Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Real-world portals often need to perform credential replay in order to access interesting information on behalf of an end user. For example, an email preview portlet might need to authenticate to an IMAP store using the logged-in user's institutional username and password.

Enabling Credential Caching

To enable credential caching, you will need to use the CacheSecurityContext. Add a line for each context you'd like to cache like the following:

<security.context.name>.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory

The following example shows a portal installation modified to cache credentials for both local and LDAP login:

## This is the factory that supplies the concrete authentication class
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap.cache=org.jasig.portal.security.provider.CacheLdapSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.simple.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory

To replay user credentials from a portlet, you will need to add the CachedPasswordUserInfo service to uportal-impl/src/main/resources/properties/contexts/portletContainerContext.xml. First add the following bean declaration:

    <bean id="cachedPasswordUserInfoService" class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService">
        <property name="userInstanceManager" ref="userInstanceManager" />
        <property name="portletWindowRegistry" ref="portletWindowRegistry" />
        <property name="portletEntityRegistry" ref="portletEntityRegistry" />
        <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
        <property name="portalRequestUtils" ref="portalRequestUtils" />
        <property name="stringEncryptionService" ref="stringEncryptionService" />
    </bean>

Next, add this newly-configured service to the list of merged user info services:

    <bean id="userInfoService" class="org.jasig.portal.portlet.container.services.MergingUserInfoService">
        <property name="userInfoServices">
            <list>
                <ref bean="personDirectoryUserInfoService"/>
                <ref bean="casTicketUserInfoService"/>
                <ref bean="cachedPasswordUserInfoService"/>
            </list>
        </property>
    </bean>

Lastly, you must make sure the stringEncryptionService bean in securityContext.xml is enabled (uncommented).

    <bean id="stringEncryptionService" class="org.jasig.portal.security.JasyptPBEStringEncryptionServiceImpl">
        <property name="stringEncryptor">
            <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">

                <!-- Before using the string encryption service you must
                    first set a password -->
                <property name="password" value="changeme"/>

                <!--
                    Example BouncyCastle-powered AES encryption

                    To use AES encryption, uncomment the following section, add
                    the unrestricted JCE provider files to your JVM, and add
                    the JVM-version-appropriate BouncyCastle dependency to uPortal
                -->
                <!--
                <property name="algorithm" value="PBEWITHSHA256AND128BITAES-CBC-BC"/>
                <property name="provider">
                    <bean class="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
                </property>
                -->
            </bean>
        </property>
    </bean>

CAS Clearpass

Performing credential caching for CAS authentication is more complex, since when a user logs in via CAS, uPortal never sees the user's credentials. Luckily an interesting extension to CAS has been developed to allow the portal to query the CAS server and retrieve these credentials.

Some instructions for installing CAS Clearpass are documented in the ClearPassClearPass Integration - Maven Overlay.

  • No labels