[opencms-dev] opencms and single sign-on
Alfonso de Gea García
addegea at ono.com
Fri May 18 13:27:43 CEST 2007
Hello Iñigo,
Sorry but I have been out for a few days and maybe you have already solved
your problem.
As you mentioned, CAS will only provide you with the authentication
capabilities. Authorization is a matter for every application intended to
share the CAS login. That is to say: you have to maintain the same set of users
inside OpenCms in order to assign permissions on folders/resources. The
change is that the password for the users no longer has to be maintained
inside OpenCms, and you should specify a 'generic' password for all of them.
Keep in mind that a user will only be authenticated if CAS previously did
it.
On the other hand, maybe your Tomcat does not store the session info
(server.xml property session="false" in the connector config.), or your
client doesn't manage the cookies in the right way. Be careful not to close
your web browser (the session only persists in the same browser in IE; with
Firefox you can share the session with different Firefox instances).
The expected behaviour is that once you receive the ticket (first auth.),
next time you don't have to re-login as you are already logged in.
I hope this helps.
Regards, Alfonso Diego de Gea García.
-----Original Message-----
From: Inigo [mailto:imunoz at zylk.net]
Sent: Friday, 04 May 2007 13:09
To: The OpenCms mailing list
Subject: Re: [opencms-dev] opencms and single sign-on
Alfonso de Gea García wrote:
> Hello Iñigo,
>
> You should take a look at http://www.ja-sig.org/products/cas/, it's an open
> source central authentication server with single sign on capabilities (it
> also supports ntlm for sso over windows systems... great!!).
>
> You have to deploy the server like a web application with Tomcat and use the
> cas jsp taglib in your login form (e.g.: login.jsp) inside OpenCms (note
> that the key is that you have to use form-based authentication with OpenCms
> and you could find out how to deal with this issue in the posts of the
> OpenCms mailing lists).
>
I have some doubts. Using CAS you still have to manage the user roles in
OpenCMS and so on, don't you? I mean, CAS only validates if a given user
is valid or not, according to the configured authentication mechanism,
but you still have to check if a user can or can't see some pages or
not, is that right? Apart from that, (this is CAS specific) is there
anything special you have to do configuring CAS in order to maintain
the sessions between different applications? I have set up a CAS Server
on my machine, and apart from that I have installed OpenCMS and
Webcalendar, both of them having CAS integration. Well, when I go to
webcalendar, it redirects me to the CAS login screen, I logged in
successfully. Then, I go to the login defined in OpenCMS, and it also
redirects me to the CAS login screen. As far as I understand, CAS should
know that the user is already logged in and therefore log you in
automatically. I hope I have explained myself well.
Thanks in advance.
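
Added example, not part of the thread and not OpenCms or CAS code: a toy Python model of the single sign-on flow discussed above, showing that a second application is let in without a new login only when the browser presents the CAS ticket-granting cookie, and that permissions still come from each application's own user table. The class names, URLs and account are constructed for illustration; `CASTGC` is the cookie name CAS uses.

```python
import hmac
import secrets

class CasServer:
    """Toy CAS server: a ticket-granting cookie plus one-time service tickets."""
    def __init__(self, credentials):
        self.credentials = credentials   # constructed sample accounts
        self.sessions = {}               # CASTGC cookie value -> username
        self.tickets = {}                # service ticket -> (service, username)
        self.prompts = 0                 # times the login form had to be shown

    def login(self, service, cookies, form=None):  # models /login?service=...
        user = self.sessions.get(cookies.get("CASTGC"))
        if user is None:                 # browser presented no valid SSO cookie
            self.prompts += 1
            user, password = form or (None, "")
            expected = self.credentials.get(user)
            if expected is None or not hmac.compare_digest(expected, password):
                return None
            cookies["CASTGC"] = "TGC-" + secrets.token_hex(8)
            self.sessions[cookies["CASTGC"]] = user
        ticket = "ST-" + secrets.token_hex(8)
        self.tickets[ticket] = (service, user)
        return ticket

    def validate(self, service, ticket):  # single-use, bound to one service
        bound_service, user = self.tickets.pop(ticket, (None, None))
        return user if bound_service == service else None

class App:
    """CAS-protected application; the browser redirect is a direct call here."""
    def __init__(self, url, cas, local_users):
        self.url, self.cas, self.local_users = url, cas, local_users

    def access(self, cookies, form=None):
        ticket = self.cas.login(self.url, cookies, form)
        user = self.cas.validate(self.url, ticket) if ticket else None
        if user is None:
            return "login required"
        # CAS only authenticated the user; authorization is decided locally.
        return "ok" if user in self.local_users else "no local account"

def demo():
    cas = CasServer({"inigo": "constructed-password"})
    calendar = App("https://calendar.example/", cas, {"inigo"})
    cms = App("https://cms.example/", cas, set())   # user not created in the CMS
    jar = {}                                         # one browser's cookie jar
    first = calendar.access(jar, ("inigo", "constructed-password"))
    return [first, cms.access(jar), cms.access({})], cas.prompts
```

The third call uses an empty cookie jar, which models a browser that did not keep or send the CAS cookie: the login form is needed again even though the CAS session still exists on the server.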