« Back to Single Sign-on

CAS Integration (Legacy)

(Redirected from Single SignOn - Integrating Liferay With CAS Server)

Introduction #

The following are a set of instructions for integrating Liferay Portal with CAS Server to setup single sign on (SSO) between Liferay and an existing web application.

Note: If you are using Liferay 4.3, you may want to read the Installation Guide instead of this article

Setting up CAS server #

We will begin with setting up JA-SIG CAS server on Tomcat 5.x.x.

Download cas-server WAR from Liferay's download page or the whole distribution from here and drop the cas-web.war file into Tomcat's webapps dir. In a production environment The CAS server should really run on its own tomcat instance but for testing purposes we'll drop it in the same instance as our Liferay portal.

We'll need to edit the server.xml file in tomcat and uncomment the SSL section to open up port 8443.

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

Setting up the CAS client #

Next we need to download the Yale CAS client from here. Get cas-client-2.0.11. Place the casclient.jar in ROOT/web-inf/lib of the Liferay install.

Generate the SSL cert with Java keytool #

Now that we have everything we need, it's time to generate an SSL cert for our CAS server. Instructions and more information on SSL certs can be found here

But I found some typos and errors on that page. So following the instructions below should get you what you need.

In any directory (I use my root) enter the command:

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

Note: Be sure to use the keytool that comes with the Java VM (%JAVA_HOME%/jre/bin/keytool), as on some systems the default points to the GNU version of keytool, where the two seem incompatible.

Answer the questions: (note that your firstname and lastname MUST be hostname of your server and cannot be a IP address; this is very important as an IP address will fail client hostname verification even if it is correct)

Enter keystore password:  changeit
What is your first and last name?
[Unknown]:  localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Then enter the command:

keytool -export -alias tomcat -keypass changeit -file %FILE_NAME% 

I use server.cert for %FILE_NAME%. This command exports the cert you generated from your personal keystore (In windows your personal keystore is in C:\Documents and Settings\<username>\.keystore)

Finally import the cert into Java's keystore with this command. Tomcat uses the keystore in your JRE (%JAVA_HOME%/jre/lib/security/cacerts)

keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

Startup the CAS server

Now you are ready to startup your CAS server. Simply startup Tomcat and access CAS with https://localhost:8443/cas-web/login You should see the CAS login screen and no errors in your catalina logs.

Setting up Liferay Portal #

web.xml #

Note: If you are using Liferay 4.2, this filter is already defined. All you have to do is modify the URL parameters, if your CAS server is at a different location.

It's time to move on to configuring Liferay. In the webapps/ROOT/WEB-INF/web.xml file you will need to add a new filter and its mapping directly above the first existing auto login filter mapping. This new filter we just added will redirect all login attempts to the CAS server. If your hostname is different you can modify the init-params accordingly.

<filter> 
	<filter-name>CAS Filter</filter-name> 
	<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> 
	<init-param> 
		<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> 
		<param-value>https://localhost:8443/cas-web/login</param-value> 
	</init-param> 
	<init-param> 
		<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> 
		<param-value>https://localhost:8443/cas-web/proxyValidate</param-value> 
	</init-param> 
	<init-param> 
		<param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name> 
		<param-value>http://localhost:8080/c/portal/login</param-value> 
	</init-param> 
</filter>

If you use a ...serviceUrl param like above, after logging in with CAS, the browser will be redirected back to that serviceUrl. However, you can change it to the following and it will redirect back to the full URL that was originally requested. This allows you to have a deep link (e.g. to a certain layout with parameters for a portlet even) that is preserved through the CAS login process:

    <init-param> 
       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> 
       <!-- omit the colon and port number if it doesn't show in the browser URL (i.e. when running on port 80) -->
       <param-value>localhost:8080</param-value> 
    </init-param> 
 <filter-mapping> 
    <filter-name>CAS Filter</filter-name> 
    <url-pattern>/c/portal/login</url-pattern> 
 </filter-mapping>

Then add the following to the rest of the auto login filters

 <filter-mapping> 
    <filter-name>Auto Login Filter</filter-name> 
    <url-pattern>/c/portal/login</url-pattern> 
    <dispatcher>FORWARD</dispatcher> 
    <dispatcher>INCLUDE</dispatcher> 
    <dispatcher>REQUEST</dispatcher> 
 </filter-mapping>

system-ext.properties #

Note: this is only needed in Liferay 4.2

Set the com.liferay.filters.sso.cas.CASFilter setting to true.

Place the following in system-ext.properties:

    #
    # The CAS filter will redirect the user to the CAS login page for SSO. See
    # http://www.ja-sig.org/products/cas for more information.
    #
    com.liferay.filters.sso.cas.CASFilter=true

portal-ext.properties #

Instructions for Liferay 4.2 #

Put this in portal-ext.properties.

 ##
 ## Auto Login
 ##
 #
 # Input a list of comma delimited class names that implement
 # com.liferay.portal.security.auth.AutoLogin. These classes will run in
 # consecutive order for all unauthenticated users until one of them return a
 # valid user id and password combination. If no valid combination is
 # returned, then the request continues to process normally. If a valid
 # combination is returned, then the portal will automatically login that
 # user with the returned user id and password combination.
 #
 # For example, com.liferay.portal.security.auth.BasicAutoLogin reads from a
 # cookie to automatically log in a user who previously logged in while
 # checking on the "Remember Me" box.
 #
 # This interface allows deployers to easily configure the portal to work
 # with other SSO servers. See com.liferay.portal.security.auth.CASAutoLogin
 # for an example of how to configure the portal with Yale's SSO server.
 #
 #auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin
 auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

Comment the first auto.login.hooks property and uncomment the second to add CASAutoLogin to the list of AutoLogin implementations.

Instructions for Liferay 4.3 #

Read the Installation Guide

Startup Liferay and Test #

Startup the portal and when the homepage loads up hit the login link. If all goes well you should be redirected to the CAS server's login screen. Login to CAS with liferay.com.1 as your username and liferay.com.1 as your password. You should now be logged into the portal.

Next steps #

If the above test worked, you already have a CAS server installed and integrated with Liferay. The next steps are more related to properly configuring the CAS server than with Liferay. That's out of the scope of this article but we'll give a very brief summary.

By integrating the CAS server, Liferay is no longer responsible for authenticating the users, it just trusts that the CAS server authenticates them properly. The CAS server has configurable strategies for authenticating users. So far the default one has been used, which just authenticates the user if the user and password are the same. That's completely unsecure so other options need to be considered before installing in a production environment. Some reasonable options would be:

  • To authenticate with LDAP: The CAS server includes an authentication handler for LDAP. You can read about it in http://www.ja-sig.org/products/cas/server/ldapauthhandler/index.html or http://www.ja-sig.org/wiki/display/CASUM/LDAP. If this option is chosen it is recommended that you also configure Liferay to authenticate against LDAP using the instructions in: LDAP. Then you'll need to provide some way to synchronize the users between LDAP and Liferay's database. Two options are:
    • Set up the automatic importer (see LDAP, available since v4.2)
  • To authenticate with the portal's database: It is possible to develop your own CAS authentication handler that uses the information present in Liferay's database. One way of doing this would be using Liferay's services to authenticate the user.
  • To authenticate against another user store: in this case you'll also need to write your own CAS authentication handler and also provide Liferay some way to add the user entries in its own database.

Some other steps that you might want to follow are:

Also, check the references at the end of the article for more information.

Troubleshooting #

If you have the following error when you introduce user and password in CAS page:

[ERROR] CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[ERROR] CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
ERROR [CASFilter:148] javax.servlet.ServletException: Unable to validate ProxyTicketValidator
javax.servlet.ServletException: Unable to validate ProxyTicketValidator

The problem is the digital certificate. You must check the version of JVM that Tomcat uses, you can see that in the log when you type startup to start Tomcat, and you must export the digital certificate in the cacerts of that JVM.

Note: By default in Windows Liferay uses its JVM that you can find in %LIFERAY_HOME%\tomcatxx\jre1.5_17, so you must export the digital certificate in %LIFERAY_HOME%\tomcatxx\jre1.5_17\win\lib\security\cacerts

If you created a cert with the %FILE_NAME%, you'll probably run into problems. Here are 2 commands to delete the tomcat alias from the keystore so you can start fresh:

 keytool -delete -alias tomcat -keystore %JAVA_HOME%/jre/lib/security/cacerts
 keytool -delete -alias tomcat -file server.cert
  • You may not be able to get https://localhost:8443/cas up and running after the cert key generation. If so, skip the test and try it after you've finished all the steps. If you can't login at that point, you've probably generated your cert incorrectly.
  • I've had problems with certs on IE7, make sure you try it out on Firefox and Opera.
  • Your certificate must be trusted. If you created a self-signed certificate, you must add it to your truststore. I mistakenly thought I could define the truststore settings on my Tomcat SSL Connector. That didn't work because CAS was redirecting (after logging in) to a non-SSL page. Since the HTTP connector didn't know to trust the self-signed certificate, I got the 'sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' error. My solution was to follow the guidelines in the JSSE Reference Guide and define the truststore in the JAVA_OPTS (-Djavax.net.ssl.trustStore=/path/to/custom/truststore). I created both a custom keystore (needed by the SSL Connector and specified either in the Connector config or the JAVA_OPTS) and custom truststore.

References #

  • Lifecast: CAS Setup - Integrate Liferay Portal with a CAS server to access multiple applications with a single sign on.

Related Articles #

Liferay 4.x.x Portal Architecture

LDAP

Acegi Security for Liferay

CAS, LDAP and Liferay 5.2.x

0 Attachments
106098 Views
Average (1 Vote)
The average rating is 4.0 stars out of 5.
Comments
Threaded Replies Author Date
Liferay still uses the old CAS2 (Yale) client.... Boris Niyazov March 18, 2009 3:46 PM
The above steps seem to work fine. The only... Satish Iyer July 9, 2009 7:30 AM
I'm having the same issue. Have you managed to... Jerome Munchenberg September 3, 2009 7:02 PM
I wonder if anyone would mind updating this... Kirk Stork August 2, 2010 6:49 PM
Nice article for starting up Shivam Aggarwal February 23, 2012 3:48 AM
Thanks ..I followed the steps and it worked... Suavsis Pattanaik August 21, 2012 6:26 AM

Liferay still uses the old CAS2 (Yale) client. JA-SIG implemented a new version 3 of CAS (server and client) which is a big improvement over version 2. However, Liferay didn't adapt the new client in its development (at least for the current version 5.2.2 at the time of this writing). This creates some issues, one of the major ones is Single Sign Out. When a user signs out from other applications (or CAS server directly) Liferay still keeps the user's session that creates security problem. The CAS 3 server, in fact sends callback upon user logout to all authenticated clients that can use the callback to invalidate their sessions.

Hope Liferay developers take this into consideration.
Posted on 3/18/09 3:46 PM.
The above steps seem to work fine.
The only issue I have is that the redirection is from a https port to a http port.
How do I maintain the secure connection (i.e https)?

using localhost:<secure port number> (for serverName parameter)
or https://localhost:<secure port number>/c/portal/login (for serviceUrl) doesn't seem to work.
Posted on 7/9/09 7:30 AM.
I'm having the same issue. Have you managed to resolve it?
Posted on 9/3/09 7:02 PM in reply to Satish Iyer.
I wonder if anyone would mind updating this page for current versions of Liferay....
Posted on 8/2/10 6:49 PM.
Nice article for starting up
Posted on 2/23/12 3:48 AM.
Thanks ..I followed the steps and it worked fine for me. I am using liferay 6.1.0 with cas server 3.4.12 and cas client 2.3.1.
Do I need to follow the same steps to integrate with liferay 6.1.1?
Posted on 8/21/12 6:26 AM in reply to shivam aggarwal.