Hi Suelane,
I just noticed that the CAS page is reporting the warning:
You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.
And in your web.xml you are setting your casServerLoginUrl to a http:// address and not a https:// address. I think this may be the reason why the connection is being refused – it requires a secure https connection.
Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane@uol.com.br>
Date: Saturday, 26 April 2014 4:53 am
To: Nick <nick.dosremedios@csiro.au>
Cc: "ala-portal@lists.gbif.org" <ala-portal@lists.gbif.org>, "support@ala.org.au" <support@ala.org.au>
Subject: Re: Cas Authentication - Hubs-Webapp
Hi Nick!
I am trying to integrate the Hubs-WEBAPP with CAS jasig. It is partially working but I have some issues ... I am sending attached the document explaining the issue and the Tomcat logs.
Thanks! Regards.
Sueln
________________________________
From: Nick.Dosremedios@csiro.au
Sent: Tuesday, 22 April 2014 04:05
To: suelane@uol.com.br
Subject: Cas Authentication - Hubs-Webapp
Hi Suelane,
There are many variables to getting CAS working; it's hard to tell what the problem is from your screenshots alone. One thing I can suggest is that you compare the web.xml file you are using with hubs-webapp to the generated web.xml in the Collectory grails app and try to work out what CAS settings are different that might be causing your issue.
Also, do your casServerName and loginUrl settings both start with "https"? Have you set the correct "contextPath" value (/hubs-webapp)?
Regards
Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane@uol.com.br>
Date: Friday, 18 April 2014 7:45 am
To: Nick <nick.dosremedios@csiro.au>
Cc: "ala-portal@lists.gbif.org" <ala-portal@lists.gbif.org>, "support@ala.org.au" <support@ala.org.au>
Subject: Re: Cas Authentication - Hubs-Webapp
Hi Nick,
I did what you suggested and we integrated ala-hubs with jasig-cas. Now, the Log in button (see image attached) redirects the hubs-webapp page to the jasig-cas authentication page. Nevertheless, the search button on the same page can be accessed even if the user does not perform the log in operation. We would like to know how to enforce this authentication before the user has access to perform a search in ala-hubs.
Thanks! Regards.
________________________________
From: Nick.Dosremedios@csiro.au
Sent: Thursday, 17 April 2014 00:16
To: suelane@uol.com.br, ala-portal@lists.gbif.org, support@ala.org.au
Subject: Cas Authentication - Hubs-Webapp

Hi Suelane,
I’d suggest you try these 2 minor changes to the web.xml file:
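1. Change the serverName section - from:
    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
    </context-param>
to:
    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://143.107.102.247:8080</param-value>
    </context-param>
    <context-param>
        <param-name>contextpath</param-name>
        <param-value>/hubs-webapp</param-value>
    </context-param>
2. Change the server uriFilterPattern to:
    <context-param>
        <param-name>uriFilterPattern</param-name>
        <param-value>/*</param-value>
    </context-param>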
I also note you are missing a few filter settings that we use in our version of hub-webapp. I’ve attached a sample “web.xml” file that you should look at, to check against, if the above changes do not work.
Regards
Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane@uol.com.br>
Date: Thursday, 17 April 2014 5:22 am
To: "ala-portal@lists.gbif.org" <ala-portal@lists.gbif.org>, "support@ala.org.au" <support@ala.org.au>
Subject: Cas Authentication - Hubs-Webapp
Hi all,
We need to force users to authenticate before they have access to ALA-PORTAL.
We found an authentication enforcement in the ala-collectory module, when the user tries to access the "admin" page, using JASIG Cas server.
We performed the following steps to test the authentication:
We deployed an instance of JASIG Cas server (http://www.jasig.org/cas) in server: http://143.107.102.247:65002/cas-server-webapp-3.4.12.1.
We configured ala-collectory to enforce authentication in the file ala-collectory-0.1.0/ala-collectory/grails-app/conf/config.groovy, using the following code:
/******************************************************************************\
 * SECURITY
 ******************************************************************************/
if (!security.cas.uriFilterPattern) {
    security.cas.uriFilterPattern = "/admin.*,/collection.*,/institution.*,/contact.*,/reports.*," +
            "/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*"
}
if (!security.cas.loginUrl) {
    security.cas.loginUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login"
}
if (!security.cas.logoutUrl) {
    security.cas.logoutUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/logout"
}
if (!security.apikey.serviceUrl) {
    security.apikey.serviceUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/apikey/ws/check?apik..."
}
if (!security.cas.appServerName) {
    security.cas.appServerName = "http://143.107.102.247:65002"
}
if (!security.cas.casServerName) {
    security.cas.casServerName = "http://143.107.102.247:8080"
}
if (!security.cas.uriExclusionFilterPattern) {
    security.cas.uriExclusionFilterPattern = '/images.*,/css.*,/js.*,/less.*'
}
if (!security.cas.authenticateOnlyIfLoggedInPattern) {
    // pattern for pages that can optionally display info about the logged-in user
    security.cas.authenticateOnlyIfLoggedInPattern = ""
}
if (!security.cas.casServerUrlPrefix) {
    security.cas.casServerUrlPrefix = 'http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/'
}
if (!security.cas.bypass) {
    security.cas.bypass = true
}
if (!disableAlertLinks) {
    disableAlertLinks = false
}
if (!disableOverviewMap) {
    disableOverviewMap = false
}
Then we tried to access the admin section of the ala-collectory browser, which worked perfectly: ala-collectory redirected the call to the CAS server login page, and after the user provides a correct username and password the user is redirected again to the admin section of ala-collectory.
We would like to enforce the same authentication in ala-hubs, as shown in the figure adapted from wiki (attached).
We followed the steps in wiki:
https://code.google.com/p/ala-bie/wiki/Authentication#Example_web.xml_config... .
In pom.xml of hubs-webapp directory we included the following code:
org.jasig.cas
cas-client-core
3.1.10
jar
compile
au.org.ala
ala-cas-client
2.0-SNAPSHOT
jar
compile
javax.servlet
servlet-api
In web.xml file we included the following code:
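    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
    </context-param>
    <context-param>
        <param-name>casServerName</param-name>
        <param-value>http://143.107.102.247:8080</param-value>
    </context-param>
    <context-param>
        <param-name>uriFilterPattern</param-name>
        <param-value>/, /occurrences/\d+, /occurrences/search, /explore/your-area</param-value>
    </context-param>
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
        <init-param>
            <param-name>filterClass</param-name>
            <param-value>org.jasig.cas.client.authentication.AuthenticationFilter</param-value>
        </init-param>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login</param-value>
        </init-param>
        <init-param>
            <param-name>gateway</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
        <init-param>
            <param-name>filterClass</param-name>
            <param-value>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</param-value>
        </init-param>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
        <init-param>
            <param-name>filterClass</param-name>
            <param-value>au.org.ala.cas.client.AlaHttpServletRequestWrapperFilter</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>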
Then we deployed the hubs-webapp.war in the tomcat server. Unfortunately, when the user accesses ala-webapp, no authentication is requested by ala-portal.
What do we need to do in order to force all users to authenticate in jasig cas before they have access to hubs-webapp?
Regards,
Suelane/Silvio
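
Added example (not part of the original thread and not ALA or Jasig code): a small audit of a web.xml for the CAS client settings discussed above, namely CAS URLs that are not https, a serverName that carries the context path, and a missing contextPath. The sample web.xml is constructed from the values quoted in the thread; the gateway check is an addition based on the CAS client's gateway option and is not raised by anyone in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the settings quoted in the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>serverName</param-name>
    <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value></context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login</param-value></init-param>
    <init-param><param-name>gateway</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

# Settings that point at the CAS server and must use https for single sign-on.
CAS_URL_PARAMS = ("casServerLoginUrl", "casServerUrlPrefix", "casServerName")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def read_params(xml_text):
    """Collect every param-name/param-value pair (context-param and init-param)."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) in ("context-param", "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def audit(xml_text):
    """Return a list of findings for the CAS client settings."""
    p, findings = read_params(xml_text), []
    for name in CAS_URL_PARAMS:
        if name in p and urlparse(p[name]).scheme != "https":
            findings.append(f"{name} is not https: {p[name]}")
    if urlparse(p.get("serverName", "")).path not in ("", "/"):
        findings.append("serverName includes a path; keep host:port only")
    if not any(k.lower() == "contextpath" for k in p):
        findings.append("contextPath is not set")
    # Not from the thread: with gateway=true the filter does not force a login.
    if p.get("gateway", "").lower() == "true":
        findings.append("gateway=true: requests without a CAS session pass through")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML):
        print("WARN", finding)
```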