Maximiliano Lubian has written on the CAS Mailman list regarding CASifying Oracle Portal. Some of that discussion is presented here for your convenience.

Security Concern

A serious security concern has been raised off-list about the code posted to this page. This is an unresolved issue. More information to come... Andrew Petro, June 8 05. [Reviewer note on what the posted code itself shows: `CasExtendedAuthenticator` takes the user name verbatim from an `ACME_USER` cookie, or failing that an `ACME_USER` request header, with no signature, session binding or other check that the value came from `CasServlet`; any client that can set that cookie or header can therefore log in as any user. `CasServlet` additionally redirects to whatever `target_url` it is given, and writes a debug trace of cookie names and user ids to `/tmp/sso.log`. Treat the listing as a design sketch, not as deployable code.]

Maximiliano wrote:

This is how we solved the problem:

1. When you click the login link in Oracle Portal you are redirected to the CAS server with a `service` argument that points to a servlet page (the `CasServlet` below), not to the portal's own login URL.
2. You log in to CAS.
3. CAS redirects you to that servlet, which validates the ticket against the CAS server, obtains the NetID (user id) and stores it in a cookie. The servlet also drops the `ticket` argument from the URL, because Oracle SSO does not accept it, and then redirects you to the portal login page.
4. A custom plugin registered with OraSSO reads the user id from that cookie and hands it to the standard OraSSO management. (As posted, the cookie is a plain, unsigned user name — see the Security Concern above.)
5. The user is logged in.

Registering a plugin with OraSSO replaces the standard OraSSO authentication with the external SSO handler.
We implemented a CASSSO handler called:
CasExtendedAuthenticator
Located: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas
with a property file: $ORACLE_HOME/sso/plugin/cas.properties

The servlet:
source code: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas/CasServlet.java

(The attached files from the email are appended below. -ed)

We are in the process of supporting CAS 2.0 in Oracle Portal, but we do not have a solution for this yet. We expect to deliver one in a few weeks. Let me know if you are still interested or need more information.

Hope this is of some help.
Best regards Maxi

// Decompiled by Jad v1.5.8e2. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://kpdus.tripod.com/jad.html
// Decompiler options: packimports(3)
// Source File Name:   CasAuthenticator.java

package oracle.consulting.gu.cas;

import java.io.*;
import java.net.*;
import java.util.Properties;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.*;

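/**
 * OracleAS Single Sign-On external-authentication plugin for CAS.
 *
 * <p>{@code CasServlet} validates the CAS ticket and hands the user name to the
 * portal in a cookie named {@code ACME_USER}; this class reads that cookie (or a
 * request header of the same name) and reports the value to OraSSO as the
 * authenticated user.
 *
 * <p><b>Security note:</b> the value is trusted exactly as received. Nothing
 * here verifies that it was produced by {@code CasServlet} -- it is neither
 * signed nor bound to a server-side session -- so any client that can send an
 * {@code ACME_USER} cookie or header can log in as any user name it chooses.
 * The header fallback widens that surface further: {@code CasServlet} only sets
 * a <i>response</i> header, which browsers never echo back, so no legitimate
 * producer of a request header is visible in this code. Treat the class as a
 * proof of concept until the hand-over is made tamper-proof.
 */
public class CasExtendedAuthenticator implements IPASAuthInterface
{
        private static final String CLASS_NAME = "CasExtendedAuthenticator";

        /** Name of the cookie (and fallback request header) carrying the CAS user id. */
        private static final String ACME_USER_HEADER = "ACME_USER";

        /** Classpath resource the settings are read from. */
        private static final String propFile = "cas.properties";

        /**
         * Portal login URL appended to {@link #casLoginPage}. Hard-coded for one
         * site; the {@code successUrl} setting is loaded but not used for this.
         */
        private static final String PORTAL_LOGIN_URL =
                "http://oracle-portal.com:7778/pls/portal/" +
                "PORTAL.wwsec_app_priv.login?p_requested_url=" +
                "http%3A%2F%2Foracle-portal.com" +
                "%3A7778%2Fpls%2Fportal%2FPORTAL.home" +
                "&p_cancel_url=http%3A%2F%2Foracle-portal.com" +
                "%3A7778%2Fpls%2Fportal%2FPORTAL.home";

        /** Debug trace file; see {@link #writeToFile(String)}. */
        private static final String TRACE_FILE = "/tmp/sso.log";

        // Loaded from cas.properties. Only casLoginPage is used by this class;
        // cookieName, validateURL and succUrl are read but never referenced.
        private String cookieName;
        private String validateURL;
        private String casLoginPage;
        private String succUrl;

        /**
         * Loads {@code cas.properties} from the context class loader.
         *
         * @throws IllegalStateException if the resource is not on the classpath
         *         (the posted version failed here too, with a bare
         *         NullPointerException from {@code Properties.load(null)})
         */
        public CasExtendedAuthenticator()
        {
                System.out.println("Init casAuthenticator");

                InputStream is = Thread.currentThread().getContextClassLoader()
                                       .getResourceAsStream(propFile);
                if(is == null)
                {
                        // Fail loudly: running with null settings would only
                        // surface later as a broken login redirect.
                        throw new IllegalStateException("Resource not found: " + propFile);
                }

                try
                {
                        Properties prop = new Properties();
                        prop.load(is);
                        cookieName = prop.getProperty("cookieName");
                        validateURL = prop.getProperty("validateURL");
                        casLoginPage = prop.getProperty("casLoginPage");
                        succUrl = prop.getProperty("successUrl");
                }
                catch(IOException e)
                {
                        System.out.println("Could not read " + propFile);
                        e.printStackTrace();
                }
                finally
                {
                        // The posted version never closed the stream.
                        closeQuietly(is);
                }
        }

        /**
         * Reports the user named by the {@code ACME_USER} cookie, or by the
         * {@code ACME_USER} request header when no such cookie is present.
         *
         * <p>See the class comment: the value is not verified in any way.
         *
         * @param request the request OraSSO is authenticating
         * @return user info for the name found
         * @throws IPASInsufficientCredException if neither cookie nor header
         *         supplies a non-empty user name
         */
        public IPASUserInfo authenticate(HttpServletRequest request)
            throws IPASAuthException, IPASInsufficientCredException
        {
                String acmeUserName = null;

                try
                {
                        // getCookies() returns null, not an empty array, when the
                        // request carries no cookies; the posted version NPE'd here.
                        Cookie[] cookies = request.getCookies();
                        if(cookies != null)
                        {
                                for(int i = 0; i < cookies.length; i++)
                                {
                                        Cookie cookie = cookies[i];
                                        writeToFile("cookie:" + cookie.getName());
                                        if(cookie.getName().equalsIgnoreCase(ACME_USER_HEADER))
                                        {
                                                acmeUserName = cookie.getValue();
                                                break;
                                        }
                                }
                        }

                        if(acmeUserName == null)
                                acmeUserName = request.getHeader(ACME_USER_HEADER);

                        writeToFile("acmeUserName:" + acmeUserName);
                }
                catch(RuntimeException e)
                {
                        // Fail closed, as the posted version did, rather than let
                        // an unexpected error propagate into OraSSO.
                        writeToFile("No Acme Header");
                        throw new IPASInsufficientCredException("No Acme Header");
                }

                if(acmeUserName == null || acmeUserName.length() == 0)
                        throw new IPASInsufficientCredException("No Acme Header");

                IPASUserInfo authUser = new IPASUserInfo(acmeUserName);
                writeToFile("authUser:" + authUser.getUserName());

                return authUser;
        }

        /**
         * Returns the page OraSSO should send an unauthenticated user to: the
         * CAS login page from {@code cas.properties} (which ends in
         * {@code target_url=}) with the hard-coded portal login URL appended.
         *
         * @return the CAS login URL, or {@code null} if it cannot be parsed
         *         (for example when {@code casLoginPage} was not configured)
         */
        public URL getUserCredentialPage(HttpServletRequest arg0, String arg1)
        {
                try
                {
                        URL url = new URL(casLoginPage + PORTAL_LOGIN_URL);
                        System.out.println("userCred:" + url.toString());
                        return url;
                }
                catch(MalformedURLException e)
                {
                        System.out.println("Problem med URL :" + casLoginPage);
                        return null;
                }
        }

        /**
         * Appends one line to {@code /tmp/sso.log}.
         *
         * <p>Debug trace only: it records every cookie name and the resolved user
         * id for every request, in a directory that is world-writable on most
         * systems. Remove it, or route it to the server log, before production use.
         *
         * @param text the line to append
         */
        public void writeToFile(String text)
        {
                PrintWriter pout = null;
                try
                {
                        pout = new PrintWriter(new FileWriter(TRACE_FILE, true));
                        pout.println(text);
                }
                catch(IOException e)
                {
                        e.printStackTrace();
                }
                finally
                {
                        if(pout != null)
                                pout.close();
                }
        }

        /** Closes {@code in}, ignoring a failure to close (nothing further to do). */
        private static void closeQuietly(InputStream in)
        {
                try
                {
                        in.close();
                }
                catch(IOException ignored)
                {
                        // already done reading; a close failure changes nothing
                }
        }
}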



package oracle.consulting.gu.cas;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import edu.yale.its.tp.cas.client.ProxyTicketValidator;

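/**
 * CAS "service" endpoint for the Oracle Portal integration.
 *
 * <p>CAS redirects the browser here with a {@code ticket} after login. The
 * servlet validates the ticket against the CAS server, stores the resulting
 * user name in an {@code ACME_USER} cookie and redirects to the portal login
 * URL given in {@code target_url}, where {@code CasExtendedAuthenticator}
 * picks the cookie up. The ticket is not carried into that redirect because
 * Oracle SSO does not accept a {@code ticket} argument.
 *
 * <p><b>Security note:</b> the cookie is a plain, unsigned user name, scoped
 * to the whole {@code gu.se} domain and sent over plain HTTP, so every host
 * under that domain sees it and anyone who can forge it can impersonate the
 * user. That hand-over needs to be made tamper-proof before real use.
 *
 * <p>All server addresses are hard-coded below and must be adapted per site.
 */
public class CasServlet extends HttpServlet
{
        /** CAS endpoint that validates service tickets. */
        private static final String CAS_VALIDATE_URL =
                "https://gavin.it.gu.se:8433/cas/serviceValidate";

        /**
         * Service URL reported to CAS at validation time. CAS compares it with
         * the {@code service} used at login, so it has to agree with what
         * {@code casLoginPage} in cas.properties produces. As posted the two
         * differ (this one carries port 8433, the property does not) -- verify
         * against the CAS server before deploying.
         */
        private static final String CAS_SERVICE_URL =
                "https://cas-server.com:8433/cas/casServlet?" +
                "target_url=http://oracle-portal.com:7778" +
                "/pls/portal/PORTAL.wwsec_app_priv.login?" +
                "p_requested_url=http%3A%2F%2Foracle-portal.com" +
                "%3A7778%2Fpls%2Fportal" +
                "%2FPORTAL.home&p_cancel_url=http%3A%2F%2Foracle-portal.com" +
                "%3A7778%2Fpls%2Fportal%2FPORTAL.home";

        /**
         * The only prefix {@code target_url} may redirect to. Without this check
         * the servlet was an open redirect: any URL in the parameter was followed
         * after a successful login. The trailing slash keeps hosts such as
         * {@code oracle-portal.com:7778.example} out.
         */
        private static final String PORTAL_BASE = "http://oracle-portal.com:7778/";

        /** Name of the cookie (and response header) carrying the user id to the portal. */
        private static final String ACME_USER = "ACME_USER";

        /**
         * Handles the CAS callback: validates {@code ticket}, sets the
         * {@code ACME_USER} cookie and redirects to {@code target_url}.
         *
         * <p>A missing ticket, a ticket CAS rejects, or a {@code target_url}
         * outside the portal now yields an HTTP error. The posted version
         * answered with a silent empty page in those cases, and its guard
         * ({@code ticket != null || !ticket.equals("")}) threw a
         * NullPointerException on a missing ticket, swallowed by a catch-all.
         *
         * @param request the CAS redirect, carrying {@code ticket} and {@code target_url}
         * @param resp    the response to set the cookie and redirect on
         * @throws IOException      if the response cannot be written
         * @throws ServletException if the CAS server cannot be reached or its
         *                          answer cannot be parsed
         */
        public void doGet(HttpServletRequest request, HttpServletResponse resp)
            throws IOException, ServletException
        {
                String ticket = request.getParameter("ticket");
                if(ticket == null || ticket.length() == 0)
                {
                        resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing CAS ticket");
                        return;
                }

                String authenticatedUserName = validateTicket(ticket);
                if(authenticatedUserName == null)
                {
                        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "CAS ticket rejected");
                        return;
                }

                String targetUrl = request.getParameter("target_url");
                if(targetUrl == null || !targetUrl.startsWith(PORTAL_BASE))
                {
                        resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                       "target_url must point at the portal");
                        return;
                }

                // Kept from the posted version. Browsers do not echo response
                // headers back, so only the cookie actually reaches the plugin.
                resp.setHeader(ACME_USER, authenticatedUserName);

                Cookie cookie = new Cookie(ACME_USER, authenticatedUserName);
                cookie.setDomain("gu.se");   // visible to every host under gu.se
                cookie.setPath("/");
                // No Secure flag: the portal itself is reached over plain HTTP.
                resp.addCookie(cookie);
                resp.sendRedirect(targetUrl);
        }

        /**
         * Validates a CAS service ticket against {@link #CAS_VALIDATE_URL}.
         *
         * @param ticket the {@code ticket} CAS appended to the service URL
         * @return the CAS user name, or {@code null} if CAS rejected the ticket
         * @throws ServletException if validation could not be carried out at all
         */
        private String validateTicket(String ticket) throws ServletException
        {
                ProxyTicketValidator pv = new ProxyTicketValidator();
                pv.setCasValidateUrl(CAS_VALIDATE_URL);
                pv.setService(CAS_SERVICE_URL);
                pv.setServiceTicket(ticket);

                try
                {
                        pv.validate();
                }
                catch(Exception e)
                {
                        // The posted version swallowed this. A validation that never
                        // ran must not look like a ticket CAS rejected.
                        throw new ServletException("CAS ticket validation failed: " + e.getMessage(), e);
                }

                if(!pv.isAuthenticationSuccesful())
                {
                        log("CAS rejected ticket: " + pv.getErrorCode() + " " + pv.getErrorMessage());
                        return null;
                }

                return pv.getUser();
        }
}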



# cas.properties -- read once by CasExtendedAuthenticator's constructor as a
# classpath resource. Of the four keys only casLoginPage is used by the posted
# code: cookieName, validateURL and successUrl are loaded into fields that are
# never read, and CasServlet hard-codes its own validate URL instead.
cookieName=CASTGC
validateURL=https://cas-server.com/cas/serviceValidate
# Login redirect = casLoginPage + the portal login URL hard-coded in
# CasExtendedAuthenticator.getUserCredentialPage. The service below has no
# port, while CasServlet validates with "https://cas-server.com:8433/...";
# CAS presumably compares the two, so they must agree -- verify against the
# server. NOTE(review): the appended portal URL contains an unencoded
# "&p_cancel_url=...", which the CAS login page is likely to read as a
# separate parameter rather than as part of "service" -- confirm.
casLoginPage=https://cas-server.com/cas/index.jsp?service=https://cas-server.com/cas/casServlet?target_url=
# NOTE(review): "oracle-postal.com" looks like a typo for "oracle-portal.com";
# harmless as posted because successUrl is never used.
successUrl=http://oracle-postal.com:7778/portal/page?_pageid=6,1,6_13&_dad=portal&_schema=PORTAL