Liferay integration with CAS and LDAP

coldwaterphew · Servers

17 Nov 2013 (3 years and 8 months ago)

March 22, 2010, by Nidhi Singh

Steps to configure the LDAP server are in a separate post: www.liferay.com/web/nidhi.singh/blog/-/blogs/liferay-integration-with-ldap

Steps for the SSL certificate

Open a command prompt and run the command below. It creates an RSA key pair and a self-signed certificate under the alias tomcat in the user's default keystore (.keystore in the home directory, which is the file the Tomcat connector in the next section points at). The answers shown are the ones used in this walkthrough. The "first and last name" answer becomes the certificate's CN and must be the host name under which browsers and Liferay will reach the CAS server (localhost here); if it does not match, TLS hostname verification fails later, which is what several commenters ran into after moving to a different host name.

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

Enter keystore password: changeit
What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]: Information Systems
What is the name of your organization?
  [Unknown]: Life
What is the name of your City or Locality?
  [Unknown]: Bangalore
What is the name of your State or Province?
  [Unknown]: KA
What is the two-letter country code for this unit?
  [Unknown]: IN
Is CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN correct?
  [no]: yes

Export the certificate (the public certificate only; the private key stays in the keystore):

keytool -export -alias tomcat -keypass changeit -file E:\server.crt

Enter keystore password: changeit
Certificate stored in file <E:\server.crt>

Import it as a trusted certificate into the cacerts truststore of the JRE that Liferay runs on: the portal's ticket validation call to CAS goes over HTTPS, and that JVM must trust this certificate. The path below is relative to the JDK's bin directory. "changeit" is the well-known default password of cacerts and should only survive on a development box. (-keypass has no effect on a trusted-certificate import and can be omitted; -keystore is the option that matters.) Before answering yes, check that the fingerprints match the certificate you just exported; keytool -printcert -file E:\server.crt shows them.

keytool -import -file E:\server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN
Issuer: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2010 until: Thu Jul 12 15:39:36 HST 2010
Certificate fingerprints:
  MD5:  CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
  SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore

Owner and Issuer being identical confirms that the certificate is self-signed. The 90-day validity is keytool's default when no -validity option is given; the SSO setup stops working when it expires unless the certificate is regenerated and re-imported.



Steps for the Apache Tomcat server

In server.xml, uncomment the HTTPS connector (port 8443) and point it at the keystore created above. With clientAuth="false" clients are not asked for certificates, so the truststoreFile entry plays no part in incoming connections; the server's own keystore and its password are what matter. The keystore password sits in clear text in server.xml, so restrict read access to that file.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/Documents and Settings/nidhi.singh/.keystore"
           keystorePass="changeit"
           truststoreFile="C:/Program Files/Java/jdk1.6.0_18/jre/lib/security/cacerts" />


Setting up the CAS server

1. Download the CAS server distribution and locate the war file, e.g. \cas-server-3.2.1\modules\cas-server-webapp-3.2.1.war

2. Start the Apache Tomcat server. Deploy the war file (cas-server-webapp-3.2.1.war) to Tomcat's webapps folder and rename it, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web

3. Now that CAS is deployed you should have an unpacked directory in your webapps folder, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web

4. Stop the Tomcat server.

5. Add the lines below to the pom.xml file in the META-INF folder (e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\META-INF\maven\org.jasig.cas\cas-server-webapp). The pom.xml inside a deployed war is only the record of how the war was built; editing it does not fetch anything, which is why step 8 copies the jar by hand. Building the war with a Maven overlay that declares this dependency, as one of the comments below describes, pulls in the LDAP support together with its spring-ldap dependencies.

<dependency>
  <groupId>${project.groupId}</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${project.version}</version>
</dependency>

6. Add the following to the deployerConfigContext.xml file in the WEB-INF directory, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF. This connects to the default Apache Directory Server configuration: port 10389, the built-in administrator uid=admin,ou=system and its default password secret. Those are well-known defaults, and with simple authentication the bind password crosses the network in clear text, so change the password and switch to ldaps:// (or StartTLS) before pointing this at anything other than a local test directory. Paste the XML exactly as shown; stray text between the <list> tags produces the "Element 'list' cannot have character [children]" startup error reported in the comments below.

<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="pooled" value="true"/>
  <property name="urls">
    <list>
      <value>ldap://localhost:10389</value>
    </list>
  </property>
  <property name="userName" value="uid=admin,ou=system"/>
  <property name="password" value="secret"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry>
        <key>
          <value>java.naming.security.authentication</value>
        </key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>

7. Add the corresponding AuthenticationHandler to deployerConfigContext.xml. Remove the default simple handler (SimpleTestUsernamePasswordAuthenticationHandler, which accepts any user whose password equals the username and must never stay in a real deployment) and add the following in its place:

<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
  <property name="filter" value="cn=%u,dc=example,dc=com" />
  <property name="contextSource" ref="contextSource" />
</bean>

Here filter is a DN template rather than a search filter: %u is replaced with the submitted username and CAS binds to the directory as that DN with the submitted password, so the template has to match where the user entries actually live (dc=example,dc=com here; adjust it to your directory tree).

8. Copy cas-server-support-ldap-3.2.1.jar from the CAS installation (\cas-server-3.2.1\modules) into the web application's library folder, e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF\lib. Without it Tomcat fails at startup with a ClassNotFoundException for FastBindLdapAuthenticationHandler; the handler's own dependencies (spring-ldap) have to be on the classpath as well.

9. Start Tomcat and log in with an LDAP username and password at https://localhost:8443/cas-web/login



Setting up Liferay

1. Create system-ext.properties in webapps\ROOT\WEB-INF\classes.

2. Open system-ext.properties, add the line below and save it. This switches on Liferay's CAS servlet filter.

com.liferay.filters.sso.cas.CASFilter=true

3. Open portal-ext.properties, change the auto-login hook line from the default to the one that appends the CAS auto-login, and save it. (In Liferay 6 the BasicAutoLogin class was renamed RememberMeAutoLogin; use that name there, as one of the comments below points out.)

Default:
auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin

Change to:
auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

4. Log in as administrator and go to Control Panel -> Settings -> Authentication -> CAS.

5. Check the Enabled checkbox and Import from LDAP.

6. Login URL: https://localhost:8443/cas-web/login

7. Logout URL: https://localhost:8443/cas-web/logout

8. Server Name: localhost:8080

9. Service URL: http://localhost:8080/c/portal/login

10. Validate URL: https://localhost:8443/cas-web/proxyValidate

11. Save.

Liferay's own portal.properties says to set either the server name or the service URL, not both: with a server name, CAS sends the user back to the page that was originally requested (deep linking), whereas a fixed service URL forces every login through that one page. The validate URL is called from the portal's JVM rather than from the browser, which is why the CAS certificate was imported into that JVM's cacerts above. The service ticket travels in the query string of the redirect back to the service URL, so outside a local test the portal itself should be served over HTTPS as well.
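The round trip these settings produce, as an added example that is not part of the original post and is neither Liferay's nor CAS's code: it builds the redirect a CAS client sends an unauthenticated browser to, the validate call the portal then makes with the service ticket, and a parser for the XML the validate URL answers with. It is written in Python rather than Java so that it runs stand-alone with the standard library; the URLs, ticket value and XML responses are constructed for the example, and the "either server name or service URL" rule follows the portal.properties comment quoted in the comments below.

```python
"""Constructed example of the CAS client round trip behind the Liferay settings.

Not Liferay's or CAS's own code. URLs, ticket values and XML bodies are made up
for the example; the setting names mirror Liferay's cas.* properties.
"""
from typing import Optional
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 responses


def service_url(server_name: Optional[str], fixed_service_url: Optional[str],
                requested_path: str, scheme: str = "http") -> str:
    """Apply the 'set either cas.server.name or cas.service.url' rule.

    With a server name the service is the page the user actually asked for
    (deep linking works); with a fixed service URL every login lands on that
    one page regardless of what was requested.
    """
    if fixed_service_url:
        return fixed_service_url
    if not server_name:
        raise ValueError("either cas.server.name or cas.service.url must be set")
    return f"{scheme}://{server_name}{requested_path}"


def login_redirect(login_url: str, service: str) -> str:
    """Location header a CAS client sends an unauthenticated browser to."""
    return login_url + "?" + urlencode({"service": service})


def validate_request(validate_url: str, service: str, ticket: str) -> str:
    """Server-to-server call the portal makes with the ST-... ticket it got back.

    'service' must be byte-for-byte the value used in the login redirect or CAS
    answers INVALID_SERVICE. The call goes over HTTPS to the CAS host, which is
    why the CAS certificate must be in the portal JVM's truststore; over plain
    http anyone on the path could forge the authenticated user.
    """
    if urlparse(validate_url).scheme != "https":
        raise ValueError("validate URL must be https")
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_response(body: str) -> dict:
    """Parse a CAS 2.0 serviceValidate/proxyValidate response.

    Returns {"ok": True, "user": ...} on success, otherwise {"ok": False,
    "code": ..., "message": ...}. Anything unexpected (an HTML error page, a
    success element with no user) is a failure, never a login.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"ok": False, "code": "UNPARSEABLE", "message": "not a CAS response"}
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        if user:
            return {"ok": True, "user": user}
        return {"ok": False, "code": "NO_USER", "message": "success element without user"}
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "UNKNOWN", "message": "no success or failure element"}


# Constructed responses in the shape CAS 2.0 uses.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>nidhi</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'ST-1-abc' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Deep-linking case: server name set, service URL left blank.
    svc = service_url("localhost:8080", None, "/group/intranet/private")
    print(login_redirect("https://localhost:8443/cas-web/login", svc))
    print(validate_request("https://localhost:8443/cas-web/proxyValidate", svc, "ST-1-abc"))
    print(parse_validate_response(SUCCESS_XML))
    print(parse_validate_response(FAILURE_XML))
```

Running it with the server name set and no fixed service URL shows the requested private page carried through the login redirect and the validate call unchanged; swapping in a fixed service URL shows every login being sent to that one page instead, which is the trade-off the Server Name / Service URL fields above encode.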




























Showing 44 Comments


saurabh jain

4/18/10 10:42 PM

Very nice!


saurabh s

4/18/10 10:50 PM

Thanks Nidhi for sharing this information with us.


Juan Fernández

4/19/10 12:08 AM

Nice post! Thanks a lot



Bavithra Rajendran

4/19/10 12:21 AM

Very Nice! Thanks for sharing



vikash awasthi

4/19/10 12:29 AM

Very well explained, thanks.


Srikanth Reddy Sanivarapu

4/19/10 1:15 AM

Really good blog. Thank you...


joydeep roy

4/19/10 2:02 AM

Nice explanation with proper guided URLs... thanks for such a nice piece of information.


Freddi Fischer

4/22/10 1:52 AM

A little hint for those who want to run LR under another domain like "dev" or something:

Make sure your cert is created for this host and the cert is imported into the correct cert store at %JAVA_HOME% and/or the LR JRE store.


Nidhi Singh

4/22/10 9:34 PM

Yes, correct: you have to make sure that the cert is created inside the %JAVA_HOME% which is used by LR.


Saravanan V

4/23/10 2:34 AM

Hi,


Thanks for your blog.

In portal.properties for CAS, the comment below is provided:

#
# Set the default values for the required CAS URLs. Set either
# "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows
# deep linking. See LEP-4423.
#

Please let me know whether we need to specify cas.server.name and cas.service.url, or only one as commented in the property file.

In my case, if I provide both values it didn't work; after CAS authentication the page was blank.

If I enter only the cas.service.url and not cas.server.name, then authentication works fine and I am getting the page, but here also the redirect didn't work.


coe-jek same

5/19/10 12:53 AM

Thanks for the tutorial, but actually it didn't solve my problem in "single sign out".

I've implemented this single sign-on, and it works, but when I sign out from another application which is connected to CAS, the session in Liferay didn't invalidate this session_ID, so what should I do?

Thanks & regards


Daljeet Kaur

5/25/10 10:41 PM

I need urgent help on CAS+Liferay on Linux Centos.


Please help.


Nidhi Singh

5/25/10 10:46 PM

Please write your problem so that I can solve it.


Daljeet Kaur

5/25/10 10:52 PM

Hi Nidhi,

I am trying to integrate CAS+Liferay on CentOS. I have created the signature certificate, but the problem is that I am unable to locate jre/lib/security on CentOS as it uses OpenJDK.

I tried to integrate CAS+Liferay without doing the above step but it did not work. Please help!

Thanks for your early response.


5/25/10 11:45 PM

Hi,

I have located the JRE. Will contact you for further help.

Thanks


Daljeet Kaur

5/26/10 4:37 AM

Hi,


I am trying to integrate Liferay+CAS. When I click on Sign In on the Liferay portal it opens the Liferay portal again instead of the CAS login page.


Can anyone please help in solving this issue.


Thanks in advance

Daljeet


Nidhi Singh

5/26/10 9:56 PM

Hi,


You did the CAS settings in Liferay, the system-ext.properties file and the portal-ext.properties file?


Nidhi


Daljeet Kaur

5/27/10 2:31 AM

Hi


I am having a problem adding the authentication handler in the file deployerConfigContext.xml.

When I add the code by replacing simple authentication, it gives a ClassNotFound exception for FastBindLdapAuthenticationHandler.


Please help out.


Thanks


Nidhi Singh

5/27/10 3:50 AM

Hi,


You have added this cas-server-support-ldap-3.2.1.jar?



Nidhi


5/27/10 5:49 AM

Hi,

Yes, I have added cas-server-support-ldap-3.2.1.jar.

It is giving the following exception:

Line 124 in XML document from ServletContext resource [/WEB-INF/deployerConfigContext.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'list' cannot have character [children], because the type's content type is element-only.



Daljeet


5/27/10 5:56 AM

I have also added the system-ext.properties file and portal-ext.properties file.

As I am working on Linux, please tell me how to do the settings that you mentioned by visiting the control panel.


Thanks


Daljeet Kaur

5/28/10 2:46 AM

Hi Nidhi,


When I click on Sign In on the Liferay Portal home page it takes me to the URL: https://server:8443/c/portal/login?p_l_id=10298

But Internet Explorer cannot display the page.

Kindly help for the needful.


Thanks


DJ


Ananda Ramana

7/20/10 4:57 AM

Hi nidhi,

We have some PHP-MySQL based applications running on a different server. I want to sign into Liferay and get access to those applications using single sign-on. Is it possible? I have added those URLs as embedded pages into Liferay.


Ed Holderman

7/28/10 9:42 AM

Ananda,

I am sort of new at this, but I believe that if you have CAS-enabled the PHP-Mysql applications so that you can login to them through CAS (without any Liferay involvement) then yes, you should be able to set up an SSO situation between Liferay and your applications. The key point is that _all_ of them must use CAS for login before SSO will work.


Ed


Ananda Ramana

8/3/10 2:25 AM

Hi, I am not able to get how installing CAS would enable single sign-on for an external application. How will CAS talk to my external application? Should I install CAS in my external application as well?


Ed Holderman

8/3/10 5:38 AM

Yes, you would have to integrate CAS into your other applications so that they could all have the same trust relationship with the CAS validation ticket. If you were to use SiteMinder instead of CAS, you would have the same situation where all of the apps would have to be protected by SiteMinder. The other option is to not use SSO at all and use some sort of uid/password storage mechanism in custom portlets that would send the credentials to the external system, but that isn't as flexible.


Joe Osowski

8/3/10 1:03 PM

Is it possible to setup Liferay to use CAS without an LDAP server and without creating an autologin hook?



That is, once the user is authenticated, can Liferay be configured to complete the user creation by asking the user for the missing profile information?


Ed Holderman

8/17/10 9:27 AM

I have seen information about configuring CAS to use the Liferay database via JDBC instead of the LDAP for a user store so that would solve your first problem: https://wiki.jasig.org/display/CASUM/JDBC. You can extend the functionality of the CAS post-login process to ask the user for the information and store it in the portal DB before sending them back to Liferay (something like this: https://wiki.jasig.org/display/CASUM/Acceptable+Use+interface+for+Login+Webflow). You can also modify Liferay to extend the functionality of its post-login process: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Customizing+the+default+page+after+login

I've only read about any of these and they all seem fairly involved.
- Ed


Nagendra Kumar Busam

8/25/10 10:48 PM

That's a very nice post.


Can you let me know if there is any way, by configuration or any simple means, of doing the following scenario.

We have a CAS + Liferay integrated environment, but it looks like the "concurrent login prevention" does not work in some occasions for Liferay. For example, we have an iframe enclosing the portal menu bar and the page content. User logs in on Browser 1 and the same User logs in on Browser 2. User then navigates on Browser 1 by clicking on the menu bar (some private pages), but he did not get logged out.

Practically I think the user's old token should be invalid.


Can you give me suggestion regarding the same


Apoorva Prakash

9/13/10 11:59 PM

Hi Nidhi,

Nice article... very informative...


Apoorva Prakash

9/14/10 5:51 AM

Hello,

I am working on a web application in which I am using Liferay and Pentaho. I wish to use CAS for authenticating users. I followed all the steps, and CAS is working fine.

When I am logging in to CAS, and then opening the Pentaho portion, I get it signed in, as CAS is logged in, and when I am logging out from CAS, it is also reflecting in Pentaho (and vice versa too). It depicts that Pentaho is sharing the login ticket. But when I am using it with Liferay, it is giving the following problem:

When I am logging in through the Liferay Sign In button, then it opens the CAS page and logs in properly, but when I am logging in to CAS first, and then opening Liferay, then it is not getting that login ticket. The same problem persists at the time of logout also.



Please give solution...

Thanks in advance !!!


diego santiviago

9/22/10 11:34 AM

hi,


When I am logging in through the Liferay Sign In button (dock), then it opens the CAS page and logs in properly, but when I am logging in to CAS first, and then opening Liferay, then it is not getting that login ticket. But if I click the 'sign in' link, Liferay acquires the ticket.

How do I use autologin, logging in to CAS first?


Ed Holderman

9/23/10 6:34 AM

Diego,

I think if you are just going to the public home page, there is no need for Liferay to authenticate so it doesn't check the ticket or try to do autologin. Try this: create a private page and make note of the friendly URL. Log out of everything and close browsers, in a new browser log in to CAS, then use your friendly private page URL. You should go through the autologin.
- Ed


kiruba garan

12/13/10 9:41 PM

Can you please help me configure Liferay 6.0.5 with CAS 3.0.7? CAS is working fine, validating user credentials properly with OpenLDAP. But I am confused with the three entries, i.e. Server Name, Server URL, and Service URL on the CAS configuration screen in Liferay, and not sure what to provide where. I tried many combinations but of no use.


Please guide me!


Thanks!

Kiru




Jordi Torne

12/14/10 2:25 AM

Simple and straight forward explanation to setting up CAS with Liferay and LDAP.


However, I've tried but I didn't manage to get it working.

I'm stuck on a ClassNotFoundException. The authent
ication handler is not loaded because the
"org/springframework/ldap/NamingException" class is not found.


I've tried both the CAS Server 3.2.1.1 and the CAS 3.4.3.1 with identical results. The spring
-
ldap
-
*.jar are in the WEB
-
INF/lib but for some reason, t
he Tomcat does not load those jars.


Anyone with the same issue? Thanks in advance for any advice on this.


Jordi


Ed Holderman

12/14/10 6:41 AM

Kiru,

The best documentation on the use of these settings is in portal-ext.properties and the portal admin guide. If you want people to be able to email or bookmark friendly URLs to pages other than the home page, then you should use a combination of server name and server URL while leaving the service URL blank. This will allow the portal to generate a dynamic service URL based on the one the user is trying to access. Here is a summary of portal 5.2.3 settings:

- cas.server.name: This is the server name of the portal that CAS should use when calling back to the CAS client. Set either "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows deep linking. See LEP-4423. ex: portal.acme.com

- cas.server.url: URL address of the CAS server. ex: https://cas.acme.com:8443/cas

- cas.service.url: This parameter replaces the serverName parameter above. It becomes the URL that CAS redirects to after login. If you have one specific point of entry to your web application and you want all logins to proceed through that page, you would specify the full URL of that page here. Either this parameter or the serverName parameter must be set. ex: (don't have an example since we don't use this setting)

- cas.validate.url: The URL whereat CAS offers its service ticket or proxy ticket validation service. ex: https://cas.acme.com:8443/cas/proxyValidate

- cas.login.url: The URL whereat CAS offers its Login page. ex: https://cas.acme.com:8443/cas/login

- cas.logout.url: The CAS URL that triggers session invalidation logic. This depends on CAS functionality to redirect the user back to the portal. ex (you may have to alter this depending on your logged out page strategy): https://cas.acme.com:8443/cas/logout?service=http://portal.acme.com/c


Ed Holderman

12/14/10 6:59 AM

Jordi,

Are you getting the exception from Liferay/CAS Client or the CAS Server? Liferay needs to have a cas-client-core.jar installed in ROOT\WEB-INF\lib with a version that supports the CAS server version since they will be talking to each other. On the CAS server side, I'm building using the maven overlay method detailed in CAS and my pom.xml has an LDAP reference which probably brings in everything needed for the war:

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>


Jordi Torne

12/15/10 2:21 AM

Hi Ed,


I finally solved the issue by reinstalling everything from scratch (Liferay, Tomcat and CAS from sources). No idea what the problem was. I have another weird issue now ("CAS is Unavailable" with not a single line of error in the logs after submitting user/password) but I'm still working on it.


The problem was on the server (at tomcat startup). I haven't reached the point of talking to Liferay yet.


Thanks


Apoorva Prakash

12/16/10 4:22 AM

Hi All,

The BasicAutoLogin class is renamed to RememberMeAutoLogin. I hope the following will help you in case you encounter the 'java.lang.ClassNotFoundException: com.liferay.portal.security.auth.BasicAutoLogin' exception...

auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin

auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.CASAutoLogin


Thanks and Regards...


jelmer kuperus

2/23/11 4:39 AM

As of CAS 3.3.2, you MUST use Spring LDAP's LdapContextSource (org.springframework.ldap.core.support.LdapContextSource) instead of the AuthenticatedLdapContextSource.


https://wiki.jasig.org/display/CASUM/LDAP


jelmer kuperus

2/25/11 2:12 AM

If you authenticate based on email address instead of screen name you cannot use the FastBindLdapAuthenticationHandler; instead you can use this:

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="mail=%u" />
  <property name="searchBase" value="dc=example,dc=com" />
  <property name="contextSource" ref="contextSource" />
</bean>
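What the %u substitution needs in either handler, as an added example that is neither CAS's code nor a description of how CAS's handlers perform the substitution internally: in the fast-bind configuration from step 7 of the post (cn=%u,dc=example,dc=com) the username lands inside a DN, so RFC 4514 escaping applies; in the search configuration in the comment above (mail=%u) it lands inside a search filter, so RFC 4515 escaping applies. Python, standard library only; the usernames are constructed, and the "naive" function exists only to show the difference.

```python
"""Constructed example: escaping a username before it replaces %u.

Not CAS's code and not a description of what CAS's handlers do internally;
it shows the two escaping rules that apply to the two template styles on this
page. Sample usernames are made up.
"""

# RFC 4515 section 3: these must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# RFC 4514 section 2.4: these must be backslash-escaped in an RDN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(template: str, username: str) -> str:
    """Fill a fast-bind style DN template such as cn=%u,dc=example,dc=com.

    Escaping keeps the whole username inside one RDN value, so a name such as
    'admin,ou=system' cannot change which entry the bind targets.
    """
    return template.replace("%u", escape_dn_value(username))


def search_filter(template: str, username: str) -> str:
    """Fill a search-style template such as mail=%u and wrap it as a filter.

    Escaping turns a username of '*' into \\2a, which matches a literal
    asterisk instead of every entry under the search base.
    """
    filt = template.replace("%u", escape_filter_value(username))
    return filt if filt.startswith("(") else "(" + filt + ")"


def naive_search_filter(template: str, username: str) -> str:
    """Unescaped substitution, kept only to contrast with search_filter."""
    return "(" + template.replace("%u", username) + ")"


if __name__ == "__main__":
    for name in ["nidhi", "admin,ou=system", "*"]:
        print(bind_dn("cn=%u,dc=example,dc=com", name))
        print(naive_search_filter("mail=%u", name), "->", search_filter("mail=%u", name))
```

The two rules are different on purpose: a DN is a comma-separated list of name=value pairs, so commas, equals signs and leading/trailing spaces are what must be neutralised there, while a filter is a parenthesised expression in which parentheses, the asterisk wildcard and backslashes are what change its meaning.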


Biresh Choudhury

3/28/11 3:42 AM

Hi Nidhi,


Thanks for a nice explanation on how to integrate.


I have a slightly different requirement: integrating Liferay 6 with CAS (already available in a web application) without any LDAP.

Since the CAS setup is already available, what are the steps I need to take? As of now I am trying out the things below without any result.

1) Added casclient.jar into ROOT\WEB-INF\lib

2) Added auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin to portal-ext.properties.

3) Enabled CAS from the administrator's control panel with values as:

(i) Enabled - check box enabled by default.

(ii) Import from LDAP - didn't check the check box since no LDAP in my case.

(iii) Login URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/login

(iv) Logout URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/logout

(v) Server Name - (MACHINE NAME WHERE CAS IS INSTALLED):9080

(vi) Server URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web

(vii) Service URL - http://localhost:8080/web/guest/reference

I am able to log in to the portal page instead of being redirected to the cas-web page.


Need help on anything I am missing out.


Duy Linh Nguyen

4/12/11 6:38 AM

I did it step by step, but when I start Tomcat, http://localhost:8443/cas-web/login gives an error. Can you help me? I want to SSO Liferay and Sakai by CAS.

http://www.liferay.com/web/nidhi.singh/blog/-/blogs/4745753