how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2)

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2

Post by michaeled » Thu Nov 21, 2013 7:27 am

Great! Congratulations!

I'm not sure I understand what you want to do with groups; can you explain? Where are your groups, if not in the LDAP?

cjpitmd
Fresh Boarder
Posts: 17
Joined: Fri Jul 11, 2014 1:54 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by cjpitmd » Wed Dec 10, 2014 7:59 am

Could you tell me if I need to edit the web.xml like this:


<!-- CAS SSO-->
  <!-- Facilitates CAS single sign-out -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
 
  <!-- Following is needed only if CAS single-sign out is desired -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
 
  <!-- Only 2 CAS filters are required for JAAS support -->
  <context-param>
    <param-name>service</param-name>
    <param-value>https://URL:8443/OpenKM</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://URL:8443/cas/login</param-value>
  </context-param>
 
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <!-- Java package names are lowercase; "JBoss" in the package would not resolve -->
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
 
  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- /CAS SSO -->


Thank you.

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by michaeled » Wed Dec 10, 2014 9:31 am

Hi Cjpitmd,

Try this : http://wiki.openkm.com/index.php/Centra ... OpenKM_6.2

And tell us if it works,

Michael.

cjpitmd
Fresh Boarder
Posts: 17
Joined: Fri Jul 11, 2014 1:54 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by cjpitmd » Thu Dec 11, 2014 4:01 am

michaeled wrote: Hi Cjpitmd,

Try this : http://wiki.openkm.com/index.php/Centra ... OpenKM_6.2

And tell us if it works,

Michael.

Thank you for the reply Michael,

I tried it; when I log in to my CAS server, it redirects me to OpenKM with this error:
Application error
Class: java.lang.RuntimeException
Message: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
Date: Thu Dec 11 11:48:08 HKT 2014

I googled it, and people say maybe the .keystore name doesn't match the host name; I tried to generate a new cert but the problem remains.

Any idea?

Here is my log file:


ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/OpenKM].[default]- Servlet.service() for servlet [default] in context with path [/OpenKM] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:231)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
	at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
	at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
	at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
	at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
	... 28 more

cjpitmd
Fresh Boarder
Posts: 17
Joined: Fri Jul 11, 2014 1:54 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by cjpitmd » Thu Dec 11, 2014 7:19 am

I edited the hosts file:
"ServerIP" localhost
and edited the beans in OpenKM.xml:


<beans:constructor-arg index="0" value="https://localhost:8443/cas" />
<beans:property name="loginUrl" value="https://localhost:8443/cas/login"/>
<beans:property name="service" value="http://localhost:8080/OpenKM/j_spring_cas_security_check"/>
A new error message popped up:


Class:	java.lang.RuntimeException
Message:	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
:cry: :cry: :cry:

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by michaeled » Mon Dec 15, 2014 7:09 pm

Hi Cjpitmd,

Good news, it's not a problem with OpenKM,

Try to import your certificate into the Java keystore with a command something like this:

keytool -import -alias WHATYOUWANT -keypass PASSWORD -file /path/to/your/certs/ssl.crt -keystore /etc/java-6-sun/security/cacerts

(the default password is: changeit)

Michael.

cjpitmd
Fresh Boarder
Posts: 17
Joined: Fri Jul 11, 2014 1:54 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by cjpitmd » Tue Dec 16, 2014 6:51 am

michaeled wrote: Hi Cjpitmd,

Good news, it's not a problem with OpenKM,

Try to import your certificate into the Java keystore with a command something like this:

keytool -import -alias WHATYOUWANT -keypass PASSWORD -file /path/to/your/certs/ssl.crt -keystore /etc/java-6-sun/security/cacerts

(the default password is: changeit)

Michael.

Thank you Michael, everything works fine now.

jllort
Moderator
Posts: 10672
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by jllort » Wed Dec 17, 2014 9:51 pm

If there is some change to the wiki documentation (some note or similar) that you consider should be indicated, tell us and we'll do it. It could also be interesting to get the web services authenticated by Jasig (if somebody can help us with it, they are welcome).

michaeled
Expert Boarder
Posts: 101
Joined: Mon Apr 23, 2012 9:37 am

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by michaeled » Wed Dec 17, 2014 11:39 pm

The problem with that is that the Office plugin or Joomla plugin will no longer work (except if we duplicate the services, some with SSO and others with normal auth)... no?

jllort
Moderator
Posts: 10672
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2

Post by jllort » Fri Dec 19, 2014 9:23 am

The web services should be authenticated by SSO, and then the current SDK for C# modified for it (the C# lib used by all OpenKM Windows apps for connecting).
