uPortal extensions are implemented by providing an alternative SecurityContext implementation: org.jasig.portal.security.provider.cas.PasswordCachingCasFilteredSecurityContext.

Accessing clear-text credentials within uPortal

Within uPortal, the cleartext password can be accessed in exactly the same way as opaque credentials.

The modified security context will make cleartext passwords accessible to the IPrivileged channels via ISecurityContext.getOpaqueCredentialsInstance().

Portlets that need to access cleartext credentials can instruct the portal to place the password among the other user attributes by including the following declaration within portlet.xml:

<user-attribute>
  <description>User Password</description>
  <name>password</name>
</user-attribute>

For illustration and testing purposes, a modified version of FunctionalTestsPortlet has been configured in this way and extended to show the obtained password. The portlet is distributed in /uportal/FunctionalTestsPortlet and can be built using "mvn package"; the resulting war file can be deployed using the standard procedure.
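
An added example, not part of the original page or of uPortal: a Python audit that lists which deployed portlet applications declare the password user attribute shown above and therefore receive cleartext credentials. The `*/WEB-INF/portlet.xml` directory layout and the sample descriptor are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SENSITIVE = {"password"}  # user-attribute name from the declaration above

# Constructed sample descriptor (JSR-168 namespace); not taken from the page.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd" version="1.0">
  <portlet><portlet-name>FunctionalTestsPortlet</portlet-name></portlet>
  <user-attribute>
    <description>User Password</description>
    <name>password</name>
  </user-attribute>
  <user-attribute><name>user.name.given</name></user-attribute>
</portlet-app>"""

def _children(elem, name):
    """Direct children by local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    """Stripped text of the first child called `name`, or '' if absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_descriptor(xml_data):
    """Return (sensitive attributes requested, portlet names) for one descriptor."""
    root = ET.fromstring(xml_data)
    names = [_text(ua, "name") for ua in _children(root, "user-attribute")]
    portlets = [_text(p, "portlet-name") for p in _children(root, "portlet")]
    return sorted(n for n in names if n in SENSITIVE), portlets

def scan(webapps_dir):
    """Yield (path, attrs, portlets) for each web app requesting a sensitive attribute."""
    for path in sorted(Path(webapps_dir).glob("*/WEB-INF/portlet.xml")):
        try:
            attrs, portlets = audit_descriptor(path.read_bytes())
        except ET.ParseError as exc:
            # Report and keep going so one broken descriptor does not hide the rest.
            print(f"{path}: skipped, not well-formed ({exc})", file=sys.stderr)
            continue
        if attrs:
            yield path, attrs, portlets

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run on the constructed sample.
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else [("SAMPLE", *audit_descriptor(SAMPLE))]
    for path, attrs, portlets in hits:
        print(f"{path}: {attrs} requested; portlets: {portlets}")
```

User attributes are declared once per portlet application, so every portlet named in a flagged descriptor should be treated as able to read the password.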

Installation and required configuration changes

CAS extensions

CAS extensions are packaged as a maven2 patch on top of CAS 3.2.1.

  • Edit src/main/webapp/WEB-INF/cas-servlet.xml
    • Change the clearPassControllerUrl property (the last one) on the clearPassController bean to specify the URL at which the clearPass service will be accessible
    • Edit the enabledServices property of the clearPassServiceValidator bean to list all of the services that will be allowed to retrieve cleartext credentials. Note that the services must be listed by their ProxyReceptor (CasProxyServlet) URLs.
  • Add any additional required CAS configuration changes (e.g. LDAP config, skin customizations)
  • Run the "mvn package" command to create a war file in the target directory, then deploy the war file into the servlet container
  • Make sure that the SSL certificates used by the CAS-enabled applications (e.g. uPortal instances) are registered with the JVM that is being used to run CAS.

uPortal extensions

  • Make sure that the appropriate uPortal.jar is present in your Maven repository
  • Build the uportal.clearpass jar by running "mvn package" in the uportal-clearpass folder
  • Copy the uportal.clearpass jar to your uPortal lib folder
  • Edit properties/security.properties (these instructions assume you have already configured uPortal to use CAS)
    • See doc/security.properties.example for details
    • Replace the line "root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory" with the line "root.cas=org.jasig.portal.security.provider.cas.PasswordCachingCasFilteredSecurityContextFactory"
    • Add the CAS clearPass URL to the security.properties file: org.jasig.portal.security.provider.cas.PasswordCachingCasFilteredSecurityContextFactory.clearPassCasUrl=https://{cas.location}/clearPass
    • Make sure that uPortal is properly configured to utilize proxy tickets (i.e. CasProxyServlet is configured in WEB-INF/web.xml). If using clustered uPortal instances, configure ProxyEchoFilter to list all uPortal instances running in the cluster.