Posted by: pasquale rizzi | July 31, 2008

Pentaho’s secrets: Enabling Single Sign On with CAS and JBoss Portal (second step)

JBoss Portal: enabling SSO with CAS – Central Authentication Service (taken from this guide)

This Single Sign On plugin enables seamless integration between JBoss Portal and the CAS Single Sign On Framework.

Details about CAS can be found here

  1. Install CAS server (v 3.2.1). This should be as simple as deploying the single cas-server-webapp-3.2.1.war file.

  2. Copy the portal-identity-lib.jar and portal-identity-sso-lib.jar files from
    $JBOSS_HOME/server/default/deploy/jboss-portal.sar/lib to
    $JBOSS_HOME/server/default/deploy/cas-server-webapp-3.2.1.war/WEB-INF/lib.

  3. Edit the $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-server.war/WEB-INF/context.xml
    file and enable the proper Tomcat valve by uncommenting the following lines:

    <Valve className="org.jboss.portal.identity.sso.cas.CASAuthenticationValve"
        casLogin="https://localhost:port/cas-server-webapp-3.2.1/login"
        casLogout="https://localhost:port/cas-server-webapp-3.2.1/logout"
        casValidate="https://localhost:port/cas-server-webapp-3.2.1/serviceValidate"
        casServerName="localhost:port"
        authType="FORM"
    />

  4. Update the valve options as follows:

    • casLogin: URL of your CAS Authentication Server

    • casLogout: URL of your CAS Authentication Server

    • casValidate: URL of your CAS Authentication Server validation service

    • casServerName: the hostname:port combination of your CAS Authentication Server

  5. Copy casclient.jar into $JBOSS_HOME/server/default/deploy/jboss-portal.sar/lib.
    You can download this file from the CAS homepage or from the JBoss repository under http://repository.jboss.com/cas/3.0.7/lib/

  6. Edit the $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF/jboss-service.xml file and uncomment the following lines:

    <mbean
        code="org.jboss.portal.identity.sso.cas.CASAuthenticationService"
        name="portal:service=Module,type=CASAuthenticationService"
        xmbean-dd=""
        xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
        <xmbean/>
        <depends>portal:service=Module,type=IdentityServiceController</depends>
        <attribute name="HavingRole"></attribute>
    </mbean>

    This exposes a special service in JBoss Portal that the CAS AuthenticationHandler can use if the CAS server is deployed on the same
    application server instance. This AuthenticationHandler is enabled in the next 2 steps.

  7. Edit $JBOSS_HOME/server/default/deploy/cas-server-webapp-3.2.1.war/WEB-INF/deployerConfigContext.xml
    and add the following line to the authenticationManager’s authenticationHandlers property section:

    <bean class="org.jboss.portal.identity.sso.cas.CASAuthenticationHandler"/>

    This can replace the default SimpleTestUsernamePasswordAuthenticationHandler, so this part of the config file can look as follows:

    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
          <property name="httpClient" ref="httpClient" />
        </bean>
        <bean class="org.jboss.portal.identity.sso.cas.CASAuthenticationHandler"/>
      </list>
    </property>
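
A quick way to check the edited files before restarting JBoss, as an added example that is not part of the original guide or of the JBoss Portal or CAS projects. The function names and sample XML are hypothetical; it assumes, following the valve options described in step 4, that the three CAS URLs should use https and share the host:port given in casServerName, and it flags a leftover SimpleTestUsernamePasswordAuthenticationHandler, the CAS demo handler that step 7 replaces.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

VALVE = "org.jboss.portal.identity.sso.cas.CASAuthenticationValve"
PORTAL_HANDLER = "org.jboss.portal.identity.sso.cas.CASAuthenticationHandler"
TEST_HANDLER = "SimpleTestUsernamePasswordAuthenticationHandler"

def _named(root, name):
    # Compare local names so Spring's namespaced <beans> file matches too.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_valve(context_xml):
    """Return problems found in the CAS valve of context.xml (steps 3 and 4)."""
    valves = [v for v in _named(ET.fromstring(context_xml), "Valve")
              if v.get("className") == VALVE]
    if not valves:  # the parser drops XML comments, so a commented valve is absent
        return ["CAS valve missing or still commented out"]
    server, problems = valves[0].get("casServerName", ""), []
    for attr in ("casLogin", "casLogout", "casValidate"):
        url = urlsplit(valves[0].get(attr, ""))
        if url.scheme != "https":
            problems.append(f"{attr}: not an https URL")
        if url.netloc != server:  # assumption: same host:port as casServerName
            problems.append(f"{attr}: host differs from casServerName")
    return problems

def check_handlers(deployer_xml):
    """Return problems found in the authenticationHandlers list (step 7)."""
    classes = [b.get("class", "")
               for p in _named(ET.fromstring(deployer_xml), "property")
               if p.get("name") == "authenticationHandlers"
               for b in _named(p, "bean")]
    problems = []
    if PORTAL_HANDLER not in classes:
        problems.append("portal CASAuthenticationHandler not registered")
    if any(c.endswith(TEST_HANDLER) for c in classes):
        problems.append("default test handler still enabled")
    return problems

# Constructed sample inputs (not taken from a real deployment).
GOOD_CONTEXT = f'''<Context><Valve className="{VALVE}"
  casLogin="https://localhost:8443/cas-server-webapp-3.2.1/login"
  casLogout="https://localhost:8443/cas-server-webapp-3.2.1/logout"
  casValidate="https://localhost:8443/cas-server-webapp-3.2.1/serviceValidate"
  casServerName="localhost:8443" authType="FORM"/></Context>'''
TEST_DEPLOYER = f'''<beans xmlns="http://www.springframework.org/schema/beans">
 <bean id="authenticationManager"><property name="authenticationHandlers"><list>
  <bean class="org.jasig.cas.authentication.handler.support.{TEST_HANDLER}"/>
  <bean class="{PORTAL_HANDLER}"/></list></property></bean></beans>'''
```

Pass the contents of your own context.xml and deployerConfigContext.xml to the two functions; an empty list means none of these problems were found.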

To test the integration:

  • Go to your portal, typically https://localhost:8443/portal (or port 443)

  • Click on the “Login” link on the main portal page

  • This should bring up the CAS Authentication Server’s login screen instead of the default JBoss Portal login screen

  • Input your portal username and password. For built-in portal login try user:user or admin:admin

  • If login is successful, you should be redirected back to the portal with the appropriate user logged in.

  • MOST IMPORTANT: to make the logout action work from the portal, and from portals inside it, you have to change the href link in header.jsp, located in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-core.war/WEB-INF/jsp/header/, like this: <a href="https://your-server-name:8443/cas-server-webapp-3.2.1/logout?service=https://your-server-name:8443/signout?location=portal">Logout</a>

Last step is available here


Responses

  1. Hi,

    I implemented everything in page one and two and in step two I manage to get the CAS login screen, but after introducing admin/admin or user/user I get the JBoss Portal login page. And even if I put the credentials in there, this page comes back.
    If I remove the CAS app and use only the portal, admin/admin works perfectly.
    Any idea what could be wrong?

    Thanks

  2. Check what happens after logging in through the CAS login page: go to your portal’s page by typing its link in your browser.
    If you get that page, CAS login works well and you only have to check in your configuration where users are redirected after CAS login…
    Probably after CAS login you have the portal login page at the end of the address in your browser.

  3. Thanks for the reply.
    Finally I found it: I used casclient-lenient.jar as client jar as suggested in the guide if you use a self-signed certificate, but that does not work, see
    http://forums.alfresco.com/en/viewtopic.php?=&p=27257#p35232
    Using casclient.jar instead works without problems.

  4. Well…I’m happy for the useful guide I wrote…

  5. Hi,

    I’m trying to integrate Pentaho with CAS and I have some problems. I already have a Liferay with CAS and Alfresco integrated, now I want to integrate Pentaho too in order to SSO to Pentaho from Liferay without inserting any login information. I thought that I only had to change some .XMLs from Pentaho and the Pentaho.xml to use the Liferay roles (Administrator, user, Guest, etc.) but I have an unusual exception when I try to access Pentaho through CAS authentication. Could somebody help me? THANKS!

    If you need any configuration file I could post them too.

    Here is my exception:

    2008/10/10 07:38:52:807 GMT [INFO] CentralAuthenticationServiceImpl – Granted se
    rvice ticket [ST-3-bIc7xfd0faM46zpYQlf7koX5cTGPp1DovmV-20] for service [https://
    http://www.intranet.amesaconsulting.com/pentaho/j_acegi_cas_security_check for user [a
    dmin]
    2008/10/10 07:38:52:838 GMT [ERROR] ServiceValidateController – TicketException
    generating ticket for: https://www.intranet.amesaconsulting.com/cas-web/proxy/re
    ceptor org.jasig.cas.ticket.TicketCreationException: error.authentic
    ation.credentials.unsupported

  6. Have you tried the last step of my guide?

    Try to follow it and if you have troubles send me your pentaho context configuration files

  7. Pasquale,
    I’m trying to implement your guide but:
    in step 2 I don’t find portal-identity-sso-lib.jar from
    $JBOSS_HOME/server/default/deploy/jboss-portal.sar/lib
    in step 3 I don’t find jboss-portal.sar/portal-server.war/WEB-INF/context.xml

    I’m using Pentaho 1.7.
    What version is your guide related to?

    Bye

  8. This guide refers to pentaho version 1.6

  9. Where can I find the files Pierpaolo mentions? I don’t even see them in Pentaho 1.6?

    thanks, dejan

    • version 1.7 is bundled with tomcat…in this case you have to refer to tomcat server.xml for cas integration

  10. Hi,

    If I can see, both the versions 1.7.x and 1.6 of Preconfigured-install are using Jboss portal 2.6.1. This version is not SSO enabled and the files: portal-identity-sso-lib.jar and context.xml don’t exist.

    Even in svn source of pentaho-preconfiguredinstall the Jboss portal version is still 2.6.1.

    So I don’t know where to find those files :-(

    regards, dejan

  11. Hi,

    If I can see, both the PCI versions 1.7.x and 1.6 are bundled with JBoss Portal 2.6.1. And it doesn’t natively support CAS, only 2.6.2 and up does.

    Even the svn version of pentaho-preconfiguredinstall still has JBoss Portal 2.6.1

    So where are those files in PCI :-) ?

    regards, dejan

  12. First you have to enable SSO in JBoss Portal, next in Pentaho…follow this guide from the first step…if you don’t find the files mentioned above in previous posts you have to understand where they are in your JBoss Portal distribution…

  13. Hi,

    Do you know where I can find pentaho-cas-container-adapter-filter.jar and pentaho-acegi-security-updates.jar? I need to integrate CAS, Liferay and Pentaho on Tomcat

    If this is a bad translation, here it is in English:

    Do you know where are pentaho-cas-container-adapter-filter.jar and pentaho-acegi-security-updates.jar to integrate Liferay, CAS and Pentaho under Tomcat.

    Thanks a lot

    • They are probably in the subscription edition, in the folder pentaho-sso/res/jboss-portal…

  14. Hi!

    I read about your experiences with Pentaho and CAS. What I am trying to do is the CAS LIFERAY PENTAHO integration… but unfortunately I am stuck and can’t move forward… would you be so kind as to give me a hand? I can’t find a solution to my problem online, but maybe it is simpler than I think…
    I would be grateful, and I look forward to your reply.
    Thanks!

