how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2)

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2)

Post by michaeled » Thu Aug 29, 2013 8:00 am

Hi,

I was using OpenKM (5.1.10) with cas-client (and LDAP) without problems; the client application was on a JBoss server.

Now I'd like to install OpenKM 6.2 with Tomcat.

I tried to apply the old configuration to the new one but I'm having some trouble (the LDAP part is operational, but not the authentication via the CAS client). The CAS server is unchanged.

With JBoss I used to change the file:

server/default/conf/login-config.xml

With this modification:

Code:

 <application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://URL:8443/cas/</module-option>
      <module-option name="service">https://URL:8443/OpenKM/</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">roleAttributeNames</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
and this file:

WEB-INF/web.xml

with this modification:

Code:

<!-- CAS SSO-->
  <!-- Facilitates CAS single sign-out -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
 
  <!-- Following is needed only if CAS single-sign out is desired -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
 
  <!-- Only 2 CAS filters are required for JAAS support -->
  <context-param>
    <param-name>service</param-name>
    <param-value>https://URL:8443/OpenKM</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://URL:8443/cas/login</param-value>
  </context-param>
 
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
 
  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- /CAS SSO -->
And all was OK.

Now with Tomcat I'm a little bit lost...

So, I don't know how to adapt this file:

Code:

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://URL:389/ou=service,dc=domaine,dc=fr"/>
    <beans:property name="userDn" value="cn=admin,dc=domaine,dc=fr"/>
    <beans:property name="password" value="PASSWORD"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="ou=groups"/>
        <beans:property name="groupSearchFilter" value="memberUid={1}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        <beans:property name="rolePrefix" value="" />
        <beans:property name="defaultRole" value="ROLE_USER" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
And the web.xml:

Code:

<jsp-config>
    <taglib>
      <taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
      <taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
    </taglib>
  </jsp-config>

  <!-- Filters -->
  <filter>
        <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>WebDAVFilter</filter-name>
    <filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
  </filter>
  <filter>
    <filter-name>UploadThrottleFilter</filter-name>
    <filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
  </filter>

  <!-- Filter Mappings -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>WebDAVFilter</filter-name>
    <url-pattern>/webdav/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>UploadThrottleFilter</filter-name>
    <url-pattern>/frontend/FileUpload</url-pattern>
  </filter-mapping>

  <!-- Listeners -->
  <listener>
    <listener-class>com.openkm.servlet.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      file:${catalina.home}/OpenKM.xml
    </param-value>
  </context-param>

  <!-- Startup Servlets -->
  <servlet>
    <servlet-name>RepositoryStartup</servlet-name>
    <servlet-class>com.openkm.servlet.RepositoryStartupServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <!-- Frontend Servlets -->
  <servlet>
    <servlet-name>WorkspaceServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.WorkspaceServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DocumentServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.DocumentServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>FrontendAuthServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.AuthServlet</servlet-class>
  </servlet>

 .....

  <!-- Test Servlets -->
  <servlet>
    <servlet-name>Test</servlet-name>
    <servlet-class>com.openkm.servlet.TestServlet</servlet-class>
  </servlet>

  <!-- Startup servlets -->
  <servlet-mapping>
    <servlet-name>CXFServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <!-- Frontend Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>WorkspaceServlet</servlet-name>
    <url-pattern>/frontend/Workspace</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>DocumentServlet</servlet-name>
    <url-pattern>/frontend/Document</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FrontendAuthServlet</servlet-name>
    <url-pattern>/frontend/Auth</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RepositoryServlet</servlet-name>
    <url-pattern>/frontend/Repository</url-pattern>
  </servlet-mapping>


.....

  <!-- Test Servlets -->
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/frontend/Test</url-pattern>
  </servlet-mapping>

  <!-- Extensions Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>DataBrowserServlet</servlet-name>
    <url-pattern>/extension/DataBrowser</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MacrosServlet</servlet-name>
    <url-pattern>/extension/Macros</url-pattern>
  </servlet-mapping>
    <servlet-mapping>
    <servlet-name>DropboxServlet</servlet-name>
    <url-pattern>/extension/Dropbox</url-pattern>
  </servlet-mapping>
  <!-- Misc servlets mappings -->
  <servlet-mapping>
    <servlet-name>SyndicationServlet</servlet-name>
    <url-pattern>/feed/*</url-pattern>
  </servlet-mapping>


.....

  <!-- Admin Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>StatsGraphServlet</servlet-name>
    <url-pattern>/admin/StatsGraph</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RepositoryCheckerServlet</servlet-name>
    <url-pattern>/admin/RepositoryChecker</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WorkflowGraphServlet</servlet-name>
    <url-pattern>/admin/WorkflowGraph</url-pattern>

.....


  <!-- Test Servlet Mapping -->
  <servlet-mapping>
    <servlet-name>Test</servlet-name>
    <url-pattern>/Test</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <error-page>
    <exception-type>com.openkm.frontend.client.OKMException</exception-type>
    <location>/error.jsp</location>
  </error-page>

  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.jsp</location>
  </error-page>
 

I've tried a lot of things but without success.

Does someone have an idea?

Regards,

Michael.

jllort
Moderator
Posts: 10767
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by jllort » Fri Aug 30, 2013 4:27 pm

Hi, you should take a look at Spring Security and JASIG. I'm not sure if you should modify internal files in OpenKM; basically the security XML configuration is composed of OpenKM.xml (exposed) and an internal XML file called applicationContext.xml in the WEB-INF folder.

If you finally configure it, we would appreciate it if you would share the information with us in our documentation wiki.

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Mon Sep 02, 2013 9:53 pm

Hi,

Sure, I will document it.

For now I have some trouble with that.

It works well with LdapAuthenticationProvider. (And the CAS server works well with other applications.)

I'm definitely not a Java expert, so, with some examples from the net and from the Jasig wiki, I tried to replace the "ldapAuthProvider" by "casAuthenticationProvider".

This is where I am:
OpenKM.xml looks like this:

Code:

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
  </security:authentication-manager>

<beans:bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

<beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="https://URLCASSERVER:8443/cas/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
</beans:bean>

<beans:bean id="casAuthenticationEntryPoint"    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLCASSERVER:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>

<beans:bean id="casAuthenticationProvider"  class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userService"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
    <beans:property name="key" value="etpourquoipas"/>
    <beans:property name="ticketValidator" ref="ticketValidator"/>
</beans:bean>

<beans:bean id="ticketValidator"
                class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <beans:constructor-arg index="0" value="https://URLCASSERVER:8443/cas">
            </beans:constructor-arg>
</beans:bean>


<beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="filterProcessesUrl" value="/auth_check" />
</beans:bean>
<!-- The users available for this application. -->
<security:user-service id="userService">
    <security:user name="user" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>
webapps/OpenKM/WEB-INF/web.xml:

Code:

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://URLCASSERVER:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://URLCASCLIENT:8080</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://URLCASSERVER:8443/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://URLCASCLIENT:8080</param-value>
    </init-param>
    <init-param>
      <param-name>redirectAfterValidation</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>tolerance</param-name>
      <param-value>5000</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <!-- Other filters as needed -->
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>com.openkm.servlet.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      file:${catalina.home}/OpenKM.xml
    </param-value>
  </context-param>

 
The server starts correctly; the only WARN is these two lines:

Code:

WARN  org.jasig.cas.client.authentication.Saml11AuthenticationFilter - SAML1.1 compliance requires the [artifactParameterName] and [serviceParameterName] to be set to specified values.
WARN  org.jasig.cas.client.authentication.Saml11AuthenticationFilter - This filter will overwrite any user-provided values (if any are provided)
This is the problem:
=> I try to go to the application and I'm correctly redirected to the login page of the CAS server
=> the login is accepted and I'm redirected to the client application
=> error on the client (OpenKM): com.openkm.core.RepositoryException: User not authenticated

I don't have a lot of things in the logs:

Code:

DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Placing URL parameters in map.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Calling template URL attribute map.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Loading custom parameters from configuration.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Constructing validation url: https://URLCASSERVER:8443/cas/samlValidate?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin%3FTARGET%3Dhttp%253A%252F%252FURLCASCLIENT%253A8080%252FOpenKM%252Flogo%252Flogin
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Retrieving response from server.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Server response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2013-09-02T21:36:13.944Z" MajorVersion="1" MinorVersion="1" Recipient="http://URLCASCLIENT:8080/OpenKM/logo/login" ResponseID="_14ce5945f0cce6759da22bafb98facd4"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5216abc4e65335471bb6a5330a3bf9a3" IssueInstant="2013-09-02T21:36:13.944Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2013-09-02T21:36:13.944Z" NotOnOrAfter="2013-09-02T21:36:43.944Z"><AudienceRestrictionCondition><Audience>http://URLCASCLIENT:8080/OpenKM/logo/login</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier>g.lemaire</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName="roleAttributeNames" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>DEMOVILLE</AttributeValue></Attribute></AttributeStatement><AuthenticationStatement AuthenticationInstant="2013-09-02T21:18:02.862Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>g.lemaire</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter - Successfully authenticated user: g.lemaire
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter - Redirecting after successful ticket validation.
DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated: http://URLCASCLIENT:8080/OpenKM/logo/login?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin
DEBUG com.openkm.core.UINotification - *** Clean UI notification ***
DEBUG com.openkm.servlet.frontend.UINotificationServlet - clean()
This is the code that throws the exception:

Code:

@Override
public void login() throws RepositoryException, DatabaseException {
    log.debug("login()");

    try {
        // The Authentication comes from the Spring Security context; it is null
        // when no Spring Security filter has authenticated the current request.
        Authentication auth = PrincipalUtils.getAuthentication();

        if (auth != null) {
            String user = auth.getName();
            loadUserData(user);

            // Activity log
            // @see com.openkm.spring.LoggerListener
        } else {
            throw new RepositoryException("User not authenticated");
        }
    } catch (DatabaseException e) {
        throw e;
    } catch (PathNotFoundException e) {
        log.error(e.getMessage(), e);
        throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
    } catch (AccessDeniedException e) {
        log.error(e.getMessage(), e);
        throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
    } catch (ItemExistsException e) {
        log.error(e.getMessage(), e);
        throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
    }

    log.debug("grantRole: void");
}
I can't find how to make OpenKM log more about the authentication; do you have an idea?

Thanks!

Michael.

pavila
Moderator
Posts: 3072
Joined: Tue Dec 11, 2007 6:02 pm
Location: Alicante, Spain

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by pavila » Mon Sep 09, 2013 5:06 pm

According to the "User not authenticated" error message, the integration between Spring and CAS is not working properly. This piece of code:

Code:

SecurityContextHolder.getContext().getAuthentication()
should return the authenticated user credentials (org.springframework.security.core.Authentication), and in your installation it is returning "null".

Are you reading the documentation from http://static.springsource.org/spring-s ... e/cas.html ?

Note: Please, provide me a downloadable CAS server for testing (or another online) so I can start testing your configuration and check what fails.

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

[SOLVED] SSO CAS JASIG from JBOSS to TOMCAT

Post by michaeled » Thu Sep 26, 2013 3:26 pm

Hi!

Pavila, thank you for this indication.
Indeed, it is sometimes necessary to go back to the source, and reading this page I was able to spot some of my mistakes.

Finally I managed to CASify OpenKM!!

For those who are tempted by the experience, here's what to do:

1) Have a working CAS server (can be on another machine)
2) Compile the CAS client and copy the library into OpenKM
3) Change the config files:

a) applicationContext.xml (line 117):

Code:

<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" >
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
b) OpenKM.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">


  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
    <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
    <beans:property name="password" value="PASSLDAP"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="ou=groups"/>
        <beans:property name="groupSearchFilter" value="memberUid={1}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service"
        value="http://URLOPENKM:8080/OpenKM/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
  </beans:bean>

  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
        <beans:constructor-arg>
          <beans:array>
            <beans:value>groupe</beans:value>
          </beans:array>
        </beans:constructor-arg>
      </beans:bean>
    </beans:property>

    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
      </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
  </beans:bean>

  <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <beans:bean id="casEntryPoint"
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
  </beans:bean>

<!--
<security:user-service id="userService">
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>

-->

</beans:beans>
:-)

Michael.
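Two things in this thread are easy to get wrong: what the Saml11TicketValidator checks in the CAS server's response (the assertion validity window, widened by the client's `tolerance`, and the audience) and which assertion attributes GrantedAuthorityFromAssertionAttributesUserDetailsService turns into roles (the final OpenKM.xml names `groupe`, while the debug log in the earlier post shows the server sending `roleAttributeNames`). The Python script below is an added illustration of those two steps, not code from OpenKM, JASIG or Spring Security; the SAML response it parses is constructed from the shape of that log, with placeholder hostnames, constructed IDs and a constructed `groupe` attribute.

```python
"""Walk through a CAS SAML 1.1 validation response the way the OpenKM/Spring
chain consumes it: status check, assertion validity window (widened by the
client's `tolerance` in milliseconds, as in the web.xml earlier in the thread),
audience check, then mapping of chosen attribute names to granted authorities.

Added illustration only; not code from OpenKM, JASIG or Spring Security.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed from the shape of the thread's debug log: placeholder hosts and
# IDs, the attribute the server really sent (roleAttributeNames) and a
# constructed 'groupe' attribute like the one the final OpenKM.xml maps to roles.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2013-09-02T21:36:13.944Z" MajorVersion="1" MinorVersion="1"
    Recipient="http://URLCASCLIENT:8080/OpenKM/logo/login" ResponseID="_resp1">
<Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_as1"
    IssueInstant="2013-09-02T21:36:13.944Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2013-09-02T21:36:13.944Z" NotOnOrAfter="2013-09-02T21:36:43.944Z">
<AudienceRestrictionCondition>
<Audience>http://URLCASCLIENT:8080/OpenKM/logo/login</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AttributeStatement>
<Subject><NameIdentifier>g.lemaire</NameIdentifier></Subject>
<Attribute AttributeName="roleAttributeNames" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<AttributeValue>DEMOVILLE</AttributeValue></Attribute>
<Attribute AttributeName="groupe" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<AttributeValue>okm_readers</AttributeValue><AttributeValue>okm_writers</AttributeValue></Attribute>
</AttributeStatement>
</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def parse_cas_time(ts):
    """CAS emits UTC timestamps with millisecond precision and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, expected_audience, now, tolerance_ms=5000,
                           authority_attributes=("groupe",)):
    """Return {'principal', 'attributes', 'authorities'} or raise ValueError,
    mirroring the reasons a ticket is rejected or a user ends up with no roles."""
    root = ET.fromstring(xml_text)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no SAML Response in SOAP body")

    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValueError("CAS did not report success")

    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("success status but no Assertion/Conditions")

    # Validity window: the client's tolerance absorbs clock skew between the CAS
    # server and OpenKM; a skew larger than that shows up as a rejected ticket.
    tol = timedelta(milliseconds=tolerance_ms)
    not_before = parse_cas_time(cond.get("NotBefore"))
    not_on_or_after = parse_cas_time(cond.get("NotOnOrAfter"))
    if now + tol < not_before or now - tol >= not_on_or_after:
        raise ValueError("assertion outside validity window (clock skew > %d ms?)" % tolerance_ms)

    # Audience must match the service URL the client registered with CAS.
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        raise ValueError("audience %r does not match service %r" % (audiences, expected_audience))

    subject = assertion.find("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", NS)
    if subject is None or not subject.text:
        raise ValueError("assertion has no NameIdentifier")

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    # Only the attributes named in the Spring config become authorities; naming an
    # attribute the server never sends yields an authenticated user with no roles.
    authorities = [v for name in authority_attributes for v in attributes.get(name, [])]
    return {"principal": subject.text, "attributes": attributes, "authorities": authorities}


if __name__ == "__main__":
    result = validate_saml_response(
        SAMPLE_RESPONSE, "http://URLCASCLIENT:8080/OpenKM/logo/login",
        now=parse_cas_time("2013-09-02T21:36:20.000Z"))
    print(result["principal"], result["authorities"])
```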

pavila
Moderator
Posts: 3072
Joined: Tue Dec 11, 2007 6:02 pm
Location: Alicante, Spain

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by pavila » Wed Oct 02, 2013 8:56 am

Thanks, Michael.

I have added it to the documentation wiki at http://wiki.openkm.com/index.php/Centra ... OpenKM_6.2. Please take a look and tell me if something is wrong.

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Wed Oct 02, 2013 1:06 pm

Hi !

I think you shouldn't describe here how to set up a CAS server, because if you do that you have to explain how CAS should be set up to send the role to the client (not so easy).

You should maybe replace this in the documentation:
<<download the package with the server from http://www.jasig.org/cas_server_3_5_2_release ...>> (and the whole paragraph)

by this:
<< download CAS-Client: Maven2 Repository:
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.1.11</version>
<scope>runtime</scope>
<type>jar</type>
</dependency>
>>

The prerequisite is to have an operational CAS server.

Michael.

chasedream285
Fresh Boarder
Fresh Boarder
Posts: 10
Joined: Fri Oct 11, 2013 11:15 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by chasedream285 » Tue Nov 05, 2013 3:34 am

Dear,
Why did this error happen on Tomcat/OpenKM start after I followed your guide in this post to change my 'OpenKM.xml'?

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authenticationManager': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:149)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:102)
at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1441)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:305)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
... 63 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authenticationManager': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:250)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:28)
at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:20)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:142)
... 68 more
2013-11-05 10:43:09,234 [pool-2-thread-1] ERROR org.apache.catalina.core.StandardContext - Error listenerStart
2013-11-05 10:43:09,234 [pool-2-thread-1] ERROR org.apache.catalina.core.StandardContext - Context [/OpenKM] startup failed due to previous errors

michaeled
Expert Boarder
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Tue Nov 05, 2013 7:38 am

Can you send your OpenKM.xml ?
Michael.

chasedream285
Fresh Boarder
Fresh Boarder
Posts: 10
Joined: Fri Oct 11, 2013 11:15 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by chasedream285 » Wed Nov 06, 2013 7:04 am

Hi Michael,
Thanks for your response. It's http://files.cnblogs.com/youcanwin/OpenKM.xml; even after I replaced some values with my actual environment values, it still errors!

michaeled
Expert Boarder
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Wed Nov 06, 2013 11:51 am

Hi,

Can you post the result of :

Code: Select all

ls /opt/tomcat7/webapps/OpenKM/WEB-INF/lib/
and

Code: Select all

ls /opt/tomcat7/lib/

chasedream285
Fresh Boarder
Fresh Boarder
Posts: 10
Joined: Fri Oct 11, 2013 11:15 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by chasedream285 » Thu Nov 07, 2013 1:42 am

I am using OpenKM 6.2 on Windows 2003, JDK 1.6, CAS client version 3.1. The library lists are:
C:\KM-staging\openkm6\tomcat\lib

Code: Select all

annotations-api.jar
cas-client-core-3.1.jar
catalina-ant.jar
catalina-ha.jar
catalina-tribes.jar
catalina.jar
commons-logging-1.1.jar
ecj-3.7.2.jar
el-api.jar
hsqldb.jar
jasper-el.jar
jasper.jar
javassist-3.11.0.GA.jar
jsp-api.jar
jstl-1.2.jar
jta-1.1.jar
log4j-1.2.17.jar
log4j-initializer.jar
mail-1.4.5.jar
mysql-connector-java-5.1.12-bin.jar
opensaml-1.1b.jar
README.txt
servlet-api.jar
sigar
spring-aop-3.1.0.RELEASE.jar
spring-asm-3.1.0.RELEASE.jar
spring-beans-3.1.0.RELEASE.jar
spring-context-3.1.0.RELEASE.jar
spring-context-support-3.0.6.RELEASE.jar
spring-core-3.1.0.RELEASE.jar
spring-expression-3.1.0.RELEASE.jar
spring-jdbc-3.1.0.RELEASE.jar
spring-ldap-core-1.3.1.RELEASE.jar
spring-orm-3.1.0.RELEASE.jar
spring-oxm-3.0.6.RELEASE.jar
spring-security-acl-3.1.0.RELEASE.jar
spring-security-cas-3.1.1.RELEASE.jar
spring-security-config-3.1.0.RELEASE.jar
spring-security-core-3.1.0.RELEASE.jar
spring-security-crypto-3.1.0.RELEASE.jar
spring-security-ldap-3.1.0.RELEASE.jar
spring-security-taglibs-3.1.0.RELEASE.jar
spring-security-web-3.1.0.RELEASE.jar
spring-tx-3.1.0.RELEASE.jar
spring-web-3.1.0.RELEASE.jar
spring-webmvc-3.0.6.RELEASE.jar
spring-ws-core-2.0.3.RELEASE.jar
spring-xml-2.0.3.RELEASE.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-dbcp.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-jdbc.jar
tomcat-juli-adapters.jar
tomcat-util.jar
unicode.ttf
xmlsec-1.3.0.jar
C:\KM-staging\openkm6\tomcat\webapps\OpenKM\WEB-INF\lib

Code: Select all

ant-1.7.0.jar
ant-launcher-1.7.0.jar
antlr-2.7.6.jar
aopalliance-1.0.jar
apache-mime4j-0.6.jar
asm-3.3.jar
audioformats-0.15.jar
bcmail-jdk14-1.38.jar
bcmail-jdk14-138.jar
bcprov-jdk14-1.38.jar
bcprov-jdk14-138.jar
bctsp-jdk14-1.38.jar
bsh-1.3.0.jar
commons-beanutils-1.8.3.jar
commons-codec-1.2.jar
commons-collections-3.1.jar
commons-compress-1.0.jar
commons-digester-1.7.jar
commons-fileupload-1.2.2.jar
commons-httpclient-3.1.jar
commons-io-1.4.jar
commons-lang-2.5.jar
commons-logging-1.0.4.jar
concurrent-1.3.4.jar
core-1.7.jar
crontab-parser-1.0.1.jar
cxf-api-2.5.1.jar
cxf-common-utilities-2.5.1.jar
cxf-rt-bindings-soap-2.5.1.jar
cxf-rt-bindings-xml-2.5.1.jar
cxf-rt-core-2.5.1.jar
cxf-rt-databinding-jaxb-2.5.1.jar
cxf-rt-frontend-jaxws-2.5.1.jar
cxf-rt-frontend-simple-2.5.1.jar
cxf-rt-transports-common-2.5.1.jar
cxf-rt-transports-http-2.5.1.jar
cxf-rt-ws-addr-2.5.1.jar
cxf-rt-ws-security-2.5.1.jar
cxf-tools-common-2.5.1.jar
derby-10.5.3.0_1.jar
dnsjava-2.0.8.jar
dom4j-1.6.1.jar
dozer-5.3.2.jar
dropbox-client-5.1.3.jar
encoder-1.1.jar
fontbox-1.6.0.jar
freemarker-2.3.16.jar
groovy-all-minimal-1.5.8.jar
gson-1.5.jar
gwt-incubator-2.1.0.jar
gwt-log-3.1.6.jar
gwt-servlet-2.4.0.jar
gwt-vl-2.0b-without-hibernate.jar
hibernate-commons-annotations-3.2.0.Final.jar
hibernate-core-3.6.10.Final.jar
hibernate-jpa-2.0-api-1.0.1.Final.jar
hibernate-search-3.4.2.Final.jar
hibernate-search-analyzers-3.4.2.Final.jar
hibernate-validator-4.2.0.Final.jar
httpclient-4.0.3.jar
httpcore-4.0.1.jar
httpmime-4.0.3.jar
icu4j-50.1.1.jar
itext-2.1.7.jar
jackrabbit-api-1.6.5.jar
jackrabbit-core-1.6.5.jar
jackrabbit-jcr-commons-1.6.5.jar
jackrabbit-spi-1.6.5.jar
jackrabbit-spi-commons-1.6.5.jar
jackrabbit-text-extractors-1.6.5.jar
jakarta-regexp-1.4.jar
jasperreports-3.7.6.jar
javase-1.7.jar
jaxb-impl-2.1.13.jar
jbpm-identity-3.3.1.OKM.jar
jbpm-jpdl-3.3.1.OKM.jar
jcl-over-slf4j-1.5.3.jar
jcommon-1.0.15.jar
jcr-1.0.jar
jdom-1.0.jar
jdom-1.1.jar
jempbox-1.6.0.jar
jfreechart-1.0.12.jar
jiu-2007.07.01.jar
jmyspell-core-1.0.0-beta-2.jar
joda-time-1.6.2.jar
jodconverter-core-3.0-beta-4.jar
jodreports-2.3.0.jar
json-simple-1.1.jar
jsonic-1.2.11.jar
jspf-1.0.1.jar
juh-3.2.1.jar
jul-to-slf4j-1.5.3.jar
jurt-3.2.1.jar
langdetect-2011.11.28.jar
lucene-analyzers-3.1.0.jar
lucene-core-3.1.0.jar
lucene-highlighter-3.1.0.jar
lucene-memory-3.1.0.jar
lucene-misc-3.1.0.jar
lucene-queries-3.1.0.jar
lucene-smartcn-3.1.0.jar
lucene-spatial-3.1.0.jar
lucene-spellchecker-3.1.0.jar
lucene-stempel-3.1.0.jar
metadata-extractor-2.4.0-beta-1.jar
milton-api-1.8.1.3.jar
milton-servlet-1.8.1.3.jar
mime-util-2.1.3.jar
msgparser-1.11.jar
neethi-3.0.1.jar
nekohtml-1.9.7.jar
odfdom-java-0.8.6.jar
odfutils-051129.jar
omr-tool-2007.07.01.jar
onejar-2.2.4.jar
opensaml-2.5.1-1.jar
openws-1.4.2-1.jar
pdfbox-1.6.0.jar
poi-3.8.jar
poi-scratchpad-3.8.jar
ridl-3.2.1.jar
rome-1.0.jar
serializer-2.7.1.jar
sigar-1.6.5.132.jar
slf4j-api-1.5.3.jar
slf4j-log4j12-1.5.3.jar
solr-analysis-extras-3.1.0.jar
solr-commons-csv-3.1.0.jar
solr-core-3.1.0.jar
solr-solrj-3.1.0.jar
spring-aop-3.1.0.RELEASE.jar
spring-asm-3.1.0.RELEASE.jar
spring-beans-3.1.0.RELEASE.jar
spring-context-3.1.0.RELEASE.jar
spring-context-support-3.0.6.RELEASE.jar
spring-core-3.1.0.RELEASE.jar
spring-expression-3.1.0.RELEASE.jar
spring-jdbc-3.1.0.RELEASE.jar
spring-ldap-core-1.3.1.RELEASE.jar
spring-orm-3.1.0.RELEASE.jar
spring-oxm-3.0.6.RELEASE.jar
spring-security-acl-3.1.0.RELEASE.jar
spring-security-config-3.1.0.RELEASE.jar
spring-security-core-3.1.0.RELEASE.jar
spring-security-crypto-3.1.0.RELEASE.jar
spring-security-ldap-3.1.0.RELEASE.jar
spring-security-taglibs-3.1.0.RELEASE.jar
spring-security-web-3.1.0.RELEASE.jar
spring-tx-3.1.0.RELEASE.jar
spring-web-3.1.0.RELEASE.jar
spring-webmvc-3.0.6.RELEASE.jar
spring-ws-core-2.0.3.RELEASE.jar
spring-xml-2.0.3.RELEASE.jar
stax2-api-3.1.1.jar
truezip-6.8.2.jar
twitter4j-2.0.10.jar
unoil-3.2.1.jar
validation-api-1.0.0.GA.jar
woodstox-core-asl-4.1.1.jar
wsdl4j-1.6.1.jar
wss4j-1.6.4.jar
xalan-2.7.1.jar
xercesImpl-2.9.1.jar
xml-apis-1.3.02.jar
xml-resolver-1.2.jar
xmlschema-core-2.0.1.jar
xmlsec-1.4.6.jar
xmltooling-1.3.2-1.jar
xom-1.2.5.jar

chasedream285
Fresh Boarder
Fresh Boarder
Posts: 10
Joined: Fri Oct 11, 2013 11:15 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by chasedream285 » Mon Nov 11, 2013 10:33 am

hi Michael,

I resolved it by copying all the necessary jar files under webapps\cas\WEB-INF\lib\*.jar into OpenKM\WEB-INF\lib\.
But a new problem has appeared: I can only authenticate with 'SimpleTestUsernamePasswordAuthenticationHandler' in the CAS server. When I access 'http://myserver/OpenKM', it jumps to 'http://myserver/cas/login'; when I type the same username and password, the authentication is successful and the page redirects to
'http://myserver/OpenkM/frontend/index.jsp'.

But I want to use Windows Server AD to verify the username and password, so I changed the CAS config file 'webapps\cas\WEB-INF\deployerConfigContext.xml', commented out the line with 'SimpleTestUsernamePasswordAuthenticationHandler' and wrote the following:

Code: Select all

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="ou=staff,ou=lemon shanghai,dc=mycompany,dc=com" />
                    <property name="contextSource" ref="contextSource " />
                </bean>
                <!--
                <bean
                    class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
                -->

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="anonymousReadOnly" value="false" />
    <property name="password" value="password" />
    <property name="pooled" value="true" />
    <property name="urls">
        <list>
            <value>ldap://192.144.176.20:3268/</value>
        </list>
    </property>
    <property name="userDn" value="michael@mycompany.com" />
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key><value>java.naming.security.protocol</value></key>
                <value>3268</value>
            </entry>
            <entry>
                <key><value>java.naming.security.authentication</value></key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
This error always happens when I restart the whole system:

Code: Select all


2013-11-11 18:10:51,066 [pool-2-thread-1] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[km.rdc.com].[/cas] - Exception starting filter characterEncodingFilter
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean 'org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler#b28980' of type [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] while setting bean property 'authenticationHandlers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler#b28980' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'contextSource ' while setting bean property 'contextSource'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'contextSource ' is defined
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1360)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1118)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)
	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:385)
	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:284)
	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
	at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody0(SafeContextLoaderListener.java:75)
	at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody1$advice(SafeContextLoaderListener.java:57)
	at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:1)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1566)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1556)
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
	at java.util.concurrent.FutureTask.run(FutureTask.java:138)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
Any thoughts?
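The last line of the trace above names the bean Spring could not find as 'contextSource ' with a trailing space: the posted handler wires ref="contextSource " while the bean is declared with id="contextSource", and Spring compares ids verbatim. The following is an added example, not part of the thread and not CAS or OpenKM code: a small static check for a Spring XML context that reports every ref, *-ref and <ref bean="..."/> that does not resolve to a declared id, and flags whitespace-padded references separately, since those are the ones that look right in an editor. The sample context it runs on is constructed to reproduce the posted wiring.

```python
"""Static check for a Spring XML context: every bean reference must resolve to
a declared id, compared verbatim the way Spring does. Added example, not OpenKM
or CAS code; the sample context below is constructed to reproduce the
reference in the posted deployerConfigContext.xml."""
import re
import xml.etree.ElementTree as ET


def _local(qname):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def defined_ids(root):
    """ids declared by any element (bean, user-service, ...), plus bean aliases."""
    ids = set()
    for el in root.iter():
        for attr in ("id", "alias"):
            value = el.get(attr)
            if value:
                ids.add(value)
        if _local(el.tag) == "bean" and el.get("name"):
            ids.update(n for n in re.split(r"[,; ]+", el.get("name")) if n)
    return ids


def references(root):
    """Every bean reference in document order: ref="x", p:foo-ref="x",
    <ref bean="x"/>, <ref local="x"/>."""
    for el in root.iter():
        if _local(el.tag) == "ref":
            for attr in ("bean", "local"):
                if el.get(attr) is not None:
                    yield el.get(attr)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name == "ref" or name.endswith("-ref"):
                yield value


def find_unresolved_refs(xml_text):
    """Return [(reference, reason)] for references that will not resolve."""
    root = ET.fromstring(xml_text)
    ids = defined_ids(root)
    problems = []
    for ref in references(root):
        if ref != ref.strip():
            # Spring does not trim: 'contextSource ' is a different id from 'contextSource'
            problems.append((ref, "padded with whitespace; did you mean %r?" % ref.strip()))
        elif ref not in ids:
            problems.append((ref, "no bean with this id"))
    return problems


# Constructed sample reproducing the posted handler wiring
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource"/>
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
              p:filter="sAMAccountName=%u">
          <property name="contextSource" ref="contextSource " />
          <property name="searchContextSource" ref="pooledContextSource" />
        </bean>
      </list>
    </property>
  </bean>
</beans>"""


if __name__ == "__main__":
    for ref, reason in find_unresolved_refs(SAMPLE):
        print("%r: %s" % (ref, reason))
```

Run it against the real deployerConfigContext.xml by reading the file into find_unresolved_refs; an empty list means every reference resolves inside that file (references to beans declared in another context file, such as ticketRegistry or httpClient, will still be reported, so check those against the other files by hand).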

michaeled
Expert Boarder
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Mon Nov 11, 2013 6:04 pm

Hi,

It seems that some libraries are now missing for the CAS server app.

Do you have something like org.springframework.security.ldap.DefaultSpringSecurityContextSource somewhere?

It's better to follow this:
1) Have a CAS server fully functional with your AD (you can test it with php-cas or another CAS client)
2) Have (maybe on another Tomcat server) an OpenKM functional with the users from the AD
3) Change the OpenKM parameters to log users in on the CAS server

For the first point,
if you're French (like me), you can try this: http://www.artduweb.com/tutoriels/cas-sso
or look at the Jasig site here: https://wiki.jasig.org/display/CASUM/Active+Directory

Next, for the second point you'll find an explanation here: http://wiki.openkm.com/index.php/Kerberos

I hope it helps you

Regards,

Michael.
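Step 1 above says to test the CAS server with a CAS client before touching OpenKM, and the earlier discussion turns on whether CAS sends roles back to the client. The following added example (not OpenKM, Spring Security or Jasig client code) is the client side of that exchange written out: build the /login redirect the way CasAuthenticationEntryPoint does from loginUrl and the service URL, build the /serviceValidate call for the returned ticket, and parse the response into the username and role attributes, mirroring the roleAttributeNames and defaultRoles options of the posted login module. It parses the plain CAS protocol XML (attributes inside cas:attributes, the CAS 3.0 protocol form) rather than the SAML 1.1 response the posted configs use through Saml11TicketValidator; the hostnames, the 'roles' attribute name and both responses are constructed, not captured from a server. It refuses a CAS server URL that is not https, because the service ticket in the redirect, and the user's CAS session cookie on the server side, otherwise cross the network in the clear.

```python
"""Client side of the CAS protocol exchange: redirect to /login, then validate
the returned service ticket at /serviceValidate and pull user + role attributes
out of the response. Added example (not OpenKM or Spring Security code); the
hostnames, the 'roles' attribute and the sample responses are assumptions."""
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def _require_tls(cas_server_prefix):
    # Without TLS the service ticket, and the CAS session cookie on the server
    # side, travel in clear text; refuse to talk to such a server.
    if not cas_server_prefix.lower().startswith("https://"):
        raise ValueError("CAS server URL must use https://: %r" % cas_server_prefix)
    return cas_server_prefix.rstrip("/")


def login_redirect_url(cas_server_prefix, service_url):
    """URL an unauthenticated browser is sent to (what CasAuthenticationEntryPoint
    builds from loginUrl + serviceProperties)."""
    base = _require_tls(cas_server_prefix)
    return base + "/login?" + urllib.parse.urlencode({"service": service_url})


def service_validate_url(cas_server_prefix, service_url, ticket):
    """URL the application calls server-to-server to validate the ticket CAS
    appended to the service URL. The 'service' value must be identical to the
    one used at login, or CAS answers INVALID_SERVICE."""
    base = _require_tls(cas_server_prefix)
    if not ticket.startswith("ST-"):
        raise ValueError("not a service ticket: %r" % ticket)
    return base + "/serviceValidate?" + urllib.parse.urlencode(
        {"service": service_url, "ticket": ticket})


def parse_service_validate(xml_text):
    """Parse a CAS 2.0/3.0 serviceValidate response into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", namespaces=CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", namespaces=CAS_NS)
    if success is None:
        raise ValueError("malformed response: neither success nor failure")
    user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    attributes = {}
    attr_block = success.find("cas:attributes", namespaces=CAS_NS)
    if attr_block is not None:
        for child in attr_block:
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True, "user": user, "attributes": attributes}


def roles_from_attributes(attributes, role_attribute_names=("roles",),
                          default_roles=("ROLE_USER",)):
    """Mirror of the roleAttributeNames / defaultRoles options: every value of
    the named attributes becomes a role, plus the defaults."""
    roles = set(default_roles)
    for name in role_attribute_names:
        roles.update(v for v in attributes.get(name, []) if v)
    return sorted(roles)


# Constructed responses (not captured from a real server)
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>m.edlich</cas:user>
    <cas:attributes>
      <cas:roles>ROLE_USER</cas:roles>
      <cas:roles>ROLE_ADMIN</cas:roles>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_redirect_url("https://URLSERVEURCAS:8443/cas/", "https://myserver/OpenKM/"))
    result = parse_service_validate(SAMPLE_SUCCESS)
    print(result["user"], roles_from_attributes(result["attributes"]))
    print(parse_service_validate(SAMPLE_FAILURE))
```

To test a live server, fetch login_redirect_url in a browser, copy the ticket CAS appends to the service URL, and GET service_validate_url with it from the application host; if the response parses with ok=True but the attributes dict is empty, the server is authenticating but not releasing attributes, which is the role problem discussed earlier in the thread.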

chasedream285
Fresh Boarder
Fresh Boarder
Posts: 10
Joined: Fri Oct 11, 2013 11:15 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by chasedream285 » Thu Nov 21, 2013 6:33 am

Finally I found that the CAS LDAP configuration documentation on the internet was too old for the newest Spring version (such as 3.5.x). I got a new working version of 'deployerConfigContext.xml' and contribute it here for everyone.

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="false" />
        <property name="url" value="ldap://197.144.176.20:3268" />
        <property name="userDn" value="myuser@mydc.com" />
        <property name="password" value="abcd1234" />

        <property name="baseEnvironmentProperties">
            <map>
                <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
                <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
                <entry key="java.naming.security.authentication" value="simple" />
            </map>
        </property>
    </bean>


    <bean id="pooledContextSource"
        class="org.springframework.ldap.pool.factory.PoolingContextSource"
        p:minIdle="${ldap.pool.minIdle}" p:maxIdle="${ldap.pool.maxIdle}"
        p:maxActive="${ldap.pool.maxSize}" p:maxWait="${ldap.pool.maxWait}"
        p:timeBetweenEvictionRunsMillis="${ldap.pool.evictionPeriod}"
        p:minEvictableIdleTimeMillis="${ldap.pool.idleTime}" p:testOnBorrow="${ldap.pool.testOnBorrow}"
        p:testWhileIdle="${ldap.pool.testWhileIdle}"
        p:dirContextValidator-ref="dirContextValidator" p:contextSource-ref="contextSource" />

    <bean id="dirContextValidator"
        class="org.springframework.ldap.pool.validation.DefaultDirContextValidator"
        p:base="" p:filter="objectclass=*">
        <property name="searchControls">
            <bean class="javax.naming.directory.SearchControls" p:timeLimit="1000"
                p:countLimit="1" p:searchScope="0" p:returningAttributes="" />
        </property>
    </bean>

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean
                    class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean
                    class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>

        <property name="authenticationHandlers">
            <list>
                <bean
                    class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                    p:httpClient-ref="httpClient" />

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
                    p:filter="sAMAccountName=%u" p:searchBase="ou=staff,dc=mydc,dc=com"
                    p:contextSource-ref="contextSource" p:searchContextSource-ref="pooledContextSource"
                    p:ignorePartialResultException="true" />
            </list>
        </property>
    </bean>

    <sec:user-service id="userDetailsService">
        <sec:user name="administrator" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP" />
                    <property name="description" value="Only Allows HTTP Urls" />
                    <property name="serviceId" value="http://**" />
                    <property name="evaluationOrder" value="10000001" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="1" />
                    <property name="name" value="HTTPS" />
                    <property name="description" value="Only Allows HTTPS Urls" />
                    <property name="serviceId" value="https://**" />
                    <property name="evaluationOrder" value="10000002" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="2" />
                    <property name="name" value="IMAPS" />
                    <property name="description" value="Only Allows HTTPS Urls" />
                    <property name="serviceId" value="imaps://**" />
                    <property name="evaluationOrder" value="10000003" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="3" />
                    <property name="name" value="IMAP" />
                    <property name="description" value="Only Allows IMAP Urls" />
                    <property name="serviceId" value="imap://**" />
                    <property name="evaluationOrder" value="10000004" />
                </bean>
            </list>
        </property>
    </bean>

    <bean id="auditTrailManager"
        class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
        
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
            p:freeMemoryWarnThreshold="10" />
        <bean class="org.jasig.cas.monitor.SessionMonitor"
            p:ticketRegistry-ref="ticketRegistry"
            p:serviceTicketCountWarnThreshold="5000"
            p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
  
          
</beans>
Also, I copied some missing jar files which are not contained in the CAS and OpenKM packages but can be found in the CAS source Maven packages:
commons-pool-1.6.jar
opensaml-1.1b.jar

And finally I am successful! CAS without SSL can be used in my system! CAS WITHOUT SSL IS WHAT I WANT! I don't need such boring notifications about SSL!
Next, what I care about is privileges between LDAP users and OpenKM folders. I can't use LDAP groups but want to use my own customized groups + LDAP users,
thinking ........
Last edited by chasedream285 on Tue Nov 26, 2013 2:11 pm, edited 1 time in total.
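The serviceRegistryDao in the posted deployerConfigContext.xml registers http://**, https://**, imaps://** and imap://** as allowed services. CAS will issue a ticket for any service URL matching one of those patterns and redirect the browser there, so with that registry any site, including one an attacker controls, can send a user to /login with itself as the service, receive a ticket, and validate it to learn which username is logged in; CAS also becomes an open redirector. The following added example (not CAS or OpenKM code) shows which URLs a set of serviceId patterns admits, so the registry can be tightened to the OpenKM deployment. The matcher approximates Spring's AntPathMatcher, which CAS 3.x uses for serviceId: '**' spans any characters including '/', '*' stays within one path segment, '?' is one character. The OpenKM URL in the tightened registry is an assumption.

```python
"""Which service URLs a CAS 3.x service registry will hand tickets to.
Added example, not CAS or OpenKM code. The matcher approximates Spring's
AntPathMatcher (used by RegisteredServiceImpl for serviceId): '**' matches
anything including '/', '*' stays inside one path segment, '?' is one
character. The OpenKM URL in TIGHT_REGISTRY is an assumption."""
import re


def ant_pattern_to_regex(pattern):
    """Translate an Ant-style serviceId pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def allowed_service(registry, service_url):
    """Name of the first registered service (lowest evaluationOrder) whose
    serviceId pattern matches, or None if CAS would refuse the URL."""
    for entry in sorted(registry, key=lambda e: e["evaluationOrder"]):
        if ant_pattern_to_regex(entry["serviceId"]).match(service_url):
            return entry["name"]
    return None


# The registry from the posted deployerConfigContext.xml
POSTED_REGISTRY = [
    {"name": "HTTP", "serviceId": "http://**", "evaluationOrder": 10000001},
    {"name": "HTTPS", "serviceId": "https://**", "evaluationOrder": 10000002},
    {"name": "IMAPS", "serviceId": "imaps://**", "evaluationOrder": 10000003},
    {"name": "IMAP", "serviceId": "imap://**", "evaluationOrder": 10000004},
]

# Tightened: only the OpenKM deployment (assumed URL) can obtain tickets,
# and only over TLS.
TIGHT_REGISTRY = [
    {"name": "OpenKM", "serviceId": "https://myserver/OpenKM/**", "evaluationOrder": 1},
]

# Constructed probe URLs
PROBE_URLS = [
    "https://myserver/OpenKM/frontend/index.jsp",   # the real application
    "http://myserver/OpenKM/",                      # same application, no TLS
    "http://attacker.example/collect?x=1",          # anyone else
]


def compare(registries, urls):
    """{url: {registry label: matched service name or None}} for a quick audit."""
    return {u: {label: allowed_service(reg, u) for label, reg in registries.items()}
            for u in urls}


if __name__ == "__main__":
    audit = compare({"posted": POSTED_REGISTRY, "tight": TIGHT_REGISTRY}, PROBE_URLS)
    for url, result in audit.items():
        print(url, result)
```

The service value CAS matches is the exact 'service' parameter the client sends, so the tightened pattern must cover the URL OpenKM puts in its serviceProperties and nothing broader; a pattern such as https://myserver/** would again admit every application on that host.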
