Vidyayug Soft Technologies Private Limited
6-3-597/A/1/A,
Venkatramana Colony, Khairatabad,
Hyderabad - 500004.
Date: 25th August 2010Document Type: CAS DocumentationAuthor:
Ravi Kumar Dhara & ChandrasekharVersionModified ByModified
DateComments
1.0Chandrasekhar and Ravi Kumar25-08-2010---
Contents
2CENTRAL AUTHENTICATION SERVICE (CAS) with Liferay
2Setting up CAS server
2Step 1: Downloadcas-web.war
2Step 2: Copycas-web.warfile intotomcat\webapps
2Step 3: Editserver.xml(tomcat/conf/server.xml)
3Step 4: Set up in properties files
3system-ext.properties
3portal-ext.properties
3Step 5: Password in Plain Text
3Step 6: Configure the SSL port no and certificate
information.
4Step 7: Database Configuration : CAS with lportal database
5Step 8: Enabling the Single Sign Out in
argumentExtractorsConfiguration.xml
5Step 9: Single Sign Out
5Step 10: ADD the necessary jar files on lib folder of CAS
Server
6Step 11: Configuring the CAS properties through GUI
6Step 12: Modify the following classes accordingly
7CASAutoLogin:
11CASFilter:
14Step 13: Add the new action path in struts-config.xml
CENTRAL AUTHENTICATION SERVICE (CAS) with Liferay
CAS is an authentication system that was originally created at
Yale University. It is a widely-used open source single sign-on
solution, and was the first SSO product to be supported by
Liferay.
The CAS Server application requires a properly configured Secure
Socket Layer certificate on your server in order to work.
If you wish to generate one yourself, you will need to use the
keytool utility that comes with the JDK. Your first step is to
generate the key. Next, you export the key into a file. Finally,
you import the key into your local Java key store.
Setting up CAS server
Step 1: Downloadcas-web.war
Step 2: Copycas-web.warfile intotomcat\webapps
Step 3: Editserver.xml(tomcat/conf/server.xml)
Uncomment this part :
Replace the above line with the following:
Generate the SSL cert with Java keytool Go
totomcat/webapps/Rootin command prompt, enter the command:
keytool -genkey -alias localhost -keypass changeit -keyalg
RSANote: Be sure to use the keytool that comes with the Java VM
(%JAVA_HOME%/jre/bin/keytool), as on some systems the default
points to the GNU version of keytool, where the two seem
incompatible.
Answer the questions in command prompt : (note that your
firstname and lastnameMUSTbe hostname of your server and cannot be
a IP address; this is very important as an IP address will fail
client hostname verification even if it is correct)
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown,
ST=Unknown,
C=Unknown correct?
[no]: yes
Finally import the cert into Java's keystore with this command.
Tomcat uses the keystore in your JRE
(%JAVA_HOME%/jre/lib/security/cacerts)
keytool -import -alias tomcat -file %FILE_NAME% -keypass
changeit -keystore "C:/Program Files/
Java/jdk1.6/jre/lib/security/cacerts"
OR
keytool importkeystore srcalias tomcat srckeystore
-srckeypass changeit destkeystore
/java/jdkl1.6/./lib/security/cacertsCreating the certificate:
See the created certificate:
Import the created certificate into java cacerts:
See the created list of certificates:
Step 4: Set up in properties files
system-ext.properties
#
# The CAS filter will redirect the user to the CAS login page
for SSO.
# See [http://www.ja-sig.org/products/cas] for more
information.
#
com.liferay.filters.sso.cas.CASFilter=true
portal-ext.properties
Put this in portal-ext.properties.For Liferay-5.1.2:
------------------------
cas.auth.enabled=true
auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.CASAutoLogin
For Liferay-5.2.3:--------------------------
cas.auth.enabled=true
auto.login.hooks=com.liferay.portal.security.auth.BasicAuthHeaderAutoLogin,com.liferay.portal.security.auth.CASAutoLogin
Step 5: Password in Plain Text (For testing the cas initially we
need to configure password to store in plain text)
Put this in portal-ext.properties.
Passwords are stored in the plain text on lportal database.
##
## Passwords
##
passwords.encrypted=false
passwords.encryption.algorithm=NONE
Step 6: Configure the SSL port no and certificate
information.
(location: tomcat/conf/server.xml )
Step 7: Database Configuration : CAS with lportal database
Comment the following line : SimpleTestUsername
To read the simple plain text as password
user_
emailAddress
password_
To read the encrypted password:
For reading encrypted password we need to write the out own
class with SHA encrypted algorithm and place the
class(QueryDatabaseAuthenticationSHA1Base64) in the following
package of the cas-client :(org.jasig.cas.adaptors.jdbc)
Add the following database information on
deployerConfigContext.xml of CAS (location:
tomcat\webapps\cas-web\WEB-INF)
com.mysql.jdbc.Driver
jdbc:mysql://localhost/lportal
root
ityug123
Step 8: Enabling the Single Sign Out in
argumentExtractorsConfiguration.xml
(location:
tomcat\webapps\cas-web\WEB-INF\spring-configuration)
Replace the above with the following for enabling the Single
Sign Out.
false
Step 9: Single Sign Out
Update the web.xml file for Single Sign Out:
/tomcat-6.0.16/webapps/ROOT/WEB-INF/web.xml
CAS Single Sign Out Filter
org.jasig.cas.client.session.SingleSignOutFilter
CAS Single Sign Out Filter /*
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
Step 10: ADD the necessary jar files on lib folder of CAS
Server
Liferay needs the cas-client-core-3.1.6.jar in the portal
classpath for setting the Single Sign Out.. Download the cas client
form the following path:
(http://www.ja-sig.org/downloads/cas-clients/).
Step 11: Configuring the CAS properties through GUI
Step 12: Modify the following classes accordingly
CASAutoLogin:
File Path :
D:\cygwin\java\workspace\portal\portal-impl\src\com\liferay\portal\security\auth
Modification in CASAutoLogin:
1.) Adding the email address as authentication
2.) User specific login
CASFilter:
File Path :
D:\cygwin\java\workspace\portal\portal-impl\src\com\liferay\portal\servlet\filters\sso\cas
Modification in CASFilter :
1) Getting the CAS serviceURL name as dynamic.
2) Instead of redirecting to CAS logout URL we made changes to
navigate to the requestURI of Home page.
Note : To see the changes done in the above files, refer to the
same color, in the following code.
CASFilter & CASAutoLogin:
----------------------------------------
We are setting the the follwing property true in
system-ext.properties
com.liferay.filters.sso.cas.CASFilter=true
So CASFilter class will redirect the user to the CAS login page
for SSO.
The following are the detailed steps:
a. User logs in to liferay portal.
b. Because of configured CASFilter, it leads to CAS login
screen. We also send the service url.
c. After successful authentication, CAS server redirects the
request to this service url. The generated ticket is set in the
request.
d. The redirection to service url again goes through
CASFilter.
e. CASFilter finds the ticket in the request and tries to
validate it.
f. It sends validation request to CAS server.
g. Upon successful validation, the CASFilter will set the
CAS_FILTER_USER attribute in session.
h. Now control goes to CASAutoLogin where it successfully gets
the userId.
i. Now we will get the organizationIds by passing the userId as
a parameter to validate users with organization. If validation is
successful we are allowing the user to login to that particular
Organization.
CASAutoLogin:
package com.liferay.portal.security.auth;import
java.util.List;import javax.naming.Binding;import
javax.naming.NamingEnumeration;import
javax.naming.directory.Attributes;import
javax.naming.directory.SearchControls;import
javax.naming.directory.SearchResult;import
javax.naming.ldap.LdapContext;import
javax.servlet.http.HttpServletRequest;import
javax.servlet.http.HttpServletResponse;import
javax.servlet.http.HttpSession;import
com.liferay.portal.NoSuchUserException;import
com.liferay.portal.SystemException;import
com.liferay.portal.kernel.log.Log;import
com.liferay.portal.kernel.log.LogFactoryUtil;import
com.liferay.portal.kernel.util.StringPool;import
com.liferay.portal.kernel.util.StringUtil;import
com.liferay.portal.kernel.util.Validator;import
com.liferay.portal.model.Group;import
com.liferay.portal.model.LayoutSet;import
com.liferay.portal.model.Organization;import
com.liferay.portal.model.User;import
com.liferay.portal.security.ldap.PortalLDAPUtil;import
com.liferay.portal.service.GroupLocalServiceUtil;import
com.liferay.portal.service.LayoutSetLocalServiceUtil;import
com.liferay.portal.service.OrganizationLocalServiceUtil;import
com.liferay.portal.service.UserLocalServiceUtil;import
com.liferay.portal.util.PortalUtil;import
com.liferay.portal.util.PrefsPropsUtil;import
com.liferay.portal.util.PropsKeys;
import com.liferay.portal.util.PropsUtil;
import com.liferay.portal.util.PropsValues;import
edu.yale.its.tp.cas.client.filter.CASFilter;public class
CASAutoLogin implements AutoLogin { public String[]
login(HttpServletRequest request, HttpServletResponse response)
{
String[] credentials = null;
try
{
long companyId = PortalUtil.getCompanyId(request);
if (!PrefsPropsUtil.getBoolean(companyId,
PropsKeys.CAS_AUTH_ENABLED,PropsValues.CAS_AUTH_ENABLED))
{
return credentials;
}
HttpSession session = request.getSession();
String userName =
(String)session.getAttribute(CASFilter.CAS_FILTER_USER);
if (Validator.isNull(userName))
{
return credentials;
}
User user = null;try //Authenthentication based on screenName or
emailAddress or userId
{
if(authType.equals("emailAddress"))
{
user = UserLocalServiceUtil.getUserByEmailAddress(companyId,
userName);
}
else if(authType.equals("screenName"))
{
user = UserLocalServiceUtil.getUserByScreenName(companyId,
userName);
}
else if(authType.equals("userId"))
{
user = UserLocalServiceUtil.getUserById(companyId,
Long.parseLong(userName));
}
}
catch (NoSuchUserException nsue)
{
if (PrefsPropsUtil.getBoolean(companyId,
PropsKeys.CAS_IMPORT_FROM_LDAP,PropsValues.CAS_IMPORT_FROM_LDAP))
{
user = addUser(companyId, userName);
}
else
{
throw nsue;
}
}
credentials = new String[3];
String serverName = request.getServerName();
//In order to validate the user with organizations to login
if(user != null)
{
if(serverName.equalsIgnoreCase("www.localhost.com"))
{
credentials[0] = String.valueOf(user.getUserId());
credentials[1] = user.getPassword();
credentials[2] = Boolean.TRUE.toString();
return credentials;
}
else
{
try
{
List organizations =
OrganizationLocalServiceUtil.getUserOrganizations(user.getUserId());
LayoutSet layout =
LayoutSetLocalServiceUtil.getLayoutSet(serverName);
long layoutGroupId = layout.getGroupId();
for (int i = 0; i < organizations.size(); i++)
{
Organization organization =
(Organization)organizations.get(i);
long organizationId = organization.getOrganizationId();
Group group =
GroupLocalServiceUtil.getOrganizationGroup(companyId,
organizationId);
long groupId = group.getGroupId();
try
{
if(groupId == layoutGroupId )
{
credentials[0] = String.valueOf(user.getUserId());
credentials[1] = user.getPassword();
credentials[2] = Boolean.TRUE.toString();
return credentials;
}
}
catch (Exception e)
{
System.out.println("Exception from CASAutoLogin" +
e.getMessage());
}
}//End of for loop
credentials = null;
return credentials;
}
catch (Exception e)
{
_log.warn("User does not have belong to an organization");
}
}}}catch (Exception e) {
_log.error(e, e);}
return credentials;}protected User addUser(long companyId,
String screenName)throws SystemException {try {
String baseDN = PrefsPropsUtil.getString(companyId,
PropsKeys.LDAP_BASE_DN);
LdapContext ctx = PortalLDAPUtil.getContext(companyId);
if (ctx == null)
{
throw new SystemException("Failed to bind to the LDAP
server");
}
String filter = PrefsPropsUtil.getString(companyId,
PropsKeys.LDAP_AUTH_SEARCH_FILTER);
if (_log.isDebugEnabled())
{
_log.debug("Search filter before transformation " + filter);
}
filter = StringUtil.replace(filter,new String[] {"@company_id@",
"@email_address@", "@screen_name@"},
new String[] {String.valueOf(companyId), StringPool.BLANK,
screenName});
if(filter != null)
System.out.println("Filter :" + filter);if
(_log.isDebugEnabled())
{
_log.debug("Search filter after transformation " + filter);
}
SearchControls cons = new
SearchControls(SearchControls.SUBTREE_SCOPE, 1, 0, null, false,
false);
NamingEnumeration enu = ctx.search(baseDN, filter, cons);
if (enu.hasMoreElements())
{
if (_log.isDebugEnabled())
{
_log.debug("Search filter returned at least one result");
}
Binding binding = enu.nextElement();
Attributes attrs = PortalLDAPUtil.getUserAttributes(companyId,
ctx,PortalLDAPUtil.getNameInNamespace(companyId, binding));
return PortalLDAPUtil.importLDAPUser(companyId, ctx, attrs,
StringPool.BLANK, true);
}
else
{
throw new NoSuchUserException("User " + screenName + " was not
found in the LDAP server");
}}catch (Exception e) {
_log.error("Problem accessing LDAP server ", e);throw new
SystemException("Problem accessign LDAP server " +
e.getMessage());}}
private static Log _log =
LogFactoryUtil.getLog(CASAutoLogin.class);}
CASFilter:
package com.liferay.portal.servlet.filters.sso.cas;import
com.liferay.portal.kernel.log.Log;import
com.liferay.portal.kernel.log.LogFactoryUtil;import
com.liferay.portal.kernel.servlet.BaseFilter;import
com.liferay.portal.kernel.util.Validator;import
com.liferay.portal.util.PortalUtil;import
com.liferay.portal.util.PrefsPropsUtil;import
com.liferay.portal.util.PropsKeys;import
com.liferay.portal.util.PropsValues;import
com.liferay.util.servlet.filters.DynamicFilterConfig;import
java.net.URI;import java.net.URISyntaxException;import
java.net.URLEncoder;import java.util.Map;import
java.util.concurrent.ConcurrentHashMap;import
javax.servlet.Filter;import javax.servlet.FilterChain;import
javax.servlet.ServletContext;import
javax.servlet.http.HttpServletRequest;import
javax.servlet.http.HttpServletResponse;import
javax.servlet.http.HttpSession;public class CASFilter extends
BaseFilter {
public static void reload(long companyId)
{
_casFilters.remove(companyId);
}
protected Filter getCASFilter(long companyId,String serviceUrl)
throws Exception
{
edu.yale.its.tp.cas.client.filter.CASFilter casFilter =
_casFilters.get(companyId);
if (casFilter == null)
{
casFilter = new
edu.yale.its.tp.cas.client.filter.CASFilter();
}
DynamicFilterConfig config = new
DynamicFilterConfig(_filterName, _servletContext);
String serverName = PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_SERVER_NAME,PropsValues.CAS_SERVER_NAME);
System.out.println("ServiceURL requested: " +serviceUrl);
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.LOGIN_INIT_PARAM,
PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_LOGIN_URL,PropsValues.CAS_LOGIN_URL));if
(Validator.isNotNull(serviceUrl)) {
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.SERVICE_INIT_PARAM,serviceUrl);}else
{
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.SERVERNAME_INIT_PARAM,serverName);}
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.VALIDATE_INIT_PARAM,
PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_VALIDATE_URL,PropsValues.CAS_VALIDATE_URL));
casFilter.init(config);
_casFilters.put(companyId, casFilter);
return casFilter;}protected Log getLog() {
return _log;}protected void processFilter(HttpServletRequest
request, HttpServletResponse response,FilterChain filterChain) {try
{
long companyId = PortalUtil.getCompanyId(request);
String serverName = PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_SERVER_NAME,PropsValues.CAS_SERVER_NAME);
String serviceUrl = PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_SERVICE_URL,PropsValues.CAS_SERVICE_URL);try {URI
requestURI = new URI(request.getRequestURL().toString());
if(requestURI != null)
System.out.println("requestURI :" + requestURI);
serviceUrl = requestURI.toString();}catch (URISyntaxException e)
{
System.out.println("Exception from the URI :" +
e.getMessage());}if (PrefsPropsUtil.getBoolean(companyId,
PropsKeys.CAS_AUTH_ENABLED,PropsValues.CAS_AUTH_ENABLED)) {
String pathInfo = request.getPathInfo();
if (pathInfo.indexOf("/portal/logout") != -1) {
HttpSession session = request.getSession();
session.invalidate();
String logoutUrl = PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_LOGOUT_URL,PropsValues.CAS_LOGOUT_URL);//Inorder to
redirecting to cas logout page we need to redirect the requestedURI
Home page once the signout is clicked.
String url = "/portal/caslogout";
url = request.getContextPath() + request.getServletPath() +
url;
try
{
URI requestURI = new
URI(request.getRequestURL().toString());
URI redirectURI = requestURI.resolve(url);
url = redirectURI.toString();
}
catch (URISyntaxException e)
{
System.out.println("Exception :" + e.getMessage());
}
final String urlEncodedService = response.encodeURL(url);
final StringBuffer buffer = new StringBuffer(255);
buffer.append(logoutUrl).append("?service=").append(URLEncoder.encode(urlEncodedService,
"UTF-8"));
response.sendRedirect(buffer.toString());
//response.sendRedirect(logoutUrl);
}
else {
// Add the the serviceUrl argument for getting the serviceUrl of
CAS dynamically.
Filter casFilter = getCASFilter(companyId,serviceUrl);
casFilter.doFilter(request, response, filterChain);}}else
{
processFilter(CASFilter.class, request, response,
filterChain);}}catch (Exception e) {
_log.error(e, e);}}private static Log _log =
LogFactoryUtil.getLog(CASFilter.class);private static Map
_casFilters = new ConcurrentHashMap();private String
_filterName;private ServletContext _servletContext;}Step 13: Add
the new action path in struts-config.xml
(location:
D:\cygwin\java\workspace\portal\portal-web\docroot\WEB-INF)
Testing the CAS server
Starttomcatand clickSign-InfromDockMenu . It will redirect
toCASserver page as follows:
(Access CAS withhttps://localhost:8443/cas-web/loginYou should
see theCAS login screenand no errors in your catalina logs. )
Page 5 of 16 Confidential www.ityug.com
