Difference between revisions of "Central Authentication Service - OpenKM 6.2"

Revision as of 10:49, 2 October 2013

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

First of all you should read about how CAS works. So I recommend to read these articles:

A detailed walk through a CAS authentication
Spring Security: CAS Authentication
And te mother-of-all-documentation at Spring Security 3.1 (Chapter 9).

According to the CAS documentation, it only works in secured HTTPS connections. For this reasong you need to configure HTTPS under Tomcat. Uncomment the "SSL HTTP/1.1 Connector" entry in $TOMCAT_HOME/conf/server.xml. Once you have modified it, start Tomcat and access https://localhost:8443/ to check it works fine.

Now go to the CAS web site and download the package with the server from http://www.jasig.org/cas_server_3_5_2_release. Once downloaded unpack it and copy the cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war file to $TOMCAT_HOME/webapps/cas-server.war (so the access to this webapp module will be easier to remember and write). Start Tomcat and check it has been deployed ok accessing to https://localhost:8443/cas-server. You can use any user to login with this unique restriction: the user and password should be the same. For example, try "foo" / "foo".

Remember these two URLs:

CAS Login: https://localhost:8443/cas-server/login
CAS Logout: https://localhost:8443/cas-server/logout

Spring Security configuration

In order to use CAS with Spring Security, you need to edit the pom.xml descriptor and add this dependency:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-cas</artifactId>
  <version>${spring.security.version}</version>
</dependency>

Once compiled, modify the applicationContext.xml (line 117):

<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />

And OpenKM.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">


<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
                <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
        <beans:property name="password" value="PASSLDAP"/>
  </beans:bean>

        <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                                <beans:constructor-arg ref="contextSource"/>
                                <beans:property name="userSearch" ref="userSearch"></beans:property>
                        </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                        <beans:constructor-arg ref="contextSource"/>
                                <beans:constructor-arg value="ou=groups"/>
                                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                                <beans:property name="groupRoleAttribute" value="cn"/>
                                <beans:property name="searchSubtree" value="true" />
                                <beans:property name="convertToUpperCase" value="true" />
                                <beans:property name="rolePrefix" value="" />
                        </beans:bean>
                </beans:constructor-arg>
        </beans:bean>

   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service"
        value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
  </beans:bean>

  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<beans:constructor-arg>
                        <beans:array>
                                <beans:value>groupe</beans:value>
                        </beans:array>
                </beans:constructor-arg>
      </beans:bean>
    </beans:property>

    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
      </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
  </beans:bean>

  <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <beans:bean id="casEntryPoint"
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
  </beans:bean>

<!--
<security:user-service id="userService">
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>

-->

</beans:beans>

Difference between revisions of "Central Authentication Service - OpenKM 6.2"

Revision as of 10:49, 2 October 2013

Spring Security configuration

Navigation menu

Views

Personal tools

Navigation

Search

Tools