Web-SSO between Liferay and Alfresco with CAS and Penrose (part 2/2)
2011/02/19
The aim is to set up authentication and web SSO between Liferay and Alfresco using CAS.
In this blog post we explain how to configure Alfresco to enable LDAP authentication and user synchronization, and how to configure the CAS Authentication Filter to do Web-SSO with automatic/transparent login.
First, we will follow this technical design for authentication and SSO.

Authentication and SSO architecture
Requirements
- Virtual Directory Server (Penrose server 2.0) and CAS-server (tested with version 3.3.5): I will use the existing CentOS VirtualBox VM with CAS and Penrose Server pre-configured (Virtual Directory/LDAP), named “directorysrv1”, from the last blog post (Web-SSO between Liferay and Alfresco with CAS and Penrose (part 1/2)), but with a few changes:
A sample DN: uid=480838,ou=Employees,dc=intix,dc=info cn=aamodwroclawski
You can download this new Penrose partition here.

LDAP tree
- Alfresco 3.4c CE: We are using a new WinXP VirtualBox VM with Alfresco and MySQL installed, named “alfr01”.
- Liferay 6.0.5 with LDAP and CAS enabled: We are using a WinXP VirtualBox VM with Liferay 6.0.5 CE installed, named “lfry01”. See the previous post here.
- CAS-client (3.1.10)
I. Enable LDAP Authentication and LDAP users import in Alfresco
This step is not necessary for Web-SSO, but I recommend it because it lets you manage users from the Alfresco Admin Console (Browser/Explorer or Share): edit and delete users, create groups and give permissions.
1. Create the folders “\subsystems\Authentication\ldap\ldap1” under ${ALF_HOME}\tomcat\shared\classes\alfresco\extension
2. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder just created.
3. Modify ldap-authentication.properties to enable LDAP authN and sync. For example, you can use my file (this only works for my LDAP tree, with UID as the RDN and authN by CN; see my LDAP tree):
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
# - this must be a DN and would be something like
# uid=%s,ou=People,dc=company,dc=com
# - digest
# - usually pass through what is entered
# %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
### intix: always search DN by RDN attribute, in my case uid (see ldap tree)
### ldap.authentication.userNameFormat=cn=%s,ou=Employees,dc=intix,dc=info
### intix: this config is better than the one above, because I want to search by CN.
### It is necessary to set ldap.synchronization.personQuery=inetOrgPerson and ldap.synchronization.userIdAttributeName=cn
ldap.authentication.userNameFormat=
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://directorysrv1:10389
# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
### intix: administration user (CN) when ldap authN is enabled.
### The "admin" user is valid when alfrescoNtlm authN is enabled.
ldap.authentication.defaultAdministratorUserNames=aamodwroclawski
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0
# The query to select all objects that represent the groups to import.
### ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
### ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=intix,dc\=info
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=Employees,dc\=intix,dc\=info
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
### ldap.synchronization.userIdAttributeName=uid
### intix: CN is necessary to authN by this attribute when searching LDAP
ldap.synchronization.userIdAttributeName=cn
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
# The group type in LDAP
### ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupType=groupOfUniqueNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
### ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.groupMemberAttributeName=uniqueMember
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
4. Re-start Alfresco.
5. Check LDAP authN and import of users in Alfresco.

Imported users from LDAP tree in Alfresco
II. Configure CAS in Alfresco
We are setting up Alfresco so that anyone who logs into Alfresco is redirected to CAS for authentication.
Through the CAS filter, Alfresco catches every access request and redirects it to the CAS login page.
Once you have successfully authenticated with CAS, you are redirected to the My Alfresco Dashboard; Alfresco then needs to retrieve the session values placed there by the CAS filter.
If you want SSO with automatic redirection into Alfresco Explorer after authenticating in CAS, you should create a CAS Authentication Filter as Aksels Architecture Blog shows here (tested with version 3.4c).
To do this you have to create/modify the Java code (CasAuthenticationFilter.java) that is executed when an Alfresco page is requested.
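The redirect and ticket validation described above, as an added example that is not part of the original post or of the CAS client: it models both sides of the CAS 2.0 exchange using the URLs from the web.xml below. ToyCasServer, the function names and the ticket values are constructed for illustration.

```python
# Added example: the CAS 2.0 exchange behind casServerLoginUrl,
# casServerUrlPrefix and serverName. Ticket values are constructed.
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
CAS_LOGIN_URL = "https://directorysrv1:8443/cas-server-webapp-3.3.5/login"
CAS_URL_PREFIX = "https://directorysrv1:8443/cas-server-webapp-3.3.5"
SERVER_NAME = "http://alfr01:8080"


def login_redirect(path):
    """Browser redirect issued for a request that has no session and no ticket."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": SERVER_NAME + path})


def validation_request(path, ticket):
    """Back-channel HTTPS call that turns the ticket into a user name."""
    query = urlencode({"ticket": ticket, "service": SERVER_NAME + path})
    return CAS_URL_PREFIX + "/serviceValidate?" + query


class ToyCasServer:
    """Stand-in for the CAS side: tickets are single-use and bound to a service."""

    def __init__(self):
        self._tickets = {}

    def issue(self, user, service):
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = (user, service)
        return ticket

    def service_validate(self, ticket, service):
        # The ticket is consumed whether or not validation succeeds.
        user, bound = self._tickets.pop(ticket, (None, None))
        if user is None:
            body = "<cas:authenticationFailure code='INVALID_TICKET'/>"
        elif bound != service:
            body = "<cas:authenticationFailure code='INVALID_SERVICE'/>"
        else:
            body = ("<cas:authenticationSuccess><cas:user>%s</cas:user>"
                    "</cas:authenticationSuccess>" % escape(user))
        return ("<cas:serviceResponse xmlns:cas='%s'>%s</cas:serviceResponse>"
                % (CAS_NS, body))


def parse_validation_response(xml_text):
    """Client side: return the user name or raise; never default to 'logged in'."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in CAS response")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise ValueError("not a CAS 2.0 serviceResponse")
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        raise PermissionError(failure.get("code"))
    user = root.findtext("{%s}authenticationSuccess/{%s}user" % (CAS_NS, CAS_NS))
    if not user or not user.strip():
        raise ValueError("success response without a user")
    return user.strip()


def sso_round_trip(cas, user, login_path, validate_path):
    """Log in for login_path, then validate the ticket as validate_path."""
    ticket = cas.issue(user, SERVER_NAME + login_path)
    xml_text = cas.service_validate(ticket, SERVER_NAME + validate_path)
    return parse_validation_response(xml_text)
```

The service string sent at validation has to equal the one used at login, which is why both CAS filters in web.xml carry the same serverName.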
1. Edit the alfresco web.xml to modify Authentication Filter and to add the CAS filters.
c:\>notepad++ C:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\web.xml
… modify web.xml
[...]
<context-param>
<param-name>rootPath</param-name>
<param-value>/app:company_home</param-value>
</context-param>
<!--filter>
<filter-name>Authentication Filter</filter-name>
<description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
<filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
<init-param>
<param-name>beanName</param-name>
<param-value>AuthenticationFilter</param-value>
</init-param>
</filter-->
<!-- ******* INTIX, Step 1 of 3: Comment above 'Authentication Filter' filter and add a CAS modified filter below -->
<filter>
<filter-name>Authentication Filter</filter-name>
<description>INTIX - Authentication Filter</description>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://alfr01:8080</param-value>
</init-param>
</filter>
<!-- End new CAS filter -->
<filter>
<filter-name>Global Authentication Filter</filter-name>
<description>Authentication filter mapped to all authenticated URLs. Mainly for SSO support</description>
<filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
<init-param>
<param-name>beanName</param-name>
<param-value>GlobalAuthenticationFilter</param-value>
</init-param>
</filter>
[...]
<!-- ******* INTIX, Step 2 of 3: Add all CAS urls -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://alfr01:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<filter-class>info.intix.alfresco.CasAuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/navigate/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/navigate/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/navigate/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/command/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/command/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/command/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/download/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/download/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/download/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/template/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/template/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/template/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/n/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/n/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/n/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/c/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/c/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/c/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/t/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/t/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/t/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/d/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/d/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<url-pattern>/d/*</url-pattern>
</filter-mapping>
<!-- ******* End of CAS urls -->
<filter-mapping>
<filter-name>Global Localization Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
[...]
<filter-mapping>
<filter-name>Global Authentication Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
<!-- ******* INTIX, Step 3 of 3: Comment this out, it is a duplicate -->
<!--filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping-->
<filter-mapping>
<filter-name>WebDAV Authentication Filter</filter-name>
<url-pattern>/webdav/*</url-pattern>
</filter-mapping>
[...]
2. Copy the CAS client jar file into the alfresco webapp lib folder.
c:\>
c:\>copy C:\0share1\cas-client-core-3.1.10.jar C:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\lib\cas-client-core-3.1.10.jar
1 archivos copiados.
c:\>
3. Modify and compile CasAuthenticationFilter.java (http://akselsarchitecture.googlegroups.com/web/CasAuthenticationFilter-Alfresco.java) and copy .jar into the alfresco webapp lib folder.
c:\>
c:\>copy C:\0share1\www.intix.info-casauthnfilter-0.1.jar c:\1bpms-demo\alfr34c_1\tomcat\webapps\alfresco\WEB-INF\lib\www.intix.info-casauthnfilter-0.1.jar
1 archivos copiados.
c:\>
You can download my www.intix.info-casauthnfilter-0.1.jar file from here.
4. Re-start Alfresco.
5. Test CAS configuration.
Try opening an Alfresco page, for example http://alfr01:8080/alfresco, in a browser. You should be redirected to the CAS login page, and when you log in (for example with aamodwroclawski/test) you should be redirected back to the My Alfresco Dashboard.
6. If you get this error (see figure below), it is because you have not installed the CAS root SSL certificate as a trusted certificate in Alfresco (the JRE’s cacerts store). Alfresco 3.4c CE has the JRE’s cacerts store in ${ALF_HOME}/java/jre/lib/sec, so install the certificate there.

CAS server SSL certificate not installed in Alfresco
To solve it, import the CAS server’s public SSL certificate into the cacerts of the JRE where Alfresco is running; in my case Alfresco runs on a WinXP box called “alfr01”.
c:\>keytool -import -alias tomcat -file c:\0share1\directorysrv1_730days.crt -keystore C:\1bpms-demo\alf34c_1\java\jre\lib\sec
y\cacerts
Enter keystore password:
Owner: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
Issuer: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
Serial number: 4d1df9bc
Valid from: Fri Dec 31 16:41:48 GMT+01:00 2010 until: Sun Dec 30 16:41:48 GMT+01:00 2012
Certificate fingerprints:
MD5: 11:4D:72:BB:80:42:EE:F7:4A:CA:E9:EA:F6:4F:86:8D
SHA1: 7F:6B:12:64:31:8B:47:4E:11:33:D7:FE:EF:C6:D4:65:12:59:8D:2E
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
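A check for the web.xml changes from step 1, as an added example that is not part of the original post: it verifies the settings this page relies on (the Cas20 validation filter class, https CAS URLs, one serverName for both CAS filters, and the three CAS filters mapped in the page's order for each URL pattern). The function names and the trimmed sample web.xml are constructed for illustration.

```python
# Added example: lint the CAS section of a web.xml against this page's setup.
import xml.etree.ElementTree as ET

CHAIN = ["Authentication Filter", "CAS Validation Filter",
         "Alfresco CAS Authentication Filter"]
CAS20 = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"


def declared_filters(root):
    """Map filter-name -> (filter-class, {param-name: param-value})."""
    out = {}
    for f in root.findall("filter"):
        params = {p.findtext("param-name", "").strip():
                  p.findtext("param-value", "").strip()
                  for p in f.findall("init-param")}
        out[f.findtext("filter-name", "").strip()] = (
            f.findtext("filter-class", "").strip(), params)
    return out


def lint_cas_webxml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # commented-out filters are dropped by the parser
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # ignore a web-app namespace if present
    filters = declared_filters(root)
    findings = ["filter not declared: " + n for n in CHAIN if n not in filters]
    if findings:
        return findings
    auth_params = filters[CHAIN[0]][1]
    val_class, val_params = filters[CHAIN[1]]
    if val_class != CAS20:
        findings.append("validation filter class is " + val_class)
    for name, url in (("casServerLoginUrl", auth_params.get("casServerLoginUrl", "")),
                      ("casServerUrlPrefix", val_params.get("casServerUrlPrefix", ""))):
        if not url.startswith("https://"):
            findings.append(name + " is not an https URL")
    if auth_params.get("serverName") != val_params.get("serverName"):
        findings.append("serverName differs between the two CAS filters")
    per_pattern = {}  # url-pattern -> CAS filter names in mapping order
    for m in root.findall("filter-mapping"):
        name = m.findtext("filter-name", "").strip()
        if name in CHAIN:
            per_pattern.setdefault(m.findtext("url-pattern", "").strip(), []).append(name)
    for pattern, names in per_pattern.items():
        if names != CHAIN:
            findings.append("%s: chain is %s" % (pattern, " > ".join(names)))
    return findings


# Constructed sample: the page's filters, trimmed to a single URL pattern.
GOOD_WEBXML = """<web-app>
<!--filter><filter-name>Authentication Filter</filter-name>
<filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class></filter-->
<filter><filter-name>Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param><param-name>casServerLoginUrl</param-name>
<param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5/login</param-value></init-param>
<init-param><param-name>serverName</param-name><param-value>http://alfr01:8080</param-value></init-param>
</filter>
<filter><filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param><param-name>casServerUrlPrefix</param-name>
<param-value>https://directorysrv1:8443/cas-server-webapp-3.3.5</param-value></init-param>
<init-param><param-name>serverName</param-name><param-value>http://alfr01:8080</param-value></init-param>
</filter>
<filter><filter-name>Alfresco CAS Authentication Filter</filter-name>
<filter-class>info.intix.alfresco.CasAuthenticationFilter</filter-class></filter>
<filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/faces/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/faces/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>Alfresco CAS Authentication Filter</filter-name><url-pattern>/faces/*</url-pattern></filter-mapping>
</web-app>"""
```

Run it against the deployed file with lint_cas_webxml(open(path, encoding="utf-8").read()); a leftover duplicate mapping such as the one commented out in step 3 of 3 shows up as a chain finding.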
III. Tuning Authentication in Alfresco
At this point we have configured Alfresco and CAS, and user management can be done by synchronizing or importing the users stored in the LDAP tree.
We can manage users, groups and roles via the Alfresco LDAP subsystem and do authentication/SSO via the EXTERNAL subsystem. To do this, we must modify the file alfresco-global.properties.
[...]
### authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
authentication.chain=external1:external,ldap1:ldap
IV. Test Web Single Sign On between Liferay 6.0.5 CE and Alfresco 3.4.c CE
Open a browser at http://alfr01:8080/alfresco; you are redirected to the CAS login page. Enter aamodwroclawski/test, and you should be redirected to the Alfresco My Dashboard page (authenticated).
At this point you should see Logout (aamodwroclawski) at the top right of the Alfresco page, indicating that you have successfully logged in.

User properly authenticated in Alfresco
Then open another browser at http://lfry01:8080/intixportal/user/aamodwroclawski; you are redirected to the private, authenticated Liferay page for the user “aamodwroclawski”.

The same user authenticated and with SSO in Liferay
In the other direction (Liferay to Alfresco) it works too.
V. Conclusions
1. Authentication and user sync in Alfresco 3.4c work with the LDAP authentication subsystem.
2. SSO with CAS in Alfresco 3.4c works by enabling the EXTERNAL authentication subsystem.
3. There is an issue when importing users from the LDAP tree into Liferay: the passwords are created with a random value and not with “test”.
END
References:
1. CAS in Alfresco
http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration
2. CAS SSO for Alfresco 3.3 and Share
http://akselsarchitecture.blogspot.com/2010/09/cas-sso-for-alfresco-33-and-share.html

2011/02/21 at 5:30 PM
Thank you very much for your post.
2011/02/21 at 8:58 PM
You are welcome.
2011/02/28 at 4:21 PM
Hi,
I tried this and it almost works.
Liferay displays the CAS-Login Page.
Alfresco displays the CAS-Login Page.
If I log in, the SSO mechanism seems not to work; CAS creates two different tickets for the same credentials.
Any ideas?
2011/03/17 at 6:54 AM
Has anyone successfully tried integrating CAS with Alfresco Share for Alfresco version 3.4.c?
2011/04/08 at 12:09 PM
In order to add Single Sign Off capabilities you also have to redirect to the CAS Server’s logout page when leaving Alfresco.
You must edit tomcat/webapps/alfresco/jsp/relogin.jsp and add (around line 38)
// logout CAS
response.sendRedirect("https://server_cas:8443/cas/logout");
Just before the line :
// remove the username cookie value if explicit logout was requested by the user
Thanks for your post, it’s really useful
2011/04/08 at 5:11 PM
Thank you very much for your contribution.
2011/04/26 at 8:42 AM
Hi! I used your code. When I log out, the page turns to https://server_cas:8443/cas/logout and all seems OK, but when I open Alfresco again, it is already logged in.
Any ideas?
Thanks!!
2011/04/26 at 5:18 PM
Single sign-on works with Liferay / Alfresco, but single sign-off does not.
If you want this to work, then follow the steps that Sebastien Kollen (skollen) shows us (see the thread in this post).
Try it and then tell me if that worked.
Regards.
2011/04/14 at 4:22 PM
Hello everyone,
I’m trying to integrate CAS authentication into Alfresco, and I’ve followed what you said.
Redirection to the CAS server works well, but I have an issue with the certificate: after I get logged into the CAS server, it redirects me to the Alfresco install, but I get this exception:
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
… 30 more
I think this is due to my certificate CN field.
Both CAS server and Alfresco are on the same machine,
My CN field contains the local IP address of the server,
and in my web.xml, I’ve put the same in the casServerUrlPrefix and serverName fields.
Does anyone have an idea?
Thanks
2011/04/14 at 9:23 PM
Yes, it is an issue with the X.509 SSL server certificate. It seems your certificate was created without the required attributes (no subject alternative names); try creating a new cert with the hostname (not the IP) in the CN field. Also make sure to install the root cert as trusted in the cert store (cacerts) of your JVM.
2011/04/14 at 9:56 PM
Thank you for your answer Roger,
So I’ve tried to make a new cert, with my hostname (testmachine) as the CN. I generated a cert file and imported it into Alfresco’s JVM. Well.
In my web.xml, I did exactly like you, with those fields :
for information :
http://testmachine:8081/alfresco -> is the alfresco install
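https://testmachine:8443/cas/login -> is my CAS (which works well with other applications)
<filter>
<filter-name>Authentication Filter</filter-name>
<description>INTIX - Authentication Filter</description>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://testmachine:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://testmachine:8081</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://testmachine:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://testmachine:8081</param-value>
</init-param>
</filter>
<filter>
<filter-name>Alfresco CAS Authentication Filter</filter-name>
<filter-class>info.intix.alfresco.CasAuthenticationFilter</filter-class>
</filter>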
I’ve also commented others authentication filters like you did.
(I have 2 installations of Tomcat, one for my CAS server and one for Alfresco)
As a result, Alfresco redirects me to the CAS server properly. I authenticate correctly to the CAS server with the account “m.tyc”, which I’ve also added in Alfresco. And Alfresco gives me another exception, which I can’t resolve for the moment:
java.lang.NullPointerException
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.isSystemUserName(AbstractAuthenticationComponent.java:353)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:195)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:190)
at info.intix.alfresco.CasAuthenticationFilter.setAuthenticatedUser(CasAuthenticationFilter.java:163)
at info.intix.alfresco.CasAuthenticationFilter.doFilter(CasAuthenticationFilter.java:137)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
……………
Thank you again for your answer, and I hope you can help me
Maximilien
2011/04/15 at 8:42 AM
Please, let me try that again. I’ll give details on that afterwards. Regards.
2011/04/15 at 3:22 PM
OK thanks Roger, I’m waiting for news from you
Maximilien
2011/04/18 at 10:01 PM
Hi Maximilien,
You have a mistake in the web.xml configuration, in the “CAS Validation Filter” section.
You have “org.jasig.cas.client.validation.Cas10TicketValidationFilter” and should be “org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter”.
Try again and then tell me if that worked.
Regards.
2011/04/26 at 3:29 AM
Hi! Thanks for your blog. I did it as you said and signed in successfully, but I have a problem: when I sign in to Liferay and open Alfresco, I need to sign in again. The reverse is also true!
I do not know why. Do you have any ideas?
Thanks
2011/04/26 at 7:57 AM
Hi! I did as your blog says, but when I log in to Liferay and open Alfresco, I need to log in again. I do not know why. Do you have any ideas?
Thanks!!
2011/12/12 at 11:19 AM
Hi,
I followed this article for CAS integration on Alfresco. My Open-LDAP server is already integrated with CAS as well as Alfresco. I configured Alfresco and CAS on different servers.
For information:
http://192.168.1.132:8080/alfresco -> is the alfresco url
https://192.168.1.135:8443/casuid/login -> is my CAS
When I use the Alfresco URL it redirects to the CAS login page; after successful LDAP authentication, I get errors in Alfresco:
“java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
caused by:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
caused by:
java.security.cert.CertificateException: No subject alternative names present”
I read that Mr. Maximilien Tyc had the same issue. When installing the certificate I used “cas” as the CN name, because my CAS server uses the hostname “cas” and Alfresco uses the hostname “alfresco”; after that I imported that certificate file into Alfresco …
Does anyone have an idea about this?
With regards
2012/02/24 at 8:02 AM
It was my mistake: when creating the self-signed certificate I had not given the first & last name properly.
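The “No subject alternative names present” error reported twice in the comments above comes from the IP-address branch of the JDK hostname check visible in the first stack trace (HostnameChecker.matchIP). The following is an added example, not code from the post, the JDK or the CAS client: a simplified model of that check (no wildcard handling) applied to the host part of casServerUrlPrefix. The function names and the result strings other than the quoted exception message are constructed.

```python
# Added example: simplified model of the host check applied to the CAS URL.
import ipaddress
from urllib.parse import urlsplit

NO_SAN = "No subject alternative names present"  # message quoted in the comments


def is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def verify_host(host, cn, san_dns=(), san_ip=()):
    """Return "ok" or the reason the certificate does not identify host."""
    if is_ip_literal(host):
        # IP literal: only iPAddress SAN entries count; the CN is never consulted.
        if not san_dns and not san_ip:
            return NO_SAN
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == wanted for ip in san_ip):
            return "ok"
        return "no iPAddress SAN matches " + host
    if san_dns:
        # DNS name with dNSName SANs present: the CN is ignored.
        if any(host.lower() == name.lower() for name in san_dns):
            return "ok"
        return "no dNSName SAN matches " + host
    # DNS name and no dNSName SAN: fall back to the subject CN.
    if cn and host.lower() == cn.lower():
        return "ok"
    return "CN does not match " + host


def check_cas_url(cas_url, cn, san_dns=(), san_ip=()):
    """Check the host of casServerUrlPrefix / casServerLoginUrl against a cert."""
    return verify_host(urlsplit(cas_url).hostname, cn, san_dns, san_ip)
```

With a self-signed certificate that carries only a CN, the CAS URLs in web.xml therefore have to use that hostname rather than an IP address, as in the post's https://directorysrv1:8443 with CN=directorysrv1.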