    Junky's IT Notebook

    Liferay Portal 4.2.1: configuring SSO + CAS

    Configured following the official documentation:

    Introduction
    The following are a set of instructions for integrating Liferay Portal with CAS Server to setup single sign on (SSO) between Liferay and an existing web application.

    Setting up CAS server
    We will begin with setting up JA-SIG CAS server on Tomcat 5.x.x.

    Download the cas-server WAR from Liferay's download page, or the whole distribution from here, and drop the cas-web.war file into Tomcat's webapps dir. In a production environment the CAS server should really run on its own Tomcat instance, but for testing purposes we'll drop it in the same instance as our Liferay portal.

    We'll need to edit the server.xml file in tomcat and uncomment the SSL section to open up port 8443.

    XML code:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />


    Setting up the CAS client
    Next we need to download the Yale CAS client from here. Get cas-client-2.0.11. Place the casclient.jar in ROOT/WEB-INF/lib of the Liferay install.

    Generate the SSL cert with Java keytool
    Now that we have everything we need, it's time to generate an SSL cert for our CAS server. Instructions and more information on SSL certs can be found here (http://www.ja-sig.org/products/cas/downloads/index.html).

    (This is the version I downloaded; 3.0 should also work, but I have not tested it.)

    But I found some typos and errors on that page. So following the instructions below should get you what you need.

    In any directory (I use my root) enter the command:

    keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

    Answer the questions. Note that your first and last name MUST be the hostname of your server and cannot be an IP address; this is very important, as an IP address will fail client hostname verification even if it is correct.

    Enter keystore password:  changeit
    What is your first and last name?
    [Unknown]:  localhost
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
    [no]: yes

    (Note: all of these must be filled in; otherwise it will not go through and the .keystore directory will not be generated. For the file name below, enter any name you like.)

    Then enter the command:

    keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%

    I use server.cert for %FILE_NAME%. This command exports the cert you generated from your personal keystore. (On Windows your personal keystore is in C:\Documents and Settings\\.keystore)

    Finally, import the cert into Java's keystore with this command. Tomcat uses the keystore in your JRE (%JAVA_HOME%/jre/lib/security/cacerts).

    keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

    Startup the CAS server

    Now you are ready to start up your CAS server. Simply start Tomcat and access CAS at https://localhost:8443/cas. You should see the CAS login screen and no errors in your catalina logs.

    Setting up Liferay Portal
    web.xml
    Note: If you are using Liferay 4.2, this filter is already defined. All you have to do is modify the URL parameters, if your CAS server is at a different location.

    It's time to move on to configuring Liferay. In the web.xml file you will need to add a new filter and its mapping directly above the first existing auto login filter mapping. This new filter we just added will redirect all login attempts to the CAS server. If your hostname is different you can modify the init-params accordingly. 
     

    XML code:

    <filter>
       <filter-name>CAS Filter</filter-name>
       <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
       <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
          <param-value>https://localhost:8443/cas-web/login</param-value>
       </init-param>
       <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
          <param-value>https://localhost:8443/cas-web/proxyValidate</param-value>
       </init-param>
       <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
          <param-value>http://localhost:8080/c/portal/login</param-value>
       </init-param>
    </filter>



    If you use a ...serviceUrl param like above, after logging in with CAS, the browser will be redirected back to that serviceUrl. However, you can change it to the following and it will redirect back to the full URL that was originally requested. This allows you to have a deep link (e.g. to a certain layout with parameters for a portlet even) that is preserved through the CAS login process:

    XML code:

    <!-- Goes inside the CAS <filter> element, in place of the serviceUrl init-param -->
       <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
          <param-value>localhost:8080</param-value>
       </init-param>

    <filter-mapping>
       <filter-name>CAS Filter</filter-name>
       <url-pattern>/c/portal/login</url-pattern>
    </filter-mapping>

    Then add the following to the rest of the auto login filters:

    XML code:

    <filter-mapping>
       <filter-name>Auto Login Filter</filter-name>
       <url-pattern>/c/portal/login</url-pattern>
       <dispatcher>FORWARD</dispatcher>
       <dispatcher>INCLUDE</dispatcher>
       <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
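
    A check for the filter settings above, as an added example (not part of the original wiki page or Liferay's code): it parses the CAS Filter init-params out of web.xml and flags CAS URLs that are not https, that use an IP address, or whose host differs from the certificate CN chosen in the keytool step. The helper names, the sample_web_xml builder and the weak variant are constructed for illustration, and serviceUrl/serverName are treated as alternatives, as the page presents them.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "edu.yale.its.tp.cas.client.filter."

def sample_web_xml(**params):
    """Constructed sample: a web.xml holding only the CAS filter from the page."""
    body = "".join(
        f"<init-param><param-name>{PREFIX}{k}</param-name>"
        f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return ("<web-app><filter><filter-name>CAS Filter</filter-name>"
            f"<filter-class>{PREFIX}CASFilter</filter-class>{body}</filter></web-app>")

PAGE_CONFIG = sample_web_xml(  # the values shown on the page
    loginUrl="https://localhost:8443/cas-web/login",
    validateUrl="https://localhost:8443/cas-web/proxyValidate",
    serviceUrl="http://localhost:8080/c/portal/login")
# Constructed weak variant: validation over http to an IP, both service params set.
WEAK_CONFIG = sample_web_xml(
    loginUrl="https://localhost:8443/cas-web/login",
    validateUrl="http://127.0.0.1:8080/cas-web/proxyValidate",
    serviceUrl="http://localhost:8080/c/portal/login", serverName="localhost:8080")

def cas_filter_params(web_xml):
    """Return the CAS filter's init-params as {short_name: value}."""
    for flt in ET.fromstring(web_xml).findall(".//{*}filter"):
        if (flt.findtext("{*}filter-class") or "").strip() == PREFIX + "CASFilter":
            return {p.findtext("{*}param-name").strip()[len(PREFIX):]:
                    p.findtext("{*}param-value").strip()
                    for p in flt.findall("{*}init-param")}
    return {}

def check_cas_filter(web_xml, cert_cn):
    """List settings that would break or weaken the setup the page describes."""
    params, problems = cas_filter_params(web_xml), []
    for name in ("loginUrl", "validateUrl"):
        url = urlsplit(params.get(name, ""))
        if url.scheme != "https":
            problems.append(f"{name}: not https")
        try:
            ipaddress.ip_address(url.hostname or "")
            problems.append(f"{name}: host is an IP address")
        except ValueError:  # not an IP literal, so compare with the cert CN
            if url.hostname != cert_cn.lower():
                problems.append(f"{name}: host does not match cert CN")
    if ("serviceUrl" in params) == ("serverName" in params):
        problems.append("set exactly one of serviceUrl / serverName")
    return problems
```

    Call check_cas_filter with the text of the portal's web.xml and the name entered as "first and last name" when the cert was generated.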



    system-ext.properties
    Note: this is only needed in Liferay 4.2

    Set the com.liferay.filters.sso.cas.CASFilter setting to true.

    (The system-ext.properties file does not exist; create a new \ROOT\WEB-INF\classes\system-ext.properties and put this content in it.)

    Place the following in system-ext.properties:

       #
       # The CAS filter will redirect the user to the CAS login page for SSO. See
       # http://www.ja-sig.org/products/cas for more information.
       #
       com.liferay.filters.sso.cas.CASFilter=true

    (The portal-ext.properties file already exists; just add the content to it.)
    portal-ext.properties
    Put this in portal-ext.properties.

    ##
    ## Auto Login
    ##
    #
    # Input a list of comma delimited class names that implement
    # com.liferay.portal.security.auth.AutoLogin. These classes will run in
    # consecutive order for all unauthenticated users until one of them return a
    # valid user id and password combination. If no valid combination is
    # returned, then the request continues to process normally. If a valid
    # combination is returned, then the portal will automatically login that
    # user with the returned user id and password combination.
    #
    # For example, com.liferay.portal.security.auth.BasicAutoLogin reads from a
    # cookie to automatically log in a user who previously logged in while
    # checking on the "Remember Me" box.
    #
    # This interface allows deployers to easily configure the portal to work
    # with other SSO servers. See com.liferay.portal.security.auth.CASAutoLogin
    # for an example of how to configure the portal with Yale's SSO server.
    #
    #auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin
    auto.login.hooks=com.liferay.portal.security.auth.BasicAutoLogin,com.liferay.portal.security.auth.CASAutoLogin

    Comment the first auto.login.hooks property and uncomment the second to add CASAutoLogin to the list of AutoLogin implementations.

    Startup Liferay and Test
    Start up the portal and, when the homepage loads, hit the login link. If all goes well you should be redirected to the CAS server's login screen. Log in to CAS with liferay.com.1 as your username and liferay.com.1 as your password. You should now be logged into the portal.

    The current auth scheme for CAS is quite simple but in production an auth scheme which taps into an LDAP repository or some other auth service will be required.

    Troubleshooting
    If you created a cert with the %FILE_NAME%, you'll probably run into problems. Here are 2 commands to delete the tomcat alias from the keystore so you can start fresh:

    keytool -delete -alias tomcat -keystore %JAVA_HOME%/jre/lib/security/cacerts
    keytool -delete -alias tomcat

    You may not be able to get https://localhost:8443/cas up and running after the cert key generation. If so, skip the test and try it after you've finished all the steps. If you can't log in at that point, you've probably generated your cert incorrectly.

    I've had problems with certs on IE7; make sure you try it out on Firefox and Opera.

    Lifecast
    CAS Setup - Integrate Liferay Portal with a CAS server to access multiple applications with a single sign on.

    Retrieved from "http://wiki.liferay.com/index.php/Single_SignOn_-_Integrating_Liferay_With_CAS_Server"
    Category: Customization

    Posted on 2007-05-22 13:48 by junky. Category: security
