[cas-user] 3.4.9 upgrade possibly not compatible with 3.4.8 BindLdapAuthenticationHandler config


William G. Thompson, Jr.

Aug 8, 2011, 8:36:32 PM
to cas-...@lists.jasig.org
Folks,

I've been working on CAS 3.4.8 Maven Overlay build for a few weeks
with a BindLdapAuthenticationHandler configured in
deployerConfigContext.xml and working well against AD. I'd like to
move to 3.4.9 as I'm running into the Inspektr issue that was
resolved and also looking at taking advantage of the new potentially
pooled searchContext.

Anyhow...I rev'd the pom to 3.4.9, mvn package, and made no other
changes. Now I'm getting the following error:

The Spring ContextLoaderListener we wrap threw on contextInitialized.
But for our having caught this error, the web application context
would not have initialized.>
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'centralAuthenticationService' defined in
ServletContext resource
[/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve
reference to bean 'authenticationManager' while setting bean property
'authenticationManager'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'authenticationManager' defined in
ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot
create inner bean
'org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler#df1cbf6' of
type [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] while
setting bean property 'authenticationHandlers' with key [1]; nested
exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name
'org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler#df1cbf6'
defined in ServletContext resource
[/WEB-INF/deployerConfigContext.xml]: Initialization of bean failed;
nested exception is
org.springframework.beans.factory.BeanInitializationException: Bean
state is invalid: ldapTemplate - may not be null
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)

It looks like the ldapTemplate ought to be created by
AbstractLdapUsernamePasswordAuthenticationHandler in
afterPropertiesSet(), so I'm not sure why I'm getting this
BeanInitializationException: Bean state is invalid: ldapTemplate - may
not be null.

deployerConfigContext.xml looks like this:
in AuthN Handlers:

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="contextSource" ref="contextSource" />
        <property name="searchBase" value="${ldap.searchBase}" />
        <property name="filter" value="sAMAccountName=%u" />
        <property name="ignorePartialResultException" value="yes" />
    </bean>

    <!-- LdapContextSource used by BindLdapAuthenticationHandler for
         primary authentication -->
    <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">

        <!-- pooled should always be set to false for contexts used
             for authentication. -->
        <property name="pooled" value="false"/>
        <property name="urls">
            <!-- Authenticate requests should be over SSL to protect
                 the users credentials. -->
            <list>
                <value>${ldap.url.1}</value>
                <value>${ldap.url.2}</value>
            </list>
        </property>
        <property name="userDn" value="${ldap.cas.dn}"/>
        <property name="password" value="${ldap.cas.password}"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="java.naming.security.authentication"
                       value="simple" />
                <!--
                    Consider ldap timeout settings for speeding up ldap
                    client failover if you have multiple LDAP directories.
                    Set the LDAP connect and read timeout (in ms) for
                    the java ldap class.
                    See http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html
                    <entry key="com.sun.jndi.ldap.connect.timeout" value="2000" />
                    <entry key="com.sun.jndi.ldap.read.timeout" value="2000" />
                -->
            </map>
        </property>
    </bean>

Did the LDAP config change in any way for 3.4.9? Any clues?

Thanks,
Bill

--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

William G. Thompson, Jr.

Aug 8, 2011, 9:18:06 PM
to cas-...@lists.jasig.org
Looks like a new searchContext property needs to be set on
BindLdapAuthenticationHandler if you're using that and want to upgrade
to 3.4.9. I realize I'm a little ahead of the release announcement,
so perhaps a note about this was going to be included there. In any
case this config seems to be working:

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="contextSource" ref="contextSource" />
        <property name="searchContextSource" ref="contextSource" />
        <property name="searchBase" value="${ldap.searchBase}" />
        <property name="filter" value="sAMAccountName=%u" />
        <property name="ignorePartialResultException" value="yes" />
    </bean>

Best,
Bill
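
Added example, not part of the original thread or the CAS project: a pre-upgrade check that scans a deployerConfigContext.xml for BindLdapAuthenticationHandler beans lacking the searchContextSource property described above, and for a bind contextSource that is not explicitly pooled=false. It assumes properties are declared as <property> elements (not p: attributes); the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
HANDLER = "org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
CONTEXT_SOURCE = "org.springframework.ldap.core.support.LdapContextSource"

# Constructed sample modelled on the 3.4.8-style config quoted in the thread.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="contextSource" ref="contextSource" />
          <property name="filter" value="sAMAccountName=%u" />
        </bean>
      </list>
    </property>
  </bean>
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true" />
  </bean>
</beans>"""


def props(bean):
    """Map property name -> <property> element for the bean's direct properties."""
    return {p.get("name"): p for p in bean.findall("b:property", NS)}


def check_config(xml_text):
    """Return a list of findings for BindLdapAuthenticationHandler beans."""
    root = ET.fromstring(xml_text)
    beans = list(root.iter("{%s}bean" % NS["b"]))  # includes inner beans
    by_id = {b.get("id"): b for b in beans if b.get("id")}
    findings = []
    for bean in beans:
        if bean.get("class") != HANDLER:
            continue
        p = props(bean)
        if "searchContextSource" not in p:
            findings.append("handler is missing searchContextSource")
        # Per the config comment: contexts used for authentication must not be pooled.
        ref = p["contextSource"].get("ref") if "contextSource" in p else None
        target = by_id.get(ref)
        if target is not None and target.get("class") == CONTEXT_SOURCE:
            pooled = props(target).get("pooled")
            if pooled is None or pooled.get("value", "").lower() != "false":
                findings.append("bind contextSource '%s' is not pooled=false" % ref)
    return findings
```
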

Marvin Addison

Aug 9, 2011, 8:37:49 AM
to cas-...@lists.jasig.org
> Looks like a new searchContext property needs to be set on
> BindLdapAuthenticationHandler if you're using that and want to upgrade
> to 3.4.9.

This is an outcome of https://issues.jasig.org/browse/CAS-987. I'll
update docs today.

M

Scott Battaglia

Aug 9, 2011, 8:41:14 AM
to cas-...@lists.jasig.org
We'll hold off the announcement until the documentation is in place.



Marvin Addison

Aug 9, 2011, 10:06:35 AM
to cas-...@lists.jasig.org
LDAP documentation changes completed. I took the opportunity to
rework the content fairly heavily with some much needed discussion of
LDAP connection pooling. Please review and provide feedback,
https://wiki.jasig.org/display/CASUM/LDAP.

M


Scott Battaglia

Aug 9, 2011, 10:15:25 PM
to cas-...@lists.jasig.org
Bill, see my comment on your ticket.  Can you please confirm that changing the order in which afterPropertiesSet is evaluated fixes the problem.

Thanks
Scott


William G. Thompson, Jr.

Aug 10, 2011, 12:15:25 AM
to cas-...@lists.jasig.org
On Tue, Aug 9, 2011 at 10:15 PM, Scott Battaglia
<scott.b...@gmail.com> wrote:
> Bill, see my comment on your ticket.  Can you please confirm that changing
> the order in which afterPropertiesSet is evaluated fixes the problem.

Well, it definitely made the error in the logs go away. Do you expect
this to be safe to do context-wide?

Bill


Scott Battaglia

Aug 10, 2011, 7:08:30 AM
to cas-...@lists.jasig.org

Yes. My expectation was that was how it actually worked. It doesn't make much sense to me the other way :-)
