E-mail
|
Key
This line was removed.
This word was removed. This word was added.
This line was added.
|
Comment:
Changes (21)
View Page History{composition-setup}
{composition-setup}
{composition-setup}
{section}
{column:width=50%}
{column:width=50%}
...
*Petals View* *External Authentication* {column}
{column:width=50%}
{panel}{toc}{panel}
{column}
{section}
h2. Introduction
By default, Petals View is configured to works with an embedded User Management system that allows to manage application users directly from the Petals View GUI. So, if you want to delegate authentication to a REALM system or LDAP system or CAS system, you have to do configurations according to your needs.
...{warning} Be careful, if you enable REALM, LDAP or CAS authentication, the User Management system embedded in Petals View will be completely disabled. So the User Management section in the Petals View GUI will become useless. Authentication will be managed by the REALM mode, LDAP server or CAS server and user roles management will be externalised {warning}
Go to the Petals View web application directory in your application server web app repository. We'll call it PETALSVIEW_ROOT in this page.
h2. Available roles
To use an external authentication, you need to add some specific roles to the users to customize their Petals View access rights. Here is a list of available roles:
...*ROLE_FLOWREFMANAGER*: allows the user to access to the Flow Referential management section. *ROLE_FLOWMANAGER*: allows the user to access to the Flow instances management section.
{warning}
You must add the role "*ROLE_AUTH*" to all users so that they're authorized to access the Petals View web application.
{warning}
h2. Authentication with REALM
h3. web.xml configuration
You must edit the web.xml (in PETALSVIEW_ROOT/WEB-INF repository) file and change comments. Comment the "classical authentication" section and the line "/WEB-INF/spring/petals-view-security-classical.xml". Uncomment the "realm authentication" section.
An exemple *web.xml* is provided here :
{toggle-cloak:id=code1}Display code example
{cloak:id=code1}
{code:lang=xml}
<web-app id="WebApp_ID" version="2.4"
<web-app id="WebApp_ID" version="2.4"
... xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Petals View</display-name>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/PetalsViewDataSource</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</resource-ref>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-name>contextConfigLocation</param-name>
... <param-value> <!-- #################################-->
<!-- Here, you can define the datasource access, by default you must specify the jndi datasource in your -->
<!-- container with name jdbc/PetalsViewDataSource. If you choose c3po or dbcp datasource, you must configure-->
<!-- the petals-view.properties with your informations. -->
<!-- #################################-->
/WEB-INF/spring/petals-view-datasource-jndi.xml
<!-- /WEB-INF/spring/petals-view-datasource-c3po.xml -->
<!-- /WEB-INF/spring/petals-view-datasource-dbcp.xml -->
<!-- #################################-->
<!-- Here, you can configure the spring security authentication. If you choose cas or ldap authentication,-->
<!-- you must configure it with your properties. If you choose a realm authentication, all spring security -->
<!-- authentication files must be commented. -->
<!-- #################################-->
<!--/WEB-INF/spring/petals-view-security-classical.xml-->
<!-- /WEB-INF/spring/petals-view-security-cas.xml -->
<!-- /WEB-INF/spring/petals-view-security-ldap.xml -->
<!-- #################################-->
<!-- Here, all files must be uncommented, they are necessary to application configuration.-->
<!-- #################################-->
/WEB-INF/spring/petals-view-annotation.xml
/WEB-INF/spring/petals-view-hibernate.xml
/WEB-INF/spring/petals-view-transaction.xml
classpath:web-commons-user-all.xml
/WEB-INF/spring/petals-view-ui.xml
/WEB-INF/spring/petals-view-ws.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/log4j.xml</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>petalview.root</param-value>
</context-param>
<listener>
<listener-class>com.ebmwebsourcing.petalsview.init.StartupContext</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- Listerner for security - Publishes events for session creation and -->
<!-- destruction through the application - context. Optional unless concurrent -->
<!-- session control is being used. -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<welcome-file-list>
<welcome-file>petals-view/pg/pages/Welcome</welcome-file>
</welcome-file-list>
<servlet>
<description>The main open SUIT servlet</description>
<display-name>OpenSUITServlet</display-name>
<servlet-name>OpenSUITServlet</servlet-name>
<servlet-class>com.ebmwebsourcing.petalsview.init.FlowWatchServlet</servlet-class>
<init-param>
<param-name>xml</param-name>
<param-value>/WEB-INF/FlowWatch.xml</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>OpenSUITServlet</servlet-name>
<url-pattern>/petals-view/*</url-pattern>
</servlet-mapping>
<!-- ################################# CXF Servlet used to expose petals-view -->
<!-- api as web service ################################# -->
<servlet>
<display-name>CXF Servlet</display-name>
<servlet-name>CXFServlet</servlet-name>
<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/ws/*</url-pattern>
</servlet-mapping>
<!-- ################################# H2 Console (for dev purposes) ################################# -->
<!-- <servlet> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <servlet-class>org.h2.server.web.WebServlet</servlet-class> -->
<!-- <load-on-startup>1</load-on-startup> -->
<!-- </servlet> -->
<!-- <servlet-mapping> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <url-pattern>/h2console/*</url-pattern> -->
<!-- </servlet-mapping> -->
<!-- ################################# Configuration for spring security
cas authentication ################################# -->
<!-- <filter> -->
<!-- <filter-name>CAS Single Sign Out Filter</filter-name> -->
<!-- <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> -->
<!-- </filter> -->
<!-- <filter-mapping> -->
<!-- <filter-name>CAS Single Sign Out Filter</filter-name> -->
<!-- <url-pattern>/*</url-pattern> -->
<!-- </filter-mapping> -->
<!-- ################################# -->
<!-- Configuration for spring security -->
<!-- classical authentication + ldap authentication. Must be commented, if realm -->
<!-- configuration is choosing. -->
<!-- ################################# -->
<!--
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- ################################# Configuration for realm authentication. -->
<!-- Must be commented if spring security authentication is choosing. ################################# -->
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/petals-view/pg/pages/Welcome</url-pattern>
<url-pattern>/petals-view/pg/pages/admin/*</url-pattern>
<url-pattern>/petals-view/pg/pages/flow/*</url-pattern>
<url-pattern>/petals-view/pg/pages/ref/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_AUTH</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Petals View</realm-name>
<form-login-config>
<form-login-page>/petals-view/pg/pages/LoginRealm</form-login-page>
<form-error-page>/petals-view/pg/pages/LoginError</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>ROLE_AUTH</role-name>
</security-role>
<!-- ################################# A filter used to open and close hibernate -->
<!-- sessions ################################# -->
<filter>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/ws/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
{code}
{cloak}
You must configure your server to add realm security.
...h3. Tomcat configuration For Tomcat, you must edit context.xml (in PETALSVIEW_ROOT/META-INF/ repository). Uncomment "JAAS implementation" or "JNDI implementation for ldap" or "JDBC implementation" and change the configuration according to your need.
An exemple *context.xml* is provided here with JAAS implementation:
{toggle-cloak:id=code2}Display code example
{cloak:id=code2}
{code:lang=xml}
<Context>
<Context>
... <!-- JDBC DataSource could be configured here for Tomcat -->
<!--
#################################
By default, the datasource access is provided by JNDI.
Here, the database must be specified (its driverClass, jdbcUrl,user, password),
the c3p0 properties can be modified (maxPoolSize, minPoolSize, acquireIncrement)
#################################
-->
<!-- ###################### H2 DataSource configuration example-->
<Resource name="jdbc/PetalsViewDataSource"
auth="Container"
factory="org.apache.naming.factory.BeanFactory"
type="com.mchange.v2.c3p0.ComboPooledDataSource"
driverClass="org.h2.Driver"
jdbcUrl="jdbc:h2:~/test/db/petalsview;AUTO_SERVER=TRUE"
user="sa"
password="sa"
maxPoolSize="10"
minPoolSize="2"
acquireIncrement="2" />
<!-- ###################### MySQL DataSource configuration example-->
<!--
<Resource name="jdbc/PetalsViewDataSource"
auth="Container"
factory="org.apache.naming.factory.BeanFactory"
type="com.mchange.v2.c3p0.ComboPooledDataSource"
driverClass="com.mysql.jdbc.Driver"
jdbcUrl="jdbc:mysql://<yourhost>:3306/<yourdatabse>"
user="<youruser>"
password="<userpass>"
maxPoolSize="10"
minPoolSize="2"
acquireIncrement="2" />
-->
<!-- ###################### PostgreSQL DataSource configuration example-->
<!--
<Resource name="jdbc/PetalsViewDataSource"
auth="Container"
factory="org.apache.naming.factory.BeanFactory"
type="com.mchange.v2.c3p0.ComboPooledDataSource"
driverClass="org.postgresql.Driver"
jdbcUrl="jdbc:postgresql://<your host>:5432/<your database>"
user="<your user>"
password="<password>"
maxPoolSize="10"
minPoolSize="2"
acquireIncrement="2" />
-->
<!-- ###################### Oracle DataSource configuration example -->
<!--
<Resource name="jdbc/PetalsViewDataSource"
auth="Container"
factory="org.apache.naming.factory.BeanFactory"
type="com.mchange.v2.c3p0.ComboPooledDataSource"
driverClass="oracle.jdbc.driver.OracleDriver"
jdbcUrl="jdbc:oracle:thin:@<your host>:1521:<your database>"
user="<your user>"
password="<password>"
maxPoolSize="10"
minPoolSize="2"
acquireIncrement="2" />
-->
<!--
#################################
Here, you can define a petals-view.properties file
where is defined:
the properties to configure a basic datasource access or
c3p0 datasource access if jndi datasource access isn't used.
the cas properties.
#################################
-->
<!-- <Parameter name="petalsViewConfig"
value="file:///yourLocation/petals-view.properties" />-->
<!--
#################################
Here, you can define the realm which uses a JAAS implementation.
The configuration by default, is the PetalsView JDBCLoginModule.
#################################
-->
<Realm appName="JaasConf"
className="org.apache.catalina.realm.JAASRealm" debug="99"
roleClassNames="com.ebmwebsourcing.webcommons.user.api.to.RoleTO"
userClassNames="com.ebmwebsourcing.webcommons.user.api.to.UserTO" />
<!--
#################################
Here, you can define the realm which uses a JNDI implementation,
to retrieve users in ldap server.
#################################
-->
<!--
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionName="cn=admin,dc=<your dc>"
connectionPassword="<password>"
connectionURL="ldap://<your host>:389"
userPassword="<user password>"
userPattern="<your pattern>"
roleBase="ou=groups,dc=<your dc>"
roleName="cn"
roleSearch="(memberUid={1})" />
-->
<!--
#################################
Here, you can define the realm which uses a classical JDBC access
to retrieve users in database.
#################################
-->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://<your host>:3306/<your database>"
connectionName="<your user>"
connectionPassword="<password>"
userTable="Users"
userNameCol="user_name"
userCredCol="password"
userRoleTable="Users_Roles"
roleNameCol="role_name"
digest="MD5" />
-->
</Context>
{code}
{cloak}
h2. Authentification with LDAP
...h3. web.xml configuration You must edit the web.xml (in PETALSVIEW_ROOT/WEB-INF repository) file and change comments. Comment the line "/WEB-INF/spring/petals-view-security-classical.xml" and uncomment the line "/WEB-INF/spring/petals-view-security-ldap.xml".
An exemple *web.xml* is provided here:
{toggle-cloak:id=code3}Display code example
{cloak:id=code3}
{cloak:id=code3}
{code:lang=xml}
<web-app id="WebApp_ID" version="2.4"
<web-app id="WebApp_ID" version="2.4"
... xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Petals View</display-name>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/PetalsViewDataSource</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
<!-- #################################-->
<!-- Here, you can define the datasource access, by default you must specify the jndi datasource in your -->
<!-- container with name jdbc/PetalsViewDataSource. If you chosse c3po or dbcp datasource, you must configure-->
<!-- the petals-view.properties with your informations -->
<!-- #################################-->
/WEB-INF/spring/petals-view-datasource-jndi.xml
<!-- /WEB-INF/spring/petals-view-datasource-c3po.xml -->
<!-- /WEB-INF/spring/petals-view-datasource-dbcp.xml -->
<!-- #################################-->
<!-- Here, you can define the spring security authentication, if you choose cas or ldap authentication,-->
<!-- you must configure it with your properties. If you choose a realm authentication, all spring security -->
<!-- authentication files must be commented. -->
<!-- #################################-->
<!--/WEB-INF/spring/petals-view-security-classical.xml-->
<!-- /WEB-INF/spring/petals-view-security-cas.xml -->
/WEB-INF/spring/petals-view-security-ldap.xml
<!-- #################################-->
<!-- Here, all files must be uncommented, they are necessaries to application configuration.-->
<!-- #################################-->
/WEB-INF/spring/petals-view-annotation.xml
/WEB-INF/spring/petals-view-hibernate.xml
/WEB-INF/spring/petals-view-transaction.xml
classpath:web-commons-user-all.xml
/WEB-INF/spring/petals-view-ui.xml
/WEB-INF/spring/petals-view-ws.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/log4j.xml</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>petalview.root</param-value>
</context-param>
<listener>
<listener-class>com.ebmwebsourcing.petalsview.init.StartupContext</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- Listerner for security - Publishes events for session creation and -->
<!-- destruction through the application - context. Optional unless concurrent -->
<!-- session control is being used. -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<welcome-file-list>
<welcome-file>petals-view/pg/pages/Welcome</welcome-file>
</welcome-file-list>
<servlet>
<description>The main open SUIT servlet</description>
<display-name>OpenSUITServlet</display-name>
<servlet-name>OpenSUITServlet</servlet-name>
<servlet-class>com.ebmwebsourcing.petalsview.init.FlowWatchServlet</servlet-class>
<init-param>
<param-name>xml</param-name>
<param-value>/WEB-INF/FlowWatch.xml</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>OpenSUITServlet</servlet-name>
<url-pattern>/petals-view/*</url-pattern>
</servlet-mapping>
<!-- ################################# CXF Servlet used to expose petals-view -->
<!-- api as web service ################################# -->
<servlet>
<display-name>CXF Servlet</display-name>
<servlet-name>CXFServlet</servlet-name>
<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/ws/*</url-pattern>
</servlet-mapping>
<!-- ################################# H2 Console (for dev purposes) ################################# -->
<!-- <servlet> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <servlet-class>org.h2.server.web.WebServlet</servlet-class> -->
<!-- <load-on-startup>1</load-on-startup> -->
<!-- </servlet> -->
<!-- <servlet-mapping> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <url-pattern>/h2console/*</url-pattern> -->
<!-- </servlet-mapping> -->
<!-- ################################# Configuration for spring security
cas authentication ################################# -->
<!-- <filter> -->
<!-- <filter-name>CAS Single Sign Out Filter</filter-name> -->
<!-- <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> -->
<!-- </filter> -->
<!-- <filter-mapping> -->
<!-- <filter-name>CAS Single Sign Out Filter</filter-name> -->
<!-- <url-pattern>/*</url-pattern> -->
<!-- </filter-mapping> -->
<!-- ################################# -->
<!-- Configuration for spring security -->
<!-- classical authentication + ldap authentication. Must be commented, if realm -->
<!-- configuration is choosing. -->
<!-- ################################# -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ################################# Configuration for realm authentication. -->
<!-- Must be commented if spring security authentication is choosing. ################################# -->
<!-- <security-constraint> -->
<!-- <web-resource-collection> -->
<!-- <web-resource-name>all</web-resource-name> -->
<!-- <url-pattern>/petals-view/pg/pages/Welcome</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/admin/*</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/flow/*</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/ref/*</url-pattern> -->
<!-- </web-resource-collection> -->
<!-- <auth-constraint> -->
<!-- <role-name>ROLE_AUTH</role-name> -->
<!-- </auth-constraint> -->
<!-- </security-constraint> -->
<!-- <login-config> -->
<!-- <auth-method>FORM</auth-method> -->
<!-- <realm-name>Petals View</realm-name> -->
<!-- <form-login-config> -->
<!-- <form-login-page>/petals-view/pg/pages/LoginRealm</form-login-page> -->
<!-- <form-error-page>/petals-view/pg/pages/LoginError</form-error-page> -->
<!-- </form-login-config> -->
<!-- </login-config> -->
<!-- <security-role> -->
<!-- <description></description> -->
<!-- <role-name>ROLE_AUTH</role-name> -->
<!-- </security-role> -->
<!-- ################################# A filter used to open and close hibernate -->
<!-- sessions ################################# -->
<filter>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/ws/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
{code}
{cloak}
h3. petals-view-security-ldap.xml configuration
...Edit petals-view-security-ldap.xml (in PETALSVIEW_ROOT/WEB-INF/spring repository), and change configuration according to your need. An example petals-view-security-ldap.xml is provided here:
{toggle-cloak:id=code4}Display code example
{cloak:id=code4}
{code:lang=xml}
<beans xmlns:security="http://www.springframework.org/schema/security"
<beans xmlns:security="http://www.springframework.org/schema/security"
... xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http>
<security:intercept-url pattern="/petals-view/pg/pages/Login"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<security:form-login default-target-url="/petals-view/pg/pages/Login"
login-page="/petals-view/pg/pages/Login" authentication-failure-url="/petals-view/pg/pages/Login?login_error=1" />
<security:anonymous />
<security:logout logout-success-url="/petals-view/pg/pages/Login" />
</security:http>
<security:ldap-server id="ldapServer" url="ldap://yourhost:389"
manager-dn="CN=admin,DC=yourdc" manager-password="yourpassword" />
<security:authentication-manager>
<security:ldap-authentication-provider
server-ref="ldapServer"
user-search-base="ou=people,dc=yourdc"
user-search-filter="(uid={0})"
group-role-attribute="cn"
group-search-base="ou=groups,dc=yourdc"
group-search-filter="(memberUid={1})"
role-prefix="ROLE_" />
</security:authentication-manager>
</beans
{code}
{cloak}
h2. Authentification with CAS
...h3. Overview CAS is an enterprise Single Sign-On solution for web services. _Single Sign-On_ (SSO) means a better user experience when running a multitude of web services, each with it's own means of authentication. With a SSO solution, different web services may authenticate to one authorative source of trust, that the user needs to log in to, instead of requiring the end-user to log in into each separate service.
JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Petals View could be connected to a CAS server to provide single sign on.
Somewhere in your enterprise you will need to setup a CAS server. The CAS server is simply a standard WAR file, so there isn't anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign on pages displayed to users.
You can learn more about CAS at [http://www.ja-sig.org/cas|http://www.ja-sig.org/cas]. You will also need to visit this site to download the CAS Server files.
h3. web.xml configuration
You must edit the web.xml (in PETALSVIEW_ROOT/WEB-INF repository) file and change comments. Comment the line "/WEB-INF/spring/petals-view-security-classical.xml" and uncomment the line "/WEB-INF/spring/petals-view-security-cas.xml". Comment "classical authentication" section and uncomment "cas authentication" section.
An exemple *web.xml* is provided here :
{toggle-cloak:id=code5}Display code example
{cloak:id=code5}
{code:lang=xml}
<web-app id="WebApp_ID" version="2.4"
<web-app id="WebApp_ID" version="2.4"
... xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Petals View</display-name>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/PetalsViewDataSource</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
<!-- #################################-->
<!-- Here, you can define the datasource access, by default you must specify the jndi datasource in your -->
<!-- container with name jdbc/PetalsViewDataSource. If you chosse c3po or dbcp datasource, you must configure-->
<!-- the petals-view.properties with your informations -->
<!-- #################################-->
/WEB-INF/spring/petals-view-datasource-jndi.xml
<!-- /WEB-INF/spring/petals-view-datasource-c3po.xml -->
<!-- /WEB-INF/spring/petals-view-datasource-dbcp.xml -->
<!-- #################################-->
<!-- Here, you can define the spring security authentication, if you choose cas or ldap authentication,-->
<!-- you must configure it with your properties. If you choose a realm authentication, all spring security -->
<!-- authentication files must be commented. -->
<!-- #################################-->
<!--/WEB-INF/spring/petals-view-security-classical.xml-->
<!-- /WEB-INF/spring/petals-view-security-cas.xml -->
/WEB-INF/spring/petals-view-security-ldap.xml
<!-- #################################-->
<!-- Here, all files must be uncommented, they are necessaries to application configuration.-->
<!-- #################################-->
/WEB-INF/spring/petals-view-annotation.xml
/WEB-INF/spring/petals-view-hibernate.xml
/WEB-INF/spring/petals-view-transaction.xml
classpath:web-commons-user-all.xml
/WEB-INF/spring/petals-view-ui.xml
/WEB-INF/spring/petals-view-ws.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/log4j.xml</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>petalview.root</param-value>
</context-param>
<listener>
<listener-class>com.ebmwebsourcing.petalsview.init.StartupContext</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- Listerner for security - Publishes events for session creation and -->
<!-- destruction through the application - context. Optional unless concurrent -->
<!-- session control is being used. -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<welcome-file-list>
<welcome-file>petals-view/pg/pages/Welcome</welcome-file>
</welcome-file-list>
<servlet>
<description>The main open SUIT servlet</description>
<display-name>OpenSUITServlet</display-name>
<servlet-name>OpenSUITServlet</servlet-name>
<servlet-class>com.ebmwebsourcing.petalsview.init.FlowWatchServlet</servlet-class>
<init-param>
<param-name>xml</param-name>
<param-value>/WEB-INF/FlowWatch.xml</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>OpenSUITServlet</servlet-name>
<url-pattern>/petals-view/*</url-pattern>
</servlet-mapping>
<!-- ################################# CXF Servlet used to expose petals-view -->
<!-- api as web service ################################# -->
<servlet>
<display-name>CXF Servlet</display-name>
<servlet-name>CXFServlet</servlet-name>
<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/ws/*</url-pattern>
</servlet-mapping>
<!-- ################################# H2 Console (for dev purposes) ################################# -->
<!-- <servlet> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <servlet-class>org.h2.server.web.WebServlet</servlet-class> -->
<!-- <load-on-startup>1</load-on-startup> -->
<!-- </servlet> -->
<!-- <servlet-mapping> -->
<!-- <servlet-name>H2Console</servlet-name> -->
<!-- <url-pattern>/h2console/*</url-pattern> -->
<!-- </servlet-mapping> -->
<!-- ################################# Configuration for spring security
cas authentication ################################# -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> -->
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern> -->
</filter-mapping> -->
<!-- ################################# -->
<!-- Configuration for spring security -->
<!-- classical authentication + ldap authentication. Must be commented, if realm -->
<!-- configuration is choosing. -->
<!-- ################################# -->
<!--
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- ################################# Configuration for realm authentication. -->
<!-- Must be commented if spring security authentication is choosing. ################################# -->
<!-- <security-constraint> -->
<!-- <web-resource-collection> -->
<!-- <web-resource-name>all</web-resource-name> -->
<!-- <url-pattern>/petals-view/pg/pages/Welcome</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/admin/*</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/flow/*</url-pattern> -->
<!-- <url-pattern>/petals-view/pg/pages/ref/*</url-pattern> -->
<!-- </web-resource-collection> -->
<!-- <auth-constraint> -->
<!-- <role-name>ROLE_AUTH</role-name> -->
<!-- </auth-constraint> -->
<!-- </security-constraint> -->
<!-- <login-config> -->
<!-- <auth-method>FORM</auth-method> -->
<!-- <realm-name>Petals View</realm-name> -->
<!-- <form-login-config> -->
<!-- <form-login-page>/petals-view/pg/pages/LoginRealm</form-login-page> -->
<!-- <form-error-page>/petals-view/pg/pages/LoginError</form-error-page> -->
<!-- </form-login-config> -->
<!-- </login-config> -->
<!-- <security-role> -->
<!-- <description></description> -->
<!-- <role-name>ROLE_AUTH</role-name> -->
<!-- </security-role> -->
<!-- ################################# A filter used to open and close hibernate -->
<!-- sessions ################################# -->
<filter>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/petals-view/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>OpenHibernateSessionInViewFilter</filter-name>
<url-pattern>/ws/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
{code}
{cloak}
h3. Configure CAS properties
...Now you have to configure CAS properties in the *PETALSVIEW_ROOT{*}*/WEB-INF/Classes/*{*}petalsview.properties* file. Here is a sample configuration for a CAS server available at "https://localhost:8443/cas" and a Petals View instance available at "http://localhost:9080/petals-view-ui": {code}
## CAS properties
cas.server.url = https://localhost:8443/cas
cas.logout.path = /logout
cas.login.path = /login
webapp.url = http://localhost:9080/petals-view-ui
{code}
*cas.server.url* : your CAS server URL.
*cas.logout.path* : the path to the CAS server logout page. In the above example, the full URL to the logout page is: [https://localhost:8443/cas/logout].
{color:#333333}{*}cas.login.path{*}{color} {color:#333333}: the path to the CAS server login page. In the above example, the full URL to the login page is : {color}{color:#000000}https:{color}{color:#000000}//localhost:8443/cas/login.{color}
... {color:#000000}{*}webapp.url{*}{color} {color:#000000}:{color} the URL to your Petals View webapp. This URL must be accessible from the CAS server as it will redirect to this URL after authentication.
h3. *petals-view-security-cas.xml* configuration
By default, Petals View CAS authentication manager is plugged with a user rights manager that provides all rights to all authenticated users. If you would like to customize this behavior, you need to configure an other user rights manager. This could be done in the *PETALSVIEW_ROOT{*}*/WEB-INF/spring/petals-view-security-cas.xml* file. You have to change the bean called "myUserDetailsService" to point to your custom user detail service. Here is the code snippet showing the default user details service configuration provided by Petals View.
{code:lang=xml}
<bean id="myUserDetailsService"
class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService">
<property name="rolesResource">
<value>${role.list.file.url}</value>
</property>
</bean>
{code}
Spring provides a lot of user details service implementations for different types of user rights repositories like LDAP, JDBC, etc. For more information about user details services see [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html#d4e758].
Your CAS server is also based on a Spring framework, so if you want to use the same user details service as the one configured in your CAS server, you could find it in the */WEB-INF/deployerConfigContext.xml* avalaible in the CAS server webapp directory.
{warning}Be careful, the Spring framework version used in CAS server is 2.5 which is different from the one used in Petals View. Some packages have changed, but you could easily retrieve equivalent classes.{warning}
Here is a simple In Memory user details service for Spring 2.5.x:
{code:lang=xml}<bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
admin=dummy,ROLE_AUTH,ROLE_FLOWMANAGER,ROLE_FLOWREFMANAGER,ROLE_USERMANAGER
refmanager=dummy,ROLE_AUTH,ROLE_FLOWREFMANAGER
fluxmanager=dummy,ROLE_AUTH,ROLE_FLOWMANAGER
</value>
</property>
</bean> {code}
Here is the same user details service, but for Spring 3.0.x:
{code:lang=xml}<bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
admin=dummy,ROLE_AUTH,ROLE_FLOWMANAGER,ROLE_FLOWREFMANAGER,ROLE_USERMANAGER
refmanager=dummy,ROLE_AUTH,ROLE_FLOWREFMANAGER
fluxmanager=dummy,ROLE_AUTH,ROLE_FLOWMANAGER
</value>
</property>
</bean>
{code}
{info}The password is set to "dummy" for the three user defined because it isn't used (password based authentication is done by the CAS server). Only role list for each users is useful.
In Memory user details service isn't for production purposes. Use LDAP, JDBC or something else to connect to your user repository in production environment.{info}