Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

[11:22:12 CDT(-0500)] <foxnesn> hey atilling

[11:27:21 CDT(-0500)] <foxnesn> i got one of the cas clients to work with checkall in my webflow

[11:27:24 CDT(-0500)] <foxnesn> so making progress

[11:37:19 CDT(-0500)] <atilling> very nice

[12:35:32 CDT(-0500)] <codehotter> hi. Can I use mod_cas and only allow access if the user is a member of an LDAP group?

[12:36:08 CDT(-0500)] <serac> First, you want to use mod_auth_cas. mod_cas is deprecated. (and I believe has security issues)

[12:36:43 CDT(-0500)] <codehotter> ok

[12:37:35 CDT(-0500)] <codehotter> duly noted

[12:37:35 CDT(-0500)] <serac> I have a patch for that functionality.

[12:37:57 CDT(-0500)] <serac> We use it here at Virginia Tech, but it's not officially supported. There may be a Jira issue for it. One sec.

[12:38:40 CDT(-0500)] <serac> Actually, I'm conflating matters.

[12:38:58 CDT(-0500)] <serac> You can mix/match Apache directives to do what you want.

[12:39:09 CDT(-0500)] <serac> Use m-a-c for authentication, then mod_authnz_ldap for authorization.

[12:39:41 CDT(-0500)] <serac> Alternatively....

[12:40:10 CDT(-0500)] <serac> you could leverage the attribute release feature of CAS to send back attributes that it looks up about a user from LDAP and use that to authorize the user via m-a-c.

[12:40:30 CDT(-0500)] <serac> https://issues.jasig.org/browse/MAS-60 is the issue for that approach on the Apache side.

[12:42:34 CDT(-0500)] <codehotter> serac: Alright. Answers my question perfectly.

[12:43:00 CDT(-0500)] <serac> Good deal. I know Apache configuration just to be dangerous, but hopefully it's enough in this case to point you in the right direction.

[12:43:41 CDT(-0500)] <atilling> Seeing as your quick on that one, do you know mod_jk well?

[12:44:17 CDT(-0500)] <serac> Probably even more dangerous there.

[12:44:32 CDT(-0500)] <serac> The first question I ask when mod_jk comes up is why the hell do you have Apache in the mix?

[12:44:56 CDT(-0500)] <serac> Which is a pretty poor answer, I know.

[12:45:20 CDT(-0500)] <atilling> lol, have a folder, served by Tomcat, through apache and mod_jk and I need security on that folder

[12:46:00 CDT(-0500)] <atilling> but not all the folders/pages served by that war

[12:46:14 CDT(-0500)] <serac> Fair enough.

[12:47:17 CDT(-0500)] <atilling> I tried defining normal apache security to the folder and it seems it's being served by tomcat before apache checks the security context

[12:48:42 CDT(-0500)] <atilling> from what I see on tomcat it's an all or nothing approach on an app by app basis

[12:49:04 CDT(-0500)] <atilling> basically the app needs to be public and it's admin secure

[12:50:21 CDT(-0500)] <serac> I'd be surprised if the apache request pipeline put mod_jk before security constraints.

[12:50:28 CDT(-0500)] <serac> But I've been surprised before.

[12:53:01 CDT(-0500)] <atilling> surprised me as well, thought I was all slick and that apache would come to my security reascue but no dice

[12:57:46 CDT(-0500)] <serac> Cite the part of httpd.conf that's for mod_jk.

[13:17:27 CDT(-0500)] <atilling> http://www.pastie.org/2794661

[13:24:36 CDT(-0500)] <serac> Let's see the uriworkermap.properties file. The URI mappings are the interesting part.

[13:47:48 CDT(-0500)] <foxnesn> [INFO] WEB-INF/web.xml already added, skipping

[13:47:53 CDT(-0500)] <foxnesn> what does that mean?

[13:47:56 CDT(-0500)] <foxnesn> added to what?

[13:48:10 CDT(-0500)] <foxnesn> i made a change in the web.xml file and the build says that

[13:48:11 CDT(-0500)] <serac> That in the cas log file?

[13:48:21 CDT(-0500)] <foxnesn> just in the build output

[13:48:29 CDT(-0500)] <foxnesn> after mvn clean package

[13:48:58 CDT(-0500)] <serac> I would imagine it means that you're overlaying a custom web.xml, so there's no need to copy the one that's in the cas-server-webapp dependency.

[13:49:18 CDT(-0500)] <foxnesn> ahh that makes sense

[13:49:37 CDT(-0500)] <foxnesn> always wondered what it was referring to

[13:49:54 CDT(-0500)] <atilling> http://www.pastie.org/2794838

[13:50:32 CDT(-0500)] <serac> What's an example path you want served by Apache?

[13:51:41 CDT(-0500)] <atilling> in this case I want apache security to protect index.cfm under the path /CFIDE

[13:52:24 CDT(-0500)] <serac> But you mapped /*.cfm to tomcat.

[13:53:47 CDT(-0500)] <atilling> that was the point having apache protect certain folders but have the app still mapped to tomcat

[13:54:14 CDT(-0500)] <serac> I'm thinking that mapping is too broad.

[13:54:42 CDT(-0500)] <atilling> we have hundreds of *.cfm files, we only want the ones under a particular folder to be secure

[13:55:08 CDT(-0500)] <serac> Understood.

[13:55:13 CDT(-0500)] <serac> You may need an exception.

[13:55:20 CDT(-0500)] <atilling> basically cfm is like jsp

[13:55:41 CDT(-0500)] <serac> I know cfm.

[13:55:42 CDT(-0500)] <atilling> all the jsp files needs to be handled by tomcat

[13:55:45 CDT(-0500)] <atilling> ok

[13:55:46 CDT(-0500)] <serac> Here's the docs:

[13:55:47 CDT(-0500)] <serac> Inside the URI pattern three special characters can be used, '', '?' and '|'. The character '' is a wildchar that matches any number of arbitrary characters in the URI

[13:55:57 CDT(-0500)] <serac> I read that as * matches / characters as well.

[13:56:08 CDT(-0500)] <atilling> right

[13:56:56 CDT(-0500)] <atilling> I can't set the /cfide folder to not be mapped to tomcat still need the CFM processed

[13:56:56 CDT(-0500)] <serac> So a file like /CFIDE/index.cfm would be covered by that mapping.

[13:57:12 CDT(-0500)] <serac> I see.

[13:57:52 CDT(-0500)] <serac> The behavior you're seeing indicates you can't do both.

[13:58:01 CDT(-0500)] <serac> I was thinking this was static content served by Apache.

[13:58:31 CDT(-0500)] <atilling> the /CFIDE folder contains the coldfusion server settings

  • No labels