Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Kerberos Authentication william montaz October 20, 2008 2:38 AM
RE: Kerberos Authentication robain massey October 21, 2008 12:35 PM
Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos Aut william montaz October 22, 2008 5:57 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos Sriram Gopalan October 26, 2008 1:08 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon william montaz October 27, 2008 2:40 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan October 28, 2008 6:35 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan October 28, 2008 6:39 PM
Re: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon william montaz October 29, 2008 12:05 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 23, 2010 2:13 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 10:01 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 10:01 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 10:08 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 10:58 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 11:05 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 11:09 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 11:08 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 11:17 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 12:03 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 12:11 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 24, 2010 12:19 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Sriram Gopalan March 24, 2010 1:41 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 25, 2010 12:21 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Kamal Pasha Shaikh March 29, 2010 5:41 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Jayson Ilagan August 16, 2012 7:08 PM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Thomas Ludescher October 25, 2012 6:56 AM
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon Jayson Ilagan January 21, 2013 9:49 PM
william montaz
Kerberos Authentication
October 20, 2008 2:38 AM
Answer

william montaz

Rank: New Member

Posts: 4

Join Date: September 24, 2008

Recent Posts

Hi everybody,

I would like to know if Liferay provides connectors for Kerberos authentication ? If so, how to implement it ?

I've been looking almost everywhere without success...

Thanks for reply

Bye
robain massey
RE: Kerberos Authentication
October 21, 2008 12:35 PM
Answer

robain massey

Rank: New Member

Posts: 3

Join Date: October 21, 2008

Recent Posts

Hi, were you able to get this resolved? am trying to authenticate with kerberos myself. Please post if you get somewhere on this.

Thanks
robain
william montaz
Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos Aut
October 22, 2008 5:57 AM
Answer

william montaz

Rank: New Member

Posts: 4

Join Date: September 24, 2008

Recent Posts

Unfortunatly not, I'm sick of never getting answers to what I'm looking for.
By the way, don't upgrade o 5.1.2, it's too buggy....

(Sorry, but right now I have to make a demo to a customer and I'm having
many bugs occuring since upgrading....and It makes me really angry)

On Tue, Oct 21, 2008 at 9:35 PM, robain maskey from liferay.com <
no-reply@liferay.com> wrote:

> Hi, were you able to get this resolved? am trying to authenticate with
> kerberos myself. Please post if you get somewhere on this.
>
> Thanks
> robain
> --
> Liferay Message Boards
>
> https://www.liferay.com/web/guest/community/forums/message_boards/message/1469492
> mb.239393.1469492@events.liferay.com
> http://www.liferay.com
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberos
October 26, 2008 1:08 PM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

I implemented thru apache mod_auth_kerb and authentication thru our corporate active directory.

My setup is like this:
Linux,
Apache httpd 2.x,
mod_auth_kerb,
mod_jk,
LR on tomcat
customized auth

If you stack is similar to mine, I can help you to setup seamless sso.

--Sriram
william montaz
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
October 27, 2008 2:40 AM
Answer

william montaz

Rank: New Member

Posts: 4

Join Date: September 24, 2008

Recent Posts

Hy, thanks for your answer.

Your setup seems quite classic except the "customized auth" section emoticon

Could you give some clues about what you had to change on Liferay to be able to do that ?

Thanks
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
October 28, 2008 6:35 PM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

1. Start with apache setup using mod_auth_kerb
http://modauthkerb.sourceforge.net/
http://grolmsnet.de/kerbtut/

This will enable apache to collect the kerb ticket and do seamless SSO.

2. Next using mod_jk redirect the requests to tomcat (liferay).
Make sure you have JkEnvVar passed over.
JkEnvVar REMOTE_USER "<UNSET>"
JkEnvVar AUTH_TYPE "<UNSET>"

3. Write a custom auth class and configure it in portal-ext.properties
https://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration%20with%20Siteminder%20SSO

The above URL is for SiteMinder, but the procedure for Kerberos is not much different.

String aUsername = req.getHeader("SM_USERDN"); should be replace by
String aUsername = req.getHeader("REMOTE_USER");


In my setup I have done auto user creation too.

--Sriram
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
October 28, 2008 6:39 PM
Answer
william montaz
Re: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
October 29, 2008 12:05 PM
Answer

william montaz

Rank: New Member

Posts: 4

Join Date: September 24, 2008

Recent Posts

Thanks a lot. I should be able to do something with that.
Anyway I think Liferay community should work on that because Kerberos is a
real enterprise standard and it is really missing with Liferay.

Bye

On Wed, Oct 29, 2008 at 2:39 AM, Sriram Gopalan from liferay.com <
no-reply@liferay.com> wrote:

>
> http://lportal.svn.sourceforge.net/viewvc/lportal/portal/branches/5.1.x/portal-impl/src/com/liferay/portal/security/auth/SiteMinderAutoLogin.java?revision=21190&view=markup
>
> Will be helpful to get started...
> --
> Liferay Message Boards
>
> http://www.liferay.com/web/guest/community/forums/message_boards/message/1503655
> mb.239393.1503655@events.liferay.com
> http://www.liferay.com
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 23, 2010 2:13 PM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

I am using the SpnegoHttpFilter from http://spnego.sourceforge.net/ in my jboss 4.2.3 CP06.
The sample tests for the filter and keytab went fine on jboss. Now, I am trying to use the filter and keytab in my jboss with liferay. In addition to adding the filter in web.xml, I have the following entries in my portal-ext.properties.

portal.ctx=/liferay-ext
jdbc.default.jndi.name=jdbc/LiferayPool
auto.login.hooks=com.custom.liferay.portal.security.auth.SpnegoAutoLogin
auth.forward.by.last.path=true
default.landing.page.path=/liferay-ext/web/guest/
login.events.post=com.liferay.portal.events.LoginPostAction,com.liferay.portal.events.DefaultLandingPageAction

When I access the url http://localhost:8080/liferay-ext, I see the following error in my server.log. The logs indicate that the filter is being invoked but I don't see the SpnegoAutoLogin class (configured in portal-ext.properties) being called. I looked through wiki and forums to check if I am missing any configuration for SSO. But, I couldn't see anything new that I missed. I would like to know how the SpnegoAutoLogin class gets called after the Filter processing is done. Please share your thoughts.
I am attaching the SpnegoAutoLogin.java file for your reference.
Also, the entries for the SpnegoHttpFilter in web.xml is as below.
<filter>
<filter-name>SpnegoHttpFilter</filter-name>
<filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
<init-param>
<param-name>spnego.allow.basic</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>spnego.allow.localhost</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>spnego.allow.unsecure.basic</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>spnego.login.client.module</param-name>
<param-value>spnego-client</param-value>
</init-param>
<init-param>
<param-name>spnego.krb5.conf</param-name>
<param-value>krb5.conf</param-value>
</init-param>
<init-param>
<param-name>spnego.login.conf</param-name>
<param-value>login.conf</param-value>
</init-param>
<init-param>
<param-name>spnego.preauth.username</param-name>
<param-value/>
</init-param>
<init-param>
<param-name>spnego.preauth.password</param-name>
<param-value/>
</init-param>
<init-param>
<param-name>spnego.login.server.module</param-name>
<param-value>spnego-server</param-value>
</init-param>
<init-param>
<param-name>spnego.prompt.ntlm</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>spnego.logger.level</param-name>
<param-value>1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SpnegoHttpFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

20:43:21,245 ERROR Mar 23, 2010 8:43:21 PM net.sourceforge.spnego.SpnegoHttpFilter doFilter
FINE: principal=XXXXXX@XXXX.XX.XXXXXXXXXXXXX.COM
20:43:21,463 ERROR Mar 23, 2010 8:43:21 PM net.sourceforge.spnego.SpnegoHttpFilter doFilter
FINE: principal=XXXXXX@XXXX.XX.XXXXXXXXXXXXX.COM
20:43:21,588 INFO 20:43:21,588 DEBUG [ApplicationDispatcher:185] servletPath=/c, pathInfo=/portal/layout, queryString=p_l_id=10139, name=null
20:43:21,588 INFO 20:43:21,588 DEBUG [ApplicationDispatcher:375] Path Based Forward
20:43:21,620 INFO 20:43:21,620 ERROR [MainServlet:794] com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
at com.liferay.portal.service.persistence.UserPersistenceImpl.findByPrimaryKey(UserPersistenceImpl.java:622)
at com.liferay.portal.service.impl.UserLocalServiceImpl.getUserById(UserLocalServiceImpl.java:1305)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy136.getUserById(Unknown Source)
at com.liferay.portal.service.UserLocalServiceUtil.getUserById(UserLocalServiceUtil.java:474)
at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:772)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
at com.liferay.portal.servlet.FriendlyURLServlet.service(FriendlyURLServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:142)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:140)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:282)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.cache.CacheFilter.processFilter(CacheFilter.java:425)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:257)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter.processFilter(OpenSSOFilter.java:73)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:193)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.doFilter(VirtualHostFilter.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.threadlocalcache.ThreadLocalCacheFilter.processFilter(ThreadLocalCacheFilter.java:55)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterCh
20:43:21,620 INFO ain.doFilter(ApplicationFilterChain.java:206)
at net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:250)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
20:43:21,635 INFO 20:43:21,635 DEBUG [ApplicationDispatcher:412] Disabling the response for futher output
20:43:21,635 INFO 20:43:21,635 DEBUG [ApplicationDispatcher:420] The Response is vehiculed using a wrapper: com.liferay.portal.servlet.filters.strip.StripResponse
Attachments: SpnegoAutoLogin.java (3.0k)
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 10:01 AM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

I have not used spnego filter, so I might not have a complete picture on what's going on.
I didn't have a chance to go over your code.

Based on the stack trace, i would suggest to check the following.


Kerberos would give the login as "<username>@fully-qualified-domainname", so its up-to to your login filter to take it and map it to LR user.

I mapped <username> part to ScreenName
So What I do is take the <username> and first check if user is already there, if not retrieve other properties from LDAP and create the user.
If user is already there, I simply create the LR session.

Hope this helps, please post back your findings.

--Sriram
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 10:01 AM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

Also which version of Liferay you are using ?
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 10:08 AM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

Thanks for your response.

I am able to see from the logs that kerberos is giving me the login correctly as you said.

"<username>@fully-qualified-domainname

The SpnegoAutoLogin class is supposed to map the kerberos principal returned to Liferay screen name. I might need to make some changes based on my troubleshooting. But, somehow right now SpnegoAutoLogin is not being called even though auto.login.hooks has a reference to that class. This is where I need some help. I don't know how the filter configured in web.xml calls the AutoLogin class configured in auto.login.hooks property in portal-ext.properties.

I am using Liferay 5.2.3 and Jboss 4.3 GA CP06.

Let me know if you need more info.

Thanks,
Kamal
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 10:58 AM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

I see that you have AutoLoginFilter setup. So it should work.

I would download the LR source and setup a debug session to walk thru.

The AutoLogin.java in the LR source calls the auto login hooks. So I am not sure whats happening here. I would definitely love the see the execution path in debugger.

AutoLogin

106 if ((remoteUser == null) && (jUserName == null)) {
107 for (String autoLoginHook : PropsValues.AUTO_LOGIN_HOOKS) {
108 AutoLogin autoLogin = (AutoLogin)InstancePool.get(
109 autoLoginHook);
110
111 try {
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 11:05 AM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

Thanks for your response. I am debugging the LR source code and spnego-filter source code in eclipse as we speak. I'll post my findings. The AutoLogin.java in the LR source code is an interface with login method signature. All the AutoLogin implementation classes that LR provides (e.g. CASAutoLogin, SiteMinderAutoLogin etc.) implements this interface. Can you double check which file it is that you are referring to?

Thanks again.

Kamal
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 11:08 AM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

http://svn.liferay.com/browse/portal/trunk/portal-impl/src/com/liferay/portal/servlet/filters/autologin/AutoLoginFilter.java?r=47025

1. Read thru processFilter method, it might give you some valuable points for troubleshooting.
2. Enable DEBUG settings for com.liferay.portal.servlet.filters.autologin
3. A quick debug with breakpoint on AutoLoginFilter.java will help you to narrow down.

What is the filter mapping for "Auto Login Filter" on web.xml.

From my understanding, AutoLoginFilter calls your custom hook.
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 11:09 AM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

This is the source code from AutoLogin.java

/**
* Copyright (c) 2000-2009 Liferay, Inc. All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

package com.liferay.portal.security.auth;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
* <a href="AutoLogin.java.html"><b><i>View Source</i></b></a>
*
* @author Brian Wing Shun Chan
*
*/
public interface AutoLogin {

/**
* Set a request attribute with this variable to tell the AutoLoginFilter to
* redirect the user to a specified location.
*/
public static final String AUTO_LOGIN_REDIRECT = "AUTO_LOGIN_REDIRECT";

public String[] login(
HttpServletRequest request, HttpServletResponse response)
throws AutoLoginException;

}

It looks like it expects to set the value for AUTO_LOGIN_REDIRECT using request.setAttribute. I am wondering whether it has to be done in the filter code or the code that implements AutoLogin interface. Also, what should be the value of this attribute?
Any ideas.
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 11:17 AM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

Thanks for your response.

Ok. It's AutoLoginFilter.java that you were referring to. I got confused with AutoLogin.java. I'll put a debug on that. Thanks for your suggestions.

The filter-mapping in web.xml for AutoLoginFilter is as below.

<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/fckeditor</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/layout</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/login</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/render_portlet</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/update_password</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/c/portal/update_reminder_query</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/group/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/user/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>Auto Login Filter</filter-name>
<url-pattern>/web/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 12:03 PM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

While debugging I found that I am getting "Basic" as the authentication scheme in the http header instead of "Negotiate". I checked my browser settings and the "Enable Integrated Windows Authentication" checkbox is selected. Is there anything else I need to set to change the authentication scheme from Basic to Negotiate?

Thanks,
Kamal
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 12:11 PM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

Are you getting prompted on the browser for Authentication ? or it Auto login you ?
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 12:19 PM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

I am getting prompted for the first time if I open a new IE window.

Also, I had a question regarding AutoLoginFilter. When you wrote your SPNEGO filter, did you extend the AutoLoginFilter or just Filter class. I was looking at other SSO filters that LR provides (e.g. NtlmFilter, CASFilter etc.) and they are extending some other filters but not AutoLoginFilter.

Let me know what you think.
Sriram Gopalan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 24, 2010 1:41 PM
Answer

Sriram Gopalan

Rank: Junior Member

Posts: 39

Join Date: July 13, 2008

Recent Posts

If the browser is prompting then the SPENGO filter is not doing its job. It should not prompt. I would first troubleshoot that.

Liferay provides filters to support some standard SSO(LDAP, NTLM, SiteMinder,etc..)
If your needs are to implement some custom sso then you use AutoLogin Filter and auto login hooks.

I run 4.2.2 in PRD. At that time we didn't have Kerberos support so I used AutoLogin Filter and autologin hooks to provide sso support.

We are in Development for 5.2 upgrade. Here I am using NTLM so no autologin hooks.
In your case since you are using SPENGO you have use auto login hooks method. I believe liferay has a kerberos filter with limited support. Sharepoint support is one i want to try out and there is no Kerberos support for it.

Hope this explains.
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 25, 2010 12:21 PM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

Since the spnego was not working correctly with the SpnegoHttpFilter from sourceforge, I am now using the IIS forwarding (using isapi_redirect) for the same. SPNEGO is working now as I don't get a login dialog box and I can see the request.getRemoteUser returning <DOMAIN_NAME>\<my user id>.

I started the jboss in debug mode and put a break point on AutoLoginFilter. The line
String remoteUser = request.getRemoteUser();
in AutoLoginFilter.java is returning <DOMAIN_NAME>\<my user id> as expected.

However, after that it calls the BaseFilter and returns a blank page and does not go to the SpnegoAutoLogin configured through auto.login.hooks. Looking at the code below from AutoLoginFilter.java, you will notice that the reason it doesn't call auto.login.hooks is because of the if condition. The if condition allows the AutoLoginFilter to call the SpnegoAutoLogin class configured in auto.login.hooks only when remoteUser is null. This doesn't make any sense to me. Let me know your thoughts.

String remoteUser = request.getRemoteUser();
String jUserName = (String)session.getAttribute("j_username");

if ((remoteUser == null) && (jUserName == null)) {
for (AutoLogin autoLogin : _autoLogins) {
try {
String[] credentials = autoLogin.login(request, response);
Kamal Pasha Shaikh
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
March 29, 2010 5:41 PM
Answer

Kamal Pasha Shaikh

Rank: New Member

Posts: 20

Join Date: March 16, 2010

Recent Posts

Hi Sriram,

I made a custom AutoLogin filter and changed the if condition in AutoLoginFilter.java from

if ((remoteUser == null) && (jUserName == null))

to

if ((remoteUser != null) || (jUserName != null))

By doing the above change, I was able to call my custom auto.login.hooks implementation when remoteUser was passed via the HTTP header. My SSO is working now using Kerberos SPNEGO.

The problem that I am having now is that when I sign out, I get the error message

ERROR [MainServlet:794] com.liferay.portal.NoSuchUserException: No User exists with the primary key 0

I have posted more details about this problem in another similar thread.

http://www.liferay.com/community/forums/-/message_boards/message/2564292?_19_redirect=%2Fcommunity%2Fforums%2F-%2Fmessage_boards%2Fsearch%3F_19_redirect%3D%252Fcommunity%252Fforums%26_19_breadcrumbsCategoryId%3D0%26_19_searchCategoryId%3D0%26_19_keywords%3DAntti%2BAhvenlampi

Any thoughts or ideas?
Jayson Ilagan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
August 16, 2012 7:08 PM
Answer

Jayson Ilagan

Rank: New Member

Posts: 7

Join Date: December 1, 2011

Recent Posts

We successfully implemented this configuration. Liferay -> CAS + SPNEGO + Kerberos ->LDAP

We are using:

Microsoft Windows Server 2008 R2 (Application Server)
Active Directory
Liferay 6.1 CE
CAS 3.4.11
Tomcat 7.0
JRE 1.6.19

1. First step, you must have or someone have access with the Domain Controller to set SPN at the same time creating of keytab file this is necessary to have trust link between the CAS server and KDC.

2. Prepare needed files such as: login.conf, kbr5.conf., Look for sample configuration then configure it as fit to your needs.

3. Configuration of your CAS. You need to configure your login-webflow.xml, cas-servlet, deployerConfigContext and lastly pom.xml that is located in Maven.
You also need to add necessary jar file to your CAS lib. That is being used in all the configuration you've done in CAS.

4. Configure your Liferay to CAS.

That all the step we did to accomplish this.
Thomas Ludescher
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
October 25, 2012 6:56 AM
Answer

Thomas Ludescher

Rank: New Member

Posts: 1

Join Date: October 25, 2012

Recent Posts

Hello Jayson,

can you please give some more details about the file changes, especially the /WEB-INF/login-webflow.xml file.

At https://wiki.jasig.org/display/CASUM/SPNEGO CAS wrote the following:
And 2 existing transitions need to be update:
In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by startAuthenticate
In the decision-state renewRequestCheck, replace reference to viewLoginForm by startAuthenticate


I am not sure what I should do with this. Can you give me a hint?

I get no error while starting, but during authentication I see some messages in the cas.log:
=============================================================
WHO: [username: user@OWNREALM]
WHAT: supplied credentials: [username:user@OWNREALM]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Oct 25 15:55:36 CEST 2012
CLIENT IP ADDRESS: 172.16.84.220
SERVER IP ADDRESS: 172.16.84.162
=============================================================

>
2012-10-25 15:55:36,845 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: user@OWNREALM]
WHAT: error.authentication.credentials.bad
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Oct 25 15:55:36 CEST 2012
CLIENT IP ADDRESS: 172.16.84.220
SERVER IP ADDRESS: 172.16.84.162
=============================================================



Thanks a lot
Ludi
Jayson Ilagan
RE: Re: [Liferay Forums][1. Installation / Deployment / Setup] RE: Kerberon
January 21, 2013 9:49 PM
Answer

Jayson Ilagan

Rank: New Member

Posts: 7

Join Date: December 1, 2011

Recent Posts

Hi Ludi,

for desicion state gatewayRequestCheck you can change else = generateLoginTicket
for desicion state renewRequestCheck you can change then = generateLoginTicket

Since we need to point them to startAuthenticate, And as you can see generateLoginTicket is pointing to startAuthenticate

Regards,
Jayson