Saturday, August 1, 2009

Liferay and WebSphere SSO (simplistic)

Since Liferay provides CAS (Central Authentication Service) support, it is possible to log in to Liferay with WebSphere SSO (LTPA token) credentials.
So what to do?
I cannot post all of our source code because of "some security" issues :-)
Steps:
1. Edit portal-ext.properties (or portal.properties inside portal-impl.jar)
1.1 Add/Edit the CAS configuration lines
##
## CAS
##
cas.auth.enabled=true
#
cas.import.from.ldap=false
#
cas.login.url=/portal/cas-web/login
cas.logout.url=/portal/html/common/was_logout.jsp
cas.service.url=/portal/c/portal/login
cas.validate.url=/portal/cas-web/proxyValidate

The cas.login.url and cas.logout.url lines tell Liferay where to log in and where to log out.

2. Create Java classes for decrypting the WebSphere LTPA token
Have a look at these examples:
http://blog.offbytwo.com/2007/08/21/working-with-lightweight-third-party-authentication-ltpa/
http://offbytwo.googlecode.com/svn/trunk/bitsandpieces/LTPAUtils/

and copy them to WEB-INF/classes/ (or pack them into a jar file)

3. Add the AutoLogin class from step 2 to auto.login.hooks in portal-ext.properties
auto.login.hooks=,com.liferay.portal.security.auth.CASAutoLogin,...

4. Add was_logout.jsp at the path given by cas.logout.url (see step 1)
Content (example):
<%@ page import="java.util.*" %>
<%@ page import="com.liferay.portal.util.*" %>

<%-- auto-submitted by javascript --%>

5. Create a new Sign In portlet or edit the delivered Sign In portlet
Content of view.jsp (example):
<% if (!themeDisplay.isSignedIn()) { %>

<%-- /*
">" method="post" name="fm"> */ --%>
fm">

<% } %>

6. Add the login-config to web.xml
...
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>PortalRealm</realm-name>
    <form-login-config>
        <form-login-page>/c/portal/j_login</form-login-page>
        <form-error-page>/portal/web/guest/login/error</form-error-page>
    </form-login-config>
</login-config>
...

That's it.

Workflow:
User logs in > WebSphere creates the LTPA token cookie > custom AutoLogin class is called > custom AutoLogin class reads the cookies > custom AutoLogin class decrypts the LTPA token from the cookie > custom AutoLogin class returns the credentials array
Example (the credentials array returned by the AutoLogin class):
credentials[0] = String.valueOf(user.getUserId()); // Liferay user id
credentials[1] = user.getPassword();               // stored, already encrypted password
credentials[2] = Boolean.TRUE.toString();          // tells Liferay that credentials[1] is already encrypted
> Liferay accepts the login
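As an added example (it is not the post's own code and not the linked LTPAUtils), here is the workflow above written out as a Liferay 5.x AutoLogin hook, together with the token class that step 2 asks for. Everything about the token is an assumption taken from the LTPA v1 descriptions the post links to: the cookie is called LtpaToken, the body is 3DES-encrypted with DESede/ECB/PKCS5Padding, the decrypted body looks like "attr:value$attr:value%expiresMillis%base64Signature", the shared key arrives base64-encoded in a hypothetical ltpa.shared.key.base64 JVM property (already recovered from the WebSphere key export), and the Liferay screen name is the text after the last "/" of the "u" attribute. The hook class needs the Liferay 5.x and servlet jars on the classpath; the LtpaToken class is plain JDK and its main() runs a round trip on a constructed key and body.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.auth.AutoLoginException;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

/** Liferay 5.x AutoLogin hook: cookie -> decrypted LTPA token -> Liferay user -> credentials array. */
public class LtpaAutoLogin implements AutoLogin {
    private static final String COOKIE_NAME = "LtpaToken"; // WebSphere's LTPA v1 SSO cookie (assumption)

    public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException {
        String raw = cookieValue(request, COOKIE_NAME);
        if (raw == null) return null;                        // no SSO cookie: the normal login flow continues
        try {
            LtpaToken token = LtpaToken.decrypt(raw, sharedKey());
            if (token.isExpired(System.currentTimeMillis())) return null; // stale token: no auto-login, no error
            long companyId = PortalUtil.getCompanyId(request);
            User user = UserLocalServiceUtil.getUserByScreenName(companyId, token.screenName());
            String[] credentials = new String[3];
            credentials[0] = String.valueOf(user.getUserId());
            credentials[1] = user.getPassword();             // stored, already encrypted password
            credentials[2] = Boolean.TRUE.toString();        // flags credentials[1] as already encrypted
            return credentials;
        } catch (Exception e) {
            throw new AutoLoginException(e);                 // garbage token, bad padding, unknown user
        }
    }

    /** Assumption: the raw shared 3DES key (base64) is supplied via a JVM property; the property name is hypothetical. */
    private static byte[] sharedKey() {
        String b64 = System.getProperty("ltpa.shared.key.base64");
        if (b64 == null) throw new IllegalStateException("LTPA shared key not configured");
        return Base64.getDecoder().decode(b64);
    }

    private static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}

/** Decrypted LTPA v1 body; assumed layout "attr:value$attr:value%expiresMillis%base64Signature". */
final class LtpaToken {
    private static final String CIPHER = "DESede/ECB/PKCS5Padding"; // assumption: 3DES/ECB as in the linked LTPAUtils
    private final Map<String, String> attrs;
    private final long expiresMillis;

    private LtpaToken(Map<String, String> attrs, long expiresMillis) {
        this.attrs = attrs; this.expiresMillis = expiresMillis;
    }

    static LtpaToken decrypt(String base64Token, byte[] sharedKey) throws Exception {
        byte[] plain = crypt(Cipher.DECRYPT_MODE, sharedKey, Base64.getDecoder().decode(base64Token));
        return parse(new String(plain, StandardCharsets.UTF_8));
    }

    static LtpaToken parse(String body) {
        String[] parts = body.split("%");                    // parts[2] is the RSA signature; not verified here
        if (parts.length != 3) throw new IllegalArgumentException("unexpected token layout");
        Map<String, String> attrs = new LinkedHashMap<>();
        for (String field : parts[0].split("\\$")) {
            int i = field.indexOf(':');
            if (i < 1) throw new IllegalArgumentException("malformed attribute: " + field);
            attrs.put(field.substring(0, i), field.substring(i + 1));
        }
        return new LtpaToken(attrs, Long.parseLong(parts[1]));
    }

    boolean isExpired(long nowMillis) { return nowMillis >= expiresMillis; }

    /** Assumption: the text after the last '/' of the "u" attribute is the Liferay screen name. */
    String screenName() {
        String u = attrs.get("u");
        if (u == null) throw new IllegalStateException("token carries no user attribute");
        return u.substring(u.lastIndexOf('/') + 1);
    }

    static byte[] crypt(int mode, byte[] key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance(CIPHER);
        cipher.init(mode, new SecretKeySpec(key, "DESede"));
        return cipher.doFinal(data);
    }

    /** Stand-alone round trip on a constructed key and body (no WebSphere key involved). */
    public static void main(String[] args) throws Exception {
        byte[] demoKey = KeyGenerator.getInstance("DESede").generateKey().getEncoded();
        long expires = System.currentTimeMillis() + 60_000L;
        String body = "expire:" + expires + "$u:user\\:demoRealm/bob%" + expires + "%c2lnbmF0dXJl"; // constructed
        byte[] enc = crypt(Cipher.ENCRYPT_MODE, demoKey, body.getBytes(StandardCharsets.UTF_8));
        LtpaToken t = decrypt(Base64.getEncoder().encodeToString(enc), demoKey);
        System.out.println("user=" + t.screenName() + " expired=" + t.isExpired(System.currentTimeMillis()));
    }
}
```

Two things to keep in mind when wiring this in: the class name goes into auto.login.hooks exactly as in step 3, and the example only checks that the token decrypts cleanly and has not expired. That proves the cookie was produced with the shared 3DES key, not that WebSphere issued it, so before trusting the "u" attribute in production the signature in the third "%" part should be verified against the LTPA public key, and the key export and its password should live outside the web application rather than in a JVM property.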