[casshib] request.getRemoteUser() returns null in CASSHIB


Gokula Krishnan P

Apr 19, 2010, 2:59:47 AM
to cas...@googlegroups.com

Hi Team,

I am trying to convert a J2EE web application (myapp) into a federated service using Shibboleth SP, CASSHIB and Shibboleth IDP.

Problem

I am facing an issue integrating CASSHIB with Shibboleth SP. CASSHIB is unable to find the remote user, but all configured attributes are received in CASSHIB as well as in myapp (sample application).

request.getRemoteUser() returns null but request.getHeader("REMOTE_USER") returns the value as expected.

Setup

SP, CasShib and myapp (secured application) are running in JBoss/CentOS.

IDP is deployed in JBoss/Windows Vista. IDP uses the Username/password login handler for authentication. The authentication is against an Oracle DB using the login module DatabaseServerLoginModule, which is configured in JBoss's login-config.xml.


Login Flow

1. I try to access the secure URL https://mydomain.com/myapp/app1/

2. SP redirects to IDP https://idp-domain.com:8443/idp/profile/SAML2/Redirect/SSO?SAMLRequest=F97BUNELvO7b%0A5z3naYeY....&RelayState=cookie%3A93603178

3. IDP redirects to the IDP login page https://idp-domain.com.com:8443/idp/Authn/UserPassword

4. On successful authentication IDP does a SAML POST to https://mydomain.com/Shibboleth.sso/SAML2/POST

5. SP redirects to my secure application URL https://mydomain.com/myapp/app1/

6. Acegi redirects back to CASSHIB https://mydomain.com/casshib/shib/app1/login?service=https://mydomain.com/myapp/app1/

7. CASSHIB throws the message "Authentication Error: The system wasn't able to properly detect your authentication credentials. This could be a problem with the configuration of the system. Please contact your administrator." Please find the logs below as well.


Logs:

[edu.ucmerced.cas.web.flow.CasShibInitialFlowSetupAction] - Action 'CasShibInitialFlowSetupAction' beginning execution
[edu.ucmerced.cas.authentication.principal.CasShibWebApplicationServiceImpl] - application name or passcode = app1
[edu.ucmerced.cas.web.support.CasShibRegistrationProtectedArgumentExtractor] - Extractor generated service for: https://mydomain.com:8443/myapp/app1/
[edu.ucmerced.cas.web.flow.CasShibInitialFlowSetupAction] - Placing service in FlowScope: https://mydomain.com:8443/myapp/app1/
[edu.ucmerced.cas.web.flow.CasShibInitialFlowSetupAction] - Action 'CasShibInitialFlowSetupAction' completed execution; result is 'success'
[edu.ucmerced.cas.adaptors.casshib.web.flow.PrincipalFromHttpHeadersNonInteractiveCredentialsAction] - Action 'PrincipalFromHttpHeadersNonInteractiveCredentialsAction' beginning execution
[edu.ucmerced.cas.adaptors.casshib.web.flow.PrincipalFromHttpHeadersNonInteractiveCredentialsAction] - Remote User not found in HttpServletRequest.
[edu.ucmerced.cas.adaptors.casshib.web.flow.PrincipalFromHttpHeadersNonInteractiveCredentialsAction] - Action 'PrincipalFromHttpHeadersNonInteractiveCredentialsAction' completed execution; result is 'error'
[org.quartz.core.JobRunShell] - Calling execute on job DEFAULT.serviceRegistryReloaderJobDetail
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service https://mydomain.com:8443/myapp/app1/
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.


Thanks & Regards,
Gokula


--
You received this message because you are subscribed to the Google Groups "casshib" group.
To post to this group, send email to cas...@googlegroups.com.
To unsubscribe from this group, send email to casshib+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/casshib?hl=en.

bkoehm

Apr 19, 2010, 11:55:17 AM
to casshib
Gokula, it sounds like CASShib isn't getting the credentials from
Shibboleth, which should be in the HTTP headers. Check your
Shibboleth SP logs and IDP logs to make sure that Shibboleth is
properly completing authentication. I don't know if you're using the
Shibboleth Apache module or not, but the Apache module is what is
normally used to inject the HTTP headers.

Here are the code comments from
PrincipalFromHttpHeadersNonInteractiveCredentialsAction.java:

 * Modified from original to pull attributes from Shibboleth headers and to
 * add them to the principal. These headers are injected by the Shibboleth
 * service provider module (typically an Apache or IIS module) that proxies
 * requests to the CAS server.
 *
 * <p/>
 *
 * In order for this class to identify which headers are Shibboleth
 * attributes and which aren't, it is necessary to employ a header naming
 * convention. Any header name that starts with a prefix string (typically
 * 'shibattr-') will be recognized as an attribute to be embedded in the
 * Principal. You configure the header names in the shibboleth2.xml file in
 * the Shibboleth service provider configuration directory (note that the
 * default Shibboleth SP configuration doesn't prepend the header names with
 * a prefix -- you must change the default names).

On Apr 18, 11:59 pm, Gokula Krishnan P <Gokula_Krish...@infosys.com>
wrote:
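The symptom in this thread (REMOTE_USER present as a header, request.getRemoteUser() null) is what you get when the SP module's headers cross the proxy hop but the servlet container never turns them into a principal. The filter below is an added example, written for this page; it is not CASShib or Shibboleth code. It shows the two things a practitioner would want at this point: a request wrapper that makes getRemoteUser() and getUserPrincipal() answer from the REMOTE_USER header and collects the 'shibattr-*' headers described in the comment above, and the trust check that has to accompany any header-based identity. The class name, the init-param 'trustedProxy', the request attribute key 'shib.attributes' and the assumption that the mod_shib Apache proxies to the container over loopback are all assumptions, not part of the original post.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet filter (not CASShib or Shibboleth code). It presents the
 * REMOTE_USER header set by the Shibboleth SP module as the container principal
 * and gathers the "shibattr-*" headers into one request attribute.
 *
 * Identity headers are only trustworthy when every request reaches the servlet
 * container through the SP-protected Apache front end: anyone who can open a
 * direct connection to the container can send a REMOTE_USER header of their
 * own choosing. Requests from any other source address are therefore refused.
 */
public class ShibHeaderPrincipalFilter implements Filter {

    // Assumed names: REMOTE_USER as the SP exports it, prefix as in the quoted comment.
    static final String REMOTE_USER_HEADER = "REMOTE_USER";
    static final String ATTR_PREFIX = "shibattr-";
    public static final String ATTRIBUTES_KEY = "shib.attributes";

    // Assumption: mod_shib's Apache proxies to the container over loopback; override via init-param.
    private String trustedProxy = "127.0.0.1";

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("trustedProxy");
        if (p != null && !p.isEmpty()) trustedProxy = p;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Refuse identity headers that did not arrive via the SP front end.
        if (!trustedProxy.equals(http.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "identity headers are accepted only from the Shibboleth front end");
            return;
        }

        String remoteUser = http.getHeader(REMOTE_USER_HEADER);
        if (remoteUser == null || remoteUser.trim().isEmpty()) {
            // No SP session on this request: leave it untouched so the app's own login flow runs.
            chain.doFilter(req, res);
            return;
        }

        http.setAttribute(ATTRIBUTES_KEY, Collections.unmodifiableMap(collectAttributes(http)));
        chain.doFilter(new PrincipalRequest(http, remoteUser.trim()), res);
    }

    /** Copies every "shibattr-*" header into a map keyed by the name minus the prefix. */
    static Map<String, String> collectAttributes(HttpServletRequest http) {
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        Enumeration<?> names = http.getHeaderNames();   // header names are case-insensitive
        while (names != null && names.hasMoreElements()) {
            String name = String.valueOf(names.nextElement());
            String lower = name.toLowerCase(Locale.ROOT);
            if (lower.startsWith(ATTR_PREFIX)) {
                attrs.put(lower.substring(ATTR_PREFIX.length()), http.getHeader(name));
            }
        }
        return attrs;
    }

    @Override
    public void destroy() { }

    /** Request wrapper that answers getRemoteUser()/getUserPrincipal() from the trusted header. */
    static final class PrincipalRequest extends HttpServletRequestWrapper {
        private final String user;

        PrincipalRequest(HttpServletRequest req, String user) {
            super(req);
            this.user = user;
        }

        @Override public String getRemoteUser() { return user; }
        @Override public String getAuthType() { return "SHIBBOLETH"; }
        @Override public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
    }
}
```

To use it, map the filter in the web.xml of the application that calls getRemoteUser() (in this thread that is casshib, not myapp) ahead of the CAS and Spring/Acegi filters, so that they see the wrapped request. Two caveats matter more than the code. First, if Apache fronts the container over AJP (mod_jk or mod_proxy_ajp), the container can do this translation itself: setting tomcatAuthentication="false" on the AJP connector makes Tomcat/JBoss accept the user Apache authenticated as the request principal, and no filter is needed; over mod_proxy_http only headers cross the hop, which is exactly the header-present, principal-null picture in the logs above. Second, the source-address check is only a backstop. The container's HTTP/AJP connectors should be bound to loopback or firewalled so that nothing but the SP-protected Apache can reach them, because any path that bypasses mod_shib turns REMOTE_USER and every shibattr-* header into an attacker-controlled identity. Multi-valued attributes arrive from Shibboleth SP 2.x joined into a single header value separated by semicolons, so split on ';' before treating an attribute as a list.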