Maximiliano Lubian has written on the CAS Mailman list regarding CASifying Oracle Portal. Some of that discussion is presented here for your convenience.
Security Concern
A serious security concern has been raised off-list about the code posted to this page. This is an unresolved issue. More information to come... Andrew Petro, June 8 05
Maximiliano wrote:
This is how we solved the problem:
#When you click on the login link in Oracle Portal you are redirected to the CAS server with a service argument that points to a JSP servlet page on the portal rather than to the portal login URL.
#You login to CAS.
#CAS redirects you to the JSP page, which validates the ticket against the CAS server, gets the NetID (user id) and stores the user information in a cookie. It also strips the ticket argument from the URL because Oracle SSO does not accept this argument. The servlet then redirects you to the portal login page.
#A custom plugin in OraSSO reads the user information from the cookie and passes it on to the standard OraSSO management.
#The user is logged in.
If you register a plugin with OraSSO, you replace the standard OraSSO authentication with an external SSO handler.
We implemented a CAS SSO handler called:
CasExtendedAuthenticator
Located: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas
with a property file: $ORACLE_HOME/sso/plugin/cas.properties
The servlet:
source code: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas/CasServlet.java
(The attached files from the email are appended below. -ed)
We are in the process of getting CAS 2.0 working in Oracle Portal, but we don't have a solution for this yet. We expect to deliver this solution in a few weeks. Let me know if you're still interested and if you need more information.
Hope this was of some help.
Best regards Maxi
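// Decompiled by Jad v1.5.8e2. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://kpdus.tripod.com/jad.html
// Decompiler options: packimports(3)
// Source File Name: CasAuthenticator.java
package oracle.consulting.gu.cas;

import java.io.*;
import java.net.*;
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.*;

/**
 * OracleAS Single Sign-On external-authentication plugin. It accepts the user
 * name that {@link CasServlet} deposited in the ACME_USER cookie (or, failing
 * that, an ACME_USER request header) and hands it to OraSSO as the
 * authenticated user.
 *
 * <p>SECURITY (the unresolved concern noted on this page): the user name is
 * read from a client-supplied cookie/header with no integrity protection.
 * Nothing here ties the value to the CAS validation that CasServlet performed,
 * so the plugin cannot distinguish a cookie set by CasServlet from one set by
 * the client itself. Before production use the cookie must be bound to
 * server-side state or protected by a MAC under a secret shared only between
 * CasServlet and this plugin; that check belongs in
 * {@link #authenticate(HttpServletRequest)}.
 */
public class CasExtendedAuthenticator implements IPASAuthInterface {
    private static final String CLASS_NAME = "CasExtendedAuthenticator";
    /** Name of both the cookie and the header CasServlet uses to pass the user name. */
    private static final String ACME_USER_HEADER = "ACME_USER";
    // Loaded from cas.properties; only casLoginPage is used below. cookieName,
    // validateURL and succUrl are read but never consulted.
    private String cookieName;
    private String validateURL;
    private String casLoginPage;
    private String succUrl;
    /** Classpath resource holding the plugin configuration. */
    private static final String propFile = "cas.properties";

    /**
     * Loads cookieName, validateURL, casLoginPage and successUrl from the
     * cas.properties classpath resource. Problems are reported on stdout and
     * leave the affected fields null.
     */
    public CasExtendedAuthenticator() {
        System.out.println("Init casAuthenticator");
        InputStream is = null;
        try {
            is = Thread.currentThread().getContextClassLoader().getResourceAsStream(propFile);
            if (is == null) {
                // getResourceAsStream() reports a missing resource with null, not
                // FileNotFoundException, so the original catch could never fire
                // and prop.load(null) threw a NullPointerException instead.
                System.out.println("File not found:cas.properties");
                return;
            }
            Properties prop = new Properties();
            prop.load(is);
            cookieName = prop.getProperty("cookieName");
            validateURL = prop.getProperty("validateURL");
            casLoginPage = prop.getProperty("casLoginPage");
            succUrl = prop.getProperty("successUrl");
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (is != null) {
                try {
                    is.close();
                } catch (IOException ignored) {
                    // nothing useful to do about a failed close of a read-only stream
                }
            }
        }
    }

    /**
     * Resolves the user name for this request: the ACME_USER cookie if present,
     * otherwise the ACME_USER request header.
     *
     * @param request the current request
     * @return user info carrying the resolved user name
     * @throws IPASInsufficientCredException if neither the cookie nor the header
     *         carries a non-empty user name
     */
    public IPASUserInfo authenticate(HttpServletRequest request)
            throws IPASAuthException, IPASInsufficientCredException {
        String acmeUserName = null;
        Cookie[] cookies = request.getCookies();
        // getCookies() returns null when the request has no Cookie header; the
        // original code hit a NullPointerException here, which its catch-all
        // then reported as "No Acme Header".
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                writeToFile("cookie:" + cookie.getName());
                if (ACME_USER_HEADER.equalsIgnoreCase(cookie.getName())) {
                    acmeUserName = cookie.getValue();
                    break;
                }
            }
        }
        if (acmeUserName == null) {
            acmeUserName = request.getHeader(ACME_USER_HEADER);
        }
        writeToFile("acmeUserName:" + acmeUserName);
        if (acmeUserName == null || acmeUserName.length() == 0) {
            throw new IPASInsufficientCredException("No Acme Header");
        }
        // TODO(security): verify the value's integrity (MAC or server-side session
        // lookup) before trusting it; as written the user name is whatever the
        // client sent.
        IPASUserInfo authUser = new IPASUserInfo(acmeUserName);
        //authUser.setUserDN("cn=users,dc=it,dc=gu,dc=se");
        writeToFile("authUser:" + authUser.getUserName());
        return authUser;
    }

    /**
     * Returns the page OraSSO sends unauthenticated users to: the CAS login page
     * (casLoginPage, whose service parameter ends in "target_url=") followed by
     * the portal login URL. The portal URL is hard-coded here; successUrl from
     * cas.properties is not used.
     *
     * @param arg0 the current request (unused)
     * @param arg1 unused
     * @return the CAS login URL, or null if it cannot be parsed (also the case
     *         when cas.properties failed to load and casLoginPage is null)
     */
    public URL getUserCredentialPage(HttpServletRequest arg0, String arg1) {
        URL url = null;
        try {
            url = new URL(casLoginPage
                    + "http://oracle-portal.com:7778/pls/portal/"
                    + "PORTAL.wwsec_app_priv.login?p_requested_url="
                    + "http%3A%2F%2Foracle-portal.com"
                    + "%3A7778%2Fpls%2Fportal%2FPORTAL.home"
                    + "&p_cancel_url=http%3A%2F%2Foracle-portal.com"
                    + "%3A7778%2Fpls%2Fportal%2FPORTAL.home");
            System.out.println("userCred:" + url.toString());
        } catch (MalformedURLException e) {
            System.out.println("Problem med URL :" + casLoginPage);
        }
        return url;
    }

    /**
     * Appends one line to /tmp/sso.log; write failures are reported on stderr.
     * Note: /tmp is shared with every local user, so this log (cookie names and
     * the resolved user name) is readable by anyone on the host. Prefer the
     * OraSSO/container log in production.
     *
     * @param text the line to append
     */
    public void writeToFile(String text) {
        File file = new File("/tmp/sso.log");
        PrintWriter pout = null;
        try {
            pout = new PrintWriter(new FileWriter(file, true));
            pout.println(text);
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // the original leaked the writer when println() failed
            if (pout != null) {
                pout.close();
            }
        }
    }
}

// ---- CasServlet.java ----
package oracle.consulting.gu.cas;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import edu.yale.its.tp.cas.client.ProxyTicketValidator;

/**
 * CAS service endpoint for the portal. Validates the service ticket CAS
 * appended to the request, then hands the user name to OraSSO through the
 * ACME_USER header and cookie and redirects to the portal login URL given in
 * target_url, where CasExtendedAuthenticator picks the cookie up.
 *
 * <p>SECURITY: the ACME_USER cookie is a plain user name. A client can set the
 * same cookie without ever passing through this servlet, and the plugin has no
 * way to tell the difference. See CasExtendedAuthenticator for what a fix
 * needs.
 */
public class CasServlet extends HttpServlet {
    /** CAS validation endpoint. */
    private static final String CAS_VALIDATE_URL = "https://gavin.it.gu.se:8433/cas/serviceValidate";
    /**
     * Service the ticket was issued for. A CAS service ticket is only valid for
     * the service it was issued to, so this is fixed rather than derived from
     * the request.
     */
    private static final String CAS_SERVICE_URL = "https://cas-server.com:8433/cas/casServlet?"
            + "target_url=http://oracle-portal.com:7778"
            + "/pls/portal/PORTAL.wwsec_app_priv.login?"
            + "p_requested_url=http%3A%2F%2Foracle-portal.com"
            + "%3A7778%2Fpls%2Fportal"
            + "%2FPORTAL.home&p_cancel_url=http%3A%2F%2Foracle-portal.com"
            + "%3A7778%2Fpls%2Fportal%2FPORTAL.home";
    /** Only redirect targets under the portal are followed (no open redirect). */
    private static final String PORTAL_BASE = "http://oracle-portal.com:7778/";
    /** Name of the header and cookie read by CasExtendedAuthenticator. */
    private static final String ACME_USER = "ACME_USER";

    /**
     * Validates the CAS service ticket in the ticket parameter, then either
     * sets ACME_USER and redirects to target_url, or fails the request.
     *
     * <p>Responses: 400 if ticket is missing or empty, or target_url is missing
     * or not under the portal; 401 if CAS rejects the ticket; otherwise a
     * redirect to target_url carrying the ACME_USER header and cookie.
     *
     * <p>NOTE(review): target_url is taken up to the first '&amp;' of the query
     * string, so the p_cancel_url part of the nested portal URL built by
     * CasExtendedAuthenticator appears to arrive as a separate parameter and is
     * dropped here; this matches the original behaviour.
     *
     * @throws IOException if writing the response or contacting CAS fails
     * @throws ServletException if ticket validation fails for a non-I/O reason
     */
    public void doGet(HttpServletRequest request, HttpServletResponse resp)
            throws IOException, ServletException {
        String ticket = request.getParameter("ticket");
        // The original test used "||", so a missing ticket raised a
        // NullPointerException that the surrounding catch-all swallowed,
        // leaving an empty 200 response.
        if (ticket == null || ticket.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing ticket");
            return;
        }
        String targetUrl = request.getParameter("target_url");
        if (targetUrl == null || !targetUrl.startsWith(PORTAL_BASE)) {
            // Redirecting to an arbitrary target_url would make this endpoint an
            // open redirect; the portal is the only acceptable destination.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid target_url");
            return;
        }

        ProxyTicketValidator pv = new ProxyTicketValidator();
        pv.setCasValidateUrl(CAS_VALIDATE_URL);
        pv.setService(CAS_SERVICE_URL);
        pv.setServiceTicket(ticket);
        try {
            pv.validate();
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            // The original caught everything and emitted nothing; keep the
            // failure visible to the container instead.
            throw new ServletException("CAS ticket validation failed", e);
        }

        String authenticatedUserName = null;
        if (pv.isAuthenticationSuccesful()) {
            authenticatedUserName = pv.getUser();
        } else {
            log("CAS rejected ticket: " + pv.getErrorCode() + " " + pv.getErrorMessage());
        }
        if (authenticatedUserName == null || authenticatedUserName.length() == 0) {
            // The original fell through here and returned an empty 200.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "ticket rejected");
            return;
        }

        resp.setHeader(ACME_USER, authenticatedUserName);
        // Domain-wide cookie so the OraSSO host sees it. It is not marked Secure
        // because target_url is plain http on port 7778 and a Secure cookie would
        // not be sent there; Cookie.setHttpOnly is not available in the Servlet
        // API this code appears to target.
        Cookie cookie = new Cookie(ACME_USER, authenticatedUserName);
        cookie.setDomain("gu.se");
        cookie.setPath("/");
        resp.addCookie(cookie);
        resp.sendRedirect(targetUrl);
    }
}

# cas.properties (attached file)
cookieName=CASTGC
validateURL=https://cas-server.com/cas/serviceValidate
casLoginPage=https://cas-server.com/cas/index.jsp?service=https://cas-server.com/cas/casServlet?target_url=
successUrl=http://oracle-postal.com:7778/portal/page?_pageid=6,1,6_13&_dad=portal&_schema=PORTAL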