
trouble with alfresco + cas

sean
Champ in-the-making
hi folks,

i've been tasked with evaluating alfresco for my company.  it seems like a really cool product.  after playing around with the default install for a bit and r'ing tfm's, i've attempted unsuccessfully to get SSO via CAS working.

first i tried to use the acegi hooks in the authentication context file but couldn't seem to get things working via that route.  things were further complicated by the bundled version of acegi being outdated wrt the latest upstream version (and hence the documentation i had was not fully accurate).  furthermore, the latest version has a different namespace (org.acegisecurity instead of under net.sf), with some subtle yet non-backwards-compatible API changes.

i'm now trying to authenticate via CAS directly, by replacing the authentication filter in web.xml.  i've had more success with this route, though not much.  now when i request /alfresco, i'm sent to the cas login page, and after authenticating i'm sent back to alfresco (so far so good), but then alfresco sends me a 302 header sending me back to cas, which thinks there's nothing wrong and 302's me back to alfresco, etc etc.

i saw a similar problem in the forums that was solved by recompiling alfresco with a different name for ARG_TICKET in baseServlet.java, which i've tried without success.

does anyone have an idea of what else could be a problem?  any help would be greatly appreciated!

    sean
32 REPLIES

sean
Champ in-the-making
here are the relevant parts of my web.xml, in case it's helpful:


   <filter>
      <filter-name>Authentication Filter</filter-name>
      <!-- LOCAL CHANGES
      <filter-class>org.alfresco.web.app.servlet.AuthenticationFilter</filter-class>
      -->
      <!-- BEGIN LOCAL CHANGES -->
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
         <param-value>https://myserver:8443/cas/login</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
         <param-value>https://myserver:8443/cas/serviceValidate</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
         <param-value>http://myserver:8090/alfresco</param-value>
      </init-param>
      <!-- END LOCAL CHANGES -->
   </filter>

alarocca
Champ in-the-making
Ciao Sean,

I'm having the same problem you described. Have you found the solution? Best regards, Alessandro


sean
Champ in-the-making
hi alessandro,

no luck, sorry :(  we've currently given up looking further into it and have had to compromise with ldap authentication/synchronization instead.

but i'm not incredibly familiar with the acegi internals, so it's possible there is a way.  all i know is that the method currently documented in the latest version of acegi won't work with code from 0.8 (namespace and other incompatibilities). maybe someone with more experience could comment?  any chance some alfresco people are reading this?


      sean

andy
Champ on-the-rise
Hi

Yes, it is read ….

Moving to acegi 1.0 is one of those tasks that keeps getting put off, but it is on the list. So is getting round to learning about CAS and setting it all up.

It sounds like you are doing the right thing. You probably need to implement your own AuthenticationFilter - see NovellIChainsHTTPRequestAuthenticationFilter for an example. You will not be able to get away with using an out of the box CAS filter as there is some alfresco specific stuff to set up.

Regards

Andy

alarocca
Champ in-the-making
Finally I have alfresco 1.4 and liferay 4.2.1 smoothly authenticating with CAS. To get it, you have to change just a row of the NovellIChainsHTTPRequestAuthenticationFilter class (and rename it if you like as CASAuthenticationFilter):

        String authHdr = (String) req.getSession().getAttribute(CASFilter.CAS_FILTER_USER);

Then you have to properly configure the filter within web.xml as follows:


   <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
         <param-value>https://myserver:8443/cas/login</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
         <param-value>https://myserver:8443/cas/serviceValidate</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
         <param-value>http://myserver/alfresco/faces/jsp/login.jsp</param-value>
      </init-param>
   </filter>

   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.app.servlet.CASAuthenticationFilter</filter-class>
   </filter>

   <filter>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class>
   </filter>
  
   <filter>
      <filter-name>Admin Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.app.servlet.AdminAuthenticationFilter</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
     
   <filter-mapping>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <url-pattern>/webdav/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/admin/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/categories/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/groups/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/users/delete-user.jsp</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/users/users.jsp</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/dialog/system-info.jsp</url-pattern>
   </filter-mapping>

Best regards, Alessandro
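
Added example (not part of the original posts, and not Alfresco or CAS client code): a small checker for the filter setup posted above. It reports any CASFilter URL that is not `https` (the CAS service ticket and the session cookie travel over the service URL) and verifies that the CAS filter's `/*` mapping comes before the filter that reads the CAS user from the session, since url-pattern filter mappings run in document order. The `sample` helper and the finding strings are constructed for illustration, and the web.xml is assumed to have no XML namespace.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PREFIX = "edu.yale.its.tp.cas.client.filter."
CAS_CLASS = PREFIX + "CASFilter"

def sample(service_url, mapping_order):
    """Constructed web.xml fragment modelled on the configuration posted above."""
    params = {"loginUrl": "https://myserver:8443/cas/login",
              "validateUrl": "https://myserver:8443/cas/serviceValidate",
              "serviceUrl": service_url}
    init = "".join(f"<init-param><param-name>{PREFIX}{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>"
                   for k, v in params.items())
    maps = "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                   "<url-pattern>/*</url-pattern></filter-mapping>"
                   for n in mapping_order)
    return ("<web-app><filter><filter-name>CAS Filter</filter-name>"
            f"<filter-class>{CAS_CLASS}</filter-class>{init}</filter>"
            "<filter><filter-name>Authentication Filter</filter-name>"
            "<filter-class>org.alfresco.web.app.servlet.CASAuthenticationFilter"
            f"</filter-class></filter>{maps}</web-app>")

def check_web_xml(text):
    """Return findings about the CAS filter setup in a namespace-free web.xml."""
    root = ET.fromstring(text)
    findings, cas_names = [], set()
    for f in root.iter("filter"):
        if (f.findtext("filter-class") or "").strip() != CAS_CLASS:
            continue
        cas_names.add(f.findtext("filter-name").strip())
        for p in f.iter("init-param"):
            key = p.findtext("param-name").strip().rsplit(".", 1)[-1]
            url = p.findtext("param-value").strip()
            # The service ticket and session cookie travel on these URLs.
            if urlparse(url).scheme != "https":
                findings.append(f"{key} is not https: {url}")
    # Filters mapped by url-pattern run in the order the mappings appear.
    chain = [m.findtext("filter-name").strip()
             for m in root.iter("filter-mapping")
             if (m.findtext("url-pattern") or "").strip() == "/*"]
    cas_pos = [i for i, n in enumerate(chain) if n in cas_names]
    if not cas_pos:
        findings.append("CASFilter is not mapped to /*")
    elif cas_pos[0] != 0:
        findings.append(f"'{chain[0]}' runs before the CAS filter")
    elif len(chain) == 1:
        findings.append("no filter after CASFilter consumes the CAS user")
    return findings
```

Calling `check_web_xml(sample("http://myserver/alfresco/faces/jsp/login.jsp", ["CAS Filter", "Authentication Filter"]))` returns a single finding, for the `http://` serviceUrl; the mapping order in the post passes.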

andy
Champ on-the-rise
Hi Alessandro

Thanks for reporting back your solution!

The intention is to make NovellIChainsHTTPRequestAuthenticationFilter more configurable. One option will be to specify the session attribute in which to find the user id. Does this make CAS integration purely configuration?

Cheers

Andy

alarocca
Champ in-the-making
Yes. It does.

Greetings from Italy


mdbhokie
Champ in-the-making
What version of the CAS client are you using?  Are you using cas-web.war from the Liferay site?  Where did you put the casclient.jar? 

How do you relate alfresco's user with the CAS user?  I'm using liferay.com.1 from the liferay-CAS installation and when I access the Alfresco portlet I still need to login.

alarocca
Champ in-the-making
I don't know exactly which version of the CAS client it is. For Alfresco I'm using the same library bundled with Liferay 4.2.1.

Yes. I'm using the war available from the Liferay site, even if this should not be different from the one available from the CAS site. Probably only the war name (and so the context) changes, and Liferay is already configured to use that name. Anyway, I changed the filename to cas.war before deploying and the settings within web.xml to reflect that change.

In my setup casclient.jar is in tomcat\common\lib\ext.

CAS is configured to authenticate users against LDAP (MS Active Directory). I created an application that retrieves all the users from LDAP and creates an account on Alfresco and Liferay if they haven't.

I don't use the alfresco portlet (IMHO, useless). Anyway, liferay.com.1 is not a valid LDAP user, so it should not be successfully authenticated.

BR, Alessandro
