h2. Requirements

1. OpenCms is authenticated by CAS + LDAP.
2. OpenCms is authorized by CAS + LDAP.
3. Support OpenCms OU.
4. CAS will search LDAP for groups and roles when validating, not authenticating.
5. Validation URI can be customised, not /serviceValidate only.
6. Easy to extend the module to support CAS + DATABASE.

h2. Environments

Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms 7.0.5, CAS 3.3.1, OpenLDAP 2.4.12.
h2. Login Procedure

!opencms7.0.5-cas3.3.1-ldap.png!

h2. Module Parameters

*Module parameters for authentication handler:*
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.
CasUrl: not required, default is https://localhost:8443/cas.
CasLoginUri: not required, the URI of the CAS login page, default is /login.
CasValidateUri: not required, the URI of the CAS validate service, default is /serviceValidate.
CasLenientURL: not required; if set, this URL will be used to validate the CAS ticket, default is null.
CasLogoutUri: not required, default is /logout.
{code}

*Module parameters for authorization handler:*
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler
GroupSearchDN: required, the group DN used to resolve the OpenCms OU. If not set, BaseDN will be used.
RoleSearchDN: required, the role DN used to resolve the OpenCms role. If not set, BaseDN will be used.
BaseDN: not required.
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.
CasUrl: not required, default is https://localhost:8443/cas.
CasLoginUri: not required, the URI of the CAS login page, default is /login.
CasValidateUri: not required, the URI of the CAS validate service, default is /serviceValidate.
CasLenientURL: not required; if set, this URL will be used to validate the CAS ticket, default is null.
CasLogoutUri: not required, default is /logout.
{code}
h2. How to validate service ticket

I use the CAS 1.0 protocol to validate the service ticket in the login procedure.

{code}
// Validates a CAS service ticket with the CAS 1.0 protocol (plain-text "yes"/"no" answer).
// Needs: java.net.URL, java.net.URLConnection, java.net.URLEncoder,
// java.io.BufferedReader, java.io.InputStreamReader,
// org.opencms.main.OpenCms, org.opencms.module.CmsModule,
// org.opencms.util.CmsRequestUtil, org.opencms.util.CmsStringUtil
String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
if (ldapModule != null) {
    String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
    String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
    String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
    // the service URL must be identical in the login redirect and in the validate request
    String serviceUrl = getRequest().getRequestURL().toString();
    String url = URLEncoder.encode(serviceUrl, "UTF-8");
    if (ticket == null) {
        // no ticket yet: send the browser to the CAS login page
        getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
    } else {
        // there's a ticket, we should validate the ticket
        URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket + "&" + PARAM_SERVICE + "=" + url);
        URLConnection conn = validateURL.openConnection();
        BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
        try {
            // CAS 1.0 answers "yes\n<username>\n" for a valid ticket and "no\n\n" otherwise
            String oneline = reader.readLine();
            String username = "yes".equals(oneline) ? reader.readLine() : null;
            if (CmsStringUtil.isNotEmpty(username)) {
                // the ticket is true
                m_username = username.trim();
                m_password = "cas_login";
                m_actionLogin = "true";
            } else {
                // the ticket is false, forward the request to cas login page
                getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
            }
        } finally {
            reader.close();
        }
    }
}
{code}
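As an added example (not code from the OpenCms LDAP module), the same CAS 1.0 round-trip pulled out into a small helper class: it builds the login redirect and the validate URL with an identical service parameter and parses the /validate answer, treating "no", an empty body, or a "yes" with no username line as a rejected ticket. The class name CasV1, the ticket value and the service URL are constructed for the example, and the https check on CasUrl is an addition beyond the page's defaults.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.net.URLEncoder;

/** Helpers for the CAS 1.0 ticket round-trip used by the login procedure (added example). */
public final class CasV1 {

    /** Parses a CAS 1.0 /validate answer; returns the username, or null if the ticket was rejected. */
    public static String parseValidateResponse(String body) throws IOException {
        BufferedReader reader = new BufferedReader(new StringReader(body == null ? "" : body));
        String first = reader.readLine();
        // CAS 1.0 answers "yes\n<username>\n" on success and "no\n\n" on failure;
        // anything else (empty body, HTML error page) is treated as a rejected ticket
        if (!"yes".equals(first)) {
            return null;
        }
        String username = reader.readLine();
        if (username == null || username.trim().isEmpty()) {
            return null; // "yes" without a principal line is not a usable login
        }
        return username.trim();
    }

    /** URL the browser is redirected to when the request carries no ticket. */
    public static String loginRedirect(String casUrl, String loginUri, String serviceUrl) throws IOException {
        return casUrl + loginUri + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8");
    }

    /** URL the module fetches server-side; the service value must match the login redirect exactly. */
    public static String validateUrl(String casUrl, String validateUri, String ticket, String serviceUrl)
            throws IOException {
        if (!casUrl.startsWith("https://")) {
            // a "yes" answer fetched over plain http could be altered on the network
            throw new IllegalArgumentException("CasUrl must use https: " + casUrl);
        }
        return casUrl + validateUri + "?ticket=" + URLEncoder.encode(ticket, "UTF-8")
                + "&service=" + URLEncoder.encode(serviceUrl, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        // constructed sample values, not taken from a real deployment
        String service = "http://localhost:8080/opencms/system/login/index.html";
        System.out.println(loginRedirect("https://localhost:8443/cas", "/login", service));
        System.out.println(validateUrl("https://localhost:8443/cas", "/validate", "ST-1-constructed", service));
        System.out.println("valid ticket -> " + parseValidateResponse("yes\nadmin\n"));
        System.out.println("rejected ticket -> " + parseValidateResponse("no\n\n"));
        System.out.println("yes without username -> " + parseValidateResponse("yes\n"));
    }
}
```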
h2. Add a new validate servlet to CAS

Here I use /authzValidate as the new validate servlet URI for an example.

h4. 1. Add /authzValidate in {cas_server}/WEB-INF/web.xml
{code}
<!-- start service validate extensions -->
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/authzValidate</url-pattern>
</servlet-mapping>
<!-- end service validate extensions -->
{code}

h4. 2. Modify {cas_server}/WEB-INF/cas-servlet.xml
{code}
...
<!-- start service validate extensions -->
<prop key="/authzValidate">authzValidateController</prop>
<!-- end service validate extensions -->
...
<!-- start service validate extensions -->
<bean id="authzValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthorizationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="casArgumentExtractor" />
<!-- end service validate extensions -->
{code}

h4. 3. Modify {cas_server}

h2. How to get the module and the source code

SVN: [http://www.langhua.cn/langhua/modules/ldap/]
Username: anon
Password: anon

ViewVC: [http://www.langhua.cn/viewvc/svn/modules/ldap/]

Shi Yusen/Beijing Langhua Ltd.
[http://langhua.org/] [http://langhua.biz/]