Feature #11
Central Authentication Service SSO support
| Status: | Closed | Start: | 10/12/2009 |
| Priority: | Normal | Due date: | |
| Assigned to: | | % Done: | 100% |
| Category: | Security | | |
| Target version: | 0.7 | | |
Description
Single Sign On through Central Authentication Service must be supported
History
Updated by Sebastien Bahloul 165 days ago
- Status changed from New to Assigned
- Assigned to set to Sebastien Bahloul
- Target version set to 0.7
Need now to improve packaging.
Updated by Guillaume Stevens 163 days ago
I'm currently testing the implementation of CAS. I've a problem. We don't use the mail as login but the ldap attribute uid (for us it's first name.last name).
And I saw that you were making a ldap search with the attribute "mail" to validate the user. So our users are never validated.
I see two possible solutions:
- do a second search with the ldap attribute 'uid' if the first one gives no result.
- Watch if the CAS ticket returns the 'mail' attribute and, if so, retrieve it.
Perhaps the best solution would be a mix of both.
Updated by Sebastien Bahloul 163 days ago
I think that you only have to change ldap.auth.key from mail={0} to uid={0}.
Updated by Sebastien Bahloul 158 days ago
- % Done changed from 0 to 80
- through Apache integration
- by adding an IP restriction inside PreAuthenticationHeader class
Updated by Sebastien Bahloul 158 days ago
- Status changed from Assigned to Feedback
Hi Guillaume,
Can you provide us some feedback?
Thanks,
Updated by Guillaume Stevens 142 days ago
Hi, I still have a problem:
10 mars 2010 13:48:29 org.linagora.linShare.core.dao.ldap.LdapDatasource searchUserWithUid
INFO: Search uid pattern = (uid=guillaume.stevens)
Hibernate:
select
this_.user_id as user1_0_0_,
this_.login as login0_0_,
this_.first_name as first4_0_0_,
this_.last_name as last5_0_0_,
this_.encipherment_key_pass as encipher6_0_0_,
this_.mail as mail0_0_,
this_.creation_date as creation8_0_0_,
this_.role_id as role9_0_0_,
this_.can_upload as can10_0_0_,
this_.can_create_guest as can11_0_0_,
this_.password as password0_0_,
this_.locale as locale0_0_,
this_.expiry_date as expiry14_0_0_,
this_.comment as comment0_0_,
this_.owner_id as owner16_0_0_,
this_.user_type_id as user2_0_0_
from
linshare_user this_
where
lower(this_.mail)=?
Hibernate:
select
this_.user_id as user1_0_0_,
this_.login as login0_0_,
this_.first_name as first4_0_0_,
this_.last_name as last5_0_0_,
this_.encipherment_key_pass as encipher6_0_0_,
this_.mail as mail0_0_,
this_.creation_date as creation8_0_0_,
this_.role_id as role9_0_0_,
this_.can_upload as can10_0_0_,
this_.can_create_guest as can11_0_0_,
this_.password as password0_0_,
this_.locale as locale0_0_,
this_.expiry_date as expiry14_0_0_,
this_.comment as comment0_0_,
this_.owner_id as owner16_0_0_,
this_.user_type_id as user2_0_0_
from
linshare_user this_
where
this_.login=?
Hibernate:
select
nextval ('hibernate_sequence')
Hibernate:
insert
into
linshare_user
(login, first_name, last_name, encipherment_key_pass, mail, creation_date, role_id, can_upload, can_create_guest, password, locale, user_type_id, user_id)
values
(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '0', ?)
10 mars 2010 13:48:29 org.hibernate.util.JDBCExceptionReporter logExceptions
ATTENTION: SQL Error: 0, SQLState: null
10 mars 2010 13:48:29 org.hibernate.util.JDBCExceptionReporter logExceptions
GRAVE: L'élément du batch 0 insert into linshare_user (login, first_name, last_name, encipherment_key_pass, mail, creation_date, role_id, can_upload, can_create_guest, password, locale, user_type_id, user_id) values (guillaume.stevens, Guillaume, Stevens, NULL, guillaume.stevens, NULL, 0, 1, 1, NULL, NULL, '0', 1) a été annulé. Appeler getNextException pour en connaître la cause.
10 mars 2010 13:48:29 org.hibernate.util.JDBCExceptionReporter logExceptions
ATTENTION: SQL Error: 0, SQLState: 23505
10 mars 2010 13:48:29 org.hibernate.util.JDBCExceptionReporter logExceptions
GRAVE: ERREUR: la valeur d'une clé dupliquée rompt la contrainte unique « linshare_user_pkey »
10 mars 2010 13:48:29 org.hibernate.event.def.AbstractFlushingEventListener performExecutions
GRAVE: Could not synchronize database state with session
org.hibernate.exception.ConstraintViolationException: Could not execute JDBC batch update
at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:71)
at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
at org.hibernate.jdbc.AbstractBatcher.executeBatch(AbstractBatcher.java:253)
at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:266)
at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:167)
at org.hibernate.event.def.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:298)
at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:27)
at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
at org.hibernate.impl.SessionImpl.managedFlush(SessionImpl.java:338)
at org.hibernate.transaction.JDBCTransaction.commit(JDBCTransaction.java:106)
at org.springframework.orm.hibernate3.HibernateTransactionManager.doCommit(HibernateTransactionManager.java:655)
at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:662)
at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:632)
at org.springframework.transaction.interceptor.TransactionAspectSupport.commitTransactionAfterReturning(TransactionAspectSupport.java:314)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:116)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy28.loadUserDetails(Unknown Source)
at org.linagora.linShare.view.tapestry.services.impl.UserAccessAuthentity.processAuth(UserAccessAuthentity.java:52)
at org.linagora.linShare.view.tapestry.services.AppModule$2.service(AppModule.java:271)
at $RequestFilter_127481d7404.service($RequestFilter_127481d7404.java)
at $RequestHandler_127481d7409.service($RequestHandler_127481d7409.java)
at $RequestHandler_127481d73ef.service($RequestHandler_127481d73ef.java)
at org.apache.tapestry5.services.TapestryModule$HttpServletRequestHandlerTerminator.service(TapestryModule.java:197)
at org.apache.tapestry5.internal.gzip.GZipFilter.service(GZipFilter.java:53)
at $HttpServletRequestHandler_127481d73f1.service($HttpServletRequestHandler_127481d73f1.java)
at org.apache.tapestry5.upload.internal.services.MultipartServletRequestFilter.service(MultipartServletRequestFilter.java:44)
at $HttpServletRequestHandler_127481d73f1.service($HttpServletRequestHandler_127481d73f1.java)
at org.apache.tapestry5.internal.services.IgnoredPathsFilter.service(IgnoredPathsFilter.java:62)
at $HttpServletRequestFilter_127481d73ee.service($HttpServletRequestFilter_127481d73ee.java)
at $HttpServletRequestHandler_127481d73f1.service($HttpServletRequestHandler_127481d73f1.java)
at org.apache.tapestry5.services.TapestryModule$2.service(TapestryModule.java:726)
at $HttpServletRequestHandler_127481d73f1.service($HttpServletRequestHandler_127481d73f1.java)
at $HttpServletRequestHandler_127481d73ec.service($HttpServletRequestHandler_127481d73ec.java)
at org.apache.tapestry5.TapestryFilter.doFilter(TapestryFilter.java:127)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
at org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.sql.BatchUpdateException: L'élément du batch 0 insert into linshare_user (login, first_name, last_name, encipherment_key_pass, mail, creation_date, role_id, can_upload, can_create_guest, password, locale, user_type_id, user_id) values (guillaume.stevens, Guillaume, Stevens, NULL, guillaume.stevens, NULL, 0, 1, 1, NULL, NULL, '0', 1) a été annulé. Appeler getNextException pour en connaître la cause.
at org.postgresql.jdbc2.AbstractJdbc2Statement$BatchResultHandler.handleError(AbstractJdbc2Statement.java:2537)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1328)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:351)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeBatch(AbstractJdbc2Statement.java:2674)
at org.hibernate.jdbc.BatchingBatcher.doExecuteBatch(BatchingBatcher.java:48)
at org.hibernate.jdbc.AbstractBatcher.executeBatch(AbstractBatcher.java:246)
... 63 more
My database is deleted and created on each tomcat startup.
If you look at the SQL request, the mail attribute is not my mail but my uid.
Ask me if you want more information.
Updated by Sebastien Bahloul 138 days ago
- Status changed from Feedback to Assigned
- Assigned to changed from Sebastien Bahloul to Sébastien Levesque
Hi Guillaume,
We are probably going to revert because we already have support for such a requirement through the following settings:
ldap.auth.attribute=uid
ldap.auth.key=mail={0}
Can you try this with 0.7.2?
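To make the uid/mail lookup discussed in this thread and the IP restriction mentioned for the PreAuthenticationHeader class concrete, here is an added Python sketch (not LinShare code): the pre-authenticated header is trusted only from the fronting Apache proxy's address, the CAS principal is substituted into an ldap.auth.key style template with RFC 4515 escaping, and the ldap.auth.attribute value of the single matching entry becomes the local login. The directory entries, the REMOTE_USER header name, the trusted-proxy list and the meaning given to the two settings are assumptions, not the project's own semantics.

```python
import ipaddress
import re

# Constructed sample directory entries (not real users).
DIRECTORY = [
    {"uid": "guillaume.stevens", "mail": "guillaume.stevens@example.org"},
    {"uid": "jdoe", "mail": "jdoe@example.org"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: the principal becomes a literal, never filter syntax."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_search_filter(key_template, principal):
    """Assumed ldap.auth.key semantics: 'mail={0}' or 'uid={0}', {0} = principal."""
    return "(" + key_template.replace("{0}", escape_filter_value(principal)) + ")"


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, search_filter):
    """Tiny evaluator for one equality filter '(attr=value)' over DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", search_filter)
    if m is None:
        raise ValueError("unsupported filter: " + search_filter)
    attr, wanted = m.group(1), _unescape(m.group(2))
    return [e for e in directory if e.get(attr) == wanted]


def preauth_principal(remote_addr, headers, trusted_proxies, header="REMOTE_USER"):
    """Accept the pre-authenticated header only when the request comes from a trusted proxy."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in ipaddress.ip_network(n) for n in trusted_proxies):
        return None
    return headers.get(header)


def resolve_local_key(settings, remote_addr, headers, trusted_proxies, directory=DIRECTORY):
    """Return the value to use as local login, or None if the request is refused."""
    principal = preauth_principal(remote_addr, headers, trusted_proxies)
    if principal is None:
        return None
    hits = search(directory, build_search_filter(settings["ldap.auth.key"], principal))
    if len(hits) != 1:  # no match or ambiguous match: refuse rather than guess
        return None
    # Assumed ldap.auth.attribute semantics: which attribute of the hit is the local key.
    return hits[0].get(settings["ldap.auth.attribute"])
```

With the key 'mail={0}' and a uid-style principal the search finds nothing and the login is refused, which is the situation the thread describes; with 'uid={0}' the entry is found and its mail attribute is returned.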
Updated by Guillaume Stevens 137 days ago
Hi,
With these settings, I've got a loop between linShare and CAS. There is nothing significant in my logs.
Updated by Stéfanie Duprey 46 days ago
- Status changed from Assigned to Closed
- % Done changed from 80 to 100