CAS & Magnolia

In brief


Magnolia uses a filter to intercept those urls which are secured and used basic auth to authenticate a user. Once the authentication is done, magnolia uses the Authenticator class to read username and password from the http header and checks the credential with the one stored in the repository. Replacing this filter with a customized one using CAS to authenticate the user and replacing the Authenticator class with one which reads the credential from the HttpSession does the trick. The new Authenticator does not need to check the password in the repository since once the control reaches it, the CAS filter has already taken care of the authentication.


The problem


I like Magnolia, but its source is not well made for customization! It uses a lot of static methods which means that if you have to customize any part of it you need to phisically replace the class you want to customize.


Step by step



  1. Download magnolia source code through svn. I used magnolia 2.1.6

  2. Add the CAS filter to the web.xml of your magnolia installation (as shown here), rember to configure it with your cas server settings

  3. Add the CAS filter to the web.xml (CASSecurityFilter.java)

  4. Replace the class Authenticator in src/main/info/magnolia/cms/security/Authenticator.java with this one

  5. Run maven clean jar and you should get a magnolia*.jar in you target directory

  6. Replace the magnolia*.jar in your magnolia installation with the given one. REPLACE, not copy

  7. Download Java CAS client ( used version 2.1.1) and add casclient*.jar to your Magnolia WEB-INF/lib


Update (march 10th, 2006): SECURITY RISK


Magnolia relies on the basic auth mechanism for the activation. I have right now no time to look at the proxying stuff so I wrote a workaround wich is base on unprotecting the /ActivationHandler url. Please understand the implications of the workaround! Malicius code could activate/deactivate your content!. If you have any questions don't esitate to contact me.

Comments

  1. Richard23 March 2007 at 05:25

    Hi Roberto,

    Nice to see your work on CAS & Magnolia here.

    I followed your instructions, but I can't get activation work.

    I am not sure if it's because I did something wrong. Could you please give me some advices?

    Cheers,

    Richard
    richard.zeng@gmail.com
    from New Zealand

    ReplyDelete
  2. Sankar4 September 2007 at 13:24

    Hello,
    I am using Magnolia 3.03 .I am facing the following compilation error in the Authentication class.

    Cannot instantiate the type User
    in the following lines public static User getUser(HttpServletRequest request) {
    return new User(getUserPage(request));
    }
    Do you have any idea on this?

    ReplyDelete
  3. Chris Robson31 March 2008 at 17:50

    Hi,

    I've been going through this walkthrough and thought I would post what I found so that others might do things faster.

    Firstly, The CASSecurityFilter.java given here references a number of classes that are deprecated and are no longer part of the source code for later versions of Magnolia.

    For instance:
    - User is now an interface and therefore cannot be instantiated - instead I used the info.magnolia.cms.security.MgnlUser class (this is no doubt the orror that the previous poster encountered).
    - info.magnolia.cms.security.SessionAccessControl is deprecated and no longer exists, you should use the methods in info.magnolia.context.MgnlContext
    - The method SessionAccessControl.isSecuredSession(HttpServletRequest request) should be replaced with Authenticator.isAuthenticated(HttpServletRequest)
    - Unfortunately, there does not seem to be an equivalent version of 'invalidateUser' so instead I invalidated the user's session with (request.getSession).invalidate();
    - info.magnolia.cms.security.SecureURI no longer exists. For now I have just added it to the package by cutting and pasting the old source code. Once I get a chance to work through this code and see exactly what it's doing i'll post a better fix.

    ReplyDelete

Post a Comment

Popular posts from this blog

Home Assistant in Docker on MacOs BigSur

  Install brew. Follow instructions on https://brew.sh/ Install virtualbox # brew install virtualbox Install docker-machine # brew install docker-machine # brew services start docker-machine If you want the machine to run at boot (rather than at login) Move your launchd configuration file homebrew.mxcl.docker-machine.plist from $USER/Library/LaunchAgents to /Library/LaunchDaemons Add a user directive:  <key>UserName</key> <string>robcos</string> Make sure the permissions are right: # sudo chmod root.wheel homebrew.mxcl.docker-machine.plist Install docker # brew install docker Create a virtual machine # docker-machine create --driver=virtualbox default Setup docker environment (you will need this every time you open a new shell) # eval $(docker-machine env default) Setup your “default” virtualbox to forward any relevant port.  Settings -> Network -> Adapter 1 -> Nat -> Advanced In my case I forward 1880 for NodeRed, 8123 for HomeAssistant and 8080 for
Read more

The little yellow book of vaccinations

Image
I have almost filled my yellow book with vaccinations. You get it when you contact NHS and make an appointment with your closest travel clinic. I went to my usual surgery Sterndale in Hammersmith. The nurse recommended to get Hepatitis A and B, Typhoid, Rabies and the compulsory Yellow Fever. Some of them require more than one shot so make sure to start your treatment at least 3 weeks before you leave. I am also going to get an anti malaria treatment but for that I need another appointment. The injection are almost harmless so don't be scared. Be scared of the bill though as some of those vaccines are not free and cost up to 40£ per short. And yes, you can also use private clinics as Nomad (STA Travel) but it will cost you more.
Read more

Installing Box Backup on a ReadyNas NV+ (sparc)

Image
I'm jetlagged so what do I do? I install Box Backup on my NetGear ReadyNas NV+. A while ago I have in fact built my own little datacenter in my loft. There I store all my music and most importantly the backup for all the pictures that I take. It is a raid 5 so if one of the disks breaks down, I can still recover 100% of the data. But what happens if it gets stolen or something really bad happens? I will loose everything so I need to have another backup copy of my data somewhere else. Meet www.boxbackup.org : The backup daemon,  bbackupd , runs on all machines to be backed up. The store server daemon,  bbstored  runs on a central server. Data is sent to the store server, which stores all data on local filesystems, that is, only on local hard drives. Tape or other archive media is not used. The ReadyNas NV+ has a Sparc CPU and at the moment there are no official builds for this platform so I had to build it myself. It took a while to find the right setup so let me shar
Read more