h2. Requirements
1. OpenCms is authenticated by CAS + LDAP.
2. OpenCms is authorized by CAS + LDAP.
3. Support OpenCms OU.
4. CAS will search LDAP for groups and roles when validating, not authenticating.
5. Validation URI can be customised, not /serviceValidate only.
6. Easy to extend the module to support CAS + DATABASE.
h2. Environments
Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms 7.0.5, CAS 3.3.1, OpenLDAP 2.4.12.
h2. Login Procedure
h2. Module Parameters
Module parameters for authentication handler:
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.
CasUrl: not required, default is https://localhost:8443/cas.
CasLoginUri: not required, the URI of the CAS login page, default is /login.
CasValidateUri: not required, the URI of the CAS validate servlet, default is /serviceValidate.
CasLenientURL: not required. If set, this full URL will be used to validate the CAS ticket instead of CasUrl + CasValidateUri; default is null.
CasLogoutUri: not required, default is /logout.
{code}
h2. Module parameters for authorization handler:
{code}
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler
GroupSearchDN: required, the group DN used to resolve the OpenCms OU. If not set, BaseDN will be used.
RoleSearchDN: required, the role DN used to resolve the OpenCms role. If not set, BaseDN will be used.
BaseDN: not required.
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, this parameter should be RoleWorkplaceUsers.
CasUrl: not required, default is https://localhost:8443/cas.
CasLoginUri: not required, the URI of the CAS login page, default is /login.
CasValidateUri: not required, the URI of the CAS validate servlet, default is /serviceValidate.
CasLenientURL: not required. If set, this full URL will be used to validate the CAS ticket instead of CasUrl + CasValidateUri; default is null.
CasLogoutUri: not required, default is /logout.
{code}
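The parameters above only say which URLs the handlers use; the part that matters for security is what the handler does with them: the service ticket it receives from the browser must be sent back to CAS, bound to the same service URL, and accepted only once, and the user identity (plus any groups or roles) must be taken solely from the CAS validate response. The following Python is an added example written for this page, not code from the langhua module. It assumes that the validate URL is CasUrl + CasValidateUri unless CasLenientURL is set (then that full URL is used as-is), that the CAS server answers with the standard CAS 2.0 serviceResponse XML, and that groups, when present, come back inside the cas:attributes element that later CAS versions use; the CAS server itself is replaced by a constructed in-memory stand-in so the flow runs offline.

```python
"""CAS 2.0 ticket validation driven by the module parameters listed above.

Added example, not code from the OpenCms LDAP/CAS module. Assumptions: validate URL
is CasUrl + CasValidateUri unless CasLenientURL overrides it; the server speaks
CAS 2.0 serviceResponse XML, optionally with cas:attributes (e.g. cas:memberOf).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
TICKET_RE = re.compile(r"^[A-Za-z0-9._-]{1,256}$")  # shape check before the ticket goes anywhere

DEFAULTS = {  # defaults exactly as the module parameter list states them
    "CasUrl": "https://localhost:8443/cas",
    "CasLoginUri": "/login",
    "CasValidateUri": "/serviceValidate",
    "CasLogoutUri": "/logout",
}


class CasClient:
    def __init__(self, params, fetch):
        p = {**DEFAULTS, **params}
        self.cas_url = p["CasUrl"].rstrip("/")
        self.login_uri = p["CasLoginUri"]
        self.validate_uri = p["CasValidateUri"]
        self.lenient_url = p.get("CasLenientURL")  # full override, default null
        self.fetch = fetch  # callable(url) -> response body as str (HTTP client injected)

    def login_url(self, service):
        return self.cas_url + self.login_uri + "?" + urlencode({"service": service})

    def validate_url(self, service, ticket):
        base = self.lenient_url or (self.cas_url + self.validate_uri)
        return base + "?" + urlencode({"service": service, "ticket": ticket})

    def validate(self, service, ticket):
        """Ask CAS about the ticket; the ticket by itself proves nothing to the client."""
        if not TICKET_RE.match(ticket or ""):
            return {"success": False, "code": "INVALID_REQUEST", "message": "malformed ticket"}
        return parse_service_response(self.fetch(self.validate_url(service, ticket)))


def parse_service_response(body):
    """Parse a CAS 2.0 serviceResponse into a dict; raises on anything else."""
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs = {}
        attr_el = ok.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:  # e.g. <cas:memberOf> repeated once per group
                name = child.tag.rsplit("}", 1)[-1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return {"success": True, "user": ok.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"success": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    raise ValueError("not a CAS serviceResponse")


# Constructed response templates in the CAS 2.0 format.
SUCCESS_TMPL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>{user}</cas:user>
    <cas:attributes>{attrs}</cas:attributes></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_TMPL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='{code}'>{message}</cas:authenticationFailure>
</cas:serviceResponse>"""


def make_fake_cas(issued):
    """Constructed stand-in for the CAS validate servlet: every ticket is bound to one
    service URL and consumed on first use, which is what real CAS tickets do."""
    store = dict(issued)  # ticket -> (service, user, groups)

    def fetch(url):
        q = parse_qs(urlsplit(url).query)
        ticket, service = q.get("ticket", [""])[0], q.get("service", [""])[0]
        entry = store.pop(ticket, None)  # single use: a replay fails even with the right service
        if entry is None:
            return FAILURE_TMPL.format(code="INVALID_TICKET", message="ticket not recognized")
        bound_service, user, groups = entry
        if bound_service != service:
            return FAILURE_TMPL.format(code="INVALID_SERVICE", message="ticket issued for another service")
        attrs = "".join(f"<cas:memberOf>{g}</cas:memberOf>" for g in groups)
        return SUCCESS_TMPL.format(user=user, attrs=attrs)

    return fetch


SERVICE = "https://cms.example.test/opencms/"  # constructed OpenCms service URL


def demo():
    """First validation succeeds with user and groups; replaying the same ticket fails."""
    params = {"CasUrl": "https://cas.example.test:8443/cas", "CasValidateUri": "/authzValidate"}
    fetch = make_fake_cas({"ST-1-constructed": (SERVICE, "alice", ["Users", "RoleWorkplaceUsers"])})
    client = CasClient(params, fetch)
    first = client.validate(SERVICE, "ST-1-constructed")
    replay = client.validate(SERVICE, "ST-1-constructed")
    return first, replay


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fake server models the two checks a relying party depends on CAS for, service binding and single use, so the client code never has to trust anything in the browser's request except as a lookup key; the group list arriving in the validate response is the "groups and roles when validating" behaviour from requirement 4, under the attribute format assumed above.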
h2. Add a new validate servlet to CAS
Here I use /authzValidate as the new validate servlet URI as an example.
h4. 1. Add /authzValidate in $(cas_server)/WEB-INF/web.xml
{code}
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/authzValidate</url-pattern>
</servlet-mapping>
{code}
h4. 2. Modify $(cas_server)/WEB-INF/cas-servlet.xml
{code}
...
<!-- start service validate extensions -->
<prop key="/authzValidate">authzValidateController</prop>
<!-- end service validate extensions -->
...
<!-- start service validate extensions -->
<bean id="authzValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthorizationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="casArgumentExtractor" />
<!-- end service validate extensions -->
...
{code}
h4. 3. Modify $(cas_server)
h2. How to get the module and the source code
SVN: http://www.langhua.cn/langhua/modules/ldap/
Username: anon
Password: anon
ViewVC: http://www.langhua.cn/viewvc/svn/modules/ldap/

Shi Yusen / Beijing Langhua Ltd.