Difference between revisions of "Central Authentication Service - OpenKM 5.1"

From OpenKM Documentation
Jump to: navigation, search
 
(4 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM:
 
Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM:
  
In server/default/deploy/OpenKM.war/WEB-INF/web.xml:
+
1. In server/default/deploy/OpenKM.war/WEB-INF/web.xml:
  
 
<source lang="xml">
 
<source lang="xml">
Line 103: Line 103:
 
   <!-- /CAS SSO -->
 
   <!-- /CAS SSO -->
 
</source>
 
</source>
 +
 +
2. In server/default/conf/login-config.xml:
 +
 +
<source lang="xml">
 +
<application-policy name="OpenKMWebDav">
 +
  <authentication>
 +
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 +
      <module-option name="java.naming.provider.url">ldap://dokumentum2.chronossoftware.com:389</module-option>
 +
      <module-option name="java.naming.security.authentication">simple</module-option>
 +
      <module-option name="baseCtxDN">ou=Users,dc=igyuk,dc=hu</module-option>
 +
      <module-option name="baseFilter">(cn={0})</module-option>
 +
      <module-option name="rolesCtxDN">ou=Groups,dc= igyuk,dc=hu </module-option>
 +
      <module-option name="roleFilter">(uniqueMember={1})</module-option>
 +
      <module-option name="roleAttributeID">cn</module-option>
 +
      <module-option name="roleNameAttributeID">cn</module-option>
 +
      <module-option name="roleAttributeIsDN">true</module-option>
 +
      <module-option name="roleRecursion">2</module-option>
 +
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 +
      <module-option name="allowEmptyPasswords">False</module-option>
 +
      <module-option name="defaultRole">UserRole</module-option>
 +
    </login-module>
 +
  </authentication>
 +
</application-policy>
 +
 +
<application-policy name="OpenKM">
 +
  <authentication>
 +
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
 +
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
 +
      <module-option name="casServerUrlPrefix">https://dokumentum2.chronossoftware.com/cas</module-option>
 +
      <module-option name="service">https://dokumentum2.chronossoftware.com/OpenKM</module-option>
 +
      <module-option name="defaultRoles">UserRole</module-option>
 +
      <module-option name="roleAttributeNames">groupMembership</module-option>
 +
      <module-option name="principalGroupName">CallerPrincipal</module-option>
 +
      <module-option name="roleGroupName">Roles</module-option>
 +
      <module-option name="cacheAssertions">true</module-option>
 +
      <module-option name="tolerance">20000</module-option>
 +
      <module-option name="cacheTimeout">480</module-option>
 +
    </login-module>
 +
  </authentication>
 +
</application-policy>
 +
</source>
 +
 +
3. In repository.xml I changed the "OpenKM" to "OpenKMWebDav" at
 +
 +
<source lang="xml">
 +
<Security appName="OpenKM">
 +
</source>
 +
 +
4. Add the certificate of the CAS server to cacerts using the instructions from [[JBoss mail configuration#Adding PKI certificate]].
 +
 +
5. Copy these 2 JAR files from CAS client destribution to $JBOSS_HOME/server/default/deploy/OpenKM.war/WEB-INF/lib:
 +
 +
* cas-client-core-3.2.0.jar
 +
* cas-client-integration-jboss-3.2.0.jar
 +
 +
== Suggested changes ==
 +
SSO CAS work with Cas client-client-3.2.1, cas-server-3.4.12-release, OpenKM-5.1.10_JBoss-4.2.3.GA
 +
 +
Need to be changed in openkm/pom.xml <milton.version>, change "1.7.1" by "1.7.2"
 +
Need to be changed in cas-client-3.2.1/cas-client-core/pom.xml <spring.version> (=2.5.6) by 3.0.5.RELEASE
 +
Delete JBoss-4.2.3.GA default lib into : (server/default/lib/) ejb3-persistence.jar
 +
Add hibernate-jpa-2.0-api-1.0.0.Final.jar into JBoss-4.2.3.GA default lib (server/default/lib/)
 +
 +
== See also ==
 +
* Original forum topic at [http://forum.openkm.com/viewtopic.php?f=4&t=5388 Forum: Doc direct access URL using SSO].
 +
* Original forum topic CAS with Webservices  [http://forum.openkm.com/viewtopic.php?f=6&t=6231&p=17413#p17413 Forum: Cas with webservices]
 +
* [http://www.jasig.org/cas Home of  the Central Authentication Service project]
 +
* [http://www.jasig.org/jasig-cas-client-java-version-321-releas Jasig CAS Client for Java version 3.2.1 released]

Latest revision as of 09:28, 2 October 2013

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM:

1. In server/default/deploy/OpenKM.war/WEB-INF/web.xml:

  <!-- CAS SSO-->
  <!-- Facilitates CAS single sign-out -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!-- Following is needed only if CAS single-sign out is desired -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <!-- Only 2 CAS filters are required for JAAS support -->
  <context-param>
    <param-name>service</param-name>
    <param-value>https://openkm.chronossoftware.com/OpenKM</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://openkm.chronossoftware.com/cas/login</param-value>
  </context-param>

  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>

  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>

    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>

    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>

    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>

    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>

    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>

    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>

    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>

    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>

    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>

    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>

    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- /CAS SSO -->

2. In server/default/conf/login-config.xml:

<application-policy name="OpenKMWebDav">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://dokumentum2.chronossoftware.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="baseCtxDN">ou=Users,dc=igyuk,dc=hu</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Groups,dc= igyuk,dc=hu </module-option>
      <module-option name="roleFilter">(uniqueMember={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">False</module-option>
      <module-option name="defaultRole">UserRole</module-option>
    </login-module>
  </authentication>
</application-policy>

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://dokumentum2.chronossoftware.com/cas</module-option>
      <module-option name="service">https://dokumentum2.chronossoftware.com/OpenKM</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">groupMembership</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>

3. In repository.xml I changed the "OpenKM" to "OpenKMWebDav" at

<Security appName="OpenKM">

4. Add the certificate of the CAS server to cacerts using the instructions from JBoss mail configuration#Adding PKI certificate.

5. Copy these 2 JAR files from CAS client destribution to $JBOSS_HOME/server/default/deploy/OpenKM.war/WEB-INF/lib:

  • cas-client-core-3.2.0.jar
  • cas-client-integration-jboss-3.2.0.jar

Suggested changes

SSO CAS work with Cas client-client-3.2.1, cas-server-3.4.12-release, OpenKM-5.1.10_JBoss-4.2.3.GA

Need to be changed in openkm/pom.xml <milton.version>, change "1.7.1" by "1.7.2" Need to be changed in cas-client-3.2.1/cas-client-core/pom.xml <spring.version> (=2.5.6) by 3.0.5.RELEASE Delete JBoss-4.2.3.GA default lib into : (server/default/lib/) ejb3-persistence.jar Add hibernate-jpa-2.0-api-1.0.0.Final.jar into JBoss-4.2.3.GA default lib (server/default/lib/)

See also