uPortal ClearPass Extension

This page refers to code that is in SVN under uPortal trunk. A patch has been submitted to upgrade uPortal 3.2 to the latest Jasig CAS Client for Java; uPortal's ClearPass support depends on that upgrade. Making ClearPass work with uPortal 3.1 would involve back-porting that upgrade and then configuring uPortal by following the instructions below.

For uPortal 4.x, refer to the page Caching and Re-playing Credentials in the uPortal 4.x manual.


Including the Dependency in your uPortal installation

You'll need to include the uPortal ClearPass support in your uPortal installation:

uPortal 3.x:

<dependency>
    <groupId>org.jasig.cas3.extensions</groupId>
    <artifactId>clearpass-integration-uportal</artifactId>
    <version>1.0.8.GA</version>
    <scope>runtime</scope>
    <type>jar</type>
</dependency>

uPortal 4.x: the dependency is already present in uportal-war/pom.xml.

Note: the ClearPass extensions are available in the Jasig Maven2 repository.

Update the security.properties file

uPortal 3.x: an example security.properties file:

##
##  CAS example
##  The following is an example of configuring uPortal to use both CAS
##  and local user authentication (authentication by username and password
##  hash stored in the uPortal database).  It uses the UnionSecurityContext
##  to consider both these authentication methods and declares the required
##  tokens for all.  This approach requires the corresponding filter mappings
##  in web.xml (mapping both the CASValidateFilter and the StaticCasReceiptCacher
##  filter in front of the LoginServlet).
##

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory

## Answers what tokens are examined in the request for each context during authentication.
## A subcontext only needs to set its tokens if it differs from those of the root context.
principalToken.root=userName
credentialToken.root=password
credentialToken.root.cas=ticket

## Answers where the user will be redirected when log out occurs. Each security context can have one.
## (See comments in the LogoutServlet class)

## It would be better to escape the value of the url parameter, but since there are no parameters on the
## unescaped URL and since there are no further parameters on the logout URL, this does work.
logoutRedirect.root.cas=https://localhost:8443/cas/logout?url=http://localhost:8080/uPortal/Login

## This is the factory that supplies the concrete authorization class
authorizationProvider=org.jasig.portal.security.provider.AuthorizationServiceFactoryImpl

## Login URL
## For display in CLogin channel.
org.jasig.portal.channels.CLogin.CasLoginUrl=https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost%3a8080%2FuPortal%2FLogin

## URL of the CAS cleartext password service
org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl=https://localhost:8443/cas/clearPass

uPortal 4.x: in security.properties,

  • Change the root.cas property from CasAssertionSecurityContextFactory to PasswordCachingCasAssertionSecurityContextFactory (comment the old line out, as shown below)
  • Uncomment org.jasig.portal.security.provider.cas.clearpass.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl

uPortal 4.x security.properties:
##  CAS & Local Authentication
##  
##  The following is an example of configuring uPortal to use both CAS
##  and local user authentication (authentication by username and password
##  hash stored in the uPortal database).  It uses the UnionSecurityContext
##  to consider both these authentication methods and declares the required
##  tokens for all.  This approach requires the corresponding filter mappings
##  in web.xml (mapping both the CASValidateFilter and the StaticCasReceiptCacher
##  filter in front of the LoginServlet).
##
##  The bundled cas instance (http://localhost:8080/cas) also uses the user in
##  the uPortal database for authentication.
##
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
#root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory
root.cas=org.jasig.portal.security.provider.cas.clearpass.PasswordCachingCasAssertionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory

## Answers what tokens are examined in the request for each context during authentication.
## A subcontext only needs to set its tokens if it differs from those of the root context.
principalToken.root=userName
credentialToken.root=password
credentialToken.root.cas=ticket

## Answers where the user will be redirected when log out occurs. Each security context can have one.
## (See comments in the LogoutController class)
## It would be better to escape the value of the url parameter, but since there are no parameters on the
## unescaped URL and since there are no further parameters on the logout URL, this does work.
logoutRedirect.root=${environment.build.cas.protocol}://${environment.build.cas.server}/logout?url=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

## This is the factory that supplies the concrete authorization class
authorizationProvider=org.jasig.portal.security.provider.AuthorizationServiceFactoryImpl

## Login URL, if specified the CLogin channel will display a Login link with
## this URL instead of the standard userName/password form.
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.cas.protocol}://${environment.build.cas.server}/login?service=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

## URL of the CAS clearPass password service
org.jasig.portal.security.provider.cas.clearpass.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/clearPass

Modify uPortal's portlet container to make the password available to portlets

This change is needed if your portlet will request the password attribute. The portlet container by default does not enable the release of passwords to portlets. To enable it, please add the following bean to portletContainerContext.xml:

uPortal 3.x:

<bean id="cachedPasswordUserInfoService" class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService">
  <property name="userInstanceManager" ref="userInstanceManager" />
  <property name="portletWindowRegistry" ref="portletWindowRegistry" />
  <property name="portletEntityRegistry" ref="portletEntityRegistry" />
  <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
  <property name="portalRequestUtils" ref="portalRequestUtils" />
  <property name="decryptPassword" value="false" />
</bean>

This new bean also needs to be added to the list of services in the userInfoService bean already defined in the same file; if it is not in that list, the portlet container never consults it and the password attribute is silently absent.
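An added example of that wiring, not copied from a uPortal release: the bean id userInfoService is the one the page names, but the class name, the property name userInfoServices and the personDirectoryUserInfoService ref are assumptions. Keep whatever your portletContainerContext.xml already declares for that bean and only add the new ref.

```xml
<!-- Added example (assumed class and property names): the existing userInfoService
     bean with the ClearPass password service appended to its list of delegates. -->
<bean id="userInfoService"
      class="org.jasig.portal.portlet.container.services.MultiUserInfoServiceImpl">
  <property name="userInfoServices">
    <list>
      <!-- whatever delegates your file already lists, e.g. person-directory attributes -->
      <ref bean="personDirectoryUserInfoService" />
      <!-- the new bean from the step above -->
      <ref bean="cachedPasswordUserInfoService" />
    </list>
  </property>
</bean>
```

Order matters only if two delegates supply the same attribute name; the password attribute comes solely from cachedPasswordUserInfoService, so appending it last is safe.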

uPortal 4.x: uncomment the following in portletContainerContext.xml:

     <!--bean id="cachedPasswordUserInfoService" 
        class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService">
        <property name="decryptPassword" value="false"/>
    </bean-->

Clustered Configuration

If your CAS servers are clustered, see http://jasig.github.io/cas/current/integration/ClearPass.html

If your uPortal servers are clustered, see https://wiki.jasig.org/display/UPM40/Caching+and+Re-playing+Credentials and https://wiki.jasig.org/display/UPM40/Clustering

Rebuild uPortal

Rebuild uPortal as you normally would.

Note: these instructions assume you already have a uPortal instance configured to use CAS.

Accessing the Password within uPortal

Within uPortal, the password can be accessed in exactly the same way as opaque credentials.

The modified security context makes the password accessible to IPrivileged channels via ISecurityContext.getOpaqueCredentialsInstance().

Portlets that need to access cleartext credentials can instruct uPortal to place the password among the other user attributes by including the following declaration within portlet.xml:

<user-attribute>
  <description>User Password</description>
  <name>password</name>
</user-attribute>
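As an added example that is not part of the uPortal or ClearPass code, the portlet side of this: a JSR-286 portlet reads the "password" entry that uPortal places in the USER_INFO map once the attribute above is declared, and replays it as HTTP Basic authentication to a back-end that accepts the user's own CAS password. The back-end URL, the class names and the fallback message are placeholders; java.util.Base64 assumes Java 8 or later. The important behaviour to copy is the null handling: when the attribute is not declared, the CachedPasswordUserInfoService is not wired in, or the user authenticated through a context other than CAS/ClearPass, the map simply lacks the key, and the portlet must degrade rather than send an empty credential.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/** Added example: reads the ClearPass-cached password that uPortal exposes via USER_INFO. */
final class CachedPasswordHelper {

    /** Must match the <name> declared in portlet.xml. */
    static final String PASSWORD_ATTRIBUTE = "password";

    private CachedPasswordHelper() {}

    /**
     * Returns the cached cleartext password, or null when uPortal did not release one.
     * Never log the return value.
     */
    static String cachedPassword(PortletRequest request) {
        @SuppressWarnings("unchecked")
        Map<String, String> userInfo =
                (Map<String, String>) request.getAttribute(PortletRequest.USER_INFO);
        if (userInfo == null) {
            return null; // container populated no user info at all
        }
        String password = userInfo.get(PASSWORD_ATTRIBUTE);
        return (password == null || password.isEmpty()) ? null : password;
    }

    /**
     * Builds an "Authorization: Basic ..." value for the logged-in user, or null when
     * either the user name or the password is unavailable so the caller can fall back.
     */
    static String basicAuthHeader(PortletRequest request) {
        String user = request.getRemoteUser();
        String password = cachedPassword(request);
        if (user == null || password == null) {
            return null;
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        String header = "Basic " + Base64.getEncoder().encodeToString(raw);
        Arrays.fill(raw, (byte) 0); // do not leave the cleartext in a stray buffer
        return header;
    }
}

/** Added example portlet that replays the credential to a hypothetical back-end. */
public class DownstreamPortlet extends GenericPortlet {

    // Placeholder: the service that accepts the user's CAS password over HTTPS.
    private static final String BACKEND_URL = "https://backend.example.edu/api/me";

    @Override
    protected void doView(RenderRequest request, RenderResponse response) throws IOException {
        response.setContentType("text/html");
        String auth = CachedPasswordHelper.basicAuthHeader(request);
        if (auth == null) {
            // No cached password: attribute not declared, service not wired, or non-CAS login.
            response.getWriter().write("<p>No cached credential; cannot call the back-end for you.</p>");
            return;
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND_URL).openConnection();
        conn.setRequestProperty("Authorization", auth);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int status = conn.getResponseCode();
        // Report only the status; the header value must never reach the page or the logs.
        response.getWriter().write("<p>Back-end responded with HTTP " + status + ".</p>");
        conn.disconnect();
    }
}
```

Because the credential is the user's real CAS password, only send it over TLS and only to services that genuinely need it; where a back-end is CAS-enabled, a proxy ticket obtained from the CAS assertion is the safer alternative and this code's null branch is the place to fall back to it.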