 | NOTICE!!!
This is the first approach considered by Gothenburg University and was never used in a production environment.
This page only exists for historical purposes!
To CASify Oracle Portal use this approach: CASifying Oracle Portal |
Maximiliano Lubian has written on the CAS Mailman list regarding CASifying Oracle Portal. Some of that discussion is presented here for your convenience.
 | Security Concern
A serious security concern has been raised off-list about the code posted to this page. This is an unresolved issue. More information to come... Andrew Petro, June 8 05 |
Maximiliano wrote:
This is how we solved the problem:
#When you click the login link in Oracle Portal you are redirected to the CAS server with a service argument that points to a JSP/servlet page on the portal, rather than to the portal's login URL.
#You login to CAS.
#CAS redirects you to the JSP page, which validates the ticket against the CAS server, gets the NET-id (user id) and sets the user information in a cookie. It also strips the ticket argument from the URL, because Oracle SSO does not accept this argument. The servlet then redirects you to the portal login page.
#A custom plugin in OraSSO reads the user info from the cookie and passes it on to the standard OraSSO management.
#The user is logged in.
If you register a plugin with OraSSO, you replace the standard OraSSO handler with an external SSO handler.
We implemented a CASSSO handler called:
CasExtendedAuthenticator
Located:$ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas
with a property file: $ORACLE_HOME/sso/plugin/cas.properties
The servlet:
source code: $ORACLE_HOME/sso/plugin/oracle/consulting/gu/cas/CasServlet.java
(The attached files from the email are appended below. -ed)
We are in the process of solving CAS 2.0 in Oracle Portal, but we don't have a solution for this yet. We expect to deliver this solution in a few weeks. Let me know if you're still interested and if you need more info.
Hope this was of some help.
Best regards Maxi
package oracle.consulting.gu.cas;
import java.io.*;
import java.net.*;
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.*;
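public class CasExtendedAuthenticator implements IPASAuthInterface
{
    /** Name of this plugin, kept for log messages. */
    private static final String CLASS_NAME = "CasExtendedAuthenticator";

    /**
     * Name of the cookie (and, as a fallback, the request header) that carries
     * the user name written by CasServlet after a successful CAS ticket
     * validation.
     * <p>
     * SECURITY NOTE: the value is a plain, unsigned user name supplied by the
     * client.  Anything that can set this cookie or header on the request can
     * therefore log in as any user.  The hand-over must be bound to the CAS
     * validation server-side (a signed value, or a server-side lookup keyed by
     * an unguessable token) before this plugin is used outside a test setup.
     */
    private static final String ACME_USER_HEADER = "ACME_USER";

    /** Classpath resource the configuration is read from. */
    private static final String propFile = "cas.properties";

    /** Debug log written by {@link #writeToFile(String)}. */
    private static final String LOG_FILE = "/tmp/sso.log";

    /**
     * Portal login page appended to {@code casLoginPage} in
     * {@link #getUserCredentialPage}.  The leading
     * "http://oracle-portal.com:7778/pls/portal/" was garbled in the posted copy
     * and is reconstructed here from the URL-encoded form used in the
     * p_requested_url parameter; confirm it against your deployment.
     */
    private static final String PORTAL_LOGIN_URL =
        "http://oracle-portal.com:7778/pls/portal/"
        + "PORTAL.wwsec_app_priv.login?p_requested_url="
        + "http%3A%2F%2Foracle-portal.com"
        + "%3A7778%2Fpls%2Fportal%2FPORTAL.home"
        + "&p_cancel_url=http%3A%2F%2Foracle-portal.com"
        + "%3A7778%2Fpls%2Fportal%2FPORTAL.home";

    // Loaded from cas.properties.  Only casLoginPage is used by this class;
    // cookieName, validateURL and succUrl are read but not referenced here.
    private String cookieName;
    private String validateURL;
    private String casLoginPage;
    private String succUrl;

    /**
     * Loads cas.properties from the context class loader.
     * <p>
     * A missing resource or a read error is reported on stdout and leaves the
     * configuration fields null, matching the original best-effort behaviour;
     * the stream is always closed.
     */
    public CasExtendedAuthenticator()
    {
        System.out.println("Init casAuthenticator");
        InputStream is = null;
        try
        {
            is = Thread.currentThread().getContextClassLoader()
                    .getResourceAsStream(propFile);
            if (is == null)
            {
                // getResourceAsStream signals a missing resource with null, not
                // an exception, so check before Properties.load() dereferences it.
                System.out.println("File not found:" + propFile);
                return;
            }
            Properties prop = new Properties();
            prop.load(is);
            cookieName = prop.getProperty("cookieName");
            validateURL = prop.getProperty("validateURL");
            casLoginPage = prop.getProperty("casLoginPage");
            succUrl = prop.getProperty("successUrl");
        }
        catch (IOException e)
        {
            e.printStackTrace();
        }
        finally
        {
            if (is != null)
            {
                try
                {
                    is.close();
                }
                catch (IOException ignored)
                {
                    // nothing further to do on a failed close of a read stream
                }
            }
        }
    }

    /**
     * Looks up the user name handed over by CasServlet.
     * <p>
     * The ACME_USER cookie is checked first, then the ACME_USER request header.
     * See the note on {@link #ACME_USER_HEADER}: both sources are client
     * controlled and are accepted without any proof of CAS validation.
     *
     * @param request the request being authenticated
     * @return user info for the name found in the cookie or header
     * @throws IPASInsufficientCredException if neither carries a non-empty name
     */
    public IPASUserInfo authenticate(HttpServletRequest request)
        throws IPASAuthException, IPASInsufficientCredException
    {
        String acmeUserName = null;

        // getCookies() returns null when the request carries no cookies; the
        // original relied on catching the resulting NullPointerException.
        Cookie[] cookies = request.getCookies();
        if (cookies != null)
        {
            for (int i = 0; i < cookies.length && acmeUserName == null; i++)
            {
                Cookie cookie = cookies[i];
                writeToFile("cookie:" + cookie.getName());
                if (ACME_USER_HEADER.equalsIgnoreCase(cookie.getName()))
                {
                    acmeUserName = cookie.getValue();
                }
            }
        }
        if (acmeUserName == null)
        {
            acmeUserName = request.getHeader(ACME_USER_HEADER);
        }
        writeToFile("acmeUserName:" + acmeUserName);

        // An empty name is treated like a missing one instead of creating a
        // user with an empty user name.
        if (acmeUserName == null || acmeUserName.length() == 0)
        {
            writeToFile("No Acme Header");
            throw new IPASInsufficientCredException("No Acme Header");
        }

        IPASUserInfo authUser = new IPASUserInfo(acmeUserName);
        writeToFile("authUser:" + authUser.getUserName());
        return authUser;
    }

    /**
     * Builds the URL OraSSO redirects to when credentials are required: the
     * configured CAS login page followed by the portal login page.
     *
     * @param arg0 unused
     * @param arg1 unused
     * @return the login URL, or null if casLoginPage does not yield a valid URL
     */
    public URL getUserCredentialPage(HttpServletRequest arg0, String arg1)
    {
        URL url = null;
        try
        {
            url = new URL(casLoginPage + PORTAL_LOGIN_URL);
            System.out.println("userCred:" + url.toString());
        }
        catch (MalformedURLException e)
        {
            System.out.println("Problem med URL :" + casLoginPage);
        }
        return url;
    }

    /**
     * Appends one line to the debug log file.
     * <p>
     * NOTE(review): the log is a fixed path in the shared /tmp directory and
     * receives user names and cookie names; prefer the container's logging
     * facility in production.  The writer is always closed.
     *
     * @param text the line to append
     */
    public void writeToFile(String text)
    {
        PrintWriter pout = null;
        try
        {
            pout = new PrintWriter(new FileWriter(new File(LOG_FILE), true));
            pout.println(text);
        }
        catch (IOException e)
        {
            e.printStackTrace();
        }
        finally
        {
            if (pout != null)
            {
                // PrintWriter.close() never throws and also closes the FileWriter.
                pout.close();
            }
        }
    }
}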
package oracle.consulting.gu.cas;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import edu.yale.its.tp.cas.client.ProxyTicketValidator;
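public class CasServlet extends HttpServlet
{
    /**
     * Name of the cookie (and response header) that hands the validated user
     * name over to the OraSSO plugin, CasExtendedAuthenticator.
     * <p>
     * SECURITY NOTE: the cookie holds a plain, unsigned user name.  Whoever can
     * set that cookie can be accepted as that user by the plugin, so the
     * hand-over must be bound to this validation (signed value or server-side
     * lookup) before production use.
     */
    private static final String ACME_USER = "ACME_USER";

    /** Domain the hand-over cookie is scoped to; every host under it can read it. */
    private static final String COOKIE_DOMAIN = "gu.se";

    /**
     * CAS ticket validation endpoint.  Host and path were garbled in the posted
     * copy; replace the placeholder with your CAS server's validate URL.
     */
    private static final String CAS_VALIDATE_URL =
        "https://CAS-SERVER-PLACEHOLDER/VALIDATE-PATH-PLACEHOLDER";

    /**
     * Portal login page the browser is sent to after the cookie is set.  The
     * leading "http://oracle-portal.com:7778" was garbled in the posted copy
     * and is reconstructed from the URL-encoded p_requested_url value.
     */
    private static final String TARGET_URL =
        "http://oracle-portal.com:7778"
        + "/pls/portal/PORTAL.wwsec_app_priv.login?"
        + "p_requested_url=http%3A%2F%2Foracle-portal.com"
        + "%3A7778%2Fpls%2Fportal"
        + "%2FPORTAL.home&p_cancel_url=http%3A%2F%2Foracle-portal.com"
        + "%3A7778%2Fpls%2Fportal%2FPORTAL.home";

    /**
     * Service URL the ticket must have been issued for: this servlet's own
     * address with the fixed target_url embedded.  Per the CAS protocol the
     * ticket validates only against the service it was issued for, which is
     * what stops a ticket obtained for a different target_url from being
     * accepted here.  This servlet's host/path was garbled in the posted copy.
     */
    private static final String CAS_SERVICE_URL =
        "https://PORTAL-HOST-PLACEHOLDER/CAS-SERVLET-PATH-PLACEHOLDER?target_url="
        + TARGET_URL;

    /**
     * Handles the redirect back from the CAS login page.
     * <p>
     * Validates the {@code ticket} request parameter against the CAS server.
     * On success the CAS user name is stored in the ACME_USER cookie (and
     * response header) and the browser is redirected to the portal login page,
     * where the OraSSO plugin picks the cookie up.  The ticket parameter is
     * deliberately not forwarded, since Oracle SSO rejects it.
     *
     * @param request the request carrying the CAS ticket
     * @param resp    the response; receives the cookie and the redirect, or an
     *                error status when the ticket is missing or rejected
     * @throws ServletException if ticket validation cannot be completed
     * @throws IOException      if writing the response fails
     */
    public void doGet(HttpServletRequest request, HttpServletResponse resp)
        throws IOException, ServletException
    {
        String ticket = request.getParameter("ticket");
        // The original test used '||', which dereferences a null ticket and
        // ended in the empty catch block below; reject the request instead.
        if (ticket == null || ticket.length() == 0)
        {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "Missing ticket parameter");
            return;
        }

        ProxyTicketValidator pv = new ProxyTicketValidator();
        pv.setCasValidateUrl(CAS_VALIDATE_URL);
        pv.setService(CAS_SERVICE_URL);
        pv.setServiceTicket(ticket);
        try
        {
            pv.validate();
        }
        catch (Exception e)
        {
            // validate() throws checked I/O and XML-parser exceptions that are
            // not imported here.  Never answer with an empty 200 as the old
            // empty catch block did; surface the failure with its cause.
            log("CAS ticket validation failed", e);
            throw new ServletException("CAS ticket validation failed", e);
        }

        if (!pv.isAuthenticationSuccesful())
        {
            // Details stay in the server log; the client only sees the status.
            log("CAS rejected ticket: " + pv.getErrorCode()
                + " " + pv.getErrorMessage());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "CAS ticket validation failed");
            return;
        }

        String authenticatedUserName = pv.getUser();
        if (authenticatedUserName == null
            || authenticatedUserName.length() == 0)
        {
            log("CAS validation succeeded but returned no user name");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "CAS ticket validation failed");
            return;
        }

        // Only honour target_url when it is the target the validated service
        // was issued for; otherwise fall back to that target rather than
        // redirecting to a caller-supplied URL right after setting the
        // identity cookie.
        String targetUrl = request.getParameter("target_url");
        if (targetUrl == null || !targetUrl.equals(TARGET_URL))
        {
            targetUrl = TARGET_URL;
        }

        resp.setHeader(ACME_USER, authenticatedUserName);
        Cookie cookie = new Cookie(ACME_USER, authenticatedUserName);
        cookie.setDomain(COOKIE_DOMAIN);
        cookie.setPath("/");
        // No Secure flag: the portal target above is plain http, so a Secure
        // cookie would never reach it.  The hand-over therefore travels in
        // clear text to every host under the cookie domain.
        resp.addCookie(cookie);
        resp.sendRedirect(targetUrl);
    }
}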
cookieName=CASTGC
# NOTE: the three URL values below were truncated when this page was captured; only the scheme survived.
validateURL=https:
casLoginPage=https:
successUrl=http: