Re: CAS authentication / authorization: msg#00033 jetspeed-dev-portals.apache.org

Hi again,

thnx for the response. I use jetspeed 2.2 but I do not want to talk directly to the LDAP.
I am introducing a filter based on PortalFilter (see attached CASPortalFilter.java implementation in order to: (http://u-portal.gunet.gr:8080/uportal3/)
- get the username of authenticated user -> done
- if username does not appear in portal db -> create new user with username and assign default group/roles (in future I plan to introduce a mapping mechanism)
- put principal in portal context

Problems till now:
- exception (see attached exception.txt) Any help ??
- As the CAS filter has a url-pattern="/*" (see web.xml) how can a user see public pages without being redirected to CAS

Any help would be appreciated.

BR,
Vangelis

David Sean Taylor wrote:

On Jul 19, 2009, at 8:47 AM, Evangelos Vlachogiannis wrote:

Hi list,

I would like to ask if anybody has integrated CAS (Central Authentication Service - http://www.jasig.org/cas) with Jetspeed-2.

I don't have any experience with CAS but I have integrated similar solutions such as Shibboleth.

Here is my problem situation:

CAS sits"in front" of an LDAP server of my university that I do not have "write" permissions. The meta I use from ldap is the credentials and some information of users' role in university (like student, instructor e.t.c.). What I need to do is to login in jetspeed portal from jetspeed login form and through CAS to validate authentication for all services under jetspeed. However, as I cannot store anything in ldap I need somehow to initialize an existing user stored in ldap in jetspeed database. An idea is to do that on first login by introducing some mapping rules (any help how to do that?). Another problem which I cannot overcome using CAS java clients filters is how to allow public access, as the filter will always asks for authentication under /portal/.

We do have a LDAP replication solution in 2.2. What version of Jetspeed are you using?

Any ideas, help more than welcome,

It would be a valuable contribution to have CAS support or at least documentation in Jetspeed at some level.

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, e-mail: jetspeed-dev-help@xxxxxxxxxxxxxxxxxx

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from
fulfilling this request.

exception

java.lang.NullPointerException

org.apache.jetspeed.security.spi.impl.JetspeedSecurityPersistenceManager.getPasswordCredential(JetspeedSecurityPersistenceManager.java:495)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)

org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)

org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)

org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)

org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
$Proxy3.getPasswordCredential(Unknown Source)

org.apache.jetspeed.security.spi.impl.UserPasswordCredentialManagerImpl.getPasswordCredential(UserPasswordCredentialManagerImpl.java:51)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)

org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)

org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)

org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)

org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
$Proxy5.getPasswordCredential(Unknown Source)

org.apache.jetspeed.security.impl.UserManagerImpl.getPasswordCredential(UserManagerImpl.java:119)

org.apache.jetspeed.security.impl.UserManagerImpl.getSubject(UserManagerImpl.java:128)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)

org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)

org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)

org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)

org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)

org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
$Proxy6.getSubject(Unknown Source)
gr.uportal.filter.CASPortalFilter.doFilter(CASPortalFilter.java:131)

org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter.doFilter(XXSUrlAttackFilter.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:401)

note The full stack trace of the root cause is available in the Apache
Tomcat/6.0.18 logs.
Apache Tomcat/6.0.18 /*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package gr.uportal.filter;

import java.io.IOException;
import java.security.Principal;
import java.util.List;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.jetspeed.Jetspeed;
import org.apache.jetspeed.PortalReservedParameters;
import org.apache.jetspeed.administration.PortalAdministration;
import org.apache.jetspeed.administration.PortalAuthenticationConfiguration;
import org.apache.jetspeed.administration.PortalConfiguration;
import org.apache.jetspeed.administration.RegistrationException;
import org.apache.jetspeed.audit.AuditActivity;
import org.apache.jetspeed.cache.UserContentCacheManager;
import org.apache.jetspeed.components.ComponentManager;
import org.apache.jetspeed.login.LoginConstants;
import org.apache.jetspeed.login.filter.PortalRequestWrapper;
import org.apache.jetspeed.security.AuthenticatedUser;
import org.apache.jetspeed.security.AuthenticatedUserImpl;
import org.apache.jetspeed.security.AuthenticationProvider;
import org.apache.jetspeed.security.SecurityException;
import org.apache.jetspeed.security.SubjectHelper;
import org.apache.jetspeed.security.User;
import org.apache.jetspeed.security.UserManager;

import org.apache.jetspeed.security.RoleManager;
import org.apache.jetspeed.security.GroupManager;

import edu.yale.its.tp.cas.client.filter.CASFilter;

public class CASPortalFilter implements Filter {
protected String guest = "guest";

public void init(FilterConfig filterConfig) throws ServletException {
PortalConfiguration config = Jetspeed.getConfiguration();
if (config != null)
guest = config.getString("default.user.principal");
}

public void doFilter(ServletRequest sRequest, ServletResponse sResponse,
FilterChain filterChain) throws IOException,
ServletException {

HttpServletRequest request = null;
System.out.println("gr.uportal.filter");
request = (HttpServletRequest) sRequest;
ComponentManager cm = Jetspeed.getComponentManager();
UserManager userManager = (UserManager) cm

.getComponent("org.apache.jetspeed.security.UserManager");
HttpSession session = request.getSession(true);

// get username from CAS authentication
String userName = (String) session
.getAttribute(CASFilter.CAS_FILTER_USER);
System.out.println("user: " + userName);
User user = null;
// if user has been authenticated though CAS
if (userName == null) {

RoleManager roleManager = (RoleManager) cm

.getComponent("org.apache.jetspeed.security.RoleManager");
GroupManager groupManager = (GroupManager) cm

.getComponent("org.apache.jetspeed.security.GroupManager");

try {
// check if the user exists in the portal
database
user = userManager.getUser(userName);
} catch (SecurityException e) {
// TODO Auto-generated catch block
System.out.println("user: " + userName + " not
in portal db");
PortalAdministration portalAdministration =
(PortalAdministration) cm

.getComponent("PortalAdministration");
try {
// populate portal db with user and
appropriate group/roles
// FIXME: set default group/role ->
then introduce mapping
// mechanism
List roles =
roleManager.getRoles("user");
List groups =
groupManager.getGroups("");
//
portalAdministration.registerUser(userName,
//
portalAdministration.generatePassword(),roles,
// groups,null,null,null);

portalAdministration.registerUser(userName,

portalAdministration.generatePassword());
user = userManager.getUser(userName);

} catch (RegistrationException e1) {
// TODO Auto-generated catch block
System.out.println("user: " + userName
+ " not created");
} catch (SecurityException e1) {
// TODO Auto-generated catch block
System.out.println("user: " + userName
+ " not created");
}
}

// if user has not been authenticated though CAS
//FIXME: How do allow
} else {
//guest account
}

//put subject into jetspeed

Subject subject;
try {
// default solution using the build-in UserManager
subject = userManager.getSubject(user);
} catch (SecurityException e) {
// TODO: maybe some better handling required here
throw new ServletException(e);
}
sRequest = wrapperRequest(request, subject, user);
request.getSession().removeAttribute(LoginConstants.ERRORCODE);

session.setAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT,
subject);
System.out.println("*** login session = " + session);

sRequest.setAttribute(PortalReservedParameters.PORTAL_FILTER_ATTRIBUTE,
"true");
if (filterChain != null) {
filterChain.doFilter(sRequest, sResponse);
}

}

private ServletRequest wrapperRequest(HttpServletRequest request,
Subject subject, Principal principal) {
PortalRequestWrapper wrapper = new PortalRequestWrapper(request,
subject, principal);
return wrapper;
}

public void destroy() {
}
}

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, e-mail: jetspeed-dev-help@xxxxxxxxxxxxxxxxxx