Difference between revisions of "Central Authentication Service - OpenKM 6.2"

From OpenKM Documentation
Jump to: navigation, search
Line 25: Line 25:
 
   <version>${spring.security.version}</version>
 
   <version>${spring.security.version}</version>
 
</dependency>
 
</dependency>
 +
</source>
 +
 +
Once compiled, modify the applicationContext.xml (line 117):
 +
 +
<source lang="xml">
 +
<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
 +
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
 +
</source>
 +
 +
And OpenKM.xml
 +
 +
<source lang="xml">
 +
<?xml version="1.0" encoding="UTF-8"?>
 +
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
 +
            xmlns:security="http://www.springframework.org/schema/security"
 +
            xmlns:task="http://www.springframework.org/schema/task"
 +
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 +
            xsi:schemaLocation="http://www.springframework.org/schema/beans
 +
                                http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
 +
                                http://www.springframework.org/schema/security
 +
                                http://www.springframework.org/schema/security/spring-security-3.1.xsd
 +
                                http://www.springframework.org/schema/task
 +
                                http://www.springframework.org/schema/task/spring-task-3.1.xsd">
 +
 +
 +
<security:authentication-manager alias="authenticationManager">
 +
    <security:authentication-provider ref="casAuthenticationProvider" />
 +
    <security:authentication-provider ref="ldapAuthProvider" />
 +
  </security:authentication-manager>
 +
 +
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
 +
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
 +
                <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
 +
        <beans:property name="password" value="PASSLDAP"/>
 +
  </beans:bean>
 +
 +
        <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
 +
                <beans:constructor-arg>
 +
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
 +
                                <beans:constructor-arg ref="contextSource"/>
 +
                                <beans:property name="userSearch" ref="userSearch"></beans:property>
 +
                        </beans:bean>
 +
                </beans:constructor-arg>
 +
                <beans:constructor-arg>
 +
                        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
 +
                        <beans:constructor-arg ref="contextSource"/>
 +
                                <beans:constructor-arg value="ou=groups"/>
 +
                                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
 +
                                <beans:property name="groupRoleAttribute" value="cn"/>
 +
                                <beans:property name="searchSubtree" value="true" />
 +
                                <beans:property name="convertToUpperCase" value="true" />
 +
                                <beans:property name="rolePrefix" value="" />
 +
                        </beans:bean>
 +
                </beans:constructor-arg>
 +
        </beans:bean>
 +
 +
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
 +
    <beans:constructor-arg index="0" value="ou=people" />
 +
    <beans:constructor-arg index="1" value="cn={0}" />
 +
    <beans:constructor-arg index="2" ref="contextSource" />
 +
    <beans:property name="searchSubtree" value="true" />
 +
  </beans:bean>
 +
  <beans:bean id="serviceProperties"
 +
        class="org.springframework.security.cas.ServiceProperties">
 +
    <beans:property name="service"
 +
        value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
 +
    <beans:property name="sendRenew" value="false"/>
 +
  </beans:bean>
 +
 +
  <beans:bean id="casAuthenticationProvider"
 +
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
 +
    <beans:property name="authenticationUserDetailsService">
 +
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
 +
<beans:constructor-arg>
 +
                        <beans:array>
 +
                                <beans:value>groupe</beans:value>
 +
                        </beans:array>
 +
                </beans:constructor-arg>
 +
      </beans:bean>
 +
    </beans:property>
 +
 +
    <beans:property name="serviceProperties" ref="serviceProperties" />
 +
    <beans:property name="ticketValidator">
 +
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
 +
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
 +
      </beans:bean>
 +
    </beans:property>
 +
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
 +
  </beans:bean>
 +
 +
  <beans:bean id="casFilter"
 +
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
 +
    <beans:property name="authenticationManager" ref="authenticationManager"/>
 +
  </beans:bean>
 +
 +
  <beans:bean id="casEntryPoint"
 +
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
 +
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
 +
    <beans:property name="serviceProperties" ref="serviceProperties"/>
 +
  </beans:bean>
 +
 +
<!--
 +
<security:user-service id="userService">
 +
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
 +
</security:user-service>
 +
 +
-->
 +
 +
</beans:beans>
 
</source>
 
</source>
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]

Revision as of 09:49, 2 October 2013

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

First of all you should read about how CAS works. So I recommend to read these articles:

According to the CAS documentation, it only works in secured HTTPS connections. For this reasong you need to configure HTTPS under Tomcat. Uncomment the "SSL HTTP/1.1 Connector" entry in $TOMCAT_HOME/conf/server.xml. Once you have modified it, start Tomcat and access https://localhost:8443/ to check it works fine.

Now go to the CAS web site and download the package with the server from http://www.jasig.org/cas_server_3_5_2_release. Once downloaded unpack it and copy the cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war file to $TOMCAT_HOME/webapps/cas-server.war (so the access to this webapp module will be easier to remember and write). Start Tomcat and check it has been deployed ok accessing to https://localhost:8443/cas-server. You can use any user to login with this unique restriction: the user and password should be the same. For example, try "foo" / "foo".

Remember these two URLs:

Spring Security configuration

In order to use CAS with Spring Security, you need to edit the pom.xml descriptor and add this dependency:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-cas</artifactId>
  <version>${spring.security.version}</version>
</dependency>

Once compiled, modify the applicationContext.xml (line 117):

<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />

And OpenKM.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">


<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
                <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
        <beans:property name="password" value="PASSLDAP"/>
  </beans:bean>

        <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                                <beans:constructor-arg ref="contextSource"/>
                                <beans:property name="userSearch" ref="userSearch"></beans:property>
                        </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                        <beans:constructor-arg ref="contextSource"/>
                                <beans:constructor-arg value="ou=groups"/>
                                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                                <beans:property name="groupRoleAttribute" value="cn"/>
                                <beans:property name="searchSubtree" value="true" />
                                <beans:property name="convertToUpperCase" value="true" />
                                <beans:property name="rolePrefix" value="" />
                        </beans:bean>
                </beans:constructor-arg>
        </beans:bean>

   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service"
        value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
  </beans:bean>

  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<beans:constructor-arg>
                        <beans:array>
                                <beans:value>groupe</beans:value>
                        </beans:array>
                </beans:constructor-arg>
      </beans:bean>
    </beans:property>

    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
      </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
  </beans:bean>

  <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <beans:bean id="casEntryPoint"
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
  </beans:bean>

<!--
<security:user-service id="userService">
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>

-->

</beans:beans>