Versions Compared

Requirements

Wiki Markup
h2. Requirements

1. OpenCms is authenticated by CAS + LDAP.

...



2. OpenCms is authorized by CAS + LDAP.

...



3. Support OpenCms OU.

...



4. CAS

...

5. Validation URI can be customised, not /serviceValidate only.

6. Easy to extend the module to support CAS + DATABASE.

Environments

...

 will search  LDAP for groups and roles when validating, not authenticating.

5. Validation URI can be customised, not /serviceValidate only.

6. Easy to extend the module to support CAS + DATABASE.
\\

h1.


h2. Environments

Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms7.0.5, CAS3.3.1, OpenLDAP 2.4.12.

...

Login Procedure

Image Removed

Module Parameters

 Module parameters for authentication handler:

Code Block

\\

h2. Login Procedure

!opencms7.0.5-cas3.3.1-ldap.png!\\

h2. Module Parameters

*+ Module parameters for authentication handler:+*\\
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler

AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.

CasUrl: not required, default is https://localhost:8443/cas.

CasLoginUri: not required, the uri to CAS login, default is /login.

CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate.

CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null.

CasLogoutUri: not required, default is /logout.

 Module parameters for authorization handler:

Code Block

{code}

h2.

*+ Module parameters for authorization handler:+*\\
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler

GroupSearchDN: required, the group dn to resolve OpenCms OU. If not set, will use BaseDN.

RoleSearchDN: required, the role dn to resolve OpenCms role. If not set, will use BaseDN.

BaseDN: not required.

AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.

CasUrl: not required, default is https://localhost:8443/cas.

CasLoginUri: not required, the uri to CAS login, default is /login.

CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate.

CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null.

CasLogoutUri: not required, default is /logout.
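
Review bot: In the authorization handler block, `GroupSearchDN` and `RoleSearchDN` are marked "required" yet each says "If not set, will use BaseDN", while `BaseDN` itself is "not required", so a reader cannot tell which of the three must actually be present. State the rule once, for example that each search DN is optional when `BaseDN` is set and `BaseDN` is required otherwise. The first line of the block also keeps the key `AuthenticationHandler` for the value `cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler`; confirm whether that key is intended or was carried over from the authentication block.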

How to validate service ticket

 I use CAS 1.0 protocal to validate service ticket in the login procedure.

Code Block

String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
        	CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
        	if (ldapModule != null) {
        		String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
        		String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
        		String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
        		String serviceUrl = getRequest().getRequestURL().toString();
        		String url = URLEncoder.encode(serviceUrl, "UTF-8");
        		if (ticket == null) {
            		getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
            	} else {
            		// there's a ticket, we should validate the ticket
            		URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket + "&" + PARAM_SERVICE + "=" + url);
            		URLConnection conn = validateURL.openConnection();
        			InputStreamReader result = new InputStreamReader(conn.getInputStream(), "UTF-8");
        			BufferedReader reader = new BufferedReader(result);
        			String oneline = reader.readLine();
        			if (CmsStringUtil.isNotEmpty(oneline) && oneline.equals("yes")) {
    					// the ticket is true
    					m_username = reader.readLine().trim();
    					m_password = "cas_login";
    					m_actionLogin = "true";
            			reader.close();
            			result.close();
       				} else {
       					// the ticket is false, forward the request to cas login page
            			reader.close();
            			result.close();
                		getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
        			}
            	        }
        	}
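
Review bot: In the ticket branch, `ticket` is concatenated into `validateURL` exactly as received from the request, while `serviceUrl` is passed through `URLEncoder.encode`; a ticket value containing `&` or `=` would change the query string sent to CAS, so encode it the same way, `URLEncoder.encode(ticket, "UTF-8")`, before building the URL. The fallback for `CasValidateUri` here is "/validate" and the `oneline.equals("yes")` check reads the two-line CAS 1.0 reply, but the parameter list documents the default as /serviceValidate, whose CAS 2.0 reply is XML and would never equal "yes"; align the documented default with the code. The second `reader.readLine()` is also dereferenced with `.trim()` without a null check, and the reader is closed only on the two normal paths, so a truncated reply or an I/O error leaves the stream open.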

How to get the module and the source code

SVN:

{code}

h2. Add a new validate servlet to CAS


Here I use /authzValidate as the new validate servlet uri for an example.

h4. 1. Add /authzValidate in {cas_server}/WEB-INF/web.xml

{code}
	<!-- start service validate extensions -->
	<servlet-mapping>
		<servlet-name>cas</servlet-name>
		<url-pattern>/authzValidate</url-pattern>
	</servlet-mapping>
	<!-- end service validate extensions -->
{code}

h4. 2. Modify {cas_server}/WEB-INF/cas-servlet.xml

{code}
...

 				<!-- start service validate extensions -->
				<prop
					key="/authzValidate">
					authzValidateController
				</prop>
				<!-- end service validate extensions -->
...
	<!-- start service validate extensions -->
	<bean id="authzValidateController" class="org.jasig.cas.web.ServiceValidateController"
		p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
		p:centralAuthenticationService-ref="centralAuthorizationService"
		p:proxyHandler-ref="proxy20Handler"
		p:argumentExtractor-ref="casArgumentExtractor" />
	<!-- end service validate extensions -->
{code}
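
Review bot: In the `authzValidateController` bean, `p:centralAuthenticationService-ref` points at `centralAuthorizationService`, a bean id that none of the lines shown here declares, and the step 3 heading that follows stops at `{cas_server}` without naming a file. Say where `centralAuthorizationService` is defined, or, if the standard service is intended, reference its existing bean id so the context loads.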

h4.


h4. 3. Modify {cas_server}



h2. How to get the module and the source code

SVN:

[http://www.langhua.cn/langhua/modules/ldap/

...

]

Username:anon

...



Password:anon

...



ViewVC:

...



[http://www.langhua.cn/viewvc/svn/modules/ldap/

...

]

Shi Yusen/Beijing Langhua Ltd.

...



[http://langhua.org/

...

]
[http://langhua.biz/]