Central Authentication Service

cancel
Showing results for 
Search instead for 
Did you mean: 

Central Authentication Service

resplin
Intermediate
0 0 1,972

Obsolete Pages{{Obsolete}}

The official documentation is at: http://docs.alfresco.com



AuthenticationSingle Sign On

Please Note: This article describes configuration methods now outdated in the Alfresco version 3.2 release. For a more up to date description, refer to Alfresco With mod_auth_cas.



This article is a not very good translation of an article found in the French version of this wiki. I do not speak French so the translation might not be perfect. I didn't found any better documentation than this one about using CAS with Alfresco so I decided to translate it as well as I could.

Central Authentication Service ( from now on CAS ) is a Single Sign On service providing system.


CASifying Alfresco


This document describes how to modify Alfresco in order for it to work with CAS.

Requirements :


Alfresco uses Acegi for the authentication and authorisation. Acegi is supposed to provide ways to authenticate with CAS but I've not been able to achieve so.


Certificates


Tomcat with SSL


Check this doc : http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


JVM and CAS


In order for the CAS client to work it is mandatory that the JVM knows the certificate that the CAS Server uses to establish the SSL connection.
That's neccessary in order to validate the ticket shared among the server and the client. To add the servers certificate use JVM's keytool command:



# export of the certificat from the CAS tomcat server to the file CAS.bin.export
keytool -export -keystore /where/is/the/file.keystore -alias my_alias -storepass serverks -file CAS.bin.export

# import the certificat from the file CAS.bin.export to the Alfresco's JVM
# default password for the keystore is : changeit
keytool -import -alias my_alias -file CAS.bin.export -keystore $JAVA_HOME/jre/lib/security/cacerts

Using CAS Client in Alfresco


Download Yale's implementation of the Java client here and place casclient.jar file in  tomcat/shared/lib/.


Modifications of Alfresco


web.xml


web.xml file allows to define a set of filters that would be applied to authentication.


  • get the example file for web.xml
  • Backup the original web.xml
  • place the file in tomcat/webapps/alfresco/WEB-INF
  • modify the URLs for Authentication Filter filter, this URLs should point to your CAS Server (and must be equal to the domain name exposed in the certificate)

relogin.jsp


Let's add a redirection (response.sendRedirect) in order to go to CAS Server's logout page when leaving CAS. This a first step in order to add Single Sign Off capabilities.

We need to edit tomcat/webapps/alfresco/jsp/relogin.jsp and add this :



// logout CAS
response.sendRedirect('https://server_cas:8443/cas/logout');

here (around line 38 ):



...

CasAuthenticationFilter.java


The file CasAuthenticationFilter.java is a new filter based on NovellIChainsHTTPRequestAuthenticationFilter.java. We also need to replace Alfresco's BaseServlet class in order to change the value of ARG_TICKET. ARG_TICKET collides with the variable ticket that CAS uses. So, in order to solve the problem, we change the value of ARG_TICKET. That is a nasty solution and implies to manage to recompile the BaseServlet Class by hand for each different Alfresco version you use ¿ Is there a better solution ?




  • get this java files :
  • place this files into Alfrescos source directory, wherever they should go
  • compile them
  • copy the generate .class files in tomcat/webapps/alfresco/WEB-INF/classes/org/alfresco/web/app/servlet




cas-context.xml


As the authentication is done by CAS as well as by Alfresco, we will tell Alfresco to allow everyone. We can achieve this by simply adding a file called  cas-context.xml in tomcat/shared/classes/alfresco/extension/ with this content:



<beans>


   
    <bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl'>
        <property name='accept'>
            <value>true</value>
        </property>   
    </bean>
</beans>




External references


Main reference for this article