Install CAS and Test
- Install CAS by copying its modules/cas.war to $CATALINA_HOME/webapps.
- Navigate to http://localhost:8080/cas and log in with admin/admin.
- Configure Roller to talk to CAS by making the following modifications to security.xml:
- In the filterChainProxy bean definition, replace "authenticationProcessingFilter,rememberMeProcessingFilter" with "casProcessingFilter".
- In the authenticationManager bean, comment out the "ldapAuthProvider" and add <ref local="casAuthenticationProvider"/>.
- Change the exceptionTranslationFilter to use "casProcessingFilterEntryPoint" for its "authenticationEntryPoint".
- Add the following bean definitions for Acegi-CAS integration:
```xml
<!-- ======================== CENTRAL AUTHENTICATION SERVICE (CAS) ======================= -->
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/roller-ui/login.rol?error=true"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/roller_j_security_check"/>
</bean>

<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="https://localhost:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
</bean>

<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
    <property name="casAuthoritiesPopulator">
        <bean class="org.roller.ui.security.cas.RollerCasPopulator">
            <property name="userDetailsService" ref="jdbcAuthenticationDao"/>
        </bean>
    </property>
    <property name="casProxyDecider" ref="casProxyDecider"/>
    <property name="ticketValidator" ref="casProxyTicketValidator"/>
    <property name="statelessTicketCache" ref="statelessTicketCache"/>
    <property name="key" value="my_password_for_this_auth_provider_only"/>
</bean>

<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
    <property name="casValidate" value="https://localhost:8443/cas/proxyValidate"/>
    <property name="proxyCallbackUrl" value="http://localhost:8080/roller/casProxy/receptor"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="trustStore" value="/Library/Java/Home/lib/security/cacerts"/>
</bean>

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="ticketCache"/>
</bean>

<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
    <property name="cache" ref="ticketCacheBackend"/>
</bean>

<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
    <property name="service" value="http://localhost:8080/roller/roller_j_security_check"/>
    <property name="sendRenew" value="false"/>
</bean>
```
- Download roller-cas.jar and copy it to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
- Copy casclient.jar from the cas-client-java-2.1.1/dist directory to $CATALINA_HOME/webapps/roller/WEB-INF/lib.
- Modify $CATALINA_HOME/conf/server.xml to enable https support. Below is an example.
```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/Users/mraible/.keystore" keystorePass="changeit"
           truststoreFile="/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts"/>
```
- Use the CAS SSL Guide to generate, export and import a certificate.
- At this point, you should be able to start Tomcat and log in to your blog. The login page should come from CAS rather than Roller, and admin/admin should log you in successfully.
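To show what the casProxyTicketValidator and RejectProxyTickets beans above decide at runtime, here is an added Python example (not Roller's or Acegi's code) that builds the proxyValidate URL from the page's values and interprets CAS 2.0 validation responses; the three sample responses and the proxy URL in them are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Values taken from the serviceProperties / casProxyTicketValidator beans above.
CAS_VALIDATE = "https://localhost:8443/cas/proxyValidate"
SERVICE = "http://localhost:8080/roller/roller_j_security_check"
PROXY_CALLBACK = "http://localhost:8080/roller/casProxy/receptor"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses, not captured from a real CAS server.
RESPONSE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
RESPONSE_PROXIED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user>
    <cas:proxies><cas:proxy>https://other-app.example/receptor</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
RESPONSE_BAD = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(ticket):
    """Validation URL for a service ticket. 'service' must be the same value
    Roller sent to /cas/login, otherwise CAS answers INVALID_SERVICE."""
    query = urlencode({"ticket": ticket, "service": SERVICE, "pgtUrl": PROXY_CALLBACK})
    return f"{CAS_VALIDATE}?{query}"


def validate_response(xml_text, reject_proxy_tickets=True):
    """Interpret a CAS 2.0 serviceResponse; returns (accepted, username_or_reason).
    reject_proxy_tickets=True mirrors the RejectProxyTickets casProxyDecider: a
    ticket obtained through a proxy chain is refused even on authenticationSuccess."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
        return False, code
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        return False, "NO_USER"
    if reject_proxy_tickets and success.findall("cas:proxies/cas:proxy", CAS_NS):
        return False, "PROXY_TICKET_REJECTED"
    return True, user
```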
Integrate CAS with Roller's Database
By default CAS ships with a SimpleTestUsernamePasswordAuthenticationHandler that has a hard-coded username and password. To change this to authenticate against Roller's database, complete the following steps:
- Edit $CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml in your favorite XML editor.
- Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:
```xml
<bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
    <property name="tableUsers" value="rolleruser"/>
    <property name="fieldUser" value="username"/>
    <property name="fieldPassword" value="passphrase"/>
    <property name="dataSource" ref="dataSource"/>
</bean>
```
- At the very end of the file (before the ending </beans> element), add a "dataSource" bean definition:
```xml
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
    <property name="url" value="jdbc:mysql://localhost:3306/rollerdb"/>
    <property name="username" value="root"/>
    <property name="password" value=""/>
    <property name="maxActive" value="100"/>
    <property name="maxWait" value="1000"/>
    <property name="poolPreparedStatements" value="true"/>
    <property name="defaultAutoCommit" value="true"/>
</bean>
```
- Download the following JARs and put them into $CATALINA_HOME/webapps/cas/WEB-INF/lib.
- Copy cas-server-support-jdbc-3.1.jar from $CAS_DOWNLOAD/modules to $CATALINA_HOME/webapps/cas/WEB-INF/lib.
- Modify the "admin" user's row in the "rollerdb" database so its password is stored in plain text: the handler above compares the submitted password directly against the "passphrase" column, so Roller's hashed value would never match.
- Start Tomcat. You should be able to log in with the password you set in the previous step.
Integrate CAS with Apache Directory Server
By default CAS ships with a SimpleTestUsernamePasswordAuthenticationHandler that has a hard-coded username and password. To change this to authenticate against your previously installed Apache Directory Server, complete the following steps:
- Edit $CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml in your favorite XML editor.
- Find the SimpleTestUsernamePasswordAuthenticationHandler bean towards the bottom and comment it out. Replace it with the following:
```xml
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u,ou=People,dc=example,dc=com"/>
    <property name="contextSource" ref="contextSource"/>
</bean>
```
- At the very end of the file (before the ending </beans> element), add a "contextSource" bean definition:
```xml
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://localhost:10389</value>
        </list>
    </property>
    <property name="userName" value="uid=admin,ou=system"/>
    <property name="password" value="secret"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
```
- Download the following JARs and put them into $CATALINA_HOME/webapps/cas/WEB-INF/lib.
- Copy cas-server-support-ldap-3.1.jar from $CAS_DOWNLOAD/modules to $CATALINA_HOME/webapps/cas/WEB-INF/lib.
- Start Tomcat. You should be able to log in with admin/adminldap.