Central Authentication Service Configuration

Introduction

Central Authentication Service (CAS) is a Web Single Sign-On (WebSSO) system developed by JA-SIG as an open-source project. CAS, like any WebSSO, is very interesting in information systems where many applications share a common user repository. When CAS is enabled on all the applications, a user logs in once and only once and is recognized and authenticated in all of them.

The CAS documentation explains in detail how to configure any environment; this is mainly a matter of configuring a Web application to authenticate against the CAS server instead of through an internal mechanism. This document explains how to configure eXo Platform to delegate authentication to the CAS server and let it provide single sign-on between all the applications of an information system.

CAS configuration

This article explains how to configure a CAS server and CAS clients for eXo. For this example we will use two identical Tomcat instances, each running the portal; one of them additionally hosts the CAS server.

This configuration is not very useful in itself, but it is a good example of how to configure CAS.

Tomcat 1 is deployed on Windows 2003 and also hosts the CAS server; Tomcat 2 is deployed on Ubuntu 7.10.

Configure CAS server

(DNS name: test01-srv.exoua-int)

1.1. Certificates. Generate a key pair for the CAS server's HTTPS connector. Answer the "first and last name" prompt with the DNS name that clients will use (test01-srv.exoua-int): that value becomes the certificate's CN, and hostname verification on the client side fails if it does not match. keytool's default validity is 90 days (compare the "Valid from ... until" dates printed further below); pass -validity <days> for a longer-lived certificate. The password 123456 used throughout is for this test setup only.

E:/Program Files>cd java
E:/Program Files/Java>cd jre1.5.0_11
E:/Program Files/Java/jre1.5.0_11>cd bin
E:/Program Files/Java/jre1.5.0_11/bin>keytool -genkey -alias tomcat -keypass 123456 -keyalg RSA
Enter keystore password:  123456
What is your first and last name?
  [Unknown]:  test01-srv.exoua-int
What is the name of your organizational unit?
  [Unknown]:  .
What is the name of your organization?
  [Unknown]:  .
What is the name of your City or Locality?
  [Unknown]:  .
What is the name of your State or Province?
  [Unknown]:  .
What is the two-letter country code for this unit?
  [Unknown]:  UA
Is CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA correct?
  [no]:  yes

E:/Program Files/Java/jre1.5.0_11/bin>keytool -export -alias tomcat -keypass 123456 -file server.crt
Enter keystore password: 123456
Certificate stored in file <server.crt>

This step is optional: it only changes the password of the JRE trust store %JRE_HOME%/lib/security/cacerts from the default changeit to 123456, so that the keystore and the trust store share one password. Note that cacerts is shared by every Java application running on that JRE and is replaced when the JRE is upgraded.

E:/Program Files/Java/jre1.5.0_11/bin>keytool -storepasswd -keystore ../lib/security/cacerts
Enter keystore password: changeit
New keystore password: 123456
Re-enter new keystore password: 123456

Continue with the certificates. The portal on this host is also a CAS client and will call https://test01-srv.exoua-int:8443/cas over HTTPS to validate tickets, so the JVM must trust the self-signed certificate it has just generated; import it into the trust store:

E:/Program Files/Java/jre1.5.0_11/bin>keytool -import -file server.crt -keypass 123456 -keystore ../lib/security/cacerts
Enter keystore password: 123456
Owner: CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA
Issuer: CN=test01-srv.exoua-int, OU=., O=., L=., ST=., C=UA
Serial number: 4810c6c5
Valid from: Fri Apr 24 20:33:36 HST 2008 until: Thu Jul 23 20:33:36 HST 2008
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore

E:/Program Files/Java/jre1.5.0_11/bin>

1.2. Now edit the server.xml file of Tomcat (we use Tomcat 6.0.13 everywhere). Uncomment the SSL connector configuration and edit it; it must look like this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:/Documents and Settings/admin/.keystore"
keystorePass="123456"
keyAlias="tomcat"
truststoreFile="E:/Program Files/Java/jre1.5.0_11/lib/security/cacerts"
truststorePass="123456" />

1.3. Now configure the client part of CAS; as an example we will protect portal/private/*. Edit the file /portal/WEB-INF/web.xml. The serverName context parameter is the scheme, host and port under which browsers reach this portal; the CAS client filters use it to build the service URL that is sent to the CAS server at login and again at ticket validation, so the two must match exactly.

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://test01-srv.exoua-int:8080</param-value>
</context-param>

Configure the client; in this example we protect the /portal/private/* resource.
Note: these filters must be added before the filter "SetCurrentIdentityFilter", and the same holds for their filter-mappings, so that the CAS client has authenticated the request before eXo initializes the current identity. Keep the order shown: the ticket validation filter must run before HttpServletRequestWrapperFilter, which exposes the validated user through getRemoteUser().

<filter>
  <filter-name>SingleSignOutFilter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas/login</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>HttpServletRequestWrapperFilter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- eXo -->
<filter>
  <filter-name>BaseIdentityInitializerFilterImpl</filter-name>
  <filter-class>org.exoplatform.services.security.cas.client.impl.BaseIdentityInitializerFilterImpl</filter-class>
</filter>
<!-- end exo -->
....
<filter-mapping>
  <filter-name>SingleSignOutFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>AuthenticationFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>HttpServletRequestWrapperFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- exo -->
<filter-mapping>
  <filter-name>BaseIdentityInitializerFilterImpl</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- end exo -->
....
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
....
<!-- exo -->
<servlet>
  <servlet-name>LogoutServlet</servlet-name>
  <servlet-class>org.exoplatform.services.security.cas.client.impl.LogoutServlet</servlet-class>
  <init-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas/logout</param-value>
  </init-param>
  <init-param>
    <param-name>redirectToUrl</param-name>
    <param-value>http://test01-srv.exoua-int:8080/portal/public/classic</param-value>
  </init-param>
</servlet>
<!-- end exo -->
.....
<!-- exo -->
<servlet-mapping>
  <servlet-name>LogoutServlet</servlet-name>
  <url-pattern>/logout/*</url-pattern>
</servlet-mapping>
<!-- end exo -->
....

1.4. Download and build code from http://svn.exoplatform.org/svnroot/exoplatform/projects/ws/trunk/security/cas/client

1.5. Download cas-client-core-3.1.1.jar and put it in the %CATALINA_HOME%/lib directory.

1.6. Download the CAS server source code and build it, or download the binary. Put cas.war in the webapps directory and change the configuration in the file /cas/WEB-INF/deployerConfigContext.xml: comment out the test authentication handler and add the new one. Do not leave SimpleTestUsernamePasswordAuthenticationHandler enabled anywhere but a test setup: it accepts any user whose password equals the user name.

<!--
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->
<!-- will check username and password at remote host -->
<bean class="org.exoplatform.services.security.cas.server.HTTPAuthenticationHandler"
p:authenticationURL="https://ubu.exoua-int:8443/portal/login" />

1.7. Download and build the code that performs the remote authentication, from http://svn.exoplatform.org/svnroot/exoplatform/projects/ws/trunk/security/cas/server, and put it in the cas/WEB-INF/lib directory. This is the CAS server-side handler that calls the remote eXo authentication service over HTTPS. In this setup the username/password is validated at ubu.exoua-int, while the authentication server (CAS) runs at test01-srv.exoua-int. Because the handler forwards the submitted credentials to https://ubu.exoua-int:8443/portal/login, the JVM running the CAS server must trust the certificate presented by ubu.exoua-int (just as step 2.6 makes the client JVM trust the CAS server); otherwise the SSL handshake fails and every login is rejected.
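The filters and listener declared in the web.xml of step 1.3 implement three exchanges of the CAS 2.0 protocol: AuthenticationFilter redirects an unauthenticated browser to casServerLoginUrl with a service parameter built from serverName; Cas20ProxyReceivingTicketValidationFilter fetches casServerUrlPrefix/serviceValidate over HTTPS and parses the XML answer; SingleSignOutFilter maps each validated ticket to the HTTP session so that the logoutRequest the CAS server later POSTs can invalidate it. The following Python script is an example added to this page to make those exchanges visible; it is not eXo or JA-SIG code and does not talk to a server: the URLs are the ones from the web.xml above, and the CAS responses (a successful validation, an INVALID_TICKET failure and a single sign-out request) are constructed inline. The same model applies to the second portal on ubu.exoua-int with its own serverName.

```python
"""Model of the exchanges the CAS client filters in web.xml perform.

Added example for this page; it is not eXo or JA-SIG code.  The URLs and
parameter names come from the web.xml above (client on test01-srv); the
CAS server responses are constructed here so the example runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Values from the web.xml above.
SERVER_NAME = "http://test01-srv.exoua-int:8080"                # serverName
CAS_LOGIN_URL = "https://test01-srv.exoua-int:8443/cas/login"   # casServerLoginUrl
CAS_URL_PREFIX = "https://test01-srv.exoua-int:8443/cas"        # casServerUrlPrefix


def service_url(request_uri, query=""):
    """serverName + request URI, with any 'ticket' parameter removed.

    The same value must be sent to /cas/login and later to /cas/serviceValidate,
    otherwise the server answers INVALID_SERVICE."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "ticket"]
    return SERVER_NAME + request_uri + ("?" + urlencode(kept) if kept else "")


def login_redirect(request_uri, query=""):
    """Location header AuthenticationFilter sends when there is no session or ticket."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": service_url(request_uri, query)})


def validate_url(ticket, request_uri, query=""):
    """URL Cas20ProxyReceivingTicketValidationFilter fetches over HTTPS."""
    return CAS_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"ticket": ticket, "service": service_url(request_uri, query)})


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response; return the user or raise ValueError."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        if user is None or not (user.text or "").strip():
            raise ValueError("CAS validation failed: success without cas:user")
        return user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    raise ValueError("CAS validation failed: " + code)


class SingleSignOutRegistry:
    """Ticket -> session map kept by SingleSignOutFilter and its session listener."""

    def __init__(self):
        self._by_ticket = {}

    def record(self, ticket, session_id):
        """Called when a request arrives with a freshly issued ticket."""
        self._by_ticket[ticket] = session_id

    def session_destroyed(self, session_id):
        """SingleSignOutHttpSessionListener: drop mappings for an expired session."""
        self._by_ticket = {t: s for t, s in self._by_ticket.items() if s != session_id}

    def handle_logout_request(self, saml_text):
        """CAS POSTs logoutRequest=<samlp:LogoutRequest>; return the session to
        invalidate, or None if the ticket is unknown (already logged out)."""
        root = ET.fromstring(saml_text)
        index = root.find("{%s}SessionIndex" % SAMLP)
        if index is None or not (index.text or "").strip():
            return None
        return self._by_ticket.pop(index.text.strip(), None)


# Constructed stand-ins for the CAS server's messages.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>root</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
  ID='_id1' Version='2.0' IssueInstant='2008-04-25T10:00:00Z'>
  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    """Walk one user through login, validation and single sign-out."""
    registry = SingleSignOutRegistry()
    uri, query = "/portal/private/classic", "ticket=ST-1-abc"
    user = parse_service_response(SUCCESS_XML)
    registry.record("ST-1-abc", "JSESSIONID-1")
    return {
        "redirect": login_redirect(uri),
        "validate": validate_url("ST-1-abc", uri, query),
        "user": user,
        "logged_out_session": registry.handle_logout_request(LOGOUT_REQUEST_XML),
        "replayed_logout": registry.handle_logout_request(LOGOUT_REQUEST_XML),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Two details matter for security: the service value is normalized by stripping the ticket parameter before it is re-sent to serviceValidate, because the server compares it with the value seen at login and rejects a mismatch (INVALID_SERVICE); and a replayed logoutRequest for a ticket that is no longer mapped is ignored rather than treated as an error, so a stale or duplicated request cannot disturb other sessions.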

Configure other tomcat instance

Configure the other Tomcat instance, deployed on Ubuntu 7.10 (DNS name: ubu.exoua-int).

2.1. Generate certificates for the CAS client, the same way as in step 1.1, but use ubu.exoua-int as the name.

2.2. Edit the server.xml file of Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/andrew/.keystore"
keystorePass="123456"
keyAlias="tomcat"
truststoreFile="/home/andrew/lib/java/jre/lib/security/cacerts"
truststorePass="123456" />

2.3. Edit the file portal/WEB-INF/web.xml and add the following. Change the context parameter to this host's name:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://ubu.exoua-int:8080</param-value>
</context-param>

The filter configuration must be the same as in the client part on Tomcat 1. In addition, add one servlet that checks username/password on behalf of the CAS server (this is the URL configured for the HTTPAuthenticationHandler in step 1.6):

<filter>
  <filter-name>SingleSignOutFilter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas/login</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>HttpServletRequestWrapperFilter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- exo -->
<filter>
  <filter-name>BaseIdentityInitializerFilterImpl</filter-name>
  <filter-class>org.exoplatform.services.security.cas.client.impl.BaseIdentityInitializerFilterImpl</filter-class>
</filter>
<!-- end exo -->
....
<filter-mapping>
  <filter-name>SingleSignOutFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>AuthenticationFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Cas20ProxyReceivingTicketValidationFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>HttpServletRequestWrapperFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- exo -->
<filter-mapping>
  <filter-name>BaseIdentityInitializerFilterImpl</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
<!-- end exo -->
....
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
....
<!-- exo -->
<servlet>
  <servlet-name>BaseHTTPUsernamePasswordValidator</servlet-name>
  <servlet-class>org.exoplatform.services.security.cas.client.impl.BaseHTTPUsernamePasswordValidatorImpl</servlet-class>
</servlet>
<servlet>
  <servlet-name>LogoutServlet</servlet-name>
  <servlet-class>org.exoplatform.services.security.cas.client.impl.LogoutServlet</servlet-class>
  <init-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://test01-srv.exoua-int:8443/cas/logout</param-value>
  </init-param>
  <init-param>
    <param-name>redirectToUrl</param-name>
    <param-value>http://ubu.exoua-int:8080/portal/public/classic</param-value>
  </init-param>
</servlet>
<!-- end exo -->
.....
<!-- exo -->
<servlet-mapping>
  <servlet-name>BaseHTTPUsernamePasswordValidator</servlet-name>
  <url-pattern>/login/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>LogoutServlet</servlet-name>
  <url-pattern>/logout/*</url-pattern>
</servlet-mapping>
<!-- end exo -->
<!-- do not use the default form-based authentication -->
<!--
<security-constraint>
    <web-resource-collection>
      <web-resource-name>user authentication</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>exo-domain</realm-name>
    <form-login-config>
      <form-login-page>/login/jsp/login.jsp</form-login-page>
      <form-error-page>/login/jsp/login.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>a simple user role</description>
    <role-name>users</role-name>
  </security-role>

  <security-role>
    <description>the admin role</description>
    <role-name>admin</role-name>
  </security-role>
-->
<!-- end web.xml file-->
....

2.4. Download and build code from http://svn.exoplatform.org/svnroot/exoplatform/projects/ws/trunk/security/cas/client

2.5. Download cas-client-core-3.1.1.jar and put it in the %CATALINA_HOME%/lib directory.

2.6. Now make this JVM trust the CAS server's certificate. To do this, download and compile http://blogs.sun.com/andreas/resource/InstallCert.java, then run it:

java InstallCert test01-srv.exoua-int:8443 123456

Replace 123456 with the actual trust store password. The tool deliberately triggers an SSL handshake failure and prints the exception, then lists the certificates offered by the server and asks which one to add; select the server certificate (usually type 1) and press Enter. InstallCert writes the updated store to a file named jssecacerts in the current directory; copy it over the trust store that the Tomcat connector points to (truststoreFile above), or equivalently copy server.crt from test01-srv.exoua-int and import it with keytool -import as in step 1.1. Verify with keytool -list -keystore <truststore> that the new entry is present before starting Tomcat.

Finish!!!

Usage

Run both servers and try to open one of the protected URLs, for example http://test01-srv.exoua-int:8080/portal/private/classic. Accept the self-signed certificates in the browser and log in on the CAS login page with username/password root/exo. You should reach the private area of the portal as root. Then open the other protected resource on server 'ubu.exoua-int', http://ubu.exoua-int:8080/portal/private/classic: you should get the private area of the other portal without logging in again. If so, SSO for login works.

Now try to log out on 'ubu.exoua-int' by opening the LogoutServlet URL (mapped to /logout/* above). To do it directly from the portal UI, one groovy script must be modified, but that is not described here.

After logging out from 'ubu.exoua-int', you should be asked to log in again at 'test01-srv.exoua-int'. SSO for logout works as well.

That is all!

If it works as described above, the configuration is right and SSO works.

Creator: Andrey Parfonov on 04/25/2008
Copyright (c) 2000-2009. Allright reserved - eXo platform SAS