Posted to user@shiro.apache.org by jleleu <le...@gmail.com> on 2014/03/03 12:43:49 UTC

Re: Shiro cas proxying

Hi,

I think I know what's wrong. I didn't recall it to you in my previous post,
but the proxy receptor is meant to receive the PGTIOU and PGTID as
credentials, it's a Client like the CasClient so you need to define it as a
client: *clients.clientsList = $casClient,$proxyReceptor* in addition to
setting it in the CasClient: *casClient.casProxyReceptor = $proxyReceptor*.
This way, you don't need to use the anon filter for the /proxyReceptor.jsp
url, but the *clientFilters*.
Let me know if it works after that.
Thanks.
Best regards,
Jérôme



2014-03-03 12:26 GMT+01:00 Dinabandhu [via Shiro User] <
ml-node+s582556n7579711h9@n2.nabble.com>:

> Hi Jerome,
>
> Thank you very much for your reply. I have been able to make some progress
> with the directions you provided but the proxying is still not working. From
> the logs, it looks like even though the server is sending the PGTIOU & PGT
> combo to the proxy application, the client in proxy application is not
>
> Firstly, I had to make some changes -
>
> 1. The proxyReceptor is changed to an actually existing url. I had to do
> this because the server sends a request to this url and expects an HTTP 200
> response. The casFilter doesn't seem to set the response code.
> 2. I had to put the proxyReceptor url under the anon filter. Putting it under
> casFilter generates exceptions (exception.log).
>
> So with the changes, my proxy application shiro.ini looks like -
>
> proxyReceptor = org.pac4j.cas.client.CasProxyReceptor
> proxyReceptor.callbackUrl = https://user-think:8443/shiro-cas-proxy-1/proxyReceptor.jsp?client_name=CasClient
>
> casClient = org.pac4j.cas.client.CasClient
> casClient.casLoginUrl = https://user-think:8443/cerberus-sso-test/login
> casClient.casProxyReceptor = $proxyReceptor
>
> clients = org.pac4j.core.client.Clients
> clients.callbackUrl = https://user-think:8443/shiro-cas-proxy-1/shiro-cas
> clients.clientsList = $casClient
>
> clientsRealm = io.buji.pac4j.ClientRealm
> clientsRealm.defaultRoles = ROLE_USER
> clientsRealm.clients = $clients
>
> clientsFilter = io.buji.pac4j.ClientFilter
> clientsFilter.clients = $clients
> clientsFilter.failureUrl = /error.jsp
>
> casUsers = io.buji.pac4j.filter.ClientUserFilter
> casUsers.client = $casClient
>
> securityManager.realms = $clientsRealm
>
> #authc.loginUrl = https://user-think:8443/cerberus-sso-test/login?service=https://user-think:8443/shiro-cas-proxy-1/shiro-cas
>
> [urls]
> /proxyReceptor.jsp = anon
> /shiro-cas = clientsFilter
> /error.jsp = anon
> /** = casUsers
>
>
> With this I can see PGTIOU and PGT getting generated in the server logs
> (server.log) and in the https request logs (http.log). I am also able to
> retrieve the CasProxyProfile successfully from the Subject. However, when I
> try to get a ticket for the proxied service, I get an error in the server
> log "No ProxyGrantingTicket was supplied, so no Proxy Ticket can be
> retrieved." and the ticket returned is null.
>
> I must be doing something wrong in configuration but cannot find what is
> wrong.
>
> Anything that catches your eyes would be great. I am attaching the logs in
> case you want to have a look.
>
> Thanks again for your help.
>
> Regards,
> Dinabandhu
>
> server.log<http://shiro-user.582556.n2.nabble.com/file/n7579711/server.log>
> http.log <http://shiro-user.582556.n2.nabble.com/file/n7579711/http.log>
> exception.log<http://shiro-user.582556.n2.nabble.com/file/n7579711/exception.log>
>
> ------------------------------
>  If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-tp7579694p7579711.html
>  To start a new topic under Shiro User, email
> ml-node+s582556n582556h4@n2.nabble.com
> To unsubscribe from Shiro User, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=582556&code=bGVsZXVqQGdtYWlsLmNvbXw1ODI1NTZ8LTExNzY2MzcxMTY=>
> .
> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-tp7579694p7579712.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro cas proxying

Posted by "jonathan.labin" <jo...@gmail.com>.
How was this resolved?
Can you link to the pull request so I can see the discussion there?




Re: Shiro cas proxying

Posted by jleleu <le...@gmail.com>.
Hi,

You're welcome.
I appreciate your involvement. Let's continue this discussion directly on
the pull request.
Cheers,
Jérôme



2014-03-10 5:28 GMT+01:00 Dinabandhu [via Shiro User] <
ml-node+s582556n7579746h94@n2.nabble.com>:

> Hi,
>
> Thank you very much for your help. Apologies for a late reply, my
> weekends are longer than usual, hence the delay.
>
> I have forked buji-pac4j on github, made the changes and created a pull
> request. There are some doubts/concerns and I have put those in comments.
> Also, I am not very familiar with github and pull requests, in case of any
> problems please let me know.
>
> Thanks & Regards,
> Dinabandhu
>





Re: Shiro cas proxying

Posted by jleleu <le...@gmail.com>.
Hi,

I think your understanding is correct. The general behaviour is to save the
requested protected url and restore it after a successful authentication,
which relies completely on the web session to save/restore the original url.
This works perfectly from a browser (with cookies). Though, from another
application, no session is kept by default, unless you do it explicitly by
storing cookies (the JSESSIONID cookie). This explains the problems you get
trying to make CAS proxification work.

Storing cookies is a good solution, but you raise a very interesting lead
with your previous post: making the ClientFilter "pass through" when it's a
proxied CAS service. It definitely makes sense to me.

Would you mind proposing a pull request that way? (some passThrough
property, false by default but which can be turned on for CAS proxied
service)

In any case, thanks for your thorough usage of buji-pac4j.
Best regards,
Jérôme




2014-03-05 12:03 GMT+01:00 Dinabandhu [via Shiro User] <
ml-node+s582556n7579724h12@n2.nabble.com>:

> Hi,
>
> After a bit more thinking, I managed to get it working with the original
> ClientFilter. The configuration is looking good but I am not sure whether it
> is correct/optimal.
>
> First I changed my shiro ini in proxied application to the following -
>
>
> [main]
> casFilter = org.apache.shiro.cas.CasFilter
> casFilter.failureUrl = /error.jsp
>
> casRealm = org.apache.shiro.cas.CasRealm
> casRealm.defaultRoles = ROLE_USER
> casRealm.casServerUrlPrefix = https://user-think:8443/cerberus-sso-test
> casRealm.casService = https://user-think:8443/shiro-cas-proxied/shiro-cas
>
> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> securityManager.subjectFactory = $casSubjectFactory
>
> casClient = org.pac4j.cas.client.CasClient
> casClient.casLoginUrl = https://user-think:8443/cerberus-sso-test/login
> casClient.acceptAnyProxy = true
>
> clients = org.pac4j.core.client.Clients
> clients.callbackUrl = https://user-think:8443/shiro-cas-proxied/shiro-cas-proxied
> clients.clientsList = $casClient
>
> clientsRealm = io.buji.pac4j.ClientRealm
> clientsRealm.defaultRoles = ROLE_USER
> clientsRealm.clients = $clients
>
> clientsFilter = io.buji.pac4j.ClientFilter
> clientsFilter.clients = $clients
> clientsFilter.failureUrl = /error.jsp
> #clientsFilter.successUrl = /index.jsp
>
> #casUsers = io.buji.pac4j.filter.ClientUserFilter
> #casUsers.client = $casClient
>
> securityManager.realms = $casRealm, $clientsRealm
>
> authc.loginUrl = https://user-think:8443/cerberus-sso-test/login?service=https://user-think:8443/shiro-cas-proxied/shiro-cas
>
> [urls]
> /shiro-cas-proxied = clientsFilter
> /shiro-cas = casFilter
> /error.jsp = anon
> /** = authc
>
> Basically I have set up two parallel authentication mechanisms (standard
> shiro-cas and pac4j) each with its own service url. Only the service urls
> are protected by corresponding cas service filters. All other urls are
> protected by standard shiro filter (authc in this case).
>
> I changed the java client program to use a two stage mechanism. Instead of
> appending the PT to the actual web url, -
>
> 1. I set up a cookie manager.
> 2. I first make a call to clients.callbackUrl and append the PT. This makes
> clientsFilter kick in which authenticates the PT and a session
> (authenticated) is established between java client and proxied application.
> 3. Then I make call to the actual resource url without any ticket. Authc
> filter intercepts this and sees that the session is already authenticated
> and allows access to resource.
>
> Now, if I access a protected resource from the proxied application, then the
> normal shiro-cas mechanism kicks in and I get redirected to the cas login url
> if there is no established sso session.
>
> Does this setup look right to you? Or is there a better approach?
>
> Regards,
> Dinabandhu
>
>
>
> ------------------------------
>  If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-tp7579694p7579724.html
>  To start a new topic under Shiro User, email
> ml-node+s582556n582556h4@n2.nabble.com
> To unsubscribe from Shiro User, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=582556&code=bGVsZXVqQGdtYWlsLmNvbXw1ODI1NTZ8LTExNzY2MzcxMTY=>
> .
> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>




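Jérôme's point above (the protected url is saved and restored through the web session, so a client that is not a browser must keep the JSESSIONID cookie) and the three-step client in Dinabandhu's quoted post, worked through as an added example. This is not code from the thread, from buji-pac4j or from pac4j: the proxied application is replaced by a constructed in-memory stand-in (`FakeProxiedApp`, a hypothetical type) that mimics the [urls] chain of the quoted shiro.ini, so the flow runs offline. The host name, the paths, the ticket value and the `Transport`/`Response` types are constructed for the example; the only real API exercised is `java.net.CookieManager`. In a real client the proxy ticket comes from pac4j's `CasProxyProfile.getProxyTicketFor(service)` instead of the constant used here.

```java
// Added example, not code from the thread, buji-pac4j or pac4j: the two-stage
// call against the proxied application, with a constructed fake server so it
// runs offline. Host, paths, ticket value, Transport and Response are constructed.
import java.io.IOException;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

public class ProxiedServiceCall {

    /** Minimal HTTP response: status plus an optional raw Set-Cookie value (constructed type). */
    static final class Response {
        final int status;
        final String setCookie;
        Response(int status, String setCookie) { this.status = status; this.setCookie = setCookie; }
    }

    /** Transport abstraction so the flow can run against the fake server (hypothetical, not a pac4j type). */
    interface Transport {
        Response get(URI uri, List<String> cookieHeaders);
    }

    /**
     * Constructed stand-in for the proxied application's [urls] chain from the thread:
     *   /shiro-cas-proxied = clientsFilter -> validates the ticket, opens a session, 200 + Set-Cookie
     *   /**                = authc         -> 200 only with a live JSESSIONID, otherwise 302 to CAS login
     * Ticket validation is simulated: only the ticket given to the constructor is accepted.
     */
    static final class FakeProxiedApp implements Transport {
        static final String CALLBACK_PATH = "/shiro-cas-proxied/shiro-cas-proxied";
        private final Set<String> liveSessions = new HashSet<>();
        private final String acceptedTicket;
        FakeProxiedApp(String acceptedTicket) { this.acceptedTicket = acceptedTicket; }

        public Response get(URI uri, List<String> cookieHeaders) {
            if (CALLBACK_PATH.equals(uri.getPath())) {
                if (!acceptedTicket.equals(queryParam(uri, "ticket"))) {
                    return new Response(401, null);   // clientsFilter: ticket validation failed
                }
                String id = UUID.randomUUID().toString();
                liveSessions.add(id);
                return new Response(200, "JSESSIONID=" + id + "; Path=/shiro-cas-proxied; HttpOnly");
            }
            // authc: every other url needs an already-authenticated session
            for (String header : cookieHeaders) {
                for (String pair : header.split(";")) {
                    String[] kv = pair.trim().split("=", 2);
                    if (kv.length == 2 && "JSESSIONID".equals(kv[0]) && liveSessions.contains(kv[1])) {
                        return new Response(200, null);
                    }
                }
            }
            return new Response(302, null);           // redirect to the CAS login url
        }
    }

    static String queryParam(URI uri, String name) {
        String query = uri.getQuery();
        if (query == null) return null;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) return kv[1];
        }
        return null;
    }

    /** Client side: a CookieManager keeps the JSESSIONID between the calls (step 1 of the quoted post). */
    static final class Client {
        private final Transport transport;
        private final CookieManager cookies = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        Client(Transport transport) { this.transport = transport; }

        int get(URI uri) throws IOException {
            Map<String, List<String>> req = cookies.get(uri, Collections.<String, List<String>>emptyMap());
            List<String> cookieHeaders = req.containsKey("Cookie") ? req.get("Cookie") : Collections.<String>emptyList();
            Response r = transport.get(uri, cookieHeaders);
            if (r.setCookie != null) {   // store what the server set, as HttpURLConnection would
                Map<String, List<String>> headers = new HashMap<>();
                headers.put("Set-Cookie", Collections.singletonList(r.setCookie));
                cookies.put(uri, headers);
            }
            return r.status;
        }
    }

    static final URI CALLBACK = URI.create("https://proxied.example.test:8443" + FakeProxiedApp.CALLBACK_PATH);
    static final URI RESOURCE = URI.create("https://proxied.example.test:8443/shiro-cas-proxied/index.jsp");

    /** Original approach from the thread: the PT appended to the resource url itself; authc ignores it. */
    static int singleStage(Transport t, String proxyTicket) throws IOException {
        return new Client(t).get(URI.create(RESOURCE + "?ticket=" + proxyTicket));
    }

    /** Two-stage approach: ticket to the callback url (step 2), then the resource on the session (step 3). */
    static int twoStage(Transport t, String proxyTicket) throws IOException {
        Client c = new Client(t);
        int callbackStatus = c.get(URI.create(CALLBACK + "?client_name=CasClient&ticket=" + proxyTicket));
        if (callbackStatus != 200) return callbackStatus;   // ticket rejected: do not touch the resource
        return c.get(RESOURCE);
    }

    public static void main(String[] args) throws IOException {
        // constructed ticket; a real client gets it from CasProxyProfile.getProxyTicketFor(callbackUrl)
        String pt = "PT-1-constructed-example-ticket";
        Transport app = new FakeProxiedApp(pt);
        System.out.println("single-stage: " + singleStage(app, pt));   // 302: no session was ever established
        System.out.println("two-stage:    " + twoStage(app, pt));      // 200
        System.out.println("bad ticket:   " + twoStage(app, "PT-forged"));   // 401 from the callback url
    }
}
```

Running `main` shows the three cases: the single-stage call (ticket appended to the resource url) answers 302 because the authc filter never sees a session, the two-stage call answers 200, and a rejected ticket stops at the callback url with 401 rather than reaching the resource. Removing the `CookieManager` from `Client` reproduces Jérôme's description exactly: the second request arrives without a JSESSIONID and is redirected again.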

Re: Shiro cas proxying

Posted by jleleu <le...@gmail.com>.
Hi,

The RequiresHttpAction in your DEBUG logs should not be a problem. It
states that some special action is required.

Setting the Enum property is an issue indeed. I submitted an SVN patch for
that some time ago but it has not been integrated so far:
https://issues.apache.org/jira/browse/SHIRO-425.

I'm wondering if there is some interference between the *clientsFilter* and
the *casUsers* in case of a proxied authentication.
Would you mind removing the *casUsers* filter and just keep the *clientsFilter*
on the /** url (on your proxied application)?

Thanks.
Best regards,
Jérôme




2014-03-04 12:28 GMT+01:00 Dinabandhu [via Shiro User] <
ml-node+s582556n7579715h33@n2.nabble.com>:

> Hi,
>
> Made some more progress since last post. I created a servlet context
> listener in the proxied application with the following code -
>
> import java.net.CookieHandler;
> import java.net.CookieManager;
> import java.net.CookiePolicy;
> import java.util.Collection;
>
> import javax.servlet.ServletContextEvent;
> import javax.servlet.ServletContextListener;
>
> import org.apache.shiro.SecurityUtils;
> import org.apache.shiro.mgt.RealmSecurityManager;
> import org.apache.shiro.mgt.SecurityManager;
> import org.apache.shiro.realm.Realm;
> import org.apache.shiro.util.ThreadContext;
> import org.apache.shiro.web.env.WebEnvironment;
> import org.apache.shiro.web.mgt.WebSecurityManager;
> import org.apache.shiro.web.util.WebUtils;
> import org.pac4j.cas.client.CasClient;
> import org.pac4j.cas.client.CasClient.CasProtocol;
> import org.pac4j.core.client.Clients;
>
> import io.buji.pac4j.ClientRealm;
>
> public class CasProxyContextListener implements ServletContextListener
> {
>     public void contextDestroyed(ServletContextEvent arg0)
>     {
>         // release the security manager bound to this thread in contextInitialized()
>         ThreadContext.unbindSecurityManager();
>         ThreadContext.remove();
>     }
>
>     public void contextInitialized(ServletContextEvent arg0)
>     {
>         // keep the JSESSIONID cookie across the outgoing HttpURLConnection calls
>         CookieHandler.setDefault( new CookieManager( null,
>                 CookiePolicy.ACCEPT_ALL ) );
>         // bind the web security manager so SecurityUtils works outside a request
>         WebEnvironment wm =
>                 WebUtils.getRequiredWebEnvironment(arg0.getServletContext());
>         WebSecurityManager wsm = wm.getWebSecurityManager();
>         ThreadContext.bind(wsm);
>
>         SecurityManager mgr = SecurityUtils.getSecurityManager();
>
>         Collection<Realm> realms = ((RealmSecurityManager)
>                 mgr).getRealms();
>
>         // switch the pac4j CasClient to the CAS 2.0 proxy protocol so that
>         // proxy tickets are validated on /proxyValidate
>         for (Realm realm : realms)
>         {
>             // instanceof instead of getClass().isAssignableFrom(ClientRealm.class),
>             // which would miss subclasses of ClientRealm
>             if (realm instanceof ClientRealm)
>             {
>                 Clients clients = ((ClientRealm) realm).getClients();
>                 CasClient client = (CasClient)
>                         clients.findClient("CasClient");
>                 client.setCasProtocol(CasProtocol.CAS20_PROXY);
>             }
>         }
>     }
> }
>
> This seems to solve the earlier problem and the PT is getting validated
> and I am getting the following response from the server for proxy validation -
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>dinu</cas:user>
>         <cas:proxies>
>             <cas:proxy>https://user-think:8443/shiro-cas-proxy-1/proxyReceptor.jsp?client_name=CasProxyReceptor</cas:proxy>
>         </cas:proxies>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> However after the proxy validation, the request is getting redirected to a
> different url than the requested url. Https access logs below. Please see the
> bold entry -
>
> 192.168.2.202 [04/Mar/2014:16:41:35 +0530] HTTP/1.1 8443 GET /cerberus-sso-test/proxy?pgt=TGT-4-ejs15UXZaPleZra4LUd4GflBHTZe7p0XehVaaqLWYpOKArsf9B-cas01.example.org&targetService=https%3A%2F%2Fuser-think%3A8443%2Fshiro-cas-proxied%2Fshiro-cas%3Fclient_name%3DCasClient HTTP/1.1 200
> 192.168.2.202 [04/Mar/2014:16:41:35 +0530] HTTP/1.1 8443 GET /cerberus-sso-test/proxyValidate?ticket=ST-9-ZWaANamGV6QSVKb3pwaY-cas01.example.org&service=https%3A%2F%2Fuser-think%3A8443%2Fshiro-cas-proxied%2Fshiro-cas%3Fclient_name%3DCasClient HTTP/1.1 200
> 192.168.2.202 [04/Mar/2014:16:41:35 +0530] HTTP/1.1 8443 GET /shiro-cas-proxied/proxy-page.jsp?client_name=CasClient&ticket=ST-9-ZWaANamGV6QSVKb3pwaY-cas01.example.org HTTP/1.1 302
> *192.168.2.202 [04/Mar/2014:16:41:35 +0530] HTTP/1.1 8443 GET /shiro-cas-proxied/ HTTP/1.1* 500
> 192.168.2.202 [04/Mar/2014:16:41:35 +0530] HTTP/1.1 8443 GET /shiro-cas-proxy-1/ProxyServlet HTTP/1.1 500
>
> I am also getting an exception in the server log -
>  org.pac4j.core.exception.TechnicalException: name cannot be blank.
>
> I am not sure what is wrong.
>
> Thanks & Regards,
> Dinabandhu
>
>
>



