CAS and Orbeon Integration

CAS and Orbeon Integration

ali112
Hi people,

I've been trying for the first time to integrate webapps with CAS. First I did it on Liferay 6.2 and it was pretty easy following tutorials. But I couldn't find anywhere how to do the same with Orbeon. I read about CAS and tried changing here and there many times but I'm feeling lost.

I am using Tomcat 7.0.42 (the same bundled with Liferay 6.2 GA2) with JDK 1.6.0.45 on Windows 7.
Orbeon pre.4.9 is deployed outside liferay/tomcat/webapps using tomcat/conf/Catalina/localhost/orbeon.xml.
The CAS Server 3.5.2 is deployed in liferay/tomcat/webapps.

CAS and Liferay are working properly, but how can I integrate CAS with Orbeon as well? I intend to use LDAP later, but for now I want to keep things simple by making it work with the CAS test user.

Well, starting from the beginning, I copied liferay\tomcat\webapps\cas-webapp\WEB-INF\lib\cas-client-core-3.2.1.jar to C:\orbeon\orbeon-forms\build\orbeon-war\WEB-INF\lib\

After that, I added to my orbeon-forms\build\orbeon-war\WEB-INF\resources\config\properties-local.xml the following:
<property as="xs:string" name="oxf.fr.authentication.method"          value="header"/>
<property as="xs:string" name="oxf.fr.authentication.header.username" value="My-Username-Header"/>
<property as="xs:string" name="oxf.fr.authentication.header.group"    value="My-Group-Header"/>
<property as="xs:string" name="oxf.fr.authentication.header.roles"    value="My-Roles-Header"/>

<!-- Orbeon Forms must be told to trust the self-signed certificate -->
<property as="xs:anyURI" name="oxf.http.ssl.keystore.uri"          value="file:/C:/PROGRA~1/Java/jdk1.6.0_45/jre/lib/security/cacerts"/>
<property as="xs:string" name="oxf.http.ssl.keystore.password"     value="changeit"/>
<property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri" value="https://localhost:8443/orbeon"/>
<property as="xs:anyURI" name="oxf.fr.persistence.exist.uri"       value="https://localhost:8443/orbeon/fr/service/exist"/>
<property as="xs:anyURI" name="oxf.fr.persistence.exist.exist-uri" value="https://localhost:8443/orbeon/exist/rest/db/orbeon/fr"/>
<property as="xs:string" name="oxf.http.ssl.hostname-verifier"     value="allow-all"/>
The http.ssl.keystore.uri is where I created a self-signed certificate while I was casifying Liferay.

If the settings above are right, what else should I do? What should I change in orbeon-war/WEB-INF/web.xml?
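One caveat about the header method configured above, as an added example that is not part of the original post and is not Orbeon or CAS client code. With oxf.fr.authentication.method=header, Orbeon takes the username, group and roles from whatever My-Username-Header, My-Group-Header and My-Roles-Header contain on the request, so the component that injects those headers must also discard any copy the client sent, and Orbeon must not be reachable except through that component. The Python below models the injecting layer as a WSGI-style middleware: the vulnerable version only sets the headers when a validated identity exists and otherwise lets the client's own values through, the hardened one strips them first. The cas.assertion environ entry, the identity values and the requests are constructed for the example.

```python
"""Trust boundary of Orbeon's header-based authentication, modelled as a
WSGI-style middleware. Added example: not code from the original post, from
Orbeon or from the CAS client."""
from typing import Callable, Dict, Optional

# Header names from the properties-local.xml in the post.
USERNAME_HEADER = "My-Username-Header"
GROUP_HEADER = "My-Group-Header"
ROLES_HEADER = "My-Roles-Header"
TRUSTED_HEADERS = (USERNAME_HEADER, GROUP_HEADER, ROLES_HEADER)


def environ_key(header: str) -> str:
    """WSGI spelling of a request header: My-Username-Header -> HTTP_MY_USERNAME_HEADER."""
    return "HTTP_" + header.upper().replace("-", "_")


def identity_from_session(environ: dict) -> Optional[Dict[str, object]]:
    """Hypothetical hook: the CAS client stores a validated assertion in the
    session; here it is simply an entry placed in the environ by the caller."""
    return environ.get("cas.assertion")


def _set_identity_headers(environ: dict, identity: Dict[str, object]) -> None:
    environ[environ_key(USERNAME_HEADER)] = identity["user"]
    environ[environ_key(GROUP_HEADER)] = identity.get("group", "")
    environ[environ_key(ROLES_HEADER)] = ",".join(identity.get("roles", ()))


def vulnerable_inject(environ: dict) -> dict:
    """Sets the trusted headers when the user is authenticated, but leaves any
    client-supplied copy alone when not. Orbeon then believes the forged value."""
    identity = identity_from_session(environ)
    if identity is not None:
        _set_identity_headers(environ, identity)
    return environ


def hardened_inject(environ: dict) -> dict:
    """Drops every inbound copy of the trusted headers first, then sets them
    only from the validated identity. A forged header never reaches Orbeon."""
    for header in TRUSTED_HEADERS:
        environ.pop(environ_key(header), None)
    identity = identity_from_session(environ)
    if identity is not None:
        _set_identity_headers(environ, identity)
    return environ


def orbeon_user(environ: dict) -> Optional[str]:
    """Models the "header" method: the username is whatever the header contains."""
    return environ.get(environ_key(USERNAME_HEADER))


def spoofed_request() -> dict:
    """Constructed request: no validated session, but the client sent the
    identity headers itself, claiming to be an administrator."""
    return {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/orbeon/fr/",
        environ_key(USERNAME_HEADER): "admin",
        environ_key(ROLES_HEADER): "orbeon-admin",
    }


def authenticated_request() -> dict:
    """Constructed request carrying a validated identity, as the CAS filter
    would provide it; the attacker's forged headers are still present."""
    request = spoofed_request()
    request["cas.assertion"] = {"user": "casuser", "group": "users", "roles": ("role1",)}
    return request


def user_seen_by_orbeon(injector: Callable[[dict], dict], request: dict) -> Optional[str]:
    """Run one request through the chosen middleware and report the identity
    Orbeon's header method would accept."""
    return orbeon_user(injector(request))
```

The CAS filters listed later in this thread populate getRemoteUser() and a session assertion; they do not write these custom headers, so with the header method something in the chain still has to map the assertion onto them, and it has to do it the hardened way above. If nothing does, the container method is the simpler fit.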
Re: CAS and Orbeon Integration

Erik Bruchez
Administrator
Not knowing CAS at all, it is hard to help.

Could you explain what it entails, and how the parts are supposed to fit together?

-Erik
Re: CAS and Orbeon Integration

Aaron Spike
In reply to this post by ali112
I followed a slightly different path to integrating CAS and Orbeon. I configured properties-local.xml to use the container based authentication method.

<property as="xs:string" name="oxf.fr.authentication.method" value="container"/>
<property as="xs:string" name="oxf.fr.authentication.container.roles" value="role1,role2"/>


And then added the cas client configuration in the orbeon context file:

<!-- https://wiki.jasig.org/display/CASC/Tomcat+Container+Authentication -->
<Realm className="org.jasig.cas.client.tomcat.v7.AssertionCasRealm"
       roleAttributeName="groupMembership"/>
<Valve className="org.jasig.cas.client.tomcat.v7.Saml11Authenticator"
       encoding="UTF-8"
       casServerLoginUrl="https://cas.example.com/cas/login"
       casServerUrlPrefix="https://cas.example.com/cas/"
       serverName="orbeon.example.com"/>
<Valve className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve"
       artifactParameterName="SAMLart"/>
<Valve className="org.jasig.cas.client.tomcat.v7.RegexUriLogoutValve"
       logoutUriRegex="/orbeon/logout.*"/>

And then I uncommented the security constraints in web.xml. This worked very well. Once you have CAS functioning, I don't know why you would want to transition to LDAP.

A few things to note: The group names that came from LDAP through CAS used DN syntax which conflicts with Orbeon's current method of splitting group names from the configuration properties. A patch has been submitted to fix this issue. On the CAS client side there are a number of things that could be done to make it easier to transition between Saml11Authenticator and JNDIRealm. I plan to submit patches to CAS to support commonRole, parsing CN from DN for group names, and redirection to a URI without the CAS tokens after authentication. I'm still waiting on responses from the CAS community regarding these suggestions.

Aaron Spike


This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments. Views expressed by the author do not necessarily represent those of Martin Luther College.

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Re: CAS and Orbeon Integration

Alessandro Vernet
Administrator
And for reference, about the splitting, I imagine you're referring to issue #2059, which is fixed and will be in 4.9.

https://github.com/orbeon/orbeon-forms/issues/2059

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
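The splitting conflict Aaron describes and the issue Alex points to (#2059) have the same cause: group names that arrive as LDAP DNs contain the commas Orbeon uses to separate the roles property. As an added example (Python that is not Orbeon or CAS client code, and not the patch referenced above), the block below shows what a plain split does to such a value and the CN-from-DN extraction Aaron mentions, with RFC 4514 escaped commas handled so a CN such as "Doe, Jane" survives. The group and role values are constructed for the example.

```python
"""Group names that arrive as LDAP DNs versus Orbeon's comma-separated role list.
Added example, not Orbeon or CAS client code."""
import re
from typing import Iterable, List


def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514 distinguished name into its RDN strings. A comma
    escaped as backslash-comma (as in cn=Doe\\, Jane) stays inside its RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def unescape(value: str) -> str:
    """Remove RFC 4514 backslash escapes: Doe\\, Jane -> Doe, Jane."""
    return re.sub(r"\\(.)", r"\1", value)


def cn_of(group: str) -> str:
    """CN of a DN-form group name; a plain name such as "role1" is returned
    unchanged, so both styles can be compared the same way."""
    for rdn in split_dn(group):
        attr, eq, value = rdn.partition("=")
        if eq and attr.strip().lower() == "cn":
            return unescape(value.strip())
    return group


def naive_roles(property_value: str) -> List[str]:
    """What a plain split on "," does to a roles property that holds a DN:
    one configured group becomes four meaningless role names."""
    return [r.strip() for r in property_value.split(",")]


def user_has_role(user_groups: Iterable[str], configured_roles: Iterable[str]) -> bool:
    """Compare the CN of each group from the CAS assertion with the configured
    role names, case-insensitively, instead of matching whole strings."""
    wanted = {cn_of(r).lower() for r in configured_roles}
    return any(cn_of(g).lower() in wanted for g in user_groups)
```

Matching on CN alone means two groups with the same CN in different OUs become indistinguishable, so this is only safe where CNs are unique across the directory; otherwise the roles property needs a separator that cannot appear in a DN.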
Re: CAS and Orbeon Integration

ali112
In reply to this post by Erik Bruchez
Hi Erik,

The idea is that whether I access Liferay (http://localhost:9090/) or Orbeon (http://localhost:9090/orbeon), I have to log in once to have access to both. I could make progress on it by adding the following to web.xml:
<!-- START CAS CONFIG (https://www.casinthecloud.com/docs/tech/client.html) -->
<!-- URL protection: To protect an url of your website, you only need to add a J2E filter on the right path in your web.xml file -->
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://localhost:8443/cas-webapp/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://localhost:8443</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Service ticket validation: To validate the service tickets returned by the CAS server, you need to declare a specific filter on the same path -->
<!-- Also: https://cuit.columbia.edu/cas-ify-java-application -->
<filter> 
    <filter-name>CAS Validation Filter</filter-name> 
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> 
    <init-param> 
        <param-name>casServerUrlPrefix</param-name> 
        <param-value>https://localhost:8443/cas-webapp/</param-value> 
    </init-param> 
    <init-param> 
        <param-name>serverName</param-name> 
        <param-value>https://localhost:8443</param-value>
    </init-param> 
    <init-param> 
        <param-name>artifactParameterName</param-name> 
        <param-value>ticket</param-value> 
    </init-param> 
    <init-param> 
        <param-name>redirectAfterValidation</param-name> 
        <param-value>true</param-value> 
    </init-param> 
</filter> 
<filter-mapping> 
    <filter-name>CAS Validation Filter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping>

<!-- Display of current user: To make the current authenticated user available in all HTTP requests -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- END CAS CONFIG -->
It's also a reference: https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml

So when I access /orbeon I am redirected to CAS. I log in and I am redirected to the /orbeon start page. I click on the Form Runner hyperlink (https://localhost:8443/orbeon/fr/) and an error message appears: "Unable to complete action: There was an error running the process. Please contact the application administrator."

I'm getting a problem just with this page, because I can create forms, fill and edit them with no problems. I can see the summary of a form, for example, but not the FR home page with the forms list.

I can see errors in orbeon.log when I access orbeon/fr/: orbeon.log

When I comment out the CAS filter in web.xml, disabling it, the Form Runner home page comes back working properly. Even when I keep just the minimal CAS properties (just what is between the "URL protection" commented section), I can log in with CAS but still get the same error.

Different from what it says here: http://wiki.orbeon.com/forms/how-to/use-ssl-https, I have not added keystoreFile and keystorePass to the Tomcat SSL connector because I was getting this exception: "SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled." and when I also added keyAlias I got this one: "Alias name tomcat does not identify a key entry". I don't know if not setting them up can be related to the problem, but at least with Liferay it works well and I can verify that the key with the alias "tomcat" exists in the cacerts file.

Considering what I said and looking at the error in orbeon.log, do you have an idea of what's going on?

Thanks in advance,
Ali
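The filter chain in the post performs the CAS 2.0 exchange: AuthenticationFilter redirects an unauthenticated browser to casServerLoginUrl with a service parameter, CAS sends the browser back with ?ticket=ST-..., and Cas20ProxyReceivingTicketValidationFilter calls serviceValidate under casServerUrlPrefix and, with redirectAfterValidation=true, redirects to the same URL without the ticket. As an added example (a Python model of that protocol, not the Jasig client's code), the block below builds those URLs, parses the serviceValidate XML for both outcomes, and uses a constructed stand-in for the CAS server that enforces the two properties worth checking: a ticket is bound to the exact service URL it was issued for, and it validates only once. The sample XML, the tickets and the groupMembership attribute are constructed; a CAS 3.5.2 server includes attributes in serviceValidate only if it is configured to release them.

```python
"""CAS 2.0 login redirect and service-ticket validation, as the filter chain in
the post performs it. Added example: models the protocol in Python, it is not
the Jasig CAS client's code. The CAS server side is a constructed stand-in."""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_LOGIN = "https://localhost:8443/cas-webapp/login"     # casServerLoginUrl in the post
CAS_PREFIX = "https://localhost:8443/cas-webapp/"         # casServerUrlPrefix in the post

# Constructed responses in the shape the /serviceValidate endpoint returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:groupMembership>cn=orbeon-admin,ou=groups,dc=example,dc=com</cas:groupMembership>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed stand-in for the CAS server's ticket registry: ticket -> bound service URL.
ISSUED_TICKETS: Dict[str, str] = {
    "ST-1-abc": "https://localhost:8443/orbeon/fr/",
    "ST-2-def": "https://localhost:8443/orbeon/fr/",
}


def login_redirect_url(service_url: str) -> str:
    """AuthenticationFilter, unauthenticated request: send the browser to CAS
    with the service URL it should come back to."""
    return CAS_LOGIN + "?" + urllib.parse.urlencode({"service": service_url})


def service_url_without_ticket(request_url: str) -> str:
    """The service a ticket is bound to is the request URL minus the ticket
    parameter; with redirectAfterValidation=true it is also the final target."""
    parts = urllib.parse.urlsplit(request_url)
    kept = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
            if k != "ticket"]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(kept)))


def validation_url(service_url: str, ticket: str) -> str:
    """Server-to-server call the validation filter makes (over HTTPS in practice)."""
    return CAS_PREFIX + "serviceValidate?" + urllib.parse.urlencode(
        {"service": service_url, "ticket": ticket})


def fake_service_validate(url: str) -> str:
    """Constructed CAS server: a ticket validates once, and only for the exact
    service URL it was issued for."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    bound_service = ISSUED_TICKETS.pop(params.get("ticket", ""), None)
    return SUCCESS_XML if bound_service == params.get("service") else FAILURE_XML


def parse_service_response(xml_text: str) -> dict:
    """Parse the serviceValidate XML into a dict; attributes keep a list per name."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs: Dict[str, list] = {}
        holder = success.find("cas:attributes", CAS_NS)
        for child in (holder if holder is not None else []):
            attrs.setdefault(child.tag.split("}", 1)[-1], []).append((child.text or "").strip())
        return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS),
                "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    raise ValueError("not a CAS serviceResponse")


def validate_callback(request_url: str, send=fake_service_validate) -> dict:
    """The validation filter: pull the ticket off the request, validate it with
    the server, and on success redirect to the URL without the ticket."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(request_url).query))
    ticket = params.get("ticket")
    if not ticket:
        return {"ok": False, "code": "NO_TICKET", "message": "no ticket parameter"}
    service = service_url_without_ticket(request_url)
    result = parse_service_response(send(validation_url(service, ticket)))
    if result["ok"]:
        result["redirect_to"] = service
    return result
```

The service URL the client computes comes from serverName plus the request path and query, so serverName has to be the scheme, host and port the browser actually used or the server answers INVALID_SERVICE; and because the validation call is made by the JVM over HTTPS, the self-signed CAS certificate has to be in the JDK's cacerts (the same store referenced in the first post) for the client to trust it.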
Re: CAS and Orbeon Integration

ali112
In reply to this post by Aaron Spike
Hi Aaron!

Interesting! Thanks for sharing it. I have made progress using the header method with the settings above. I'm just getting an error at the Form Runner home page now. So, are you using the Orbeon login form instead of CAS?

Regarding LDAP, I have seen that using LDAP with CAS is very common and considered a best practice for user management. So as I have to integrate with some user database/directory anyway, I am thinking of giving LDAP a try. Thanks for your advice about it!

How is your SSL connector configured in server.xml? Could you get it working without setting this: http://wiki.orbeon.com/forms/how-to/use-ssl-https?

One last question, what syntax highlighter are you using to post here? I'm using http://tohtml.com/ which is not so good.
Re: CAS and Orbeon Integration

Aaron Spike
On Friday, February 6, 2015 at 1:53:27 PM UTC-6, ali 112 wrote:
> Hi Aaron!
>
> Interesting! Thanks for sharing it. I could have progress using the header
> method with the settings above. I'm just getting an error at the Form Runner
> home page now. So, are you using the Orbeon login form instead of CAS?

My intention is to use CAS with the CAS login form. Right now I'm using JNDIRealm (LDAP) with the Orbeon supplied login page. I've tested both.

> Regarding to LDAP, I have seen that it's very common the use of LDAP with
> CAS and as a best practice for user management. So as I have to integrate
> with some user database/directory anyway, I am thinking to give a try to
> LDAP. Thanks for your advice about it!
>
> How is your SSL connector configured in server.xml? Could you get it working
> without setting this: http://wiki.orbeon.com/forms/how-to/use-ssl-https?

I'm using Apache and mod_proxy_http to provide SSL at this point. But only because I am familiar with that solution and very unfamiliar with Tomcat.

> One last question, what syntax highlighter are you using to post here? I'm
> using http://tohtml.com/ which is not so good.

I'm posting through the Google group. When I saw your posts I thought "oh, groups must support syntax highlighting." And when I looked at the toolbar I found the "{}" icon there which I assumed you must have been using. Guess I was wrong. But now we've both learned something.

Aaron Spike

Re: CAS and Orbeon Integration

ali112
In reply to this post by Erik Bruchez
Hi guys,

I'm still trying to get Form Runner Home Page (https://localhost:8443/orbeon/fr/) working after CAS login without success. This is the error I'm getting:
ERROR XFormsServer  - xforms-submit-error - setting throwable {throwable: "
ERROR XFormsServer  -     +----------------------------------------------------------------------------------------------------------------------+
ERROR XFormsServer  -     |An Error has Occurred                                                                                                 |
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |xf:submission for submission id: fr-default-submission, redirect code received with replace="instance"                |
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |Application Call Stack                                                                                                |
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |oxf:/ops/xforms/xforms-submission.xpl                                             |processing submission response|  54|
ERROR XFormsServer  -     |······················································································································|
ERROR XFormsServer  -     |element=<xf:submission id="fr-default-submission" replace="instance" method="post" resource="{xxf:get-request-header('|
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |Exception: org.orbeon.oxf.xforms.submission.XFormsSubmissionException                                                 |
ERROR XFormsServer  -     |----------------------------------------------------------------------------------------------------------------------|
ERROR XFormsServer  -     |.orbeon.oxf.xforms.submission.XFormsModelSubmission|getReplacer                   |XFormsModelSubmission.java    | 722|
ERROR XFormsServer  -     |rg.orbeon.oxf.xforms.submission.RegularSubmission$1|call                          |RegularSubmission.java        | 107|
ERROR XFormsServer  -     |rg.orbeon.oxf.xforms.submission.RegularSubmission$1|call                          |RegularSubmission.java        |  77|
ERROR XFormsServer  -     |org.orbeon.oxf.xforms.submission.BaseSubmission    |submitCallable                |BaseSubmission.scala          |  89|
For a complete orbeon.log of the issue the same TXT file I provided before works.

This is the code snippet in XFormsModelSubmission.java which is throwing the exception:
} else if (NetUtils.isRedirectCode(connectionResult.statusCode())) {
    // Got a redirect

    // Currently we don't know how to handle a redirect for replace != "all"
    if (!p.isReplaceAll)
        throw new XFormsSubmissionException(this,
            "xf:submission for submission id: " + id + ", redirect code received with replace=\"" + replace + "\"",
            "processing submission response",
            new XFormsSubmitErrorEvent(this, XFormsSubmitErrorEvent.RESOURCE_ERROR(), connectionResult));

    replacer = new RedirectReplacer(this, containingDocument);
I tried to understand it but I don't know what's going on.

I also tested with new clones of Orbeon 4.8.1 and 4.6.2 on Tomcat 7.0.55. While with 4.8.1 I got the same error, with 4.6.2 I could get FR home working well after CAS login.

As I didn't need to change the original properties-local.xml to get version 4.6.2 working properly, maybe the problem isn't there. If I'm not wrong, it looks like the problem is about some change made to the source code more recently. Considering what I said now and my previous reply to Erik, can someone see what's going on or have some suggestion I can try?

Thanks in Advance,
Ali
Re: CAS and Orbeon Integration

Alessandro Vernet
Administrator
Hi Ali,

How did you end up setting up CAS? Through a filter, or a Tomcat realm?

In either case, it looks like a request might be redirected to a login page. Are you using the internal eXist? If you are, can you either exclude it from being protected by CAS, or make sure whatever header is needed for that authentication to go through is forwarded by adding it to the oxf.http.forward-headers property, or whatever cookie is needed to oxf.http.forward-cookies?

Also, it would be interesting to put an HTTP proxy such as Charles so you can know exactly which request is failing, and what the response was. For more on how to do this with Charles, see:

http://blog.orbeon.com/2013/04/let-charles-help-you-monitor-http.html

Alex
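Alex's diagnosis, spelled out: the CAS filter is mapped to /*, and the Form Runner home page makes its own server-side HTTP request to oxf.fr.persistence.exist.uri (https://localhost:8443/orbeon/fr/service/exist, on the same server), so that request also passes through the CAS filter. It carries no browser session unless oxf.http.forward-cookies sends the cookie along, so the filter answers with a 302 to the login page, and the submission with replace="instance" raises exactly the XFormsSubmissionException quoted above. As an added example (a Python model, not Orbeon or CAS client code), the block below reproduces that failure and the two remedies from the reply: leave the service paths out of the filter, or forward the session cookie. The session store, the persistence path and the ignore-pattern parameter are constructed for the model; later 3.x releases of the Java CAS client's AuthenticationFilter accept an ignorePattern init-param, but whether the 3.2.1 jar used in this thread does needs checking, and narrower url-pattern mappings in web.xml achieve the same.

```python
"""Why the Form Runner home page fails behind a CAS filter mapped to /*, and
the two remedies mentioned in the reply. Added example: a model in Python,
not Orbeon or CAS client code."""
import re
from typing import Dict, Optional, Tuple

CAS_LOGIN = "https://localhost:8443/cas-webapp/login"
SERVER = "https://localhost:8443"

# Stand-in for the container's sessions: session id -> assertion the CAS filter stored.
SESSIONS: Dict[str, dict] = {"sess-browser": {"user": "casuser"}}

# Constructed path for the server-side call the home page makes to the persistence
# layer configured as oxf.fr.persistence.exist.uri in the thread.
PERSISTENCE_PATH = "/orbeon/fr/service/exist/search"


def cas_filter(path: str, cookies: Dict[str, str],
               ignore_pattern: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Models the CAS AuthenticationFilter: a request matching the ignore pattern
    or carrying an authenticated session passes; anything else is a 302 to login."""
    if ignore_pattern and re.search(ignore_pattern, path):
        return 200, None
    session = SESSIONS.get(cookies.get("JSESSIONID", ""))
    if session and "user" in session:
        return 200, session["user"]
    return 302, CAS_LOGIN + "?service=" + SERVER + path


def xforms_submission(status: int, replace: str = "instance") -> int:
    """Mirrors the check quoted from XFormsModelSubmission: a redirect is only
    accepted when replace="all"; with replace="instance" it is a submission error."""
    if 300 <= status < 400 and replace != "all":
        raise RuntimeError('redirect code received with replace="%s"' % replace)
    return status


def load_form_list(forward_cookies: Tuple[str, ...] = (),
                   ignore_pattern: Optional[str] = None) -> int:
    """The home page's internal HTTP call to the persistence service. It is a
    fresh request from Orbeon to itself, so the browser's cookies only travel
    with it when named in oxf.http.forward-cookies (modelled as none unless given)."""
    browser_cookies = {"JSESSIONID": "sess-browser"}
    outgoing = {k: v for k, v in browser_cookies.items() if k in forward_cookies}
    status, _ = cas_filter(PERSISTENCE_PATH, outgoing, ignore_pattern)
    return xforms_submission(status)


def outcome(**kwargs) -> str:
    """'ok 200' when the instance loads, 'error' when the submission fails
    the way the orbeon.log excerpt shows."""
    try:
        return "ok %d" % load_form_list(**kwargs)
    except RuntimeError:
        return "error"
```

The two remedies are not equivalent. Excluding /orbeon/fr/service/* from CAS leaves the persistence API unauthenticated, so those paths then have to be unreachable from outside (a firewall rule or a Tomcat RemoteAddrValve), whereas forwarding JSESSIONID keeps them protected and only works because the internal call lands in the same Tomcat context and session. Check the default of oxf.http.forward-cookies for the Orbeon version in use rather than assuming it is empty, and confirm with the proxy Alex suggests which request actually gets the 302.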