Central Authentication Service - OpenKM 6.2

From OpenKM Documentation
Jump to: navigation, search

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.


Nota advertencia.png In lastest 6.x version has been found some problem with opensaml-2.5.1-1.jar what is included by default in OpenKM build. For more information take a look [here].

First of all you should read about how CAS works. So I recommend to read these articles:

According to the CAS documentation, it only works in secured HTTPS connections. For this reasong you need to configure HTTPS under Tomcat. Uncomment the "SSL HTTP/1.1 Connector" entry in $TOMCAT_HOME/conf/server.xml. Once you have modified it, start Tomcat and access https://localhost:8443/ to check it works fine.

Now go to the CAS web site and download the package with the server from http://www.jasig.org/cas_server_3_5_2_release. Once downloaded unpack it and copy the cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war file to $TOMCAT_HOME/webapps/cas-server.war (so the access to this webapp module will be easier to remember and write). Start Tomcat and check it has been deployed ok accessing to https://localhost:8443/cas-server. You can use any user to login with this unique restriction: the user and password should be the same. For example, try "foo" / "foo".

Remember these two URLs:

Spring Security configuration

In order to use CAS with Spring Security, you need to edit the pom.xml descriptor and add this dependency:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-cas</artifactId>
  <version>${spring.security.version}</version>
</dependency>

Once compiled, modify the applicationContext.xml (line 117):

<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />

And OpenKM.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
        <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
        <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
        <beans:property name="password" value="PASSLDAP"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=groups"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
    <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg index="0" value="ou=people" />
        <beans:constructor-arg index="1" value="cn={0}" />
        <beans:constructor-arg index="2" ref="contextSource" />
        <beans:property name="searchSubtree" value="true" />
    </beans:bean>
    <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <beans:property name="service" value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
        <beans:property name="sendRenew" value="false"/>
    </beans:bean>

    <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <beans:property name="authenticationUserDetailsService">
            <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
                <beans:constructor-arg>
                    <beans:array>
                        <beans:value>groupe</beans:value>
                    </beans:array>
                </beans:constructor-arg>
            </beans:bean>
        </beans:property>

        <beans:property name="serviceProperties" ref="serviceProperties" />
        <beans:property name="ticketValidator">
            <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
                <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
            </beans:bean>
        </beans:property>
        <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
    </beans:bean>

    <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
        <beans:property name="serviceProperties" ref="serviceProperties"/>
    </beans:bean>
</beans:beans>

Note: This documentation is based in forum post http://forum.openkm.com/viewtopic.php?f=4&t=10711.