Magnolia uses a filter to intercept secured URLs and uses basic auth to authenticate the user. Once the authentication is done, Magnolia uses the Authenticator class to read the username and password from the HTTP header and checks the credentials against the ones stored in the repository. Replacing this filter with a customized one that uses CAS to authenticate the user, and replacing the Authenticator class with one that reads the credentials from the HttpSession, does the trick. The new Authenticator does not need to check the password in the repository: by the time control reaches it, the CAS filter has already taken care of the authentication.
I like Magnolia, but its source is not well made for customization! It uses a lot of static methods, which means that if you have to customize any part of it you need to physically replace the class you want to customize.
Step by step
- Download magnolia source code through svn. I used magnolia 2.1.6
- Add the CAS filter to the web.xml of your Magnolia installation (as shown here); remember to configure it with your CAS server settings
- Add the CAS filter to the web.xml (CASSecurityFilter.java)
- Replace the class Authenticator in src/main/info/magnolia/cms/security/Authenticator.java with this one
- Run maven clean jar and you should get a magnolia*.jar in your target directory
- Replace the magnolia*.jar in your Magnolia installation with the given one. REPLACE, not copy
- Download the Java CAS client (I used version 2.1.1) and add casclient*.jar to your Magnolia WEB-INF/lib
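
The replacement Authenticator described above only has to read what the CAS filter left in the HttpSession, and it must refuse the request when nothing is there. An added example of that check (not the class linked from this post and not Magnolia code): the class and method names are hypothetical, and it assumes the filter stores the user under the session attribute used by the stock CASFilter of the Java CAS client 2.x.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example: session-based authenticator that trusts the CAS filter.
 * Hypothetical class, not Magnolia's Authenticator API.
 */
public final class CasSessionAuthenticator {

    // Assumption: the filter in front of Magnolia stores the validated user
    // under the attribute used by the stock CASFilter (CASFilter.CAS_FILTER_USER).
    static final String CAS_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";

    private CasSessionAuthenticator() {
    }

    /**
     * Returns the CAS-authenticated user id, or null when the request did not
     * pass through the CAS filter. No password is read or checked here.
     */
    public static String getUserId(HttpServletRequest request) {
        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(CAS_USER_ATTR);
        // Reject missing, non-String or blank values instead of guessing.
        if (!(user instanceof String) || ((String) user).trim().length() == 0) {
            return null;
        }
        return (String) user;
    }

    /**
     * Fail closed: a URL that is secured in Magnolia but not covered by the
     * CAS filter mapping in web.xml ends up here with no user in the session.
     */
    public static boolean authenticate(HttpServletRequest request) {
        return getUserId(request) != null;
    }
}
```

Because this class performs no credential check of its own, every URL it guards has to be covered by the CAS filter mapping in web.xml.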
Update (March 10th, 2006): SECURITY RISK
Magnolia relies on the basic auth mechanism for the activation. I have no time right now to look at the proxying stuff, so I wrote a workaround which is based on unprotecting the /ActivationHandler URL. Please understand the implications of the workaround! Malicious code could activate/deactivate your content! If you have any questions don't hesitate to contact me.