Difference between revisions of "Central Authentication Service - OpenKM 6.2"

From OpenKM Documentation
Jump to: navigation, search
m (Spring Security configuration)
 
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
 
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
 +
 +
{{Warning|In lastest 6.x version has been found some problem with opensaml-2.5.1-1.jar what is included by default in OpenKM build. For more information take a look [[http://forum.openkm.com/viewtopic.php?f=4&t=12769 here]].}}
  
 
First of all you should read about how CAS works. So I recommend to read these articles:
 
First of all you should read about how CAS works. So I recommend to read these articles:
Line 86: Line 88:
 
         <beans:property name="searchSubtree" value="true" />
 
         <beans:property name="searchSubtree" value="true" />
 
     </beans:bean>
 
     </beans:bean>
  <beans:bean id="serviceProperties"
+
    <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        class="org.springframework.security.cas.ServiceProperties">
+
        <beans:property name="service" value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
    <beans:property name="service"
+
        <beans:property name="sendRenew" value="false"/>
        value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
+
    </beans:bean>
    <beans:property name="sendRenew" value="false"/>
 
  </beans:bean>
 
  
  <beans:bean id="casAuthenticationProvider"
+
    <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
+
        <beans:property name="authenticationUserDetailsService">
    <beans:property name="authenticationUserDetailsService">
+
            <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
+
                <beans:constructor-arg>
<beans:constructor-arg>
+
                    <beans:array>
                        <beans:array>
+
                        <beans:value>groupe</beans:value>
                                <beans:value>groupe</beans:value>
+
                    </beans:array>
                        </beans:array>
 
 
                 </beans:constructor-arg>
 
                 </beans:constructor-arg>
      </beans:bean>
+
            </beans:bean>
    </beans:property>
+
        </beans:property>
  
    <beans:property name="serviceProperties" ref="serviceProperties" />
+
        <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
+
        <beans:property name="ticketValidator">
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
+
            <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
+
                <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
      </beans:bean>
+
            </beans:bean>
    </beans:property>
+
        </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
+
        <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
  </beans:bean>
+
    </beans:bean>
  
  <beans:bean id="casFilter"
+
    <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
+
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
+
     </beans:bean>
  </beans:bean>
 
 
 
  <beans:bean id="casEntryPoint"
 
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
 
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
 
     <beans:property name="serviceProperties" ref="serviceProperties"/>
 
  </beans:bean>
 
 
 
<!--
 
<security:user-service id="userService">
 
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
 
</security:user-service>
 
 
 
-->
 
  
 +
    <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
 +
        <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
 +
        <beans:property name="serviceProperties" ref="serviceProperties"/>
 +
    </beans:bean>
 
</beans:beans>
 
</beans:beans>
 
</source>
 
</source>
 +
 +
'''Note:''' This documentation is based in forum post http://forum.openkm.com/viewtopic.php?f=4&t=10711.
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]

Latest revision as of 11:52, 24 January 2015

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.


Nota advertencia.png In lastest 6.x version has been found some problem with opensaml-2.5.1-1.jar what is included by default in OpenKM build. For more information take a look [here].

First of all you should read about how CAS works. So I recommend to read these articles:

According to the CAS documentation, it only works in secured HTTPS connections. For this reasong you need to configure HTTPS under Tomcat. Uncomment the "SSL HTTP/1.1 Connector" entry in $TOMCAT_HOME/conf/server.xml. Once you have modified it, start Tomcat and access https://localhost:8443/ to check it works fine.

Now go to the CAS web site and download the package with the server from http://www.jasig.org/cas_server_3_5_2_release. Once downloaded unpack it and copy the cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war file to $TOMCAT_HOME/webapps/cas-server.war (so the access to this webapp module will be easier to remember and write). Start Tomcat and check it has been deployed ok accessing to https://localhost:8443/cas-server. You can use any user to login with this unique restriction: the user and password should be the same. For example, try "foo" / "foo".

Remember these two URLs:

Spring Security configuration

In order to use CAS with Spring Security, you need to edit the pom.xml descriptor and add this dependency:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-cas</artifactId>
  <version>${spring.security.version}</version>
</dependency>

Once compiled, modify the applicationContext.xml (line 117):

<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />

And OpenKM.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
        <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
        <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
        <beans:property name="password" value="PASSLDAP"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=groups"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
    <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg index="0" value="ou=people" />
        <beans:constructor-arg index="1" value="cn={0}" />
        <beans:constructor-arg index="2" ref="contextSource" />
        <beans:property name="searchSubtree" value="true" />
    </beans:bean>
    <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <beans:property name="service" value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
        <beans:property name="sendRenew" value="false"/>
    </beans:bean>

    <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <beans:property name="authenticationUserDetailsService">
            <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
                <beans:constructor-arg>
                    <beans:array>
                        <beans:value>groupe</beans:value>
                    </beans:array>
                </beans:constructor-arg>
            </beans:bean>
        </beans:property>

        <beans:property name="serviceProperties" ref="serviceProperties" />
        <beans:property name="ticketValidator">
            <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
                <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
            </beans:bean>
        </beans:property>
        <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
    </beans:bean>

    <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
        <beans:property name="serviceProperties" ref="serviceProperties"/>
    </beans:bean>
</beans:beans>

Note: This documentation is based in forum post http://forum.openkm.com/viewtopic.php?f=4&t=10711.