Tuesday, March 16, 2010

Integrate Liferay with CAS server.

Central Authentication Service (CAS) server is a single sign on (SSO) protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.

CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. In December 2004, CAS became a project of the Java Architectures Special Interest Group, which is as of 2008 responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "JA-SIG CAS". In oder to implement SSO with Liferay, I used the CAS server.

Following steps gives all the steps that I followed implemennting SSO in Liferay. I used Liferay (liferay-portal-tomcat-6.0-5.2.3), CAS Server (cas-server-3.3.5-release) and CAS client (cas-client-2.0.11).

Setting up CAS server:
  • Download the CAS server from http://www.ja-sig.org/downloads/cas/
  • Rename the cas-server-3.3.5\modules\cas-server-webapp-3.3.5.war to cas-web.war.
  • Drop the cas-web.war file into Tomcat's webapps directroy. (For testing purposes I used the Liferay's tomcat but in a production environment CAS servershould really run on its own tomcat instance.
  • Then edit the server.xml file in tomcat and uncomment the SSL section to open up port 8443 as shown below.

Setting up the CAS client:

Generate the SSL cert with Java keytool:

  • In any directory ( I use my root ) enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
  • Answer the questions as shown in the image: (note that your firstname and lastname MUST be hostname of your server and cannot be a IP address; this is very important as an IP address will fail client hostname verification even if it is correct)
  • Then enter the command:
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
I use server.cert for %FILE_NAME%.
  • Finally import the cert into Java's keystore with this command.
keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
  • Startup the CAS server by startup.bat in the bin folder.
  • Now you are ready to startup your CAS server. Simply startup Tomcat and access CAS with https://localhost:8443/cas-web/login You should see the CAS login screen and no errors in your catalina logs.

Setting up Liferay Portal:
  • Remove the sevencogs theme and the sample data by deleting the two sevencogs folders at the liferay-portal-5.2.3\ tomcat-6.0.18\webapps folder and by deleting the lportal.properties and lportal.script files at the liferay-portal-5.2.2\data\hsql folder.
  • Now if you run the liferay you should be able to login to portal by
E-mail: test@liferay.com
Password: test
  • In the webapps/ROOT/WEB-INF/web.xml file add a new filter as shown below(add it as the first filter).
  • Then add the filter mapping directly above the first existing filter mapping as shown below.
  • Then add the following to the rest of the auto login filters.(Just after the last existing auto login filter)
  • Now Start up the Liferay and Go to sign in.
  • It will redirect you you CAS login page.
  • Then Enter the
NetID = test
Password = test
  • Then you will returned back to the Liferay home page as logged in user test.


  1. I recently came across your blog and have been following it. I'm very impressed. You're truly well informed and very intelligent. You've been able to write in a way people can understand easily. I'm saving this for future use.
    liferay training in hyderabad