter
chain.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,821 TRACE [http-apr-8080-exec-2]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-2]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,822 TRACE [http-apr-8080-exec-2]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-2]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,822 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked postHandle
method
CAS SHIRO DEMO APP 2013/10/16 08:48:27,822 TRACE [http-apr-8080-exec-2]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked
afterCompletion method.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,936 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'ShiroFilter' not
yet executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,937 TRACE [http-apr-8080-exec-7]
org.apache.shiro.mgt.DefaultSecurityManager - Context already contains a
SecurityManager instance.  Returning.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,937 TRACE [http-apr-8080-exec-7]
org.apache.shiro.mgt.DefaultSecurityManager - No identity
(PrincipalCollection) found in the context.  Looking for a remembered
identity.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,937 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.SimpleCookie - No value found in request
Cookies under cookie name [rememberMe]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,937 TRACE [http-apr-8080-exec-7]
org.apache.shiro.mgt.DefaultSecurityManager - No remembered identity found. 
Returning original context.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread
[http-apr-8080-exec-7]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key
[org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread
[http-apr-8080-exec-7]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver - Matched
path pattern [/**] for requestURI [/].  Utilizing corresponding filter
chain...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.AbstractShiroFilter - Resolved a configured
FilterChain for the current request.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking wrapped filter at
index [0]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'anon' not yet
executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.filter.PathMatchingFilter - Attempting to match pattern
[/**] with current requestURI [/]...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.filter.PathMatchingFilter - Current requestURI matches
pattern [/**].  Performing onPreHandle check...
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.AdviceFilter - Invoked preHandle method. 
Continuing chain?: [true]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,938 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking original filter
chain.
CAS SHIRO DEMO APP 2013/10/16 08:48:27,939 TRACE [http-apr-8080-exec-7]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-7]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,939 TRACE [http-apr-8080-exec-7]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-7]
CAS SHIRO DEMO APP 2013/10/16 08:48:27,939 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked postHandle
method
CAS SHIRO DEMO APP 2013/10/16 08:48:27,939 TRACE [http-apr-8080-exec-7]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked
afterCompletion method.



And this is when going to the secure resource:

CAS SHIRO DEMO APP 2013/10/16 08:48:37,718 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'ShiroFilter' not
yet executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,718 TRACE [http-apr-8080-exec-8]
org.apache.shiro.mgt.DefaultSecurityManager - Context already contains a
SecurityManager instance.  Returning.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,721 TRACE [http-apr-8080-exec-8]
org.apache.shiro.mgt.DefaultSecurityManager - No identity
(PrincipalCollection) found in the context.  Looking for a remembered
identity.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,722 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.SimpleCookie - No value found in request
Cookies under cookie name [rememberMe]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,722 TRACE [http-apr-8080-exec-8]
org.apache.shiro.mgt.DefaultSecurityManager - No remembered identity found. 
Returning original context.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key
[org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver - Matched
path pattern [/secure/**] for requestURI [/secure/index.jsp].  Utilizing
corresponding filter chain...
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.AbstractShiroFilter - Resolved a configured
FilterChain for the current request.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking wrapped filter at
index [0]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'roles' not yet
executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.filter.PathMatchingFilter - Attempting to match pattern
[/secure/**] with current requestURI [/secure/index.jsp]...
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.filter.PathMatchingFilter - Current requestURI matches
pattern [/secure/**].  Performing onPreHandle check...
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,724 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,725 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,725 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,725 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,725 TRACE [http-apr-8080-exec-8]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-8]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,725 TRACE [http-apr-8080-exec-8]
org.apache.shiro.subject.support.DelegatingSubject - attempting to get
session; create = true; session is null = false; session has id = true
CAS SHIRO DEMO APP 2013/10/16 08:48:37,727 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.AdviceFilter - Invoked preHandle method. 
Continuing chain?: [false]
CAS SHIRO DEMO APP 2013/10/16 08:48:37,727 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked postHandle
method
CAS SHIRO DEMO APP 2013/10/16 08:48:37,727 TRACE [http-apr-8080-exec-8]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked
afterCompletion method.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,945 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'ShiroFilter' not
yet executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,945 TRACE [http-apr-8080-exec-1]
org.apache.shiro.mgt.DefaultSecurityManager - Context already contains a
SecurityManager instance.  Returning.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,945 TRACE [http-apr-8080-exec-1]
org.apache.shiro.mgt.DefaultSecurityManager - No identity
(PrincipalCollection) found in the context.  Looking for a remembered
identity.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,945 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.SimpleCookie - No value found in request
Cookies under cookie name [rememberMe]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.mgt.DefaultSecurityManager - No remembered identity found. 
Returning original context.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread
[http-apr-8080-exec-1]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.util.ThreadContext - Bound value of type
[org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key
[org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread
[http-apr-8080-exec-1]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver - Matched
path pattern [/**] for requestURI [/].  Utilizing corresponding filter
chain...
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.AbstractShiroFilter - Resolved a configured
FilterChain for the current request.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking wrapped filter at
index [0]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'anon' not yet
executed.  Executing now.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.filter.PathMatchingFilter - Attempting to match pattern
[/**] with current requestURI [/]...
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.filter.PathMatchingFilter - Current requestURI matches
pattern [/**].  Performing onPreHandle check...
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.AdviceFilter - Invoked preHandle method. 
Continuing chain?: [true]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,946 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.ProxiedFilterChain - Invoking original filter
chain.
CAS SHIRO DEMO APP 2013/10/16 08:48:44,947 TRACE [http-apr-8080-exec-1]
org.apache.shiro.util.ThreadContext - get() - in thread
[http-apr-8080-exec-1]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,947 TRACE [http-apr-8080-exec-1]
org.apache.shiro.util.ThreadContext - Retrieved value of type
[org.apache.shiro.web.subject.support.WebDelegatingSubject] for key
[org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread
[http-apr-8080-exec-1]
CAS SHIRO DEMO APP 2013/10/16 08:48:44,947 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked postHandle
method
CAS SHIRO DEMO APP 2013/10/16 08:48:44,947 TRACE [http-apr-8080-exec-1]
org.apache.shiro.web.servlet.AdviceFilter - Successfully invoked
afterCompletion method.


Thanks,
ray.




Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
You were right. I fixed it. Now I get the ticket again to the same
page (without being forwarded to the target secured page).

I almost give up ;P

Current configuration:

 <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>

                [main]
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = user
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/shiro-cas

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory


                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas
                roles.unauthorizedUrl = /unauthorized.jsp

                [urls]
                /shiro-cas = casFilter
                /secure/** = roles[user]
                /admin/** = roles[admin]
                /** = anon

            </param-value>
        </init-param>
    </filter>






Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

I see a typo in your configuration :
/shir-cas = casFilter

The o is missing for /shiro-cas.

Best regards,
Jérôme





Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
OK, I tried your solution; this time I moved back to deploying under ../shiro-cas/
Same result as before: back to the original page with the ticket from CAS.

configuration:

<filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>

                [main]
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = user
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/shiro-cas/

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory


                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas/
                roles.unauthorizedUrl = /unauthorized.jsp

                [urls]
                /shir-cas = casFilter
                /secure/** = roles[user]
                /admin/** = roles[admin]
                /** = anon




            </param-value>
        </init-param>
    </filter>







Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
OK, now I have a different situation, but it still doesn't work.
Now as soon as the server starts I am directed to
http://192.168.108.195:8080/unauthorized.jsp (instead of
http://192.168.108.195:8080/index.jsp) as it always was.
Now when I go to http://192.168.108.195:8080/secure/index.jsp I am directed
to CAS but this time it's redirecting me to the same page without a result
ticket in the url -> http://192.168.108.195:8080/unauthorized.jsp

This is the current configuration:


<filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>

                [main]
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = user
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory


                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/
                roles.unauthorizedUrl = /unauthorized.jsp

                [urls]
                /secure/** = roles[user]
                /admin/** = roles[admin]
                / = casFilter
                /** = anon

            </param-value>
        </init-param>
    </filter>

Thanks.





Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

I think that the casFilter is never reached as it is placed after /** :
would you mind putting it *before* /** ?
Thanks.
Best regards,
Jérôme





Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
That's what my http://localhost:8080/shir-cas/index.jsp looks like:

user/index

logout </app/logout>  <br />
<br />
<%@page import="org.apache.shiro.subject.Subject"%>
<%@page import="org.apache.shiro.SecurityUtils"%>
<%
    Subject subject = SecurityUtils.getSubject();
%>
principal : <%=subject.getPrincipal()%><br />
principals : <%=subject.getPrincipals()%><br />
isAuthenticated : <%=subject.isAuthenticated()%><br />
isRemembered : <%=subject.isRemembered()%><br />


and before navigating to
http://192.168.108.195:8080/shiro-cas/secure/index.jsp the content looks like
this:

user/index

logout

principal : null
principals : null
isAuthenticated : false
isRemembered : false


and after authenticating at CAS I am redirected to the same URL and the
content still remains the same; just the browser URL has this:
http://192.168.108.195:8080/shiro-cas/?ticket=ST-124-eI1T7sKZQpllSHrwMMpy-cas01.example.org

thanks. 




Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
I modified my xml according to your comment this way:



 <param-value>

                [main]
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = user
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/shiro-cas

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory


                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas
                roles.unauthorizedUrl = /unauthorized.jsp

                [urls]
                /secure/** = roles[user]
                /admin/** = roles[user]
                /** = anon
                / = casFilter



            </param-value>

Still the same behaviour: I am directed to the same page I came from, with the
ticket in its URL.




Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

I think you might have a problem with the callback url :
/shiro-cas is the context of your webapp : so
http://localhost:8080/shiro-cas/ matches "/" in your webapp.
In that case, the casFilter must be defined for the "/" url (not the
/shiro-cas url unless you define : http://localhost:8080/shiro-cas/shiro-cas
as your CAS service).

I'm surprised by your question on the admin role : what do you expect by
protecting the /admin/** urls by the roles[admin] ?
I thought you had some users with the admin role who are the only ones allowed
to access these urls.

Best regards,
Jérôme





Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi, 
thanks again for your reply.

Two things:

1. First I modified the code this way:
   a. deployed in Tomcat under ../shiro-cas (to be matched with the example)
   b. I modified casRealm.defaultRoles = user as you suggested. Still the same
      behaviour.

When I connect to http://192.168.108.195:8080/shiro-cas/secure/index.jsp
I am redirected to Cas and then redirected to that url: 

http://192.168.108.195:8080/shiro-cas/?ticket=ST-122-wkRvMwd6sKwaoIBtsVwz-cas01.example.org


That's my latest configuration:

 <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>

                [main]
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = user
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/shiro-cas

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory


                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/shiro-cas
                roles.unauthorizedUrl = /unauthorized.jsp

                [urls]
                /secure/** = roles[user]
                /admin/** = roles[user]
                /** = anon
                /shiro-cas = casFilter

            </param-value>
        </init-param>
    </filter>

2. I have no idea how to compute the admin role. I guess I am missing some
best practice over here? It would be great if you could show me the right way.

Thanks.





Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Well, a first reply as you seem to be in a hurry.

Your CAS server works : it delivers service tickets and redirects you to
the service url with a service ticket.
The CasRealm (post CAS successful authentication) computes the default roles
ROLE_USER (in your case). But for you, as you expect the role user or
admin, it doesn't work and you get some unauthorized error page.

So first, you should change the CasRealm configuration with :
casRealm.defaultRoles = user
This way, you will be able to access the /secure/** urls.
But you won't be able to access /admin/** urls.

My question is : how do you compute the admin role ? Because if you want to
do some roles computation, you will certainly need to create a new CasRealm
with the requested behaviour for the roles computation.

Best regards,
Jérôme





Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Sorry that I am overloading you with messages but we are in the middle of
a POC. And the usage of this product depends on this demo.

The problem basically is that I am not getting redirected to the original
secured url after authentication has succeeded at CAS.

So if I put this url: http://192.168.108.195:8080/admin/users.jsp

I am redirected to CAS and then getting back to
http://192.168.108.195:8080/?ticket=ST-101-xbchpsGcnvN6WuSBi5EE-cas01.example.org

And not to http://192.168.108.195:8080/admin/users.jsp.

That's my current configuration:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID"
version="2.5">
  <display-name>rlesecuritywithtags</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  
  <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
                #See Shiro API http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/servlet/IniShiroFilter.html

                #create an object of the RoleSecurityJdbcRealm
                #IniShiroFilter will inject that object into the SecurityManager

                [main]
                #realmA = name.brucephillips.somesecurity.dao.RoleSecurityJdbcRealm
                casFilter = org.apache.shiro.cas.CasFilter
                casFilter.failureUrl = /unauthorized.jsp


                casRealm = org.apache.shiro.cas.CasRealm
                casRealm.defaultRoles = ROLE_ADMIN
                casRealm.casServerUrlPrefix = http://192.168.2.101/cas
                casRealm.casService = http://192.168.108.195:8080/

                casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
                securityManager.subjectFactory = $casSubjectFactory

                roles.loginUrl = http://192.168.2.101:8080/cas/login?service=http://192.168.108.195:8080/
                roles.unauthorizedUrl = /unauthorized.jsp



                #this application will use all the default
                #filters (see link above)
                #for example the default login page is /login.jsp
                #users who try to access a page protected by Shiro
                #will be sent to /login.jsp


                #only let authenticated users
                #with the appropriate role
                #view the web pages in the secure
                #and admin areas
                [urls]
                /secure/** = roles[user]
                /admin/** = roles[admin]
                /** = anon
                / = casFilter



            </param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
  <servlet>
    <description>Finds all users in the data store</description>
    <display-name>GetAllUsers</display-name>
    <servlet-name>GetAllUsers</servlet-name>
    <servlet-class>name.brucephillips.somesecurity.servlet.GetAllUsers</servlet-class>
  </servlet>
  <servlet>
  	<description>
  	Log in user using username and password provided</description>
  	<display-name>
  	LoginUser</display-name>
  	<servlet-name>LoginUser</servlet-name>
  	<servlet-class>
  	name.brucephillips.somesecurity.servlet.LoginUser</servlet-class>
  </servlet>
  <servlet>
  	<description>
  	Logs user out</description>
  	<display-name>
  	LogoutUser</display-name>
  	<servlet-name>LogoutUser</servlet-name>
  	<servlet-class>
  	name.brucephillips.somesecurity.servlet.LogoutUser</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>GetAllUsers</servlet-name>
    <url-pattern>/GetAllUsers</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  	<servlet-name>LoginUser</servlet-name>
  	<url-pattern>/LoginUser</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  	<servlet-name>LogoutUser</servlet-name>
  	<url-pattern>/LogoutUser</url-pattern>
  </servlet-mapping>
  <resource-ref>
        <description>My DataSource Reference</description>
        <res-ref-name>jdbc/security</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
  
</web-app>

Thank you.






Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
I have another servlet called: GetAllUsers

Now after the auth if I go to http://localhost:8080/GetAllUsers

I am still not authorized. I debugged my code and when I reach this
point:

 Subject currentUser = SecurityUtils.getSubject();

currentUser.authenticated = false


Any idea? Maybe it will be easier if you see my attached example.

thanks.







Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Ok I modified my web.xml this way:

[urls]
/secure/** = roles[user]
/admin/** = roles[admin]


Now when I try this url for example:

http://192.168.108.195:8080/secure/

(* 192.168.108.195 is my local IP, where Shiro is located.)

I am getting this in the cas server:



WHO: tt
WHAT: ST-11-INWnsLlidup4zIKTbV1P-cas01.example.org for
http://192.168.108.195:8080/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 15 10:32:44 IST 2013
CLIENT IP ADDRESS: 192.168.108.195
SERVER IP ADDRESS: 192.168.2.101

and then I am redirected to here:

http://192.168.108.195:8080/?ticket=ST-9-7usYqhvnsk3fbf5DbeoY-cas01.example.org


And I see that page:


Welcome to The Role Security Home Page

Our web site does have security and it includes security by ROLE, so NOT
everyone who is logged in can visit all our pages.

Please login.

So what's wrong over here? Why is the process not taking me to the CAS login
form and coming back to Shiro authorized?




Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
OK. I see.
You have defined the ROLE_USER to be granted when the user is authenticated :
casRealm.defaultRoles = ROLE_USER

But this does not match the roles defined in your roles filters.

Best regards,
Jérôme




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Cant-Integrate-Shiro-with-CAS-tp7579234p7579241.html
Sent from the Shiro User mailing list archive at Nabble.com.
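
Added example, not part of the original thread and not Shiro's own code: a small Python check that replays the three faults diagnosed in the replies above (casFilter listed after /**, the CAS callback path confused with the webapp context path, and roles[...] names that casRealm.defaultRoles never grants). The Ant-style matcher is a simplified stand-in for Shiro's, all function names are hypothetical, and the sample configurations are constructed from the ones posted here.

```python
import re
from urllib.parse import urlparse

def parse_ini(text):
    """Split Shiro INI text into [main] settings and the ordered [urls] chains."""
    main, urls, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif line and not line.startswith("#"):
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "main":
                main[key] = value
            elif section == "urls":
                urls.append((key, value))
    return main, urls

def ant_regex(pattern):
    """Simplified Ant-style matching (assumption): /** crosses '/', * does not."""
    tokens = re.split(r"(/\*\*|\*)", pattern)
    table = {"/**": "(/.*)?", "*": "[^/]*"}
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens))

def resolve(urls, path):
    """First matching [urls] line wins; anything listed after it is never consulted."""
    for pattern, chain in urls:
        if ant_regex(pattern).fullmatch(path):
            return pattern, chain
    return None

def callback_path(cas_service, context_path):
    """Path of the CAS callback as seen inside the webapp (context path removed)."""
    path = urlparse(cas_service).path
    if context_path and (path + "/").startswith(context_path + "/"):
        path = path[len(context_path):]
    return path or "/"

def lint(text, context_path=""):
    """Return (code, detail) findings for a Shiro + CAS configuration."""
    main, urls = parse_ini(text)
    names = {cls: key for key, cls in main.items()}  # class name -> object name
    cas_filter = names.get("org.apache.shiro.cas.CasFilter")
    realm = names.get("org.apache.shiro.cas.CasRealm")
    findings = []
    # 1. The casService URL must land on the chain that runs the CasFilter.
    cb = callback_path(main.get(f"{realm}.casService", ""), context_path)
    hit = resolve(urls, cb)
    if hit is None or cas_filter not in re.split(r"[,\s]+", hit[1]):
        findings.append(("CALLBACK_NOT_CAS_FILTER", f"{cb} is handled by {hit}"))
    # 2. roles[...] needs roles the realm grants; only defaultRoles is visible here.
    granted = set(filter(None, re.split(r"[,\s]+", main.get(f"{realm}.defaultRoles", ""))))
    for pattern, chain in urls:
        for group in re.findall(r"roles\[([^\]]*)\]", chain):
            missing = sorted({r.strip() for r in group.split(",")} - granted - {""})
            if missing:
                findings.append(("ROLE_NOT_GRANTED", f"{pattern} needs {missing}"))
    return findings

# Constructed samples modelled on the thread's configurations (webapp context /shiro-cas).
MAIN = """[main]
casFilter = org.apache.shiro.cas.CasFilter
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = user
casRealm.casService = http://192.168.108.195:8080/shiro-cas
[urls]
"""
RULES = "/secure/** = roles[user]\n/admin/** = roles[admin]\n/** = anon\n"
SHADOWED = MAIN + RULES + "/ = casFilter\n"             # casFilter listed after /**
WRONG_PATH = MAIN + "/shiro-cas = casFilter\n" + RULES  # context path used as app path
REORDERED = MAIN + "/ = casFilter\n" + RULES            # callback path listed first

if __name__ == "__main__":
    print({n: lint(globals()[n], "/shiro-cas") for n in ("SHADOWED", "WRONG_PATH", "REORDERED")})
```

The check only covers routing and default roles: a callback that reaches the CasFilter can still end at failureUrl if ticket validation itself fails.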

Re: Cant Integrate Shiro with CAS

Posted by rayman <id...@cellebrite.com>.
Hi,
I moved the authc filter:

...
  #only let authenticated users
                #with the appropriate role
                #view the web pages in the secure
                #and admin areas
                [urls]
                /secure/** = roles[user]
                /admin/** = roles[admin]
                / = casFilter

..
Still when I connect locally to: http://localhost:8080 I am redirected to
http://localhost:8080/unauthorized.jsp:

Welcome to The Role Security Unauthorized Page

You must login to visit pages in our secure and admin areas

You must have the correct role to view pages in our admin area.

You have attempted to visit an area of our web site that you are not
authorized to view.


Home | Login


and when I press the login button I am redirected to the local login page:
http://localhost:8080/login.jsp

It's not even contacting the CAS server.

Any idea?
I attached my project to the post in case it could be of any help:
rolesecuritywithtags.rar <http://shiro-user.582556.n2.nabble.com/file/n7579240/rolesecuritywithtags.rar>




Re: Cant Integrate Shiro with CAS

Posted by jleleu <le...@gmail.com>.
Hi,

If you use CAS, the login page to fill in credentials will be held in the
CAS server.

Your configuration is already correct : if you are not authenticated, the
*roles* filter will be called and redirect you to the *loginUrl* for
authentication, which is in fact the CAS login page.

I think you just need to remove the *authc* filter.

Best regards,
Jérôme



