Requirements
1. OpenCms is authenticated by CAS + LDAP.
2. OpenCms is authorized by CAS + LDAP.
3. Support OpenCms OU.
4. CAS will search LDAP for groups and roles when validating, not authenticating.
5. Validation URI can be customised, not /serviceValidate only.
6. Easy to extend the module to support CAS + DATABASE.
Environments
Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms7.0.5, CAS3.3.1, OpenLDAP 2.4.12.
Login Procedure
Module Parameters
Module parameters for authentication handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers. CasUrl: not required, default is https://localhost:8443/cas. CasLoginUri: not required, the uri to CAS login, default is /login. CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate. CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null. CasLogoutUri: not required, default is /logout.
Module parameters for authorization handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler GroupSearchDN: required, the group dn to resolve OpenCms OU. If not set, will use BaseDN. RoleSearchDN: required, the role dn to resolve OpenCms role. If not set, will use BaseDN. BaseDN: not required. AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers. CasUrl: not required, default is https://localhost:8443/cas. CasLoginUri: not required, the uri to CAS login, default is /login. CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate. CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null. CasLogoutUri: not required, default is /logout.
How to validate service ticket
I use CAS 1.0 protocal to validate service ticket in the login procedure.
String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
if (ldapModule != null) {
String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
String serviceUrl = getRequest().getRequestURL().toString();
String url = URLEncoder.encode(serviceUrl, "UTF-8");
if (ticket == null) {
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
} else {
// there's a ticket, we should validate the ticket
URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket + "&" + PARAM_SERVICE + "=" + url);
URLConnection conn = validateURL.openConnection();
InputStreamReader result = new InputStreamReader(conn.getInputStream(), "UTF-8");
BufferedReader reader = new BufferedReader(result);
String oneline = reader.readLine();
if (CmsStringUtil.isNotEmpty(oneline) && oneline.equals("yes")) {
// the ticket is true
m_username = reader.readLine().trim();
m_password = "cas_login";
m_actionLogin = "true";
reader.close();
result.close();
} else {
// the ticket is false, forward the request to cas login page
reader.close();
result.close();
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
}
}
}
/system/login/index.html
Please replace the /system/login/index.html with /system/modules/cn.langhua.opencms.ldap/login/index_cas.html, and then you'll use CAS login page to login your OpenCms.
Note: Your CAS server must have SSL configured properly or it will return an error. Also this version only works for 7.0.1 and only supports LDAP connection of no authentication.
Check the OpenCMS forums for details on integrating with 7.0.3
How to get the module and the source code
SVN:
http://www.langhua.cn/langhua/modules/ldap/
Username:anon
Password:anon
ViewVC:
http://www.langhua.cn/viewvc/svn/modules/ldap/
Shi Yusen/Beijing Langhua Ltd.