Michal Kalkowski
Better CAS/Liferay Integration
September 17, 2010 10:30 AM

Hi All,

I think there are some possibilities to improve this kind of integration. I will describe my scenario below to give you an idea of what I am thinking about:

Now:

0. Liferay uses CAS to authenticate users.
1. User account is not present in the LR database.
2. User logs in successfully, but an enormous stack trace is printed that basically says there is no account present for the said user. The user is presented with the login form (screen_name/pass).

I know, the solution is to use the LDAP import procedure, which fetches the data that is necessary to create a new account (name, surname, email, etc.) from the LDAP server. So we would need to set up firewall rules to enable this kind of traffic. Also, we would probably need to make LDAP use SSL/TLS.

Future?:

CAS is able to fetch these attributes for an application. Data would magically appear on the Liferay side after validating the ticket. LR would never have the need to access LDAP (unless you're importing groups, however I am wondering if CAS could do it as well).

A great benefit of this solution would be that Liferay would not need to store a password to LDAP.

Sample code: http://helpdesk.ugent.be/webhosting/en/cas.php#java

Regards,
MK.
Jorge Ferrer
RE: Better CAS/Liferay Integration
September 20, 2010 4:28 AM
LIFERAY STAFF

Hi Michal,

Thanks for your suggestion.

For 6.1, we are evaluating a deeper integration with CAS or even to implement SSO functionality inside Liferay for cases like yours in which an external user repository is not desired.

I've also known of some projects that solve a similar challenge by creating a plugin for CAS that queried users directly from Liferay's database, although I don't know the tech details about how they achieved it.
Baptiste Grenier
RE: Better CAS/Liferay Integration
September 20, 2010 6:06 AM

Michal Kalkowski:
CAS is able to fetch these attributes for an application. Data would magically appear on the Liferay side after validating the ticket. LR would never have the need to access LDAP (unless you're importing groups, however I am wondering if CAS could do it as well).

Hello,
By developing a custom Liferay AutoLogin hook and updating the filters in the web.xml, I was able to achieve such a behaviour (the attributes used for the creation of the local user are retrieved from the SAML assertion).

Regards,
Baptiste
Michal Kalkowski
RE: Better CAS/Liferay Integration
September 20, 2010 9:34 AM

Hi Jorge, Baptiste,

Jorge, it is good to hear that Liferay plans to make this kind of integration better. I look forward to seeing some changes in this area. Do you know of any related Jira issues that I could subscribe to?

Baptiste, thanks for your input. I have considered writing a custom AutoLogin hook, but decided to stick with Liferay's way of importing users. It would be nice to have an official AutoLogin hook in the distribution. Perhaps Jorge would be interested in your code.

Regards,
Michal.
T Hoon
RE: Better CAS/Liferay Integration
November 19, 2010 1:24 PM

Baptiste Grenier:

By developing a custom Liferay AutoLogin hook and updating the filters in the web.xml, I was able to achieve such a behaviour (the attributes used for the creation of the local user are retrieved from the SAML assertion).


Hello Baptiste,

Could you share how you accomplished this? Also, how are you handling the creation of new accounts? I appreciate any insight on this.
James Falkner
RE: Better CAS/Liferay Integration
November 19, 2010 1:32 PM
LIFERAY STAFF

Doesn't Liferay's out-of-box support for OpenSSO create the accounts by retrieving user attributes from OpenSSO? You could model the code for CAS similarly on the OpenSSO code.
Baptiste Grenier
RE: Better CAS/Liferay Integration
November 22, 2010 2:08 AM

Basically I created two classes, PandoraAuthUtil.java and PandoraAutoLogin.java (based on how the stock CAS plugin was done; I also checked org.jasig.cas.client.util.HttpServletRequestWrapperFilter, but the OpenSSO plugin could also be a good starting point).
PandoraAutoLogin implements AutoLogin; the most important code, which gives access to the attributes, is in the login method:
final HttpSession session = request.getSession();
final Assertion assertion = (Assertion) (session == null ? request.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION) : session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION));
final Principal principal = (assertion == null ? null : assertion.getPrincipal());
String screenName = (principal == null ? null : principal.getName());
if (principal != null) {
  final AttributePrincipal attrsPrincipal = (AttributePrincipal) principal;
  final Map<String, String> attributes = attrsPrincipal.getAttributes();
  if (_log.isDebugEnabled()) {
    if (attributes != null) {
      _log.debug("Dumping " + attributes.size() + " attributes...");
      final Iterator<Entry<String, String>> it = attributes.entrySet().iterator();
      while (it.hasNext()) {
        final Map.Entry<String, String> pairs = it.next();
        _log.debug(pairs.getKey() + " = " + pairs.getValue());
      }
    }
  }
}

Then, if the user does not exist, he is created; otherwise he is updated.

These are distributed as a jar that is added to the webapps/ROOT/WEB-INF/lib dir (the OpenSAML jar too).

In the portal-ext.properties:
auto.login.hooks=org.pandora.clients.liferay.auth.PandoraAutoLogin

In the WEB-INF/web.xml:
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://XXXXXXXXXXXXXX/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>YYYYYYYYYY</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://XXXXXXXXXX/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>YYYYYYYYYYYY</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
(...)
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/c/portal/logout</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/c/portal/login</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/c/portal/logout</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
(...)
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>


And I think that's all. It's certainly not perfect but it does what we want/need.

Regards,
Baptiste
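The post above describes the approach but not the full hook, so here is an added example of a complete AutoLogin hook built on the same idea. It is not Baptiste's PandoraAutoLogin code and not part of Liferay or the Jasig CAS client; the class and package names, the attribute names mail/givenName/sn, and the UserLocalServiceUtil.addUser signature (taken as the Liferay 6.0.x one) are assumptions to be checked against your own CAS attribute release policy and portal version. The points it adds to the snippet above: it never creates a session just to look for an assertion, it reads identity data only from the assertion that the validation filter stored (never from request parameters), it rejects a principal name that does not fit a conservative screen-name policy, it refuses to create a half-populated account when required attributes are missing, and it logs attribute keys but not values.

```java
package org.example.liferay.auth; // hypothetical package, not the poster's

import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;
import com.liferay.portal.NoSuchUserException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.auth.AutoLoginException;
import com.liferay.portal.service.ServiceContext;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

/** AutoLogin hook that provisions the local account from the attributes of a CAS-validated SAML assertion. */
public class CasAttributeAutoLogin implements AutoLogin {

    private static final Log _log = LogFactoryUtil.getLog(CasAttributeAutoLogin.class);

    // Attribute names released by the CAS server: assumed, align them with your CAS attribute release policy.
    private static final String ATTR_MAIL = "mail";
    private static final String ATTR_GIVEN_NAME = "givenName";
    private static final String ATTR_SURNAME = "sn";

    // The principal name becomes the Liferay screen name (used in URLs and lookups): accept a conservative charset only.
    private static final Pattern SCREEN_NAME = Pattern.compile("[a-z0-9._-]{2,64}");

    public String[] login(HttpServletRequest request, HttpServletResponse response)
            throws AutoLoginException {
        try {
            // getSession(false) never creates a session; a request that was not CAS-validated simply has no assertion.
            HttpSession session = request.getSession(false);
            Object raw = (session != null)
                ? session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION)
                : request.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
            if (!(raw instanceof Assertion)) {
                return null; // not ours: leave the request to other hooks or the login form
            }
            AttributePrincipal principal = ((Assertion) raw).getPrincipal();
            String screenName = (principal == null) ? null : principal.getName();
            if (screenName == null || !SCREEN_NAME.matcher(screenName).matches()) {
                _log.warn("CAS principal name rejected by screen-name policy");
                return null;
            }

            // Identity data comes only from the validated assertion, never from request parameters.
            Map<?, ?> attributes = principal.getAttributes();
            String mail = attribute(attributes, ATTR_MAIL);
            String firstName = attribute(attributes, ATTR_GIVEN_NAME);
            String lastName = attribute(attributes, ATTR_SURNAME);
            if (_log.isDebugEnabled() && attributes != null) {
                _log.debug("CAS released attributes: " + attributes.keySet()); // keys only, keeps PII out of the logs
            }

            long companyId = PortalUtil.getCompanyId(request);
            User user;
            try {
                user = UserLocalServiceUtil.getUserByScreenName(companyId, screenName);
            } catch (NoSuchUserException nsue) {
                // Refuse to create a half-populated account; missing attributes point to a misconfigured release policy.
                if (mail == null || !Validator.isEmailAddress(mail) || firstName == null || lastName == null) {
                    _log.warn("Not auto-creating '" + screenName + "': required CAS attributes missing or invalid");
                    return null;
                }
                user = createUser(companyId, screenName, mail, firstName, lastName, request);
            }

            // Liferay expects [userId, password, "true" when the password is already encrypted].
            return new String[] {
                String.valueOf(user.getUserId()), user.getPassword(), Boolean.TRUE.toString()
            };
        } catch (Exception e) {
            throw new AutoLoginException(e);
        }
    }

    // CAS client 3.1 returns a raw Map, later versions Map<String, Object>; treat every value as an Object.
    private static String attribute(Map<?, ?> attributes, String name) {
        Object value = (attributes == null) ? null : attributes.get(name);
        if (value == null) return null;
        String s = String.valueOf(value).trim();
        return s.isEmpty() ? null : s;
    }

    // addUser signature as in Liferay 6.0.x (assumed; check it against the portal version actually installed).
    private static User createUser(long companyId, String screenName, String mail,
            String firstName, String lastName, HttpServletRequest request) throws Exception {
        return UserLocalServiceUtil.addUser(
            0L, companyId,
            true, null, null,                  // autoPassword: the portal generates a random password, no LDAP password is stored
            false, screenName, mail, 0L, "",   // explicit screen name, email, no Facebook id / OpenID
            request.getLocale(),
            firstName, "", lastName,
            0, 0, true, 0, 1, 1970, "",        // no prefix/suffix, male flag, birthday 1 Jan 1970, no job title
            null, null, null, null,            // groups, organizations, roles, user groups
            false, new ServiceContext());      // don't send the welcome e-mail
    }
}
```

Register it exactly as in the post above (auto.login.hooks= in portal-ext.properties pointing at this class) and keep the CAS validation filter mapped on /c/portal/login in front of it, because the hook trusts nothing it did not find under AbstractCasFilter.CONST_CAS_ASSERTION. The null return on a missing or malformed attribute is deliberate: failing closed to the normal login form is safer than silently provisioning an account with a guessed e-mail address.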
Aasif Bihari
RE: Better CAS/Liferay Integration
June 13, 2013 3:05 AM

Baptiste Grenier:
Basically I created two classes, PandoraAuthUtil.java and PandoraAutoLogin.java (based on how the stock CAS plugin was done; I also checked org.jasig.cas.client.util.HttpServletRequestWrapperFilter, but the OpenSSO plugin could also be a good starting point).
PandoraAutoLogin implements AutoLogin; the most important code, which gives access to the attributes, is in the login method:
(...)


Hi Baptiste,
Can you please share the code of the hook with me, and also the settings you did in CAS? My email id is aasifzia786@gmail.com