Difference between revisions of "Central Authentication Service - OpenKM 5.1"
From OpenKM Documentation
m (moved CAS to Central Authentication Service) |
|||
| Line 1: | Line 1: | ||
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol. | The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol. | ||
| + | |||
| + | Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM: | ||
| + | |||
| + | In server/default/deploy/OpenKM.war/WEB-INF/web.xml: | ||
| + | |||
| + | <source lang="xml"> | ||
| + | <!-- CAS SSO--> | ||
| + | <!-- Facilitates CAS single sign-out --> | ||
| + | <listener> | ||
| + | <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> | ||
| + | </listener> | ||
| + | |||
| + | <!-- Following is needed only if CAS single-sign out is desired --> | ||
| + | <filter> | ||
| + | <filter-name>CAS Single Sign Out Filter</filter-name> | ||
| + | <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> | ||
| + | </filter> | ||
| + | |||
| + | <!-- Only 2 CAS filters are required for JAAS support --> | ||
| + | <context-param> | ||
| + | <param-name>service</param-name> | ||
| + | <param-value>https://openkm.chronossoftware.com/OpenKM</param-value> | ||
| + | </context-param> | ||
| + | <context-param> | ||
| + | <param-name>casServerLoginUrl</param-name> | ||
| + | <param-value>https://openkm.chronossoftware.com/cas/login</param-value> | ||
| + | </context-param> | ||
| + | |||
| + | <filter> | ||
| + | <filter-name>CASWebAuthenticationFilter</filter-name> | ||
| + | <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class> | ||
| + | </filter> | ||
| + | <filter> | ||
| + | <filter-name>CASAuthenticationFilter</filter-name> | ||
| + | <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> | ||
| + | </filter> | ||
| + | |||
| + | <!-- CAS client filter mappings --> | ||
| + | <!-- The order of the following filters is vitally important --> | ||
| + | <filter-mapping> | ||
| + | <filter-name>CAS Single Sign Out Filter</filter-name> | ||
| + | <url-pattern>*.jsp</url-pattern> | ||
| + | |||
| + | <!-- GWT --> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | |||
| + | <!-- JSPs --> | ||
| + | <url-pattern>/admin/*</url-pattern> | ||
| + | <url-pattern>/mobile/*</url-pattern> | ||
| + | <url-pattern>/mobile-nt/*</url-pattern> | ||
| + | |||
| + | <!-- Servlets --> | ||
| + | <url-pattern>/RepositoryStartup</url-pattern> | ||
| + | <url-pattern>/TextToSpeech</url-pattern> | ||
| + | <url-pattern>/Test</url-pattern> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | <url-pattern>/extension/*</url-pattern> | ||
| + | <!--url-pattern>/*</url-pattern--> | ||
| + | </filter-mapping> | ||
| + | <filter-mapping> | ||
| + | <filter-name>CASWebAuthenticationFilter</filter-name> | ||
| + | <url-pattern>*.jsp</url-pattern> | ||
| + | |||
| + | <!-- GWT --> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | |||
| + | <!-- JSPs --> | ||
| + | <url-pattern>/admin/*</url-pattern> | ||
| + | <url-pattern>/mobile/*</url-pattern> | ||
| + | <url-pattern>/mobile-nt/*</url-pattern> | ||
| + | |||
| + | <!-- Servlets --> | ||
| + | <url-pattern>/RepositoryStartup</url-pattern> | ||
| + | <url-pattern>/TextToSpeech</url-pattern> | ||
| + | <url-pattern>/Test</url-pattern> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | <url-pattern>/extension/*</url-pattern> | ||
| + | |||
| + | <!--url-pattern>/*</url-pattern--> | ||
| + | </filter-mapping> | ||
| + | <filter-mapping> | ||
| + | <filter-name>CASAuthenticationFilter</filter-name> | ||
| + | <url-pattern>*.jsp</url-pattern> | ||
| + | |||
| + | <!-- GWT --> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | |||
| + | <!-- JSPs --> | ||
| + | <url-pattern>/admin/*</url-pattern> | ||
| + | <url-pattern>/mobile/*</url-pattern> | ||
| + | <url-pattern>/mobile-nt/*</url-pattern> | ||
| + | |||
| + | <!-- Servlets --> | ||
| + | <url-pattern>/RepositoryStartup</url-pattern> | ||
| + | <url-pattern>/TextToSpeech</url-pattern> | ||
| + | <url-pattern>/Test</url-pattern> | ||
| + | <url-pattern>/frontend/*</url-pattern> | ||
| + | <url-pattern>/extension/*</url-pattern> | ||
| + | |||
| + | <!--url-pattern>/*</url-pattern--> | ||
| + | </filter-mapping> | ||
| + | <!-- /CAS SSO --> | ||
| + | </source> | ||
Revision as of 18:51, 3 October 2011
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM:
In server/default/deploy/OpenKM.war/WEB-INF/web.xml:
<!-- CAS SSO-->
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Following is needed only if CAS single-sign out is desired -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!-- Only 2 CAS filters are required for JAAS support -->
<context-param>
<param-name>service</param-name>
<param-value>https://openkm.chronossoftware.com/OpenKM</param-value>
</context-param>
<context-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://openkm.chronossoftware.com/cas/login</param-value>
</context-param>
<filter>
<filter-name>CASWebAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>CASAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>
<!-- CAS client filter mappings -->
<!-- The order of the following filters is vitally important -->
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
<filter-name>CASWebAuthenticationFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
<filter-name>CASAuthenticationFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<!-- /CAS SSO -->
