CASifying Sakai

Information about how to CASify Sakai, captured from threads on the sakai-dev and cas email lists. Thanks are due to Drew Mazurek, Glenn Golden, Vishal Goenka, Lyndon Tiu, and others for posting to the lists information that's been captured here.

CASifying Sakai 2.0

Looking for CAS 3 info?

These instructions are for CAS 2. For CAS 3, read the new article.

A new version of Sakai brought many changes, one of which was how to CASify it.

CAS can be implemented via an Apache module or a servlet filter. Much of what is discussed here is applicable to other WebISOs.

Adding a second login button that bypasses container authentication (using /portal/xlogin instead of /portal/login) is now a configurable option in $TOMCAT/sakai/sakai.properties. Details are at the end of this section.

The Sakai 2.0 readme includes brief information on how to CASify Sakai

CAS via an Apache module

1) Install mod_cas (or its equivalent) under Apache and enable SSL.
2) Add the following to Apache's httpd.conf:
<Location /sakai-login/container>
     AuthType CAS
     Require valid-user
</Location>
3) Edit Tomcat's server.xml

Disable Tomcat's container authentication by adding the following parameter to the AJP connector configuration. With it, Tomcat stops authenticating users itself and accepts the REMOTE_USER that mod_cas set in Apache:

tomcatAuthentication="false"

Note that this makes Tomcat trust whatever remote user arrives over AJP. Anyone who can open an AJP connection to Tomcat directly (port 8009 below) can assert an arbitrary user name and be logged in through /sakai-login/container, so the AJP port must be reachable only from the Apache front end: bind it to the loopback or an internal interface with the connector's address attribute, or firewall it.

When you're done, the connector declaration should look something like this:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
enableLookups="false" redirectPort="8443"
tomcatAuthentication="false" URIEncoding="UTF-8"
protocol="AJP/1.3" />
4) Add these entries to $TOMCAT/sakai/sakai.properties
top.login = false
container.login = true

CAS via a servlet filter

Essentially, any servlet filter that authenticates the user and wraps the request so that getRemoteUser() returns the authenticated user name will do. It must be installed in the sakai-login webapp and mapped to the /container path, and only that path: the rest of Sakai relies on the session that the login establishes (see the notes from the lists below).

If you are using a newer version of the "official" CASFilter, you need to enable an optional init-param:

edu.yale.its.tp.cas.client.filter.wrapRequest

Once set to "true", it will wrap the HttpServletRequest object so the call to getRemoteUser() returns the CAS-authenticated user.

See http://jasigch.princeton.edu:9000/display/CAS/Using+CASFilter for more information.

1) Obtain a filter and install its jar (and any jars it depends on) in $TOMCAT/webapps/sakai-login/WEB-INF/lib/.
2) Configure sakai-login's web.xml ($TOMCAT/webapps/sakai-login/WEB-INF/web.xml):

First, add your filter configuration, usually after any others:

[...]
    <filter-mapping>
        <filter-name>sakai.request.container</filter-name>
        <servlet-name>sakai.login.container</servlet-name>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <!-- begin servlet filter -->
    <filter>
        <filter-name>my-filter</filter-name>
        [...params...]
    </filter>

    <filter-mapping>
        <filter-name>my-filter</filter-name>
        <url-pattern>/container</url-pattern>
    </filter-mapping>
    <!-- end servlet filter -->

    <servlet>
        <servlet-name>sakai.login</servlet-name>
        <servlet-class>org.sakaiproject.tool.login.LoginTool</servlet-class>
[...]

Next, add another filter mapping to force requests for /container through Sakai's RequestFilter. This mapping must be placed close to the top of web.xml, near:

[...]
        <filter-class>org.sakaiproject.util.RequestFilter</filter-class>
    </filter>

<!-- Force request for /container through the request filter -->
    <filter-mapping>
        <filter-name>sakai.request</filter-name>
        <url-pattern>/container</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>

    <filter>
        <filter-name>sakai.request.container</filter-name>
        <filter-class>org.sakaiproject.util.RequestFilter</filter-class>
[...]

If your tests (see below) fail, try substituting "<url-pattern>/*</url-pattern>" for "<url-pattern>/container</url-pattern>" in the above stanza.

3) Restart Sakai and test.

Clicking on the "Login" link should redirect you for authentication and then log you into Sakai.
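The following is an added example, not code from this page, from Sakai or from the CAS client: a minimal filter for the sakai-login webapp that does what CASFilter's wrapRequest option does, so that the "any filter that wraps getRemoteUser()" requirement above is concrete. It assumes it is mapped to /container and listed after the CAS filter in web.xml, so the CAS filter has already validated the ticket and stored the user name in the session. It reads that name from the session attribute the Yale CASFilter uses (edu.yale.its.tp.cas.client.filter.user; the init-param userSessionAttribute that overrides it is this example's own), wraps the request so getRemoteUser() returns it, and refuses the request if no user is present.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter for the sakai-login webapp, mapped to /container only.
 * It must run AFTER a CAS filter that has validated the service ticket and
 * stored the user in the session; it then wraps the request so that
 * LoginTool's call to getRemoteUser() sees that user. Fails closed when
 * no CAS user is present.
 */
public class RemoteUserBridgeFilter implements Filter {

    // Session attribute written by the Yale CASFilter (CASFilter.CAS_FILTER_USER).
    // Assumption: your CAS filter uses this key; override with the
    // (example-specific) init-param "userSessionAttribute" if it does not.
    private static final String DEFAULT_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";

    private String userAttr = DEFAULT_USER_ATTR;

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("userSessionAttribute");
        if (configured != null && configured.length() > 0) {
            userAttr = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = casUser(request);
        if (user == null) {
            // The CAS filter in front of us should already have redirected
            // unauthenticated requests to CAS. If we get here without a user,
            // refuse rather than hand LoginTool a request whose
            // getRemoteUser() is null.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "No CAS-authenticated user");
            return;
        }
        chain.doFilter(new RemoteUserRequest(request, user), response);
    }

    public void destroy() {
    }

    /** Returns the CAS-authenticated user stored in the session, or null. */
    String casUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(userAttr);
        if (value instanceof String && ((String) value).length() > 0) {
            return (String) value;
        }
        return null;
    }

    /** Request wrapper whose getRemoteUser() returns the CAS user name. */
    static final class RemoteUserRequest extends HttpServletRequestWrapper {
        private final String user;

        RemoteUserRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        public String getRemoteUser() {
            return user;
        }
    }
}
```

Filters run in the order of their <filter-mapping> elements in web.xml, so the mapping for this filter must come after the CAS filter's mapping for /container. The 403 on a missing user is deliberate: if the CAS filter is accidentally left out or mapped to a different path, the failure is visible at once instead of the request reaching LoginTool as an anonymous container login.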

Adding a second button to bypass container auth

Note: You must pull new code from the Subversion tree to get this functionality. It is not in the 2.0.0 source release.

Recent versions of Sakai support a second login ("xlogin") to bypass container-based logins. In addition, you can also use an icon for the login links; see the examples (https://source.sakaiproject.org/svn/trunk/sakai/reference/library/src/webapp/image) in the Subversion tree.

A sample sakai.properties using xlogin:

###
### Authentication settings
###

# Show login/password boxes at top?
# Almost always false
#
top.login=false

#
# For CAS-based login, set to true
#
container.login=true

#
# Login icon (uses container auth)
# set to cas_login when CAS is in use
#
login.icon=/library/image/cas_login.gif

#
# Controls 2nd button (bypasses container auth)
#
xlogin.enabled=true
xlogin.text=Guests
xlogin.icon=/library/image/xlogin_login.gif

# Logout icon
#
logout.icon=/library/image/cas_logout.gif

CASifying Sakai 1.5

Install mod_cas under Apache.

Edit httpd.conf

Add this to httpd.conf:

<Location /tunnel/sakai-chef-tool/authn>
AuthType CAS
Require valid-user
</Location>

Edit Tomcat server.xml

For the JK2 Connector, add the following parameter, which makes Tomcat accept the REMOTE_USER that Apache sends over AJP instead of authenticating the user itself:

tomcatAuthentication="false"

Because Tomcat then trusts any remote user sent over AJP, the AJP port must be reachable only from the Apache front end (bind it to an internal interface with the connector's address attribute, or firewall it).

When you're done, the connector declaration should look something like this:

<Connector port="8009"
enableLookups="false" redirectPort="8443" debug="0"
tomcatAuthentication="false"
protocol="AJP/1.3" />

Edit sakai.properties

top.login = false
container.auth = true

Optional: edit the Login UI to reflect CAS usage

Optionally edit webapps/sakai-chef-tool/vm/sitenav/login.vm

In general it is recommended when using CAS to make it clear to the user when following a link will invoke CAS authentication. So we'll change the "Login" link to be "Login through CAS":

Making it clear that Login goes through CAS
<input type="button" class="button" value="Login through CAS"
onclick="parent.location='$login_url'" />

Also, optionally, we can add a link to Login without using CAS:

A link to login without using CAS
<input type="button" class="button" value="Login without CAS"
onclick="parent.location='/login'" />

Other notes from the lists (Sakai 1.5)

What we do at U of M for CTools, which uses an Apache based single sign-on called COSIGN, is to enable the COSIGN checking for ONLY the login url. That way when we want a user to be logged in, it goes through the single sign-on system, and if successful, we see the remote user set and we establish a session for the user. All other requests do not go through the single sign-on (and in fact the request remote user is not set), but the user's session has already been established.

The path we protect is:

/tunnel/sakai-chef-tool/authn

There's a way for the user to avoid going through this, by using the login path:

/login

This invokes the Sakai internal login dialog, without invoking our single sign-on system.

  • Glenn

On Nov 12, 2004, at 6:11 AM, Vishal Goenka wrote:

My approach may be considered a hack, but I found this quick and easy. If there is a cleaner way along the lines that Drew has approached, I would love to know about it.

I installed a CAS Filter in tomcat for the sakai-dispatch webapp. In the CAS Filter (or in a separately chained ServletFilter) I directly invoke methods in org.sakaiproject.util.Setup (Setup.setup(request, response) followed by Setup.login(user, request)) after a successful CAS ticket validation.

The one thing I haven't found a way to resolve, is to ensure that CAS is triggered only for the authenticated portion of Sakai. Since the non-authenticated access to Site Info etc. isn't distinguished based on URL, rather is based on session context, I have to enable the CAS Filter for <url-pattern>/*</url-pattern>.

Thanks.

  • Vishal

Vishal Goenka
SunGard SCT
Advisory Technical Architect, Luminis Solutions
+91 80 511 42767 (Office)
+91 98455 46487 (Mobile)
Time Zone: GMT +5:30
vgoenka@sungardsct.com
www.sungardsct.com

>>>> ----Original Message----
>>>> From: Drew Mazurek drew.mazurek@yale.edu
>>>> Sent: Thursday, November 11, 2004 10:05 PM
>>>> To: sakai-dev
>>>> Subject: CASifying Sakai
>>>>
>>>> Poking around the list, I've seen at least a couple institutions have
>>>> CASified Sakai. Any pointers?
>>>>
>>>> I've been working on it in a couple ways – through mod_cas in
>>>> Apache, and through the CAS Filter in Tomcat (setting the filter to
>>>> wrap the request and provide a useful getRemoteUser()). In
>>>> sakai.properties, I set top.login=false and container.auth=true.
>>>> When I tried it out, I got redirected through CAS, but when I hit
>>>> Sakai, I wasn't logged in – there was still a "Login" button in the
>>>> top right corner. When I clicked on it, I was presented a "user id"
>>>> and "password" screen.
>>>>
>>>> I made sure an account exists for the user I am trying to log in as,
>>>> so I don't think that's the problem. Does anyone out there know
>>>> what's going on?
>>>>
>>>> Thanks in advance!