Caching and Re-playing Credentials

Real-world portals often need to perform credential replay in order to access interesting information on behalf of an end user. For example, an email preview portlet might need to authenticate to an IMAP store using the logged-in user's institutional username and password.

Enabling Credential Caching

To enable credential caching, use the CacheSecurityContext. For each security context whose credentials you want cached, add a line of the following form:

<security.context.name>.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory

The following example shows a portal installation modified to cache credentials for both local and LDAP login:

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap.cache=org.jasig.portal.security.provider.CacheLdapSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.simple.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory

To replay user credentials from a portlet, you will need to add the CachedPasswordUserInfo service to uportal-impl/src/main/resources/properties/contexts/portletContainerContext.xml. First add the following bean declaration:

    <bean id="cachedPasswordUserInfoService" class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService">
        <property name="userInstanceManager" ref="userInstanceManager" />
        <property name="portletWindowRegistry" ref="portletWindowRegistry" />
        <property name="portletEntityRegistry" ref="portletEntityRegistry" />
        <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
        <property name="portalRequestUtils" ref="portalRequestUtils" />
        <property name="stringEncryptionService" ref="stringEncryptionService" />
    </bean>

Next, add this newly-configured service to the list of merged user info services:

    <bean id="userInfoService" class="org.jasig.portal.portlet.container.services.MergingUserInfoService">
        <property name="userInfoServices">
            <list>
                <ref bean="personDirectoryUserInfoService"/>
                <ref bean="casTicketUserInfoService"/>
                <ref bean="cachedPasswordUserInfoService"/>
            </list>
        </property>
    </bean>

Lastly, make sure the stringEncryptionService bean in securityContext.xml is enabled (uncommented), and that its password property has been set to a site-specific value rather than the placeholder shown here:

    <bean id="stringEncryptionService" class="org.jasig.portal.security.JasyptPBEStringEncryptionServiceImpl">
        <property name="stringEncryptor">
            <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">

                <!-- Before using the string encryption service you must
                    first set a password -->
                <property name="password" value="changeme"/>

                <!--
                    Example BouncyCastle-powered AES encryption

                    To use AES encryption, uncomment the following section, add
                    the unrestricted JCE provider files to your JVM, and add
                    the JVM-version-appropriate BouncyCastle dependency to uPortal
                -->
                <!--
                <property name="algorithm" value="PBEWITHSHA256AND128BITAES-CBC-BC"/>
                <property name="provider">
                    <bean class="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
                </property>
                -->
            </bean>
        </property>
    </bean>
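As an added example of the portlet side of this setup (not code from this documentation or from uPortal itself), the following helper consumes the replayed credential for the email preview case described at the top of the page. It assumes the merged user info map exposes the login name under user.login.id and the cached password under password, and that the JavaMail API is on the classpath; both attribute keys are assumptions to check against your own configuration.

```java
import java.util.Map;
import java.util.Properties;
import javax.mail.Folder;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Store;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;

/** Hypothetical helper for a mail-preview portlet that replays the cached password over IMAPS. */
public final class MailPreview {
    // Assumed attribute keys exposed by the merged user info service; verify against your portal.
    private static final String LOGIN_KEY = "user.login.id";
    private static final String PASSWORD_KEY = "password";

    // Returns the INBOX unread count, or null when no credential was replayed: caching is
    // off, or the user came in through CAS without ClearPass, so uPortal never saw a password.
    public static Integer unreadCount(RenderRequest request, String imapHost)
            throws MessagingException {
        @SuppressWarnings("unchecked")
        Map<String, String> userInfo =
                (Map<String, String>) request.getAttribute(PortletRequest.USER_INFO);
        String user = userInfo == null ? null : userInfo.get(LOGIN_KEY);
        String password = userInfo == null ? null : userInfo.get(PASSWORD_KEY);
        if (user == null || password == null || password.isEmpty()) {
            return null;
        }
        return unreadCount(imapHost, user, password);
    }

    // Opens an IMAPS session, counts unread mail and closes it; the password stays in this
    // scope and is never logged or written into the rendered markup.
    static int unreadCount(String host, String user, String password) throws MessagingException {
        Properties props = new Properties();
        props.put("mail.store.protocol", "imaps"); // TLS from the first byte, never plain IMAP
        Store store = Session.getInstance(props).getStore("imaps");
        try {
            store.connect(host, 993, user, password);
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            try {
                return inbox.getUnreadMessageCount();
            } finally {
                inbox.close(false);
            }
        } finally {
            store.close();
        }
    }
}
```

A null return is the expected outcome for CAS users until ClearPass is in place, so the portlet should render a "no preview available" state rather than treat it as an error.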

CAS Clearpass

Performing credential caching for CAS authentication is more complex, since when a user logs in via CAS, uPortal never sees the user's credentials. Fortunately, a CAS extension has been developed that allows the portal to query the CAS server and retrieve these credentials.

Instructions for installing CAS Clearpass are documented on the ClearPass Integration - Maven Overlay page.