
grouper-users - Re: [grouper-users] CAS authentication for Grouper

Subject: Grouper Users - Open Discussion List

  • From: "GW Brown, Information Systems and Computing" <>
  • To: Baron Fujimoto <>,
  • Subject: Re: [grouper-users] CAS authentication for Grouper
  • Date: Thu, 13 Oct 2011 21:17:28 +0100

--On 12 October 2011 08:17 -1000 Baron Fujimoto

I'm trying to set up CAS authentication for Grouper 2.0 using Cal Poly's
contributed page as a reference:


I've run into a series of problems, though I'm not sure which if any are
dependent on others. (Apologies for the length.)

I'm getting the following exception reported in my browser when I try
to access the UI:

java.lang.IllegalStateException: Cannot forward after response has been
committed Source)

without ever seeing our usual CAS login page, though the URL location is
reported by the browser as "[...]";
That looks like an error at the CAS side

I don't see anything that stands out in any of the Grouper logs.

If I subsequently reload the same UI URL, the UI displays with the URL:


If I click on the "Log in" link, then the CAS login page that was not
initially seen displays as expected. However, after entering username
and password credentials, I'm redirected back to a Grouper error page with
the URL:


and in the grouper_debug.log:

2011-10-11 16:59:28,647: [http-] ERROR
ErrorFilter.doFilter(142) - < - 0D23BC2ADFFD138F05C2E5514F3019F7-0005 - -
- > - javax.servlet.ServletException: org.xml.sax.SAXParseException:
Content is not allowed in prolog. yes teststaf
Staff K Teststaff

at at

I recognize the "Content not allowed in prolog" as what our CAS server
returns for a successful authentication. i.e.: status of authentication,
UH username (uid), UH number (uhuuid, a UH unique identifier), full name,
affiliation, etc.
What version of the CAS server are you using and which 'validate'? Looks like you are passing several attributes back, which would not be supported by the 'old' casclient.jar supplied.

I understand that what the Grouper CAS authentication piece wants though
is the REMOTE_USER (the uid, in our case). The example provided is based
on the GrouperJdbcSourceAdapter2 source adapter, whereas we're using the
GrouperJndiSourceAdapter ldap adapter and are using the init-params:


I assume at least one/some of my problems is that REMOTE_USER is not being
picked up properly by the CAS component and/or is not properly
configured as one of the subject identifiers. We use uhuuid as our
SubjectID because it is the stable unique identifier, whereas the uid is
what is, I believe, being returned as the REMOTE_USER. We are able to
successfully use CAS/REMOTE_USER authentication with our Shibboleth IdP
deployment, so I'm not focusing my attention there for now.
What is your searchSubjectByIdentifier definition? I think this gives you the flexibility to set an arbitrary filter to map the REMOTE_USER to the appropriate LDAP attribute.


Any suggestions or assistance would be greatly appreciated.

Baron Fujimoto
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

GW Brown, IT Services
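
An added example, not part of the thread and not Grouper or CAS client code: it shows how a "Content is not allowed in prolog" SAXParseException arises when an XML parser is handed a plain-text validation body, and why the client should fail closed on that mismatch. It relies on the CAS protocol's two response formats (plain text from CAS 1.0 `/validate`, XML from CAS 2.0 `/serviceValidate`); the class and method names are hypothetical and the sample bodies are constructed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class CasValidateResponseCheck {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // CAS 2.0 /serviceValidate: XML body; returns the cas:user value or throws.
    static String userFromXml(String body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The body arrives over the network, so refuse DOCTYPEs (blocks XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(body)));
        NodeList ok = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (ok.getLength() != 1) throw new IllegalStateException("not an authenticationSuccess");
        NodeList users = doc.getElementsByTagNameNS(CAS_NS, "user");
        if (users.getLength() != 1) throw new IllegalStateException("expected one cas:user");
        return users.item(0).getTextContent().trim();
    }

    // CAS 1.0 /validate: plain text, "yes" then the username on the next line.
    static String userFromPlainText(String body) {
        String[] lines = body.split("\r?\n");
        if (lines.length < 2 || !lines[0].equals("yes") || lines[1].trim().isEmpty())
            throw new IllegalStateException("ticket not validated");
        return lines[1].trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies, modelled on the two response formats.
        String xml = "<cas:serviceResponse xmlns:cas=\"" + CAS_NS + "\">"
                + "<cas:authenticationSuccess><cas:user>teststaf</cas:user>"
                + "</cas:authenticationSuccess></cas:serviceResponse>";
        String plain = "yes\nteststaf\n";

        System.out.println("XML body        -> " + userFromXml(xml));
        System.out.println("plain-text body -> " + userFromPlainText(plain));
        try {
            userFromXml(plain); // format mismatch: XML parser fed a plain-text body
        } catch (SAXParseException e) {
            // Fail closed: no user is accepted from a body that did not parse.
            System.out.println("mismatch        -> " + e.getMessage());
        }
    }
}
```

When the client's expected format and the server's validation endpoint disagree, the fix is to align the two rather than to loosen the parser.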
