I'm using CAS server 4.x and I'm trying to delegate authentication using google. My idea is that a web application A redirects to CAS for login, there the user presses a "login using google" and then he gets redirected to log in using google.
To achieve that I created a client application (A).
I run A and it redirects me to the CAS login page, there I press the "login using google" link and it redirects me to login with google, there I login and consent.
On the CAS side the info from google is received ok and the TGT is created. However, the server fails to redirect to A cause it doesn't have the redirect info in the session:
ERROR [org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController] - oauth20_callbackUrl is missing from the session and can not be retrieved.
Any idea of what could be wrong?
This is how I configured everything:
First, I followed the steps mentioned here:
http://jasig.github.io/cas/development/integration/Delegate-Authentication.html
In the login view I added:
login using google
applicationContext:
<bean id="google" class="org.pac4j.oauth.client.Google2Client">
<property name="key" value="key" />
<property name="secret" value="secret" />
</bean>
<bean id="clients" class="org.pac4j.core.client.Clients">
<property name="callbackUrl" value="http://localhost:8080/cas/login" />
<property name="clients">
<list>
<ref bean="google" />
</list>
</property>
</bean>
cas servlet:
<bean id="clientAction" class="org.jasig.cas.support.pac4j.web.flow.ClientAction">
<constructor-arg index="0" ref="centralAuthenticationService"/>
<constructor-arg index="1" ref="clients"/>
</bean>
deployerConfigContext:
<property name="authenticationMetaDataPopulators">
<util:list>
<bean class="org.jasig.cas.support.pac4j.authentication.ClientAuthenticationMetaDataPopulator" />
</util:list>
</property>
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler">
<constructor-arg index="0" ref="clients"/>
</bean>
Then I added an OAuth client in the deployerConfigContext:
registeredServicesList:
<bean class="org.jasig.cas.support.oauth.services.OAuthRegisteredService">
<property name="id" value="1" />
<property name="name" value="serviceName" />
<property name="description" value="Service Description" />
<property name="serviceId" value="http://localhost:8080/A/" />
<property name="clientId" value="123" />
<property name="clientSecret" value="123" />
</bean>
The error you get happens only if you enable OAuth server support, but what you want is to enable OAuth client support (based on pac4j) to be able to delegate the authentication to Google. You have the right link to the documentation, but you should check you followed every steps (there is no "OAuthRegisteredService").
Related
I'm trying to use ActiveDirectory to authenticate to JasperServer , that still not working for some reason :
here is my configuration :
1. STEP 1 : access params to the AD Server :
<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
<constructor-arg value="ldap://192.10.0.190:389/dc=sifast,dc=infra"/>
<!-- manager user name and password (may not be needed) -->
<property name="userDn" value="CN=recherche,CN=Users,DC=sifast,DC=infra"/>
<property name="password" value="*******"/>
<property name="referral">
<value>follow</value>
</property>
</bean>
2.STEP 2: configuration of the access within "userDnPatterns" :
here i wanna access with the login already entered
<bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
<constructor-arg>
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
<constructor-arg><ref local="ldapContextSource"/></constructor-arg>
<property name="userDnPatterns">
<list>
<value>CN={0},CN=Users,DC=sifast,DC=infra</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
<constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
</bean>
so here i'm setting it within that : CN={0},CN=Users,DC=sifast,DC=infra
3. STEP 3 : configuring the userSearch method:
<bean id="userSearch"
class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
<constructor-arg index="0">
<value></value>
</constructor-arg>
<constructor-arg index="1">
<value>(sAMAccountName={0})</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="ldapContextSource" />
</constructor-arg>
<property name="searchSubtree">
<value>true</value>
</property>
</bean>
here i'm using the login "({0})" entered to look for the similar sAMAccountName of the right user.
that still not working.
my AD Schema looks like this:
so i wanna let simple users inside CN=USERS acquire access
Actually my authentication is still failing. Any ideas?
In your step 2 spring configuration file JSBindAuthenticator missing the following property reference:
<property name="userSearch" ref="userSearch"/>
I'm trying to create a read only user in activeMQ console, I found this and this too. the second post from stackoverflow is not helpful because it deployed the web console to an external server. The second page from pivotal looks promising and I tried with activeMQ version 5.14.1 but it didn't work too. activeMQ didn't even start whenever I try accessing the console with the user/password specified for read only user I get !role error.
Any ideas?
Thanks in advance!
found the answer in here I had to change class="org.eclipse.jetty.http.security.Constraint" to class="org.eclipse.jetty.util.security.Constraint" in step number 1
Links to Pivotal are dead. For those who want a simple solution you can change these lines from jetty.xml :
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
to
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/api/*,*.jsp,*.html,*.png,*.css,/admin/js/*" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
I deployed my CAS server with OAuth protocol support
I've added this code to my deployerConfigContext.xml
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="1"/>
<property name="name" value="the_key"/>
<property name="description" value="the_secret"/>
<property name="theme" value="my great webapp for OAuth"/>
<property name="serviceId" value="http://localhost:8080/cas/login"/>
<property name="evaluationOrder" value="10000001"/>
<property name="allowedAttributes">
<list>
<!-- facebook -->
<value>the_key</value>
<value>the_secret</value>
</list>
</property>
</bean>
and
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry">
<constructor-arg index="0" value="1000"/>
<constructor-arg index="1" value="1"/>
<constructor-arg index="2" value="16"/>
</bean>
to define my ticketRegistry
So my OAuth client secret code key is the_secret and the_key
but when I load this URL http://localhost:8080/cas/oauth2.0/accessToken?client_secret=the_secret&grant_type=refresh_token&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcas%2Flogin&code=0&client_id=the_key to test my OAuth protocol, I've got this exception
<Code Expired 0>
Why and how could I fix it?
You need to define two CAS services :
one for internal mechanism of OAuth server support (with CASservice.serviceId = http://localhost:8080/cas/oauth2.0/callbackAuthorize)
one for the each client OAuth application you want to authorize (with oauthclient.key = CASservice.name, oauthclient.secret = CASservice.description, oauthclient.redirect_uri should start with CASservice.serviceId).
The documentation : https://wiki.jasig.org/display/CASUM/OAuth+server+support, part 3...
I am trying to make Spring Security 3.05 to work with a modified UserDetailsContextMapper so that i can get a few more info out of LDAP they way i need to, a task that seems fairly straightforward, but had no success.
I have configured Spring Security to use LDAP authentication with the following beans:
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldaps://192.168.1.102:636" />
<property name="userDn" value="manager" />
<property name="password" value="password" />
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="" />
<constructor-arg index="1" value="(mail={0})" />
<constructor-arg index="2" ref="contextSource" />
</bean>
</property>
</bean>
</constructor-arg>
<property name="userDetailsContextMapper" ref="myContextMapper" />
</bean>
However even though i have defined myContextMapper as:
<bean id="myContextMapper" class="com.mypackage.MyLDAPUserDetailsMapper">
<property name="rolePrefix" value="TEST_PREFIX" />
</bean>
it does not work. meaning that the custom mapper is ignored (i get no debug output whatsoever).
p.s. applicationContext-security.xml can be seen below and apart from the custom UserDetailsMapper that's been ignored, authentication and role assignment is working fine.
<authentication-manager>
<ldap-authentication-provider server-ref="contextSource"/>
</authentication-manager>
You don't need to configure the in-built UserDetailsContextMapper classes. Spring Security automatically picks up the correct UserDetailsContextMapper based on the type of LdapUserDetails class requested, which is configured by user-details-class attribute of ldap-authentication-provider. If you are using your own context mapper then configure it using the attribute user-context-mapper-ref.
I have an application that use Spring-Security framework with Jboss Server. Everything works fine. I can get account locked, bad credentials messages based on the authentication.
Now, I'm trying to move to configure the same thing with Tomcat. But, I don't get account locked, bad credentials messages. I just get "Unauthorized" for every wrong authentication. Can some body point me to What I am missing ? Here is the securitycontext.xml file content:
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
</bean>
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager">
</property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="jaasAuthenticationProvider"/>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>