Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] CAS authentication for Grouper

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] CAS authentication for Grouper

Chronological Thread 
  • From: Eileen Roach <>
  • To:
  • Subject: Re: [grouper-users] CAS authentication for Grouper
  • Date: Thu, 13 Oct 2011 10:51:19 -0700


Our CAS server returns REMOTE_USER as is normally expected, but REMOTE_USER is not configured as a subject identifier. My guess is that the problem lies in the REMOTE_USER not being picked up by the Grouper CAS component.



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Eileen Roach
Programmer/Analyst, Identity Management Group
California Polytechnic State University, San Luis Obispo
Phone: (805)756-6214

On 10/12/2011 11:17 AM, Baron Fujimoto wrote:
I'm trying to set up CAS authentication for Grouper 2.0 using Cal Poly's
contributed page as a reference:


I've run into a series of problems, though I'm not sure which if any are
dependent on others. (Apologies for the length.)

I'm getting the following exception reported in my browser when I try
to access the UI:

java.lang.IllegalStateException: Cannot forward after response has been
committed Source)

without ever seeing our usual CAS login page, though the URL location is
reported by the browser as "[...]";

I don't see anything that stands out in any of the Grouper logs.

If I subsequently reload the same UI URL, The UI displays with the URL:


If I click on the "Log in" link, then the CAS login page that was not
initially seen displays as expected. However, after entering username
and password credentials, I'm redirected back to a Grouper error page with
the URL:


and in the grouper_debug.log:

2011-10-11 16:59:28,647: [http-] ERROR ErrorFilter.doFilter(142)
-< - 0D23BC2ADFFD138F05C2E5514F3019F7-0005 - - -> -
javax.servlet.ServletException: org.xml.sax.SAXParseException: Content is not
allowed in prolog. yes
Staff K Teststaff


I recognize the "Content not allowed in prolog" as what our CAS server
returns for a successful authentication. i.e.: status of authentication,
UH username (uid), UH number (uhuuid, a UH unique identifier), full name,
affiliation, etc.

I understand that what the Grouper CAS authentication piece wants though
is the REMOTE_USER (the uid, in our case). The example provided is based
one the GrouperJdbcSourceAdapter2 source adapter, whereas we're using the
GrouperJndiSourceAdapter ldap adapter and are using the init-params:


I assume at least one/some of my problems is that REMOTE_USER is not being
picked up properly by the CAS component and/or is not properly properly
configured as one of the subject identifiers. We use uhuuid as our
SubjectID because it is the stable unique identifier, whereas the uid is
what is I believe being returned as the REMOTE_USER. We are able to
successfully use CAS/REMOTE_USER authentication with our Shibboleth IdP
deployment, so I'm not focusing my attention there for now.

Any suggestions or assistance would be greatly appreciated.


Archive powered by MHonArc 2.6.16.

Top of Page