
Alfresco + CAS + single sign on + single sign out + solution

Question asked by umeshcse3 on Mar 24, 2009
Latest reply on Aug 26, 2009 by w0lf
Hi,
I am new to Alfresco and I faced a lot of problems configuring Alfresco with CAS single sign-on (and single sign-out), but I have successfully done it
and am providing the steps so that others can do it easily.

Environment :
Apache Tomcat 5.5.26
cas-server-3.2.1
Alfresco 2.1 Community Edition
CAS client 3.1.32

NOTE : Before using this make sure that LDAP and Tomcat are configured on SSL.
—————————————————————————————————————–
1. Copy the 'CAS client 3.1.32' jar to $ALFRESCO_HOME/WEB-INF/lib.

2. Add CAS filter
Modify $ALFRESCO_HOME/WEB-INF/web.xml by adding the following.

</context-param>
<context-param>
  <param-name>serverName</param-name>
  <param-value>http://<HOSTNAME></param-value>
</context-param>
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/faces/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://<HOST_NAME>:443/cas/login</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://<HOST_NAME>:443/cas</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/faces/*</url-pattern>
</filter-mapping>


Make sure that the CAS Single Sign Out Filter is the first filter.


3. Configure for user name forwarding

Download the keembay source file.
–Download uri - http://keembay.com/alfresco/extras/CASAuthenticationFilter.java
–Refer url - http://athenalogics.blogspot.com/2008/07/how-to-casify-alfresco-cms 567.html

Create a project in an IDE like Netbeans with required package hierarchy. Copy the file to the src directory of the project.
Modify it to forward username to the application after picking up the value from REMOTE_USER.

Change
public class CASAuthenticationFilter extends AbstractAuthenticationFilter implements Filter {

    public void doFilter(…) {

        // Retrieve the CAS username from the session
        String userName = null;
        Object o = httpSess.getAttribute(casUserSessionAttributeName);
        if (o == null) {
            logger.error("CAS : Attribute named "+casUserSessionAttributeName+" not found in the session. ");
        } else {
            userName = o.toString();
        }
        if (logger.isDebugEnabled()) {

        }

    }

to

public class CASAuthenticationFilter extends AbstractAuthenticationFilter implements Filter {

    public void doFilter(…) {

        // Retrieve the CAS username from REMOTE_USER
        String userName = null;
        userName = req.getRemoteUser();
        if (logger.isDebugEnabled()) {

        }

    }

Build the project; a jar file will be created. Copy it to $ALFRESCO_HOME/WEB-INF/lib/.

This jar contains code to forward the cas-authenticated user’s name to the application.

Open the file $ALFRESCO_HOME/WEB-INF/web.xml in a text editor and edit the filter named Authentication Filter.

Locate the following lines:
<filter>
  <filter-name>Authentication Filter</filter-name>
  <filter-class>org.alfresco.web.app.servlet.AuthenticationFilter</filter-class>
and edit them to become
<filter>
  <filter-name>Authentication Filter</filter-name>
  <filter-class>com.keembay.alfresco.web.app.servlet.CASAuthenticationFilter</filter-class>

Logout from Alfresco can be configured by modifying $ALFRESCO_HOME/jsp/relogin.jsp.
To log out from the CAS server we need to add a redirection after the Alfresco logout.
Modify $ALFRESCO_HOME/jsp/relogin.jsp from

        response.addCookie(authCookie);
    }
}
%>
to
        response.addCookie(authCookie);
    }
}
response.sendRedirect("https://<HOST_NAME>:8443/cas/logout");
%>

4. LDAP Integration

Create a file ldap-authentication-context.xml with following contents.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
  <bean name="authenticationDao"
        class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
    <property name="allowDeleteUser">
      <value>false</value>
    </property>
  </bean>
  <bean id="authenticationComponent"
        class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
    <property name="LDAPInitialDirContextFactory">
      <ref bean="ldapInitialDirContextFactory"/>
    </property>
    <property name="userNameFormat">
      <value>%s</value>
    </property>
  </bean>
  <bean id="ldapInitialDirContextFactory"
        class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
    <property name="initialDirContextEnvironment">
      <map>
        <entry key="java.naming.factory.initial">
          <value>com.sun.jndi.ldap.LdapCtxFactory</value>
        </entry>
        <entry key="java.naming.provider.url">
          <value>ldap://localhost</value>
        </entry>
        <entry key="java.naming.security.authentication">
          <value>simple</value>
        </entry>
        <entry key="java.naming.security.principal">
          <value>admin</value>
        </entry>
        <entry key="java.naming.security.credentials">
          <value>adminpassword</value>
        </entry>
      </map>
    </property>
  </bean>
</beans>

Copy this file to $ALFRESCO_HOME/WEB-INF/classes/alfresco/
$ALFRESCO_HOME/WEB-INF/classes/alfresco/extension

—————————————————————————————————————–
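
An added example, not part of the original post: a small Python check for the web.xml that steps 2 and 3 produce. It reads "first filter" as the first filter-mapping element, uses the filter names from the post, and also confirms the sign-out listener, the position of the request wrapper relative to the Alfresco filter that calls getRemoteUser(), and https on the casServer* URLs. The sample document and the host cas.example.test are constructed.

```python
import xml.etree.ElementTree as ET

SIGN_OUT = "CAS Single Sign Out Filter"
WRAPPER = "CAS HttpServletRequest Wrapper Filter"
ALFRESCO = "Authentication Filter"  # filter switched to CASAuthenticationFilter in step 3
LISTENER = "org.jasig.cas.client.session.SingleSignOutHttpSessionListener"

# Constructed sample (not a real deployment): mappings out of order,
# sign-out listener missing, and a plain-http CAS login URL.
BAD_WEB_XML = """<web-app>
<filter><filter-name>CAS Authentication Filter</filter-name>
  <init-param><param-name>casServerLoginUrl</param-name>
    <param-value>http://cas.example.test/cas/login</param-value></init-param></filter>
<filter-mapping><filter-name>Authentication Filter</filter-name></filter-mapping>
<filter-mapping><filter-name>CAS Single Sign Out Filter</filter-name></filter-mapping>
<filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name></filter-mapping>
</web-app>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace prefix

def _all(root, name):
    return [e for e in root.iter() if _local(e) == name]

def _child(el, name):
    return next(((c.text or "").strip() for c in el if _local(c) == name), "")

def audit_web_xml(text):
    """Return findings for the CAS filter section of a web.xml document."""
    root = ET.fromstring(text)
    # The container runs URL-pattern filters in <filter-mapping> order.
    order = [_child(m, "filter-name") for m in _all(root, "filter-mapping")]
    findings = []
    if order[:1] != [SIGN_OUT]:
        findings.append("sign-out filter is not the first filter-mapping")
    if LISTENER not in [_child(l, "listener-class") for l in _all(root, "listener")]:
        findings.append("single sign-out session listener is missing")
    if WRAPPER in order and ALFRESCO in order and order.index(WRAPPER) > order.index(ALFRESCO):
        findings.append("request wrapper mapped after the Alfresco filter")
    for p in _all(root, "init-param"):
        name, value = _child(p, "param-name"), _child(p, "param-value")
        if name.startswith("casServer") and not value.lower().startswith("https://"):
            findings.append(f"{name} does not use https: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(BAD_WEB_XML):
        print("FINDING:", finding)
```
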
