Friday, November 5, 2010

SSO (Single Sign-on) Using CAS

Single Sign-on (SSO) is a method to allow users to access multiple related but independent software systems while only needing to authenticate once. Many different single sign-on systems can be integrated with Liferay, and articles that describe this process are linked to below.

Setting up CAS server 

We will begin by setting up the JA-SIG CAS server on Tomcat 5.x.x.
Download the cas-server WAR from Liferay's download page, or the whole distribution from here, and drop the cas-web.war file into Tomcat's webapps directory. In a production environment the CAS server should really run on its own Tomcat instance, but for testing purposes we'll drop it into the same instance as our Liferay portal.
We'll need to edit Tomcat's server.xml and uncomment the SSL section to open up port 8443:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

Setting up the CAS client

Next we need to download the Yale CAS client from here; get cas-client-2.0.11. Place casclient.jar in ROOT/WEB-INF/lib of the Liferay install.

Generate the SSL cert with Java keytool

Now that we have everything we need, it's time to generate an SSL cert for our CAS server. Instructions and more information on SSL certs can be found here, but I found some typos and errors on that page, so following the instructions below should get you what you need.
In any directory (I use my root) enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Note: be sure to use the keytool that comes with the Java VM (%JAVA_HOME%/jre/bin/keytool); on some systems the keytool on the default path is the GNU version, and the two do not appear to be compatible.
Answer the questions. Note that your "first and last name" MUST be the hostname of your server and cannot be an IP address; this is very important, because an IP address will fail the client's hostname verification even if it is correct:
Enter keystore password:  changeit
What is your first and last name?
[Unknown]:  localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Then enter the command:
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME% 
I use server.cert for %FILE_NAME%. This command exports the cert you generated from your personal keystore (on Windows your personal keystore is C:\Documents and Settings\<username>\.keystore). The Connector above names no keystoreFile, so Tomcat reads this same .keystore (default password changeit) when it starts.
Finally, import the cert into the JRE's trust store (%JAVA_HOME%/jre/lib/security/cacerts) with the command below. The JVM running Liferay checks the CAS server's certificate against this trust store when the CAS client opens its HTTPS connection to the validate URL, so without this step ticket validation fails even though the browser can reach the login page.
keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
Start up the CAS server
Now you are ready to start your CAS server. Start Tomcat and open https://localhost:8443/cas-web/login. You should see the CAS login screen and no errors in your catalina logs.

Setting up Liferay Portal

web.xml 

It's time to move on to configuring Liferay. In the webapps/ROOT/WEB-INF/web.xml file add a new filter and its mapping directly above the first existing Auto Login Filter mapping. This new filter redirects all login attempts to the CAS server; if your hostname is different, modify the init-params accordingly. Note: if you are using Liferay 4.2, this filter is already defined, and all you have to do is modify the URL parameters if your CAS server is at a different location.

<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://localhost:8443/cas-web/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://localhost:8443/cas-web/proxyValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
    <param-value>http://localhost:8080/c/portal/login</param-value>
  </init-param>
</filter>
If you use a ...serviceUrl param like the one above, after logging in with CAS the browser will be redirected back to that fixed serviceUrl. You can instead replace that init-param with the following, and the filter will redirect back to the full URL that was originally requested. This allows a deep link (e.g. to a certain layout, even with parameters for a portlet) to be preserved through the CAS login process:
<init-param>
  <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
  <!-- omit the colon and port number if it doesn't show in the browser URL (i.e. when running on port 80) -->
  <param-value>localhost:8080</param-value>
</init-param>
The filter's mapping, which goes directly above the first existing Auto Login Filter mapping:
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
</filter-mapping>

Then add the following to the rest of the auto login filters:
<filter-mapping>
  <filter-name>Auto Login Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
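To see what the loginUrl, validateUrl, serviceUrl and serverName parameters above actually do at runtime, here is an added example (not code from the original post or from the Yale CAS client) that models the redirect, the ticket validation call and the CAS 2.0 response parsing; the function names, sample ticket and sample responses are constructed for illustration.

```python
# Added example, not from the original post or the Yale CAS client: a small model
# of the exchange the CASFilter takes part in. Names and values are constructed.
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 validation responses


def service_url(server_name, request_uri, query_string="", secure=False):
    """What the serverName init-param implies: scheme + serverName + the URI (and
    query) the browser actually asked for, so a deep link survives the login
    round trip. serviceUrl, by contrast, is one fixed string."""
    url = ("https" if secure else "http") + "://" + server_name + request_uri
    return url + "?" + query_string if query_string else url


def login_redirect(login_url, service):
    """Where an unauthenticated browser is sent: loginUrl plus the service."""
    return login_url + "?" + urlencode({"service": service})


def validate_request(validate_url, service, ticket):
    """The HTTPS call the client makes to validateUrl once CAS hands back a ticket;
    the CAS server's cert must be in the JRE's cacerts for this call to succeed."""
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def same_service(redirect, validate):
    """A ticket is bound to the service CAS saw at login; validating it with a
    different service URL (e.g. serverName missing the port) is rejected."""
    q = [parse_qs(urlsplit(u).query).get("service") for u in (redirect, validate)]
    return q[0] == q[1]


def parse_validation(xml_text):
    """Parse a CAS 2.0 serviceResponse; return (user, None) or (None, code)."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS_NS + "authenticationSuccess")
    if ok is not None:
        return ok.findtext(CAS_NS + "user"), None
    fail = root.find(CAS_NS + "authenticationFailure")
    return None, (fail.get("code") if fail is not None else "MALFORMED")


# Constructed sample responses in the format proxyValidate returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>service mismatch
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

A useful check when a login loops or fails is to compare the service value in the redirect to CAS with the one sent to validateUrl, as same_service does; a mismatch is the usual cause of an INVALID_SERVICE failure.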

1 comment:

Anonymous said...

i need help. please :(
