Discussion Forums

CAS and Liferay users

Enrique José Cabal González, modified 14 years ago.

CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
Hi,

I am trying to integrate CAS and Liferay. My problem is that I can't log in with my previous Liferay users. So I need to integrate CAS with the Liferay database (lportal). I am using MySQL.

Can someone help me?

Thanks.
Shagul Khaja, modified 14 years ago.

RE: CAS and Liferay users

Liferay Master Posts: 758 Join Date: 27/09/07 Recent Posts
Hi,

The below link may be useful.

CAS SSO Liferay

One option is to configure CAS and Liferay to use LDAP. If not you may have to write your own handler to authenticate against Liferay database as explained in the above document.


Best Regards,
Shagul
Enrique José Cabal González, modified 14 years ago.

RE: CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
Hi,

Thanks for your answer. I am developing a small prototype on a test server, so I don't need to import users from LDAP, I only need users from "lportal".

Are you sure that I have to write my own handler? I've found this thread in the ja-sig wiki:

http://www.ja-sig.org/wiki/display/CASUM/Using+JDBC+for+Authentication

In theory we have to configure CAS server to use JDBC, so we can use our own database (in that case liferay's one). I hope it works, I will post when I try it.

Thanks.
Shagul Khaja, modified 14 years ago.

RE: CAS and Liferay users

Liferay Master Posts: 758 Join Date: 27/09/07 Recent Posts
If you are storing the password in Liferay in encrypted form (which is the default), you may have to encrypt the user entered password in CAS in a similar way before you can compare.

I think for your prototype you could just have Liferay store clear text password.


    ## Passwords
    ##

    #
    # Set the following encryption algorithm to encrypt passwords. The default
    # algorithm is SHA (SHA-1). If set to NONE, passwords are stored in the
    # database as plain text. The SHA-512 algorithm is currently unsupported.
    #
    #passwords.encryption.algorithm=CRYPT
    #passwords.encryption.algorithm=MD2
    #passwords.encryption.algorithm=MD5
    #passwords.encryption.algorithm=NONE
    passwords.encryption.algorithm=SHA
    #passwords.encryption.algorithm=SHA-256
    #passwords.encryption.algorithm=SHA-384
    #passwords.encryption.algorithm=SSHA




Best Regards,
Shagul
Enrique José Cabal González, modified 14 years ago.

RE: CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
I suppose that I have to write it in the portal-ext.properties.

If I remove the encryption, what happens to the users that are already in the database? Are their passwords decrypted? Or does it happen only with the new users that will be inserted in the database?

This is a good solution for a test environment, but if I work in a real one, can I encrypt the password in the CAS Server?

Sorry, I know that I ask a lot of questions...

Thanks!
Shagul Khaja, modified 14 years ago.

RE: CAS and Liferay users

Liferay Master Posts: 758 Join Date: 27/09/07 Recent Posts
Yes, the properties go in portal-ext.properties.

There is no decryption in place. Changing the algorithm will only affect the new users and may require others to change password.

As I mentioned earlier, you may have to write your own handler that will encrypt the password using the same algorithm as that of lportal before comparing with the string in database. You could borrow the classes from Liferay.

Take a look at UserLocalServiceImpl and other places (authenticators) where PwdEncryptor is used.


if (!user.isPasswordEncrypted()) {
	user.setPassword(PwdEncryptor.encrypt(user.getPassword()));
	user.setPasswordEncrypted(true);

	userPersistence.update(user, false);
}



Best Regards,
Shagul
Enrique José Cabal González, modified 14 years ago.

RE: CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
Now I am working without encryption but I am very interested in encrypting the password in the future. As I read in several forums there is a default handler in CAS Server.


<bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg index="0" value="MD5" />
</bean>


Do you know if it works fine? And which algorithms does it implement?

Thank you.
Shagul Khaja, modified 14 years ago.

RE: CAS and Liferay users

Liferay Master Posts: 758 Join Date: 27/09/07 Recent Posts
I don't think this would work. As I stated in my previous post, you have to encrypt and encode the password in a way similar to how it is done in the Liferay code before you can compare.



-Shagul
Enrique José Cabal González, modified 14 years ago.

RE: CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
I've been trying and it doesn't work, so finally I will have to write my own handler. Now I have to solve other problems, because CAS doesn't work fine.

Thank you very much for your help Shagul!
Shagul Khaja, modified 14 years ago.

RE: CAS and Liferay users

Liferay Master Posts: 758 Join Date: 27/09/07 Recent Posts
Most Welcome. We usually integrate CAS with LDAP and I don't have a sample or something to share with you.

Best,
Shagul
Bernardo Riveira Faraldo, modified 14 years ago.

RE: CAS and Liferay users

Regular Member Posts: 135 Join Date: 30/10/08 Recent Posts
We have made it; don't need to change Liferay password encryption from default

but you have to implement it in CAS; you need to use the SQL query adaptor for user+pass combination check that just makes a SELECT from the liferay User_ table, and add a java class that implements the Liferay password encryption

you just use that class instead of the org.jasig.cas.authentication.handler.DefaultPasswordEncoder CAS default

let me see if I can get it from here (I'm at home now)
Bernardo Riveira Faraldo, modified 14 years ago.

RE: CAS and Liferay users

Regular Member Posts: 135 Join Date: 30/10/08 Recent Posts
This is it; you just have to implement the SHA algorithm in the "encode()" method (in your class implementing the CAS PasswordEncoder interface)

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.io.UnsupportedEncodingException;
import org.jasig.cas.authentication.handler.*;

// CAS PasswordEncoder that produces Base64(SHA digest of the UTF-8 password),
// so the result can be compared with the value in Liferay's User_.password_.
public final class LiferayPasswordEncoder implements PasswordEncoder {

	public String encode(final String password) {
		MessageDigest digester = null;

		try {
			// "SHA" is the JCA alias for SHA-1
			digester = MessageDigest.getInstance("SHA");
			digester.update(password.getBytes("UTF-8"));
		}
		catch (NoSuchAlgorithmException nsae) {
			// Stop here: continuing would dereference a null digester below
			throw new IllegalStateException("LiferayPasswordEncoder - error algoritmo SHA no encontrado", nsae);
		}
		catch (UnsupportedEncodingException uee) {
			throw new IllegalStateException("LiferayPasswordEncoder - error codificando texto", uee);
		}

		byte[] bytes = digester.digest();

		return encodeBase64(bytes);
	}

	// Maps a 6-bit value to its character in the standard Base64 alphabet
	private static char getChar(int sixbit) {
		if (sixbit >= 0 && sixbit <= 25) {
			return (char)(65 + sixbit);
		}

		if (sixbit >= 26 && sixbit <= 51) {
			return (char)(97 + (sixbit - 26));
		}

		if (sixbit >= 52 && sixbit <= 61) {
			return (char)(48 + (sixbit - 52));
		}

		if (sixbit == 62) {
			return '+';
		}

		return sixbit != 63 ? '?' : '/';
	}

	// Encodes the whole array, three input bytes per four output characters
	private static String encodeBase64(byte raw[]) {
		StringBuilder encoded = new StringBuilder();

		for (int i = 0; i < raw.length; i += 3) {
			encoded.append(encodeBlock(raw, i));
		}

		return encoded.toString();
	}

	// Encodes up to three bytes starting at offset, padding a short final block with '='
	private static char[] encodeBlock(byte raw[], int offset) {
		int block = 0;
		int slack = raw.length - offset - 1;
		int end = slack < 2 ? slack : 2;

		for (int i = 0; i <= end; i++) {
			byte b = raw[offset + i];

			// Treat the byte as unsigned
			int neuter = b >= 0 ? ((int) (b)) : b + 256;
			block += neuter << 8 * (2 - i);
		}

		char base64[] = new char[4];

		for (int i = 0; i < 4; i++) {
			int sixbit = block >>> 6 * (3 - i) & 0x3f;
			base64[ i ] = getChar(sixbit);
		}

		if (slack < 1) {
			base64[2] = '=';
		}

		if (slack < 2) {
			base64[3] = '=';
		}

		return base64;
	}

}



For checking the Liferay database you use the QueryDatabaseAuthenticationHandler:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="dataSource" />
    <property name="sql" value="SELECT password_ FROM User_ WHERE screenName=?" />
    <property name="passwordEncoder" ref="passwordEncoder" />
</bean>



And the passwordEncoder:

<bean id="passwordEncoder" class="class.name.from.above.code.LiferayPasswordEncoder" />


And of course the database connection for the QueryDatabaseAuth....

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
      <value>com.mysql.jdbc.Driver</value>
    </property>
    <property name="url">
      <value>jdbc:mysql://your.database.server/liferay.database?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</value>
    </property>
    <property name="username"><value>your.liferay.db.username</value></property>
    <property name="password"><value>your.liferay.db.password</value></property>
  </bean>



Of course, change values for YOUR values (database name, user, pass, name of class above...)

Hope this helps!
Bernardo Riveira

UPDATED: liferay forum system is changing the code up there in unknown ways; it will not work if just copied and pasted because it changes an array index into italic "[ i ]"

so to be safe I just added a file to the post; remember to change the package name to where you're going to have it
Enrique José Cabal González, modified 14 years ago.

RE: CAS and Liferay users

New Member Posts: 12 Join Date: 11/01/10 Recent Posts
Thank you very much Bernardo,

I'm sure that it will be helpful for me and other people. What do you think about writing it in the wiki? Sometimes it's difficult to find this kind of thing in the forums.

I will try it as soon as possible and I will write my results here.

Regards.
Ajay Saharan, modified 11 years ago.

RE: CAS and Liferay users

New Member Posts: 18 Join Date: 25/02/09 Recent Posts
In which XML file do I have to enter the above configurations?
Nidhi Singh, modified 14 years ago.

RE: CAS and Liferay users

Regular Member Posts: 155 Join Date: 07/10/09 Recent Posts
Hi,

You can check this blog

Thanks
Nidhi Singh
Carlo Altarelli, modified 12 years ago.

RE: CAS and Liferay users

New Member Post: 1 Join Date: 23/08/11 Recent Posts
Hi,
Another way is to convert the Liferay password (ASCII representation of Base64-encoded SHA1) into the SHA1 string used by CAS.
And you can do this directly with a database function, if your Database Metadata Repository permits this.
For instance, if you deployed Liferay on Oracle Database, you can change the query of the Authentication Handler to the following:

select lower(UTL_ENCODE.BASE64_DECODE(utl_raw.CAST_TO_RAW(PASSWORD_))) from USER_ where lower(SCREENNAME) = lower(?)

So with CAS and Liferay on Oracle DB you can simply change your deployerConfigContext.xml with:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource" />
<property name="sql" value="select lower(UTL_ENCODE.BASE64_DECODE(utl_raw.CAST_TO_RAW(PASSWORD_))) from USER_ where lower(SCREENNAME) = lower(?)" />
<property name="passwordEncoder" ref="LFPasswordEncoder" />
</bean>

<bean id="LFPasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" p:characterEncoding="UTF-8" >
<constructor-arg index="0" value="SHA1" />
</bean>

Regards,
Carlo
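
Added example (not part of any post above, and not CAS or Liferay code): the two approaches in this thread differ only in how the same SHA-1 digest is written, Base64 in Liferay's User_.password_ column versus hex after the database-side decode. The class and method names are hypothetical, the sample password is constructed, and Java 8+ is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Hypothetical helper for checking a password against a Liferay-style stored hash.
public final class LiferayHashFormats {

    /** Raw SHA-1 digest of the UTF-8 password bytes (the "SHA" setting in the thread). */
    static byte[] sha1(String password) {
        try {
            return MessageDigest.getInstance("SHA-1")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    /** Lowercase hex of a digest, the form the Oracle query yields after lower(). */
    static String toHex(byte[] raw) {
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Checks a candidate password against a Base64 value as stored in User_.password_. */
    static boolean matches(String candidate, String storedBase64) {
        byte[] stored;
        try {
            stored = Base64.getDecoder().decode(storedBase64);
        } catch (IllegalArgumentException notBase64) {
            return false; // column value is not Base64 at all
        }
        if (stored.length != 20) {
            return false; // not a 20-byte SHA-1 digest, e.g. another algorithm or plain text
        }
        return MessageDigest.isEqual(stored, sha1(candidate)); // constant-time comparison
    }

    public static void main(String[] args) {
        // Constructed sample row: what the column would hold for the password "test"
        String stored = Base64.getEncoder().encodeToString(sha1("test"));
        System.out.println("Base64 (Liferay column): " + stored);
        System.out.println("Hex (after DB decode):   " + toHex(Base64.getDecoder().decode(stored)));
        System.out.println("correct password: " + matches("test", stored));
        System.out.println("wrong password:   " + matches("Test", stored));
    }
}
```

The length check makes rows that do not hold a 20-byte digest fail closed rather than being compared as if they were SHA-1, which matters if passwords.encryption.algorithm was ever changed on the Liferay side.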