Saturday, 11 March 2006

CAS & Magnolia

In brief


Magnolia uses a filter to intercept the URLs which are secured and uses basic auth to authenticate the user. Once the authentication is done, Magnolia uses the Authenticator class to read the username and password from the HTTP header and checks the credentials against the ones stored in the repository. Replacing this filter with a customized one that uses CAS to authenticate the user, and replacing the Authenticator class with one that reads the credentials from the HttpSession, does the trick. The new Authenticator does not need to check the password against the repository: once control reaches it, the CAS filter has already taken care of the authentication.


The problem


I like Magnolia, but its source is not well made for customization! It uses a lot of static methods, which means that if you have to customize any part of it you need to physically replace the class you want to customize.


Step by step



  1. Download the Magnolia source code through svn. I used Magnolia 2.1.6

  2. Add the CAS filter to the web.xml of your Magnolia installation (as shown here); remember to configure it with your CAS server settings

  3. Add the CAS security filter (CASSecurityFilter.java) to the web.xml

  4. Replace the class Authenticator in src/main/info/magnolia/cms/security/Authenticator.java with this one

  5. Run maven clean jar and you should get a magnolia*.jar in your target directory

  6. Replace the magnolia*.jar in your Magnolia installation with the one you just built. REPLACE, not copy

  7. Download the Java CAS client (I used version 2.1.1) and add casclient*.jar to your Magnolia WEB-INF/lib


Update (March 10th, 2006): SECURITY RISK


Magnolia relies on the basic auth mechanism for activation. I have right now no time to look at the proxying stuff, so I wrote a workaround which is based on unprotecting the /ActivationHandler URL. Please understand the implications of the workaround! Malicious code could activate/deactivate your content! If you have any questions, don't hesitate to contact me.
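To make the design from "In brief", the filter/Authenticator swap of steps 3 and 4, and the activation caveat above concrete, here is an added example; it is not code from this post or from the Magnolia or CAS projects. It assumes the Servlet 2.x API and the Yale Java CAS client 2.x, whose CASFilter stores the validated username in the session under the CASFilter.CAS_FILTER_USER attribute (check the constant against the client version you downloaded). The class names CasSessionFilter and SessionAuthenticator, the init-param securedPrefixes and the default prefix list are this example's own assumptions, not Magnolia identifiers (the comments below show how much the real Magnolia classes change between versions).

```java
// Added example, not code from this post or from the Magnolia or CAS projects.
// Assumptions: Servlet API 2.x; Yale Java CAS client 2.x (CASFilter.CAS_FILTER_USER).
// CasSessionFilter / SessionAuthenticator are hypothetical names; in a real build
// each top-level class would live in its own file.
package example.cas;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import edu.yale.its.tp.cas.client.filter.CASFilter;

/** Replacement for the header-reading Authenticator: the identity comes from the session. */
final class SessionAuthenticator {
    private SessionAuthenticator() {}

    /** CAS-validated username, or null if CASFilter has not authenticated this session. */
    static String getUserName(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(CASFilter.CAS_FILTER_USER);
        return (user instanceof String) ? (String) user : null;
    }

    // No password check here: CASFilter already validated the ticket with the CAS server.
    static boolean isAuthenticated(HttpServletRequest request) {
        return getUserName(request) != null;
    }

    /** Stand-in for the old 'invalidateUser': drop the whole HTTP session. */
    static void invalidateUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}

/**
 * Guards the secured URL prefixes. Map it in web.xml AFTER CASFilter, so that CASFilter
 * has already redirected to the CAS login page and populated the session.
 */
public final class CasSessionFilter implements Filter {
    // Constructed default: "/.magnolia/" is assumed to be the admin path,
    // "/ActivationHandler" is the activation endpoint named in the post.
    private static final String DEFAULT_SECURED = "/.magnolia/,/ActivationHandler";
    private final List<String> securedPrefixes = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("securedPrefixes");
        if (value == null) {
            value = DEFAULT_SECURED;
        }
        for (String prefix : value.split(",")) {
            if (prefix.trim().length() > 0) {
                securedPrefixes.add(prefix.trim());
            }
        }
    }

    boolean isSecured(String path) {
        for (String prefix : securedPrefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Path relative to the web application, e.g. "/ActivationHandler".
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (isSecured(path) && !SessionAuthenticator.isAuthenticated(req)) {
            // CASFilter should have caught this already; refuse rather than fall through.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        securedPrefixes.clear();
    }
}
```

The post's workaround corresponds to taking /ActivationHandler out of both the CASFilter mapping and securedPrefixes; from then on that URL answers to anyone who can reach it, which is exactly the risk the update describes, so until the proxying is sorted out it should at least be reachable only from the publishing host (IP restriction at the container or reverse proxy). Keeping a single list of secured prefixes in one place also makes that exception visible in web.xml instead of buried in code.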

3 comments:

  1. Hi Roberto,

    Nice to see your work on CAS & Magnolia here.

    I followed your instructions, but I can't get activation work.

    I am not sure if it's because I did something wrong. Could you please give me some advices?

    Cheers,

    Richard
    richard.zeng@gmail.com
    from New Zealand

  2. Hello,
    I am using Magnolia 3.03. I am facing the following compilation error in the Authentication class.

    Cannot instantiate the type User
    in the following lines:
    public static User getUser(HttpServletRequest request) {
        return new User(getUserPage(request));
    }
    Do you have any idea on this?

  3. Hi,

    I've been going through this walkthrough and thought I would post what I found so that others might do things faster.

    Firstly, The CASSecurityFilter.java given here references a number of classes that are deprecated and are no longer part of the source code for later versions of Magnolia.

    For instance:
    - User is now an interface and therefore cannot be instantiated - instead I used the info.magnolia.cms.security.MgnlUser class (this is no doubt the error that the previous poster encountered).
    - info.magnolia.cms.security.SessionAccessControl is deprecated and no longer exists, you should use the methods in info.magnolia.context.MgnlContext
    - The method SessionAccessControl.isSecuredSession(HttpServletRequest request) should be replaced with Authenticator.isAuthenticated(HttpServletRequest)
    - Unfortunately, there does not seem to be an equivalent version of 'invalidateUser', so instead I invalidated the user's session with request.getSession().invalidate();
    - info.magnolia.cms.security.SecureURI no longer exists. For now I have just added it to the package by cutting and pasting the old source code. Once I get a chance to work through this code and see exactly what it's doing I'll post a better fix.
