[Ala-portal] Cas Authentication - Hubs-Webapp

Nick.Dosremedios at csiro.au Nick.Dosremedios at csiro.au
Thu Apr 17 02:16:41 CEST 2014


Hi Suelane,

I’d suggest you try these 2 minor changes to the web.xml file:

1. Change the serverName section -
from:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
</context-param>

to:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080</param-value>
</context-param>
<context-param>
  <param-name>contextpath</param-name>
  <param-value>/hubs-webapp</param-value>
</context-param>

2. Change the server uriFilterPattern to:

<context-param>
  <param-name>uriFilterPattern</param-name>
  <param-value>/*</param-value>
</context-param>

I also note you are missing a few filter settings that we use in our version of hub-webapp. I’ve attached a sample “web.xml” file that you should look at, to check against, if the above changes do not work.

Regards

Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane at uol.com.br>
Date: Thursday, 17 April 2014 5:22 am
To: "ala-portal at lists.gbif.org" <ala-portal at lists.gbif.org>, "support at ala.org.au" <support at ala.org.au>
Subject: Cas Authentication - Hubs-Webapp


Hi all,

We need to force users to authenticate before they have access to ALA-PORTAL.

We found an authentication enforcement in the ala-collectory module, when the user tries to access the “admin” page, using JASIG Cas server.

We performed the following steps to test the authentication:

We deployed an instance of JASIG Cas server (http://www.jasig.org/cas) in server: http://143.107.102.247:65002/cas-server-webapp-3.4.12.1.

We configured ala-collectory to enforce authentication in the file ala-collectory-0.1.0/ala-collectory/grails-app/conf/config.groovy, using the following code:

/******************************************************************************\
*  SECURITY
\******************************************************************************/
if (!security.cas.uriFilterPattern) {
   security.cas.uriFilterPattern = "/admin.*,/collection.*,/institution.*,/contact.*,/reports.*," +
           "/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*"
}
if (!security.cas.loginUrl) {
   security.cas.loginUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login"
}
if (!security.cas.logoutUrl) {
   security.cas.logoutUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/logout"
}
if (!security.apikey.serviceUrl) {
   security.apikey.serviceUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/apikey/ws/check?apikey="
}
if(!security.cas.appServerName){
   security.cas.appServerName = "http://143.107.102.247:65002"
}
if(!security.cas.casServerName){
   security.cas.casServerName = "http://143.107.102.247:8080"
}
if(!security.cas.uriExclusionFilterPattern){
   security.cas.uriExclusionFilterPattern = '/images.*,/css.*,/js.*,/less.*'
}
if(!security.cas.authenticateOnlyIfLoggedInPattern){
   security.cas.authenticateOnlyIfLoggedInPattern = "" // pattern for pages that can optionally display info about the logged-in user
}
if(!security.cas.casServerUrlPrefix){
   security.cas.casServerUrlPrefix = 'http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/'
}
if(!security.cas.bypass){
   security.cas.bypass = true
}
if(!disableAlertLinks){
   disableAlertLinks = false
}

if(!disableOverviewMap){
   disableOverviewMap = false
}

Then we tried to access the admin section of the ala-collectory browser, which worked perfectly: ala-collectory redirected the call to the CAS server login page, and after the user provides the correct username and password the user is redirected again to the admin section of ala-collectory.

We would like to enforce the same authentication in ala-hubs, as shown in the figure adapted from wiki (attached).

We followed the steps in wiki:

https://code.google.com/p/ala-bie/wiki/Authentication#Example_web.xml_configuration .

In pom.xml of hubs-webapp directory we included the following code:

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-client-core</artifactId>
  <version>3.1.10</version>
  <type>jar</type>
  <scope>compile</scope>
</dependency>

<dependency>
  <groupId>au.org.ala</groupId>
  <artifactId>ala-cas-client</artifactId>
  <version>2.0-SNAPSHOT</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
    </exclusion>
  </exclusions>
</dependency>



In web.xml file we included the following code:

<!-- CAS Authentication related properties -->
<context-param>
  <!-- Parameter used by CAS filters -->
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
</context-param>

<context-param>
  <param-name>casServerName</param-name>
  <param-value>http://143.107.102.247:8080</param-value>
</context-param>

<context-param>
  <param-name>uriFilterPattern</param-name>
  <param-value>/, /occurrences/\d+, /occurrences/search, /explore/your-area</param-value>
</context-param>

<!-- CAS Authentication Service filters -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>org.jasig.cas.client.authentication.AuthenticationFilter</param-value>
  </init-param>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login</param-value>
  </init-param>
  <init-param>
    <param-name>gateway</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</param-value>
  </init-param>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>au.org.ala.cas.client.AlaHttpServletRequestWrapperFilter</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Then we deployed the hubs-webapp.war in the tomcat server. Unfortunately, when the user accesses ala-webapp no authentication is asked by ala-portal.

What do we need to do in order to force all users to authenticate in jasig cas before having access to hubs-webapp?

Regards,

Suelane/Silvio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: web.xml
Type: application/xml
Size: 6416 bytes
Desc: web.xml
Url : http://lists.gbif.org/pipermail/ala-portal/attachments/20140417/b86bfae6/attachment-0001.rdf 
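
An added example, not part of the original thread or of the ALA code base: a small Python audit of the web.xml settings discussed above. It flags a serverName that carries a path (the Jasig CAS client builds the service URL from serverName plus the request URI, which already includes the context path) and a uriFilterPattern other than /*. It also goes beyond the reply by flagging gateway=true, which in the Jasig AuthenticationFilter asks the CAS server not to prompt for credentials. The sample XML is constructed from the question, and audit, params and service_url are hypothetical names; service_url is a simplified model of the client's behaviour.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the question's settings, trimmed to the relevant elements.
WEB_XML = r"""<web-app>
  <context-param><param-name>serverName</param-name>
    <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value></context-param>
  <context-param><param-name>uriFilterPattern</param-name>
    <param-value>/, /occurrences/\d+, /occurrences/search, /explore/your-area</param-value></context-param>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <init-param><param-name>gateway</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""


def params(parent, tag):
    """Map param-name -> param-value for the <tag> children of parent."""
    return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
            for p in parent.findall(tag)}


def service_url(server_name, request_uri):
    """Simplified model: serverName + request URI (which starts with the context path)."""
    return server_name + request_uri


def audit(xml_text, request_uri="/hubs-webapp/occurrences/search"):
    """Return (setting, message) findings for the settings discussed in the thread."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    ctx, findings = params(root, "context-param"), []
    server = ctx.get("serverName", "")
    if urlsplit(server).path:                   # anything after host[:port]
        findings.append(("serverName", "contains a path; service URL would be "
                         + service_url(server, request_uri)))
    if ctx.get("uriFilterPattern") != "/*":
        findings.append(("uriFilterPattern", "does not cover every URI: "
                         + ctx.get("uriFilterPattern", "(unset)")))
    for flt in root.findall("filter"):
        if params(flt, "init-param").get("gateway", "").lower() == "true":
            findings.append(("gateway", flt.findtext("filter-name") + ": CAS is asked "
                             "not to prompt, so users without a session pass through"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(WEB_XML):
        print(f"{setting}: {message}")
```
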

