The official documentation is at: http://docs.alfresco.com
Please note: this article describes configuration methods that are now outdated in the Alfresco version 3.2 release. For a more up-to-date description, refer to Alfresco With mod_auth_cas.
This article is a not very good translation of an article found in the French version of this wiki. I do not speak French, so the translation might not be perfect. I didn't find any better documentation than this one about using CAS with Alfresco, so I decided to translate it as well as I could.
Central Authentication Service (CAS from here on) is a single sign-on system.
This document describes how to modify Alfresco in order for it to work with CAS.
Requirements:
Alfresco uses Acegi for authentication and authorisation. Acegi is supposed to provide ways to authenticate with CAS, but I've not been able to achieve this.
See this document: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
For the CAS client to work, the JVM must know the certificate that the CAS server uses to establish the SSL connection.
This is necessary in order to validate the ticket shared between the server and the client. To add the server's certificate, use the JVM's keytool command:
# export the certificate from the CAS Tomcat server to the file CAS.bin.export
keytool -export -keystore /where/is/the/file.keystore -alias my_alias -storepass serverks -file CAS.bin.export
# import the certificate from the file CAS.bin.export into the Alfresco JVM's trust store
# the default password for the cacerts keystore is: changeit
keytool -import -alias my_alias -file CAS.bin.export -keystore $JAVA_HOME/jre/lib/security/cacerts
Download Yale's implementation of the Java client here and place the casclient.jar file in tomcat/shared/lib/.
The web.xml file lets you define a set of filters that are applied to authentication.
Let's add a redirect (response.sendRedirect) to the CAS server's logout page when leaving CAS. This is a first step towards adding Single Sign Off capabilities.
We need to edit tomcat/webapps/alfresco/jsp/relogin.jsp and add this:
// log out of CAS
response.sendRedirect("https://server_cas:8443/cas/logout");
here (around line 38):
...
The file CasAuthenticationFilter.java is a new filter based on NovellIChainsHTTPRequestAuthenticationFilter.java. We also need to replace Alfresco's BaseServlet class in order to change the value of ARG_TICKET, because ARG_TICKET collides with the ticket variable that CAS uses. Changing the value of ARG_TICKET solves the problem, but it is a nasty solution: it means recompiling the BaseServlet class by hand for each Alfresco version you use. Is there a better solution?
Because authentication is done by CAS as well as by Alfresco, we will tell Alfresco to allow everyone. To do this, add a file called cas-context.xml in tomcat/shared/classes/alfresco/extension/ with this content:
<beans>
<bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl'>
<property name='accept'>
<value>true</value>
</property>
</bean>
</beans>
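An added example, not part of the original article or of Alfresco: since this bean makes the repository accept every login and leaves CAS as the only check, the Python script below scans a Spring context file for it so you can confirm where it is deployed. The function names, the list of truthy spellings and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ACCEPT_ALL = ("org.alfresco.repo.security.authentication."
              "SimpleAcceptOrRejectAllAuthenticationComponentImpl")
# Assumption: spellings treated as boolean true when the property is set.
TRUTHY = {"true", "on", "yes", "1"}

def _local(tag):
    # Strip an XML namespace, if the context file declares one.
    return tag.rsplit("}", 1)[-1]

def _property_value(prop):
    # Spring allows <property value="..."/> or a nested <value> element.
    if prop.get("value") is not None:
        return prop.get("value")
    for child in prop:
        if _local(child.tag) == "value":
            return child.text or ""
    return ""

def find_accept_all_beans(context_xml):
    """Return ids of beans that make the repository accept every login."""
    root = ET.fromstring(context_xml)
    hits = []
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != ACCEPT_ALL:
            continue
        for prop in bean:
            if (_local(prop.tag) == "property"
                    and prop.get("name") == "accept"
                    and _property_value(prop).strip().lower() in TRUTHY):
                hits.append(bean.get("id", "<anonymous>"))
    return hits

# Constructed samples: the bean from this article and a reject-all variant.
CAS_CONTEXT = """<beans>
<bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl'>
<property name='accept'><value>true</value></property>
</bean>
</beans>"""
REJECT_CONTEXT = CAS_CONTEXT.replace("<value>true</value>", "<value>false</value>")

if __name__ == "__main__":
    for name, text in (("cas-context.xml", CAS_CONTEXT), ("reject-all", REJECT_CONTEXT)):
        print(name, find_accept_all_beans(text))
```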