Once you have the CAS server up and running it is easy to set SSO in OpenKM. I wanted to keep basic authentication for the WebDav part that is why the filter mapping is complicated. I did the following changes in OpenKM:
1. In server/default/deploy/OpenKM.war/WEB-INF/web.xml:
Code: Select all <!-- CAS SSO-->
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Following is needed only if CAS single-sign out is desired -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!-- Only 2 CAS filters are required for JAAS support -->
<context-param>
<param-name>service</param-name>
<param-value>https://openkm.chronossoftware.com/OpenKM</param-value>
</context-param>
<context-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://openkm.chronossoftware.com/cas/login</param-value>
</context-param>
<filter>
<filter-name>CASWebAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>CASAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>
<!-- CAS client filter mappings -->
<!-- The order of the following filters is vitally important -->
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
<filter-name>CASWebAuthenticationFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
<filter-name>CASAuthenticationFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- GWT -->
<url-pattern>/frontend/*</url-pattern>
<!-- JSPs -->
<url-pattern>/admin/*</url-pattern>
<url-pattern>/mobile/*</url-pattern>
<url-pattern>/mobile-nt/*</url-pattern>
<!-- Servlets -->
<url-pattern>/RepositoryStartup</url-pattern>
<url-pattern>/TextToSpeech</url-pattern>
<url-pattern>/Test</url-pattern>
<url-pattern>/frontend/*</url-pattern>
<url-pattern>/extension/*</url-pattern>
<!--url-pattern>/*</url-pattern-->
</filter-mapping>
<!-- /CAS SSO -->
2. In server/default/conf/login-config.xml:
Code: Select all<application-policy name="OpenKMWebDav">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://dokumentum2.chronossoftware.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="baseCtxDN">ou=Users,dc=igyuk,dc=hu</module-option>
<module-option name="baseFilter">(cn={0})</module-option>
<module-option name="rolesCtxDN">ou=Groups,dc= igyuk,dc=hu </module-option>
<module-option name="roleFilter">(uniqueMember={1})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleRecursion">2</module-option>
<module-option name="searchScope">ONELEVEL_SCOPE</module-option>
<module-option name="allowEmptyPasswords">False</module-option>
<module-option name="defaultRole">UserRole</module-option>
</login-module>
</authentication>
</application-policy>
<application-policy name="OpenKM">
<authentication>
<login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
<module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
<module-option name="casServerUrlPrefix">https://dokumentum2.chronossoftware.com/cas</module-option>
<module-option name="service">https://dokumentum2.chronossoftware.com/OpenKM</module-option>
<module-option name="defaultRoles">UserRole</module-option>
<module-option name="roleAttributeNames">groupMembership</module-option>
<module-option name="principalGroupName">CallerPrincipal</module-option>
<module-option name="roleGroupName">Roles</module-option>
<module-option name="cacheAssertions">true</module-option>
<module-option name="tolerance">20000</module-option>
<module-option name="cacheTimeout">480</module-option>
</login-module>
</authentication>
</application-policy>
3. In repository.xml I changed the "OpenKM" to "OpenKMWebDav" at
4. I have added the certificate of the CAS server to cacerts using the instructions what I found in the "Adding KPI Certificate" at
http://wiki.openkm.com/index.php/JBoss_ ... figuration
5. I have copied these 2 jar files from CAS client destribution to server/default/deploy/OpenKM.war/WEB-INF/lib :
cas-client-core-3.2.0.jar
cas-client-integration-jboss-3.2.0.jar
I checked the behavior of the URL /OpenKM/frontend/index.jsp and it also goes to the /OpenKM/login.jsp page. It seems that it does not apply the filter what is set in web.xml.
