Single SignOn - Integrating Liferay With CAS Server
2008-08-19 12:53
Introduction
The following are a set of instructions for integrating Liferay Portal with CAS Server to set up single sign-on (SSO) between Liferay and an existing web application.

Note: If you are using Liferay 4.3, you may want to read the Installation Guide instead of this article.

Setting up CAS server

We will begin with setting up JA-SIG CAS server on Tomcat 5.x.x. Download the cas-server WAR from Liferay's download page or the whole distribution from here, and drop the cas-web.war file into Tomcat's webapps dir. In a production environment the CAS server should really run on its own Tomcat instance, but for testing purposes we'll drop it in the same instance as our Liferay portal.

We'll need to edit the server.xml file in Tomcat and uncomment the SSL section to open up port 8443:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
Setting up the CAS client
Next we need to download the Yale CAS client from here. Get cas-client-2.0.11. Place the casclient.jar in ROOT/WEB-INF/lib of the Liferay install.

Generate the SSL cert with Java keytool

Now that we have everything we need, it's time to generate an SSL cert for our CAS server. Instructions and more information on SSL certs can be found here, but I found some typos and errors on that page, so following the instructions below should get you what you need.

In any directory (I use my root) enter the command:

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

Note: Be sure to use the keytool that comes with the Java VM (%JAVA_HOME%/jre/bin/keytool), as on some systems the default points to the GNU version of keytool, and the two seem incompatible.

Answer the questions (note that your first and last name MUST be the hostname of your server and cannot be an IP address; this is very important, as an IP address will fail client hostname verification even if it is correct):

Enter keystore password: changeit
What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]: yes

Then enter the command:

keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%

I use server.cert for %FILE_NAME%. This command exports the cert you generated from your personal keystore (in Windows your personal keystore is in C:/Documents and Settings/<username>/.keystore).

Finally, import the cert into Java's keystore with this command. Tomcat uses the keystore in your JRE (%JAVA_HOME%/jre/lib/security/cacerts):

keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

Startup the CAS server

Now you are ready to start up your CAS server. Simply start up Tomcat and access CAS with https://localhost:8443/cas-web/login. You should see the CAS login screen and no errors in your catalina logs.
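The keytool prompts above insist on a hostname rather than an IP address because the CAS client's HTTPS call to validateUrl checks the certificate's name against the host it connected to. As an added illustration (not code from the original page), the following Python implements the usual RFC 2818/6125 matching rules over a constructed certificate description, so the failure mode can be reproduced offline; the `cert` dict shape, the function names and the sample names are assumptions.

```python
"""Added example (not from the Liferay wiki page): why the keytool
'first and last name' must be the server's hostname.

Implements the common TLS hostname-matching rules on a constructed cert
description: dNSName SANs take precedence over the CN, the CN is only a
fallback when no dNSName SAN exists, a wildcard may only be the whole
leftmost label, and an IP literal is matched against iPAddress SANs only,
never against a CN.
"""
import ipaddress


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (case-insensitive)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must not cover a whole
    # registrable domain (*.org), and cannot span more than one label.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def hostname_matches(cert: dict, connected_to: str) -> bool:
    """cert is {'cn': str, 'san_dns': [...], 'san_ip': [...]} (constructed shape)."""
    if _is_ip(connected_to):
        # An IP literal must appear as an iPAddress SAN; the CN is not consulted.
        target = ipaddress.ip_address(connected_to)
        return any(ipaddress.ip_address(ip) == target for ip in cert.get("san_ip", []))
    dns_names = cert.get("san_dns", [])
    if dns_names:
        return any(_label_match(n, connected_to) for n in dns_names)
    cn = cert.get("cn", "")
    # CN fallback: an IP address typed into the CN is not a DNS name and cannot match.
    if not cn or _is_ip(cn):
        return False
    return _label_match(cn, connected_to)


def explain(cert: dict, connected_to: str) -> str:
    ok = hostname_matches(cert, connected_to)
    return f"{connected_to!r} vs {cert}: {'name accepted' if ok else 'hostname verification FAILS'}"


if __name__ == "__main__":
    # Constructed sample certificates mirroring the keytool prompts above.
    good = {"cn": "localhost"}
    bad = {"cn": "127.0.0.1"}          # the CN was entered as an IP address
    print(explain(good, "localhost"))
    print(explain(bad, "127.0.0.1"))   # fails even though the address is "correct"
    print(explain(bad, "localhost"))
```

Real clients read these names from the certificate itself; the point of the model is only that a CN holding an IP address never satisfies the check, which is exactly the mistake the prompt note warns about.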
Setting up Liferay Portal
web.xml
Note: If you are using Liferay 4.2, this filter is already defined. All you have to do is modify the URL parameters if your CAS server is at a different location.

It's time to move on to configuring Liferay. In the webapps/ROOT/WEB-INF/web.xml file you will need to add a new filter and its mapping directly above the first existing auto login filter mapping. This new filter will redirect all login attempts to the CAS server. If your hostname is different you can modify the init-params accordingly.

<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://localhost:8443/cas-web/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://localhost:8443/cas-web/proxyValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
    <param-value>http://localhost:8080/c/portal/login</param-value>
  </init-param>
</filter>

If you use a ...serviceUrl param like above, after logging in with CAS the browser will be redirected back to that serviceUrl. However, you can change it to the following and it will redirect back to the full URL that was originally requested. This allows you to have a deep link (e.g. to a certain layout, even with parameters for a portlet) that is preserved through the CAS login process:

<init-param>
  <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
  <!-- omit the colon and port number if it doesn't show in the browser URL (i.e. when running on port 80) -->
  <param-value>localhost:8080</param-value>
</init-param>

<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
</filter-mapping>

Then add the following to the rest of the auto login filters:

<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
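The redirect-and-ticket exchange that the CAS Filter takes part in, modelled end to end as an added Python example (this is neither the Yale CAS client's code nor anything from the original page). Both sides live in one file so it runs offline: `CasServer` stands in for cas-web and `CasFilter` for the filter configured above, with the serviceUrl and serverName init-params reproduced as constructor arguments. Requests and sessions are plain dicts, and the `ST-<n>-<random>` ticket format and 60-second lifetime are constructed values.

```python
"""Added example, not code from the Liferay wiki page or the Yale CAS client:
a self-contained model of the CAS 2 exchange the CAS Filter above takes part
in, with both the server and the filter in one file so it runs offline.

Names are assumptions: CasServer stands in for cas-web, CasFilter for
edu.yale.its.tp.cas.client.filter.CASFilter; requests and sessions are plain
dicts; the 'ST-<n>-<random>' ticket format and the 60 s lifetime are constructed.
"""
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

TICKET_LIFETIME = 60.0  # seconds a service ticket stays valid (assumed value)


class CasServer:
    """Identity-provider side: checks credentials and issues single-use service tickets."""

    def __init__(self, password_handler):
        self.password_handler = password_handler  # callable(user, password) -> bool
        self._tickets = {}                        # ticket -> (netid, service, issued_at)
        self._n = 0

    def login(self, service, user, password, now=None):
        """The form POST at loginUrl; returns the redirect back to the service, or None."""
        if not self.password_handler(user, password):
            return None
        self._n += 1
        ticket = f"ST-{self._n}-{secrets.token_urlsafe(16)}"
        self._tickets[ticket] = (user, service, time.time() if now is None else now)
        sep = "&" if urlsplit(service).query else "?"
        return f"{service}{sep}ticket={ticket}"

    def validate(self, service, ticket, now=None):
        """The validateUrl call: the ticket must exist, be unused, be fresh and be bound to this service."""
        entry = self._tickets.pop(ticket, None)   # pop: a ticket validates at most once, even if it fails below
        if entry is None:
            return None
        netid, bound_service, issued_at = entry
        now = time.time() if now is None else now
        if bound_service != service or now - issued_at > TICKET_LIFETIME:
            return None
        return netid


class CasFilter:
    """Relying-party side, mirroring the init-params of the CAS Filter in web.xml."""

    def __init__(self, server, login_url, service_url=None, server_name=None):
        self.server, self.login_url = server, login_url
        self.service_url, self.server_name = service_url, server_name

    def _service(self, request):
        """serviceUrl: one fixed return point. serverName: rebuild the requested URL so deep links survive."""
        if self.server_name is None:
            return self.service_url
        query = [(k, v) for k, v in request["query"] if k != "ticket"]
        return f"http://{self.server_name}{request['path']}" + (f"?{urlencode(query)}" if query else "")

    def handle(self, request):
        """Returns ('pass', netid) to continue the chain or ('redirect', url) to send the browser to CAS."""
        session = request["session"]
        if "netid" in session:
            return "pass", session["netid"]
        ticket = dict(request["query"]).get("ticket")
        service = self._service(request)
        if ticket:
            # In the real client this is an HTTPS GET to validateUrl with service and ticket parameters.
            netid = self.server.validate(service, ticket)
            if netid:
                session["netid"] = netid
                return "pass", netid
        return "redirect", f"{self.login_url}?{urlencode({'service': service})}"


def ticket_from(url):
    """Read the ticket parameter the browser carries back (demo helper)."""
    return dict(parse_qsl(urlsplit(url).query)).get("ticket")


def run_login(server, filt, user, password, request):
    """Drive one full round trip: filter -> CAS login -> redirect with ticket -> filter validates."""
    status, value = filt.handle(request)
    if status != "redirect":
        return status, value
    service = dict(parse_qsl(urlsplit(value).query))["service"]
    back = server.login(service, user, password)
    if back is None:
        return "login-failed", None
    parts = urlsplit(back)
    follow_up = {"path": parts.path, "query": parse_qsl(parts.query), "session": request["session"]}
    return filt.handle(follow_up)


if __name__ == "__main__":
    server = CasServer(lambda u, p: u == p)   # the page's default handler: user name == password
    filt = CasFilter(server, "https://localhost:8443/cas-web/login", server_name="localhost:8080")
    req = {"path": "/c/portal/login", "query": [("p_l_id", "42")], "session": {}}
    print(run_login(server, filt, "liferay.com.1", "liferay.com.1", req))
```

Two properties of the validation step are worth checking in any real deployment: the ticket is consumed on first validation, and it only validates for the exact service string it was issued to, which is why the filter must compute the same service URL on the way out (redirect) and on the way back (validation).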
system-ext.properties
Note: this is only needed in Liferay 4.2. Set the com.liferay.filters.sso.cas.CASFilter setting to true. Place the following in system-ext.properties:

#
# The CAS filter will redirect the user to the CAS login page for SSO. See
# http://www.ja-sig.org/products/cas for more information.
#
com.liferay.filters.sso.cas.CASFilter=true
portal-ext.properties
Instructions for Liferay 4.2
Put this in portal-ext.properties:

##
## Auto Login
##

#
# Input a list of comma delimited class names that implement
# com.liferay.portal.security.auth.AutoLogin. These classes will run in
# consecutive order for all unauthenticated users until one of them return a
# valid user id and password combination. If no valid combination is
# returned, then the request continues to process normally. If a valid
# combination is returned, then the portal will automatically login that
# user with the returned user id and password combination.
#
# For example, com.liferay.portal.security.auth.BasicAutoLogin reads from a
# cookie to automatically log in a user who previously logged in while
# checking on the "Remember Me" box.
#
# This interface allows deployers to easily configure the portal to work
# with other SSO servers. See com.liferay.portal.security.auth.CASAutoLogin
# for an example of how to configure the portal with Yale's SSO server.
#
#auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin
auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

Comment the first auto.login.hooks property and uncomment the second to add CASAutoLogin to the list of AutoLogin implementations.
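How the auto.login.hooks chain behaves, as an added Python model (this is not Liferay's code). The two hook names are the class names from the property; their bodies, the request dict layout, the REMEMBER_ME cookie format and the in-memory user table are assumptions made for the illustration.

```python
"""Added example, not Liferay's code: the auto.login.hooks chain described in
the property comment above, modelled as first-match-wins callables.

The two hook names are the class names from the property; their bodies, the
request dict layout, the REMEMBER_ME cookie format and the user table are
assumptions made for the illustration.
"""


def basic_auto_login(request):
    """Stand-in for BasicAutoLogin: a 'Remember Me' cookie of the constructed form userId:password."""
    cookie = request.get("cookies", {}).get("REMEMBER_ME")
    if not cookie or ":" not in cookie:
        return None
    user_id, password = cookie.split(":", 1)
    return user_id, password


def cas_auto_login(request):
    """Stand-in for CASAutoLogin: trust only the netid the CAS Filter stored in the server-side
    session after ticket validation, never a request parameter, then map it to a portal user."""
    netid = request.get("session", {}).get("cas.netid")
    if not netid:
        return None
    return request.get("users_by_screen_name", {}).get(netid)  # (userId, password) or None


REGISTRY = {
    "com.liferay.portal.security.auth.BasicAutoLogin": basic_auto_login,
    "com.liferay.portal.security.auth.CASAutoLogin": cas_auto_login,
}


def hooks_from_property(value):
    """Turn the comma-delimited auto.login.hooks value into the ordered list of hooks."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in REGISTRY]
    if unknown:
        raise ValueError(f"unknown AutoLogin class(es): {unknown}")
    return [REGISTRY[n] for n in names]


def run_auto_login_hooks(hooks, request):
    """Run the hooks in order for an unauthenticated request and stop at the first
    (userId, password) pair; None means the request simply continues anonymously."""
    if request.get("authenticated"):
        return None
    for hook in hooks:
        result = hook(request)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    chain = hooks_from_property(
        "com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin")
    request = {"session": {"cas.netid": "liferay.com.1"},
               "users_by_screen_name": {"liferay.com.1": ("liferay.com.1", "liferay.com.1")}}
    print(run_auto_login_hooks(chain, request))
```

Because the hooks run in the listed order, a valid "Remember Me" cookie wins before the CAS hook is consulted; list CASAutoLogin first if CAS should take precedence.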
Instructions for Liferay 4.3
Read the Installation Guide.

Startup Liferay and Test

Start up the portal and when the homepage loads hit the login link. If all goes well you should be redirected to the CAS server's login screen. Log in to CAS with liferay.com.1 as your username and liferay.com.1 as your password. You should now be logged into the portal.

Next steps
If the above test worked, you already have a CAS server installed and integrated with Liferay. The next steps are more related to properly configuring the CAS server than to Liferay. That's out of the scope of this article, but we'll give a very brief summary.

By integrating the CAS server, Liferay is no longer responsible for authenticating the users; it just trusts that the CAS server authenticates them properly. The CAS server has configurable strategies for authenticating users. So far the default one has been used, which just authenticates the user if the user name and password are the same. That's completely insecure, so other options need to be considered before installing in a production environment. Some reasonable options would be:

- To authenticate with LDAP: The CAS server includes an authentication handler for LDAP. You can read about it in http://www.ja-sig.org/products/cas/server/ldapauthhandler/index.html or http://www.ja-sig.org/wiki/display/CASUM/LDAP. If this option is chosen it is recommended that you also configure Liferay to authenticate against LDAP using the instructions in: LDAP. Then you'll need to provide some way to synchronize the users between LDAP and Liferay's database. Two options are:
  - Set up the automatic importer (see LDAP, available since v4.2)
- To authenticate with the portal's database: It is possible to develop your own CAS authentication handler that uses the information present in Liferay's database. One way of doing this would be using Liferay's services to authenticate the user.
- To authenticate against another user store: in this case you'll also need to write your own CAS authentication handler and also provide Liferay some way to add the user entries in its own database.

Some other steps that you might want to follow are:

- Modify the look and feel of the CAS server pages to match those provided by the portal: http://www.ja-sig.org/products/cas/server/views/index.html
- Clustering: http://www.ja-sig.org/products/cas/server/cluster/index.html
- Set up real certificates

Also, check the references at the end of the article for more information.

Troubleshooting
If you created a cert with the %FILE_NAME%, you'll probably run into problems. Here are 2 commands to delete the tomcat alias from the keystore so you can start fresh:

keytool -delete -alias tomcat -keystore %JAVA_HOME%/jre/lib/security/cacerts
keytool -delete -alias tomcat -file server.cert

You may not be able to get https://localhost:8443/cas up and running after the cert key generation. If so, skip the test and try it after you've finished all the steps. If you can't log in at that point, you've probably generated your cert incorrectly.

I've had problems with certs on IE7; make sure you try it out on Firefox and Opera.

Your certificate must be trusted. If you created a self-signed certificate, you must add it to your truststore. I mistakenly thought I could define the truststore settings on my Tomcat SSL Connector. That didn't work because CAS was redirecting (after logging in) to a non-SSL page. Since the HTTP connector didn't know to trust the self-signed certificate, I got the 'sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' error. My solution was to follow the guidelines in the JSSE Reference Guide and define the truststore in the JAVA_OPTS (-Djavax.net.ssl.trustStore=/path/to/custom/truststore). I created both a custom keystore (needed by the SSL Connector and specified either in the Connector config or the JAVA_OPTS) and a custom truststore.
References

- Lifecast: CAS Setup - Integrate Liferay Portal with a CAS server to access multiple applications with a single sign on.
- A short article regarding CAS, Active Directory and an example: http://www-128.ibm.com/developerworks/web/library/wa-singlesign/

Reposted from: http://www.liferay.com/web/guest/community/wiki/-/wiki/1071674/Single+SignOn+-+Integrating+Liferay+With+CAS+Server