Security Concern

This was the first approach considered by Gothenburg University and was never used in a production environment.
This page exists only for historical purposes!

To CASify Oracle Portal, use this approach: CASifying Oracle Portal

Maximiliano Lubian has written on the CAS Mailman list regarding CASifying Oracle Portal. Some of that discussion is presented here for your convenience.

Security Concern

A serious security concern has been raised off-list about the code posted to this page. This is an unresolved issue. More information to come... Andrew Petro, June 8 05

Maximiliano wrote:

This is how we solved the problem:

1. When you click on the login link in Oracle Portal you will be redirected to the CAS server with a service argument that points to a JSP servlet page on the portal but not to the loginurl on the portal.
2. You log in to CAS.
3. CAS redirects you to the JSP page, which validates the ticket against the CAS server, gets the NET-id (userid) and sets the user information in a cookie. It also truncates the ticket argument in the URL because Oracle SSO does not accept this argument. The servlet redirects you to the portal login page.
4. A custom plugin in OraSSO gets the user info from the cookie and sends it to the standard OraSSO management.
5. The user is logged in.

If one registers a plugin with OraSSO, you exchange the standard OraSSO for an external SSO handler.
We implemented a CASSSO handler called:
CasExtendedAuthenticator
Located: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas
with a property file: $ORACLE_HOME/sso/plugin/cas.properties

The servlet:
source code: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas/CasServlet.java

(The attached files from the email are appended below. -ed)

We are in the process of solving CAS 2.0 in Oracle Portal. But we don't have a solution to this yet. We are expecting a delivery on this solution in a few weeks. Notify me if you're still interested and if you need more info.

Hope this was of some help.
Best regards Maxi

// Decompiled by Jad v1.5.8e2. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://kpdus.tripod.com/jad.html
// Decompiler options: packimports(3)
// Source File Name:   CasAuthenticator.java

package oracle.consulting.gu.cas;

import java.io.*;
import java.net.*;
import java.util.Properties;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.*;

public class CasExtendedAuthenticator implements IPASAuthInterface
{
   private static String CLASS_NAME            = "CasExtendedAuthenticator";
       private static String ACME_USER_HEADER  = "ACME_USER";

       private String cookieName;
       private String validateURL;
       private String casLoginPage;
       private String succUrl;
       private static final String propFile = "cas.properties";

       public CasExtendedAuthenticator()
       {
               System.out.println("Init casAuthenticator");
               try
               {
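                       InputStream is =
                           Thread.currentThread().getContextClassLoader().
                                 getResourceAsStream("cas.properties");
                       // getResourceAsStream() returns null (it does not throw) when the file is missing
                       if(is == null)
                               throw new FileNotFoundException("cas.properties");
                       Properties prop = new Properties();
                       prop.load(is);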
                       cookieName = prop.getProperty("cookieName");
                       validateURL = prop.getProperty("validateURL");
                       casLoginPage = prop.getProperty("casLoginPage");
                       succUrl = prop.getProperty("successUrl");
               }
               catch(FileNotFoundException e)
               {
                       System.out.println("File not found:cas.properties");
                       e.printStackTrace();
               }
               catch(IOException e)
               {
                       e.printStackTrace();
               }
       }

       public IPASUserInfo authenticate(HttpServletRequest request)
           throws IPASAuthException, IPASInsufficientCredException
       {
               String acmeUserName = null;

               try
               {
                       Cookie[] cookies = request.getCookies();
                       // getCookies() returns null when the request carries no cookies
                       for(int i=0; cookies != null && i<cookies.length; i++)
                       {
                               Cookie cookie = cookies[i];
                               writeToFile("cookie:" + cookie.getName());
                               if(cookie.getName().equalsIgnoreCase(ACME_USER_HEADER))
                               {
                                       acmeUserName = cookie.getValue();
                                       break;
                               }
                       }

                       if(acmeUserName == null)
                               acmeUserName = request.getHeader(ACME_USER_HEADER);

                       writeToFile("acmeUserName:" + acmeUserName);
               }
               catch(Exception e)
               {
                       writeToFile("No Acme Header");
                       throw new IPASInsufficientCredException("No Acme Header");
               }

               if(acmeUserName == null)
                       throw new IPASInsufficientCredException("No Acme Header");

               IPASUserInfo authUser = new IPASUserInfo(acmeUserName);
               //authUser.setUserDN("cn=users,dc=it,dc=gu,dc=se");
               writeToFile("authUser:" + authUser.getUserName());

               return authUser;
       }

       public URL getUserCredentialPage(HttpServletRequest arg0, String arg1)
       {
               URL url = null;
               try
               {
                       url = new URL(casLoginPage +
                                "http://oracle-portal.com:7778/pls/portal/" +
                                 "PORTAL.wwsec_app_priv.login?p_requested_url=" +
                                 "http%3A%2F%2Foracle-portal.com" +
                                 "%3A7778%2Fpls%2Fportal%2FPORTAL.home" +
                                  "&p_cancel_url=http%3A%2F%2Foracle-portal.com" +
                                  "%3A7778%2Fpls%2Fportal%2FPORTAL.home");
                       System.out.println("userCred:" + url.toString());
               }
               catch(MalformedURLException e)
               {
                       System.out.println("Problem med URL :" + casLoginPage);
               }

               return url;
       }

       public void writeToFile(String text)
       {
               try
               {
                       File file = new File("/tmp/sso.log");
                       PrintWriter pout;
                       pout = new PrintWriter(new FileWriter(file, true));
                       pout.println(text);
                       pout.close();
               }
               catch (IOException e)
               {
                       e.printStackTrace();
               }
       }

}



package oracle.consulting.gu.cas;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import edu.yale.its.tp.cas.client.ProxyTicketValidator;

public class CasServlet extends HttpServlet
{
        /**
        * Handles the redirect back from CAS: validates the service ticket
        * against the CAS server and, on success, sets the ACME_USER header
        * and cookie and redirects the browser to target_url.
        */
        public void doGet(HttpServletRequest request, HttpServletResponse resp)
            throws IOException, ServletException
        {
               //PrintWriter out = resp.getWriter();

                 try
                 {

                       String queryString = request.getQueryString();
                       String ticket = request.getParameter("ticket");

                       //String url =
                       //   "j_security_check;jsessionid=" +
                       //    sessionId + "?j_username=" +
                       //    java.net.URLEncoder.encode(j_username) +
                       //    "&j_password=" + java.net.URLEncoder.encode(j_password);
                       String url = "apa.html";
                       //out.println("queryString:" + queryString);
                       //out.println("ticket:" + ticket);
                       //out.println("url:" + url);
                       //response.sendRedirect(url);

                       // only continue when a ticket parameter is present
                       if (ticket != null && !ticket.equals(""))
                       {
                               /*
                               if (loginUrl == null)
                               {
                                       throw new ServletException(
                                         "When InfoGlueFilter protects pages that do not receive a 'userName' " +
                                         "parameter, it needs a org.infoglue.cms.security.loginUrl " +
                                         "filter parameter");
                               }
                               */

                               String requestURI = request.getRequestURI();
                               //out.println("requestURI:" + requestURI);

                               /*
                               String redirectUrl = "";

                               if(requestURI.indexOf("?") > 0)
                                       redirectUrl = loginUrl +
                                                          "&service=" +
                                                          getService(request) +
                                                          ((casRenew != null && !casRenew.equals("")) ?
                                                             "&renew="+ casRenew : "");
                               else
                                       redirectUrl = loginUrl +
                                                           "?service=" +
                                                           getService(request) +
                                                           ((casRenew != null && !casRenew.equals("")) ?
                                                           "&renew="+ casRenew : "");

                               System.out.println("redirectUrl:" + redirectUrl);
                               response.sendRedirect(redirectUrl);

                               return null;
                               */

                               String authenticatedUserName = null;

                               ProxyTicketValidator pv = new ProxyTicketValidator();

                               String casValidateUrl = "https://gavin.it.gu.se:8433/cas/serviceValidate";
                               String casServiceUrl = "https://cas-server.com:8433/cas/casServlet?" +
                                 "target_url=http://oracle-portal.com:7778" +
                                 "/pls/portal/PORTAL.wwsec_app_priv.login?" +
                                 "p_requested_url=http%3A%2F%2Foracle-portal.com" +
                                 "%3A7778%2Fpls%2Fportal" +
                                 "%2FPORTAL.home&p_cancel_url=http%3A%2F%2Foracle-portal.com" +
                                 "%3A7778%2Fpls%2Fportal%2FPORTAL.home";
                               pv.setCasValidateUrl(casValidateUrl);
                               pv.setService(casServiceUrl);
                               pv.setServiceTicket(ticket);

                               //out.println("requestURI:" + requestURI);

                               //pv.setProxyCallbackUrl("https://cas-server.com:9070"
                               // + "/uPortal/CasProxyServlet");
                               //pv.setProxyCallbackUrl("http://localhost:8080/" +
                               //     "infoglueCMSAuthDev/CasProxyServlet");

                               pv.validate();

                               String xmlResponse = pv.getResponse();
                               //out.println("xmlResponse:" + xmlResponse);

                               if(pv.isAuthenticationSuccesful())
                               {
                                       String user = pv.getUser();
                                       List proxyList = pv.getProxyList();
                                       authenticatedUserName = pv.getUser();
                               }
                               else
                               {
                                       String errorCode = pv.getErrorCode();
                                       String errorMessage = pv.getErrorMessage();
                               }

                               //out.println("authenticatedUserName:" + authenticatedUserName);
                               if(authenticatedUserName == null)
                               {
                                       requestURI = request.getRequestURI();
                                       //out.println("requestURI:" + requestURI);

                                       String redirectUrl = "";
                                       /*
                                       if(requestURI.indexOf("?") > 0)
                                               redirectUrl = loginUrl +
                                                "&service=" + getService(request) +
                                                 ((casRenew != null && !casRenew.equals(""))
                                                  ? "&renew="+ casRenew : "");
                                       else
                                               redirectUrl = loginUrl + "?service=" +
                                               getService(request) + ((casRenew != null
                                                && !casRenew.equals("")) ?
                                                 "&renew="+ casRenew : "");

                                       out.println("redirectUrl:" + redirectUrl);
                                       response.sendRedirect(redirectUrl);
                                       */
                               }
                               else
                               {
                                       String targetUrl = request.getParameter("target_url");
                                       //out.println("targetUrl:" + targetUrl);
                                       resp.setHeader("ACME_USER", authenticatedUserName);
                                       //Cookie cookie = new Cookie("ACME_USER", authenticatedUserName);
                                       //cookie.setDomain("gavin.it.gu.se");

                                       //Cookie cookie = new Cookie("ACME_USER", authenticatedUserName);
                                       Cookie cookie = new Cookie("ACME_USER", authenticatedUserName);
                                       cookie.setDomain("gu.se");
                                       cookie.setPath("/");
                                       resp.addCookie(cookie);
                                       //resp.addCookie(cookie2);
                                       resp.sendRedirect(targetUrl);
                               }

                               //out.println("authenticatedUserName:" + authenticatedUserName);

                       }

                 }
                 catch(Exception e)
                 {
                       //out.println("Error:" + e.getMessage());
                       //e.printStackTrace(out);
                 }

                 //out.flush();
                 //out.close();
        }

}



cookieName=CASTGC
validateURL=https://cas-server.com/cas/serviceValidate
casLoginPage=https://cas-server.com/cas/index.jsp?service=https://cas-server.com/cas/casServlet?target_url=
successUrl=http://oracle-postal.com:7778/portal/page?_pageid=6,1,6_13&_dad=portal&_schema=PORTAL
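
In the code above, CasExtendedAuthenticator.authenticate() takes the user name from the ACME_USER cookie or header exactly as the browser presents it. The page does not say what the reported concern was; the following added example, which is not part of the original page or the Gothenburg code, shows one way the servlet-to-plugin hand-off value could carry an HMAC and an expiry so the plugin can check that the servlet issued it. The class name SignedUserToken, its methods, and a secret shared by the servlet and the plugin are assumptions; it needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example; SignedUserToken is a hypothetical class, not part of the posted code.
// Token layout: base64url(user) "." expiryEpochMillis "." base64url(HMAC-SHA256 of the first two parts)
public final class SignedUserToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    private static byte[] mac(byte[] secret, String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(secret, "HmacSHA256"));
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Servlet side: call only after the CAS ticket has validated successfully.
    public static String issue(byte[] secret, String user, long expiresAtMillis) throws Exception {
        String body = ENC.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return body + "." + ENC.encodeToString(mac(secret, body));
    }

    // Plugin side: returns the user name, or null when the token is
    // missing, malformed, altered, or expired.
    public static String verify(byte[] secret, String token, long nowMillis) {
        try {
            int sig = token.lastIndexOf('.');
            int exp = token.lastIndexOf('.', sig - 1);
            if (exp < 1) return null;                      // fewer than three parts
            String body = token.substring(0, sig);
            byte[] given = Base64.getUrlDecoder().decode(token.substring(sig + 1));
            if (!MessageDigest.isEqual(mac(secret, body), given)) return null; // constant-time compare
            if (Long.parseLong(token.substring(exp + 1, sig)) < nowMillis) return null;
            return new String(Base64.getUrlDecoder().decode(token.substring(0, exp)), StandardCharsets.UTF_8);
        } catch (Exception e) {                            // null token, bad base64, bad number
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        String tok = issue(secret, "netid123", 61_000L);
        System.out.println(verify(secret, tok, 2_000L));        // token issued by the servlet
        System.out.println(verify(secret, "netid123", 2_000L)); // bare user name, as in the posted cookie
        System.out.println(verify(secret, tok, 100_000L));      // same token after its expiry
    }
}
```

A signed value can still be replayed until it expires, so the lifetime should be short and the cookie sent only over HTTPS.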