Requirements
1. OpenCms authenticates users through CAS + LDAP.
2. OpenCms authorizes users through CAS + LDAP.
3. Support for OpenCms OUs.
4. CAS searches LDAP for groups and roles when validating a ticket, not when authenticating.
5. The validation URI can be customised; it is not limited to /serviceValidate.
6. The module is easy to extend to support CAS + DATABASE.
Environments
Tested on Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms 7.0.5, CAS 3.3.1, OpenLDAP 2.4.12.
Login Procedure
Module Parameters
Module parameters for the authentication handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, set this parameter to RoleWorkplaceUsers.
CasUrl: not required; default is https://localhost:8443/cas.
CasLoginUri: not required; the URI of the CAS login page, default is /login.
CasValidateUri: not required; the URI of the CAS validate endpoint, default is /serviceValidate.
CasLenientURL: not required; if set, this URL is used to validate the CAS ticket, default is null.
CasLogoutUri: not required; default is /logout.
Module parameters for the authorization handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler
GroupSearchDN: required; the group DN used to resolve the OpenCms OU. If not set, BaseDN is used.
RoleSearchDN: required; the role DN used to resolve the OpenCms role. If not set, BaseDN is used.
BaseDN: not required.
AutoUserRoleName: not required. If you want the user to be able to log in to the OpenCms workplace by default, set this parameter to RoleWorkplaceUsers.
CasUrl: not required; default is https://localhost:8443/cas.
CasLoginUri: not required; the URI of the CAS login page, default is /login.
CasValidateUri: not required; the URI of the CAS validate endpoint, default is /serviceValidate.
CasLenientURL: not required; if set, this URL is used to validate the CAS ticket, default is null.
CasLogoutUri: not required; default is /logout.
How to validate service ticket
I use the CAS 1.0 protocol (plain-text "yes"/"no" response) to validate the service ticket in the login procedure:

    String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
    CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
    if (ldapModule != null) {
        // CAS endpoints come from the module parameters described above
        String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
        String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
        String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
        // the service URL sent to CAS is this login page, URL-encoded
        String serviceUrl = getRequest().getRequestURL().toString();
        String url = URLEncoder.encode(serviceUrl, "UTF-8");
        if (ticket == null) {
            // no ticket yet: send the browser to the CAS login page
            getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
        } else {
            // there's a ticket, we should validate it against the CAS server
            URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket
                + "&" + PARAM_SERVICE + "=" + url);
            URLConnection conn = validateURL.openConnection();
            InputStreamReader result = new InputStreamReader(conn.getInputStream(), "UTF-8");
            BufferedReader reader = new BufferedReader(result);
            // CAS 1.0 answers "yes" with the user name on the next line, or "no"
            String oneline = reader.readLine();
            if (CmsStringUtil.isNotEmpty(oneline) && oneline.equals("yes")) {
                // the ticket is valid: the second line carries the user name
                m_username = reader.readLine().trim();
                m_password = "cas_login";
                m_actionLogin = "true";
                reader.close();
                result.close();
            } else {
                // the ticket is invalid, forward the request to the CAS login page
                reader.close();
                result.close();
                getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
            }
        }
    }
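As an added example (not code from the cn.langhua.opencms.ldap module), the strict form of the CAS 1.0 response check: the reply is either "yes" followed by the user name on the next line or "no" followed by an empty line, so a "yes" with no user line, an empty body or an error page is rejected instead of being trimmed and used as a login, and both ticket and service are URL-encoded when the validate URL is built. Class, method and sample values are assumptions; since CAS 1.0 returns only the principal, groups and roles still have to be looked up in LDAP as requirement 4 states.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.net.URLEncoder;

// Added example, not part of the cn.langhua.opencms.ldap module; names are hypothetical.
public final class Cas10ValidationExample {
    // Outcome of one validation: username is null whenever valid is false.
    public static final class Result {
        public final boolean valid;
        public final String username;
        Result(boolean valid, String username) { this.valid = valid; this.username = username; }
    }

    // Per the CAS 1.0 protocol the body is "yes\n<user>\n" for a good ticket and
    // "no\n\n" otherwise. Anything else (truncated body, "yes" without a user line,
    // an HTML error page) is rejected instead of being trimmed and used as a login.
    public static Result parse(String body) throws IOException {
        BufferedReader reader = new BufferedReader(new StringReader(body));
        String first = reader.readLine();
        if (!"yes".equals(first)) {
            return new Result(false, null);
        }
        String user = reader.readLine();
        if (user == null || user.trim().isEmpty()) {
            return new Result(false, null);
        }
        return new Result(true, user.trim());
    }

    // Builds the validate URL; ticket and service are both URL-encoded so an '&' or '='
    // inside either value cannot be read by CAS as an extra query parameter.
    public static String validateUrl(String casUrl, String validateUri,
                                     String ticket, String serviceUrl) throws IOException {
        return casUrl + validateUri
            + "?ticket=" + URLEncoder.encode(ticket, "UTF-8")
            + "&service=" + URLEncoder.encode(serviceUrl, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample replies in the shape a CAS 1.0 server returns them.
        String[] bodies = { "yes\nalice\n", "no\n\n", "yes\n", "<html>503</html>" };
        for (String body : bodies) {
            Result r = parse(body);
            System.out.println(r.valid ? "accept user " + r.username : "reject");
        }
        System.out.println(validateUrl("https://localhost:8443/cas", "/validate",
            "ST-1-constructed", "https://opencms.example/opencms/system/login/"));
    }
}
```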
How to get the module and the source code
SVN:
http://www.langhua.cn/langhua/modules/ldap/
Username: anon
Password: anon
ViewVC:
http://www.langhua.cn/viewvc/svn/modules/ldap/
Shi Yusen/Beijing Langhua Ltd.