• Web Service Using CAS SSO Authentication

 #15456  by vinodkanhe
 
Hi,

I am trying to implement CAS Single Sign-On for our application and OpenKM, and I am able to configure Single Sign-On for OpenKM and CAS.
But now there is a requirement for using the OpenKM web service APIs with CAS SSO, and now I am getting a CAS authentication exception while invoking the OKMAuth web service to get the authorization token.

How can the OpenKM web service be configured to authenticate a user from CAS?

Here are my environment details:
Java 6
OpenKM 5.1.9
Jboss 4.2.3
CAS Server 3.4.11


Here is the complete stack trace:
Code:
com.openkm.ws.client.AccessDeniedException_Exception: CAS ticket validation failed: org.jasig.cas.client.validation.TicketValidationException: 
		Service not allowed to validate tickets.
	: CAS ticket validation failed: org.jasig.cas.client.validation.TicketValidationException: 
		Service not allowed to validate tickets.
	
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
	at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
	at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
	at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:107)
	at $Proxy30.login(Unknown Source)
	at OpenKM.main(OpenKM.java:16)
Thanks
 #15477  by jllort
 
OKMAuth is not an authenticated service; really you get a token and use it with the other WS. This could be the origin of the problem.

Can you share your expertise configuring CAS? I would like to add it as an example of CAS in our wiki documentation: application installed and configuration files.
 #16816  by michaeled
 
Hi,

I am trying to install a CAS Server on OpenKM. I am currently able to log on to OpenKM, but every user is connected under the default role set up in login-config.xml and not under the role defined in the OpenKM database (e.g. if the field "defaultRoles" is set to UserRole, the admin is logged in under the name "admin" but he has the same rights as a simple user, and doesn't have any access to the admin settings...).

Here is my server/default/conf/login-config.xml file:
Code:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://***.***.***.***:8443/cas</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="service">https://***.***.***.***:8443/OpenKM</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">groupMembership</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
I already tried without the line containing "defaultRoles", but it doesn't allow me to log in (error 503).


And the server.log shows that the CAS client can't retrieve info from the OpenKM server (bad initialization of the ticketValidator?):
Code:
 2012-06-07 11:48:20,374 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] Server response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2012-06-07T09:48:20.371Z" MajorVersion="1" MinorVersion="1" Recipient="https://***.***.***.***:8443/OpenKM" ResponseID="_aad0748e4b63949a81f442933a0128d8"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_e7c4c2ed2063d1126e5f622155cd0cae" IssueInstant="2012-06-07T09:48:20.371Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2012-06-07T09:48:20.371Z" NotOnOrAfter="2012-06-07T09:48:50.371Z"><AudienceRestrictionCondition><Audience>https://***.***.***.***:8443/OpenKM</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2012-06-07T09:48:11.454Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>admin</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
 2012-06-07 11:48:20,375 INFO [org.jasig.cas.client.jaas.CasLoginModule] Login succeeded.
 2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Created JAAS subject with principals: [admin, CallerPrincipal: [admin], Roles: [UserRole]]
 2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Caching assertion for principal admin
 2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Performing logout.
 2012-06-07 11:48:20,376 INFO [org.jasig.cas.client.jaas.CasLoginModule] Logout succeeded.
 2012-06-07 11:48:20,376 DEBUG [org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter] Installing CAS assertion into session.
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set ticketValidatorClass=org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set roleGroupName=Roles
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set defaultRoles=[UserRole]
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set service=https://***.***.***.***:8443/OpenKM
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set principalGroupName=CallerPrincipal
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set cacheAssertions=true
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set roleAttributeNames=[groupMembership]
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set cacheTimeout=480
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Cleaning assertion cache of size 3
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property ticketValidatorClass
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property ticketValidatorClass on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property roleGroupName
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property roleGroupName on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property jboss.security.security_domain
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property jboss.security.security_domain on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property defaultRoles
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property defaultRoles on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property tolerance
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set tolerance=20000
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property service
 2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property service on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property principalGroupName
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property principalGroupName on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property cacheAssertions
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property cacheAssertions on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property roleAttributeNames
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property roleAttributeNames on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property cacheTimeout
 2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property cacheTimeout on org.jasig.cas.client.validation.Saml11TicketValidator
 2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Performing login.
 2012-06-07 11:48:20,418 INFO [org.jasig.cas.client.jaas.CasLoginModule] Login failed due to unsupported callback: javax.security.auth.callback.UnsupportedCallbackException
I already put the 2 cas-client .jars into the WEB-INF/lib folder, as described here: http://wiki.openkm.com/index.php/Centra ... on_Service

And for more details, my web.xml:
Code:
<context-param>
  <param-name>service</param-name>
  <param-value>https://***.***.***.***:8443/OpenKM</param-value>
</context-param>
<context-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>https://***.***.***.***:8443/cas/login</param-value>
</context-param>

<filter>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
  <filter-name>CASAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CASAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
How can we log a CAS user in under the role he is actually registered with in OpenKM, and what is possibly wrong or missing in my files?
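The SAML response in the server.log above carries an AuthenticationStatement for "admin" but no AttributeStatement at all, so a login module that builds its role list from a "groupMembership" attribute has nothing to add beyond defaultRoles, which matches the "Roles: [UserRole]" line. The following added example (written for this thread; it is not OpenKM's or the Jasig CAS client's code) parses a constructed CAS 3.x SAML 1.1 validation response, applies the checks a consumer should make (success status, validity window with a clock-drift tolerance modelled on the "tolerance" option, audience restriction against the configured service), and derives the roles the way the login-config.xml above intends: defaultRoles plus the values of the roleAttributeNames attributes. The service URL, the response and assertion IDs, and the role values are placeholders; the treatment of tolerance as slack on both ends of the window is an assumption.

```python
"""Parse a CAS SAML 1.1 validation response and derive JAAS-style roles.

Added example, not code from OpenKM or the Jasig CAS client. The sample
response is constructed after the one in the server.log of this thread.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Placeholder standing in for the masked https://***.***.***.***:8443/OpenKM
SERVICE = "https://openkm.example.test:8443/OpenKM"

# Instants chosen against the assertion window below (constructed sample)
NOW_VALID = datetime(2012, 6, 7, 9, 48, 20, 374000, tzinfo=timezone.utc)
NOW_LATE = NOW_VALID + timedelta(seconds=40)  # past NotOnOrAfter, inside 20 s tolerance

RESPONSE_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Header/><SOAP-ENV:Body>"
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'IssueInstant="2012-06-07T09:48:20.371Z" MajorVersion="1" MinorVersion="1" '
    'Recipient="{service}" ResponseID="_placeholder_response_id">'
    '<Status><StatusCode Value="samlp:Success"></StatusCode></Status>'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_placeholder_assertion_id" IssueInstant="2012-06-07T09:48:20.371Z" '
    'Issuer="localhost" MajorVersion="1" MinorVersion="1">'
    '<Conditions NotBefore="2012-06-07T09:48:20.371Z" NotOnOrAfter="2012-06-07T09:48:50.371Z">'
    "<AudienceRestrictionCondition><Audience>{service}</Audience></AudienceRestrictionCondition>"
    "</Conditions>"
    '<AuthenticationStatement AuthenticationInstant="2012-06-07T09:48:11.454Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">'
    "<Subject><NameIdentifier>admin</NameIdentifier><SubjectConfirmation>"
    "<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>"
    "</SubjectConfirmation></Subject></AuthenticationStatement>"
    "{attributes}"
    "</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def build_response(service, attributes=None):
    """Construct a response; `attributes` maps attribute name -> list of values."""
    attr_xml = ""
    if attributes:
        parts = ["<AttributeStatement><Subject><NameIdentifier>admin</NameIdentifier></Subject>"]
        for name, values in attributes.items():
            parts.append(f'<Attribute AttributeName="{name}" '
                         'AttributeNamespace="http://www.ja-sig.org/products/cas/">')
            parts.extend(f"<AttributeValue>{v}</AttributeValue>" for v in values)
            parts.append("</Attribute>")
        parts.append("</AttributeStatement>")
        attr_xml = "".join(parts)
    return RESPONSE_TEMPLATE.format(service=service, attributes=attr_xml)


def _instant(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_service, now, tolerance_ms=0,
                      role_attribute_names=(), default_roles=()):
    """Validate the response for `expected_service` and return principal, roles, attributes."""
    root = ET.fromstring(xml_text)
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("CAS reported a non-success status")
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    # Assumption: tolerance widens the window on both ends (clock drift between hosts)
    tol = timedelta(milliseconds=tolerance_ms)
    if not (_instant(cond.get("NotBefore")) - tol <= now < _instant(cond.get("NotOnOrAfter")) + tol):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and expected_service not in audiences:
        raise ValueError("assertion was not issued for this service")
    name_id = assertion.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None:
        raise ValueError("no authenticated subject")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    # defaultRoles first, then every value of each roleAttributeNames attribute
    roles = list(default_roles)
    for attr_name in role_attribute_names:
        for value in attributes.get(attr_name, []):
            if value not in roles:
                roles.append(value)
    return {"principal": name_id.text, "roles": roles, "attributes": attributes}


def run_demo():
    """Response without attributes (as in the log) versus one carrying groupMembership."""
    plain = validate_response(build_response(SERVICE), SERVICE, NOW_VALID, 20000,
                              ("groupMembership",), ("UserRole",))
    with_groups = validate_response(
        build_response(SERVICE, {"groupMembership": ["AdminRole", "UserRole"]}),
        SERVICE, NOW_VALID, 20000, ("groupMembership",), ("UserRole",))
    return plain, with_groups


if __name__ == "__main__":
    for result in run_demo():
        print(result["principal"], result["roles"])
```

Run stand-alone it prints "admin ['UserRole']" for the attribute-less response and "admin ['UserRole', 'AdminRole']" once the server releases a groupMembership attribute, which is the difference between the log above and the intended behaviour: the role list only grows when the CAS server actually releases the attribute named in roleAttributeNames to this service.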
 #16833  by jllort
 
I suggest going to the Jasig forum for it, because users there have more knowledge of it than us. There's some mistake in your configuration, but I don't know exactly where the problem is why you're not getting the correct roles with authentication. Really all users should have UserRole (that's not a problem), but if you log in with UserRole it will be interesting whether other roles appear in the roles list (at Tools / Configuration / Users configuration).
 #16846  by michaeled
 
jllort wrote: I suggest going to the Jasig forum for it, because users there have more knowledge of it than us. There's some mistake in your configuration, but I don't know exactly where the problem is why you're not getting the correct roles with authentication.
Ok, thanks, I'll do that!
jllort wrote: Really all users should have UserRole (that's not a problem), but if you log in with UserRole it will be interesting whether other roles appear in the roles list (at Tools / Configuration / Users configuration).
Yes, I've other roles, like "AdminRole" at least.
For example the user okmAdmin is logged in as "UserRole", so I don't have any access to the administration! :-(
[Attachment: openkm_bug_cas_role.jpg]
 #16863  by jllort
 
It seems all users are being forced to use UserRole; take a look whether somewhere you are forcing users to get this role.
 #17082  by michaeled
 
Thanks, I solved the issue. The role wasn't mapped correctly, so now the UserRole is added by default and the role is taken from the ticket.

Thanks for the CAS wiki, without which it would have been very difficult!
 #17108  by jllort
 
We're pleased you have configured CAS successfully; it is not easy. If you consider the wiki documentation can be updated in any way, tell us and we will share the expertise you could provide with other community users.
 #17413  by michaeled
 
jllort wrote: We're pleased you have configured CAS successfully; it is not easy. If you consider the wiki documentation can be updated in any way, tell us and we will share the expertise you could provide with other community users.

Hi jllort,

I haven't implemented logout yet, but you can add this to the wiki:

SSO CAS works with cas-client-3.2.1, cas-server-3.4.12-release and OpenKM-5.1.10_JBoss-4.2.3.GA, but you have to change this:

openkm/pom.xml
<milton.version>: change "1.7.1" to "1.7.2".

cas-client-3.2.1/cas-client-core/pom.xml
<spring.version> (=2.5.6): change to 3.0.5.RELEASE.

Delete this default lib (server/default/lib/): ejb3-persistence.jar
And add this one: hibernate-jpa-2.0-api-1.0.0.Final.jar
