The Central Authentication Service (CAS) is a single sign-on (SSO) protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning. In December 2004, CAS became a project of the Java Architectures Special Interest Group, which, as of 2008, is responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "JA-SIG CAS". In order to implement SSO with Liferay, I used the CAS server.
The following are all the steps that I followed when implementing SSO in Liferay. I used Liferay (liferay-portal-tomcat-6.0-5.2.3), CAS Server (cas-server-3.3.5-release) and CAS client (cas-client-2.0.11).
Setting up CAS server:
- Download the CAS server from http://www.ja-sig.org/downloads/cas/
- Rename the cas-server-3.3.5\modules\cas-server-webapp-3.3.5.war to cas-web.war.
- Drop the cas-web.war file into Tomcat's webapps directory. (For testing purposes I used Liferay's Tomcat, but in a production environment the CAS server should really run on its own Tomcat instance.)
- Then edit the server.xml file in Tomcat and uncomment the SSL section to open up port 8443 as shown below.
- Download the CAS client from http://www.ja-sig.org/downloads/cas-clients/
- Copy casclient.jar from cas-client-2.0.11\java\lib to ROOT/WEB-INF/lib of the Liferay install.
Generate the SSL cert with Java keytool:
- In any directory (I use my root) enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
- Answer the questions as shown in the image: (note that your first name and last name MUST be the hostname of your server and cannot be an IP address; this is very important, as an IP address will fail client hostname verification even if it is correct)
- Then enter the command:
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
I use server.cert for %FILE_NAME%.
- Finally import the cert into Java's keystore with this command.
keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
- Start up the CAS server by running startup.bat in the bin folder.
- Now you are ready to start up your CAS server. Simply start up Tomcat and access CAS at https://localhost:8443/cas-web/login. You should see the CAS login screen and no errors in your catalina logs.
Setting up Liferay Portal:
- Remove the sevencogs theme and the sample data by deleting the two sevencogs folders in the liferay-portal-5.2.3\tomcat-6.0.18\webapps folder and by deleting the lportal.properties and lportal.script files in the liferay-portal-5.2.2\data\hsql folder.
- Now if you run Liferay you should be able to log in to the portal with:
E-mail: test@liferay.com
Password: test
- In the webapps/ROOT/WEB-INF/web.xml file add a new filter as shown below (add it as the first filter).
- Then add the filter mapping directly above the first existing filter mapping as shown below.
- Then add the following to the rest of the auto login filters (just after the last existing auto login filter).
- Now start up Liferay and go to sign in.
- It will redirect you to the CAS login page.
- Then enter:
NetID = test
Password = test
- Then you will be returned to the Liferay home page as the logged-in user test.
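The redirect to CAS and the return to the portal described in the steps above, sketched as an added example (not code from the original post or from the CAS client library). It goes beyond the post by showing the CAS 2.0 ticket exchange, which is why the portal never handles the password. The service URL, the use of /serviceValidate and the sample responses are assumptions constructed for illustration.

```python
# Added illustration of the CAS 2.0 exchange; not code from the original post.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_BASE = "https://localhost:8443/cas-web"       # CAS URL used in the post
SERVICE = "http://localhost:8080/c/portal/login"  # assumed portal URL (hypothetical)
NS = {"cas": "http://www.yale.edu/tp/cas"}        # CAS 2.0 XML namespace


def login_redirect(service=SERVICE):
    """URL the portal sends an unauthenticated browser to.
    The password is typed there, on the CAS server, never on the portal."""
    return CAS_BASE + "/login?" + urlencode({"service": service})


def validate_url(ticket, service=SERVICE):
    """Back-channel URL the portal calls to redeem the one-time ticket."""
    if not CAS_BASE.startswith("https://"):
        raise ValueError("ticket validation must go over TLS")
    return CAS_BASE + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation(xml_text):
    """Return the authenticated user name, or raise PermissionError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % NS["cas"]:
        raise PermissionError("not a CAS 2.0 response")
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip()
    failure = root.find("cas:authenticationFailure", NS)
    code = failure.get("code") if failure is not None else "UNKNOWN"
    raise PermissionError("CAS rejected the ticket: %s" % code)


# Constructed sample responses; the ticket value below is made up.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>test</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect())
    print(validate_url("ST-1-constructed"))
    print(parse_validation(SUCCESS))
```

The validation call is made by the portal over HTTPS to the CAS server, which is why the CAS certificate has to be trusted by the portal's JVM and its name has to match the hostname.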
I recently came across your blog and have been following it. I'm very impressed. You're truly well informed and very intelligent. You've been able to write in a way people can understand easily. I'm saving this for future use.
Thanks :)