CAS SSO Integration

Started by mj123, April 05, 2009, 01:53:16 pm

mj123

Hi,

After successful LDAP integration with Konakart, we now want to implement SSO with CAS and Konakart Admin.
The important issue is a methodology for the CasAuthenticationFilter implementation, which is called after the regular CasFilter (responsible for authentication and SSO token management).
CasAuthenticationFilter must check for the "CAS authentication header", which contains the username.
The username is used for KKAdminEngine initialization, but I don't know the algorithm to be used (the password is not accessible).
I'm not sure how to initialize the other objects used by the GWT engine in the KKAdmin Console.


    @Override
    public void doFilter(ServletRequest req, ServletResponse resp,
            FilterChain chain) throws IOException, ServletException {

        // Get the HTTP request/response/session
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;
        HttpSession httpSess = httpReq.getSession(true);

        String authHdr = (String) httpReq.getSession().getAttribute(casFilterUser);

        if (authHdr == null) {
            logger.debug("cas-user header not found.");
        } else {
            logger.debug("cas-user header is <" + authHdr + ">");
        }

        // Throw an error if we have an unknown authentication
        if ((authHdr == null) || (authHdr.length() < 1)) {
            httpResp.sendRedirect(httpReq.getContextPath() + "/jsp/noaccess.jsp");
            return;
        }

        // Get the user
        String userName = authHdr;
        if (logger.isDebugEnabled()) {
            logger.debug("User= " + userName);
        }

        // See if there is a user in the session and test if it matches
        // ????????????????????????????????????????????????????
        // WHAT IS the algorithm
    }
   

trevor

Regarding your implementation architecture, I think that it will only work if the communication channel between the Admin App client and server is secure and that the server can trust the client. Otherwise the server needs to validate the SSO token.

Since the Admin App we provide uses Google GWT technology, the client side is all generated JavaScript, so I think that you may need our help to integrate your code. Please write to enquiries at konakart dot com if you'd like to take the discussion further.



erockx

I am also very interested in a CAS client integration for Kona Kart.  Any progress on this?

Thanks,
Eric

trevor

We're working on Admin App hooks at the moment to integrate with an SSO system. Maybe you could post the requirements that are required for CAS so that we can check whether these will all be covered?

erockx

We'll need to authenticate users for the admin area.  Then we'll need Kona Kart to ask CAS for role data from another system (use CAS as a proxy) for the authenticated user.  Then we'll need to either map or replace the authorizations that Kona Kart admin area comes with to our administrator roles.  In the beginning, an "Order System Administrator" in our system will have full access to the Kona Kart's admin area, but later, we'll want to fine tune what different administrators can do.

Please let me know if anything here is unclear.

Thanks,
Eric

erockx

I'm just starting to integrate CAS with the client/server Kona Kart application, but I found this class, com.konakartadmin.bl.AdminLoginIntegrationMgr, which makes me think integration with the admin Kona Kart application is doable.  This is in version 3.2.

julie

You really need the latest version (4.1.0.0) for this since we've added functionality so that you can call the admin app defining the user and role that it should use.

To understand how it works, you should look at the code and docs under \KonaKart\custom\konakartadmin_portlet\liferay since we use this functionality to enable integration of the Admin App within Liferay.

If you need any further help, please contact our professional services team (support AT konakart.com).

erockx

The files in \KonaKart\custom\konakartadmin_portlet\liferay define the portlet.  We're not using portlets so this really doesn't help us.  We just upgraded to 4.1 so I'll poke around and see if I can't find out where to hook in CAS.

Thanks,
Eric