Liferay intregation with CAS and LDAP

Nidhi Singh
Nidhi Singh
A Minute Read

Steps of Configure LDAP Server

www.liferay.com/web/nidhi.singh/blog/-/blogs/liferay-integration-with-ldap

Steps for  SSL Certificate

Open Command Prompt and type given below command

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

Enter keystore password:  changeit

What is your first and last name?

  [Unknown]:  localhost

What is the name of your organizational unit?

  [Unknown]:  Information Systems

What is the name of your organization?

  [Unknown]:  Life

What is the name of your City or Locality?

  [Unknown]:  Bangalore

What is the name of your State or Province?

  [Unknown]:  KA

What is the two-letter country code for this unit?

  [Unknown]:  IN

Is CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN correct?

  [no]:  yes

 

keytool -export -alias tomcat -keypass changeit -file E:\server.crt

Enter keystore password: changeit

Certificate stored in file E:\<server.crt>

 

keytool -import -file E:\server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

Enter keystore password: changeit

Owner: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN

Issuer: CN=localhost, OU=Information Systems, O=Life, L=Bangalore, ST=KA, C=IN

Serial number: 462030d8

Valid from: Fri Apr 13 15:39:36 HST 2010 until: Thu Jul 12 15:39:36 HST 2010

Certificate fingerprints:

MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D 5:98:CB:2E:3B:0A:AD

SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE

Trust this certificate? [no]: yes

Certificate was added to keystore

 
Steps for ApacheTomcat Server

Remove comments from server.xml file for HTTPS request which runs on port no 8443.

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"   keystoreFile="C:/Documents and Settings/nidhi.singh/.keystore"  keystorePass="changeit" truststoreFile="C:/Program Files/Java/jdk1.6.0_18/jre/lib/security/cacerts" />

 Setting up CAS server

1.      Download the CAS Server and find the war file e.g. \cas-server-3.2.1\modules\cas-server-webapp-3.2.1.war

2.      Start the Apache Tomcat server. Deploy the war file (cas-server-webapp-3.2.1.war) to the Tomcat’s webapps folder and rename it. e.g. C:\apache-tomcat-6.0.14\webapps\cas-web

3.      Now that CAS is deployed you should have an unpacked directory in your webapps folder e.g. C:\apache-tomcat-6.0.14\webapps\cas-web

4.      Stop the tomcat server

5.      Add the below lines to the pom.xml file in the META-INF folder (e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\META-INF\maven\org.jasig.cas\cas-server-webapp)

<dependency>

            <groupId>${project.groupId}</groupId>

            <artifactId>cas-server-support-ldap</artifactId>

  <version>${project.version}</version>

</dependency>

6.        Add the following to the  deployerConfigContext.xml file in the WEB-INF directory e.g. C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF (Connects to the default Apache Directory Server configuration)

<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
              <property name="pooled" value="true"/>
              <property name="urls">
                  <list>
                      <value>ldap://localhost:10389</value>
                  </list>
              </property>
              <property name="userName" value="uid=admin,ou=system"/>
              <property name="password" value="secret"/>
              <property name="baseEnvironmentProperties">
                  <map>
                      <entry>
                          <key>
                              <value>java.naming.security.authentication</value>
                          </key>
                          <value>simple</value>
                      </entry>
                  </map>
              </property>
        </bean>


7. Add the corresponding AuthenticationHandler to the deployerConfigContext.xml file (Remove the SimpleAuthenticationHandler) and Add the following in it's place.

  <bean  class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
                                 <property name="filter" value="cn=%u,dc=example,dc=com" />
                                 <property name="contextSource" ref="contextSource" />
   </bean>


 8. Add the cas-server-support-ldap-3.2.1.jar from the CAS installation  \cas-server-3.2.1\modules to the web application library e.g( C:\apache-tomcat-6.0.14\webapps\cas-web\WEB-INF\lib)

9. Start tomcat and log in with the username and password at the url https://localhost:8443/cas-web/login

Setting up Liferay

 1.  Create system-ext.properties (webapps\ROOT\WEB_INF\classes)

  2.  Open system-ext.properties and enter and Save it.

com.liferay.filters.sso.cas.CASFilter=true

 3. Open portal-ext.properties and enter and Save it.

auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin

auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

     4. Login as administrator and go to control panel->settings->Authentication->CAS

   

5.       Check Enable checkbox and Import from LDAP.

6.      Give Login URL:  https://localhost:8443/cas-web/login

7.      Give Logout URL: https://localhost:8443/cas-web/logout

8.      Give Server Name: localhost:8080

9.      Give Service URL:  http://localhost:8080/c/portal/login

10.      Give Validate URL: https://localhost:8443/cas-web/proxyValidate

11.   Save it

 

 

 

 



 

 

Page Comments
joydeep roy
15 Years Ago
nice explanation with proper guided urls.... thanks for such nice piece of information
Please sign in to reply.
Freddi Fischer
15 Years Ago
a little hint for those how want to run LR under a other domain like "dev" or sth.:
make sure your cert is created for this host and the cert is imported to the correct cert store at %JAVA_HOME% and/or the LR JRE store.
Please sign in to reply.
Saravanan V
15 Years Ago
Hi,

Thanks for your blog,
In portal.properties for CAS, below comment is provided,

#
# Set the default values for the required CAS URLs. Set either
# "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows
# deep linking. See LEP-4423.
#

please let me know do we need to specify cas.server.name and cas.servive.url or any one as commented in the property file,

in my case if i provide both the values it didnt work, after CAS authentication page was blank,
if i enter only ther cas.service.url and not cas.server.name in this case Authentication works fine and i am getting the page but here also redirect didnt work.
Please sign in to reply.
coe-jek same
15 Years Ago
thanks for the tutorial, but actually it didn' solve my problem in "single sign out".
I've implemented this single sign on, and it works, but when I sign out from other application which is connected to CAS, the session in liferay didn't invalidate this session_ID, so what's shoul I do.

thanks & regards
Please sign in to reply.
Daljeet Kaur
15 Years Ago
I need urgent help on CAS+Liferay on Linux Centos.

Please help.
Please sign in to reply.
thumbnail
Nidhi Singh Daljeet Kaur
15 Years Ago
Please write your problem so that i can solve
Please sign in to reply.
Daljeet Kaur Nidhi Singh
15 Years Ago
Hi Nidhi
i am trying to integrate CAS+liferay on centOS, i have created signature certificate but the problem is that i am unable to locate jre/lib/security on centOS as it uses OpenJDK.

I tried to integrate CAS+Liferay without doing the above step but it didnot work. Please help!
Thanks for your early response.
Please sign in to reply.
(You) Nidhi Singh
15 Years Ago
Hi
I have located jre. Would contact for further help

Thanks
Please sign in to reply.
Daljeet Kaur
15 Years Ago
Hi,

i am trying to integrate Liferay+CAS. When i click on signin on Liferay portal it opens the Liferay Portal again instead of CAS Login page.

Can anyone please help in solving this issue.

Thanks in advance
Daljeet
Please sign in to reply.
thumbnail
Nidhi Singh Daljeet Kaur
15 Years Ago
Hi,

you did CAS setting in liferay, system-ext.properties file and portal-ext.properties file.

Nidhi
Please sign in to reply.
Daljeet Kaur Nidhi Singh
15 Years Ago
Hi

I am having problem in adding authentication handler in the file deployerConfigContext.xml

When i add the code by replacing simple authentication it gives exception of class not found for FastBindLdapAuthenticationHandler.

Please help out.

Thanks
Please sign in to reply.
thumbnail
Nidhi Singh Daljeet Kaur
15 Years Ago
Hi,

you have added this cas-server-support-ldap-3.2.1.jar

Nidhi
Please sign in to reply.
(You) Nidhi Singh
15 Years Ago
Hi,
yes i have added cas-server-support-ldap-3.2.1.jar

It is giving the following exception

Line 124 in XML document from ServletContext resource [/WEB-INF/deployerConfigContext.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'list' cannot have character [children], because the type's content type is element-only.


Daljeet
Please sign in to reply.
(You)
15 Years Ago
I have also added system-ext.properties file and portal-ext.properties file.

As I am working on Linux please tell how to do settings that you mentioned by visiting control panel.

Thanks
Please sign in to reply.
Daljeet Kaur
15 Years Ago
Hi Nidhi,

When i click on signin on Liferay Portal home page it takes me to url : https://server:8443/c/portal/login?p_l_id=10298

But Internet explorer cannot display page.

Kindly help for the needful

Thanks
DJ
Please sign in to reply.
thumbnail
Ananda Ramana
15 Years Ago
Hi nidhi,
We have some PHP-Mysql based applications running on a different server. I want to sign into liferay and get access to those applications using single sign on. Is it possible?. I have added those URLs as embedded pages into liferay.
Please sign in to reply.
thumbnail
Ed Holderman Ananda Ramana
15 Years Ago
Ananda,
I am sort of new at this, but I believe that if you have CAS-enabled the PHP-Mysql applications so that you can login to them through CAS (without any Liferay involvement) then yes, you should be able to set up an SSO situation between Liferay and your applications. The key point is that _all_ of them must use CAS for login before SSO will work.

Ed
Please sign in to reply.
thumbnail
Ananda Ramana Ed Holderman
15 Years Ago
Hi, Iam not able to get how installing CAS would enable single sign on for an external application. How CAS will talk to my external application? Should i install CAS in my external aplication as well???
Please sign in to reply.
thumbnail
Ed Holderman Ananda Ramana
15 Years Ago
Yes, you would have to integrate CAS into your other applications so that they could all have the same trust relationship with the CAS validation ticket. If you were to use SiteMinder instead of CAS, you would have the same situation where all of the apps would have to be protected by SiteMinder. The other option is to not use SSO at all and use some sort of uid/password storage mechanism in custom portlets that would send the credentials to the external system, but that isn't as flexible.
Please sign in to reply.
thumbnail
Joe Osowski
15 Years Ago
Is it possible to setup Liferay to use CAS without an LDAP server and without creating an autologin hook?

That is, once the user is authenticated, can liferay be configured to complete the user creation by asking the user for the missing profile information?
Please sign in to reply.
thumbnail
Ed Holderman Joe Osowski
15 Years Ago
I have seen information about configuring CAS to use the Liferay database via JDBC instead of the LDAP for a user store so that would solve your first problem: https://wiki.jasig.org/display/CASUM/JDBC. You can extend the functionality of the CAS post-login process to ask the user for the information and store it in the portal DB before sending them back to Liferay (something like this: https://wiki.jasig.org/display/CASUM/Acceptable+Use+interface+for+Login+Webflow). You can also modify Liferay to extend the functionality of it's post-login process: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Customizing+the+default+page+after+login
I've only read about any of these and they all seem fairly involved. -Ed
Please sign in to reply.
thumbnail
Nagendra Kumar Busam
15 Years Ago
That's a very nice post.

Can you let me know is there any way by configuration/any simple means doing following scenario

We have a CAS + Liferay integrated environment, but it looks like that the “concurrent login prevention” does not work in some occasions for Liferay. For example, we have an iframe enclosing the portal menu bar and the page content. User logs in on Browser 1 and the same User logs in on Browser 2. User then navigates on Browser 1 by clicking on the menu bar (some private pages), but he did not get logged out.

Practically i think user's old token should be invalid.

Can you give me suggestion regarding the same
Please sign in to reply.
kiruba garan Nagendra Kumar Busam
15 Years Ago
Can u please help me configuring Liferay 6.0.5 with CAS 3.0.7? CAS is working fine with validating user credentials properly with OpenLDAP. But I am confused with the three entries i.e. Server Name, Server URL, and Service URL on the CAS configuraton screen on liferay and not sure what to provide where. I tried with many combimantions but of no use.

Please guide me!

Thanks!
Kiru
Please sign in to reply.
thumbnail
Apoorva Prakash
15 Years Ago
Hello,
I am working on a web-application, in which I am using Liferay and Pentaho. I wish to use CAS for aunthenticating users. I followed all the steps, and CAS is working fine.
When I am logging in CAS, and then opening the Pentaho portion, i get it signed in, as CAS is login, and when I am logging out from CAS, it as also reflecting in Pentaho, (and vice-versa too). It depicts that Pentaho is sharing the login ticket. But when I am using it with Liferay, it is giving the following problem-
when I am logging in through Liferay Sigh In button, then its opening the CAS page and logs in properly, but when I am logging in CAS first, and then open Liferay, then it is not getting that login ticket. () The same problem is persisting at the time of log out also.

Please give solution...
Thanks in advance !!!
Please sign in to reply.
thumbnail
diego santiviago
15 Years Ago
hi,

when i am logging in through Liferay Sign In button (dock), then its opening the CAS page and logs in properly, but when I am logging in CAS first, and then open Liferay, then it is not getting that login ticket. but if i click in 'sign in' link, liferay acquire the ticket.

how i use autologin, logging in cas first ?
Please sign in to reply.
thumbnail
Ed Holderman diego santiviago
15 Years Ago
Diego,
I think if you are just going to the public home page, there is no need for Liferay to authenticate so it doesn't check the ticket or try to do autologin. Try this: create a private page and make note of the friendly URL. Log out of everything and close browsers, in a new browser log in to CAS, then use your friendly private page URL. You should go through the autologin. - Ed
Please sign in to reply.
kiruba garan Ed Holderman
15 Years Ago
Can u please help me configuring Liferay 6.0.5 with CAS 3.0.7? CAS is working fine with validating user credentials properly with OpenLDAP. But I am confused with the three entries i.e. Server Name, Server URL, and Service URL on the CAS configuraton screen on liferay and not sure what to provide where. I tried with many combimantions but of no use.

Please guide me!

Thanks!
Kiru
Please sign in to reply.
thumbnail
Ed Holderman kiruba garan
15 Years Ago
Kiru,
The best documentation on the use of these settings is in portal-ext.properties and the portal admin guide. If you want people to be able to email or bookmark friendly URLs to pages other than the home page, then you should use combination of server name and server url while leaving the service url blank. This will allow the portal to generate a dynamic service url based on the one the user is trying to access. Here is a summary of portal 5.2.3 settings:
- cas.server.name: This is the server name of the portal that CAS should use when calling back to the CAS client. Set either "cas.server.name" or "cas.service.url". Setting "cas.server.name" allows deep linking. See LEP-4423. ex: portal.acme.com
- cas.server.url: URL address of the CAS server. ex: https://cas.acme.com:8443/cas
- cas.service.url: This parameter replaces the serverName parameter above. It becomes the URL that CAS redirects to after login. If you have one specific point of entry to your web application and you want all logins to proceed through that page, you would specify the full URL of that page here. Either this parameter or the serverName parameter must be set. ex: (don't have example since we don't use this setting)
- cas.validate.url: The URL whereat CAS offers its service ticket or proxy ticket validation service. ex: https://cas.acme.com:8443/cas/proxyValidate
- cas.login.url: The URL whereat CAS offers its Login page. ex: https://cas.acme.com:8443/cas/login
- cas.logout.url: The CAS URL that triggers session invalidation logic. This depends on CAS functionality to redirect the user back to the portal. ex (you may have to alter this depending on your logged out page strategy): https://cas.acme.com:8443/cas/logout?service=http://portal.acme.com/c
Please sign in to reply.
Jordi Torne
15 Years Ago
Simple and straight forward explanation to setting up CAS with Liferay and LDAP.

However, I've tried but I didn't manage to get it working.
I'm stuck on a ClassNotFoundException. The authentication handler is not loaded because the "org/springframework/ldap/NamingException" class is not found.
I've tried both the CAS Server 3.2.1.1 and the CAS 3.4.3.1 with identical results. The spring-ldap-*.jar are in the WEB-INF/lib but for some reason, the Tomcat does not load those jars.

Anyone with the same issue? Thanks in advance for any advice on this.

Jordi
Please sign in to reply.
thumbnail
Ed Holderman Jordi Torne
15 Years Ago
Jordi,
Are you getting the exception from Liferay/CAS Client or the CAS Server? Liferay needs to have a cas-client-core.jar installed in ROOT\WEB-INF\lib with a version that supports the CAS server version since they will be talking to each other. On the CAS server side, I'm building using the maven overlay method detailed in CAS and my pom.xml has an LDAP reference which probably brings in everything needed for the war:
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
Please sign in to reply.
Jordi Torne Ed Holderman
15 Years Ago
Hi Ed,

I finally solved the issue by reinstalling everything from scratch (Liferay, tomcat and CAS from sources). No idea what was the problem. I have another weird issue now ("CAS is Unavailable" with no single line of error on the logs after submitting user/password) but I'm still working on it.

The problem was on the server (at tomcat startup). I haven't reached the point of talking to Liferay yet.

Thanks
Please sign in to reply.
thumbnail
Apoorva PRAKASH
15 Years Ago
Hi All,
The BasicAutoLogin clss is renamed to RememberMeAutoLogin, I hope the following will help you in case you encounter 'java.lang.ClassNotFoundException: com.liferay.portal.security.auth.BasicAutoLogin' exception...
auto.login.hooks=com.liferay.portal.security.auth.RememberMeAutoLogin
auto.login.hooks=com.liferay.portal.security.auth.BRememberMeAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

Thanks and Regards...
Please sign in to reply.
thumbnail
jelmer kuperus
14 Years Ago
As of CAS 3.3.2, you MUST use Spring LDAP's LdapContextSource (org.springframework.ldap.core.support.LdapContextSource) instead of the AuthenticatedLdapContextSource)

https://wiki.jasig.org/display/CASUM/LDAP
Please sign in to reply.
thumbnail
jelmer kuperus
14 Years Ago
If you authenticate based on email address instead of screenname you cannot use the FastBindLdapAuthenticationHandler instead you can use this

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="mail=%u" />
<property name="searchBase" value="dc=example,dc=com" />
<property name="contextSource" ref="contextSource" />
</bean>
Please sign in to reply.
Biresh Choudhury
14 Years Ago
Hi Nidhi,

Thanks for a nice explanation on how to integrate.
I have a little different requirement like integrating liferay 6 with CAS(already available in a web application) without any LDAP.

Since the CAS set up is already available what are the steps I need to take? As of now I am trying out the below things without any result.

1) Added casclient.jar into ROOT\WEB-INF\lib
2) Added auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin
to portal-ext.properties.
3) Enabled the CAS from Administrative's control panel with values as:
(i)Enabled - Check box enabled by default.
(ii)Import from LDAP - Didn't check the check box since no LDAP in my case.
(iii) Login URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/login
(iv) Logout URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web/logout
(v) Server Name - (MACHINE NAME WHERE CAS IS INSTALLED):9080
(vi) Server URL - http://(MACHINE NAME WHERE CAS IS INSTALLED):9080/cas-web
(vii) Service URL - http://localhost:8080/web/guest/reference

I am able to login into the portal page instead of me getting redirected to cas-web page.
Need help on anything I am missing out.
Please sign in to reply.
Duy Linh Nguyen Biresh Choudhury
14 Years Ago
I do step by step but when start Tomcat http://localhost:8443/cas-web/login error. Can you help me ? i want to SSO liferay and Sakai by CAS
Please sign in to reply.
zulfa arifah
13 Years Ago
hello.. i need help. the quest is, if ive allready installed CAS in liferay, used the free one, do i need follow the configuration above?

regards,
iefa
Please sign in to reply.
zulfa arifah
13 Years Ago
additional quest, how i can used the service that i already installed in liferay. for example CAS,?
Please sign in to reply.

Related Assets...

No Results Found

More Blog Entries...