[daisy] CAS as an authentication scheme in daisy
Frank Taffelt
frank.taffelt at interface-business.de
Mon Oct 8 05:20:25 CDT 2007
Hello,

I started to integrate CAS http://www.ja-sig.org/products/cas/ as an
authentication scheme into daisy.

CAS provides an infrastructure for authenticating users and helps to
provide SingleSignOn for applications (mostly web applications). For a
multilayered application like daisy with the daisywiki and the
daisyrepository, CAS provides a solution where a proxying application
(daisywiki) acquires a proxyticket and this proxyticket is handed to the
proxied application (daisyrepository) for the real login process. So I
created the needed components to implement this scenario and act as a
daisy authentication scheme.

In the daisywiki I'm using a CocoonAction which retrieves the
proxyticket and uses it as the password:

    if (currentUser.equals("guest")) {
        ...
        WikiHelper.login(user, proxyTicket, request, serviceManager);
        ...
    }

It's important to know that this proxyticket can only be used once (it's
a ONE TIME TICKET for security reasons) for authentication.

In general it works. But sometimes I see exceptions like the following:

Stacktrace:

    org.outerj.daisy.repository.clientimpl.infrastructure.DaisyHttpClient.handleNotOkResponse(DaisyHttpClient.java:155)
    org.outerj.daisy.repository.clientimpl.infrastructure.DaisyHttpClient.executeMethod(DaisyHttpClient.java:83)
    org.outerj.daisy.repository.clientimpl.acl.RemoteAclStrategy.filterDocuments(RemoteAclStrategy.java:146)
    org.outerj.daisy.repository.commonimpl.acl.CommonAccessManager.filterDocuments(CommonAccessManager.java:80)
    org.outerj.daisy.repository.commonimpl.acl.AccessManagerImpl.filterDocuments(AccessManagerImpl.java:94)
    org.outerj.daisy.frontend.IndexPageApple.processInternal(IndexPageApple.java:60)
    org.outerj.daisy.frontend.util.AbstractDaisyApple.process(AbstractDaisyApple.java:58)

I tracked the code down to the following:
org.outerj.daisy.repository.clientimpl.infrastructure.AbstractRemoteStrategy
which does something like this in getClient:

    UsernamePasswordCredentials credentials =
        new UsernamePasswordCredentials(
            login + "@" + getActiveRoleString(user.getActiveRoleIds()),
            user.getPassword());

This means that in some cases new credentials are created and the password,
which in my case is an INVALID proxyticket, is reused?

If I'm on the right track, is there some way to avoid this?

Thanks,
Frank
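
The failure mode described in the message above, as an added example that is not part of the original post and is not Daisy or CAS code: a single-use ticket stored as the password fails as soon as a second request re-sends it, while redeeming it once for a repository-side session token does not. All class and method names and the ticket values are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every name here is hypothetical, not Daisy or CAS API.
public class OneTimeTicketDemo {
    // Stand-in for the proxied application: a ticket validates once, then is consumed.
    static class Repository {
        private final Set<String> unusedTickets = ConcurrentHashMap.newKeySet();
        private final Map<String, String> sessions = new ConcurrentHashMap<>();

        void issue(String ticket) { unusedTickets.add(ticket); }

        // Set.remove returns true only for the first caller, so a replay is rejected.
        boolean validateTicket(String ticket) { return unusedTickets.remove(ticket); }

        // Pattern A: every request carries the ticket as its "password".
        boolean requestWithPassword(String user, String ticketAsPassword) {
            return validateTicket(ticketAsPassword);
        }

        // Pattern B: the ticket is redeemed once for a repository-side session token.
        String login(String user, String ticket) {
            if (!validateTicket(ticket)) return null;
            String token = UUID.randomUUID().toString();
            sessions.put(token, user);
            return token;
        }

        boolean requestWithSession(String token) {
            return token != null && sessions.containsKey(token);
        }
    }

    public static void main(String[] args) {
        Repository repo = new Repository();

        repo.issue("PT-constructed-1"); // constructed sample ticket value
        System.out.println("A, request 1: " + repo.requestWithPassword("frank", "PT-constructed-1"));
        System.out.println("A, request 2: " + repo.requestWithPassword("frank", "PT-constructed-1"));

        repo.issue("PT-constructed-2"); // constructed sample ticket value
        String token = repo.login("frank", "PT-constructed-2");
        System.out.println("B, request 1: " + repo.requestWithSession(token));
        System.out.println("B, request 2: " + repo.requestWithSession(token));
        System.out.println("B, ticket replay accepted: " + (repo.login("frank", "PT-constructed-2") != null));
    }
}
```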