6-3-597/A/1/A,
Venkatramana Colony, Khairatabad,
Hyderabad - 500004.
Date: 25th August 2010
Document Type: CAS Documentation
Author: Ravi Kumar Dhara & Chandrasekhar
Version
1.0
Modified By
Chandrasekhar and Ravi Kumar
Modified Date
25-08-2010
Comments
---
Contents
Answer the questions at the command prompt. Note that the value you give for "first and last name" (the certificate's CN) MUST be the hostname of your server and cannot be an IP address; this is very important, because an IP address will fail client hostname verification even if it is correct. The password shown below, "changeit", is the well-known JDK default — use a different keystore password on anything other than a local development box.
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
Finally import the certificate into Java's trust store with this command. Tomcat (and therefore the Liferay CAS client) uses the cacerts keystore of your JRE (%JAVA_HOME%/jre/lib/security/cacerts), so the certificate becomes trusted by every application running on that JRE. The keystore password is supplied with -storepass (-keypass applies only to private-key entries):
keytool -import -alias tomcat -file %FILE_NAME% -storepass changeit -keystore "C:/Program Files/Java/jdk1.6/jre/lib/security/cacerts"
OR
keytool -importkeystore -srcalias tomcat -srckeystore <location file> -srckeypass changeit -destkeystore %JAVA_HOME%/jre/lib/security/cacerts
(Note: -importkeystore copies the whole key entry, private key included, into the JRE trust store. To trust the CAS server you only need its public certificate, which is what the -import form above does; prefer that unless you really intend cacerts to hold the private key.)
Creating the certificate:
portal-ext.properties
Put this in portal-ext.properties.
Step 10: add the necessary jar files to the lib folder of the CAS server. Liferay needs cas-client-core-3.1.6.jar on the portal classpath for Single Sign Out. Download the CAS client from the following location (the link is plain http, so verify the downloaded jar against a checksum or signature published by the project before deploying it):
(http://www.ja-sig.org/downloads/cas-clients/).
CASAutoLogin (excerpt — the method around the try/catch below is cut off in this listing). Two things to watch in it: the CAS-supplied screen name is substituted into the LDAP search filter with a plain string replace and no LDAP filter escaping (RFC 4515), so a principal name containing `*`, `(`, `)` or `\` can alter the query — escape it before substitution; and the resulting filter is printed to stdout with System.out.println regardless of log level, where the guarded _log.debug call alone should remain:
package com.liferay.portal.security.auth;
import java.util.List;
import javax.naming.Binding;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.liferay.portal.NoSuchUserException;
import com.liferay.portal.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.StringPool;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.Group;
import com.liferay.portal.model.LayoutSet;
import com.liferay.portal.model.Organization;
import com.liferay.portal.model.User;
import com.liferay.portal.security.ldap.PortalLDAPUtil;
import com.liferay.portal.service.GroupLocalServiceUtil;
import com.liferay.portal.service.LayoutSetLocalServiceUtil;
import com.liferay.portal.service.OrganizationLocalServiceUtil;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PrefsPropsUtil;
import com.liferay.portal.util.PropsKeys;
import com.liferay.portal.util.PropsUtil;
import com.liferay.portal.util.PropsValues;
import edu.yale.its.tp.cas.client.filter.CASFilter;
// Resolves the CAS principal (screenName) to a portal user by searching the
// company's LDAP directory for it and importing the matching entry.
// NOTE(review): this try/catch sits inside a method whose signature is outside
// this excerpt; companyId, screenName and _log come from that enclosing scope.
try
{
String baseDN = PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_BASE_DN);
// NOTE(review): ctx is never closed within this excerpt — if the enclosing
// method does not close it either, the LDAP connection leaks on every login.
LdapContext ctx = PortalLDAPUtil.getContext(companyId);
if (ctx == null)
{
throw new SystemException("Failed to bind to the LDAP server");
}
String filter = PrefsPropsUtil.getString(companyId, PropsKeys.LDAP_AUTH_SEARCH_FILTER);
if (_log.isDebugEnabled())
{
_log.debug("Search filter before transformation " + filter);
}
// NOTE(review): screenName (the name CAS asserted) is spliced into the LDAP
// filter by plain string replacement with no RFC 4515 escaping. A principal
// containing '*', '(', ')', '\' or NUL changes the meaning of the query —
// escape those characters before substitution. @email_address@ is replaced by
// the empty string, so only the screen name drives this lookup.
filter = StringUtil.replace(filter,new String[] {"@company_id@", "@email_address@",
"@screen_name@"},
new String[] {String.valueOf(companyId), StringPool.BLANK, screenName});
// NOTE(review): unconditional stdout print of the live search filter, which
// embeds the user-supplied name; the guarded _log.debug just below already
// covers this — the println should go.
if(filter != null)
System.out.println("Filter :" + filter);
if (_log.isDebugEnabled())
{
_log.debug("Search filter after transformation " + filter);
}
// Subtree search returning at most one entry, no time limit, all attributes
// (null), objects not returned, links not dereferenced.
SearchControls cons = new SearchControls(SearchControls.SUBTREE_SCOPE, 1, 0, null, false,
false);
NamingEnumeration<SearchResult> enu = ctx.search(baseDN, filter, cons);
if (enu.hasMoreElements())
{
if (_log.isDebugEnabled())
{
_log.debug("Search filter returned at least one result");
}
// Only the first match is used: fetch its attributes by full DN and hand
// them to the portal's LDAP import (presumably creates or updates the
// portal user — project helper, confirm).
Binding binding = enu.nextElement();
Attributes attrs = PortalLDAPUtil.getUserAttributes(companyId,
ctx,PortalLDAPUtil.getNameInNamespace(companyId, binding));
return PortalLDAPUtil.importLDAPUser(companyId, ctx, attrs, StringPool.BLANK, true);
}
else
{
throw new NoSuchUserException("User " + screenName + " was not found in the LDAP
server");
}
}
catch (Exception e)
{
// NOTE(review): this also catches the NoSuchUserException thrown above, so a
// missing user surfaces as a generic SystemException. The cause is dropped
// from the rethrown exception — only its message survives; the stack trace is
// available solely through _log.error.
_log.error("Problem accessing LDAP server ", e);
throw new SystemException("Problem accessign LDAP server " + e.getMessage());
}
CASFilter (excerpt — the listing is cut at page breaks: in getCASFilter the `if (...)` line that opens the branch ending at the SERVICE_INIT_PARAM call is missing, and the `_casFilters` declaration is truncated. Note also that getCASFilter calls init(config) on the cached per-company filter instance on every request, so the service URL passed in is shared by all concurrent requests for that company):
package com.liferay.portal.servlet.filters.sso.cas;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.BaseFilter;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PrefsPropsUtil;
import com.liferay.portal.util.PropsKeys;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.servlet.filters.DynamicFilterConfig;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class CASFilter extends BaseFilter
{
/**
 * Drops the cached CAS client filter for the given company so that the next
 * request rebuilds it from the current preferences (see getCASFilter).
 *
 * @param companyId the company whose cached filter is discarded
 */
public static void reload(long companyId)
{
// Removing the entry is enough: getCASFilter() creates a new instance on a cache miss.
_casFilters.remove(Long.valueOf(companyId));
}
protected Filter getCASFilter(long companyId,String serviceUrl) throws Exception
{
edu.yale.its.tp.cas.client.filter.CASFilter casFilter = _casFilters.get(companyId);
if (casFilter == null)
{
casFilter = new edu.yale.its.tp.cas.client.filter.CASFilter();
}
DynamicFilterConfig config = new DynamicFilterConfig(_filterName, _servletContext);
String serverName = PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_SERVER_NAME,PropsValues.CAS_SERVER_NAME);
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.SERVICE_INIT_PARAM,serviceUrl);
}
else
{
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.SERVERNAME_INIT_PARAM,serverName
);
}
config.addInitParameter(edu.yale.its.tp.cas.client.filter.CASFilter.VALIDATE_INIT_PARAM,
PrefsPropsUtil.getString(companyId,
PropsKeys.CAS_VALIDATE_URL,PropsValues.CAS_VALIDATE_URL));
casFilter.init(config);
_casFilters.put(companyId, casFilter);
return casFilter;
}
/**
 * Supplies this filter's logger to BaseFilter.
 *
 * @return the static CASFilter logger
 */
protected Log getLog()
{
final Log logger = CASFilter._log;
return logger;
}
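/**
 * Entry point of the Liferay CAS filter.
 *
 * When CAS authentication is enabled for the request's company, a request whose
 * path info contains "/portal/logout" ends the portal session and is redirected
 * to the CAS logout page; every other request is handed to the per-company Yale
 * CAS client filter (see getCASFilter), configured with the current request URL
 * as the CAS "service". When CAS is disabled the request goes through the
 * BaseFilter default processing instead.
 *
 * All failures are logged and swallowed, as in the original: a failing request
 * produces no response body rather than an error page.
 *
 * @param request     the incoming portal request
 * @param response    the response the redirect or CAS challenge is written to
 * @param filterChain the rest of the filter chain
 */
protected void processFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
{
try
{
long companyId = PortalUtil.getCompanyId(request);

if (!PrefsPropsUtil.getBoolean(companyId, PropsKeys.CAS_AUTH_ENABLED, PropsValues.CAS_AUTH_ENABLED))
{
// CAS is switched off for this company: plain BaseFilter behaviour.
processFilter(CASFilter.class, request, response, filterChain);
return;
}

// getPathInfo() is null for a request with no extra path. The original code
// dereferenced it unconditionally; the NullPointerException was swallowed by
// the outer catch and the request was silently dropped.
String pathInfo = request.getPathInfo();
if (pathInfo != null && pathInfo.indexOf("/portal/logout") != -1)
{
// Substring match, as in the original: any path containing "/portal/logout" logs out.
redirectToCasLogout(companyId, request, response);
}
else
{
// NOTE(review): getCASFilter re-initialises the cached per-company filter
// instance with this request's service URL on every call, so concurrent
// requests for the same company share that instance — confirm the CAS
// client tolerates the service being swapped underneath it.
Filter casFilter = getCASFilter(companyId, resolveServiceUrl(companyId, request));
casFilter.doFilter(request, response, filterChain);
}
}
catch (Exception e)
{
_log.error(e, e);
}
}

/**
 * Picks the CAS service URL for this request: the request's own URL when it
 * parses as a URI (so the CAS login returns to the page that was asked for),
 * otherwise the configured CAS_SERVICE_URL.
 *
 * NOTE(review): request.getRequestURL() is built from the client-supplied Host
 * header. Behind a proxy, make sure the container only accepts the expected
 * host names, otherwise the "service" handed to CAS can be pointed at a host
 * of the caller's choosing.
 *
 * @param companyId the company whose CAS settings apply
 * @param request   the incoming request
 * @return the service URL to configure the CAS client filter with
 */
private String resolveServiceUrl(long companyId, HttpServletRequest request)
{
String serviceUrl = PrefsPropsUtil.getString(companyId, PropsKeys.CAS_SERVICE_URL, PropsValues.CAS_SERVICE_URL);
try
{
URI requestUri = new URI(request.getRequestURL().toString());
if (_log.isDebugEnabled())
{
_log.debug("requestURI: " + requestUri);
}
serviceUrl = requestUri.toString();
}
catch (URISyntaxException e)
{
// Fall back to the configured service URL; the original printed this to stdout.
_log.error("Request URL is not a valid URI, using configured CAS service URL", e);
}
return serviceUrl;
}

/**
 * Invalidates the portal session and redirects to the configured CAS logout
 * URL, passing the absolute URL of the portal's "/portal/caslogout" action as
 * the "service" parameter so CAS can send the browser back afterwards.
 *
 * @param companyId the company whose CAS logout URL is used
 * @param request   the logout request
 * @param response  the response the redirect is written to
 * @throws java.io.IOException if the redirect cannot be sent
 */
private void redirectToCasLogout(long companyId, HttpServletRequest request, HttpServletResponse response) throws java.io.IOException
{
// Only an existing session is invalidated; getSession() would create one just to destroy it.
HttpSession session = request.getSession(false);
if (session != null)
{
session.invalidate();
}

String logoutUrl = PrefsPropsUtil.getString(companyId, PropsKeys.CAS_LOGOUT_URL, PropsValues.CAS_LOGOUT_URL);

// Resolve the return target against the request URL so scheme, host and port
// match what the browser used.
String returnUrl = request.getContextPath() + request.getServletPath() + "/portal/caslogout";
try
{
URI requestUri = new URI(request.getRequestURL().toString());
returnUrl = requestUri.resolve(returnUrl).toString();
}
catch (URISyntaxException e)
{
// Keep the relative path; the original printed this to stdout and carried on.
_log.error("Request URL is not a valid URI, using relative CAS logout return URL", e);
}

// Encode the whole return URL so it survives as a single "service" query parameter.
String service = URLEncoder.encode(response.encodeURL(returnUrl), "UTF-8");
response.sendRedirect(logoutUrl + "?service=" + service);
}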
private static Log _log = LogFactoryUtil.getLog(CASFilter.class);
private static Map<Long, edu.yale.its.tp.cas.client.filter.CASFilter>
Step 13: add the following action mapping (location: D:\cygwin\java\workspace\portal\portal-web\docroot\WEB-INF). Its path must stay "/portal/caslogout": that is the URL the CASFilter above passes to CAS as the post-logout "service" target, and it maps to the portal's LogoutAction.
<action path="/portal/caslogout" type="com.liferay.portal.action.LogoutAction" />
Testing the CAS server
Start Tomcat and click Sign In from the dock menu. It will redirect to the CAS server login page as follows:
(Access CAS directly at https://localhost:8443/cas-web/login — you should see the CAS login screen and no errors in your catalina logs. If the portal instead reports a failure talking to CAS, recheck that the CAS certificate was imported into the JRE trust store used by Tomcat, as described above.)