Central Authentication Service

From AlfrescoWiki


This article is a not very good translation of an article found in the French version of this wiki. I do not speak French, so the translation might not be perfect. I didn't find any better documentation than this one about using CAS with Alfresco, so I decided to translate it as well as I could.

Central Authentication Service (from now on CAS) is a system that provides a Single Sign On service.


CASifying Alfresco

This document describes how to modify Alfresco in order for it to work with CAS.

Requirements:

Alfresco uses Acegi for authentication and authorisation. Acegi is supposed to provide ways to authenticate with CAS, but I've not been able to achieve that.

Certificates

Tomcat with SSL

Check this doc: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

JVM and CAS

In order for the CAS client to work, the JVM must know the certificate that the CAS server uses to establish the SSL connection. This is necessary to validate the ticket exchanged between the server and the client. To add the server's certificate, use the JVM's keytool command:

# export the certificate from the CAS Tomcat server's keystore to the file CAS.bin.export
keytool -export -keystore /where/is/the/file.keystore -alias my_alias -storepass serverks -file CAS.bin.export

# import the certificate from the file CAS.bin.export into the truststore of Alfresco's JVM
# (keytool prompts for the truststore password; the default password for cacerts is: changeit)
keytool -import -alias my_alias -file CAS.bin.export -keystore $JAVA_HOME/jre/lib/security/cacerts

Using CAS Client in Alfresco

Download Yale's implementation of the Java client here and place the casclient.jar file in tomcat/shared/lib/.

Modifications of Alfresco

web.xml

The web.xml file lets you define the set of filters that are applied to authentication.

  • Get the example web.xml file
  • Back up the original web.xml
  • Place the file in tomcat/webapps/alfresco/WEB-INF
  • Modify the URLs of the Authentication Filter filter; these URLs should point to your CAS server (and must match the domain name in the certificate)

relogin.jsp

Let's add a redirection (response.sendRedirect) so that logging out sends the browser to the CAS server's logout page. This is a first step towards Single Sign Off.

We need to edit tomcat/webapps/alfresco/jsp/relogin.jsp and add this:

// logout CAS
response.sendRedirect("https://server_cas:8443/cas/logout");

here (around line 38):

...
<%@ page isELIgnored="false" %>

<%
// logout CAS
response.sendRedirect("https://server_cas:8443/cas/logout");
// remove the username cookie value if explicit logout was requested by the user
...

CasAuthenticationFilter.java

The file CasAuthenticationFilter.java is a new filter based on NovellIChainsHTTPRequestAuthenticationFilter.java. We also need to replace Alfresco's BaseServlet class in order to change the value of ARG_TICKET, because ARG_TICKET collides with the "ticket" request parameter that CAS uses. To work around the problem, we change the value of ARG_TICKET. That is a nasty solution: it means recompiling the BaseServlet class by hand for each Alfresco version you use. Is there a better solution?


  • Get these Java files:
  • Place these files in Alfresco's source directory, wherever they belong
  • Compile them
  • Copy the generated .class files into tomcat/webapps/alfresco/WEB-INF/classes/org/alfresco/web/app/servlet


cas-context.xml

Since authentication is now performed by CAS before a request reaches Alfresco, we tell Alfresco to accept everyone. We can achieve this by simply adding a file called cas-context.xml in tomcat/shared/classes/alfresco/extension/ with this content:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- Simple Authentication component that accepts or rejects all authentication requests -->
    <!-- Use this definition for Novell IChain integration.                                  -->
    <!-- It should never go to the login screen, so this is not required                     -->
    
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl">
        <property name="accept">
            <value>true</value>
        </property>    
    </bean>
</beans>
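The accept-all authenticationComponent above means Alfresco itself no longer checks anything: whatever user name the filter asserts is trusted. The filter therefore has to validate the CAS service ticket on every protected path before Alfresco sees the request. The following servlet filter is an added example, not the wiki's CasAuthenticationFilter.java (which is not shown on this page) and not code from the Alfresco or CAS projects; it covers the ticket check that the CasAuthenticationFilter.java and web.xml sections describe. It assumes Yale's casclient.jar from the "Using CAS Client in Alfresco" section (edu.yale.its.tp.cas.client.ServiceTicketValidator) and the CAS server URL https://server_cas:8443/cas used elsewhere on this page. The class name CasTicketCheckFilter, the session attribute name and the three init-param names are hypothetical choices made for this example.

```java
// Added example (hypothetical class, not the wiki's own filter). It runs before
// Alfresco's servlets, validates the CAS service ticket with Yale's casclient.jar
// and only then records the CAS user in the HTTP session.
package org.alfresco.web.app.servlet;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import edu.yale.its.tp.cas.client.ServiceTicketValidator;

public class CasTicketCheckFilter implements Filter {

    /** Session attribute holding the CAS-validated user name (hypothetical name). */
    public static final String CAS_USER_ATTR = "cas.authenticated.user";

    /** CAS returns the service ticket in this request parameter (fixed by the CAS protocol).
     *  This is the parameter that collides with Alfresco's BaseServlet.ARG_TICKET. */
    private static final String CAS_TICKET_PARAM = "ticket";

    private String casLoginUrl;     // e.g. https://server_cas:8443/cas/login
    private String casValidateUrl;  // e.g. https://server_cas:8443/cas/serviceValidate
    private String serviceUrl;      // the Alfresco URL that CAS redirects back to

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param names; set them in the <filter> element of web.xml.
        casLoginUrl = requiredParam(config, "casLoginUrl");
        casValidateUrl = requiredParam(config, "casValidateUrl");
        serviceUrl = requiredParam(config, "serviceUrl");
    }

    private static String requiredParam(FilterConfig config, String name) throws ServletException {
        String value = config.getInitParameter(name);
        if (value == null || value.trim().length() == 0) {
            // Fail at startup rather than silently running without a CAS URL.
            throw new ServletException("Missing init-param '" + name + "' for filter " + config.getFilterName());
        }
        return value.trim();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Already validated by CAS earlier in this session: let the request through.
        if (session.getAttribute(CAS_USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        String ticket = request.getParameter(CAS_TICKET_PARAM);
        if (ticket == null || ticket.length() == 0) {
            // No ticket yet: send the browser to the CAS login page, naming this service.
            response.sendRedirect(casLoginUrl + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8"));
            return;
        }

        // Server-side validation over HTTPS; this is the connection for which the CAS server
        // certificate was imported into the JVM's cacerts. The service must match the login one.
        ServiceTicketValidator validator = new ServiceTicketValidator();
        validator.setCasValidateUrl(casValidateUrl);
        validator.setService(serviceUrl);
        validator.setServiceTicket(ticket);
        try {
            validator.validate();
        } catch (Exception e) {
            // Network or XML parsing failure: fail closed, never let the request through.
            throw new ServletException("CAS ticket validation failed", e);
        }

        if (!validator.isAuthenticationSuccessful()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "CAS rejected the ticket: " + validator.getErrorCode());
            return;
        }

        // Only a CAS-validated name is stored; the accept-all authenticationComponent
        // in cas-context.xml will trust whatever user name is asserted from here on.
        session.setAttribute(CAS_USER_ATTR, validator.getUser());

        // Redirect to the service URL so the "ticket" parameter is dropped from the URL
        // before any Alfresco servlet (BaseServlet.ARG_TICKET) can misread it.
        response.sendRedirect(serviceUrl);
    }

    public void destroy() {
    }
}
```

In web.xml the filter is declared with a `<filter>` element naming this class and the three init-params (casLoginUrl, casValidateUrl, serviceUrl), and mapped with `<filter-mapping>` entries covering every path that must be protected; any path left unmapped is reachable without a CAS ticket because of the accept-all component. The final redirect strips the CAS ticket from the URL reaching Alfresco's servlets, which reduces the ARG_TICKET collision described above but does not replace the wiki's own handling of it, since that depends on which servlets and paths the filter mapping covers. Wiring the validated user name into Alfresco's own session (what the Novell-based filter does) is not shown here.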


External references

Main reference for this article