[Ala-portal] Cas Authentication - Hubs-Webapp

Nick.Dosremedios at csiro.au Nick.Dosremedios at csiro.au
Mon Apr 28 03:00:25 CEST 2014


Hi Suelane,

Could you also provide the URLs for the two screenshot images you included in the Word doc you attached? I.e., the URL for the login page (CAS login) and the following “connection refused” page. There might be something about those URLs that may explain the connection refused error(?).

Thanks,
Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane at uol.com.br>
Date: Saturday, 26 April 2014 4:53 am
To: Nick <nick.dosremedios at csiro.au>
Cc: "ala-portal at lists.gbif.org" <ala-portal at lists.gbif.org>, "support at ala.org.au" <support at ala.org.au>
Subject: Re: Cas Authentication - Hubs-Webapp

Hi Nick!

I am trying to integrate the Hubs-WEBAPP with CAS jasig.
It is partially working but I have some issues ...
I am sending attached the document explaining the issue and the Tomcat logs.

Thanks!
Regards.

Sueln
________________________________

From: Nick.Dosremedios at csiro.au
Sent: Tuesday, 22 April 2014 04:05
To: suelane at uol.com.br
Subject: Cas Authentication - Hubs-Webapp

Hi Suelane,

There are many variables to getting CAS working, so it's hard to tell what the problem is from your screenshots alone. One thing I can suggest is that you compare the web.xml file you are using with hubs-webapp to the generated web.xml in the Collectory grails app and try to work out what CAS settings are different that might be causing your issue.

Also, do your casServerName and loginUrl settings both start with “https”? Have you set the correct “contextPath” value (/hubs-webapp)?

Regards Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane at uol.com.br>
Date: Friday, 18 April 2014 7:45 am
To: Nick <nick.dosremedios at csiro.au>
Cc: "ala-portal at lists.gbif.org" <ala-portal at lists.gbif.org>, "support at ala.org.au" <support at ala.org.au>
Subject: Re: Cas Authentication - Hubs-Webapp


Hi Nick,
I did what you suggested and we integrated ala-hubs with jasig-cas.
Now, the Log in button (see image attached) redirects the hubs-webapp page to the jasig-cas authentication page.
Nevertheless, the search button on the same page can be accessed even if the user does not perform the log in operation.
We would like to know how to enforce this authentication before the user has access to perform a search in ala-hubs.
Thanks!
Regards.
________________________________

From: Nick.Dosremedios at csiro.au
Sent: Thursday, 17 April 2014 00:16
To: suelane at uol.com.br, ala-portal at lists.gbif.org, support at ala.org.au
Subject: Cas Authentication - Hubs-Webapp

Hi Suelane,

I’d suggest you try these 2 minor changes to the web.xml file:

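1. Change the serverName section -
from:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
</context-param>

to:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080</param-value>
</context-param>
<context-param>
  <param-name>contextpath</param-name>
  <param-value>/hubs-webapp</param-value>
</context-param>

2. Change the server uriFilterPattern to:

<context-param>
  <param-name>uriFilterPattern</param-name>
  <param-value>/*</param-value>
</context-param>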

I also note you are missing a few filter settings that we use in our version of hub-webapp. I’ve attached a sample “web.xml” file that you should look at, to check against, if the above changes do not work.

Regards

Nick
--
Nick dos Remedios
Atlas of Living Australia
http://www.ala.org.au/

From: "Suelane G. Fontes" <suelane at uol.com.br>
Date: Thursday, 17 April 2014 5:22 am
To: "ala-portal at lists.gbif.org" <ala-portal at lists.gbif.org>, "support at ala.org.au" <support at ala.org.au>
Subject: Cas Authentication - Hubs-Webapp


Hi all,

We need to require users to authenticate before they have access to ALA-PORTAL.

We found an authentication enforcement in the ala-collectory module, when the user tries to access the “admin” page, using JASIG Cas server.

We performed the following steps to test the authentication:

We deployed an instance of JASIG Cas server (http://www.jasig.org/cas) in server: http://143.107.102.247:65002/cas-server-webapp-3.4.12.1 .

We configured ala-collectory to enforce authentication in the file ala-collectory-0.1.0/ala-collectory/grails-app/conf/config.groovy, using the following code:

/******************************************************************************\
 *  SECURITY
\******************************************************************************/
if (!security.cas.uriFilterPattern) {
   security.cas.uriFilterPattern = "/admin.*,/collection.*,/institution.*,/contact.*,/reports.*," +
           "/providerCode.*,/providerMap.*,/dataProvider.*,/dataResource.*,/dataHub.*,/manage/.*"
}
if (!security.cas.loginUrl) {
   security.cas.loginUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login"
}
if (!security.cas.logoutUrl) {
   security.cas.logoutUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/logout"
}
if (!security.apikey.serviceUrl) {
   security.apikey.serviceUrl = "http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/apikey/ws/check?apikey="
}
if (!security.cas.appServerName) {
   security.cas.appServerName = "http://143.107.102.247:65002"
}
if (!security.cas.casServerName) {
   security.cas.casServerName = "http://143.107.102.247:8080"
}
if (!security.cas.uriExclusionFilterPattern) {
   security.cas.uriExclusionFilterPattern = '/images.*,/css.*,/js.*,/less.*'
}
if (!security.cas.authenticateOnlyIfLoggedInPattern) {
   security.cas.authenticateOnlyIfLoggedInPattern = "" // pattern for pages that can optionally display info about the logged-in user
}
if (!security.cas.casServerUrlPrefix) {
   security.cas.casServerUrlPrefix = 'http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/'
}
if (!security.cas.bypass) {
   security.cas.bypass = true
}
if (!disableAlertLinks) {
   disableAlertLinks = false
}

if (!disableOverviewMap) {
   disableOverviewMap = false
}

Then we tried to access the admin section of the ala-collectory browser, which worked perfectly: ala-collectory redirected the call to the CAS server login page, and after the user provides the correct username and password, the user is redirected again to the admin section of ala-collectory.

We would like to enforce the same authentication in ala-hubs, as shown in the figure adapted from wiki (attached).

We followed the steps in wiki:

https://code.google.com/p/ala-bie/wiki/Authentication#Example_web.xml_configuration .

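In pom.xml of the hubs-webapp directory we included the following code:

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-client-core</artifactId>
  <version>3.1.10</version>
  <type>jar</type>
  <scope>compile</scope>
</dependency>
<dependency>
  <groupId>au.org.ala</groupId>
  <artifactId>ala-cas-client</artifactId>
  <version>2.0-SNAPSHOT</version>
  <type>jar</type>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
    </exclusion>
  </exclusions>
</dependency>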

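In the web.xml file we included the following code:

<context-param>
  <param-name>serverName</param-name>
  <param-value>http://143.107.102.247:8080/hubs-webapp/</param-value>
</context-param>

<context-param>
  <param-name>casServerName</param-name>
  <param-value>http://143.107.102.247:8080</param-value>
</context-param>

<context-param>
  <param-name>uriFilterPattern</param-name>
  <param-value>/, /occurrences/\d+, /occurrences/search, /explore/your-area</param-value>
</context-param>

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>org.jasig.cas.client.authentication.AuthenticationFilter</param-value>
  </init-param>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1/login</param-value>
  </init-param>
  <init-param>
    <param-name>gateway</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</param-value>
  </init-param>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://143.107.102.247:65002/cas-server-webapp-3.4.12.1</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
  <init-param>
    <param-name>filterClass</param-name>
    <param-value>au.org.ala.cas.client.AlaHttpServletRequestWrapperFilter</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Then we deployed the hubs-webapp.war in the Tomcat server. Unfortunately, when the user accesses ala-webapp, no authentication is asked for by ala-portal.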

What do we need to do in order to require all users to authenticate in jasig cas before they have access to hubs-webapp?

Regards,

Suelane/Silvio
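
The checks raised in this thread (a serverName without the application path, CAS URLs that start with https) can be run mechanically against a web.xml. The script below is an added example, not part of the original thread or of ALA's code; the sample file and its host names are constructed, and the gateway check is an addition based on the Jasig CAS client's behaviour that gateway mode lets a request through without a ticket instead of forcing a login.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

URL_PARAMS = {"serverName", "casServerName", "casServerLoginUrl", "casServerUrlPrefix"}
# Constructed sample (not the poster's file); host names are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>serverName</param-name>
    <param-value>http://portal.example.org:8080/hubs-webapp/</param-value>
  </context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>au.org.ala.cas.client.UriFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://auth.example.org/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>gateway</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
</web-app>"""

def local(tag):
    """Drop the XML namespace so the same code handles any web.xml version."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return (param name, finding) pairs for CAS settings worth reviewing."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("context-param", "init-param"):
            continue
        kv = {local(c.tag): (c.text or "").strip() for c in el}
        name, value = kv.get("param-name", ""), kv.get("param-value", "")
        if name in URL_PARAMS:
            url = urlparse(value)
            if url.scheme != "https":
                findings.append((name, "not https"))
            if name == "serverName" and url.path not in ("", "/"):
                findings.append((name, "includes a path"))
        if name == "gateway" and value.lower() == "true":
            findings.append((name, "gateway mode does not force a login"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{name}: {finding}")
```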


