Jasig Cas Client for Java 3.x and Liferay 5.x

William G Thompson, modified 14 years ago.

Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
Liferay 5.x CAS support is based on wrapping the very old (but venerable), and I believe unmaintained Yale Cas Client. While this works for the simple CAS authentication case, it doesn't fully support CAS Proxy Tickets, or newer features of CAS such as the ClearPass Extension, not to mention SAML Support, Single Sign Off, etc.

Proxy Tickets are very powerful in a portal scenario, and provide a secure mechanism for consuming downstream services within a Portlet without having access to the user's password. The new CAS ClearPass Extension provides a secure method to retrieve the user's password for cases where Proxy Tickets can't be used. Questions related to this kind of behavior have been raised a number of times on the Liferay forums.

I am very interested in working to get Liferay 5.x using the latest Jasig CAS Client for Java (3.1.x). The new client is shipped as a set of modular filters. These filters provide all the necessary flexibility for achieving any CAS Client behavior one would want, and can present the web app (i.e. Liferay Portal) with the RemoteUser and UserPrincipal on the Request, Session, or Threadlocal. The RemoteUser can then be used to establish a Liferay session. The UserPrincipal can be used to get Proxy Tickets and other interesting details about the Cas Assertion. What's the best way to configure Liferay to initiate the login sequence based on having the username (aka screenName) already available in RemoteUser?

Using Proxy Tickets, one can request the clear text password from Cas via ClearPass. I'd like to do this during the initial Liferay login sequence, so that the password is available for all Portlets that need it. Looks like this might be an extension to the AutoLoginFilter behavior so that it sets WebKeys.USER_PASSWORD in the Session and then PortalUtil.getUserPassword() would work. Does this sound like the right path?

I've been reading all the forums, blogs, docs I could find at liferay.com and elsewhere, as well as the source code. I've got Liferay 5.2.3 setup and I'm able to debug in Eclipse, but I'm still a bit unclear on the best way to go forward and if there's a clean extension (ext) path for this or deeper kernel hacking is required. Any thoughts, tips, pointers would be greatly appreciated.

My current thinking is to configure the Cas Client filters by hand in web.xml and then use the ext to layer in the ProxyTicket and Clearpass behavior, but I'm not entirely clear how to do this. Does this sound like it lines up? Other suggestions?

I have a long history of contributing to CAS and uPortal, but I am new to the Liferay community. I'm interested in contributing any resulting work to the community and providing first-class CAS support for Liferay.

Best,
Bill Thompson

Jasig CAS Client for Java 3.1
http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
I'll post my status on this thread in case anyone wants to follow along or lend a hand or suggestion. I'm working in the ext environment with Liferay 5.2.3 and Cas Client for Java 3.1.9.

I have a first pass of this just barely working. It would be great to get some input from more experienced Liferay devs to know I'm heading in the right direction. Below are the initial steps I took to get it working.

0. Login to Liferay admin and set it to authentication by screenName.

1. Configured Cas Client for Java 3.1 filters in web.xml. The filter mappings must come first before any other Liferay filters.

<!-- CAS Filters -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
	<param-name>casServerLoginUrl</param-name>
	<param-value>https://${cas.hostname}/cas/login</param-value>
</init-param>
<init-param>
	<param-name>serverName</param-name>
	<param-value>https://${liferay.hostname}</param-value>
</init-param>
<init-param>
	<param-name>renew</param-name>
	<param-value>false</param-value>
</init-param>
<init-param>
	<param-name>gateway</param-name>
	<param-value>false</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
	<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
	<param-name>casServerUrlPrefix</param-name>
	<param-value>https://${cas.hostname}/cas/</param-value>
</init-param>
<init-param>
	<param-name>serverName</param-name>
	<param-value>https://${liferay.hostname}</param-value>
</init-param>
<init-param>
	<param-name>proxyCallbackUrl</param-name>
	<param-value>https://${liferay.hostname}/proxyCallback</param-value>
</init-param>
<init-param>
	<param-name>proxyReceptorUrl</param-name>
	<param-value>/proxyCallback</param-value>
</init-param>
</filter>
<!-- End of CAS Filters -->

<!-- CAS Filter Mappings  -->
<filter-mapping>
	<filter-name>CAS Authentication Filter</filter-name>
	<url-pattern>/c/portal/login</url-pattern>
</filter-mapping>

<filter-mapping>
	<filter-name>CAS Validation Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
	<filter-name>CAS Validation Filter</filter-name>
	<url-pattern>/proxyCallback</url-pattern>	
</filter-mapping>
<!-- End of CAS Filter Mappings -->


2. Add cas-client-core-3.1.9.jar to ext/ext-lib/portal/

3. Create a new CAS3AutoLogin class based off of CASAutoLogin. In CAS3 you get an Assertion from the Session rather than just the screenName.

// Old Yale Cas Client
// String screenName = (String)session.getAttribute(CASFilter.CAS_FILTER_USER);
			
// New Jasig CAS 3.1 Client
Assertion assertion = (Assertion) request.getSession().getAttribute("_const_cas_assertion_");
String screenName = assertion.getPrincipal().getName();


4. Configure CAS3AutoLogin hook in ext/ext-impl/src/portal-ext.properties

auto.login.hooks=com.liferay.portal.security.auth.CAS3AutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin


6. The CAS Server is configured to authenticate joebloggs/test.

7. For the CAS ProxyCallback to work, Liferay must be running under SSL.

Notice you don't set any CAS setting in the Liferay Admin portlet. All the CAS settings are in the web.xml. And the hooks are in portal-ext.properties.

This seems to be working, although I have to do some more testing, and add the ClearPass extension support. Any tips on where to stash the clear text password?

Bill
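
Added example, not part of the original posts or of the Cas3Liferay5 code: a null-safe way to read the Assertion that step 3 pulls from the session, and to request a Proxy Ticket for a downstream service from it. The class name CasAssertionReader and its method names are hypothetical; only the Jasig CAS client 3.1.x and servlet API types are real.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

/** Hypothetical helper for an AutoLogin hook or portlet; not Liferay or CAS client code. */
public final class CasAssertionReader {

    private CasAssertionReader() {}

    /** Returns the assertion stored by the CAS validation filter, or null if there is none. */
    public static Assertion currentAssertion(HttpServletRequest request) {
        // getSession(false): do not create a session for a request that never passed CAS.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        // CONST_CAS_ASSERTION is the "_const_cas_assertion_" key used in step 3.
        Object value = session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        return (value instanceof Assertion) ? (Assertion) value : null;
    }

    /** Screen name for the auto-login hook, or null so the hook can decline to log anyone in. */
    public static String screenName(HttpServletRequest request) {
        Assertion assertion = currentAssertion(request);
        if (assertion == null || assertion.getPrincipal() == null) {
            return null;
        }
        String name = assertion.getPrincipal().getName();
        return (name == null || name.length() == 0) ? null : name;
    }

    /** Proxy Ticket for one downstream service URL, or null if no proxy granting ticket exists. */
    public static String proxyTicketFor(HttpServletRequest request, String serviceUrl) {
        Assertion assertion = currentAssertion(request);
        if (assertion == null) {
            return null;
        }
        AttributePrincipal principal = assertion.getPrincipal();
        // The client returns null here when the proxyCallback exchange never delivered a PGT.
        return (principal == null) ? null : principal.getProxyTicketFor(serviceUrl);
    }
}
```

A null from proxyTicketFor usually means the proxy callback in step 7 did not complete, so the caller should treat it as "no downstream access" rather than retry with other credentials.
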
K R, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 5 Join Date: 03/06/09
Agree with Bill that it would be nice to see this functionality baked into Liferay. Any help from Liferay developers would help. We have been trying to get this going for us too for a while now.
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
OK, Authentication seems to be working well with the CAS 3.x filters and the new CAS3AutoLogin.java class. I also added ClearPass behavior so that we get the clear-text password back from CAS the first time through.

* added cas.clearpass.enabled and cas.clearpass.url to PropsKeys.java and PropsValues.java (Anyone know how to get the new PropsKeys/Values into the Admin Portlet?)
* added Cas Assertion and ClearPass logic to CAS3AutoLogin.java
* remove Liferay SSO Filters from web.xml (CAS, Ntlm, OpenSSO)

Next step is to see how we can expose the password and the Assertion to Portlets. Anyone know what the best way is?

I've started keeping the required artifacts from my ext environment on github in case anyone wants to try it out.
* drop github bits into your ext dir
* updated the CAS URLs in web.xml and portal-ext.properties
* ant deploy, and you should be good to go.

http://github.com/wgthom/Cas3Liferay5

Cheers,
Bill
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
More progress...

Using the approach above to integrate the CAS3 Client and the CAS3AutoLogin class, I'm able to get the username and clear-text password in a JSPPortlet by adding these three lines to the view.jsp.

<%
long userid = PortalUtil.getUserId(request);
String username = PortalUtil.getUserName(userid,null,"user.login.id");
String password = PortalUtil.getUserPassword(request);
%>
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
More progress...

I've added an example portlet to the Cas3Liferay5 GitHub repository demonstrating how to get the username and password from Liferay once CAS3AutoLogin has done its thing.

You should be able to drop Cas3ClearpassExample-portlet into your plugins/portlets/ directory, do a '/plugins/ant deploy', and be good to go.
Alex Rocha, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 8 Join Date: 29/07/09
Hi Bill, I was able to use your source on github to retrieve the clear text password from CAS via clearpass. I built and deployed CAS with the clearpass extension on my local machine then set the clearpasscontrollerurl and the proxy callback url and voila, I was able to pull the clear text password with "PortalUtil.getUserPassword(request)".

In cas-servlet.xml:

<!-- implementation of the clear pass vending service -->
<bean id="clearPassController" class="edu.csus.cas.clearpass.ClearPassController"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:proxyHandler-ref="proxy20Handler"
p:credentialsCache-ref="credentialsCache"
p:serviceValidator-ref="clearPassServiceValidator"
p:argumentExtractor-ref="casArgumentExtractor"
p:clearPassControllerUrl="https://mylocalmachine:8443/cas-web/clearPass" />

<!-- A bean listing services (proxy callback URLs) that are allowed to receive cleartext passwords -->
<bean id="clearPassServiceValidator" class="edu.csus.cas.clearpass.ClearPassServiceValidatorImpl">
<property name="enabledServices">
<set>
<value>https://mylocalmachine:8443/proxyCallback</value>
</set>
</property>
</bean>

Great work Bill! I'll continue testing and see if I can put this to work with CAS validating against LDAP.
Björn Ryding, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

Liferay Master Posts: 582 Join Date: 16/05/07
Hi Bill,

Thanks for sharing your work. I need to use Proxy Tickets in a current project and I was just about to try out your code when I saw that Liferay already had migrated from the Yale CAS Client to the Jasig 3.1 Client. The change took place in LPS-4664.

Have you had a chance to take a look at the current CAS support in trunk?

Cheers,
Björn
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
Hello Björn,

I have not seen the CAS support in trunk. Is this for 6x? I need proper CAS support for the 5x tree. I looked at the JIRA issue, but didn't see an easy way to relate it to the change set. Is there an easy way to see what changes were made for this issue? Any idea when this would be available in a production release?

I had updated http://issues.liferay.com/browse/LPS-7441 in hopes that core developers would pick up the work and add it to the main distribution.

Best,
Bill
Björn Ryding, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

Liferay Master Posts: 582 Join Date: 16/05/07
Hi Bill,

Yes, trunk is the upcoming version 6 release. The improved CAS support is also included in the current 5.2 EE release (SP3).

You can access the changes directly from JIRA in the FishEye tab below the issue description or use http://svn.liferay.com/qsearch/?q=lps-4664

Best,
Björn
William G Thompson, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 7 Join Date: 22/02/10
Björn Ryding:
Hi Bill,

Yes, trunk is the upcoming version 6 release. The improved CAS support is also included in the current 5.2 EE release (SP3).

You can access the changes directly from JIRA in the FishEye tab below the issue description or use http://svn.liferay.com/qsearch/?q=lps-4664

Best,
Björn


Björn, Both of those paths come up: "No related commits found.".

Bill
Björn Ryding, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

Liferay Master Posts: 582 Join Date: 16/05/07
William G Thompson:
Björn Ryding:
Hi Bill,

Yes, trunk is the upcoming version 6 release. The improved CAS support is also included in the current 5.2 EE release (SP3).

You can access the changes directly from JIRA in the FishEye tab below the issue description or use http://svn.liferay.com/qsearch/?q=lps-4664

Best,
Björn


Björn, Both of those paths come up: "No related commits found.".

Bill


There was something wrong with the Liferay SVN yesterday, try again today.

Björn
Nagendra Kumar Busam, modified 13 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

Liferay Master Posts: 678 Join Date: 07/07/09
Hi William,

We have a CAS + Liferay integrated environment, but it looks like the “concurrent login prevention” does not work on some occasions for Liferay. For example, we have an iframe enclosing the portal menu bar and the page content. User logs in on Browser 1 and the same User logs in on Browser 2. User then navigates on Browser 1 by clicking on the menu bar (some private pages), but he did not get logged out.

Practically I think user's old token should be invalid.

Can you give me suggestion regarding the same - how to achieve above functionality either by programmatically OR configuration wise

Thanks in advance

Regards,
- Nagendra Kumar
Johann Kneringer, modified 10 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

Junior Member Posts: 42 Join Date: 10/11/11
Is the ext-plugin for Liferay 6.x compatible/tested with 6.1 GA 2?

I tried to install it...The deployment on my server (tomcat bundle) went well, but after that I was not able to start the server.

There were some exceptions regarding some filters in the web.xml (.FTL, etc...)...Is there a fix for this?
Alex Rocha, modified 14 years ago.

RE: Jasig Cas Client for Java 3.x and Liferay 5.x

New Member Posts: 8 Join Date: 29/07/09
Thanks for the post Bill. I've also noticed Liferay implementation of CAS is lacking. Full proxy ticket support and clearpass implementation are key to a complete portal solution. Can any liferay devs offer assistance/direction on this?