Requirements
1. OpenCms is authenticated by CAS + LDAP.
2. OpenCms is authorized by CAS + LDAP.
3. Support OpenCms OU.
4. CAS will search LDAP for groups and roles when validating, not authenticating.
5. Validation URI can be customised, not /serviceValidate only.
6. Easy to extend the module to support CAS + DATABASE.
Environments
Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms7.0.5, CAS3.3.1, OpenLDAP 2.4.12.
Login Procedure
Module Parameters
Module parameters for authentication handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers. CasUrl: not required, default is https://localhost:8443/cas. CasLoginUri: not required, the uri to CAS login, default is /login. CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate. CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null. CasLogoutUri: not required, default is /logout.
Module parameters for authorization handler:
AuthenticationHandler: cn.langhua.opencms.ldap.cas.CmsCasAuthorizationHandler GroupSearchDN: required, the group dn to resolve OpenCms OU. If not set, will use BaseDN. RoleSearchDN: required, the role dn to resolve OpenCms role. If not set, will use BaseDN. BaseDN: not required. AutoUserRoleName: not required. If you want the user can login OpenCms workplace by default, this parameter should be RoleWorkplaceUsers. CasUrl: not required, default is https://localhost:8443/cas. CasLoginUri: not required, the uri to CAS login, default is /login. CasValidateUri: not required, the uri to CAS validate, default is /serviceValidate. CasLenientURL: not required, if set, this url will be used to validate CAS ticket, default is null. CasLogoutUri: not required, default is /logout.
How to validate service ticket
I use CAS 1.0 protocal to validate service ticket in the login procedure.
String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
if (ldapModule != null) {
String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
String serviceUrl = getRequest().getRequestURL().toString();
String url = URLEncoder.encode(serviceUrl, "UTF-8");
if (ticket == null) {
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
} else {
// there's a ticket, we should validate the ticket
URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket + "&" + PARAM_SERVICE + "=" + url);
URLConnection conn = validateURL.openConnection();
InputStreamReader result = new InputStreamReader(conn.getInputStream(), "UTF-8");
BufferedReader reader = new BufferedReader(result);
String oneline = reader.readLine();
if (CmsStringUtil.isNotEmpty(oneline) && oneline.equals("yes")) {
// the ticket is true
m_username = reader.readLine().trim();
m_password = "cas_login";
m_actionLogin = "true";
reader.close();
result.close();
} else {
// the ticket is false, forward the request to cas login page
reader.close();
result.close();
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
}
}
}
How to get the module and the source code
SVN:
http://www.langhua.cn/langhua/modules/ldap/
Username:anon
Password:anon
ViewVC:
http://www.langhua.cn/viewvc/svn/modules/ldap/
Shi Yusen/Beijing Langhua Ltd.