Liferay Portal 4.3.3 with WebSSO Acegi Client Developers Guide

Liferay Portal with Web Single Sign-On/Sign-Out Acegi Client (WebSSO Client) Installation and Configuration


The Liferay Portal with WebSSO Acegi Client is distributed both as a standalone project and as a component of other projects (such as caGrid). Each distribution contains a websso-client-liferay directory, herein referred to as WEBSSO_CLIENT_LOCATION. To install and configure the Liferay Portal with WebSSO Acegi Client, follow the steps below.

Step 1: Install Prerequisite Software


In order to install and run the WebSSO Acegi Client, the following prerequisites must be in place:

The WebSSO Server has been installed and configured. The URL of this server is used when configuring the WebSSO Client. Make sure the host identity of the WebSSO Client has been added as a delegated application in websso-properties.xml on the WebSSO Server. Details on how to install and configure a WebSSO Server can be found in the WebSSO Administrators Guide.

Also, the target web application is a Liferay Portal web application deployed in JBoss.

Step 2: Building Liferay WebSSO Acegi Client


You have to configure and build the websso-client-liferay project to deploy in JBoss.

  1. Replace the @...@ tokens with the respective values in portal-ext.properties in the WEBSSO_CLIENT_LOCATION/src/resources folder.

       cas.login.url=https://@WEBSSO_SERVER_URL@/webssoserver/login
       cas.logout.url=https://@WEBSSO_SERVER_URL@/webssoserver/logout
       cas.service.url=http://@LIFERAY_PORTAL_SERVER_URL@/c/portal/login
       cas.validate.url=https://@WEBSSO_SERVER_URL@/webssoserver/proxyValidate

  2. Replace the @...@ tokens with the respective values in cas-client.properties in the WEBSSO_CLIENT_LOCATION/src/resources folder.

       cas.server.url=https://@WEBSSO_SERVER_URL@/webssoserver
       cas.client.service=http://@LIFERAY_PORTAL_SERVER_URL@/c/portal

  3. Replace the @...@ tokens with the respective values in cagrid-liferay-acegi-application-context.xml in the WEBSSO_CLIENT_LOCATION/src/resources folder.

     Change the bean with id="portMapperImpl" so that it maps the HTTP port of the Liferay Portal Server to its HTTPS port:

       <bean id="portMapperImpl" class="org.acegisecurity.util.PortMapperImpl">
         <property name="portMappings">
           <map>
             <entry key="@HTTP.PORT@">
               <value>@HTTPS.PORT@</value>
             </entry>
           </map>
         </property>
       </bean>

     Change the bean with id="casAuthoritiesPopulator" so that it holds the absolute paths of the host certificate and the host key:

       <bean id="casAuthoritiesPopulator" class="org.cagrid.websso.client.acegi.WebSSOAuthoritiesPopulator">
         <property name="userDetailsService" ref="defaultUserDetailsService"></property>
         <property name="hostCertificate" value="@HOST.CREDENTIAL.CERTIFICATE@"></property>
         <property name="hostKey" value="@HOST.CREDENTIAL.KEY@"></property>
       </bean>

  4. Build the project:

       %> cd WEBSSO_CLIENT_LOCATION
       %> ant clean all
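The token substitution in Step 2 is easy to get half right: a value that was never supplied ships as the literal string @WEBSSO_SERVER_URL@ in the deployed properties file. The following Python script is an added example, not part of the websso-client-liferay project. It renders the portal-ext.properties template shown above from a dictionary of values (the host names websso.example.org and portal.example.org are constructed placeholders), then refuses the result if any token is still unresolved or if one of the WebSSO server URLs is not https. The HTTPS_ONLY_KEYS set is this example's own assumption, taken from the https:// prefixes the template already uses for the login, logout and validate URLs.

```python
import re
from typing import Dict, List

# Matches the @TOKEN@ placeholders used in the WebSSO client property templates.
TOKEN_RE = re.compile(r"@([A-Z0-9_.]+)@")

# Assumption of this example: these keys carry login, logout, ticket validation and
# server traffic, so they must stay on https as the template above already has them.
HTTPS_ONLY_KEYS = {"cas.login.url", "cas.logout.url", "cas.validate.url", "cas.server.url"}


def substitute_tokens(template: str, values: Dict[str, str]) -> str:
    """Replace every @NAME@ token that has a value; unknown tokens are left in place."""
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; blank and '#' lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(text: str) -> List[str]:
    """Return the problems found; an empty list means the file is ready to deploy."""
    problems = [f"unresolved token @{name}@" for name in TOKEN_RE.findall(text)]
    for key, value in parse_properties(text).items():
        if key in HTTPS_ONLY_KEYS and not value.startswith("https://"):
            problems.append(f"{key} must use https, got {value}")
    return problems


# Constructed input: the portal-ext.properties template from Step 2.
PORTAL_EXT_TEMPLATE = """\
cas.login.url=https://@WEBSSO_SERVER_URL@/webssoserver/login
cas.logout.url=https://@WEBSSO_SERVER_URL@/webssoserver/logout
cas.service.url=http://@LIFERAY_PORTAL_SERVER_URL@/c/portal/login
cas.validate.url=https://@WEBSSO_SERVER_URL@/webssoserver/proxyValidate
"""

# Constructed placeholder host names; replace them with the real server addresses.
VALUES = {
    "WEBSSO_SERVER_URL": "websso.example.org:8443",
    "LIFERAY_PORTAL_SERVER_URL": "portal.example.org:8080",
}


def render_portal_ext(values: Dict[str, str] = VALUES) -> str:
    """Render the template and raise instead of returning a file with problems."""
    rendered = substitute_tokens(PORTAL_EXT_TEMPLATE, values)
    problems = check_properties(rendered)
    if problems:
        raise ValueError("; ".join(problems))
    return rendered


if __name__ == "__main__":
    print(render_portal_ext())
    # Forgetting a value leaves a literal token behind, which the check reports.
    print(check_properties(substitute_tokens(PORTAL_EXT_TEMPLATE, {"WEBSSO_SERVER_URL": "websso.example.org"})))
```

The same functions apply unchanged to cas-client.properties; only the template string differs. Keeping the check separate from the substitution means it can also be run against a properties file that was edited by hand.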

Step 3: Obtain a Host Credential


The WebSSO Client provides the capability to retrieve a user's delegated credentials by connecting to the Credential Delegation Service (CDS). To use this feature, a host credential must be obtained for the container/server hosting the web application that will integrate with the WebSSO Client. A host credential consists of an X.509 certificate and a private key. Dorian provides the ability to issue and manage host credentials. There are several ways of obtaining host credentials, including:

  1. Requesting a credential from a known/trusted certificate authority (caGrid Certificate Authority).
  2. Standing up a Dorian service.
  3. Standing up a simple certificate authority.

Once the host credentials have been obtained and stored on the server, note the path to the certificate file and the key file. These paths are used to configure the Delegation Lookup filter.

Step 4: Configure Server to Trust the Certificate Authority


To connect to the Credential Delegation Service (CDS), one must configure the server hosting the Web Application to trust the CA that issued the host credentials obtained in the previous step.

NOTE: If you opt to start SyncGTS programmatically, do the following (for detailed steps refer to Step 7 and Step 8).

In order for SyncGTS to sync the CA certificates on the server hosting the web application, the master GTS Certificate Authority .0 file must be copied from the GTS server to that server: copy the master GTS CA .0 file from $HOME/.globus/certificates on the GTS server to the $HOME/.globus/certificates folder on the server hosting the web application.

NOTE: If you do not opt to start SyncGTS programmatically, do the following instead (for detailed steps refer to Step 7 and Step 8).

Place a copy of the certificate of the CA that issued the host credentials in the Globus trusted certificates directory. Unless otherwise specified during installation, this is usually USER_HOME/.globus/certificates. Globus requires all CA certificates in its trusted certificates directory to be in PEM format and to have a single-digit extension (0-9). For example, if a CA certificate is stored in the file cacert.pem, it should be copied to the directory USER_HOME/.globus/certificates (create the directory if needed) with the file name "cacert.0".
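A helper for the manual option above. The following Python script is an added example, not part of the WebSSO or Globus distributions. It checks that the CA file really is PEM before anything is written, copies it into the trusted certificates directory under the lowest free single-digit extension (cacert.pem becomes cacert.0, or cacert.1 if cacert.0 already holds a different certificate), and returns the certificate's SHA-1 fingerprint so that it can be compared with the value the CA publishes before the file is trusted. The bytes in SAMPLE_DER and OTHER_DER are constructed placeholders, not real certificates; run_demo() exercises the installer in a temporary directory so the script runs offline.

```python
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first certificate in a PEM file; raise if the file is not PEM."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("not a PEM certificate (no BEGIN/END CERTIFICATE markers)")
    return base64.b64decode("".join(match.group("body").split()))


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in the colon-separated form CAs usually publish."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def install_ca_cert(pem_path: Path, trust_dir: Path) -> Tuple[Path, str]:
    """Copy pem_path into trust_dir as <stem>.<digit>, using the lowest free digit.

    Globus only loads files whose extension is a single digit, so cacert.pem becomes
    cacert.0; if cacert.0 already holds a different certificate, cacert.1 is used.
    """
    pem_text = pem_path.read_text()
    der = pem_to_der(pem_text)  # validate the format before writing anything
    trust_dir.mkdir(parents=True, exist_ok=True)
    for digit in range(10):
        target = trust_dir / f"{pem_path.stem}.{digit}"
        if not target.exists():
            target.write_text(pem_text)
            os.chmod(target, 0o644)  # readable by the container, writable only by the owner
            return target, fingerprint(der)
        if pem_to_der(target.read_text()) == der:
            return target, fingerprint(der)  # same certificate already installed
    raise RuntimeError(f"no free digit extension for {pem_path.stem} in {trust_dir}")


def _fake_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed placeholders: these bytes are NOT real X.509 certificates; they only
# stand in for the DER payload so the file handling can be exercised offline.
SAMPLE_DER = b"constructed placeholder for the CA certificate that issued the host credential"
OTHER_DER = b"constructed placeholder for a second, unrelated CA certificate"
SAMPLE_PEM = _fake_pem(SAMPLE_DER)
OTHER_PEM = _fake_pem(OTHER_DER)


def run_demo() -> Dict[str, object]:
    """Exercise the installer in a throw-away directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trust = root / ".globus" / "certificates"
        first = root / "cacert.pem"
        first.write_text(SAMPLE_PEM)
        (root / "other").mkdir()
        second = root / "other" / "cacert.pem"  # a different CA with the same file name
        second.write_text(OTHER_PEM)
        not_pem = root / "notes.txt"
        not_pem.write_text("this is not a certificate\n")

        installed_first, fp = install_ca_cert(first, trust)
        again, _ = install_ca_cert(first, trust)  # re-running must not create cacert.1
        installed_second, _ = install_ca_cert(second, trust)
        try:
            install_ca_cert(not_pem, trust)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "first": installed_first.name,
            "again": again.name,
            "second": installed_second.name,
            "fingerprint": fp,
            "rejected_non_pem": rejected,
            "files": sorted(p.name for p in trust.iterdir()),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real server call install_ca_cert(Path("cacert.pem"), Path.home() / ".globus" / "certificates") and compare the returned fingerprint with the one obtained from the CA out of band; the idempotent re-run means the same command can be kept in a provisioning script.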

Step 5: Create Host Credential Keystore


  1. Download and unzip gridca.
  2. Open a command prompt and change to the gridca directory you just unzipped.
  3. At the command line type ant createTomcatKeystore. This runs a command line program that guides you through creating the keystore.
  4. At the Enter a location and name for your keystore: prompt, enter the file name and location at which to create your keystore.
  5. At the Enter a password for your keystore: prompt, enter a password for your keystore.
  6. At the Enter the location of the certificate (PEM format): prompt, enter the location of the host certificate you just created.
  7. At the Enter the location of the private key (PEM format): prompt, enter the location of the private key you just created.
  8. At the Enter the current password of the private key: prompt, enter the password of your private key; if your private key has no password (most cases), just press Enter.
  9. The program now creates your keystore at the location you specified. Below is sample output of the program just described:

       Enter a location and name for your keystore:mykeystore
       Enter a password for your keystore:password
       Enter the location of the certificate (PEM format):w:\certificates\dwight.bmi.ohio-state.edu-cert.pem
       Enter the location of the private key (PEM format):w:\certificates\dwight.bmi.ohio-state.edu-key.pem
       Enter the current password of the private key:


Step 6: Configuring JBOSS


Since the WebSSO Client runs over SSL, the Tomcat instance embedded in JBoss must be configured to enable SSL. To do so, complete the following:

  1. Edit the file JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml (example shown below).
  2. Uncomment the Connector element for port 8443 (SSL).
  3. Add a keystoreFile attribute containing the location of the keystore you just created.
  4. Add a keystorePass attribute containing the password of the keystore you just created.
  5. Restart JBOSS.

       <Connector protocol="org.apache.coyote.http11.Http11Protocol"
                  port="8443" minSpareThreads="5" maxSpareThreads="75"
                  enableLookups="true" disableUploadTimeout="true"
                  acceptCount="100"  maxThreads="200"
                  scheme="https" secure="true" SSLEnabled="true"
                  keystoreFile="C:/Documents and Settings/user_account/mykeystore" keystorePass="password"
                  clientAuth="false" sslProtocol="TLS"/>


Step 7: Integrating the WebSSO Acegi Client with Target Liferay Portal Server


Once host credentials have been obtained, you can integrate the WebSSO Acegi Client into your Liferay Portal Server.
The WEBSSO_CLIENT_LOCATION/build directory contains the following two configuration files:

cas-client-1.4-dev.properties
web-1.4-dev.xml

cas-client-1.4-dev.properties contains the configuration for connecting to the central CAS Single Sign-On server. Rename this file to cas-client.properties and copy it to the JBOSS_HOME/server/default/deploy/ROOT.war/WEB-INF/classes folder.
web-1.4-dev.xml is a sample file that shows the entries which need to be made in your web.xml file to enable the WebSSO Client capabilities in your application. Rename the file to web.xml.

Step 7.1: Modifying the web.xml File

You need to enable Spring Acegi integration with the Liferay Portal Server application. To do this, make the required entries in web.xml. A sample web.xml is shown below; this file can be found in the WEBSSO_CLIENT_LOCATION/build/ directory of the WebSSO Client release:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

  <!-- ******** Yale CAS Client integration with Liferay ********** -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			classpath:cagrid-liferay-acegi-application-context.xml
		</param-value>
	</context-param>
	<filter>
		<filter-name>AcegiSecurityFilter</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
		<init-param>
			<param-name>targetBean</param-name>
			<param-value>filterChainProxy</param-value>
		</init-param>
	</filter>
  <!-- *********************************************************** -->
	<filter>
		<filter-name>CAS Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.sso.cas.CASFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Auto Login Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.autologin.AutoLoginFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Compression Filter</filter-name>
		<filter-class>com.liferay.filters.compression.CompressionFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Double Click Filter</filter-name>
		<filter-class>com.liferay.filters.doubleclick.DoubleClickFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Header Filter</filter-name>
		<filter-class>com.liferay.filters.header.HeaderFilter</filter-class>
		<init-param>
			<param-name>Cache-Control</param-name>
			<param-value>max-age=172801, public</param-value>
		</init-param>
		<init-param>
			<param-name>Expires</param-name>
			<param-value>172801</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Layout Cache Filter - Friendly</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.layoutcache.LayoutCacheFilter</filter-class>
		<init-param>
			<param-name>pattern</param-name>
			<param-value>0</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Layout Cache Filter - Layout</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.layoutcache.LayoutCacheFilter</filter-class>
		<init-param>
			<param-name>pattern</param-name>
			<param-value>1</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Layout Cache Filter - Resource</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.layoutcache.LayoutCacheFilter</filter-class>
		<init-param>
			<param-name>pattern</param-name>
			<param-value>2</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Ntlm Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Secure MainServlet Filter</filter-name>
		<filter-class>com.liferay.filters.secure.SecureFilter</filter-class>
		<init-param>
			<param-name>portal_property_prefix</param-name>
			<param-value>main.servlet.</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Session Id Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.sessionid.SessionIdFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Strip Filter</filter-name>
		<filter-class>com.liferay.filters.strip.StripFilter</filter-class>
	</filter>
	<filter>
		<filter-name>Velocity Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.velocity.VelocityFilter</filter-class>
		<init-param>
			<param-name>pattern</param-name>
			<param-value>(.+)/css/main.css(.+)</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>Virtual Host Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter</filter-class>
	</filter>
 <!-- ******** Yale CAS Client integration with Liferay ********** -->
	<filter-mapping>
		<filter-name>AcegiSecurityFilter</filter-name>
		<url-pattern>/c/portal/*</url-pattern>
	</filter-mapping>
 <!-- ************************************************************ -->
	<filter-mapping>
		<filter-name>Session Id Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Virtual Host Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Filter</filter-name>
		<url-pattern>/c/portal/login</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Filter</filter-name>
		<url-pattern>/c/portal/logout</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Ntlm Filter</filter-name>
		<url-pattern>/c/portal/login</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/c/portal/change_password</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/c/portal/fckeditor</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/c/portal/layout</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/c/portal/login</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/c/portal/render_portlet</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Auto Login Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Friendly</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Friendly</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Friendly</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Layout</filter-name>
		<url-pattern>/c/portal/layout</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Resource</filter-name>
		<url-pattern>/c/portal/css_cached</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Layout Cache Filter - Resource</filter-name>
		<url-pattern>/c/portal/javascript_cached</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Double Click Filter</filter-name>
		<url-pattern>/c/portal/layout</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Double Click Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Double Click Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Double Click Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure MainServlet Filter</filter-name>
		<url-pattern>/c/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure MainServlet Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure MainServlet Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure MainServlet Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>/c/portal/css_cached</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>/c/portal/javascript_cached</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>/image/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>/language/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.css</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.gif</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.html</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.jpg</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.js</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Header Filter</filter-name>
		<url-pattern>*.png</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>/c/portal/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>*.css</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>*.html</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>*.js</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Compression Filter</filter-name>
		<url-pattern>*.jsp</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>/c/portal/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>*.css</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>*.html</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>*.js</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Strip Filter</filter-name>
		<url-pattern>*.jsp</url-pattern>
	</filter-mapping>
 <!-- ******** Yale CAS Client integration with Liferay ********** -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
<!-- ************************************************************* -->
	<listener>
		<listener-class>com.liferay.portal.servlet.PortalSessionListener</listener-class>
	</listener>
	<listener>
		<listener-class>com.liferay.portal.kernel.servlet.PortletSessionListenerManager</listener-class>
	</listener>
	<listener>
		<listener-class>com.liferay.portal.kernel.servlet.SerializableSessionAttributeListener</listener-class>
	</listener>
	<servlet>
		<servlet-name>MainServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.MainServlet</servlet-class>
		<init-param>
			<param-name>config</param-name>
			<param-value>/WEB-INF/struts-config.xml,/WEB-INF/struts-config-ext.xml</param-value>
		</init-param>
		<init-param>
			<param-name>debug</param-name>
			<param-value>0</param-value>
		</init-param>
		<init-param>
			<param-name>detail</param-name>
			<param-value>0</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>FriendlyURLPrivateGroupServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.FriendlyURLServlet</servlet-class>
		<init-param>
			<param-name>private</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>user</param-name>
			<param-value>false</param-value>
		</init-param>
		<load-on-startup>2</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>FriendlyURLPrivateUserServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.FriendlyURLServlet</servlet-class>
		<init-param>
			<param-name>private</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>user</param-name>
			<param-value>true</param-value>
		</init-param>
		<load-on-startup>3</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>FriendlyURLPublicServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.FriendlyURLServlet</servlet-class>
		<init-param>
			<param-name>private</param-name>
			<param-value>false</param-value>
		</init-param>
		<load-on-startup>4</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>ImageServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.ImageServlet</servlet-class>
		<load-on-startup>5</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>LanguageServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.LanguageServlet</servlet-class>
		<load-on-startup>6</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>LuceneServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.LuceneServlet</servlet-class>
		<load-on-startup>7</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>SitemapServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.SitemapServlet</servlet-class>
		<load-on-startup>8</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>PortalDelegatorServlet</servlet-name>
		<servlet-class>com.liferay.portal.kernel.servlet.PortalDelegatorServlet</servlet-class>
		<load-on-startup>9</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>ResourceProxyServlet</servlet-name>
		<servlet-class>com.liferay.portal.wsrp.servlet.ResourceProxyServlet</servlet-class>
		<load-on-startup>10</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>PortletBridgeServlet</servlet-name>
		<servlet-class>org.portletbridge.portlet.PortletBridgeServlet</servlet-class>
		<init-param>
			<param-name>mementoSessionKey</param-name>
			<param-value>mementoSessionKey</param-value>
		</init-param>
		<init-param>
			<param-name>cssRegex</param-name>
			<param-value>(?:url\((?:'|")?(.*?)(?:'|")?\))|(?:@import\s+[^url](?:'|")?(.*?)(?:'|")|;|\s+|$)</param-value>
		</init-param>
		<init-param>
			<param-name>jsRegex</param-name>
			<param-value>open\('([^']*)'|open\("([^\"]*)"</param-value>
		</init-param>
		<init-param>
			<param-name>ignoreRequestHeaders</param-name>
			<param-value>accept-encoding,connection,keep-alive</param-value>
		</init-param>
		<init-param>
			<param-name>ignorePostToGetRequestHeaders</param-name>
			<param-value>content-type,content-length</param-value>
		</init-param>
		<load-on-startup>11</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>SoftwareCatalogServlet</servlet-name>
		<servlet-class>com.liferay.portal.servlet.SoftwareCatalogServlet</servlet-class>
		<load-on-startup>12</load-on-startup>
	</servlet>

<!-- **************** SyncGTS  ********************************************* -->
	<servlet>
		<servlet-name>Start Auto Sync GTS</servlet-name>
		<servlet-class>org.cagrid.websso.common.StartSyncGTSServlet</servlet-class>
		<init-param>
			<description></description>
			<param-name>start-auto-syncgts</param-name>
			<param-value>no</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
<!-- ************************************************************* -->

	<servlet-mapping>
		<servlet-name>MainServlet</servlet-name>
		<url-pattern>/c/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>FriendlyURLPrivateGroupServlet</servlet-name>
		<url-pattern>/group/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>FriendlyURLPrivateUserServlet</servlet-name>
		<url-pattern>/user/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>FriendlyURLPublicServlet</servlet-name>
		<url-pattern>/web/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>ImageServlet</servlet-name>
		<url-pattern>/image/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>LanguageServlet</servlet-name>
		<url-pattern>/language/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>SitemapServlet</servlet-name>
		<url-pattern>/sitemap.xml</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>PortalDelegatorServlet</servlet-name>
		<url-pattern>/delegate/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>ResourceProxyServlet</servlet-name>
		<url-pattern>/wsrp/resource_proxy/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>PortletBridgeServlet</servlet-name>
		<url-pattern>/pbhs/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>SoftwareCatalogServlet</servlet-name>
		<url-pattern>/software_catalog/*</url-pattern>
	</servlet-mapping>
	<session-config>
		<session-timeout>30</session-timeout>
	</session-config>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	<jsp-config>
		<taglib>
			<taglib-uri>http://displaytag.sf.net</taglib-uri>
			<taglib-location>/WEB-INF/tld/displaytag.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://easyconf.sourceforge.net/tags-easyconf</taglib-uri>
			<taglib-location>/WEB-INF/tld/easyconf.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/core_rt</taglib-uri>
			<taglib-location>/WEB-INF/tld/c-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/fmt_rt</taglib-uri>
			<taglib-location>/WEB-INF/tld/fmt-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/sql_rt</taglib-uri>
			<taglib-location>/WEB-INF/tld/sql-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/jstl/xml_rt</taglib-uri>
			<taglib-location>/WEB-INF/tld/x-rt.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://java.sun.com/portlet</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-portlet.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://liferay.com/tld/portlet</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-portlet-ext.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://liferay.com/tld/security</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-security.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://liferay.com/tld/theme</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-theme.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://liferay.com/tld/ui</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-ui.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://liferay.com/tld/util</taglib-uri>
			<taglib-location>/WEB-INF/tld/liferay-util.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-bean</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-bean.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-bean-el</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-bean-el.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-html</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-html.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-html-el</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-html-el.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-logic</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-logic.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-logic-el</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-logic-el.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-nested</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-nested.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-tiles</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-tiles.tld</taglib-location>
		</taglib>
		<taglib>
			<taglib-uri>http://struts.apache.org/tags-tiles-el</taglib-uri>
			<taglib-location>/WEB-INF/tld/struts-tiles-el.tld</taglib-location>
		</taglib>
	</jsp-config>
	<resource-ref>
		<res-ref-name>jdbc/LiferayPool</res-ref-name>
		<res-type>javax.sql.DataSource</res-type>
		<res-auth>Container</res-auth>
		<res-sharing-scope>Shareable</res-sharing-scope>
	</resource-ref>
	<resource-ref>
		<res-ref-name>mail/MailSession</res-ref-name>
		<res-type>javax.mail.Session</res-type>
		<res-auth>Container</res-auth>
	</resource-ref>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>/c/portal/protected</web-resource-name>
			<url-pattern>/c/portal/protected</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>users</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>PortalRealm</realm-name>
		<form-login-config>
			<form-login-page>/c/portal/j_login</form-login-page>
			<form-error-page>/c/portal/j_login_error</form-error-page>
		</form-login-config>
	</login-config>
	<security-role>
		<role-name>users</role-name>
	</security-role>
</web-app>

Following are the entries in the web.xml file which should be added to the Liferay Portal Web Application's web.xml file:

Start-up Entries

  1. Start Auto Sync GTS - This entry loads the "org.cagrid.gaards.websso.client.utils.StartSyncGTSServlet" servlet on start-up. This servlet reads the sync-description.xml file from the classpath and starts the SyncGTS daemon. If the target application does not want to start the SyncGTS daemon automatically, either remove this entry from web.xml or set the param value to no, e.g. <param-value>no</param-value>.
NOTE: Depending on how many start-up servlets are configured for your application, you need to give the load-on-startup entry an appropriate number (based on the start-up order).

Entries

  1. contextConfigLocation - This entry defines the Spring-based cagrid-liferay-acegi-application-context.xml file, which is needed by the CAS Client. Copy this entry as it is into the client web application's web.xml file.
  2. AcegiSecurityFilter filter mapping - This entry invokes the CAS filters defined in cagrid-liferay-acegi-application-context.xml.
  3. listener-class - This entry points to the listener class that should be used. org.springframework.web.context.ContextLoaderListener is the bootstrap listener that starts up Spring's root WebApplicationContext.
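A check for the entries listed above and for the Start Auto Sync GTS start-up entry. The following Python script is an added example, not part of the WebSSO distribution. It parses a web.xml in the J2EE 2.4 namespace used by the sample above and lists which of the required pieces are missing: the contextConfigLocation context-param, the AcegiSecurityFilter definition, its filter-mapping on /c/portal/* (without which the portal login path is never passed through the Acegi filter chain), and the Spring ContextLoaderListener. It also reports the value of start-auto-syncgts when that servlet is present. The web.xml fragments at the bottom are constructed from the sample above so the script runs offline; on a real deployment call audit_web_xml(Path("web.xml").read_bytes()).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Union

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}
REQUIRED_CONTEXT = "cagrid-liferay-acegi-application-context.xml"
ACEGI_FILTER_CLASS = "org.acegisecurity.util.FilterToBeanProxy"
SPRING_LISTENER_CLASS = "org.springframework.web.context.ContextLoaderListener"


def _text(parent: ET.Element, path: str) -> Optional[str]:
    """Stripped text of the first child matching path (namespace-aware), or None."""
    node = parent.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def audit_web_xml(xml_source: Union[str, bytes]) -> Dict[str, object]:
    """Report the WebSSO-related entries missing from a Liferay web.xml."""
    root = ET.fromstring(xml_source)
    missing: List[str] = []

    # 1. contextConfigLocation must name the Acegi application context.
    ctx_values = [_text(cp, "j2ee:param-value") or ""
                  for cp in root.findall("j2ee:context-param", NS)
                  if _text(cp, "j2ee:param-name") == "contextConfigLocation"]
    if not any(REQUIRED_CONTEXT in value for value in ctx_values):
        missing.append("context-param contextConfigLocation")

    # 2. AcegiSecurityFilter must be defined with the FilterToBeanProxy class ...
    filters = {_text(f, "j2ee:filter-name"): _text(f, "j2ee:filter-class")
               for f in root.findall("j2ee:filter", NS)}
    if filters.get("AcegiSecurityFilter") != ACEGI_FILTER_CLASS:
        missing.append("filter AcegiSecurityFilter")

    # ... and mapped on /c/portal/*, otherwise the login path bypasses the filter chain.
    mappings = {(_text(m, "j2ee:filter-name"), _text(m, "j2ee:url-pattern"))
                for m in root.findall("j2ee:filter-mapping", NS)}
    if ("AcegiSecurityFilter", "/c/portal/*") not in mappings:
        missing.append("filter-mapping AcegiSecurityFilter -> /c/portal/*")

    # 3. Spring's ContextLoaderListener must be registered to load that context.
    listeners = {_text(ln, "j2ee:listener-class") for ln in root.findall("j2ee:listener", NS)}
    if SPRING_LISTENER_CLASS not in listeners:
        missing.append("listener ContextLoaderListener")

    # Start-up entry: read the start-auto-syncgts value if the servlet is present.
    auto_sync = None
    for servlet in root.findall("j2ee:servlet", NS):
        if _text(servlet, "j2ee:servlet-name") != "Start Auto Sync GTS":
            continue
        for param in servlet.findall("j2ee:init-param", NS):
            if _text(param, "j2ee:param-name") == "start-auto-syncgts":
                auto_sync = _text(param, "j2ee:param-value")
    return {"missing": missing, "start_auto_syncgts": auto_sync}


# Constructed fragments, copied from the sample web.xml above, so the check runs offline.
CONTEXT_PARAM = """
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:cagrid-liferay-acegi-application-context.xml
    </param-value>
  </context-param>"""
ACEGI_FILTER = """
  <filter>
    <filter-name>AcegiSecurityFilter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param><param-name>targetBean</param-name><param-value>filterChainProxy</param-value></init-param>
  </filter>"""
ACEGI_MAPPING = """
  <filter-mapping>
    <filter-name>AcegiSecurityFilter</filter-name>
    <url-pattern>/c/portal/*</url-pattern>
  </filter-mapping>"""
SPRING_LISTENER = """
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>"""
SYNCGTS_SERVLET = """
  <servlet>
    <servlet-name>Start Auto Sync GTS</servlet-name>
    <servlet-class>org.cagrid.websso.common.StartSyncGTSServlet</servlet-class>
    <init-param><param-name>start-auto-syncgts</param-name><param-value>no</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>"""


def build_web_xml(*parts: str) -> str:
    """Wrap fragments in a minimal J2EE 2.4 web-app element."""
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">'
            + "".join(parts) + "\n</web-app>\n")


COMPLETE_WEB_XML = build_web_xml(CONTEXT_PARAM, ACEGI_FILTER, ACEGI_MAPPING, SPRING_LISTENER, SYNCGTS_SERVLET)
# A web.xml where the filter was defined but never mapped and the listener was forgotten.
INCOMPLETE_WEB_XML = build_web_xml(CONTEXT_PARAM, ACEGI_FILTER)

if __name__ == "__main__":
    print(audit_web_xml(COMPLETE_WEB_XML))
    print(audit_web_xml(INCOMPLETE_WEB_XML))
```

Because the Liferay filters are unaffected by the check, it can be run against the merged web.xml after every upgrade of the portal to confirm that the WebSSO entries survived the merge.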

Step 7.2: Copy Acegi Client Dependent Jars into Liferay Portal Server

Copy all the jars from WEBSSO_CLIENT_LOCATION/build directory into JBOSS_HOME/server/default/deploy/ROOT.war/WEB-INF/lib directory.

Step 8: Copying Sync Description File


To sync with the Grid Trust Fabric, the Liferay Portal WebSSO Acegi Client needs a sync-description.xml file in its classpath, which it uses to start SyncGTS programmatically when the Start Auto Sync GTS servlet is configured in web.xml as described above. Obtain the sync-description.xml file for the grid you are connecting to from that grid's administrator, and place it in the classpath of the target application, for example in the classes folder (WEB-INF/classes) of the target application's web archive (war file).

NOTE: If you have not configured the Start Auto Sync GTS start-up servlet, the onus of syncing with the trust fabric falls on the administrator, who must start the SyncGTS daemon for the target web application manually. For detailed steps refer to GTS.

Step 9: Establish Trust with WebSSO CAS Server


For the client to trust the WebSSO Server, the WebSSO Server's public CA certificate must be installed in the truststore of the JRE that runs JBoss. This can be done with the following steps:

  1. On the target application server, copy the JRE's cacerts file (JAVA_HOME/lib/security/cacerts) to cacerts.old so it can be restored if needed.
  2. Compile and run the Java program given below: javac InstallCert.java, then java InstallCert <<CAS_SERVER_ADDRESS>>:<<CAS_SERVER_PORT>> [passphrase] (i.e. provide the argument "<<CAS_SERVER_ADDRESS>>:<<CAS_SERVER_PORT>>" to the executable "InstallCert"; the passphrase defaults to "changeit"). The program looks for jssecacerts in the current directory, then for jssecacerts and finally cacerts in the JRE's lib/security directory, so run it with the same JRE that JBoss uses. (The source is adapted from InstallCert.java, published by Andreas Sterbenz on his Sun blog, and is shown below.)
  3. Before answering the prompt, compare the fingerprints the program prints with those supplied by the WebSSO administrator; the program itself cannot distinguish the genuine WebSSO Server from a man-in-the-middle on first contact. Answer 1 to the prompt if the WebSSO Server presents a single self-signed certificate. If it presents a chain, entry 1 is the server's own certificate, and answering 1 pins that certificate and must be repeated whenever it is replaced; to trust the CA instead, enter the number of the issuing CA's certificate (the entry whose Subject matches the Issuer of entry 1).
    /*
     * @(#)InstallCert.java 1.1 06/10/09
     *
     * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
     * Use is subject to license terms.
     *
     * Adapted from Andreas Sterbenz's InstallCert: connects to a TLS server, prints
     * the certificate chain it presents together with fingerprints, and adds the
     * chosen certificate to the truststore. Compare the printed fingerprints with
     * values obtained from the WebSSO administrator before choosing an entry.
     */

    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import java.security.MessageDigest;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLException;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    public class InstallCert {

        public static void main(String[] args) throws Exception {
            String host;
            int port;
            char[] passphrase;
            if ((args.length == 1) || (args.length == 2)) {
                String[] c = args[0].split(":");
                host = c[0];
                port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
                String p = (args.length == 1) ? "changeit" : args[1];
                passphrase = p.toCharArray();
            } else {
                System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
                return;
            }

            // Truststore search order: ./jssecacerts, then <java.home>/lib/security/jssecacerts,
            // then <java.home>/lib/security/cacerts. Run with the JRE that JBoss uses.
            File file = new File("jssecacerts");
            if (!file.isFile()) {
                char SEP = File.separatorChar;
                File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
                file = new File(dir, "jssecacerts");
                if (!file.isFile()) {
                    file = new File(dir, "cacerts");
                }
            }
            System.out.println("Loading KeyStore " + file + "...");
            InputStream in = new FileInputStream(file);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try {
                ks.load(in, passphrase);
            } finally {
                in.close();
            }

            // Wrap the truststore's own trust manager so the chain the server sends is
            // captured even when validation fails, as it will on first contact.
            SSLContext context = SSLContext.getInstance("TLS");
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
            SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
            context.init(null, new TrustManager[] {tm}, null);
            SSLSocketFactory factory = context.getSocketFactory();

            System.out.println("Opening connection to " + host + ":" + port + "...");
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            socket.setSoTimeout(10000);
            try {
                System.out.println("Starting SSL handshake...");
                socket.startHandshake();
                System.out.println();
                System.out.println("No errors, certificate is already trusted");
            } catch (SSLException e) {
                System.out.println();
                e.printStackTrace(System.out);
            } finally {
                socket.close();
            }

            X509Certificate[] chain = tm.chain;
            if (chain == null) {
                System.out.println("Could not obtain server certificate chain");
                return;
            }

            BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

            // Entry 1 is the server's own certificate; its issuing CA follows it in the chain.
            System.out.println();
            System.out.println("Server sent " + chain.length + " certificate(s):");
            System.out.println();
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            MessageDigest sha1 = MessageDigest.getInstance("SHA1");
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = chain[i];
                System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectX500Principal());
                System.out.println("   Issuer  " + cert.getIssuerX500Principal());
                System.out.println("   sha256  " + toHexString(sha256.digest(cert.getEncoded())));
                System.out.println("   sha1    " + toHexString(sha1.digest(cert.getEncoded())));
                System.out.println("   md5     " + toHexString(md5.digest(cert.getEncoded())));
                System.out.println();
            }

            System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
            String line = reader.readLine().trim();
            int k;
            try {
                k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
            } catch (NumberFormatException e) {
                System.out.println("KeyStore not changed");
                return;
            }
            if (k < 0 || k >= chain.length) {
                System.out.println("No such certificate; KeyStore not changed");
                return;
            }

            X509Certificate cert = chain[k];
            String alias = host + "-" + (k + 1);
            ks.setCertificateEntry(alias, cert);

            OutputStream out = new FileOutputStream(file);
            try {
                ks.store(out, passphrase);
            } finally {
                out.close();
            }

            System.out.println();
            System.out.println(cert);
            System.out.println();
            System.out.println("Added certificate to keystore '" + file + "' using alias '" + alias + "'");
        }

        private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

        private static String toHexString(byte[] bytes) {
            StringBuilder sb = new StringBuilder(bytes.length * 3);
            for (int b : bytes) {
                b &= 0xff;
                sb.append(HEXDIGITS[b >> 4]);
                sb.append(HEXDIGITS[b & 15]);
                sb.append(' ');
            }
            return sb.toString();
        }

        private static class SavingTrustManager implements X509TrustManager {

            private final X509TrustManager tm;
            private X509Certificate[] chain;

            SavingTrustManager(X509TrustManager tm) {
                this.tm = tm;
            }

            public X509Certificate[] getAcceptedIssuers() {
                // Delegate instead of throwing: newer JDKs may call this while the
                // SSLContext is being initialised.
                return tm.getAcceptedIssuers();
            }

            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new UnsupportedOperationException();
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                this.chain = chain;   // saved before validation so a rejected chain is still shown
                tm.checkServerTrusted(chain, authType);
            }
        }

    }
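InstallCert trusts whatever the server presents at first contact and leaves the fingerprint comparison to the operator. The program below is an added example, not code from the WebSSO client distribution or from the Sterbenz original: it performs the same handshake, but imports only a certificate whose SHA-256 fingerprint equals a value the WebSSO administrator supplied out of band, and refuses to pin the server's own end-entity certificate. The class name PinnedCaImport, its argument layout, the default passphrase "changeit" and the alias suffix "-ca" are this example's own choices.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example (not part of the WebSSO client). Imports the WebSSO server's CA
// certificate into a truststore only when its SHA-256 fingerprint equals one obtained
// out of band, so nothing is trusted merely because the server presented it.
//
//   java PinnedCaImport <host>[:port] <expected-sha256-hex> <truststore> [passphrase]
public class PinnedCaImport {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("Usage: java PinnedCaImport <host>[:port] <sha256-hex> <truststore> [passphrase]");
            System.exit(2);
        }
        String[] hp = args[0].split(":");
        String host = hp[0];
        int port = (hp.length == 1) ? 443 : Integer.parseInt(hp[1]);
        String expected = normalizeHex(args[1]);
        File storeFile = new File(args[2]);
        char[] passphrase = ((args.length > 3) ? args[3] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(storeFile);
        try { ks.load(in, passphrase); } finally { in.close(); }

        X509Certificate[] chain = fetchServerChain(host, port, ks);
        if (chain == null) {
            System.err.println("No certificate chain received from " + host + ":" + port);
            System.exit(1);
        }
        // Print every certificate so a mismatch can be diagnosed, but import only the
        // one whose fingerprint matches the value supplied on the command line.
        X509Certificate match = null;
        for (int i = 0; i < chain.length; i++) {
            String fp = sha256Hex(chain[i].getEncoded());
            System.out.println((i + 1) + ". " + chain[i].getSubjectX500Principal() + "  sha256=" + fp);
            if (fp.equals(expected)) match = chain[i];
        }
        if (match == null) {
            System.err.println("Expected fingerprint not in the presented chain; truststore unchanged.");
            System.exit(1);
        }
        // getBasicConstraints() is -1 for an end-entity certificate. Refuse to pin the
        // server's own certificate: it stops matching as soon as the server key rotates.
        if (match.getBasicConstraints() < 0) {
            System.err.println("Fingerprint belongs to the server certificate, not a CA; truststore unchanged.");
            System.exit(1);
        }

        String alias = host + "-ca";
        ks.setCertificateEntry(alias, match);
        OutputStream out = new FileOutputStream(storeFile);
        try { ks.store(out, passphrase); } finally { out.close(); }
        System.out.println("Imported " + match.getSubjectX500Principal() + " into " + storeFile + " as '" + alias + "'");
    }

    // Handshake with the truststore's real trust manager so the outcome is reported
    // honestly, while a wrapper records the chain the server presented either way.
    static X509Certificate[] fetchServerChain(String host, int port, KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SavingTrustManager saving = new SavingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { saving }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            socket.startHandshake();
            System.out.println("Handshake succeeded: this truststore already trusts the server.");
        } catch (SSLException e) {
            System.out.println("Handshake rejected (expected before the CA is imported): " + e.getMessage());
        } finally {
            socket.close();
        }
        return saving.chain;
    }

    static String sha256Hex(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(HEX[(b >> 4) & 0xf]).append(HEX[b & 0xf]);
        return sb.toString();
    }

    // Accept "AB:CD:..." as printed by keytool or openssl as well as bare hex.
    static String normalizeHex(String s) {
        return s.replace(":", "").replace(" ", "").toLowerCase();
    }

    private static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        X509Certificate[] chain;
        SavingTrustManager(X509TrustManager tm) { this.tm = tm; }
        public X509Certificate[] getAcceptedIssuers() { return tm.getAcceptedIssuers(); }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new UnsupportedOperationException();
        }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            this.chain = c;   // saved before validation so a rejected chain is still inspectable
            tm.checkServerTrusted(c, a);
        }
    }
}
```

Compile with javac PinnedCaImport.java and run it with the JRE that JBoss uses, pointing it at that JRE's lib/security/cacerts after the backup from step 1. The expected fingerprint should come from the WebSSO administrator, for example as the SHA-256 line of keytool -printcert -file run against the CA certificate file they hand over, not from anything the running server sends.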
    
Last edited by Clayton Clark