From: Garey M. <gm...@li...> - 2012-08-30 16:19:42
Christian -

One of my clients will be using proxy tickets. It is using the Java CAS filters for webapps from JASIG, and we plan to simply append the proxy ticket that we get when authorizing to the Geoserver URLs, so I would guess that it will reuse the proxy tickets. What would be the scenario(s) in which Geoserver would generate a 401 and how would we handle it?

My other client will be a simple web browser using OpenLayers. So I think that the answer to 2 is that we want to cover the standard case. What will that entail?

As for my configuration, could I ask what the 'Service' field is for and what Geoserver expects as data for that field? Also, would you explain what the 'Role Source' field is used for?

Thanks;

Garey

On 8/30/2012 2:01 AM, chr...@nv... wrote:
> Hi Garey
>
> The configuration looks ok. My suspicion is the following. A URL like http://localhost/geoserver is redirected to http://localhost/geoserver/web and the request misses the authentication filter. I will investigate on the weekend.
>
> Some facts I have to know about your scenario.
>
> 1) Do your clients reuse proxy granting tickets or do they send a new ticket for each request? In the first case, the tickets are cached by geoserver and the client has to be prepared for an HTTP 401 response (unauthorized). In the second case, each request causes an HTTP request to the CAS server.
>
> 2) Do your clients resend standard granting tickets? This is not the standard case, normally the CAS protocol works with HTTP redirects and the client code does not see the ticket. I assume for Openlayers, the browser does this job for you. If you want to cover the standard case, GeoServer has to create an HTTP session. Is this what you want?
>
> Thanks
> Christian.
>
> Quoting Garey Mills <gm...@li...>:
>
>> Christian -
>>
>> I am trying to fill in the fields to configure CAS in Geoserver. When I save the configuration and move CAS up to the top in the filter list, I am not seeing any authentication behavior when I, for example, preview layers.
>>
>> Here are the values I am entering
>>
>> for 'CAS server URL including context root' --> https://{our cas server}/cas
>>
>> for 'Service' --> I put in https://{our geoserver server, with https port and geoserver context root}. Should this have a WMS or WFS service name?
>>
>> for 'Proxy callback URL' --> https://{our geoserver server, with https port and geoserver context root}. Is this right?
>>
>> All of the above 'test' okay, but I'm not sure what that means.
>>
>> for 'Role source' --> I chose 'Role service' and 'default' but I am not sure about this either.
>>
>> Am I doing this right?
>>
>> Garey Mills
>>
>> On 8/29/2012 2:00 AM, chr...@nv... wrote:
>>> Hi Garey
>>>
>>> This should work out of the box since the code uses the CAS 2.0 URI
>>>
>>> proxyValidate
>>>
>>> According to the spec, this URI does the same as serviceValidate and validates proxy tickets additionally.
>>>
>>> I think there is no need to change your configuration. Please try and inform me about the result.
>>>
>>> Christian
>>>
>>> Quoting Garey Mills <gm...@li...>:
>>>
>>>> Christian -
>>>>
>>>> I have another question. I am setting up a Geoserver to use CAS proxy tickets. But I also want to access the same layers in a protected manner from OpenLayers. As far as I can see, that would require regular CAS tickets. Can I use CAS proxy tickets and regular CAS tickets to access content in the same Geoserver?
>>>>
>>>> Garey
>>>>
>>>> On 6/26/2012 2:27 AM, chr...@nv... wrote:
>>>>> Hi Garey
>>>>>
>>>>> I think we should stay on the user mailing list, this could be of interest for other users too.
>>>>>
>>>>> Regular CAS tickets make sense if you want to authenticate to the GeoServer GUI. The core code is already finished but you cannot configure this scenario on the GUI. At the moment I have to wait until 2.2.0 is released.
>>>>>
>>>>> CAS is the first Single Sign-On / Single Log-Out mechanism introduced to GeoServer. I want to have an additional look at OpenID and OAuth to find the best solution for GUI integration.
>>>>>
>>>>> To answer your question, yes, there will be support for regular CAS tickets, but I cannot tell you a point in time at this moment.
>>>>>
>>>>> Christian
>>>>>
>>>>> Quoting gm...@li...:
>>>>>
>>>>>> Thank you Christian.
>>>>>>
>>>>>> I do have another question. Will Geoserver be able to handle regular CAS tickets, and not just proxy tickets?
>>>>>>
>>>>>> Garey
>>>>>>
>>>>>>> Hi Garey
>>>>>>>
>>>>>>> Yes, the changes are in trunk. I think the 2.2.0 RC-1 will appear during next week, the team is currently working on it.
>>>>>>>
>>>>>>> Since the security subsystem is brand new for 2.2.x, I am still working on the documentation. There will be a tutorial on how to configure digest authentication, CAS proxy auth is pretty much the same.
>>>>>>>
>>>>>>> Christian
>>>>>>>
>>>>>>> Quoting Garey Mills <gm...@li...>:
>>>>>>>
>>>>>>>> Christian -
>>>>>>>>
>>>>>>>> And I guess that I should also ask: are these changes in trunk?
>>>>>>>>
>>>>>>>> Garey
>>>>>>>>
>>>>>>>> On 6/22/2012 12:52 AM, chr...@nv... wrote:
>>>>>>>>> Hi Garey
>>>>>>>>>
>>>>>>>>> There will be a Geoserver version 2.2.0-RC1 soon. I do not know about your CAS architecture, but if you can manage to send CAS proxy tickets to Geoserver OGC services, this will work.
>>>>>>>>>
>>>>>>>>> If you want to log in to the Geoserver GUI using CAS, work is still in progress. The authentication filter is there but GUI integration is still missing.
>>>>>>>>>
>>>>>>>>> Which kind of CAS tickets do you use?
>>>>>>>>>
>>>>>>>>> Quoting garey <gm...@li...>:
>>>>>>>>>
>>>>>>>>>> Christian -
>>>>>>>>>>
>>>>>>>>>> Did you get any further with integrating CAS and Geoserver?
>>>>>>>>>>
>>>>>>>>>> Garey Mills
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> View this message in context: http://osgeo-org.1560.n6.nabble.com/Using-CAS-an-option-with-Geoserver-tp3790236p4983114.html

--
Garey Mills
Library Systems Office
UC Berkeley
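
Added example, not part of the thread and not GeoServer's code: the thread notes that the CAS 2.0 `proxyValidate` URI validates regular and proxy tickets alike, so this Python parser shows how a service tells the two apart in the validation reply (a proxy ticket carries a `cas:proxies` chain) and, going beyond the thread, rejects any chain containing a proxy that is not on an allow-list. The function name, the `allowed_proxies` parameter, the user `alice`, the hostnames and the sample replies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://www.yale.edu/tp/cas"  # CAS 2.0 response namespace
Q = {"cas": NS}

class CasValidationError(Exception):
    """Ticket rejected, reply malformed, or proxy chain not trusted."""

def parse_validation_response(xml_text, allowed_proxies=frozenset()):
    """Return (user, proxies) from a CAS 2.0 serviceValidate/proxyValidate reply.

    proxies is empty for a regular service ticket; for a proxy ticket it lists
    the proxy callback URLs, and every one must be in allowed_proxies
    (hypothetical parameter, an assumption of this example).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"unparseable response: {exc}") from exc
    if root.tag != f"{{{NS}}}serviceResponse":
        raise CasValidationError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", Q)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code', 'UNKNOWN')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", Q)
    if success is None:
        raise CasValidationError("neither success nor failure element present")
    user = (success.findtext("cas:user", default="", namespaces=Q) or "").strip()
    if not user:
        raise CasValidationError("no authenticated user in response")
    proxies = tuple((p.text or "").strip() for p in success.findall("cas:proxies/cas:proxy", Q))
    for proxy in proxies:
        if proxy not in allowed_proxies:
            raise CasValidationError(f"untrusted proxy in chain: {proxy}")
    return user, proxies

def _reply(body):  # wraps a constructed body in the serviceResponse envelope
    return f'<cas:serviceResponse xmlns:cas="{NS}">{body}</cas:serviceResponse>'

# Constructed sample replies (hostname, user and ticket id are made up).
REGULAR_OK = _reply("<cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>")
PROXY_OK = _reply(
    "<cas:authenticationSuccess><cas:user>alice</cas:user>"
    "<cas:proxies><cas:proxy>https://webapp.example.org/cas/pgtCallback</cas:proxy></cas:proxies>"
    "</cas:authenticationSuccess>")
REJECTED = _reply('<cas:authenticationFailure code="INVALID_TICKET">'
                  "Ticket PT-constructed-1 not recognized</cas:authenticationFailure>")

if __name__ == "__main__":
    trusted = {"https://webapp.example.org/cas/pgtCallback"}
    print(parse_validation_response(REGULAR_OK))
    print(parse_validation_response(PROXY_OK, trusted))
```

With the default empty allow-list the parser accepts only regular service tickets, so a proxy ticket is admitted only when its proxy callback URL has been listed explicitly.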