Hi there. My name is Liran Zelkha and I am THE consultant you want to work with. In the last 10 years I have assisted hundreds of companies to successfully complete their software projects, for both code (in Java, PHP or Ruby) or ops (be it MySQL, Oracle or your favorite Cloud platform).

Where do you want to see your project? Late? #epic #fail? Do not reinvent the wheel. Let me save you the time and money that comes with failed project. You can depend on me! It’s my responsibility to make sure you Succeed.

“I am familiar with Liran while working with him on several joint projects: – as a coacher – facilitating conversion of ABAP programmers to Java world – as a lecturer – delivering courses of J2EE and Oracle Fusion in BMC – as a senior consultant – consulting BMC projects in Oracle Fusion environment In all these projects he demonstrated himself as outstanding expert in Java and Oracle technologies. His dedication, flexibility and openness were among those key factors, that several times helped us to achieved the required business targets. His communication skills makes interaction with Liran very friendly and people were always willing to work with him. I can recommend Liran as a technical lead for any complex project on the cutting edge of Java and/or Oracle technologies He is an excellent professional and very nice guy. Boris Goldberg Senior Architect BMCSoftware” Boris Goldberg, BMC

Some of my customers include big names like Amdocs, Teva, Cisco, Red Hat and Ruckus Wireless, and also smaller names – like Jungo, Cloudyn, Cyber-Ark and many more.

If you decide you want to work together, I will introduce you to my consulting process, so I can make sure I give you the best value money can buy.

“Liran is a true professional. Working with business integrity and best of practices service delivery. Working with Liran is both pleasure and business wise beneficial.” Noam Wekser, Oracle

I’m known to finish projects quickly meeting time and budget constraints, so drop me an email at liran@tonaconsulting.com.

Everybody can be a consultant, but only I can get you these great additional values:

  1. Immediate assistance (yes – even in the middle of the night)
  2. Years of experience
  3. Off site or on site consulting
  4. Incredibly wide technological experience – starting with Java, PHP and Ruby programming languages, going to BigData technologies, like MySQL, MongoDB and other noSQL technologies, and settling on UI frameworks, web services, BPM and other related tools.

Recent Posts

Improving LifeRay 6 CAS integration

Posted on by
5

Lately, I had the dubious pleasure of integrating CAS with LifeRay (the results of which can be seen in my previous posts). Unfortunately, LifeRay assumes that both CAS and LifeRay are connected to the same user store (LDAP server or any similar security store), and thus no user import is necessary. But, as CAS has a much wider range of supported user stores – this is not always the case.
I needed to address this issue, meaning – allow users to login through CAS, even if they are not LifeRay users.

Concept

I replaced LifeRay CAS filter, and made sure that the AttributePrincipal object arriving from CAS client is stored at the HTTPSession.
Then, I replaced LifeRay auto-login class, and used LifeRay API to create a user if a user has logged in but did not exist in the internal LifeRay user database.

The How

Here’s what I did:

  1. Configure LifeRay for CAS (see my previous post – http://tonaconsulting.com/configuring-liferay-and-cas-to-work-with-ldap/, but DON’T configure the LifeRay for LDAP
  2. Create a new Java project.
  3. As I use Maven, I used the following pom.xml file:
    [xml]

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"
    xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    4.0.0
    com.tona.liferay
    Authenticator
    1.0-SNAPSHOT

    jar Authenticator


    org.slf4j
    slf4j-api
    1.6.6


    javax.portlet
    portlet-api
    2.0


    junit
    junit
    3.8.1
    test


    org.jasig.cas.client
    cas-client-core
    3.2.1


    log4j
    log4j
    1.2.14


    com.liferay.portal
    portal-client
    6.0.4


    com.liferay.portal
    portal-impl
    6.0.4
    provided


    com.liferay.portal
    portal-service
    6.0.4
    provided


    com.liferay.portal
    util-java
    6.0.4


    com.liferay.portal
    util-bridges
    6.0.4
    provided

    [/xml]

  4. I create a new class, called TonaCASFilter, that derives from CASFilter. Note that I had to copy some code from the parent class, as it was not easily extensible :-(
    [java]
    public class TonaCasFilter extends CASFilter {

    public static String LOGIN = CASFilter.class.getName() + “LOGIN”;

    public static void reload(long companyId) {
    _ticketValidators.remove(companyId);
    }

    protected Log getLog() {
    return _log;
    }

    protected TicketValidator getTicketValidator(long companyId)
    throws Exception {

    TicketValidator ticketValidator = _ticketValidators.get(companyId);

    if (ticketValidator != null) {
    return ticketValidator;
    }

    String serverName = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_SERVER_NAME, PropsValues.CAS_SERVER_NAME);
    String serverUrl = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_SERVER_URL, PropsValues.CAS_SERVER_URL);
    String loginUrl = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_LOGIN_URL, PropsValues.CAS_LOGIN_URL);

    Saml11TicketValidator cas20ProxyTicketValidator = new Saml11TicketValidator(serverUrl);

    Map parameters = new HashMap();

    parameters.put(“serverName”, serverName);
    parameters.put(“casServerUrlPrefix”, serverUrl);
    parameters.put(“casServerLoginUrl”, loginUrl);
    parameters.put(“redirectAfterValidation”, “false”);

    cas20ProxyTicketValidator.setCustomParameters(parameters);

    _ticketValidators.put(companyId, cas20ProxyTicketValidator);

    return cas20ProxyTicketValidator;
    }

    protected void processFilter(
    HttpServletRequest request, HttpServletResponse response,
    FilterChain filterChain)
    throws Exception {

    long companyId = PortalUtil.getCompanyId(request);

    if (PrefsPropsUtil.getBoolean(
    companyId, PropsKeys.CAS_AUTH_ENABLED,
    PropsValues.CAS_AUTH_ENABLED)) {

    HttpSession session = request.getSession();

    String pathInfo = request.getPathInfo();

    if (pathInfo.indexOf(“/portal/logout”) != -1) {
    session.invalidate();

    String logoutUrl = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_LOGOUT_URL,
    PropsValues.CAS_LOGOUT_URL);

    response.sendRedirect(logoutUrl);

    return;
    }
    else {
    String login = (String)session.getAttribute(LOGIN);

    String serverName = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_SERVER_NAME,
    PropsValues.CAS_SERVER_NAME);

    String serviceUrl = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_SERVICE_URL,
    PropsValues.CAS_SERVICE_URL);

    if (Validator.isNull(serviceUrl)) {
    serviceUrl = CommonUtils.constructServiceUrl(
    request, response, serviceUrl, serverName, “ticket”,
    false);
    }

    String ticket = ParamUtil.getString(request, “ticket”);

    if (Validator.isNull(ticket)) {
    if (Validator.isNotNull(login)) {
    processFilter(
    TonaCasFilter.class, request, response, filterChain);
    }
    else {
    String loginUrl = PrefsPropsUtil.getString(
    companyId, PropsKeys.CAS_LOGIN_URL,
    PropsValues.CAS_LOGIN_URL);

    loginUrl = HttpUtil.addParameter(
    loginUrl, “service”, serviceUrl);

    response.sendRedirect(loginUrl);
    }

    return;
    }

    TicketValidator ticketValidator = getTicketValidator(
    companyId);

    Assertion assertion = ticketValidator.validate(
    ticket, serviceUrl);

    if (assertion != null) {
    AttributePrincipal attributePrincipal =
    assertion.getPrincipal();

    login = attributePrincipal.getName();

    session.setAttribute(LOGIN, login);
    session.setAttribute(“principal”, attributePrincipal);
    }
    }
    }

    processFilter(TonaCasFilter.class, request, response, filterChain);
    }

    private static Log _log = LogFactoryUtil.getLog(TonaCasFilter.class);

    private static Map _ticketValidators =
    new ConcurrentHashMap();

    }
    [/java]

  5. I then create the new auto-login class. Again – as it was not very extendible, I had to copy-paste allot of code from the parent class…
    [java]
    public class TonaCASAutoLogin extends CASAutoLogin {
    private Logger logger = LoggerFactory.getLogger(TonaCASAutoLogin.class.getName());

    @Override
    public String[] login(HttpServletRequest request, HttpServletResponse response) {
    String[] credentials = null;

    try {
    long companyId = PortalUtil.getCompanyId(request);

    if (!PrefsPropsUtil.getBoolean(companyId, PropsKeys.CAS_AUTH_ENABLED, PropsValues.CAS_AUTH_ENABLED)) {

    return credentials;
    }

    HttpSession session = request.getSession();

    String login = (String) session.getAttribute(CASFilter.LOGIN);

    if (Validator.isNull(login)) {
    return credentials;
    }

    AttributePrincipal principal = (AttributePrincipal) session.getAttribute(“principal”);
    if (principal != null) {

    Map attrs = principal.getAttributes();

    Configuration.getInstance().load();

    Object groupMembership = attrs.get(Configuration.getInstance().getMemberOfProperty());

    if (groupMembership != null) {
    com.liferay.portal.service.ServiceContext context = new com.liferay.portal.service.ServiceContext();

    User user = null;

    String email = attrs.get(“email”).toString();
    String lastName = attrs.get(“lastName”).toString();
    String firstName = attrs.get(“firstName”).toString();

    try {
    user = UserLocalServiceUtil.getUserByScreenName(companyId, login);
    } catch (NoSuchUserException nsue) {
    // User not found.
    }

    // The groups the user needs to belong to
    long[] mapToGroupsArray = getUserGroups(companyId, groupMembership.toString());

    // The community we want to map the user to
    long groupId = 10131;

    // User not found – create it.
    if (user == null) {
    try {
    UserLocalServiceUtil.addUser(0, companyId, false, “not-used”, “not-used”, false,
    fixScreenName(login), email, 0, “”, Locale.getDefault(), firstName, “”, lastName,
    0, 0, true, 1, 1, 1970, null, new long[] {groupId}, null, null, mapToGroupsArray, false, context);

    } catch (Exception e) {
    logger.error(“Can’t add user”, e);
    }
    } else {
    // User exists – remap groups
    UserGroupLocalServiceUtil.setUserUserGroups(user.getUserId(), mapToGroupsArray);

    // Ensure user has the right community

    UserLocalServiceUtil.addGroupUsers(groupId, new long[] { user.getUserId()});
    }
    }
    }

    return super.login(request, response);

    } catch (Throwable e) {
    logger.error(“Can’t auto-login, reverting to default behavior”, e);
    }

    return super.login(request, response);
    }

    private String fixScreenName(String loginName) {

    String name = loginName;

    if (name.contains(“@”)) {
    name = name.substring(0,name.indexOf(“@”));
    }

    return name;
    }

    private long[] getUserGroups(long companyId, String groupMembership) throws Exception {
    String[] groups = groupMembership.toString().split(“;”);

    List mapToGroups = new ArrayList();

    for (String group : groups) {
    if (group.contains(“[")) {
    group = group.replace('[', ' ');
    group = group.replace(']‘, ‘ ‘);
    group = group.trim();
    }
    String groupName = group;

    if (groupName != null) {
    UserGroup liferayGroup = UserGroupLocalServiceUtil.getUserGroup(companyId, groupName);
    if (liferayGroup != null) {
    logger.debug(“Found user group ” + liferayGroup.getUserGroupId());
    mapToGroups.add(liferayGroup.getUserGroupId());
    } else {
    logger.debug(“Liferay group ” + groupName + ” not found”);
    }
    }
    }

    long[] mapToGroupsArray = new long[mapToGroups.size()];
    int i = 0;
    for (long l : mapToGroups) {
    mapToGroupsArray[i] = l;
    ++i;
    }

    return mapToGroupsArray;
    }
    }
    [/java]
    Note that you must make sure CAS sends all the relevant properties in the return SAML response, and that the groups sent exist in LifeRay.

  6. Now, create a JAR file (mvn clean install), and copy the JAR file to TOMCAT_HOME/webapps/ROOT/WEB-INF/lib
  7. Edit the LifeRay web.xml file. It can be found in TOMCAT_HOME/webapps/ROOT/WEB-INF. Replace the line
    [xml]
    com.liferay.portal.servlet.filters.sso.cas.CASFilter
    [/xml]
    with the following line:
    [xml]
    com.tona.security.TonaCasFilter
    [/xml]
  8. Edit the LifeRay portal-ext.properties file. It can be found in TOMCAT_HOME/webapps/ROOT/WEB-INF/classes. Add the following line:
    [xml]
    auto.login.hooks=com.tona.security.TonaCASAutoLogin
    [/xml]
  9. Restart LifeRay. All should work…
  1. Configuring LifeRay and CAS to work with LDAP 2 Replies
  2. RuntimeException in Action for tag [rollingPolicy] java.lang.IndexOutOfBoundsException: No group 1 Leave a reply
  3. Using Liferay SSO with Oracle Access Manager 11g Leave a reply
  4. Monitoring seda queues with JBoss JMX console Leave a reply
  5. Import users into Liferay Leave a reply
  6. Tracking Locks in Oracle Database Leave a reply
  7. Updating Pentaho PRPT files to add a PreProcessor Leave a reply
  8. Templating with Pentaho BI 1 Reply
  9. Using Oracle tkprof with JDBC thin client application Leave a reply