Problem with DotNetCasClient getting additional attributes from CAS-Server response

I’m using a CAS-JASIG server with Active Directory for authentication, but I found a problem with DotNetCasClient-1.0.1: I was not able to retrieve the user attributes that CAS-Server sends in the XML response after a successful authentication.

I knew that my CAS-Server response was sending those attributes, because my PHP-CAS client applications read them without any problem. In fact, the response looks like this:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>janedoe</cas:user>
    <cas:attribute name="mail" value="janedoe@test.com" />
    <cas:attribute name="sn" value="Doe Doe" />
    <cas:attribute name="cn" value="Jane Doe" />
    <cas:attribute name="givenName" value="Jane" />
  </cas:authenticationSuccess>
</cas:serviceResponse>

NOTE: To send additional user attributes from CAS-Server to CAS clients, you need to modify your “deployerConfigContext.xml”. Let me know if you are having problems with the LDAP configuration.

How did I notice that DotNetCasClient was not retrieving those additional attributes? Well, from my own C# code, once the user was successfully authenticated against CAS-Server, I asked DotNetCasClient for those additional attributes:

CasPrincipal tmpUser = (CasPrincipal)System.Web.HttpContext.Current.User;
if (tmpUser.Assertion.Attributes != null && tmpUser.Assertion.Attributes.Count > 0)
{
    // NEVER MET THIS CONDITION BECAUSE "tmpUser.Assertion.Attributes" WAS ALWAYS NULL
}

How did I solve my problem? Well, after a lot of debugging I found out that it was not a configuration problem: the problem came from the DotNetCasClient code, because those attributes were never set. So I modified the “DotNetCasClient\Validation\TicketValidator\Cas20ServiceTicketValidator [Line 134] method ParseResponseFromServer” and added the following code:

if (authSuccessResponse.Proxies != null && authSuccessResponse.Proxies.Length > 0)
{
    // ... I didn't modify anything here! ...
}
else
{
    /* HERE STARTS MY CHANGE */
    IDictionary<string, IList<string>> attributes = new Dictionary<string, IList<string>>();
    try
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;  // do not resolve DTDs/external entities from the server's XML
        doc.LoadXml(response);
        XmlNamespaceManager namespaceManager = new XmlNamespaceManager(doc.NameTable);
        namespaceManager.AddNamespace("cas", "http://www.yale.edu/tp/cas");

        // "//cas:attribute" under authenticationSuccess matches the response shown above
        // (attributes directly under the element) as well as servers that wrap them in
        // <cas:attributes>; SelectNodes returns an empty list when there are none.
        XmlNodeList attri = doc.SelectNodes(
            "/cas:serviceResponse/cas:authenticationSuccess//cas:attribute", namespaceManager);

        foreach (XmlNode node in attri)
        {
            XmlElement z = (XmlElement)node;
            string name = z.GetAttribute("name");

            // A repeated name (e.g. memberOf) must not throw on Add: keep every value.
            IList<string> values;
            if (!attributes.TryGetValue(name, out values))
            {
                values = new List<string>();
                attributes.Add(name, values);
            }
            values.Add(z.GetAttribute("value"));
        }
        return new CasPrincipal(new Assertion(authSuccessResponse.User, attributes), proxyGrantingTicketIou);
    }
    catch (Exception e)
    {
        throw new TicketValidationException("CUSTOM CODE EXCEPTION[" + e.Message + "]: " + e.StackTrace);
    }
    /* HERE ENDS MY CHANGE */

    // I didn't touch anything from here either
    // ...
}

This is just a problem that I faced with DotNetCasClient in this very specific case. I don’t know if it is just me, but I wanted to share my solution (my way). Perhaps if you have a better one, please share 🙂
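A standalone parser for the serviceResponse shown at the top of this post, added here as an example and not code from DotNetCasClient or from this post: it keeps every value of a repeated attribute, accepts both the flat layout above and a <cas:attributes> wrapper, and treats an authenticationFailure response as an error rather than as "success with no attributes". The class and method names (CasResponseParser, Parse) and the sample response are my own constructions.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example (not DotNetCasClient code): parse a CAS 2.0 serviceResponse into the user name
// plus multi-valued attributes, using the <cas:attribute name= value=/> form shown in this post.
public static class CasResponseParser
{
    const string CasNs = "http://www.yale.edu/tp/cas";

    public static IDictionary<string, IList<string>> Parse(string xml, out string user)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;  // never resolve DTDs/external entities from server-supplied XML
        doc.LoadXml(xml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("cas", CasNs);
        // A failure response must not be mistaken for "success with no attributes".
        var failure = doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationFailure", ns) as XmlElement;
        if (failure != null)
            throw new InvalidOperationException("CAS " + failure.GetAttribute("code") + ": " + failure.InnerText.Trim());
        var success = doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationSuccess", ns);
        var userNode = success == null ? null : success.SelectSingleNode("cas:user", ns);
        if (userNode == null || userNode.InnerText.Trim().Length == 0)
            throw new InvalidOperationException("response has no cas:authenticationSuccess/cas:user");
        user = userNode.InnerText.Trim();
        var attrs = new Dictionary<string, IList<string>>();
        // ".//cas:attribute" matches both the flat layout above and a <cas:attributes> wrapper.
        foreach (XmlElement a in success.SelectNodes(".//cas:attribute", ns))
        {
            string name = a.GetAttribute("name");
            if (name.Length == 0) continue;
            IList<string> values;
            if (!attrs.TryGetValue(name, out values)) attrs[name] = values = new List<string>();
            values.Add(a.GetAttribute("value"));  // repeated names (e.g. memberOf) keep every value
        }
        return attrs;
    }

    public static void Main()
    {
        // Constructed sample: the response from this post plus a repeated memberOf attribute.
        const string sample = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            + "<cas:authenticationSuccess><cas:user>janedoe</cas:user>"
            + "<cas:attribute name='mail' value='janedoe@test.com' /><cas:attribute name='memberOf' value='staff' />"
            + "<cas:attribute name='memberOf' value='admins' /></cas:authenticationSuccess></cas:serviceResponse>";
        string user;
        var attrs = Parse(sample, out user);
        Console.WriteLine(user + " memberOf=" + string.Join(",", attrs["memberOf"]));
    }
}
```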

PART I: CAS-JASIG installation under Ubuntu 12.04 (without SSL)

I. TOMCAT INSTALLATION

1.- Open a terminal as root:

# sudo su

2.- Download Tomcat:

# cd /opt
# wget http://apache.mesi.com.ar/tomcat/tomcat-6/v6.0.36/bin/apache-tomcat-6.0.36.zip

3.- Unzip the tomcat file:

# unzip  apache-tomcat-6.0.36.zip

4.- Rename your TOMCAT installation:

# mv apache-tomcat-6.0.36 tomcat-server

5.- Assign permissions to “bin” folder content:

# cd tomcat-server/bin/
# chmod u+x *

6.- We also need to add a new user in order to be able to access the “Tomcat Manager”:

# cd ..
# gedit ./conf/tomcat-users.xml

And it should look like this:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="admin,manager"/>
</tomcat-users>

7.- Now you can start your TOMCAT server:

# sh /opt/tomcat-server/bin/catalina.sh start

II. CAS-JASIG INSTALLATION

1.- Download “CAS-Jasig” server:

# cd /opt/tomcat-server/webapps/
# wget http://downloads.jasig.org/cas/cas-server-3.5.2-release.zip

2.- Unzip the CAS-Jasig zip file:

# unzip cas-server-3.5.2-release.zip
# mv cas-server-3.5.2 cas-server-source

3.- Extract the .war file into your Tomcat webapps:

# cp cas-server-source/modules/cas-server-webapp-3.5.2.war .
# mv cas-server-webapp-3.5.2.war cas-server.war

4.- Restart the Tomcat server:

# sh /opt/tomcat-server/bin/catalina.sh stop
# sh /opt/tomcat-server/bin/catalina.sh start

5.- Finally you can access cas-server at: http://localhost:8080/cas-server/login

NOTE: By default you should be able to log in by using the same word for username and password (e.g. USERNAME: hello, PASSWORD: hello).

CentOS+PHPCAS: CURL error #77: Problem with the SSL CA cert (path? access rights?)

CentOS Version: 6.3
PHPCAS Client Version: 1.3.1

It took me at least 3 days to solve this error!!! So I need to share; it may help someone!!!

You should edit your phpCAS client code. Find the “CurlRequest.php” file in your phpCAS client:

# find | grep CurlRequest.php

I’m using CentOS, so I edit this file with:

# nano  /usr/share/pear/CAS/Request/CurlRequest.php

At this point you should find the “protected function sendRequest”. Add the following code before the curl_exec invocation:

// CA certificate (PEM) that cURL should trust when checking the CAS server's certificate
curl_setopt($ch, CURLOPT_CAINFO, "/etc/pki/tls/certs/apachekey.pem");
// Disables verification of the server certificate entirely; be careful with this line
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

It works for me! But I’m in a test environment; maybe you shouldn’t set “CURLOPT_SSL_VERIFYPEER” to false.

Good luck!!!