How to bring back CAS integration to Liferay 7.4

Since version 7.4, Liferay decided to archive the CAS support and remove it from the portal features. Instead, they advise using more modern protocols like SAML or OpenID.
It sounds like a good strategy, but not all companies might be ready for that yet, and it would really be a shame to block Liferay's upgrade until the infrastructure/security team introduces SAML. Therefore I prepared a short tutorial about how to bring the CAS integration back.
 

TL/DR

  • Code repository with a Liferay Workspace project including the three integration modules
  • Three binaries ready to be deployed to LIFERAY_HOME/deploy folder in order to make the CAS in Liferay great again!

How it's made?

Fortunately, the integration code has been "archived" and not completely removed from Liferay. That is a new term for sources that have been moved from their original location to liferay-portal/modules/apps/archived/ and are not part of the product anymore (there are quite a lot of them already, a great place for a future Liferay archeologist to excavate some remnants of ancient releases).
That made the entire task pretty easy:
 

Create a new Liferay workspace with BLADE

blade init -v portal-7.4-ga24 -f liferay74-cas-integration/

Copy the required modules to the workspace's modules/ folder

  • portal-security-sso-cas-api
  • portal-security-sso-cas-impl
  • portal-security-sso-cas-settings-authentication-web

Update module dependencies

The original dependencies from build.gradle were crafted for the main Liferay source repository, so they need to be adapted to the Liferay workspace format. Fortunately, most of them could have been replaced by a single dependency to release.portal.api what can be seen in this commit .

In order to compile and build the project, we also need to remove the CASCompanySettingsVerifyProcess which references some resources from portal-impl  , and most likely was used for the migration purposes. We don't need to migrate anything (we just want to have CAS working!), so we don't need the class.

At this point, the workspace should compile and build with no errors, but the modules are not ready to be deployed yet.


Final adjustments for the OSGi

  • Exclude the org.slf4j.impl Import-Package so the OSGi container won't complain about missing the slf4j logger implementation and handles the ClassNotFoundException by using defaulting to a no-operation (NOP) logger.
  • Remove a weird -liferay-aggregate-resource-bundles directive from bnd.bnd of the Configuration module, which caused deployment issues. I guess it is some black magic available only to the main Liferay source. Integration works well without it.

Upgrade the CAS client

As of this very moment, we're in full control of the entire CAS integration, apart from copying and pasting Liferay code, we can also make an improvement! The original integration used an old cas-client-core , so the most obvious task was to upgrade it. Luckily it turned out to be really easy and thanks to the compileInclude directive, required only updating the version number in build.grade  in the implementation module.

That's it! Feel free to contribute to the repo if you find any issues or come up with more great improvements.
Blogs

Note for dxp-7.4-u51 :

We need to remove CASCompanyServiceConfigurationBeanDeclaration.java

For the bnd.bnd of portal-security-sso-cas-impl :

Bundle-Name: Liferay Portal Security SSO CAS Implementation Bundle-SymbolicName: com.liferay.portal.security.sso.cas.impl Bundle-Version: 4.0.12 Include-Resource: \     @cas-client-core-3.6.4.jar, \     @bcpkix-jdk15on-1.70.jar, \     @bcprov-jdk15on-1.70.jar, \     @bcutil-jdk15on-1.70.jar -fixupmessages: Classes found in the wrong directory: ...;is:=ignore

And build.gradle of the same bundle make the dependencies on compile:

    compile group: "org.bouncycastle", name: "bcpkix-jdk15on"     compile group: "org.bouncycastle", name: "bcprov-jdk15on"     compile group: "org.bouncycastle", name: "bcutil-jdk15on"     compile group: "org.jasig.cas.client", name: "cas-client-core"

 

 

we implemented and working fine but here we need to use the /c/portal/login then only it's working, but as per my requirement we don't want to use the /c/portal/login for that we changed it in CASFilter url-pattern to /* then it's working fine, but when we use the remote service call from postman it's redirecting CAS login page.

if we select Basic Auth and provided liferay credentials no use and also we tried CAS credentials always it's redirecting to CAS login page.

is there a way to remote call services?

can i use it in 7.3.6 g7 ?

If I'm not mistaken, CAS is only deprecated in 7.3, not (yet) removed. So there's nothing to do for you to use it in 7.3. Though (IMHO) you should consider to upgrade to 7.4, to benefit of bugfixes (potentially security-related) and newer features.