Difference between revisions of "Central Authentication Service - OpenKM 6.2"
Line 25: | Line 25: | ||
<version>${spring.security.version}</version> | <version>${spring.security.version}</version> | ||
</dependency> | </dependency> | ||
+ | </source> | ||
+ | |||
+ | Once compiled, modify the applicationContext.xml (line 117): | ||
+ | |||
+ | <source lang="xml"> | ||
+ | <security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" > | ||
+ | <security:custom-filter position="CAS_FILTER" ref="casFilter" /> | ||
+ | </source> | ||
+ | |||
+ | And OpenKM.xml | ||
+ | |||
+ | <source lang="xml"> | ||
+ | <?xml version="1.0" encoding="UTF-8"?> | ||
+ | <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" | ||
+ | xmlns:security="http://www.springframework.org/schema/security" | ||
+ | xmlns:task="http://www.springframework.org/schema/task" | ||
+ | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
+ | xsi:schemaLocation="http://www.springframework.org/schema/beans | ||
+ | http://www.springframework.org/schema/beans/spring-beans-3.1.xsd | ||
+ | http://www.springframework.org/schema/security | ||
+ | http://www.springframework.org/schema/security/spring-security-3.1.xsd | ||
+ | http://www.springframework.org/schema/task | ||
+ | http://www.springframework.org/schema/task/spring-task-3.1.xsd"> | ||
+ | |||
+ | |||
+ | <security:authentication-manager alias="authenticationManager"> | ||
+ | <security:authentication-provider ref="casAuthenticationProvider" /> | ||
+ | <security:authentication-provider ref="ldapAuthProvider" /> | ||
+ | </security:authentication-manager> | ||
+ | |||
+ | <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> | ||
+ | <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/> | ||
+ | <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/> | ||
+ | <beans:property name="password" value="PASSLDAP"/> | ||
+ | </beans:bean> | ||
+ | |||
+ | <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> | ||
+ | <beans:constructor-arg> | ||
+ | <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> | ||
+ | <beans:constructor-arg ref="contextSource"/> | ||
+ | <beans:property name="userSearch" ref="userSearch"></beans:property> | ||
+ | </beans:bean> | ||
+ | </beans:constructor-arg> | ||
+ | <beans:constructor-arg> | ||
+ | <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> | ||
+ | <beans:constructor-arg ref="contextSource"/> | ||
+ | <beans:constructor-arg value="ou=groups"/> | ||
+ | <beans:property name="groupSearchFilter" value="memberUid={1}"/> | ||
+ | <beans:property name="groupRoleAttribute" value="cn"/> | ||
+ | <beans:property name="searchSubtree" value="true" /> | ||
+ | <beans:property name="convertToUpperCase" value="true" /> | ||
+ | <beans:property name="rolePrefix" value="" /> | ||
+ | </beans:bean> | ||
+ | </beans:constructor-arg> | ||
+ | </beans:bean> | ||
+ | |||
+ | <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> | ||
+ | <beans:constructor-arg index="0" value="ou=people" /> | ||
+ | <beans:constructor-arg index="1" value="cn={0}" /> | ||
+ | <beans:constructor-arg index="2" ref="contextSource" /> | ||
+ | <beans:property name="searchSubtree" value="true" /> | ||
+ | </beans:bean> | ||
+ | <beans:bean id="serviceProperties" | ||
+ | class="org.springframework.security.cas.ServiceProperties"> | ||
+ | <beans:property name="service" | ||
+ | value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/> | ||
+ | <beans:property name="sendRenew" value="false"/> | ||
+ | </beans:bean> | ||
+ | |||
+ | <beans:bean id="casAuthenticationProvider" | ||
+ | class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> | ||
+ | <beans:property name="authenticationUserDetailsService"> | ||
+ | <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService"> | ||
+ | <beans:constructor-arg> | ||
+ | <beans:array> | ||
+ | <beans:value>groupe</beans:value> | ||
+ | </beans:array> | ||
+ | </beans:constructor-arg> | ||
+ | </beans:bean> | ||
+ | </beans:property> | ||
+ | |||
+ | <beans:property name="serviceProperties" ref="serviceProperties" /> | ||
+ | <beans:property name="ticketValidator"> | ||
+ | <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator"> | ||
+ | <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" /> | ||
+ | </beans:bean> | ||
+ | </beans:property> | ||
+ | <beans:property name="key" value="an_id_for_this_auth_provider_only"/> | ||
+ | </beans:bean> | ||
+ | |||
+ | <beans:bean id="casFilter" | ||
+ | class="org.springframework.security.cas.web.CasAuthenticationFilter"> | ||
+ | <beans:property name="authenticationManager" ref="authenticationManager"/> | ||
+ | </beans:bean> | ||
+ | |||
+ | <beans:bean id="casEntryPoint" | ||
+ | class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> | ||
+ | <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/> | ||
+ | <beans:property name="serviceProperties" ref="serviceProperties"/> | ||
+ | </beans:bean> | ||
+ | |||
+ | <!-- | ||
+ | <security:user-service id="userService"> | ||
+ | <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user> | ||
+ | </security:user-service> | ||
+ | |||
+ | --> | ||
+ | |||
+ | </beans:beans> | ||
</source> | </source> | ||
[[Category: Installation Guide]] | [[Category: Installation Guide]] |
Revision as of 09:49, 2 October 2013
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
First of all you should read about how CAS works. So I recommend to read these articles:
- A detailed walk through a CAS authentication
- Spring Security: CAS Authentication
- And te mother-of-all-documentation at Spring Security 3.1 (Chapter 9).
According to the CAS documentation, it only works in secured HTTPS connections. For this reasong you need to configure HTTPS under Tomcat. Uncomment the "SSL HTTP/1.1 Connector" entry in $TOMCAT_HOME/conf/server.xml. Once you have modified it, start Tomcat and access https://localhost:8443/ to check it works fine.
Now go to the CAS web site and download the package with the server from http://www.jasig.org/cas_server_3_5_2_release. Once downloaded unpack it and copy the cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war file to $TOMCAT_HOME/webapps/cas-server.war (so the access to this webapp module will be easier to remember and write). Start Tomcat and check it has been deployed ok accessing to https://localhost:8443/cas-server. You can use any user to login with this unique restriction: the user and password should be the same. For example, try "foo" / "foo".
Remember these two URLs:
- CAS Login: https://localhost:8443/cas-server/login
- CAS Logout: https://localhost:8443/cas-server/logout
Spring Security configuration
In order to use CAS with Spring Security, you need to edit the pom.xml descriptor and add this dependency:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>${spring.security.version}</version>
</dependency>
Once compiled, modify the applicationContext.xml (line 117):
<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
And OpenKM.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
<beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
<beans:property name="password" value="PASSLDAP"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"></beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=groups"/>
<beans:property name="groupSearchFilter" value="memberUid={1}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=people" />
<beans:constructor-arg index="1" value="cn={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
<beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service"
value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
<beans:property name="sendRenew" value="false"/>
</beans:bean>
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<beans:constructor-arg>
<beans:array>
<beans:value>groupe</beans:value>
</beans:array>
</beans:constructor-arg>
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
<beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
</beans:bean>
</beans:property>
<beans:property name="key" value="an_id_for_this_auth_provider_only"/>
</beans:bean>
<beans:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
<beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>
<!--
<security:user-service id="userService">
<security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>
-->
</beans:beans>