Central Authentication Service Configuration
Introduction
Central Authentication Service (CAS) is a Web Single Sign-On (WebSSO) system developed by JA-SIG as an open-source project. CAS, like any WebSSO, is very useful in information systems where many applications share a common user repository: once CAS is enabled on all the applications, a user logs in once and only once and is recognized and authenticated in all of them. The CAS documentation explains in detail how to configure any environment; this is mainly the configuration of a web application to authenticate against the CAS server instead of an internal mechanism. This document explains how to configure eXo Platform to delegate authentication to the CAS server and let it ensure single sign-on between all the applications of an IS.

CAS configuration
This article tries to explain how to configure the CAS server and client for eXo. For this example we use two identical Tomcat instances, but one of them additionally hosts the CAS server. This configuration is not very useful in itself, but it is a good example of a CAS configuration. Tomcat 1, deployed on Windows 2003, is the CAS server; Tomcat 2 runs on Ubuntu 7.10.

Configure CAS server

(DNS name: test01-srv.exoua-int)

1.1. Certificates.

E:/Program Files>cd java
E:/Program Files/Java>cd jre1.5.0_11
E:/Program Files/Java/jre1.5.0_11>cd bin
E:/Program Files/Java/jre1.5.0_11/bin>keytool -genkey -alias tomcat -keypass 123456 -keyalg RSA
Enter keystore password: 123456
What is your first and last name?
[Unknown]: test01-srv.exoua-int
What is the name of your organizational unit?
[Unknown]: .
What is the name of your organization?
[Unknown]: .
What is the name of your City or Locality?
[Unknown]: .
What is the name of your State or Province?
[Unknown]: .
What is the two-letter country code for this unit?
[Unknown]: UA
Is CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA correct?
[no]: yes
E:/Program Files/Java/jre1.5.0_11/bin>keytool -export -alias tomcat -keypass 123456 -file server.crt
Enter keystore password: 123456
Certificate stored in file <server.crt>
E:/Program Files/Java/jre1.5.0_11/bin>keytool -storepasswd -keystore ../lib/security/cacerts
Enter keystore password: changeit
New keystore password: 123456
Re-enter new keystore password: 123456
E:/Program Files/Java/jre1.5.0_11/bin>keytool -import -file server.crt -keypass 123456 -keystore ../lib/security/cacerts
Enter keystore password: 123456
Owner: CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA
Issuer: CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA
Serial number: 4810c6c5
Valid from: Fri Apr 24 20:33:36 HST 2008 until: Thu Jul 23 20:33:36 HST 2008
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore
E:/Program Files/Java/jre1.5.0_11/bin>
Edit the server.xml file for Tomcat and add the HTTPS connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="E:/Documents and Settings/admin/.keystore" keystorePass="123456" keyAlias="tomcat"
           truststoreFile="E:/Program Files/Java/jre1.5.0_11/lib/security/cacerts" truststorePass="123456" />
Edit the file portal/WEB-INF/web.xml and change the serverName context parameter:

<context-param>
<param-name>serverName</param-name>
<param-value>http://test01-srv.exoua-int:8080</param-value>
</context-param>

Note: these filters must be added before the SetCurrentIdentityFilter filter; the same applies to the filter-mapping entries.
<filter>
<filter-name>SingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>AuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas/login</param-value>
</init-param>
</filter>
<filter>
<filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>HttpServletRequestWrapperFilter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- eXo -->
<filter>
<filter-name>BaseIdentityInitializerFilterImpl</filter-name>
<filter-class>org.exoplatform.services.security.cas.client.impl.BaseIdentityInitializerFilterImpl</filter-class>
</filter>
<!-- end exo -->
....
<filter-mapping>
<filter-name>SingleSignOutFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>AuthenticationFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpServletRequestWrapperFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- exo -->
<filter-mapping>
<filter-name>BaseIdentityInitializerFilterImpl</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- end exo -->
....
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
....
<!-- exo -->
<servlet>
<servlet-name>LogoutServlet</servlet-name>
<servlet-class>org.exoplatform.services.security.cas.client.impl.LogoutServlet</servlet-class>
<init-param>
<param-name>casServerLogoutUrl</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas/logout</param-value>
</init-param>
<init-param>
<param-name>redirectToUrl</param-name>
<param-value>http://test01-srv.exoua-int:8080/portal/public/classic</param-value>
</init-param>
</servlet>
<!-- end exo -->
.....
<!-- exo -->
<servlet-mapping>
<servlet-name>LogoutServlet</servlet-name>
<url-pattern>/logout/*</url-pattern>
</servlet-mapping>
<!-- end exo -->
....

In the CAS server configuration, replace the default test authentication handler with the eXo handler, which checks the username and password at the remote host:

<!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> -->
<!-- will check username and password at remote host -->
<bean class="org.exoplatform.services.security.cas.server.HTTPAuthenticationHandler"
      p:authenticationURL="https://ubu.exoua-int:8443/portal/login" />
Configure other tomcat instance
Configure the other Tomcat instance, deployed on Ubuntu 7.10 (DNS name: ubu.exoua-int).

2.1. Generate certificates for the CAS client. Proceed as for the previous instance, but change the name to ubu.exoua-int.

2.2. Edit the server.xml file for Tomcat.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/andrew/.keystore" keystorePass="123456" keyAlias="tomcat"
           truststoreFile="/home/andrew/lib/java/jre/lib/security/cacerts" truststorePass="123456" />
2.3. Edit the file portal/WEB-INF/web.xml and add the following entries. Change the context parameter:
<context-param>
<param-name>serverName</param-name>
<param-value>http://ubu.exoua-int:8080</param-value>
</context-param>

The filter configuration must be the same as in the client part on Tomcat 1, but add one more servlet, which checks the username/password.
<filter>
<filter-name>SingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>AuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas/login</param-value>
</init-param>
</filter>
<filter>
<filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>HttpServletRequestWrapperFilter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- exo -->
<filter>
<filter-name>BaseIdentityInitializerFilterImpl</filter-name>
<filter-class>org.exoplatform.services.security.cas.client.impl.BaseIdentityInitializerFilterImpl</filter-class>
</filter>
<!-- end exo -->
....
<filter-mapping>
<filter-name>SingleSignOutFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>AuthenticationFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpServletRequestWrapperFilter</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- exo -->
<filter-mapping>
<filter-name>BaseIdentityInitializerFilterImpl</filter-name>
<url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- end exo -->
....
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
....
<!-- exo -->
<servlet>
<servlet-name>BaseHTTPUsernamePasswordValidator</servlet-name>
<servlet-class>org.exoplatform.services.security.cas.client.impl.BaseHTTPUsernamePasswordValidatorImpl</servlet-class>
</servlet>
<servlet>
<servlet-name>LogoutServlet</servlet-name>
<servlet-class>org.exoplatform.services.security.cas.client.impl.LogoutServlet</servlet-class>
<init-param>
<param-name>casServerLogoutUrl</param-name>
<param-value>https://test01-srv.exoua-int:8443/cas/logout</param-value>
</init-param>
<init-param>
<param-name>redirectToUrl</param-name>
<param-value>http://ubu.exoua-int:8080/portal/public/classic</param-value>
</init-param>
</servlet>
<!-- end exo -->
.....
<!-- exo -->
<servlet-mapping>
<servlet-name>BaseHTTPUsernamePasswordValidator</servlet-name>
<url-pattern>/login/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>LogoutServlet</servlet-name>
<url-pattern>/logout/*</url-pattern>
</servlet-mapping>
<!-- end exo -->
<!-- do not use the default authentication -->
<!--
<security-constraint>
<web-resource-collection>
<web-resource-name>user authentication</web-resource-name>
<url-pattern>/private/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>exo-domain</realm-name>
<form-login-config>
<form-login-page>/login/jsp/login.jsp</form-login-page>
<form-error-page>/login/jsp/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>a simple user role</description>
<role-name>users</role-name>
</security-role>
<security-role>
<description>the admin role</description>
<role-name>admin</role-name>
</security-role>
-->
<!-- end web.xml file-->
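As an added check (not part of the original article or of eXo's code), the following Python script verifies a web.xml against the rules given above for both Tomcat instances: all CAS filters are present and declared in the documented order, in both the <filter> and the <filter-mapping> sections; the whole chain comes before SetCurrentIdentityFilter; every CAS mapping protects the same url-pattern; and the CAS server URLs use https. The make_web_xml helper only builds constructed sample files (the x.* filter classes are placeholders); check_cas_chain also works on a real web.xml, whose default xmlns is stripped before matching.

```python
import xml.etree.ElementTree as ET

# CAS client filters in the order the article declares and maps them.
CAS_CHAIN = ["SingleSignOutFilter", "AuthenticationFilter",
             "Cas20ProxyReceivingTicketValidationFilter",
             "HttpServletRequestWrapperFilter", "BaseIdentityInitializerFilterImpl"]
IDENTITY_FILTER = "SetCurrentIdentityFilter"  # eXo filter the whole chain must precede
CAS_URL_PARAMS = ("casServerLoginUrl", "casServerUrlPrefix")

def check_cas_chain(web_xml):
    """Return the list of problems found in a web.xml string ([] means the chain is fine)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():            # drop a default xmlns so plain tag names match
        el.tag = el.tag.split("}")[-1]
    problems = []
    for tag in ("filter", "filter-mapping"):
        names = [e.findtext("filter-name") for e in root.iter(tag)]
        found = [(i, n) for i, n in enumerate(names) if n in CAS_CHAIN]
        problems += [f"<{tag}>: {n} missing" for n in CAS_CHAIN if n not in names]
        # the declared order must follow the documented chain order
        if [n for _, n in found] != [n for n in CAS_CHAIN if n in names]:
            problems.append(f"<{tag}>: CAS filters out of documented order")
        # the whole CAS chain must come before SetCurrentIdentityFilter
        if found and IDENTITY_FILTER in names and found[-1][0] > names.index(IDENTITY_FILTER):
            problems.append(f"<{tag}>: CAS filters must precede {IDENTITY_FILTER}")
    # every CAS filter must protect the same url-pattern, and CAS URLs must be https
    patterns = {m.findtext("url-pattern") for m in root.iter("filter-mapping")
                if m.findtext("filter-name") in CAS_CHAIN}
    if len(patterns) > 1:
        problems.append(f"CAS filter-mappings disagree on url-pattern: {sorted(patterns)}")
    for p in root.iter("init-param"):
        value = p.findtext("param-value") or ""
        if p.findtext("param-name") in CAS_URL_PARAMS and not value.startswith("https://"):
            problems.append(f"{p.findtext('param-name')} is not https")
    return problems

def make_web_xml(order, login_url="https://test01-srv.exoua-int:8443/cas/login"):
    """Build a constructed minimal web.xml that declares and maps filters in `order`."""
    login = (f"<init-param><param-name>casServerLoginUrl</param-name>"
             f"<param-value>{login_url}</param-value></init-param>")
    filters = "".join(f"<filter><filter-name>{n}</filter-name><filter-class>x.{n}</filter-class>"
                      f"{login if n == 'AuthenticationFilter' else ''}</filter>" for n in order)
    mappings = "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                       f"<url-pattern>/private/*</url-pattern></filter-mapping>" for n in order)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/j2ee">{filters}{mappings}</web-app>'

if __name__ == "__main__":
    print(check_cas_chain(make_web_xml(CAS_CHAIN + [IDENTITY_FILTER])))   # []
    print(check_cas_chain(make_web_xml([IDENTITY_FILTER] + CAS_CHAIN)))   # precedence problems
```

To check a deployed portal, pass the contents of portal/WEB-INF/web.xml to check_cas_chain; an empty list means the chain matches the configuration above.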
2.4. Download and build the code from http://svn.exoplatform.org/svnroot/exoplatform/projects/ws/trunk/security/cas/client

2.5. Download cas-client-core-3.1.1.jar and put it in the CATALINA_HOME/lib directory.

2.6. Now get the trusted certificate of the CAS server instance. To do this, download and compile this file: http://blogs.sun.com/andreas/resource/InstallCert.java and then run it:
java InstallCert test01-srv.exoua-int:8443 123456

Change 123456 to the actual password of the keystore. You may see some exceptions, but finally you must see information about the certificates and a prompt asking whether to add them to the store. Before accepting, compare the fingerprint shown with the one printed when the certificate was imported on the CAS server (SHA1 A1:16:80:68:... above). Select the certificate, usually by typing 1 and pressing Enter. Finished!