grouper-users - Re: [grouper-users] CAS Authentication Help

grouper-users@internet2.edu

Subject: Grouper Users - Open Discussion List

Re: [grouper-users] CAS Authentication Help


  • From: "Redman, Chad" <chad_redman@unc.edu>
  • To: Grouper Users <grouper-users@internet2.edu>, Jonathan Keller <jhkeller@ucdavis.edu>, "Hyzer, Chris" <mchyzer@isc.upenn.edu>
  • Subject: Re: [grouper-users] CAS Authentication Help
  • Date: Sat, 19 Sep 2020 23:37:30 +0000

I can confirm that the "CAS Authentication Method 2: Client Configuration Using web.xml" method no longer works in 2.5. Any CAS filters put into web.xml will be run after the Grouper authorization filter which is now injected via classes at startup. There is no way to trigger the custom jsp file that boots the CAS session, since access to all jsp files requires an existing Grouper session. I will update the wiki with a note on it.

The other method, using Tomcat authentication realms, does work with TomEE in the container. Some of the file locations have changed due to the use of containers, so I will update the wiki.

The mod_auth_cas directions look great, and I would say it should be the preferred way to implement CAS auth. The Tomcat realms could be an alternative, for installations that use TomEE without Apache.

-Chad


From: grouper-users-request@internet2.edu <grouper-users-request@internet2.edu> on behalf of Hyzer, Chris <mchyzer@isc.upenn.edu>
Sent: Tuesday, September 1, 2020 3:57 PM
To: Grouper Users <grouper-users@internet2.edu>; Jonathan Keller <jhkeller@ucdavis.edu>
Subject: Re: [grouper-users] CAS Authentication Help
 
do you have access to the grouper wiki to edit the CAS page for grouper with more specifics on getting mod_auth_cas working?  🙂  If you are on slack, ping me and we can coordinate.  Thanks!

From: grouper-users-request@internet2.edu <grouper-users-request@internet2.edu> on behalf of Jonathan Keller <grouper-users@internet2.edu>
Sent: Tuesday, September 1, 2020 3:51 PM
To: Grouper Users <grouper-users@internet2.edu>
Subject: Re: [grouper-users] CAS Authentication Help
 
Just following up on my earlier email.

TL;DR - never got web.xml AuthN working - fell back to mod_auth_cas in the Apache server which did work.

Writing up my findings for others on the authN issue with the 2.5+ containers:

First, the web.xml version seems to be broken.  The changes to the container, whereby the servlet config is driven by the file:

/opt/grouper/grouperWebapp/WEB-INF/classes/META-INF/services/javax.servlet.ServletContainerInitializer 

and the https://github.com/Internet2/grouper/blob/master/grouper/src/grouper/edu/internet2/middleware/grouper/j2ee/CommonServletContainerInitializer.java  class it points to results in the filters which you would add in web.xml being processed after the other components of the system, so the user ID is not available at the time the grouper components are reading the HTTP request headers.

I also could not get the Tomcat Valve method to work.  I am not sure why.  I installed the valve as documented and added the login-config and security-constraints to the web.xml, but the redirect to the CAS server would never happen.  (I've never used Tomcat AuthN via Valves before - so I'm assuming I just missed something here.)

I DID finally get CAS AuthN working by installing mod_auth_cas into the container via yum and then pushing the configuration in via grouperScriptHooks_setupFilesPost() so that I could limit it to the UI server container.  (We do have Shib at UCD, but I was not ready to attempt that setup at the current stage.)

--
Jonathan Keller
Application Architect - Administrative IT
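The hook approach Jonathan describes, written out as an added example that is not code from this thread or from the Grouper project: a grouperScriptHooks_setupFilesPost() that generates the mod_auth_cas config only when the container runs the UI role. It assumes the container marks that role with GROUPER_UI=true, that the mod_auth_cas yum package already loads the module, and that HTTPD_CONF_DIR and CAS_HOST are supplied through the environment (all assumed names except the hook function itself).

```shell
#!/bin/bash
# Added example, not from the thread or the Grouper project.
# Assumptions: GROUPER_UI=true marks the UI container, the mod_auth_cas
# package already drops its LoadModule line into conf.modules.d, and the
# hook runs as root before httpd starts. The conf directory and CAS host
# are parameters so the function can be exercised outside a container.

# Usage: write_mod_auth_cas_conf <conf_dir> <cas_host>
write_mod_auth_cas_conf() {
  local conf_dir="$1" cas_host="$2"
  mkdir -p "$conf_dir"
  # Unquoted EOF so ${cas_host} expands; Apache directives are literal.
  cat > "$conf_dir/grouper-cas.conf" <<EOF
# Generated by grouperScriptHooks_setupFilesPost; UI container only.
CASLoginURL https://${cas_host}/cas/login
CASValidateURL https://${cas_host}/cas/p3/serviceValidate
CASCookiePath /var/cache/httpd/mod_auth_cas/
<Location /grouper>
  AuthType CAS
  # Only CAS-authenticated users reach the UI; REMOTE_USER carries the id.
  Require valid-user
</Location>
EOF
}

# Returns 0 when the config was written, 1 when skipped (non-UI role),
# so a mis-set role is visible in the container log rather than silent.
grouperScriptHooks_setupFilesPost() {
  if [ "${GROUPER_UI:-false}" != "true" ]; then
    echo "grouperScriptHooks_setupFilesPost: not the UI role, skipping mod_auth_cas" >&2
    return 1
  fi
  write_mod_auth_cas_conf "${HTTPD_CONF_DIR:-/etc/httpd/conf.d}" \
    "${CAS_HOST:?set CAS_HOST to the CAS server hostname}"
}
```

The CASCookiePath directory must exist and be writable by the httpd user, or mod_auth_cas will refuse to create sessions.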


On Aug 28, 2020, at 2:49 PM, Jonathan Keller <jhkeller@ucdavis.edu> wrote:

I'm hoping this is a quick question for someone.  I am trying to get our local campus CAS authentication integrated with the Grouper UI.  I've been following the setup instructions here:


And using the Tomcat web.xml version of the setup.

I have the redirect working, and the CAS servers are redirecting back.  Debug logging shows that the ticket validation is working - I can see my user ID coming back in the XML response from our servers.

However, the resulting user ID does not seem to be getting extracted into the servlet request by the HttpServletRequestWrapperFilter.  I've checked the code of that class, and it is attempting to extract the assertion into the getRemoteUser() method of the request, which the above documentation says will be used by the Grouper UI.  However, I'm getting the (dreaded?) "You have an anonymous session since you are not logged in,..." message.

Given what I am seeing, it would appear that either the filter is not running, or is not instrumenting the servlet request which is executing the UI.  I'm hoping there is just some additional configuration that I'm missing.  My setup is pretty much like the documentation except for using these for the init params:

<init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://${casHost}/cas</param-value>
</init-param>
<init-param>
    <param-name>service</param-name>
    <param-value>${serverName}/grouper/</param-value>
</init-param>

I also upgraded to the Cas30ProxyReceivingTicketValidationFilter - but the problem existed with the 2.0 proxy as well.

Any help would be appreciated.

Thanks.

--
Jonathan Keller
Application Architect - Administrative IT






Archive powered by MHonArc 2.6.19.