Re: how to SSO CAS JASIG from JBOSS to TOMCAT (5.1.10 => 6.2
Posted: Thu Nov 21, 2013 7:27 am
by michaeled
Great! Congratulations!
I'm not sure I understand what you want to do with groups, can you explain? Where are your groups if not in the LDAP?
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Wed Dec 10, 2014 7:59 am
by cjpitmd
Could you tell me if I need to edit the web.xml like this:
Code:
<!-- CAS SSO -->
<!-- Facilitates CAS single sign-out -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Following is needed only if CAS single-sign out is desired -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!-- Only 2 CAS filters are required for JAAS support -->
<context-param>
    <param-name>service</param-name>
    <param-value>https://URL:8443/OpenKM</param-value>
</context-param>
<context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://URL:8443/cas/login</param-value>
</context-param>
<filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <!-- The package name is lowercase "jboss"; Java class names are case-sensitive -->
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>
<!-- CAS client filter mappings -->
<!-- The order of the following filters is vitally important -->
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<!-- /CAS SSO -->
Thank you
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Wed Dec 10, 2014 9:31 am
by michaeled
Hi Cjpitmd,
Try this:
http://wiki.openkm.com/index.php/Centra ... OpenKM_6.2
And tell us if it works,
Michael.
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Thu Dec 11, 2014 4:01 am
by cjpitmd
michaeled wrote:
Hi Cjpitmd,
Try this: http://wiki.openkm.com/index.php/Centra ... OpenKM_6.2
And tell us if it works,
Michael.

Thank you for the reply, Michael.
I tried it. When I log in to my CAS server, it redirects me to OpenKM with this error:
Application error
Class: java.lang.RuntimeException
Message: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
Date: Thu Dec 11 11:48:08 HKT 2014
I googled it, and people say maybe the .keystore name does not match the host name. I tried to generate a new cert but the problem remains.
Any idea?
Here is my log file:
Code:
ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/OpenKM].[default]- Servlet.service() for servlet [default] in context with path [/OpenKM] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:231)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
... 28 more
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Thu Dec 11, 2014 7:19 am
by cjpitmd
I edited the hosts file:
"ServerIP" localhost
and edited the beans in OpenKM.xml:
Code:
<beans:constructor-arg index="0" value="https://localhost:8443/cas" />
<beans:property name="loginUrl" value="https://localhost:8443/cas/login"/>
<beans:property name="service" value="http://localhost:8080/OpenKM/j_spring_cas_security_check"/>
A new error message popped up:
Code:
Class: java.lang.RuntimeException
Message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Mon Dec 15, 2014 7:09 pm
by michaeled
Hi Cjpitmd,
Good news, it's not a problem with OpenKM,
Try to import your certificate into the Java keystore with a command something like this:
keytool -import -alias WHATYOUWANT -keypass PASSWORD -file /path/to/your/certs/ssl.crt -keystore /etc/java-6-sun/security/cacerts
(the default password is : changeit )
Michael.
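The two exceptions in this thread come from two separate checks: whether the certificate names the host used in the CAS URL, and whether the JVM trusts the certificate. As an added example (not part of the original posts), the shell functions below run both checks with openssl before anything is imported into cacerts. A PEM bundle stands in for the JVM truststore, and the host name, IP address and file names are constructed sample values.

```shell
#!/bin/sh
# Added example; host names, addresses and file names are constructed samples.

# True when CERT (PEM) matches HOST: an IP literal must appear as an iPAddress
# SAN; a DNS name is matched against dNSName SANs (CN only if there are none).
cert_covers_host() {
    case $2 in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # has letters: DNS name
        *)         flag=-checkip ;;    # IPv4 literal
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}

# True when CERT chains to an anchor in the PEM bundle TRUST
# (the bundle stands in for the JVM's cacerts file).
cert_is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# diagnose CERT HOST TRUST: name the first check that fails.
diagnose() {
    if ! cert_covers_host "$1" "$2"; then
        echo hostname-mismatch   # JSSE: "No subject alternative names ..."
    elif ! cert_is_trusted "$1" "$3"; then
        echo untrusted           # JSSE: "PKIX path building failed"
    else
        echo ok
    fi
}

# make_cert PREFIX CN [SAN]: throwaway self-signed certificate for the demo.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        ${3:+-addext} ${3:+"subjectAltName=$3"} \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/old" cas.example.test
    make_cert "$d/new" cas.example.test "DNS:cas.example.test,IP:192.0.2.10"
    echo "no SAN, URL uses IP:      $(diagnose "$d/old.crt" 192.0.2.10 "$d/old.crt")"
    echo "SAN present, not trusted: $(diagnose "$d/new.crt" 192.0.2.10 "$d/old.crt")"
    echo "SAN present and trusted:  $(diagnose "$d/new.crt" 192.0.2.10 "$d/new.crt")"
    rm -rf "$d"
}
demo
```

A regenerated certificate is a new trust anchor, so the second case also applies after re-issuing a certificate with the right SAN: the import into the truststore has to be repeated.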
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Tue Dec 16, 2014 6:51 am
by cjpitmd
michaeled wrote:
Hi Cjpitmd,
Good news, it's not a problem with OpenKM,
Try to import your certificate into the Java keystore with a command something like this:
keytool -import -alias WHATYOUWANT -keypass PASSWORD -file /path/to/your/certs/ssl.crt -keystore /etc/java-6-sun/security/cacerts
(the default password is : changeit )
Michael.

Thank you Michael, everything works fine now.
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Wed Dec 17, 2014 9:51 pm
by jllort
If there's some change to the wiki documentation (some note or similar) that you consider must be indicated, tell us and we'll do it. It could also be interesting to get the webservices authenticated by Jasig (if somebody can help us with it, they are welcome).
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Wed Dec 17, 2014 11:39 pm
by michaeled
The problem with that is that the office plugin or Joomla plugin will no longer work (unless we duplicate the services, some with SSO and others with normal auth)... no?
Re: how to SSO CAS JASIG from JBoss to TOMCAT (5.1.10 => 6.2
Posted: Fri Dec 19, 2014 9:23 am
by jllort
The webservices should be authenticated by SSO, and then the actual SDK for C# modified for it (the C# lib used by all OpenKM Windows apps for connecting).