2014-03-14

I want to configure biserver-ce-5.0 with a CAS server so that whenever a user accesses Pentaho they are redirected to the CAS login page, and after entering their credentials in CAS they are redirected back to the Pentaho Home page, with Pentaho establishing the user's identity from the service ticket issued by CAS (CAS only asserts the username to Pentaho; the password never leaves CAS). For that I have made the following modifications:

In \biserver-ce\tomcat\conf\server.xml file

commented
<!--Connector URIEncoding="UTF-8" port="8080" protocol="HTTP/1.1"

connectionTimeout="20000"

redirectPort="8443" /-->
Added

<!--
  HTTPS connector on 8444. It serves both the Pentaho webapp and the CAS webapp
  (every CAS URL in applicationContext-spring-security-cas.xml points at
  https://localhost:8444), so the certificate in keystoreFile is the one CAS
  presents to browsers AND to the Pentaho JVM during ticket validation.

  NOTE(review): keystorePass/truststorePass are stored in clear text here.
  server.xml must therefore be readable only by the account running Tomcat,
  and "password"/"changeit" should not be the real values.

  NOTE(review): truststoreFile/truststorePass on a Connector only govern
  client-certificate validation for INBOUND connections, and with
  clientAuth="false" no client certificate is requested. They do NOT make the
  JVM trust the CAS certificate for the OUTBOUND HTTPS call that
  Cas20ServiceTicketValidator makes to CAS; that call goes through the JVM
  default trust store (javax.net.ssl.trustStore, falling back to
  $JAVA_HOME/jre/lib/security/cacerts). The "PKIX path building failed" error
  below is fixed by importing the certificate from keystoreFile into that
  trust store (keytool -importcert) or by starting Tomcat with
  -Djavax.net.ssl.trustStore=E:\path\to\cacerts -Djavax.net.ssl.trustStorePassword=...
  in CATALINA_OPTS/JAVA_OPTS. Do not work around it with a trust-all
  TrustManager/HostnameVerifier: ticket validation is the step that proves the
  user actually logged in, and a spoofed CAS host could then assert any username.
-->
<Connector port="8444" protocol="HTTP/1.1"
           scheme="https" secure="true"
           SSLEnabled="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="C:\path\to\.keystore" keystorePass="password"
           truststoreFile="E:\path\to\cacerts" truststorePass="changeit"
           maxThreads="25" acceptCount="100"
           enableLookups="false" disableUploadTimeout="true"/>

Added file in \biserver-ce\pentaho-solutions\system\applicationContext-spring-security-cas.xml and added content

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<!--+

| Application context containing FilterChainProxy. This version overrides

| certain beans from applicationContext-spring-security.xml to enable CAS.

+--><!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans default-autowire="no" default-dependency-check="none" default-lazy-init="false">

<!-- ======================== FILTER CHAIN ======================= -->

<!-- overridden from applicationContext-spring-security.xml to enable CAS -->

<!--
  Filter chain applied to every URL (overrides the one in
  applicationContext-spring-security.xml). casProcessingFilter takes the place of
  authenticationProcessingFilter, so in practice the only way to obtain a
  non-anonymous session is a CAS service ticket presented at
  /j_spring_cas_security_check.

  NOTE(review): basicProcessingFilter and requestParameterProcessingFilter are
  still in the chain. With the authenticationManager in this file listing only
  the anonymous and CAS providers they cannot authenticate a plain
  username/password, but if a DAO/LDAP provider is ever added to that manager
  they become a login path that bypasses CAS entirely - confirm that is intended
  before adding one, or drop them from the chain.

  NOTE(review): the single-sign-out variant of this chain (casSingleSignOutFilter)
  is commented out below, so logging out of CAS from another application does
  not end an existing Pentaho session; only /Logout through logoutFilter does.
-->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value><![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor]]></value>
  </property>
</bean>

<!-- ======================== FILTER CHAIN WITH SIGNOUT ======================= -->

<!--

<bean id="filterChainProxy"

class="org.springframework.security.util.FilterChainProxy">

<property name="filterInvocationDefinitionSource">

<value>

<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON

PATTERN_TYPE_APACHE_ANT

/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,logoutFilter,casSingleSignOutFilter,casProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor]]>

</value>

</property>

</bean>

<bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

-->

<!-- ===================== HTTP REQUEST SECURITY ==================== -->

<!--
  Identity of this application as CAS sees it. "service" is the exact URL CAS
  redirects the browser back to with the ticket and the URL sent along with the
  ticket at validation time; both the entry point and the provider read it from
  this bean, so they cannot disagree. The value must be reachable by the end
  user's browser under exactly this scheme/host/port - "localhost" only works
  when the browser runs on the server itself.
  sendRenew=false lets an existing CAS SSO session satisfy the login without
  re-entering credentials; set it to true to force fresh authentication.
-->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
  <property name="service" value="https://localhost:8444/pentaho/j_spring_cas_security_check"/>
  <property name="sendRenew" value="false"/>
</bean>

<!-- replaces authenticationProcessingFilter in filterChainProxy above -->

<!--
  Consumes the "ticket" parameter CAS appends when it redirects the browser to
  /j_spring_cas_security_check, hands it to authenticationManager (and so to
  casAuthenticationProvider / ticketValidator) and on success sends the user to
  defaultTargetUrl; on failure the user lands on authenticationFailureUrl.
  NOTE(review): /public/casFailed must exist and be reachable anonymously,
  otherwise a failed CAS login just bounces back to CAS in a loop - confirm the
  Pentaho webapp actually serves it.
  NOTE(review): logoutFilter returns users to /pentaho/Home while this lands them
  on "/"; harmless if "/" forwards to Home, otherwise align the two.
-->
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="authenticationFailureUrl" value="/public/casFailed"/>
</bean>

<!-- overridden from applicationContext-spring-security.xml -->

<!--
  Turns an AuthenticationException raised further down the chain into a redirect
  to the CAS login page (through casProcessingFilterEntryPoint), and an
  AccessDeniedException for an already-authenticated user into a 403 through
  AccessDeniedHandlerImpl. This is the bean that makes an unauthenticated
  request to Pentaho bounce to CAS.
-->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/>
  <property name="accessDeniedHandler">
    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl"/>
  </property>
</bean>

<!--
  Where unauthenticated users are sent: the CAS login page, with the service URL
  from serviceProperties appended so CAS knows where to return the ticket.
  NOTE(review): the browser follows this URL, so "localhost" only works for a
  browser running on the server itself. Use the public CAS hostname, and make
  sure the certificate served on 8444 carries that name (CN/SAN) - both the
  browser and the Pentaho JVM verify it.
  NOTE(review): the context path names CAS 3.5.1-RC1, a release candidate;
  prefer a GA release for anything beyond a test setup.
-->
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl" value="https://localhost:8444/cas-server-webapp-3.5.1-RC1/login"/>
  <property name="serviceProperties" ref="serviceProperties"/>
</bean>

<!-- overridden from applicationContext-spring-security.xml -->

<!--
  Replaces the default provider list. Only anonymous sessions and validated CAS
  tickets can be authenticated; there is deliberately no DAO/LDAP provider here,
  so Pentaho's own user/password store can no longer be used to log in.
  NOTE(review): keep it that way unless a second login path around CAS is
  intended - any extra provider added here is reachable through the basic and
  request-parameter filters that remain in the filter chain. Provider order is
  significant: the list is tried in order.
-->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="anonymousAuthenticationProvider"/>
      <ref bean="casAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!--
  Validates the service ticket with ticketValidator, then loads the Pentaho user
  (roles etc.) for the CAS-asserted username through userDetailsService. Only the
  username comes back from CAS - Pentaho never sees the password - so every CAS
  account that should be able to log in must be resolvable by userDetailsService.
  NOTE(review): "key" is a local secret used to fingerprint the tokens this
  provider has issued, so a CasAuthenticationToken that did not come from it is
  not accepted as-is. The value here looks like a published sample value; replace
  it with a long random string unique to this deployment and keep it out of
  version control.
-->
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
  <property name="serviceProperties" ref="serviceProperties"/>
  <property name="ticketValidator" ref="ticketValidator"/>
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="key" value="my_password_for_this_auth_provider_only"/>
</bean>

<!--
  Validates service tickets against the CAS 2.0 /serviceValidate endpoint under
  this prefix. This bean makes an OUTBOUND HTTPS call from the Pentaho JVM to
  CAS, which is where the "PKIX path building failed ... unable to find valid
  certification path to requested target" error in the question comes from: the
  JVM does not trust the certificate that https://localhost:8444 presents.
  The CAS client uses the JVM default trust store, NOT Tomcat's connector
  truststoreFile, so either import the server certificate (the one in the
  connector's keystoreFile) into $JAVA_HOME/jre/lib/security/cacerts with
  keytool, or start Tomcat with
  -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw>
  in CATALINA_OPTS/JAVA_OPTS. The certificate's CN/SAN must also match
  "localhost" (the host in this URL) or hostname verification fails next.
  Do NOT work around it with a trust-all SSLSocketFactory/HostnameVerifier:
  ticket validation is the step that proves the user logged in, and stripping
  TLS verification from it lets a spoofed CAS host assert any username.
-->
<bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
  <constructor-arg value="https://localhost:8444/cas-server-webapp-3.5.1-RC1"/>
</bean>

<!-- overridden from applicationContext-spring-security.xml to specify logoutSuccessUrl as CAS logout page -->

<!--
  Handles /Logout: the listed handlers clear Pentaho's session state and the
  Spring security context, then the browser is redirected to the CAS logout URL
  so the CAS SSO session is ended as well (otherwise the next visit would log the
  user straight back in without a password).
  NOTE(review): the url= parameter asks CAS to send the user on to /pentaho/Home
  afterwards. As far as I recall, CAS 3.x only redirects after logout when its
  logout controller is configured to follow service redirects (and reads the
  target from service=, not url=); confirm which parameter and setting your CAS
  version honours, otherwise the user simply stays on the CAS logout page. If
  you enable that redirect on the CAS side, /logout becomes a redirector to any
  caller-supplied URL, so keep the allowed targets restricted there.
  NOTE(review): the Pentaho session is only cleared by going through /Logout
  here; logging out of CAS from another application does not end it because the
  single-sign-out chain in this file is commented out.
-->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
  <!-- logoutSuccessUrl: where the browser is sent once the handlers have run -->
  <constructor-arg value="https://localhost:8444/cas-server-webapp-3.5.1-RC1/logout?url=https://localhost:8444/pentaho/Home"/>
  <!-- logout handlers, invoked in list order -->
  <constructor-arg>
    <list>
      <bean class="org.pentaho.platform.web.http.security.PentahoLogoutHandler"/>
      <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
  <property name="filterProcessesUrl" value="/Logout"/>
</bean>

</beans>

In \biserver-ce\pentaho-solutions\system\pentaho-spring-beans
Added

<import resource="applicationContext-spring-security-cas.xml"/>

Also added cas-client-core-3.1.5.jar and spring-security-cas-client-2.0.5.RELEASE.jar in \biserver-ce\tomcat\webapps\pentaho\WEB-INF\lib

Apart from this, the Java certificates, keystore and CAS server files are all in place.

On starting Tomcat, the server redirects to the CAS login page. If I enter the same value for username and password (i.e. username==password, which is what CAS's default test-only authentication handler accepts), CAS issues a service ticket and redirects to Pentaho, but Pentaho then logs the following error:

16:25:53,927 ERROR [Cas20ServiceTicketValidator] javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

On the other hand, when I enter username admin and password password, CAS rejects the login and stays on its own login page.

So Pentaho is not able to establish the user's identity from the CAS ticket. Please tell me whether I have made a configuration mistake or whether something else is needed to configure Pentaho 5.0 with CAS.

Thanks & Regards
