If you only want to put SSO on admin pages, you could have created a
Location block in your Apache configuration, like that:
<Location '/xwiki/bin/admin/'>
AuthType CAS
(...)
</Location>
But perhaps I don't really get your expectations here.
Guillaume
2013/7/18 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
My first try :D "brutal attack" to menuview.vm
#if (!$xcontext.action.startsWith('login'))
#if ($isGuest)
-- #set ($loginurl = $xwiki.getURL('/cas/login', 'login',
"xredirect=$escapetool.url($xwiki.relativeRequestURL)"))
++ #set ($loginurl = 'https://iwtest.chemosvit.sk' +
$xwiki.relativeRequestURL )
#xwikitopmenuentry($!loginurl $!services.localization.render('login')
'tmLogin')
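Review bot: the `++` line hard-codes the host 'https://iwtest.chemosvit.sk' inside menuview.vm, so the login link is wrong as soon as the wiki is served under any other name, and it drops the xredirect parameter that the `--` line passed through $escapetool.url(...). Build the HTTPS URL from the configured server name rather than a literal, and note that $xwiki.relativeRequestURL is now concatenated into the link with no escaping at all, so check that the value is safe to emit there.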
----- Original message -----
From: "Krejci Rudolf Ing." <krejci.r(a)chemosvit.sk>
To: "XWiki Users" <users(a)xwiki.org>
Date: 18/07/2013 12:35
Subject: [Spam] [xwiki-users] XWiki and Jasig CAS integration
This is what I have. But I want to enable unauthenticated access to
"public" pages and enable some page admins to log in (using the login link)
and edit these pages.
I have an idea to make auth access over https, but I need to change how
the XWiki login link works and redirect the login link to https.
httpd.conf example
Non-auth part (http)
<VirtualHost 10.0.1.33:80>
    ServerName iwtest.chemosvit.sk
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/chdmstest_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/chdmstest_access.log combined
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /cas ajp://cas.chemosvit.sk:8009/cas connectiontimeout=10 timeout=60
    ProxyPassReverse /cas ajp://cas.chemosvit.sk:8009/cas
    ProxyPass /jira ajp://pwtest.chemosvit.sk:8009/jira connectiontimeout=10 timeout=60
    ProxyPassReverse /jira ajp://pwtest.chemosvit.sk:8009/jira
    ProxyPass /alfresco http://dmstest.chemosvit.sk:7080/alfresco connectiontimeout=10 timeout=60
    ProxyPassReverse /alfresco http://dmstest.chemosvit.sk:7080/alfresco
    ProxyPass /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki connectiontimeout=10 timeout=60
    ProxyPassReverse /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki
    ProxyPass / http://elftest.chemosvit.sk:10080/ connectiontimeout=10 timeout=60
    ProxyPassReverse / http://elftest.chemosvit.sk:10080/
    CASSSOEnabled On
    CASCookiePath /var/cache/apache2/mod_auth_cas/
    CASLoginURL https://cas.chemosvit.sk/cas/login
    CASValidateURL https://cas.chemosvit.sk/cas/serviceValidate
    CASValidateServer Off
    CASDebug On
</VirtualHost>
Auth part (https)
<VirtualHost 10.0.1.33:443>
    ServerName iwtest.chemosvit.sk
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/ssl/certs/StarChemosvitSk2012.cer
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLCertificateKeyFile /etc/ssl/private/StarChemosvitSk.key
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    ErrorLog /var/log/apache2/app_ssl_error.log
    TransferLog /var/log/apache2/app_ssl_access.log
    CustomLog /var/log/apache2/app_ssl_request.log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ProxyRequests Off
    ProxyPreserveHost On
    <Location /xwiki/>
        AuthType CAS
        AuthName "CAS Server Auth"
        CasScope /xwiki
        Order allow,deny
        require valid-user
        Allow from 127.0.0.1
        Satisfy Any
    </Location>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /cas ajp://cas.chemosvit.sk:8009/cas connectiontimeout=10 timeout=60
    ProxyPassReverse /cas ajp://cas.chemosvit.sk:8009/cas
    ProxyPass /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki connectiontimeout=10 timeout=60
    ProxyPassReverse /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki
    CASSSOEnabled On
    CASCookiePath /var/cache/apache2/mod_auth_cas/
    CASLoginURL https://cas.chemosvit.sk/cas/login
    CASValidateURL https://cas.chemosvit.sk/cas/serviceValidate
    CASValidateServer Off
    CASDebug On
</VirtualHost>
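Added example (not part of the original message, and not XWiki or mod_auth_cas code): a small Python check that reads the CAS-related directives of a config like the HTTPS block above and reports the settings that weaken the CAS gate in front of XWiki. The sample config is constructed from the directives posted in this thread; the function names `parse` and `audit` are assumptions of this example.

```python
import re

# Constructed sample: the access-control and CAS flag lines of the HTTPS
# virtual host posted in this thread (other directives left out).
SAMPLE_CONF = """\
<VirtualHost 10.0.1.33:443>
  <Location /xwiki/>
    AuthType CAS
    CasScope /xwiki
    Order allow,deny
    require valid-user
    Allow from 127.0.0.1
    Satisfy Any
  </Location>
  CASValidateServer Off
  CASDebug On
</VirtualHost>
"""

def parse(conf):
    """Split a config into server-level and per-<Location> directives."""
    top, locations, current = {}, [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+['\"]?([^'\">]+?)['\"]?\s*>", line, re.I)
        if opened:
            current = {"path": opened.group(1), "directives": {}}
            locations.append(current)
        elif re.match(r"</Location\s*>", line, re.I):
            current = None
        elif not line.startswith("<"):  # <VirtualHost>, <Proxy> are not modelled
            name, value = (line.split(None, 1) + [""])[:2]
            scope = current["directives"] if current is not None else top
            scope.setdefault(name.lower(), []).append(value.strip().lower())
    return top, locations

def audit(conf):
    """Return (scope, finding) pairs for settings that weaken the CAS gate."""
    top, locations = parse(conf)
    findings = []
    if "off" in top.get("casvalidateserver", []):
        findings.append(("server", "CASValidateServer Off: CAS server certificate is not verified"))
    if "on" in top.get("casdebug", []):
        findings.append(("server", "CASDebug On: debug logging left enabled"))
    for loc in locations:
        d = loc["directives"]
        if "cas" not in d.get("authtype", []):
            continue
        hosts = [v[5:].strip() for v in d.get("allow", []) if v.startswith("from ")]
        if "any" in d.get("satisfy", []) and hosts:
            findings.append((loc["path"], "Satisfy Any: no CAS login needed from " + ", ".join(hosts)))
        if not d.get("require"):
            findings.append((loc["path"], "AuthType CAS without Require: login is never enforced"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONF):
        print(f"{scope}: {finding}")
```

With `Satisfy Any`, Apache grants access when either the host rule or the `require` line passes, so the `Allow from` address reaches XWiki without a CAS session.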
----- Original message -----
> From: "Guillaume Fenollar" <guillaume.fenollar(a)xwiki.com>
> To: "XWiki Users" <users(a)xwiki.org>
> Date: 18/07/2013 10:56
> Subject: [Spam] Re: [xwiki-users] XWiki and Jasig CAS integration
>
> Hi Rudolf,
>
> I suggest you look again at the message I posted before, about
> configuration:
>
> CASLoginURL https://sso.xwikisas.com/cas/login
> CASValidateURL https://sso.xwikisas.com/cas/serviceValidate
> CASValidateServer Off
> CASTimeout 28800
> CASIdleTimeout 14400
> <Location "/xwiki/">
>     AuthType CAS
>     AuthName "CAS Server Auth"
>     CasScope /xwiki
>     Order allow,deny
>     require valid-user
>     Allow from 127.0.0.1
>     Satisfy Any
> </Location>
>
> It means that when Apache meets a request that matches the Location '/xwiki'
> (change it according to your webapp's name), it'll try to apply a CAS Auth,
> which leads to a redirection to the login page specified in the CASLoginURL
> parameter. So of course you need to change those examples (CASLoginURL and
> CASValidateURL) according to your CAS server configuration.
>
> Guillaume
>
>
>
>
> 2013/7/18 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
>
> > Hi,
> >
> > CAS is working on my XWiki now. The main problem was the old apache cas
> > module (downloaded from the ubuntu repository).
> > After compilation of the newest apache cas module version CAS works OK.
> >
> >
> > My new problem is that I need to redirect login to the cas server. Is there
> > any way how to do it?
> >
> >
> > I tried to set the xwiki.authentication.loginpage parameter but there are
> > no changes in the login link.
> >
> >
> > Rudolf
> >
> >
> >
> >
> >
> >
> > ----- Original message -----
> > > From: "Thomas Mortagne" <thomas.mortagne(a)xwiki.com>
> > > To: "XWiki Users" <users(a)xwiki.org>
> > > Date: 03/07/2013 16:11
> > > Subject: Re: [xwiki-users] XWiki and Jasig CAS integration
> > >
> > > On Wed, Jul 3, 2013 at 4:01 PM, Thomas Mortagne
> > > <thomas.mortagne(a)xwiki.com> wrote:
> > > > On Wed, Jul 3, 2013 at 3:56 PM, Guillaume Fenollar
> > > > <guillaume.fenollar(a)xwiki.com> wrote:
> > > >> Hi Thomas,
> > > >>
> > > >> What if an admin wants to use a trusted authentication (to enable SSO,
> > > >> from a front-end) but doesn't use LDAP at all? Is it possible to use
> > > >> this authenticator to simply accept the remote user, comparing it with
> > > >> the internal XWiki Users DB?
> > > >
> > > > You don't need this authenticator for this, there is one by default in
> > > > XWiki: com.xpn.xwiki.user.impl.xwiki.AppServerTrustedAuthServiceImpl
> > > > but it does not seem to be documented in xwiki.org
> > >
> > > There is
> > > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HKerbero…
> > > which is included by default too and is more or less the same thing
> > > (default authenticators are quite a mess...).
> > >
> > > >
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Guillaume
> > > >>
> > > >>
> > > >> 2013/7/3 Thomas Mortagne <thomas.mortagne(a)xwiki.com>
> > > >>
> > > >>> On Wed, Jul 3, 2013 at 2:26 PM, Guillaume Fenollar
> > > >>> <guillaume.fenollar(a)xwiki.com> wrote:
> > > >>> > Hi,
> > > >>> >
> > > >>> > Sorry I forgot to talk about the most important thing, I don't know
> > > >>> > what I was thinking about when I wrote my first answer :-P
> > > >>> >
> > > >>> > About the XWiki part, you need to tell your wiki to accept any user
> > > >>> > that will be given by the Apache front-end, which will authenticate
> > > >>> > the users with *libapache2-mod-auth-cas*.
> > > >>> > To do this, you need to use a different authenticator, like this one:
> > > >>> > https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap
> > > >>> >
> > > >>> > Build it and place it in your webapp (xwiki/WEB-INF/lib directory).
> > > >>>
> > > >>> No need to build it anymore:
> > > >>> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Tr…
> > > >>> ;)
> > > >>>
> > > >>> > In *xwiki.cfg*, add this line:
> > > >>> >
> > > >>> > xwiki.authentication.authclass=com.xwiki.authentication.trustedldap.TrustedLDAPAuthServiceImpl
> > > >>> >
> > > >>> > Then, modify your Servlet Container application to leave the
> > > >>> > authentication alone. If you're using tomcat, it's in your
> > > >>> > *server.xml*, you need to add in each "Connector" block, the
> > > >>> > following option:
> > > >>> > tomcatAuthentication="false"
> > > >>> >
> > > >>> > Finally, configure your apache server. Here's a minimal conf you can
> > > >>> > use:
> > > >>> >
> > > >>> > CASLoginURL https://sso.xwikisas.com/cas/login
> > > >>> > CASValidateURL https://sso.xwikisas.com/cas/serviceValidate
> > > >>> > CASValidateServer Off
> > > >>> > CASTimeout 28800
> > > >>> > CASIdleTimeout 14400
> > > >>> > <Location "/xwiki/">
> > > >>> >     AuthType CAS
> > > >>> >     AuthName "CAS Server Auth"
> > > >>> >     CasScope /xwiki
> > > >>> >     Order allow,deny
> > > >>> >     require valid-user
> > > >>> >     Allow from 127.0.0.1
> > > >>> >     Satisfy Any
> > > >>> > </Location>
> > > >>> > This should work, after you restart everything (apache and tomcat)
> > > >>> >
> > > >>> > This authenticator is good to use if you're already using CAS with
> > > >>> > LDAP authentication (most of cases).
> > > >>> > To summarize, in this case, you're first authenticating the user
> > > >>> > through Apache HTTPd to CAS (you get the login page if you don't have
> > > >>> > any session/cookie), then the mod_auth_cas gives tomcat some data
> > > >>> > (which are not altered because of tomcatAuthentication="false"), then
> > > >>> > XWiki uses them to retrieve the info (email, phone number... as you
> > > >>> > configured it in the LDAP section of xwiki.cfg) from the LDAP server.
> > > >>> >
> > > >>> > It's not something very trivial, but I tried to make it clear and
> > > >>> > short, and I hope you'll understand.
> > > >>> >
> > > >>> > Guillaume Fenollar
> > > >>> >
> > > >>> >
> > > >>> > 2013/7/3 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
> > > >>> >
> > > >>> >> Hi Guillaume
> > > >>> >>
> > > >>> >> You are a happy man :D. I don't know how to set up XWiki to accept
> > > >>> >> authentication from apache CASScope
> > > >>> >>
> > > >>> >> Pls, :D
> > > >>> >>
> > > >>> >> Could you share your httpd.conf - CAS part and XWiki config?
> > > >>> >>
> > > >>> >>
> > > >>> >> Thx
> > > >>> >>
> > > >>> >> Rudolf
> > > >>> >>
> > > >>> >>
> > > >>> >> ----- Original message -----
> > > >>> >> > From: "Guillaume Fenollar" <guillaume.fenollar(a)xwiki.com>
> > > >>> >> > To: "XWiki Users" <users(a)xwiki.org>
> > > >>> >> > Date: 02/07/2013 18:11
> > > >>> >> > Subject: Re: [xwiki-users] XWiki and Jasig CAS integration
> > > >>> >> >
> > > >>> >> > Hi Rudolf,
> > > >>> >> >
> > > >>> >> > I'm also trying to get XWiki to work with Jasig CAS' SSO. In fact
> > > >>> >> > we're using mod_auth_cas for Apache, in front of our XWiki
> > > >>> >> > instance. Everything is running smoothly apart from an issue that
> > > >>> >> > appears randomly, sometimes... the webserver returns no data, and
> > > >>> >> > I have to clean my cookies to make it work again. I'll try to
> > > >>> >> > really investigate this issue next time it happens.
> > > >>> >> > There's nothing special to know about XWiki + CAS + mod_auth_cas,
> > > >>> >> > except the CASScope, that is wise to set to '/xwiki' (or any
> > > >>> >> > other name for XWiki app, after the root '/').
> > > >>> >> >
> > > >>> >> > Don't hesitate to share your experience about CAS + XWiki with us!
> > > >>> >> >
> > > >>> >> > Guillaume
> > > >>> >> >
> > > >>> >> >
> > > >>> >> > 2013/6/28 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
> > > >>> >> >
> > > >>> >> > >
> > > >>> >> > > Is it possible to integrate Jasig CAS (Central Authentication
> > > >>> >> > > Service) to XWiki?
> > > >>> >> > > We are using cas for our web infrastructure (Liferay, Alfresco
> > > >>> >> > > and Jira) and we would like to add XWiki.
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > > Thx
> > > >>> >> > >
> > > >>> >> > > Rudolf
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > >
> > > >>> >> > > --------------------------------------------------------------------------
> > > >>> >> > > This email and any attached file are confidential and intended
> > > >>> >> > > solely for the use of the individual or entity to which they are
> > > >>> >> > > addressed. If you are not the intended recipient or have received
> > > >>> >> > > this e-mail by mistake, please notify the sender immediately and
> > > >>> >> > > delete this e-mail. Any unauthorized copying, disclosure or
> > > >>> >> > > distribution of this e-mail's content is strictly prohibited.
> > > >>> >> > > --------------------------------------------------------------------------
> > > >>> >> > >
> > > >>> >> > > Please consider your environmental responsibility before printing
> > > >>> >> > > this e-mail
> > > >>> >> > >
> > > >>> >> > > _______________________________________________
> > > >>> >> > > users mailing list
> > > >>> >> > > users(a)xwiki.org
> > > >>> >> > > http://lists.xwiki.org/mailman/listinfo/users
> > > >>> >> > >
> > > >>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>> Thomas Mortagne
> > > >
> > > >
> > > >
> > > > --
> > > > Thomas Mortagne
> > >
> > >
> > >
> > > --
> > > Thomas Mortagne