Hi,
I am trying to install a CAS server on OpenKM. I am currently able to log on to OpenKM, but every user is connected under the default role set up in login-config.xml and not under the role defined in the OpenKM database (e.g. if the field "defaultRoles" is set to UserRole, the admin is logged in under the name "admin" but has the same rights as a simple user, and doesn't have any access to the admin settings...).
Here is my server/default/conf/login-config.xml file:
```xml
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://***.***.***.***:8443/cas</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="service">https://***.***.***.***:8443/OpenKM</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">groupMembership</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
```
I already tried without the line containing "defaultRoles", but then it doesn't allow me to log in (error 503).
And the server.log shows that the CAS client can't retrieve info from the OpenKM server (bad initialization of the ticketValidator?):
```
2012-06-07 11:48:20,374 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] Server response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2012-06-07T09:48:20.371Z" MajorVersion="1" MinorVersion="1" Recipient="https://***.***.***.***:8443/OpenKM" ResponseID="_aad0748e4b63949a81f442933a0128d8"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_e7c4c2ed2063d1126e5f622155cd0cae" IssueInstant="2012-06-07T09:48:20.371Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2012-06-07T09:48:20.371Z" NotOnOrAfter="2012-06-07T09:48:50.371Z"><AudienceRestrictionCondition><Audience>https://***.***.***.***:8443/OpenKM</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2012-06-07T09:48:11.454Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>admin</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
2012-06-07 11:48:20,375 INFO [org.jasig.cas.client.jaas.CasLoginModule] Login succeeded.
2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Created JAAS subject with principals: [admin, CallerPrincipal: [admin], Roles: [UserRole]]
2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Caching assertion for principal admin
2012-06-07 11:48:20,375 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Performing logout.
2012-06-07 11:48:20,376 INFO [org.jasig.cas.client.jaas.CasLoginModule] Logout succeeded.
2012-06-07 11:48:20,376 DEBUG [org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter] Installing CAS assertion into session.
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set ticketValidatorClass=org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set roleGroupName=Roles
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set defaultRoles=[UserRole]
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set service=https://***.***.***.***:8443/OpenKM
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set principalGroupName=CallerPrincipal
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set cacheAssertions=true
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set roleAttributeNames=[groupMembership]
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set cacheTimeout=480
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Cleaning assertion cache of size 3
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property ticketValidatorClass
2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property ticketValidatorClass on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property roleGroupName
2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property roleGroupName on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property jboss.security.security_domain
2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property jboss.security.security_domain on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property defaultRoles
2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property defaultRoles on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property tolerance
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Set tolerance=20000
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property service
2012-06-07 11:48:20,417 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property service on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,417 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property principalGroupName
2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property principalGroupName on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property cacheAssertions
2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property cacheAssertions on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property roleAttributeNames
2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property roleAttributeNames on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Attempting to set TicketValidator property cacheTimeout
2012-06-07 11:48:20,418 WARN [org.jasig.cas.client.jaas.CasLoginModule] Cannot find property cacheTimeout on org.jasig.cas.client.validation.Saml11TicketValidator
2012-06-07 11:48:20,418 DEBUG [org.jasig.cas.client.jaas.CasLoginModule] Performing login.
2012-06-07 11:48:20,418 INFO [org.jasig.cas.client.jaas.CasLoginModule] Login failed due to unsupported callback: javax.security.auth.callback.UnsupportedCallbackException
```
I already put the two cas-client .jar files in the WEB-INF/lib folder, as described here:
http://wiki.openkm.com/index.php/Centra ... on_Service
And for more details, my web.xml:
```xml
<context-param>
  <param-name>service</param-name>
  <param-value>https://***.***.***.***:8443/OpenKM</param-value>
</context-param>
<context-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>https://***.***.***.***:8443/cas/login</param-value>
</context-param>
<filter>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
  <filter-name>CASAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CASAuthenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
How can we log a CAS user in under the role he is actually registered with in OpenKM, and what is possibly wrong or missing in my files?
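The SAML 1.1 response in the server.log above carries a subject (admin) and an audience, but no AttributeStatement, so there is no groupMembership attribute for roleAttributeNames to pick up and the JAAS subject ends up with only the defaultRoles value. The following added example (not code from the post, OpenKM or the CAS client) parses a constructed response shaped like that one and derives the roles the same way the login module's options suggest; it assumes that defaultRoles are always granted and that attribute values are added on top, and uses a placeholder service URL.

```python
import xml.etree.ElementTree as ET

SAML_A = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SAML_P = "{urn:oasis:names:tc:SAML:1.0:protocol}"

def sample_response(audience, attrs=()):
    """Constructed SAML 1.1 validation response shaped like the one in server.log.
    attrs: (name, value) pairs emitted in an AttributeStatement; empty = none."""
    attr_xml = "".join(
        f'<Attribute AttributeName="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in attrs)
    stmt = (f"<AttributeStatement><Subject><NameIdentifier>admin</NameIdentifier>"
            f"</Subject>{attr_xml}</AttributeStatement>") if attrs else ""
    return (f'<Response xmlns="{SAML_P[1:-1]}"><Status><StatusCode Value="samlp:Success"/></Status>'
            f'<Assertion xmlns="{SAML_A[1:-1]}"><Conditions><AudienceRestrictionCondition>'
            f'<Audience>{audience}</Audience></AudienceRestrictionCondition></Conditions>'
            f'<AuthenticationStatement><Subject><NameIdentifier>admin</NameIdentifier>'
            f'</Subject></AuthenticationStatement>{stmt}</Assertion></Response>')

def roles_from_response(xml_text, service, role_attribute_names, default_roles):
    """Return (subject, roles) as the login-module options would derive them.
    Assumption: defaultRoles are always granted; values of attributes named in
    roleAttributeNames are added on top. An audience that does not match our
    service URL is rejected outright."""
    root = ET.fromstring(xml_text)
    status = root.find(f"{SAML_P}Status/{SAML_P}StatusCode").get("Value")
    if status != "samlp:Success":
        raise ValueError(f"ticket validation failed: {status}")
    assertion = root.find(f"{SAML_A}Assertion")
    audiences = [a.text for a in assertion.iter(f"{SAML_A}Audience")]
    if audiences and service not in audiences:
        raise ValueError(f"audience {audiences} is not our service {service}")
    subject = assertion.find(f".//{SAML_A}NameIdentifier").text
    roles = list(default_roles)
    for attr in assertion.iter(f"{SAML_A}Attribute"):
        if attr.get("AttributeName") in role_attribute_names:
            roles += [v.text for v in attr.findall(f"{SAML_A}AttributeValue")]
    return subject, roles

if __name__ == "__main__":
    svc = "https://kms.example/OpenKM"  # placeholder for the masked service URL
    print(roles_from_response(sample_response(svc), svc, ["groupMembership"], ["UserRole"]))
    print(roles_from_response(sample_response(svc, [("groupMembership", "AdminRole")]),
                              svc, ["groupMembership"], ["UserRole"]))
```

The first call reproduces the log (only UserRole); the second shows what the subject would receive once the CAS server actually releases a groupMembership attribute in the assertion.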