Setting up authentication
Introduction
Bedework is a standard J2EE servlet application as defined by the Java Servlet specification, so it is the container (JBoss) that carries out authentication. In the Bedework quickstart, JBoss authenticates against the packaged ApacheDS directory server. Most sites choose to authenticate their Bedework users against their centralized directory service. For installations that will not be authenticating to a local domain, the ApacheDS server shipped with Bedework is acceptable for a production deployment; if you keep it, replace the quickstart's demo accounts and passwords before exposing the server. Add users to ApacheDS using the tools outlined in Getting started → Authentication and user accounts, and add superusers via the JMX-Console as described below.
The authentication method used by JBoss is defined in
<JBoss>/server/default/conf/login-config.xml
In the quickstart, the connection to ApacheDS is defined in login-config.xml by <application-policy name="bedeworkdemo">. The web applications are configured to use a particular application-policy in cal.properties:
org.bedework.app.webapp.security.domain=bedeworkdemo
Moving to local LDAP authentication involves copying or modifying the <application-policy> block.
Other forms of authentication can be managed by the servlet container in a number of ways that are beyond the scope of this document. The JBoss website provides documentation on configuring JBoss to use other forms of authentication, including Active Directory, a local file, or a database.
An alternative that has been implemented is filter-based authentication with Yale/JA-SIG CAS.
Step 1: Add a superuser
Before you switch from the quickstart's authentication to your site's authentication you need to ensure you have an administrative superuser that exists within your own authentication domain; otherwise nobody will be able to log in to the admin client as a superuser once the quickstart accounts are no longer used.
Two ways to achieve this are:
1. Create a Bedework superuser from an account that already exists in your authentication domain. To do this:
   - log into the JMX-Console (http://localhost:8080/jmx-console/ ; see "The JMX-Console" for instructions),
   - visit org.bedework.bwengine (in the leftmost menu), then
   - click service=system (in the central list of services),
   - look for the attribute named "RootUsers" and add the accounts that exist in your local domain. Do not remove the "admin" user from the list of superusers, as a number of services rely on that account (though it does not need to authenticate or exist in your directory),
   - click the "Apply Changes" button,
   - in the lower list of Operations, click the "Invoke" button on the saveConfig operation.
2. Create a user in your domain, e.g. "admin", that is already set up as a superuser in the Bedework quickstart.
Option 1 is probably the most appropriate, and as the deployer it is probably acceptable to use your own account, at least initially.
Option: Use LDAP for authentication
- Configure JBoss to point at your local LDAP server:
  - Edit <quickstart>/jboss-5.1.0.GA/server/default/conf/login-config.xml
  - Modify the <application-policy name="bedeworkdemo"> section (found near line 110) to point to your local LDAP server. This will typically involve modifying three properties:
    - principalDNPrefix, e.g. "uid="
    - principalDNSuffix, e.g. ",ou=accounts, dc=rpi, dc=edu"
    - java.naming.provider.url, e.g. "ldap://login.myserver.edu/". Prefer an ldaps:// URL where your directory offers one: unless the directory requires StartTLS, a plain ldap:// URL performs the simple bind in cleartext, so every user's password crosses the network unencrypted.
- Prepare your group properties by modifying /home/<userid>/bwbuild/jboss-mysql/cal.options.xml: set the <user-ldap-group> options on or around lines 68-87.
- Rebuild the system:
  - stop JBoss
  - build Bedework
  - restart JBoss
- Test the web clients: log in to the admin or user client to test LDAP authentication.
If you choose to change the name "bedeworkdemo" to something more reasonable for your site, you must update the references to "bedeworkdemo" in bwbuild/cal.options (four places) to reflect the new policy name.
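As an added example (not the quickstart's own login-config.xml), here is what a site-specific <application-policy> block might look like once the three properties above have been changed, with the weak ldap:// setting shown commented out beside the ldaps:// one. The hostnames, DNs and the role-lookup module-options are assumptions made for illustration; only principalDNPrefix, principalDNSuffix and java.naming.provider.url are the properties this page tells you to change, so keep whatever other module-options your quickstart file already has.

```xml
<!-- Added example of a site-specific policy for login-config.xml; not the quickstart's file.
     Hostnames, DNs and the role-lookup options below are assumptions. -->
<application-policy name="bedeworkdemo">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

      <!-- Weak: a plain ldap:// URL (ApacheDS, for instance, listens on 10389 by default)
           performs the simple bind in cleartext, so every user's password crosses the
           network unencrypted. Left here only to show what is being replaced. -->
      <!-- <module-option name="java.naming.provider.url">ldap://login.example.edu/</module-option> -->

      <!-- Preferred: LDAP over TLS. The JVM running JBoss must trust the directory's
           certificate (import the issuing CA into its truststore, or point
           javax.net.ssl.trustStore at one that contains it). -->
      <module-option name="java.naming.provider.url">ldaps://login.example.edu:636/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>

      <!-- The user's bind DN is built as principalDNPrefix + username + principalDNSuffix,
           e.g. uid=jsmith,ou=people,dc=example,dc=edu -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=people,dc=example,dc=edu</module-option>

      <!-- Role lookup (assumed directory layout): groups under ou=groups whose "member"
           attribute holds the user's full DN; each matching group's cn becomes a role name. -->
      <module-option name="rolesCtxDN">ou=groups,dc=example,dc=edu</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Check the role options against your own directory's layout before copying them: with matchOnUserDN=true the module searches rolesCtxDN for entries whose uidAttributeID equals the full user DN, whereas with it false it matches on the bare username. If the TLS handshake fails after switching to ldaps://, the JBoss log will show the JNDI exception from the bind; the fix is in the truststore, not in the policy.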
Option: Use CAS for authentication
- Download the CAS Java Client.
- Unzip the file and copy the CAS client jar into Bedework's JBoss:
  - unzip cas-client-3.1.10-release.zip
  - cd cas-client-3.1.10/modules
  - cp cas-client-core-3.1.10.jar <qs>/jboss-5.1.0.GA/common/lib/
- Add a CAS filter to each application that requires a login (eventsubmit, ucal, caladmin). Do caladmin last; you may want access to it while you are debugging this procedure. The files to edit are:
  <qs>/bwwebapps/websubmit/war/WEB-INF/web.xml
  <qs>/bwwebapps/webclient/war/WEB-INF/userweb.xml
  <qs>/bwwebapps/webadmin/war/WEB-INF/web.xml
  In each file, add the lines in the "CAS Filters" box at the bottom of this page, replacing the URLs with those that work at your site. The CAS filter-mappings must come BEFORE any other filter-mappings, so that every request is authenticated before any Bedework filter sees it. Also delete any and all of the following elements, since authentication is now performed by the CAS filters rather than by the container (once they are gone, the /* mapping of the CAS filters is the only thing protecting the application, so do not narrow it):
  - <security-role-ref>
  - <security-constraint>
  - <security-role>
- (Optional) Point the logout buttons on the Bedework clients that have them (Admin Client, Personal Calendar Client, Submissions Client) at your CAS server by editing the corresponding stylesheets. For example, in the Submissions Client (<quickstart>/bedework/deployment/websubmit/webapp/resources/demoskins/default/default/default.xsl), change the logout "span" to look something like this:
  <span class="logout">
    <a href="https://yourserver:8443/cas/logout?service=http%3A%2F%2Fyourserver%2Feventsubmit%2F" id="bwLogoutButton">
      <xsl:copy-of select="$bwStr-Hedr-Logout"/>
    </a>
  </span>
- Build Bedework.
CAS Filters:
Replace the myCasServer, myclient and myBedeworkServer placeholders with your own URLs, and keep the CAS server URLs on https: the ticket-validation response is what tells Bedework who the user is, so it must not be readable or alterable in transit (casServerLoginUrl is normally casServerUrlPrefix followed by /login). The order in which filters run is the order of the <filter-mapping> elements, not of the <filter> declarations. The Sign-Out mapping is listed first because the CAS server delivers single sign-out as a back-channel POST that carries no ticket and no session; if the Authentication Filter ran first it would redirect that POST to the login page and the logout would never be processed.
  <!-- Redirects requests that carry neither a CAS assertion nor a ticket to the CAS login page -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://myCasServer/login</param-value>
    </init-param>
    <init-param>
      <param-name>service</param-name>
      <param-value>http://myclient/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://myBedeworkServer</param-value>
    </init-param>
  </filter>
  <!-- Validates the service ticket with the CAS server and stores the assertion in the session -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://myCasServer/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://myBedeworkServer</param-value>
    </init-param>
  </filter>
  <!-- Exposes the CAS user through request.getRemoteUser() and getUserPrincipal() -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <!-- Invalidates the local session when the CAS server reports a single sign-out -->
  <filter>
    <filter-name>CAS Sign-Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <!-- Mappings: the Sign-Out filter first, then authentication, validation and wrapping;
       all of these must precede any other filter-mapping in the file -->
  <filter-mapping>
    <filter-name>CAS Sign-Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Lets the Sign-Out filter find and destroy the session that belongs to a logged-out ticket -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
Bedework Enterprise Calendar Server, version 3.10