From jleleu <lel...@gmail.com>
Subject Re: CAS Single Sign Out and LDAP attribute retrieval
Date Thu, 16 Jan 2014 09:18:02 GMT
Hi,

Regarding logout, I can't remember exactly if I did the test or someone
else, but I think it works. Did you try some debugging in the
SingleSignOutFilter?

To get the user's attributes, things are a little more complex:
- you need to retrieve the user's attributes inside the CAS server (should
be what you did)
- define that you want to push these attributes for the CAS service
representing the Shiro application (*allowedAttributes* or *ignore*
parameter for this CAS service)
- use the SAML validation
And then, the user's attributes will be available as the second principal:
https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162

Best regards,
Jérôme
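An added example (not code from the thread or from Shiro itself) showing how a Shiro application reads the attributes once the steps above are in place. It assumes Shiro 1.2.x with the CasRealm configured for SAML validation (casRealm.validationProtocol = SAML in shiro.ini), so that CasRealm stores the user id as the first principal and the attribute Map as the second; the class name CasAttributes is hypothetical.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

// Hypothetical helper: reads CAS-released attributes from the Shiro Subject
// instead of casting request.getUserPrincipal() (which is a Shiro wrapper,
// not the CAS AttributePrincipal). Assumes CasRealm with SAML validation.
public final class CasAttributes {

    private CasAttributes() {}

    /** CAS user id (first principal stored by CasRealm), or null if anonymous. */
    public static String userId() {
        Subject subject = SecurityUtils.getSubject();
        Object primary = subject.getPrincipal();
        return primary == null ? null : primary.toString();
    }

    /** Attribute map released by CAS (second principal), empty if none. */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> all() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            return Collections.emptyMap();
        }
        PrincipalCollection principals = subject.getPrincipals();
        // CasRealm stores the attributes as a java.util.Map principal, so look
        // it up by type; with CAS 2.0 validation (no SAML) this map is empty.
        Map<String, Object> attrs = principals.oneByType(Map.class);
        return attrs == null ? Collections.emptyMap() : attrs;
    }

    /** One attribute as a String, e.g. get("Name") for the displayName mapping. */
    public static String get(String name) {
        Object value = all().get(name);
        return value == null ? null : value.toString();
    }
}
```

If all() comes back empty even though the CAS server logs show the attributes being resolved, check that the service registry entry for the Shiro application actually releases them and that the realm is validating with SAML rather than the CAS 2.0 protocol.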




2014/1/15 Eduardo J. Ortega U [via Shiro User] <ml-node+s582556n7579510h78@n2.nabble.com>

> Hi, all:
>
> We are setting up our first Shiro enabled application with CAS
> authentication. Authentication seems to work fine, however, we have two
> issues:
>
>    - We want to have Single Sign Out, so that when a user signs out of
>    CAS, he/she is signed out of CAS and therefore of all apps. Currently, if I
>    log out of the application (using Shiro's logout feature) and then try to
>    access one of the protected pages, the browser gets redirected to CAS, which in
>    turn validates and redirects to http://myhost/myapp/shiro-cas, and then
>    /shiro-cas redirects it to the requested URL of the application, so
>    effectively the user is logged back into the application. Also, if the user
>    logs out of CAS (visiting http://myhost/CAS/logout), his/her CAS session
>    ends but the application session remains, so he/she can still access the
>    protected areas. I set up the following in myapp's web.xml:
>
>
>     <filter>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
>     <listener>
>         <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>     </listener>
>
> But it is not working. What am I missing?
>
>    - We want to access some of the user attributes from inside our
>    application. I set up CAS properties to map the attributes, setting this in
>    CAS deployerConfigContext.xml
>
>     <bean id="attributeRepository"
>           class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>         <property name="contextSource" ref="contextSource" />
>         <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
>         <property name="requireAllQueryAttributes" value="true" />
>         <property name="queryAttributeMapping">
>             <map>
>                 <entry key="username" value="uid" />
>             </map>
>         </property>
>         <property name="resultAttributeMapping">
>             <map>
>                 <!-- Mapping between LDAP entry attributes (key) and
>                      Principal's attributes (value) -->
>                 <entry key="displayName" value="Name" />
>                 <entry key="distinguishedName" value="dn" />
>             </map>
>         </property>
>     </bean>
>  And then access them from inside the Shiro application like this:
>
> AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
> Map<String, Object> attributes = principal.getAttributes();
>
> But we get an error saying we cannot cast Request to AttributePrincipal. I
> guess I am missing something here, too.
>
> Any help is greatly appreciated.
>
>
> --
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
>
>



