Allow login filters to be configured outside of the login tool. Useful for CAS/Shibboleth and other types of sign on extensions.

Description

In order to wire up CAS, Shibboleth or other SSO/container integrations in Sakai, you typically need to add some filters to the login tool's web.xml. This means you have to modify the web.xml to maintain your integrations. This complicates the deployment process and creates management issues between local mods and community code. It would be better if the filter config could be external to the tool itself.

This patch addresses this issue. It builds on Spring's DelegatingFilterProxy:
http://static.springsource.org/spring/docs/1.2.x/api/org/springframework/web/filter/DelegatingFilterProxy.html

You simply configure and wire your filters in a Spring config file following the docs for DelegatingFilterProxy, and place a file called xlogin-context.xml in your Sakai home directory. There is a new Spring context listener that will find it, create a Spring context and wire up those filters to the webapp. In this way implementors can keep their local CAS config external to the webapp.

With INFO turned on for the login tool, if you have an xlogin-context.xml, startup will look like this:

2013-01-29 23:50:30,273 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.springframework.beans.factory.xml.XmlBeanDefinitionReader - Loading XML bean definitions from file /Users/jbush/Dev/tools/apache-tomcat-7.0.27-cle28/sakai/xlogin-context.xml
2013-01-29 23:50:30,362 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.tool.ContainerLogin - init()
2013-01-29 23:50:30,363 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.tool.SkinnableLogin - init()

Without one it will look like this:

2013-01-29 23:52:00,957 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.springframework.SakaiHomeContextLoader - org.apache.catalina.core.ApplicationContextFacade@1f16ae0 startup is skipping introspection of the resource: /Users/jbush/Dev/tools/apache-tomcat-7.0.27-cle28/sakai/xlogin-context.xml because it does not exist.
2013-01-29 23:52:00,965 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.springframework.SafeDelegatingFilterProxy - can't find a valid Spring context or a bean with name: org.springframework.security.util.FilterChainProxy so no filter proxying for you!
2013-01-29 23:52:00,965 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.tool.ContainerLogin - init()
2013-01-29 23:52:00,967 INFO ContainerBackgroundProcessor[StandardEngine[Catalina]] org.sakaiproject.login.tool.SkinnableLogin - init()

In addition, this will help anyone attempting to get CAS settings correct, as you can modify the xlogin-context.xml file in the sakai.home folder, and then touch the sakai-login-tool/WEB-INF/web.xml to recycle the app. This is a much faster way to fiddle than recycling the whole Tomcat.

You will still have to add any dependencies into the webapp. At rSmart we simply always include the CAS and Shibboleth jars in our login tool. Alternatively, as a community we might want some Maven build profiles included to help with that.

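A startup-log check for the two cases shown above, as an added example that is not part of the original issue or of the Sakai code base: for each login tool start it reports whether the external filter config was picked up or whether the tool came up with no filter proxying. The sample lines and the /opt/tomcat path are constructed, modelled on the log excerpts in the description; the status names are illustrative.

```python
import re

# Leading log4j timestamp, e.g. "2013-01-29 23:50:30,273 "
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")

def classify_startups(log_text, config_name="xlogin-context.xml"):
    """Return one (timestamp, status) pair per ContainerLogin init() line.

    FILTERS_CONFIGURED: the external Spring config was loaded.
    NO_FILTERS: SafeDelegatingFilterProxy reported that it is not proxying
                (file missing, or file present but the bean name not found).
    UNKNOWN: neither message seen, e.g. the Spring logger is above INFO.
    """
    results, loaded, skipped = [], False, False
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        if "Loading XML bean definitions from file" in line and config_name in line:
            loaded = True
        elif "SafeDelegatingFilterProxy" in line and "no filter proxying" in line:
            skipped = True
        elif "ContainerLogin - init()" in line:
            # The skip message wins: a loaded file without the bean still means no filters.
            status = "NO_FILTERS" if skipped else "FILTERS_CONFIGURED" if loaded else "UNKNOWN"
            results.append((m.group(1), status))
            loaded = skipped = False
    return results

# Constructed sample input (not a real capture); path and third start are made up.
P = "INFO ContainerBackgroundProcessor[StandardEngine[Catalina]]"
SAMPLE_LOG = f"""\
2013-01-29 23:50:30,273 {P} org.springframework.beans.factory.xml.XmlBeanDefinitionReader - Loading XML bean definitions from file /opt/tomcat/sakai/xlogin-context.xml
2013-01-29 23:50:30,362 {P} org.sakaiproject.login.tool.ContainerLogin - init()
2013-01-29 23:52:00,957 {P} org.sakaiproject.login.springframework.SakaiHomeContextLoader - startup is skipping introspection of the resource: /opt/tomcat/sakai/xlogin-context.xml because it does not exist.
2013-01-29 23:52:00,965 {P} org.sakaiproject.login.springframework.SafeDelegatingFilterProxy - can't find a valid Spring context or a bean with name: org.springframework.security.util.FilterChainProxy so no filter proxying for you!
2013-01-29 23:52:00,965 {P} org.sakaiproject.login.tool.ContainerLogin - init()
2013-01-29 23:55:10,101 {P} org.sakaiproject.login.tool.ContainerLogin - init()
"""

if __name__ == "__main__":
    for when, status in classify_startups(SAMPLE_LOG):
        print(when, status)
```

On a deployment that is expected to use CAS or Shibboleth, a NO_FILTERS or UNKNOWN result after a restart is worth alerting on, since the login tool starts normally either way.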
Activity

Earle Nietzel January 5, 2016 at 10:40 AM

Informational
deprecates SakaiHomeContextLoader and SakaiHomeContextLoaderListener and updates the standard SakaiContextLoader with this capability.

Sam Ottenhoff July 23, 2014 at 8:09 AM

Thanks! I committed the change in the sub-task:

Juanjo Meroño July 23, 2014 at 7:36 AM

Patch to fix xlogin-context.xml sample file.

Juanjo Meroño July 23, 2014 at 5:35 AM

Also I had to change the service value in xlogin-context.xml from: <property name="service" value="https://<my-sakai-host>/portal/login"/>
to: <property name="service" value="https://<my-sakai-host>/sakai-login-tool/container"/>

This change is needed to go to direct paths after authentication (/portal/site/....); without this change you always go to /portal instead of going to the original URL.

Juanjo Meroño July 23, 2014 at 1:57 AM

It works for me adding this to xlogin-context.xml:

<bean id="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter"></bean>

<bean id="org.springframework.security.util.FilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/container/**" filters="org.sakaiproject.login.filter.SakaiCasAuthenticationFilter,org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter,org.jasig.cas.client.util.HttpServletRequestWrapperFilter"/>
    </sec:filter-chain-map>
</bean>

Fixed

Created January 30, 2013 at 11:11 AM
Updated March 23, 2022 at 3:01 PM
Resolved January 14, 2014 at 3:07 PM