Web-SSO between Liferay and Alfresco with CAS and Penrose (part 2/2)

The aim is to do authentication and Web-SSO between Liferay and Alfresco using CAS.
In this blog post we explain how to configure Alfresco for LDAP authentication and user synchronization, and how to configure a CAS Authentication Filter so that Web-SSO works with automatic/transparent login.

First, we will follow this technical design for authentication and SSO.

Figure: Authentication and SSO architecture between Liferay, Alfresco and CAS

Requirements

  1. Virtual Directory Server (Penrose Server 2.0) and CAS server (tested with version 3.3.5). I will use the existing CentOS VirtualBox VM with CAS and Penrose Server (Virtual Directory/LDAP) pre-configured, named “directorysrv1”, from the last blog post (Web-SSO between Liferay and Alfresco with CAS and Penrose (part 1/2)), but with a few changes:
    A sample DN:
    uid=480838,ou=Employees,dc=intix,dc=info
    cn=aamodwroclawski
    

    You can download this new Penrose partition here.

    Figure: LDAP tree

  2. Alfresco 3.4c CE: we are using a new WinXP VirtualBox VM with Alfresco and MySQL installed, named “alfr01”.
  3. Liferay 6.0.5 with LDAP and CAS enabled: we are using a WinXP VirtualBox VM with Liferay 6.0.5 CE installed, named “lfry01”. See the previous post here.

  4. CAS-client (3.1.10)

I. Enable LDAP Authentication and LDAP users import in Alfresco

This step is not necessary for Web-SSO, but I recommend it because you can then manage users from the Alfresco Admin Console (Browser/Explorer or Share): edit and delete users, create groups and grant permissions.

1. Create the folder structure “\subsystems\Authentication\ldap\ldap1” under ${ALF_HOME}\tomcat\shared\classes\alfresco\extension.

2. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder created above.

3. Modify ldap-authentication.properties to enable LDAP authentication and synchronization. For example, you can use my file (it only works for my LDAP tree, with uid as the RDN and authentication by cn; see my LDAP tree above):

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
### intix: always search the DN by the RDN attribute, in my case uid (see LDAP tree)
### ldap.authentication.userNameFormat=cn=%s,ou=Employees,dc=intix,dc=info
### intix: leaving this empty is better than the line above, because I want to search by CN.
### It is necessary to set ldap.synchronization.personQuery=inetOrgPerson and ldap.synchronization.userIdAttributeName=cn (see below)
ldap.authentication.userNameFormat=

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://directorysrv1:10389

# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
### intix: administration user (CN) when ldap authN is enabled.
### The "admin" user is valid when alfrescoNtlm authN is enabled.
ldap.authentication.defaultAdministratorUserNames=aamodwroclawski

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0

# The query to select all objects that represent the groups to import.
### ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)

# The query to select objects that represent the groups to import that have changed since a certain time.
### ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=intix,dc\=info

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=Employees,dc\=intix,dc\=info

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
### ldap.synchronization.userIdAttributeName=uid
### intix: CN is necessary to authN by this attribute when searching LDAP
ldap.synchronization.userIdAttributeName=cn

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description

# The group type in LDAP
### ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupType=groupOfUniqueNames

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
### ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.groupMemberAttributeName=uniqueMember

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

4. Re-start Alfresco.

5. Check LDAP authN and import of users in Alfresco.

Figure: Imported users from LDAP tree in Alfresco
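As an added example (not from the original post, and not Alfresco's own code), the following Python models the DN lookup Alfresco performs when ldap.authentication.userNameFormat is left empty, as in the properties file above: it combines ldap.synchronization.personQuery with ldap.synchronization.userIdAttributeName under ldap.synchronization.userSearchBase, escaping the login name so it cannot alter the filter. The in-memory directory, the exact filter shape and the helper names are this example's assumptions.

```python
import re
from typing import Dict, List, Optional

# Values copied from the ldap-authentication.properties above (the backslash
# escapes disappear when the Java properties loader reads the file).
PERSON_QUERY = "(objectclass=inetOrgPerson)"
USER_ID_ATTRIBUTE = "cn"
USER_SEARCH_BASE = "ou=Employees,dc=intix,dc=info"
USER_NAME_FORMAT = ""  # empty: resolve the DN by search instead of substitution


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.  Without it
    a login such as '*' or 'x)(cn=admin' would change the filter's meaning
    instead of being matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the toy evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_lookup_filter(user_id: str) -> str:
    """Assumed shape of the search filter sent when userNameFormat is empty:
    the person query ANDed with an equality match on the user-id attribute."""
    return "(&%s(%s=%s))" % (PERSON_QUERY, USER_ID_ATTRIBUTE, escape_filter_value(user_id))


def matches_and_filter(filter_str: str, attrs: Dict[str, List[str]]) -> bool:
    """Minimal evaluator for the '(&(a=v)(b=w))' shape produced above: every
    equality term must equal one of the entry's values.  Attribute names are
    compared lower-case; this is not a general LDAP filter engine."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
    return all(unescape_filter_value(v) in attrs.get(a.lower(), []) for a, v in terms)


def bind_dn_for(user_id: str, directory: Dict[str, Dict[str, List[str]]]) -> Optional[str]:
    """DN Alfresco would bind as for this login name, or None.

    With userNameFormat set, the DN comes from string substitution and no
    search happens (the login name must then be the RDN value).  With it
    empty, the filter is evaluated under the user search base and exactly one
    hit is required, which is how a uid-RDN tree can be logged into by cn."""
    if USER_NAME_FORMAT:
        return USER_NAME_FORMAT.replace("%s", user_id)
    flt = user_lookup_filter(user_id)
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + USER_SEARCH_BASE.lower())
            and matches_and_filter(flt, attrs)]
    return hits[0] if len(hits) == 1 else None


# Constructed sample of the LDAP tree in the post: the RDN is uid, users log in with cn.
SAMPLE_DIRECTORY = {
    "uid=480838,ou=Employees,dc=intix,dc=info": {
        "objectclass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "uid": ["480838"],
        "cn": ["aamodwroclawski"],
    },
    # The sync principal lives outside the user search base and must not be found.
    "uid=admin,ou=system": {
        "objectclass": ["inetOrgPerson"],
        "uid": ["admin"],
        "cn": ["admin"],
    },
}

if __name__ == "__main__":
    for login in ("aamodwroclawski", "480838", "*", "x)(cn=admin"):
        print("%-14r -> %s -> %s" % (login, user_lookup_filter(login),
                                     bind_dn_for(login, SAMPLE_DIRECTORY)))
```

Logging in with the uid value (480838) fails here because userIdAttributeName is cn, which is exactly the behaviour the intix comments in the properties file describe.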

II. Configure CAS in Alfresco

We are setting up Alfresco so that when someone logs into Alfresco they are redirected to CAS for authentication.

Through the CAS filter, Alfresco intercepts any access request and redirects it to the CAS login page.

Once you have successfully authenticated with CAS, you are redirected to the My Alfresco Dashboard; Alfresco then needs to read the values the CAS filter placed in the session.

If you want SSO and automatic redirection when logging into Alfresco Explorer after authenticating with CAS, you should create a CAS Authentication Filter as Aksels Architecture Blog shows here (see reference 2) and test it with version 3.4c.

To do this you have to create/modify the Java code (CasAuthenticationFilter.java) that is executed when a user enters an Alfresco page.

1. Edit the alfresco web.xml to modify the Authentication Filter and to add the CAS filters.

c:\>notepad++ C:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\web.xml

… and modify web.xml as follows:

[...]
   <context-param>
         <param-name>rootPath</param-name>
         <param-value>/app:company_home</param-value>
   </context-param>
   
   <!--filter>
      <filter-name>Authentication Filter</filter-name>
      <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>AuthenticationFilter</param-value>
      </init-param>
   </filter-->
   <!-- ******* INTIX, Step 1 of 3: Comment out the 'Authentication Filter' filter above and add the modified CAS filter below -->
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <description>INTIX - Authentication Filter</description>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
         <param-name>casServerLoginUrl</param-name>
         <param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5/login</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://alfr01:8080</param-value>
      </init-param>
   </filter>
   <!-- End new CAS filter -->
   
   <filter>
      <filter-name>Global Authentication Filter</filter-name>
      <description>Authentication filter mapped to all authenticated URLs. Mainly for SSO support</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>GlobalAuthenticationFilter</param-value>
      </init-param>
   </filter>
[...]
  <!-- ******* INTIX, Step 2 of 3: Add all CAS urls --> 
   <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://alfr01:8080</param-value>
      </init-param>
   </filter>
   
   <filter>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <filter-class>info.intix.alfresco.CasAuthenticationFilter</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/navigate/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/navigate/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/navigate/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/command/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/command/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/command/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/download/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/download/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/download/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/template/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/template/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/template/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/n/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/n/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/n/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/c/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/c/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/c/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/t/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/t/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/t/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/d/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/d/*</url-pattern>
   </filter-mapping>
   
   <filter-mapping>
      <filter-name>Alfresco CAS Authentication Filter</filter-name>
      <url-pattern>/d/*</url-pattern>
   </filter-mapping>
 <!-- ******* End of CAS urls -->   
   
   <filter-mapping>
      <filter-name>Global Localization Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
 [...]
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>
   <!-- ******* INTIX, Step 3 of 3: Comment this out, it is a duplicate -->
   <!--filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping-->

   <filter-mapping>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <url-pattern>/webdav/*</url-pattern>
   </filter-mapping> 
[...]

2. Copy the CAS client jar file into the alfresco webapp lib folder.

c:\>
c:\>copy C:\0share1\cas-client-core-3.1.10.jar C:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\lib\cas-client-core-3.1.10.jar
        1 archivos copiados.

c:\>

3. Modify and compile CasAuthenticationFilter.java (http://akselsarchitecture.googlegroups.com/web/CasAuthenticationFilter-Alfresco.java) and copy the resulting .jar into the alfresco webapp lib folder.

c:\>
c:\>copy C:\0share1\www.intix.info-casauthnfilter-0.1.jar c:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\lib\www.intix.info-casauthnfilter-0.1.jar
        1 archivos copiados.

c:\>

You can download my www.intix.info-casauthnfilter-0.1.jar file from here.

4. Re-start Alfresco.

5. Test CAS configuration.

Try opening an Alfresco page, for example http://alfr01:8080/alfresco, in a browser. You should be redirected to the CAS login page, and when you log in (for example with aamodwroclawski/test) you should be redirected back to the My Alfresco Dashboard.

6. If you get this error (see figure below), it is because you have not installed the CAS root SSL certificate as a trusted certificate in the JRE’s cacerts store used by Alfresco. Alfresco 3.4c CE keeps the JRE’s cacerts store in ${ALF_HOME}/java/jre/lib/sec, so install the certificate there.

Figure: CAS server SSL certificate not installed in Alfresco

To solve it, import the CAS server’s SSL public certificate into the JRE’s cacerts of the JVM running Alfresco; in my case Alfresco runs on a WinXP box called “alfr01”.

c:\>keytool -import -alias tomcat -file c:\0share1\directorysrv1_730days.crt -keystore C:\1bpms-demo\alf34c_1\java\jre\lib\sec
y\cacerts
Enter keystore password:
Owner: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
Issuer: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
Serial number: 4d1df9bc
Valid from: Fri Dec 31 16:41:48 GMT+01:00 2010 until: Sun Dec 30 16:41:48 GMT+01:00 2012
Certificate fingerprints:
         MD5:  11:4D:72:BB:80:42:EE:F7:4A:CA:E9:EA:F6:4F:86:8D
         SHA1: 7F:6B:12:64:31:8B:47:4E:11:33:D7:FE:EF:C6:D4:65:12:59:8D:2E
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
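As an added example (not code from the post, nor the Jasig CAS client's own), the following Python shows what the “CAS Validation Filter” configured in the web.xml above does with the ticket CAS appends to the URL: rebuild the service URL from serverName with the ticket parameter removed, call <casServerUrlPrefix>/serviceValidate, and accept a user only from a well-formed CAS 2.0 success response. The responses and function names are constructed for this example; the plain-text CAS 1.0 answer is included because of the Cas10/Cas20 filter mix-up discussed in the comments below.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit
import xml.etree.ElementTree as ET

# Values from the web.xml in the post.
CAS_SERVER_URL_PREFIX = "https://directorysrv1:8443/cas-server-webapp-3.3.5"
SERVER_NAME = "http://alfr01:8080"
CAS_NS = "http://www.yale.edu/tp/cas"


def service_url(request_uri: str) -> str:
    """Service URL the client presents to CAS: serverName + request path and
    query with the 'ticket' parameter removed.  CAS compares it with the
    service the ticket was issued for, so serverName must match the URL the
    browser actually used (see the hostname-vs-IP discussion in the comments)."""
    parts = urlsplit(request_uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    url = SERVER_NAME + parts.path
    return url + ("?" + urlencode(query) if query else "")


def validate_url(request_uri: str, ticket: str) -> str:
    """The serviceValidate request the Cas20 filter sends.  This is an HTTPS
    call made from Alfresco's JVM, which is why the CAS certificate has to be
    trusted in that JVM's cacerts (step 6 above)."""
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"service": service_url(request_uri), "ticket": ticket})


def parse_cas20_response(body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, None) on success or (None, failure_code) on failure.
    Anything that is not a well-formed CAS 2.0 serviceResponse is a failure:
    the filter that sets the Alfresco user must never act on a half-parsed
    answer, because a missing user name surfaces later as a NullPointerException
    in the authentication component (see the comments)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, "INVALID_RESPONSE"
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        return None, "INVALID_RESPONSE"
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        user = success.findtext("{%s}user" % CAS_NS, default="").strip()
        return (user, None) if user else (None, "INVALID_RESPONSE")
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "INVALID_RESPONSE"


# Constructed sample responses in the shape defined by the CAS 2.0 protocol.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>aamodwroclawski</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# What a CAS 1.0 /validate endpoint answers instead: plain text, not XML.
# A CAS 2.0 consumer rejects it outright rather than extracting a user from it.
CAS10_RESPONSE = "yes\naamodwroclawski\n"

if __name__ == "__main__":
    print(validate_url("/alfresco/faces/jsp/login.jsp?ticket=ST-1-example", "ST-1-example"))
    for body in (SUCCESS_RESPONSE, FAILURE_RESPONSE, CAS10_RESPONSE):
        print(parse_cas20_response(body))
```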

III. Tuning Authentication in Alfresco

At this point we have configured Alfresco and CAS, with user management done by synchronizing or importing the users stored in the LDAP tree.

We can manage users, groups and roles via the Alfresco LDAP subsystem and handle authentication/SSO via the EXTERNAL subsystem. To do this, modify alfresco-global.properties:

[...]
### authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
authentication.chain=external1:external,ldap1:ldap

IV. Test Web Single Sign On between Liferay 6.0.5 CE and Alfresco 3.4c CE

Open a browser at http://alfr01:8080/alfresco; you are redirected to the CAS login page. Enter aamodwroclawski/test, and you should be redirected to the Alfresco My Dashboard page, authenticated.

At this point you should see Logout (aamodwroclawski) in the top right of the Alfresco page, indicating that you have successfully logged in.

Figure: User properly authenticated in Alfresco

Then, in another browser window, open http://lfry01:8080/intixportal/user/aamodwroclawski; you are redirected to the private, authenticated Liferay page for the user “aamodwroclawski”.

Figure: The same user authenticated with SSO in Liferay

In the other direction (Liferay to Alfresco) it works too.

V. Conclusions

1. Authentication and user sync in Alfresco 3.4c work with the LDAP authentication subsystem.

2. SSO with CAS in Alfresco 3.4c works by enabling the EXTERNAL authentication subsystem.

3. There is an issue when importing users from the LDAP tree into Liferay: the passwords are created with a random value and not with “test”.

END

References:

1. CAS in Alfresco: http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

2. CAS SSO for Alfresco 3.3 and Share: http://akselsarchitecture.blogspot.com/2010/09/cas-sso-for-alfresco-33-and-share.html

@Chilcano

Posted in ECM, Portal
25 comments on “Web-SSO between Liferay and Alfresco with CAS and Penrose (part 2/2)”
  1. […] This post was mentioned on Twitter by Bladimir Rondon, Roger Carhuatocto. Roger Carhuatocto said: Web-SSO between Liferay and Alfresco with CAS and Penrose (part 2/2) http://wp.me/p8pPj-6L […]

  2. Harry Ng says:

    Thank you very much for your post.

  3. Michael says:

    Hi,

    I tried this and it almost works.
    Liferay displays the CAS-Login Page.
    Alfresco displays the CAS-Login Page.

    If I log in, the SSO mechanism seems not to work; CAS creates two different tickets for the same credentials.

    Any ideas?

  4. Hemang says:

    Has anyone successfully tried integrating CAS with Alfresco Share for Alfresco 3.4.c?

  5. skollen says:

    In order to add Single Sign Off capabilities you also have to redirect to the CAS Server’s logout page when leaving Alfresco.

    You must edit tomcat/webapps/alfresco/jsp/relogin.jsp and add (around line 38)

    // logout CAS
    response.sendRedirect("https://server_cas:8443/cas/logout");

    just before the line:
    // remove the username cookie value if explicit logout was requested by the user

    Thanks for your post, it’s really useful

  6. Maximilien Tyc says:

    Hello everyone,
    I’m trying to integrate CAS authentication into Alfresco; I’ve followed what you said.
    Redirection to the CAS server works well, but I have an issue with the certificate: after I get logged into the CAS server, it redirects me to the Alfresco install, but I get this exception:

    Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    … 30 more

    I think this is due to my certificate’s CN field.
    Both CAS server and Alfresco are on the same machine.

    My CN field contains the local IP address of the server,
    and in my web.xml I’ve put the same in the casServerUrlPrefix and serverName fields.

    Does anyone have an idea?
    Thanks

    • Yes, it is an issue with the X.509 SSL server certificate. It seems your certificate was created without the required attributes (no subject alternative names); try creating a new cert with the hostname (not the IP) in the CN field. Make sure also to install the root cert as trusted in the cert store (cacerts) of your JVM.

  7. Maximilien Tyc says:

    Thank you for your answer Roger,
    So I’ve tried to make a new cert, with my hostname (testmachine) as CN. I generated a cert file and imported it into Alfresco’s JVM. Well.
    In my web.xml, I did exactly like you, with those fields:
    for information:
    http://testmachine:8081/alfresco -> is the alfresco install
    https://testmachine:8443/cas/login -> is my CAS (which works well with other applications)

    <filter>
       <filter-name>Authentication Filter</filter-name>
       <description>INTIX - Authentication Filter</description>
       <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
       <init-param>
          <param-name>casServerLoginUrl</param-name>
          <param-value>https://testmachine:8443/cas/login</param-value>
       </init-param>
       <init-param>
          <param-name>serverName</param-name>
          <param-value>http://testmachine:8081</param-value>
       </init-param>
    </filter>

    <filter>
       <filter-name>CAS Validation Filter</filter-name>
       <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
       <init-param>
          <param-name>casServerUrlPrefix</param-name>
          <param-value>https://testmachine:8443/cas</param-value>
       </init-param>
       <init-param>
          <param-name>serverName</param-name>
          <param-value>http://testmachine:8081</param-value>
       </init-param>
    </filter>

    <filter>
       <filter-name>Alfresco CAS Authentication Filter</filter-name>
       <filter-class>info.intix.alfresco.CasAuthenticationFilter</filter-class>
    </filter>

    I’ve also commented out the other authentication filters like you did.

    (I have 2 installations of Tomcat, one for my CAS server and one for Alfresco.)

    As a result, Alfresco redirects me to the CAS server properly. I authenticate correctly to the CAS server with the account “m.tyc”, which I’ve also added in Alfresco. And Alfresco gives me another exception, which I can’t resolve for the moment:

    java.lang.NullPointerException
    at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.isSystemUserName(AbstractAuthenticationComponent.java:353)
    at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:195)
    at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:190)
    at info.intix.alfresco.CasAuthenticationFilter.setAuthenticatedUser(CasAuthenticationFilter.java:163)
    at info.intix.alfresco.CasAuthenticationFilter.doFilter(CasAuthenticationFilter.java:137)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:93)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    ……………

    Thank you again for your answer, and I hope you can help me
    Maximilien

  8. Maximilien Tyc says:

    OK thanks Roger, I’m waiting for news from you
    Maximilien

  9. Hi Maximilien,

    You have a mistake in the web.xml configuration, in the “CAS Validation Filter” section.

    You have “org.jasig.cas.client.validation.Cas10TicketValidationFilter” and should be “org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter”.

    Try again and then tell me if that worked.

    Regards.

  10. miller_huang says:

    Hi! Thanks for your blog, I did it as you said and signed in successfully. But I have a problem: when I sign in to Liferay and open Alfresco I need to sign in again, and the reverse is also true!
    I do not know why. Do you have any ideas??
    Thanks

  11. Miller says:

    Hi! I did as your blog says, but when I log in to Liferay and open Alfresco, I need to log in again. I do not know why. Do you have any ideas?

    Thanks!!

  12. […] between Liferay and Alfresco with CAS and Penrose part 1 and part 2 Posted by Roger Carhuatocto Filed in PORTAL, Security, SSO Tags: CAS, Liferay, SSO Leave a […]

  13. Vijith P A says:

    Hi ,

    I followed this article for CAS integration on Alfresco. My OpenLDAP server is already integrated with CAS as well as Alfresco. I configured Alfresco and CAS on different servers.

    For Information :
    http://192.168.1.132:8080/alfresco -> is the alfresco url
    https://192.168.1.135:8443/casuid/login -> is my CAS

    When I use the Alfresco URL it redirects to the CAS login page; after successful LDAP authentication I get errors in Alfresco:

    “java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    caused by:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    caused by:
    java.security.cert.CertificateException: No subject alternative names present”

    I read that Mr. Maximilien Tyc had the same issue. When installing the certificate I used “cas” as the CN, because my CAS server uses the hostname “cas” and the Alfresco hostname is “alfresco”; after that I imported that certificate file into Alfresco …

    does anyone have an idea of this?

    with regards

    • Vijith P A says:

      It was my mistake when creating the self-signed certificate: I had not given the first & last name properly.

  14. I really was looking for suggestions for my own site and located ur posting, “Web-SSO between Liferay and Alfresco with
    CAS and Penrose (part 2/2) • Holism and Technology •”, would you mind in
    cases where I employ a few of your concepts? Thank you -Cruz

  15. George Vincent says:

    Could you all help me to update this to Liferay 6.2 GA2 and Alfresco 4.2? I have been trying for the past week but I failed to achieve it; please spend your valuable time with me. Thank you

  16. sysdocs says:

    Hi,

    Do you have by any chance the source code for CasAuthenticationFilter.java? Looks like akselsarchitecture.googlegroups.com/web/CasAuthenticationFilter-Alfresco.java is down and I’m unable to find a copy anywhere.

    Thanks!
