This post was updated on .
Hi people,
I've been trying for the first time to integrate webapps with CAS. First I did it on Liferay 6.2 and it was pretty easy following tutorials. But I couldn't find anywhere how to do the same with Orbeon. I read about CAS and tried changing here and there many times but I'm feeling lost. I am using Tomcat 7.0.42 (the same bundled with Liferay 6.2 GA2) with JDK 1.6.0.45 on Windows 7. Orbeon pre.4.9 is deployed outside liferay/tomcat/webapps using tomcat/conf/Catalina/localhost/orbeon.xml. The CAS Server 3.5.2 is deployed in liferay/tomcat/webapps. CAS and Liferay are working properly but how can I integrate CAS with Orbeon as well? I intend to use LDAP later, but for now I want to keep things simple by making it works with the CAS test user. Well, starting from the beginning, I copied liferay\tomcat\webapps\cas-webapp\WEB-INF\lib\cas-client-core-3.2.1.jar to C:\orbeon\orbeon-forms\build\orbeon-war\WEB-INF\lib\ After that, I added to my orbeon-forms\build\orbeon-war\WEB-INF\resources\config\properties-local.xml the following: The http.ssl.keystore.uri is where I created a self-signed certificate while I was casifying Liferay.<property as="xs:string" name="oxf.fr.authentication.method" value="header"/> <property as="xs:string" name="oxf.fr.authentication.header.username" value="My-Username-Header"/> <property as="xs:string" name="oxf.fr.authentication.header.group" value="My-Group-Header"/> <property as="xs:string" name="oxf.fr.authentication.header.roles" value="My-Roles-Header"/> <!-- Orbeon Forms must be told to trust the self-signed certificate --> <property as="xs:anyURI" name="oxf.http.ssl.keystore.uri" value="file:/C:/PROGRA~1/Java/jdk1.6.0_45/jre/lib/security/cacerts"/> <property as="xs:string" name="oxf.http.ssl.keystore.password" value="changeit"/> <property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri" value="https://localhost:8443/orbeon"/> <property as="xs:anyURI" name="oxf.fr.persistence.exist.uri" value="https://localhost:8443/orbeon/fr/service/exist"/> <property as="xs:anyURI" name="oxf.fr.persistence.exist.exist-uri" value="https://localhost:8443/orbeon/exist/rest/db/orbeon/fr"/> <property as="xs:string" name="oxf.http.ssl.hostname-verifier" value="allow-all"/> If the settings above are right, what else should I do? What should I change in orbeon-war/WEB-INF/web.xml? |
Administrator
|
Not knowing CAS at all, it is hard to help.
Could you explain what it entails, and how the parts are supposed to fit together? -Erik |
In reply to this post by ali112
I followed a slightly different path to integrating CAS and Orbeon. I configured properties-local.xml to use the container based authentication method.
And then added the cas client configuration in the orbeon context file:
And then I uncommented the security constraints in web.xml. This worked very well. Once you have CAS functioning, I don't know why you would want to transition to LDAP. A few things to note: The group names that came from LDAP through CAS used DN syntax which conflicts with Orbeon's current method of splitting group names from the configuration properties. A patch has been submitted to fix this issue. On the CAS client side there are a number of things that could be done to make it easier to transition between Saml11Authenticator and JNDIRealm. I plan to submit patches to CAS to support commonRole, parsing CN from DN for group names, and redirection to a URI without the CAS tokens after authentication. I'm still waiting on responses from the CAS community regarding these suggestions. Aaron Spike This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments. Views expressed by the author do not necessarily represent those of Martin Luther College. -- You received this message because you are subscribed to the Google Groups "Orbeon Forms" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email]. |
Administrator
|
An for reference, about the splitting, I imagine you're referring to issue #2059, which is fixed and will be in 4.9.
https://github.com/orbeon/orbeon-forms/issues/2059 Alex
--
Follow Orbeon on Twitter: @orbeon Follow me on Twitter: @avernet |
In reply to this post by Erik Bruchez
Hi Erik,
The idea is either I access Liferay (http://localhost:9090/) or Orbeon (http://localhost:9090/orbeon) I have to login once to have access to both. I could progress on it by adding to web.xml the following: It's also a reference: https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml<!-- START CAS CONFIG (https://www.casinthecloud.com/docs/tech/client.html) --> <!-- URL protection: To protect an url of your website, you only need to add a J2E filter on the right path in your web.xml file --> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://localhost:8443/cas-webapp/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8443</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Service ticket validation: To validate the service tickets returned by the CAS server, you need to declare a specific filter on the same path --> <!-- Also: https://cuit.columbia.edu/cas-ify-java-application --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://localhost:8443/cas-webapp/</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8443</param-value> </init-param> <init-param> <param-name>artifactParameterName</param-name> <param-value>ticket</param-value> </init-param> <init-param> <param-name>redirectAfterValidation</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Display of current user: To make the current authenticated user available in all HTTP requests --> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- END CAS CONFIG --> So when I access /orbeon I am redirected to CAS. I login and I am redirected to /orbeon start page. I clink on Form Runner hyperlink (https://localhost:8443/orbeon/fr/) and an error message appears: "Unable to complete action: There was an error running the process. Please contact the application administrator." I'm getting a problem just with this page, because I can create forms, fill and edit them with no problems. I can see the summary of a form, for example, but not the FR home page with the forms list. I can see errors in orbeon.log when I access orbeon/fr/: orbeon.log When I comment the CAS filter in web.xml disabling it, then Form Runner home page come back working properly. Even when I let just the minimal CAS properties (just what is between the "URL protection" commented section) I can login with CAS but still get the same error. Different from what it's saying here: http://wiki.orbeon.com/forms/how-to/use-ssl-https, I have not added keystoreFile and keystorePass to the Tomcat SSL connector because I was getting this exception: "SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled." and when I also added keyAlias I got this one: "Alias name tomcat does not identify a key entry". I don't know if not setting them up can be related to the problem, but at least with Liferay it works well and I can verify that the key with the alias "tomcat" exists into cacerts file. Considering what I said and looking the error in orbeon.log, can you have an idea what's going on? Thanks in advance, Ali |
This post was updated on .
In reply to this post by Aaron Spike
Hi Aaron!
Interesting! Thanks for sharing it. I had progress using the header method with the settings above. I'm just getting an error at the Form Runner home page now. So, are you using the Orbeon login form instead of CAS? Regarding to LDAP, I have seen that it's very common the use of LDAP with CAS and as a best practice for user management. So as I have to integrate with some user database/directory anyway, I am thinking to give a try to LDAP. Thanks for your advice about it! How is your SSL connector configured in server.xml? Could you get it working without setting this: http://wiki.orbeon.com/forms/how-to/use-ssl-https? One last question, what syntax highlighter are you using to post here? I'm using http://tohtml.com/ which is not so good. |
On Friday, February 6, 2015 at 1:53:27 PM UTC-6, ali 112 wrote:
Hi Aaron! My intention is to use CAS with the CAS login form. Right now I'm using JNDIRealm (LDAP) with the Orbeon supplied login page. I've tested both. Regarding to LDAP, I have seen that it's very common the use of LDAP with I'm using Apache and mod_proxy_http to provide SSL at this point. But only because I am familiar with that solution and very unfamiliar with Tomcat. One last question, what syntax highlighter are you using to post here? I'm I'm posting through the Google group. When I saw your posts I thought "oh, groups must support syntax highlighting." And when I looked at the toolbar I found the "{}" icon there which I assumed you must have been using. Guess I was wrong. But now we've both learned something. Aaron Spike This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments. Views expressed by the author do not necessarily represent those of Martin Luther College. -- You received this message because you are subscribed to the Google Groups "Orbeon Forms" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email]. |
In reply to this post by Erik Bruchez
Hi guys,
I'm still trying to get Form Runner Home Page (https://localhost:8443/orbeon/fr/) working after CAS login without success. This is the error I'm getting: For a complete orbeon.log of the issue the same TXT file I provided before works.ERROR XFormsServer - xforms-submit-error - setting throwable {throwable: " ERROR XFormsServer - +----------------------------------------------------------------------------------------------------------------------+ ERROR XFormsServer - |An Error has Occurred | ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |xf:submission for submission id: fr-default-submission, redirect code received with replace="instance" | ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |Application Call Stack | ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |oxf:/ops/xforms/xforms-submission.xpl |processing submission response| 54| ERROR XFormsServer - |······················································································································| ERROR XFormsServer - |element=<xf:submission id="fr-default-submission" replace="instance" method="post" resource="{xxf:get-request-header('| ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |Exception: org.orbeon.oxf.xforms.submission.XFormsSubmissionException | ERROR XFormsServer - |----------------------------------------------------------------------------------------------------------------------| ERROR XFormsServer - |.orbeon.oxf.xforms.submission.XFormsModelSubmission|getReplacer |XFormsModelSubmission.java | 722| ERROR XFormsServer - |rg.orbeon.oxf.xforms.submission.RegularSubmission$1|call |RegularSubmission.java | 107| ERROR XFormsServer - |rg.orbeon.oxf.xforms.submission.RegularSubmission$1|call |RegularSubmission.java | 77| ERROR XFormsServer - |org.orbeon.oxf.xforms.submission.BaseSubmission |submitCallable |BaseSubmission.scala | 89| This is the code snippet in XFormsModelSubmission.java which is throwing the exception: I tried to understand it but I don't know what's going on.} else if (NetUtils.isRedirectCode(connectionResult.statusCode())) { // Got a redirect // Currently we don't know how to handle a redirect for replace != "all" if (!p.isReplaceAll) throw new XFormsSubmissionException(this, "xf:submission for submission id: " + id + ", redirect code received with replace=\"" + replace + "\"", "processing submission response", new XFormsSubmitErrorEvent(this, XFormsSubmitErrorEvent.RESOURCE_ERROR(), connectionResult)); replacer = new RedirectReplacer(this, containingDocument); I also tested with new clones of Orbeon 4.8.1 and 4.6.2 on Tomcat 7.0.55. While with 4.8.1 I got the same error, with 4.6.2 I could get FR home working well after CAS login. As I didn't need to change the original properties-local.xml to get the version 4.6.2 working properly, maybe the problem isn't there. If I'm not wrong, it looks like that the problem is about some change done at the source code more recently. Considering what I said now and my previous reply to Erik, can someone see what's going on or have some suggestion I can try? Thanks in Advance, Ali |
Administrator
|
Hi Ali,
How did you end up setting up CAS? Though a filter, or a Tomcat realm? In either case, looks like a request might be redirected to a login page. Are you using the internal eXist? If you are, can you either exclude it from being protected by CAS, or make sure whatever header is needed for that authentication to go though is forwarded by adding it to the oxf.http.forward-headers property, or whatever cookie is needed to oxf.http.forward-cookies. Also, it would be interesting to put an HTTP proxy such as Charles so you can know exactly which request is failing, and what the response was. For more on how to do this with Charles, see: http://blog.orbeon.com/2013/04/let-charles-help-you-monitor-http.html Alex
--
Follow Orbeon on Twitter: @orbeon Follow me on Twitter: @avernet |
Free forum by Nabble | Edit this page |