When working a Liferay Portal in Organizations with existing web applications, generally new web applications will need to be integrated in current Authentication and Web-SSO service. This document explains how to create new java web applications knowing that they will use the AuthN service and will Web-SSO with Liferay. Although, this document is for new java web applications, existing web applications (based in java, php,. net, ruby, …) can also use it as this document explains the most important steps to perform.
This document can be taken as a set of best practices (including source code) when you want to integrate with CAS.


  • This document does not say how to do Single-Sign Out or logout, only Single-Sign On or login.

Use cases when CAS-ifying web applications

Use case #1: Authentication

[caption id=”” align=”alignnone” width=”487” caption=”Use case #1: Authentication”]Use case #1: Authentication[/caption]

Use case #2: Web-SSO

To perform Web-SSO, we will need 2 webapps, the first one is Liferay, and the second one is webappA. Both should be authenticated with CAS-server.
The main difference between authentication and web-sso processes is that CAS shares authenticated session through CAS Service Manager.

Use case #3: Web Single Sign Off or Single Log Out

Single Sign Out or Single Log Out means that CAS-server contacts each webapp and notifies them that you have logged out. Then you should invalidate or delete all cookies stored in your web browser.
This protocol is implemented in Java CAS client library only.

Use case #4: Logout

To perform a logout means (involves) to close authenticated session in CAS-server side. Afterwards, you will need to make sure that the cookie does not exist in your web browser.

Process of installation and deployment of a CAS-ified webapp

When you install and deploy any web application in an environment where Web-SSO is enabled, you should to following steps.

[caption id=”” align=”alignnone” width=”507” caption=”Task to do with/in CAS-ified webapp”]Task to do with/in CAS-ified webapp[/caption]
Generally, the steps 1, 2 and 3 have already been made and it is only pending to how to configure CAS-client, CAS-service manager, java webapp, etc.

CAS service manager

It is necessary to define an URL for identify the new web application. This URL will be called the “URL Service”:

  • Identify the CAS-ified webapp trying to authenticate in CAS-server. In almost all cases, this will be the URL of the web application.
  • In a successfully login process is used to redirect web browser to URL specified.
  • It is used as filter for CAS Services Management in Web-SSO process allowing to do SSO between webapps registered.

[caption id=”” align=”alignnone” width=”511” caption=”Define URL for CAS-ified webapp”]Define URL for CAS-ified webapp[/caption] To replace the URL/IP for yours.

[caption id=”” align=”alignnone” width=”590” caption=”Define URL to filter webapp to perform SSO”]Define URL to filter webapp to perform SSO[/caption]

Develop your Java Webapp and configure Tomcat

Firstly, you have to design your scenario to do Web-SSO. In this case, We have 3 servers:

  • lfry01 or svdapp85 (IP, HTTP port 6060): Liferay Portal
  • lfry02 (IP or IP, HTTP port 8080): Tomcat server hosting new CAS-ified Java Web App
  • blcr00 or svdapp85 (IP, SSL port 6443): Tomcat server hosting CAS server and CAS service manager Our scenario will look like to following diagram.

Scenario where we will deploy our CAS-ified webapp. Scenario where we will deploy our CAS-ified webapp.

  1. Install Tomcat, enable SSL ( lfry02 ) using server.xml sample:

    <?xml version='1.0' encoding='utf-8'?>  
    <Server port="8005" shutdown="SHUTDOWN">  
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />  
    <Listener className="org.apache.catalina.core.JasperListener" />  
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />  
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />  
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />  
    <Resource name="UserDatabase" auth="Container"  
    description="User database that can be updated and saved"  
    pathname="conf/tomcat-users.xml" />  
    <Service name="Catalina">  
    <Connector port="8080" protocol="HTTP/1.1"  
    redirectPort="8443" />  
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"  
    port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"  
    enableLookups="false" disableUploadTimeout="true"  
    acceptCount="100" scheme="https" secure="true"  
    clientAuth="false" sslProtocol="TLS"  
    truststoreFile="D:\devel\usr-dev\jdk_6u21\Java\lib\security\cacerts" />  
    <!-- My CAS URL service = https://localhost:8443/webssotest1/protected/ -->  
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />  
    <Engine name="Catalina" defaultHost="localhost">  
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"  
    <Host name="localhost" appBase="webapps"  
    unpackWARs="true" autoDeploy="true"  
    xmlValidation="false" xmlNamespaceAware="false">  
  2. Generate key pair and export certificate SSL of this Tomcat ( lfry02 ).
  3. Install CAS root certificate ( blcr00 ) as trusted cert into JVM cacert repository of Tomcat ( lfry02 ).
  4. Use this Java webapp ( webssotest1.war ), deploy this webapp into Java Web Server ( lfry02 ).
  5. Test this web application in HTTP and HTTPS mode.

Connect your Java Webapp to CAS

We have created a basic sample of java web application based in JSP ( webssptest1.war ). We recommend that you try to deploy and configure this web application before trying something more complex.

  1. In blcr00 use existing standard model of authentication based on usr/pwd where both are equals. If Liferay has already used this model, this webapp should follow too.
  2. In lfry02 (tomcat web.xml ) configure CAS server, to use this sample file:

    <?xml version="1.0" encoding="UTF-8"?>  
    <web-app id="webssotest1"  
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">  
    WebSSO sample, how to use CAS Java Client 3.x.  
    In this sample exists a public area (/)  
    and a private area (/protected/*).  
    <filter-name>CAS Authentication Filter</filter-name>  
    <filter-name>CAS Validation Filter</filter-name>  
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
    <filter-name>CAS Assertion Thread Local Filter</filter-name>  
    <filter-name>CAS Authentication Filter</filter-name>  
    <filter-name>CAS Validation Filter</filter-name>  
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
    <filter-name>CAS Assertion Thread Local Filter</filter-name>  
    <filter-name>CAS Validation Filter</filter-name>  
  3. Make sure that exists CAS-client java libraries into WEB-INF/lib directory, as follow:

CAS-client java libraries to be included in webssotest1.war CAS-client java libraries to be included in webssotest1.war

  1. Test login and SSO with liferay.

Login to Liferay (lfry01), go to following URL, for example: http://svdapp85:6060/en/group/intix/home
You will be redirected to CAS login form, to entry an user/password valid in CAS-server.

First login (CAS) when trying log into Liferay First login (CAS) when trying log into Liferay

Now, from same opened browser, switch to the CAS-ified webapp. Open following protected URL:
If all is OK, then you can see URL without user/pwd prompted.

Successfully Web-SSO in CAS-ified webapp (webssotest1.war) Successfully Web-SSO in CAS-ified webapp (webssotest1.war)

The same applies if you do log into webssotest1.war first and then go to liferay.
The CAS login form is the first page displayed when trying to login from any application. This form is shared by any web application you want to do Web-SSO. END.