Enrique José Cabal González
CAS and Liferay users
January 21, 2010 4:26 AM
Rank: New Member

Posts: 12

Join Date: January 11, 2010

Hi,

I am trying to integrate CAS and Liferay. My problem is that I can't log in with my previous Liferay users. So I need to integrate CAS with the Liferay database (lportal). I am using MySQL.

Can someone help me?

Thanks.
Shagul Khajamohideen
RE: CAS and Liferay users
January 21, 2010 7:03 AM
Rank: Liferay Master

Posts: 759

Join Date: September 27, 2007

Hi,

The below link may be useful.

CAS SSO Liferay

One option is to configure CAS and Liferay to use LDAP. If not, you may have to write your own handler to authenticate against the Liferay database as explained in the above document.


Best Regards,
Shagul
Enrique José Cabal González
RE: CAS and Liferay users
January 22, 2010 12:51 AM

Hi,

Thanks for your answer. I am developing a small prototype in a test server, so I don't need to import users from LDAP, I only need users from "lportal".

Are you sure that I have to write my own handler? I've found this thread in the ja-sig wiki:

http://www.ja-sig.org/wiki/display/CASUM/Using+JDBC+for+Authentication

In theory we have to configure CAS server to use JDBC, so we can use our own database (in that case liferay's one). I hope it works, I will post when I try it.

Thanks.
Shagul Khajamohideen
RE: CAS and Liferay users
January 22, 2010 1:45 AM

If you are storing the password in Liferay in encrypted form (which is the default), you may have to encrypt the user-entered password in CAS in a similar way before you can compare.

I think for your prototype you could just have Liferay store clear text password.

## Passwords
##

    #
    # Set the following encryption algorithm to encrypt passwords. The default
    # algorithm is SHA (SHA-1). If set to NONE, passwords are stored in the
    # database as plain text. The SHA-512 algorithm is currently unsupported.
    #
    #passwords.encryption.algorithm=CRYPT
    #passwords.encryption.algorithm=MD2
    #passwords.encryption.algorithm=MD5
    #passwords.encryption.algorithm=NONE
    passwords.encryption.algorithm=SHA
    #passwords.encryption.algorithm=SHA-256
    #passwords.encryption.algorithm=SHA-384
    #passwords.encryption.algorithm=SSHA



Best Regards,
Shagul
Enrique José Cabal González
RE: CAS and Liferay users
January 22, 2010 2:31 AM

I suppose that I have to write it in the portal-ext.properties.

If I remove the encryption, what happens with the users that are already in the database? Are their passwords decrypted? Or does it happen only with the new users that will be inserted in the database?

This is a good solution for a test environment, but if I work in a real one, can I encrypt the password in the CAS Server?

Sorry, I know that I ask a lot of questions...

Thanks!
Shagul Khajamohideen
RE: CAS and Liferay users
January 22, 2010 4:59 AM

Yes, the properties go in portal-ext.properties.

There is no decryption in place. Changing the algorithm will only affect the new users and may require others to change password.

As I mentioned earlier, you may have to write your own handler that will encrypt the password using the same algorithm as that of lportal before comparing with the string in database. You could borrow the classes from Liferay.

Take a look at UserLocalServiceImpl and other places (authenticators) where PwdEncryptor is used.

if (!user.isPasswordEncrypted()) {
    user.setPassword(PwdEncryptor.encrypt(user.getPassword()));
    user.setPasswordEncrypted(true);

    userPersistence.update(user, false);
}


Best Regards,
Shagul
Enrique José Cabal González
RE: CAS and Liferay users
January 25, 2010 12:51 AM

Now I am working without encryption but I am very interested in encrypting the password in the future. As I read in several forums there is a default handler in CAS Server.

<bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg index="0" value="MD5"/>
</bean>


Do you know if it works fine? And which algorithms does it implement?

Thank you.
Shagul Khajamohideen
RE: CAS and Liferay users
January 25, 2010 4:44 AM

I don't think this would work. As I stated in my previous post, you have to encrypt/encode the password in a way similar to how it is done in Liferay code before you can compare.



-Shagul
Enrique José Cabal González
RE: CAS and Liferay users
January 25, 2010 5:36 AM

I've been trying and it doesn't work, so finally I will have to write my own handler. Now I have to solve other problems, because CAS doesn't work fine.

Thank you very much for your help Shagul!
Shagul Khajamohideen
RE: CAS and Liferay users
January 25, 2010 7:22 AM

Most Welcome. We usually integrate CAS with LDAP and I don't have a sample or something to share with you.

Best,
Shagul
Bernardo Riveira Faraldo
RE: CAS and Liferay users
January 25, 2010 12:20 PM
Rank: Regular Member

Posts: 136

Join Date: October 30, 2008

We have made it; don't need to change Liferay password encryption from default

but you have to implement it in CAS; you need to use the SQL query adaptor for user+pass combination check that just makes a SELECT from the liferay User_ table, and add a java class that implements the Liferay password encryption

you just use that class instead of the org.jasig.cas.authentication.handler.DefaultPasswordEncoder CAS default

let me see if I can get it from here (I'm at home now)
Bernardo Riveira Faraldo
RE: CAS and Liferay users
January 25, 2010 1:49 PM

This is it; you just have to implement the SHA algorithm in the "encode()" method (in your class implementing the CAS PasswordEncoder interface)

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.io.UnsupportedEncodingException;
import org.jasig.cas.authentication.handler.*;

// CAS PasswordEncoder producing the Base64 of the SHA-1 digest of the UTF-8
// password bytes, so the result can be compared with Liferay's User_.password_.
public final class LiferayPasswordEncoder implements PasswordEncoder {

    public String encode(final String password) {
        MessageDigest digester;

        try {
            digester = MessageDigest.getInstance("SHA");
            digester.update(password.getBytes("UTF-8"));
        }
        catch (NoSuchAlgorithmException nsae) {
            // Fail the attempt here instead of continuing with a null digester.
            throw new IllegalStateException("LiferayPasswordEncoder - error algoritmo SHA no encontrado", nsae);
        }
        catch (UnsupportedEncodingException uee) {
            throw new IllegalStateException("LiferayPasswordEncoder - error codificando texto", uee);
        }

        byte[] bytes = digester.digest();

        return encodeBase64(bytes);
    }

    // Maps a 6-bit value to its character in the standard Base64 alphabet.
    private static char getChar(int sixbit) {
        if (sixbit >= 0 && sixbit <= 25) {
            return (char)(65 + sixbit);
        }

        if (sixbit >= 26 && sixbit <= 51) {
            return (char)(97 + (sixbit - 26));
        }

        if (sixbit >= 52 && sixbit <= 61) {
            return (char)(48 + (sixbit - 52));
        }

        if (sixbit == 62) {
            return '+';
        }

        return sixbit != 63 ? '?' : '/';
    }

    // Encodes the digest three bytes at a time.
    private static String encodeBase64(byte raw[]) {
        StringBuilder encoded = new StringBuilder();

        for (int i = 0; i < raw.length; i += 3) {
            encoded.append(encodeBlock(raw, i));
        }

        return encoded.toString();
    }

    // Encodes up to three bytes starting at offset into four Base64 characters,
    // padding with '=' when fewer than three bytes remain.
    private static char[] encodeBlock(byte raw[], int offset) {
        int block = 0;
        int slack = raw.length - offset - 1;
        int end = slack < 2 ? slack : 2;

        for (int i = 0; i <= end; i++) {
            byte b = raw[offset + i];

            // Treat the signed byte as an unsigned value (0..255).
            int neuter = b >= 0 ? ((int) (b)) : b + 256;
            block += neuter << 8 * (2 - i);
        }

        char base64[] = new char[4];

        for (int i = 0; i < 4; i++) {
            int sixbit = block >>> 6 * (3 - i) & 0x3f;
            base64[i] = getChar(sixbit);
        }

        if (slack < 1) {
            base64[2] = '=';
        }

        if (slack < 2) {
            base64[3] = '=';
        }

        return base64;
    }

}



For checking the Liferay database you use the QueryDatabaseAuthenticationHandler:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="dataSource" />
    <property name="sql" value="SELECT password_ FROM User_ WHERE screenName=?" />
    <property name="passwordEncoder" ref="passwordEncoder"/>
</bean>



And the passwordEncoder:

<bean id="passwordEncoder" class="class.name.from.above.code.LiferayPasswordEncoder" />


And of course the database connection for the QueryDatabaseAuth....

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
      <value>com.mysql.jdbc.Driver</value>
    </property>
    <property name="url">
      <value>jdbc:mysql://your.database.server/liferay.database?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</value>
    </property>
    <property name="username"><value>your.liferay.db.username</value></property>
    <property name="password"><value>your.liferay.db.password</value></property>
</bean>



Of course, change values for YOUR values (database name, user, pass, name of class above...)

Hope this helps!
Bernardo Riveira

UPDATED: liferay forum system is changing the code up there in unknown ways; it will not work if just copied and pasted because it changes an array index into italic "[ i ]"

so to be safe I just added a file to the post; remember to change the package name to where you're going to have it
Attachments: LiferayPasswordEncoder.java (2.1k)
Enrique José Cabal González
RE: CAS and Liferay users
January 26, 2010 12:53 AM

Thank you very much Bernardo,

I'm sure that it will be helpful for me and other people. What do you think about writing it in the wiki? Sometimes it's difficult to find this kind of thing in the forums.

I will try it as soon as possible and I will write my results here.

Regards.
Nidhi Singh
RE: CAS and Liferay users
April 19, 2010 12:06 AM
LIFERAY STAFF

Rank: Regular Member

Posts: 155

Join Date: October 7, 2009

Hi,

You can check this blog

Thanks
Nidhi Singh
Carlo Altarelli
RE: CAS and Liferay users
August 23, 2011 12:30 AM
Rank: New Member

Posts: 1

Join Date: August 23, 2011

Hi,
Another way is to convert the Liferay password (ASCII representation of Base64-encoded SHA1) into the SHA1 string used by CAS.
You can do this directly with a database function, if your Database Metadata Repository permits this.
For instance, if you deployed Liferay on Oracle Database, you can change the query of the Authentication Handler to the following:

select lower(UTL_ENCODE.BASE64_DECODE(utl_raw.CAST_TO_RAW(PASSWORD_))) from USER_ where lower(SCREENNAME) = lower(?)

So with CAS and Liferay on Oracle DB you can simply change your deployerConfigContext.xml with:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource" />
<property name="sql" value="select lower(UTL_ENCODE.BASE64_DECODE(utl_raw.CAST_TO_RAW(PASSWORD_))) from USER_ where lower(SCREENNAME) = lower(?)" />
<property name="passwordEncoder" ref="LFPasswordEncoder" />
</bean>

<bean id="LFPasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" p:characterEncoding="UTF-8" >
<constructor-arg index="0" value="SHA1" />
</bean>

Regards,
Carlo
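
The two hash forms discussed in this thread, side by side, as an added example that is not code from any of the posters, Liferay or CAS: Bernardo's encoder produces the Base64 form Liferay stores, while Carlo's query converts that stored value into a hex string. The class name, method names and the sample row (password "test") are constructed for illustration, and it uses java.util.Base64 (Java 8+) instead of the hand-written encoder above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public final class LiferayHashFormats {

    // Raw SHA-1 digest of the UTF-8 password bytes (unsalted, as in this thread).
    static byte[] sha1(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Form stored in User_.password_ with passwords.encryption.algorithm=SHA.
    static String liferayForm(byte[] digest) {
        return Base64.getEncoder().encodeToString(digest);
    }

    // Lowercase hex, the form the Oracle query above derives from the stored value.
    static String hexForm(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // Decode the stored Base64 value and compare the digests in constant time.
    static boolean matches(String candidate, String storedBase64) throws NoSuchAlgorithmException {
        byte[] stored;
        try {
            stored = Base64.getDecoder().decode(storedBase64);
        } catch (IllegalArgumentException e) {
            return false; // not Base64: the row uses another algorithm or clear text
        }
        return MessageDigest.isEqual(sha1(candidate), stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = "qUqP5cyxm6YcTAhz05Hph5gvu9M="; // constructed sample row: password "test"
        byte[] digest = Base64.getDecoder().decode(stored);
        System.out.println("hex form of stored row : " + hexForm(digest));
        System.out.println("Base64 round trip equal: " + liferayForm(digest).equals(stored));
        System.out.println("hex string == stored   : " + hexForm(sha1("test")).equals(stored));
        System.out.println("\"test\" matches         : " + matches("test", stored));
        System.out.println("\"Test\" matches         : " + matches("Test", stored));
    }
}
```

The hex string and the stored Base64 string carry the same digest but never compare equal as text, so one side has to be converted before the comparison, either in the encoder or in the query.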
Ajay Saharan
RE: CAS and Liferay users
April 19, 2013 1:26 AM
Rank: New Member

Posts: 17

Join Date: February 25, 2009

In which XML file do I have to enter the above configurations?