CAS

CVE-2014-5059

uPortal 4.1.1 or later (or 4.0.15 or later) includes a fix for CVE-2014-5059, which allows malicious users with valid credentials to assume an identity other than their own.

Configuring uPortal to use CAS

uPortal 4 is shipped with a default CAS authentication configuration that uses a bundled CAS server. This CAS server is included in the uPortal build and is deployed to the same servlet container as uPortal.

The required CAS configuration is contained in two filters and filter mappings in the portal's web.xml and in the security.properties file. When any of the following configuration elements changes, the CAS configuration will need to change as well:

  • server hostname
  • server port
  • SSL/non-SSL
  • application context name

To update the CAS authentication configuration, look for all occurrences of "localhost" in the "CAS Validate Filter" element of web.xml. Each URL must be updated to point at the CAS server or at the uPortal installation, as appropriate. The "logoutRedirect.root" and "org.jasig.portal.channels.CLogin.CasLoginUrl" properties of security.properties will also need modification. More information on the filter parameters can be found in the CAS documentation.

It's important to remember that moving to SSL also requires adopters to import the SSL certificate of the CAS server into the JVM's trust store (the cacerts keystore), because the CAS Validate Filter opens its own HTTPS connection to the CAS server to validate tickets. This step must be performed even if the bundled CAS server is used. (See SSL Configuration)

Configuration Options

Option 1: Using the uPortal Bundled CAS Server
Option 2: Using an External CAS Server

Option 1: Using the uPortal Bundled CAS Server

The code below provides an example of changing the default "http://localhost:8080" installation to a real domain, mapped by Apache over SSL at "https://portal.school.edu".

Step 1: Edit filters/local.properties

 1. In the filters folder, locate the default local.properties file (uPortal-4.x/filters) and edit the uPortal and CAS server configuration properties: replace localhost:8080 with your server name (portal.school.edu in this example) and, for an SSL deployment, change both protocol properties from http to https.

# HSQL Configuration
environment.build.hsql.port=8887

# Database Connection Settings (Uncomment the Maven Filters section in rdbm.properties)
environment.build.hibernate.connection.driver_class=org.hsqldb.jdbc.JDBCDriver
environment.build.hibernate.connection.url=jdbc:hsqldb:hsql://localhost:${environment.build.hsql.port}/uPortal
environment.build.hibernate.connection.username=sa
environment.build.hibernate.connection.password=
environment.build.hibernate.dialect=org.hibernate.dialect.HSQLDialect

# uPortal server configuration properties
environment.build.uportal.server=localhost:8080
environment.build.uportal.protocol=http
environment.build.uportal.context=/uPortal
environment.build.uportal.email.fromAddress=portal@university.edu

# CAS server configuration properties
environment.build.cas.server=localhost:8080
environment.build.cas.protocol=http

Step 2: Edit the security.properties file

Edit the security.properties file (uPortal-4.x/uportal-war/src/main/resources/properties/security.properties) to update the logout redirect string; by default it sends the user to the CAS logout page with a link back to the uPortal Login page. If you want to turn on the ClearPass feature, uncomment the two "org.jasig.cas3.extensions.clearpass..." lines (the root.cas factory and the clearPassCasUrl). ClearPass hands the user's clear-text password to the portal for portlets that must re-authenticate on the user's behalf, so enable it only when a portlet actually needs it.

logoutRedirect.root: by default this string takes the user to the CAS logout page, which displays the url value as a link. If you want the user to be redirected straight back to the portal after logging out, use the string below, i.e. replace "url=" with "service=":

logoutRedirect.root=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/logout?service=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login

You will also need to modify cas.properties on the CAS server: uncomment the following line and change false to true (cas.logout.followServiceRedirects=true) so that CAS redirects to the service after logout. Be aware that this makes the CAS server redirect the browser to the URL supplied in the logout request's service parameter; check the CAS documentation for your version to see whether that redirect is restricted to registered services.

#cas.logout.followServiceRedirects=false

uportal-war/src/main/resources/properties/security.properties
## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory
#root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory

## Answers what tokens are examined in the request for each context during authentication.
## A subcontext only needs to set its tokens if it differs from those of the root context.
principalToken.root=userName
credentialToken.root=password
credentialToken.root.cas=ticket

## Answers where the user will be redirected when log out occurs. Each security context can have one.
## (See comments in the LogoutServlet class)
## It would be better to escape the value of the url parameter, but since there are no parameters on the
## unescaped URL and since there are no further parameters on the logout URL, this does work.
logoutRedirect.root=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/logout?url=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login


## This is the factory that supplies the concrete authorization class
authorizationProvider=org.jasig.portal.security.provider.AuthorizationServiceFactoryImpl


## Login URL, if specified the CLogin channel will display a Login link with
## this URL instead of the standard userName/password form.
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/login?service=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login


## URL of the CAS cleartext password service
#org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/clearPass


###
...

Step 3: Rebuild/Redeploy uPortal

ant clean deploy-war

Step 4: Restart Tomcat

Restart your Tomcat servlet container to activate the modification.


Note: If you choose not to configure the CasLoginUrl property (i.e. leave it unset in security.properties), the portal fails to start with the error "Could not resolve property placeholder ${org.jasig.portal.channels.CLogin.CasLoginUrl}". The property is referenced in two files, jsonRenderingPipelineContext.xml and renderingPipelineContext.xml, in uportal-war/src/main/resources/properties/contexts, so you also need to remove (comment out) the reference in both files:

<entry key="EXTERNAL_LOGIN_URL" value="${org.jasig.portal.channels.CLogin.CasLoginUrl}" />
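Steps 1 and 2 above rely on Maven filtering: the ${environment.build.*} placeholders in security.properties are replaced at build time with the values from filters/local.properties. The Python script below is an added example, not uPortal code; it performs that substitution on constructed copies of both files for the https://portal.school.edu deployment and then demonstrates the caveat raised in the security.properties comment: with the service value left unescaped, a service URL that carries its own query string is truncated by ordinary query-string parsing on the CAS side, while a percent-encoded one survives. The property values, the cas_url helper and the refUrl query string are assumptions made for the example.

```python
"""Resolve the Maven-filtered CAS URLs in uPortal's security.properties and
show why the service parameter should be URL-encoded.

Added example, not part of uPortal. The property files below are constructed
for the https://portal.school.edu deployment described on the page."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed: filters/local.properties after Step 1 (portal and bundled CAS
# both sit behind Apache at portal.school.edu over SSL).
LOCAL_PROPERTIES = """
environment.build.uportal.server=portal.school.edu
environment.build.uportal.protocol=https
environment.build.uportal.context=/uPortal
environment.build.cas.server=portal.school.edu
environment.build.cas.protocol=https
"""

# Constructed: the two URL properties from security.properties, still holding
# their ${...} placeholders, exactly as the build's Maven filtering sees them.
SECURITY_PROPERTIES = """
logoutRedirect.root=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/logout?service=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
org.jasig.portal.channels.CLogin.CasLoginUrl=${environment.build.cas.protocol}://${environment.build.cas.server}/cas/login?service=${environment.build.uportal.protocol}://${environment.build.uportal.server}${environment.build.uportal.context}/Login
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def load_properties(text):
    """Minimal .properties reader: key=value lines, '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Substitute ${key} placeholders as the Maven filter does. A key missing
    from local.properties is left as the literal ${key}, which is how an
    unresolved placeholder ends up in the deployed file."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def resolved_security_properties():
    """The two CAS URLs exactly as the build writes them into security.properties."""
    env = load_properties(LOCAL_PROPERTIES)
    return {k: resolve(v, env) for k, v in load_properties(SECURITY_PROPERTIES).items()}


def cas_url(cas_base, endpoint, service):
    """Hypothetical helper: build a CAS login/logout URL with the service value
    percent-encoded, so a service URL with its own query string survives."""
    return f"{cas_base}/cas/{endpoint}?service={quote(service, safe='')}"


def service_param(url):
    """What the CAS server would parse out as the 'service' parameter of url."""
    return parse_qs(urlsplit(url).query).get("service", [None])[0]


if __name__ == "__main__":
    for key, url in resolved_security_properties().items():
        print(key, "=", url)
    # Assumed service URL that carries its own query string.
    deep = "https://portal.school.edu/uPortal/Login?refUrl=/uPortal/f/welcome&x=1"
    print("encoded  :", service_param(cas_url("https://portal.school.edu", "login", deep)))
    print("unencoded:", service_param(f"https://portal.school.edu/cas/login?service={deep}"))
```

The page's own URLs end in /Login with no query string of their own, which is why the unescaped form works there; the last two print lines show that as soon as the service URL carries an "&", the unencoded form loses everything after it.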

Option 2: Using an External CAS Server

Configuring uPortal for an external CAS service is essentially the same. Once the portal is configured against an external CAS server, you may wish to remove the bundled CAS installation.

Steps 1 and 2: As Above

Configuring uPortal to authenticate against an external CAS server requires modifying the web.xml and security.properties files shown above so that the CAS URLs match the external CAS server.

Step 3: Remove Bundled CAS Dependencies from Maven POM Files

To prevent CAS from being deployed by the ant deploy-ear task, perform the following changes:

  1. Remove (or comment out) the line <module>cas</module> from uPortal-4.x/uportal-portlets-overlay/pom.xml.

    <modules>
        <module>BookmarksPortlet</module>
        <!-- comment out the cas module below -->
        <!-- module>cas</module -->
        <module>cas-proxy-test-portlet</module>
        ...
    </modules>
  2. Remove the CAS dependency and webModule elements from uPortal-4.x/uportal-ear/pom.xml.

    <dependency>
        <groupId>org.jasig.portal.portlets-overlay</groupId>
        <artifactId>cas</artifactId>
        <version>${project.version}</version>
        <type>war</type>
    </dependency>

Step 4: CAS Server 3.5.3+

CAS Server 3.5.3 changed the default value of allowedToProxy to false. Make sure the uPortal service registered in the CAS service registry is allowed to perform proxy authentication (uPortal's CAS validation filter requests a proxy-granting ticket on every login); consult the CAS documentation for your version for how to set it. If this is not done, logins fail and portal.log shows an error similar to the following:

ERROR [http-bio-8080-exec-20641] web.ExceptionLoggingFilter.[] 2015-01-29 11:27:40,956 - uPortal: unhandled exception 'org.jasig.cas.client.validation.TicketValidationException: 
service.not.authorized.proxy' for URL=/uPortal/Login?ticket=ST-144-go3as7Kx5dyg05gKf45Z-cas
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: service.not.authorized.proxy
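The exception above comes from uPortal's CAS validation filter: it sends the service ticket to the CAS server's /serviceValidate endpoint together with a pgtUrl (uPortal asks for a proxy-granting ticket so portlets can proxy-authenticate), and the server answers with an authenticationFailure instead of an authenticationSuccess when the registered service is not allowed to proxy. The Python parser below is an added example, not the Java CAS client's or uPortal's code; it processes CAS 2.0 serviceValidate responses and separates that registry-side refusal from an ordinary bad ticket. The three XML responses are constructed for the example: the code attribute of the proxy refusal mirrors the message key in the log above, and UNAUTHORIZED_SERVICE_PROXY is the code the CAS protocol specification defines for the same condition.

```python
"""Parse CAS 2.0 /serviceValidate responses and classify the failure behind
"service.not.authorized.proxy".

Added example, not uPortal or Java CAS client code. The XML below is
constructed; real responses use the same CAS protocol element names."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by the CAS protocol

# Constructed: success for a validation that also sent a pgtUrl, so the
# proxy-granting-ticket IOU comes back alongside the user name.
SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: the refusal behind the log entry on the page. The ticket itself
# is valid; the registered service is simply not allowed to proxy.
PROXY_REFUSED = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="service.not.authorized.proxy">service.not.authorized.proxy</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed: an ordinary bad ticket (expired, replayed or forged ST).
BAD_TICKET = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


class TicketValidationError(Exception):
    """Carries the server's failure code and text, like the client's exception."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


def parse_service_validate(xml_text, require_pgt=False):
    """Return (user, pgt_iou) from a successful response, or raise
    TicketValidationError. With require_pgt=True a success that lacks a
    proxy-granting ticket is rejected too, since uPortal needs the PGT."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise TicketValidationError("INVALID_RESPONSE", "not a CAS serviceResponse")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise TicketValidationError(failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise TicketValidationError("INVALID_RESPONSE", "neither success nor failure element")
    user = success.findtext(f"{{{CAS_NS}}}user")
    if not user:
        raise TicketValidationError("INVALID_RESPONSE", "authenticationSuccess without cas:user")
    pgt_iou = success.findtext(f"{{{CAS_NS}}}proxyGrantingTicket")
    if require_pgt and not pgt_iou:
        raise TicketValidationError("NO_PGT", "server did not issue a proxy-granting ticket")
    return user, pgt_iou


def is_proxy_authorization_failure(err):
    """True when the fix is allowedToProxy in the CAS service registry, not the ticket.
    UNAUTHORIZED_SERVICE_PROXY is the CAS protocol specification's code for it."""
    return err.code in ("service.not.authorized.proxy", "UNAUTHORIZED_SERVICE_PROXY") \
        or "not.authorized.proxy" in err.message


if __name__ == "__main__":
    for name, body in (("success", SUCCESS), ("proxy refused", PROXY_REFUSED), ("bad ticket", BAD_TICKET)):
        try:
            print(name, "->", parse_service_validate(body, require_pgt=True))
        except TicketValidationError as e:
            hint = "enable proxying for the service in the CAS registry" if is_proxy_authorization_failure(e) else "ticket rejected"
            print(name, "->", e, "|", hint)
```

Treating the proxy refusal as a configuration error rather than a bad ticket matters operationally: retrying the login, or re-issuing tickets, will never clear it, whereas a burst of INVALID_TICKET failures is worth looking at as possible replay.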

Step 5. Rebuild/Redeploy uPortal

ant clean deploy-war

Step 6: Restart Tomcat

Restart your Tomcat servlet container to activate the modification.


Having problems with these instructions?

Please send us feedback at uportal-user@lists.ja-sig.org