Author: jaredmorgs
Date: 2013-01-31 17:31:27 -0500 (Thu, 31 Jan 2013)
New Revision: 9106
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Author_Group.xml
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
BZ#856450 - Implemented all CAS QE review comments from Tomas K. Ready for verification.
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Author_Group.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Author_Group.xml 2013-01-31 04:53:02 UTC
(rev 9105)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Author_Group.xml 2013-01-31 22:31:27 UTC
(rev 9106)
@@ -8,14 +8,6 @@
<firstname>Red Hat</firstname>
<surname>Documentation Group</surname>
</author>
- <editor>
- <firstname>Thomas</firstname>
- <surname>Heute</surname>
- </editor>
- <editor>
- <firstname>Chris</firstname>
- <surname>Laprun</surname>
- </editor>
<othercredit>
<affiliation>
<orgname><emphasis role="bold">
@@ -25,6 +17,6 @@
</emphasis></orgname>
<orgdiv>Documentation Teams</orgdiv>
</affiliation>
- <contrib>Based on original product documentation by:</contrib>
+ <contrib>Based on original documentation by:</contrib>
</othercredit>
</authorgroup>
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-31 04:53:02
UTC (rev 9105)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-31 22:31:27
UTC (rev 9106)
@@ -8,6 +8,20 @@
<simpara>
<revhistory>
<revision>
+ <revnumber>6.0.0-44</revnumber>
+ <date>Wed Jan 30 2013</date>
+ <author>
+ <firstname>Jared</firstname>
+ <surname>Morgan</surname>
+ <email/>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>BZ#856450 - Implemented all CAS QE review comments from Tomas
K. Ready for verification.</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+ <revision>
<revnumber>6.0.0-43</revnumber>
<date>Wed Jan 30 2013</date>
<author>
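Review bot: The new 6.0.0-44 entry reuses the date of the 6.0.0-43 entry ("Wed Jan 30 2013") although the commit itself is dated 31 Jan 2013; the revision history should carry the date the change was actually made so the two revisions are distinguishable. The `<email/>` element is also left empty; either fill it or drop it, since an empty element renders as nothing.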
@@ -18,7 +32,7 @@
<revdescription>
<simplelist>
<member>Cleaned up imported content in Chapter III. - Authentication
and Authorization.</member>
- <member>Cleared out TODO, FIXME and some other remarks, further code cleanup,
spell-check, unified capitals in titles, removed links to
docs.jboss.org (where
applicable), removed some technical jargon, etc.</member>
+ <member>Cleared out TODO, FIXME and some other remarks, further code
cleanup, spell-check, unified capitals in titles, removed links to
docs.jboss.org (where
applicable), removed some technical jargon, etc.</member>
</simplelist>
</revdescription>
</revision>
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2013-01-31
04:53:02 UTC (rev 9105)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2013-01-31
22:31:27 UTC (rev 9106)
@@ -86,7 +86,7 @@
</listitem>
<listitem>
<para>
- The interceptor redirects the user to the CAS login page <ulink
url="http://localhost:8888/cas/login"/> . The user enters the correct
authentication information, and submits the form.
+ The interceptor redirects the user to the CAS login page <ulink
url="http://localhost:8888/cas/login"/>. The user enters the correct
authentication information, and submits the form.
</para>
<para>
The CAS server retrieves the information from the identity store.
The store could be an external database, a LDAP server, or from information obtained
through an authentication plug-in such as the one shipped with JBoss Portal Platform.
Refer to <xref linkend="sect-CAS_Authentication_Plug-in"/> for specific
details about this technology.
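Review bot: The unchanged context in this hunk still reads "a LDAP server"; while touching this paragraph, change it to "an LDAP server". It would also help readers to state once that `http://localhost:8888/cas/login` and the other `localhost` URLs in this walkthrough are local example values rather than required addresses.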
@@ -94,7 +94,7 @@
</listitem>
<listitem>
<para>
- Once CAS determines the user has the correct access privileges to
access the portal server, CAS redirects the user back to the portal through another marker
URL such as <ulink url="http://localhost:8080/portal/initiatelogin"/> .
+ Once CAS determines the user has the correct access privileges to
access the portal server, CAS redirects the user back to the portal through another marker
URL such as <ulink url="http://localhost:8080/portal/initiatelogin"/>.
</para>
<para>
The <emphasis
role="strong">InitiateLoginFilter</emphasis> interceptor acts on the
user redirection to <emphasis
role="italics">/portal/initiatelogin</emphasis> by obtaining a CAS
ticket attached in the HTTP request inside the <emphasis
role="italics">ticket</emphasis> parameter. The interceptor then
delegates validation of this ticket to a configured <emphasis
role="strong">CASAgent</emphasis> component.
@@ -107,7 +107,7 @@
</listitem>
<listitem>
<para>
- After SSO validation, <emphasis
role="italics">InitiateLoginFilter</emphasis> redirects the user to the
portal login URL <ulink url="http://localhost:8080/portal/login"/> , which
initiates JAAS authentication.
+ After SSO validation, <emphasis
role="italics">InitiateLoginFilter</emphasis> redirects the user to the
portal login URL <ulink url="http://localhost:8080/portal/login"/>, which
initiates JAAS authentication.
</para>
<para>
The <emphasis
role="strong">SSOLoginModule</emphasis> detects whether the user has
been successfully validated by <emphasis
role="italics">CASAgent</emphasis>. If this is the case, the login
module obtains data about user (groups, memberships) from <emphasis
role="italics">OrganizationService</emphasis> and encapsulates the
details into an <emphasis role="strong">Identity</emphasis> object.
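Review bot: Unchanged context in this hunk reads "obtains data about user (groups, memberships)"; since the paragraph is being edited anyway, make it "obtains data about the user (groups, memberships)".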
@@ -142,12 +142,12 @@
</listitem>
<listitem>
<para>
- The <emphasis
role="strong">CASLogoutFilter</emphasis> interceptor recognizes the
logout request, and redirects the user to the CAS logout page <ulink
url="http://localhost:8888/cas/logout"/> .
+ The <emphasis
role="strong">CASLogoutFilter</emphasis> interceptor recognizes the
logout request, and redirects the user to the CAS logout page <ulink
url="http://localhost:8888/cas/logout"/>.
</para>
</listitem>
<listitem>
<para>
- The CAS server logs out the user, and invalidate the CAS cookie
<emphasis role="italics">CASTGC</emphasis> .
+ The CAS server logs out the user, and invalidates the CAS cookie
<emphasis role="italics">CASTGC</emphasis>.
</para>
</listitem>
<listitem>
@@ -202,7 +202,7 @@
<title><remark>BZ#856430 </remark>Download CAS</title>
<remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Central+Authentication+...
<para>
- CAS can be downloaded from <ulink
url="http://www.jasig.org/cas/download"/> . The supported version is
<emphasis role="italics">CAS 3.5</emphasis> . More recent CAS
versions may also work, however have not been officially tested as part of this specific
configuration exercise.
+ CAS can be downloaded from <ulink
url="http://www.jasig.org/cas/download"/>. The supported version is
<emphasis role="italics">CAS 3.5</emphasis>. More recent CAS
versions may also work, however have not been officially tested as part of this specific
configuration exercise.
</para>
<para>
Extract the downloaded file into a suitable working directory. This
location will be referred to as <code>CAS_DIR</code> in subsequent
configuration instructions.
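Review bot: The download link `http://www.jasig.org/cas/download` is plain HTTP for a component that will hold the user's authentication state; prefer the HTTPS form of the link and add a sentence telling the reader to verify the integrity of the downloaded archive before extracting it into `CAS_DIR`. Minor wording in the same paragraph: "may also work, however have not been" reads better as "may also work, but have not been".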
@@ -246,24 +246,20 @@
</para>
<note>
<para>
- This configuration is available in the
<code><replaceable>JPP_DIST</replaceable>gatein-sso/cas/plugin/WEB-INF/deployerConfigContext.xml</code>
file. If you choose to take this configuration file, ensure the default host, port and
context parameters are adjusted to match the values corresponding to the remote portal
instance.
+ This configuration is available in the
<code><replaceable>JPP_DIST</replaceable>/gatein-sso/cas/plugin/WEB-INF/deployerConfigContext.xml</code>
file. If you choose to take this configuration file, ensure the default host, port and
context parameters are adjusted to match the values corresponding to the remote portal
instance.
</para>
</note>
- <programlisting>
-<!--
- XML comment used for configuration guidance removed for ease of readability+-->
-<bean
class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
+ <programlisting language="XML"><bean
class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
<property
name="gateInProtocol"><value>http</value></property>
<property
name="gateInHost"><value>localhost</value></property>
<property
name="gateInPort"><value>8080</value></property>
<property
name="gateInContext"><value>portal</value></property>
<property
name="httpMethod"><value>POST</value></property>
-</bean>
-</programlisting>
+</bean></programlisting>
</step>
<step>
<para>
- Copy all jars from
<code><replaceable>JPP_DIST</replaceable>gatein-sso/cas/plugin/WEB-INF/lib/</code>
to the <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/lib</code>
directory.
+ Copy all jars from
<code><replaceable>JPP_DIST</replaceable>/gatein-sso/cas/plugin/WEB-INF/lib/</code>
to the <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/lib</code>
directory.
</para>
</step>
</procedure>
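Review bot: The listing now sets `gateInProtocol` to `http` with no accompanying caveat, and the explanatory XML comment that was removed for readability is not replaced by prose. Since this bean describes how the CAS-side authentication plug-in talks to the portal, the surrounding text should state that `http` is appropriate only when CAS and the portal are on the same host or in a test setup, and that `gateInProtocol` should be `https` (with a matching `gateInPort`) for any deployment where that traffic crosses a network. The `language="XML"` attribute and the corrected `JPP_DIST/` path are good fixes.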
@@ -272,9 +268,9 @@
<title>Logout Redirection Setup</title>
<remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Central+Authentication+...
<para>
- The CAS server displays the CAS logout page with a link to return to
the portal by default. To make the CAS server redirect to the portal page after a logout,
modify <code>CAS_DIR/cas-server-webapp/src/main/webapp/</code>
<code>WEB-INF/cas-servlet.xml</code> to include the
<code>followServiceRedirects="true"</code> parameter:
+ The CAS server displays the CAS logout page with a link to return to
the portal by default. To make the CAS server redirect to the portal page after a logout,
modify
<code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml</code>
to include the <code>followServiceRedirects="true"</code>
parameter:
</para>
- <programlisting language=""><bean
id="logoutController"
class="org.jasig.cas.web.LogoutController"
+ <programlisting language="XML"><bean
id="logoutController"
class="org.jasig.cas.web.LogoutController"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:logoutView="casLogoutView"
p:warnCookieGenerator-ref="warnCookieGenerator"
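Review bot: Enabling `followServiceRedirects="true"` on `logoutController` makes CAS redirect after logout to a target supplied with the request rather than always to its own logout page; the paragraph should add a caveat that the CAS deployment must restrict redirect targets to registered services, otherwise the logout endpoint becomes a redirector to arbitrary sites. A short sentence such as "Only enable this when service URLs are validated on the CAS server" would cover it. Also worth noting that the listing here is cut short in the hunk context, so check that the full `<bean>` element still validates after the `language` attribute change.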
@@ -287,7 +283,7 @@
<remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Central+Authentication+...
<para>
Jasic CAS uses a cookie named
- <firstterm> CAS Ticket Granting Cookie </firstterm>
+ <firstterm> CAS Ticket Granting Cookie</firstterm>
(CASTGC) to control the authentication state within the browser
session. The cookie contains a Ticket Granting Ticket (TGT), which preserves SSO
authentication where more than one site is controlled by the same SSO profile.
</para>
<example id="exam-CASTGC_Authentication">
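Review bot: The unchanged context line reads "Jasic CAS"; the project is Jasig CAS (matching the jasig.org download URL used earlier in this file), so fix the typo while editing this paragraph. The change also removes only the trailing space inside `<firstterm>`; the leading space in `<firstterm> CAS Ticket Granting Cookie</firstterm>` is still there and should be removed too, since it is rendered as part of the term.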
@@ -303,7 +299,7 @@
</para>
</example>
<para>
- The behavior described in <xref
linkend="exam-CASTGC_Authentication"/>exists through a secured connection
only (https connection). To benefit from authentication across two or more portals, one of
the options below must be implemented. Choose the correct option based on the deployment
environment:
+ The behavior described in <xref
linkend="exam-CASTGC_Authentication"/> exists through a secured connection
only (https connection). To benefit from authentication across two or more portals, one of
the options below must be implemented. Choose the correct option based on the deployment
environment:
</para>
<variablelist>
<varlistentry>
@@ -318,7 +314,7 @@
<para>
To configure this test behavior, open
<code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml</code>
and switch the attribute <code>cookieSecure</code> to false.
</para>
- <programlisting><bean
id="ticketGrantingTicketCookieGenerator"
+ <programlisting language="XML"><bean
id="ticketGrantingTicketCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
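Review bot: The listing shows `p:cookieSecure="false"` on the `CASTGC` cookie generator and the paragraph calls this "test behavior", but nothing states the consequence: with `cookieSecure` off, the browser sends the Ticket Granting Cookie over plain HTTP, so anyone who can observe that traffic holds the user's SSO session. Add a `<warning>` or a sentence right after the listing saying this setting must never be used outside a local test and that the other option in this variablelist (keeping HTTPS) is the production choice.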
@@ -384,7 +380,7 @@
<section id="sect-CAS_Portal_SSO_Primary_Configuration_File">
<title>Portal SSO Primary Configuration File</title>
<para>
- The main portal configuration file for SSO integration is
<code>JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/security-sso-configuration.xml</code>
. All required SSO components such as agents and SSO interceptors (servlet filters in v5.x
of the product) are configured in this file.
+ The main portal configuration file for SSO integration is
<code>JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/security-sso-configuration.xml</code>.
All required SSO components such as agents and SSO interceptors (servlet filters in v5.x
of the product) are configured in this file.
</para>
<para>
In most cases, it will never be necessary to edit
<filename>security-sso-configuration.xml</filename> directly when using JBoss
Portal Platform. The portal architecture allows users to override the base configuration
described in this file using name/value pairs configured in one place:
<filename>JPP_HOME/standalone/configuration/gatein/configuration.properties</filename>
@@ -403,7 +399,7 @@
<title>Configuring SSO configuration.properties for CAS</title>
<step>
<para>
- Open
<filename>JPP_HOME/standalone/configuration/gatein/configuration.properties</filename>
and locate the SSO sections in the file.
+ Open
<filename>JPP_HOME/standalone/configuration/gatein/configuration.properties</filename>
and locate the SSO section in the file.
</para>
</step>
<step>
@@ -420,7 +416,7 @@
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.CASLogoutFilter
gatein.sso.filter.logout.url=${gatein.sso.server.url}/logout
-gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/login?service=${gatein.sso.portal.url}/@@[portal.container.name]@(a)/initiatessologin
+gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/login?service=${gatein.sso.portal.url}/@@portal.container.name@(a)/initiatessologin
</programlisting>
</step>
</procedure>
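Review bot: The corrected `gatein.sso.filter.login.sso.url` value uses a `portal.container.name` placeholder whose delimiters should match exactly the form quoted in the `<literal>` inside the note at the end of this file; as rendered here the two differ, and a reader copying one form from the note into this property will get a literal string rather than a substituted container name. Pick one spelling and use it in both places. As elsewhere, `gatein.sso.portal.url=http://localhost:8080` should be flagged as a local example value.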
@@ -441,7 +437,7 @@
Specifies whether the REST callback authentication handler is
enabled.
</para>
<para>
- The handler is required if the CAS server must use the SSO
Authentication plug-in to handle portal authentication. See <xref
linkend="sect-CAS_Logout_Redirection"/> for details. The callback handler is
enabled by default. Set the parameter to false if the authentication plug-in on the CAS
server side is not required.
+ The handler is required if the CAS server must use the SSO
Authentication plug-in to handle portal authentication. See <xref
linkend="sect-CAS_Authentication_Plug-in"/> for details. The callback handler
is enabled by default. Set the parameter to false if the authentication plug-in on the CAS
server side is not required.
</para>
</listitem>
</varlistentry>
@@ -452,7 +448,7 @@
Specifies whether a pre-defined SSO login module declared in
<filename> JPP_HOME/standalone/configuration/standalone.xml</filename> is used
for authentication. When the property is set to "true", the
SSODelegateLoginModule delegates work to another login module, as specified using the
<property>gatein.sso.login.module.class</property> property.
SSODelegateLoginModule will also resend all its options to its delegate.
</para>
<para>
- This parameter removes the need to manually change any login
module configuration in the standalone.xml file, which simplifies platform configuration.
+ This parameter removes the need to manually change any login
module configuration in the <filename>standalone.xml</filename> file, which
simplifies platform configuration.
</para>
</listitem>
</varlistentry>
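Review bot: Unchanged context in this hunk has a leading space inside the element, `<filename> JPP_HOME/standalone/configuration/standalone.xml</filename>`; remove it so the rendered path does not start with a space, for consistency with the `<filename>standalone.xml</filename>` markup this change introduces a few lines below.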
@@ -460,7 +456,7 @@
<term>gatein.sso.login.module.class</term>
<listitem>
<para>
- Specifies the classname of the login module
SSODelegateLoginModule will delegate to. This parameter will work only if
gatein.sso.login.module.enabled is specified.
+ Specifies the classname of the login module
SSODelegateLoginModule will delegate to. This parameter will work only if
<property>gatein.sso.login.module.enabled</property> is specified.
</para>
</listitem>
</varlistentry>
@@ -484,7 +480,7 @@
<term>gatein.sso.filter.logout.class</term>
<listitem>
<para>
- Specifies the class of the logout filter. In the example above
<code>org.gatein.sso.agent.filter.CASLogoutFilter</code> is the correct choice
because this filter is able to redirect to the CAS server and perform logout on CAS side.
+ Specifies the class of the logout filter. In the example above
<code>org.gatein.sso.agent.filter.CASLogoutFilter</code> is the correct choice
because this filter is able to redirect to the CAS server and perform logout on the CAS
side.
</para>
</listitem>
</varlistentry>
@@ -492,16 +488,14 @@
<term>gatein.sso.filter.logout.url</term>
<listitem>
<para>
- Specifies the CAS server logout URL, which is used for
redirection by the logout filter
- </para>
+ Specifies the CAS server logout URL, which is used for
redirection by the logout filter. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>gatein.sso.filter.logout.enabled</term>
<listitem>
<para>
- Optional parameter, which specifies whether the logout
interceptor is enabled. To disable logout on CAS side, set the parameter value to
" false" . This results in both options
<code>gatein.sso.filter.logout.class</code> and
<code>gatein.sso.filter.logout.url</code> are ignored
- </para>
+ Optional parameter, which specifies whether the logout
interceptor is enabled. To disable logout on CAS side, set the parameter value to
"false". This causes both options
<code>gatein.sso.filter.logout.class</code> and
<code>gatein.sso.filter.logout.url</code> to be ignored.
</para>
<para>
When a user logs out of the portal, the CAS authentication
ticket is still valid for other CAS authenticated sites.
</para>
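Review bot: In the first change of this hunk the closing tag is moved onto the text line with a trailing space, `redirection by the logout filter. </para>`; every other `<para>` in this file closes on its own line, so keep that layout. In the second change, "To disable logout on CAS side" should read "on the CAS side", matching the wording fixed in the previous hunk for `gatein.sso.filter.logout.class`.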
@@ -513,7 +507,6 @@
<para>
Specifies the CAS server login URL, which is used by
LoginRedirectFilter for redirection to the CAS server login page.
</para>
- <remark>Docs Note - jmorgan - added this note about the p.c.n
variable, and that it *shouldn't* be substituted for a hard-coded variable
name.</remark>
<note>
<para>
The string <literal>@@portal.container.name(a)@
</literal>is dynamically replaced when the URL is interpreted by the
platform's SSO Component. It is recommended that this string is used over
hard-coding the name of the portal for future maintenance and ease of configuration
changes.
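Review bot: Removing the internal `<remark>` is right, but the `<literal>` it introduced still wraps across a line break before `</literal>`, so the rendered literal string ends with whitespace; put `</literal>` on the same line as the placeholder text. The sentence "It is recommended that this string is used over hard-coding the name of the portal" would be clearer as "Use this placeholder rather than hard-coding the portal name, so the URL keeps working if the container name changes."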