
[11:22:12 CDT(-0500)] <foxnesn> hey atilling

[11:27:21 CDT(-0500)] <foxnesn> i got one of the cas clients to work with checkall in my webflow

[11:27:24 CDT(-0500)] <foxnesn> so making progress

[11:37:19 CDT(-0500)] <atilling> very nice

[12:35:32 CDT(-0500)] <codehotter> hi. Can I use mod_cas and only allow access if the user is a member of an LDAP group?

[12:36:08 CDT(-0500)] <serac> First, you want to use mod_auth_cas. mod_cas is deprecated. (and I believe has security issues)

[12:36:43 CDT(-0500)] <codehotter> ok

[12:37:35 CDT(-0500)] <codehotter> duly noted

[12:37:35 CDT(-0500)] <serac> I have a patch for that functionality.

[12:37:57 CDT(-0500)] <serac> We use it here at Virginia Tech, but it's not officially supported. There may be a Jira issue for it. One sec.

[12:38:40 CDT(-0500)] <serac> Actually, I'm conflating matters.

[12:38:58 CDT(-0500)] <serac> You can mix/match Apache directives to do what you want.

[12:39:09 CDT(-0500)] <serac> Use m-a-c for authentication, then mod_authnz_ldap for authorization.

[12:39:41 CDT(-0500)] <serac> Alternatively....

[12:40:10 CDT(-0500)] <serac> you could leverage the attribute release feature of CAS to send back attributes that it looks up about a user from LDAP and use that to authorize the user via m-a-c.

[12:40:30 CDT(-0500)] <serac> https://issues.jasig.org/browse/MAS-60 is the issue for that approach on the Apache side.

[12:42:34 CDT(-0500)] <codehotter> serac: Alright. Answers my question perfectly.

[12:43:00 CDT(-0500)] <serac> Good deal. I know Apache configuration just to be dangerous, but hopefully it's enough in this case to point you in the right direction.

[12:43:41 CDT(-0500)] <atilling> Seeing as you're quick on that one, do you know mod_jk well?

[12:44:17 CDT(-0500)] <serac> Probably even more dangerous there.

[12:44:32 CDT(-0500)] <serac> The first question I ask when mod_jk comes up is why the hell do you have Apache in the mix?

[12:44:56 CDT(-0500)] <serac> Which is a pretty poor answer, I know.

[12:45:20 CDT(-0500)] <atilling> lol, have a folder, served by Tomcat, through apache and mod_jk and I need security on that folder

[12:46:00 CDT(-0500)] <atilling> but not all the folders/pages served by that war

[12:46:14 CDT(-0500)] <serac> Fair enough.

[12:47:17 CDT(-0500)] <atilling> I tried defining normal apache security to the folder and it seems it's being served by tomcat before apache checks the security context

[12:48:42 CDT(-0500)] <atilling> from what I see on tomcat it's an all or nothing approach on an app by app basis

[12:49:04 CDT(-0500)] <atilling> basically the app needs to be public and its admin secure

[12:50:21 CDT(-0500)] <serac> I'd be surprised if the apache request pipeline put mod_jk before security constraints.

[12:50:28 CDT(-0500)] <serac> But I've been surprised before.

[12:53:01 CDT(-0500)] <atilling> surprised me as well, thought I was all slick and that apache would come to my security rescue but no dice

[12:57:46 CDT(-0500)] <serac> Cite the part of httpd.conf that's for mod_jk.

[13:17:27 CDT(-0500)] <atilling> http://www.pastie.org/2794661

[13:24:36 CDT(-0500)] <serac> Let's see the uriworkermap.properties file. The URI mappings are the interesting part.

[13:47:48 CDT(-0500)] <foxnesn> [INFO] WEB-INF/web.xml already added, skipping

[13:47:53 CDT(-0500)] <foxnesn> what does that mean?

[13:47:56 CDT(-0500)] <foxnesn> added to what?

[13:48:10 CDT(-0500)] <foxnesn> i made a change in the web.xml file and the build says that

[13:48:11 CDT(-0500)] <serac> That in the cas log file?

[13:48:21 CDT(-0500)] <foxnesn> just in the build output

[13:48:29 CDT(-0500)] <foxnesn> after mvn clean package
