18 Jul
2013
18 Jul
'13
12:35 p.m.
This is what I have. But I want enable unathentifcated access to "public" pages
and enable some pages-admins to login (using login link) and edit this pages.
I have idea to make auth access over https , but I need to change how to XWiki login link
is working and redirect login link to https .
httpd.conf examle
None auth part (http)
<VirtualHost 10.0.1.33:80>
ServerName iwtest.chemosvit.sk
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/chdmstest_error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/chdmstest_access.log combined
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /cas ajp://cas.chemosvit.sk:8009/cas connectiontimeout=10 timeout=60
ProxyPassReverse /cas ajp://cas.chemosvit.sk:8009/cas
ProxyPass /jira ajp://pwtest.chemosvit.sk:8009/jira connectiontimeout=10
timeout=60
ProxyPassReverse /jira ajp://pwtest.chemosvit.sk:8009/jira
ProxyPass /alfresco http://dmstest.chemosvit.sk:7080/alfresco connectiontimeout=10
timeout=60
ProxyPassReverse /alfresco http://dmstest.chemosvit.sk:7080/alfresco
ProxyPass /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki connectiontimeout=10
timeout=60
ProxyPassReverse /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki
ProxyPass / http://elftest.chemosvit.sk:10080/ connectiontimeout=10 timeout=60
ProxyPassReverse / http://elftest.chemosvit.sk:10080/
CASSSOEnabled On
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.chemosvit.sk/cas/login
CASValidateURL https://cas.chemosvit.sk/cas/serviceValidate
CASValidateServer Off
CASDebug On
</VirtualHost>
Auth part (https)
<VirtualHost 10.0.1.33:443>
ServerName iwtest.chemosvit.sk
ServerAdmin webmaster@localhost
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/ssl/certs/StarChemosvitSk2012.cer
SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
SSLCertificateKeyFile /etc/ssl/private/StarChemosvitSk.key
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ErrorLog /var/log/apache2/app_ssl_error.log
TransferLog /var/log/apache2/app_ssl_access.log
CustomLog /var/log/apache2/app_ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyRequests Off
ProxyPreserveHost On
<Location /xwiki/>
AuthType CAS
AuthName "CAS Server Auth"
CasScope /xwiki
Order allow,deny
require valid-user
Allow from 127.0.0.1
Satisfy Any
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /cas ajp://cas.chemosvit.sk:8009/cas connectiontimeout=10 timeout=60
ProxyPassReverse /cas ajp://cas.chemosvit.sk:8009/cas
ProxyPass /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki connectiontimeout=10
timeout=60
ProxyPassReverse /xwiki ajp://ubuntults6.chemosvit.sk:8009/xwiki
CASSSOEnabled On
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.chemosvit.sk/cas/login
CASValidateURL https://cas.chemosvit.sk/cas/serviceValidate
CASValidateServer Off
CASDebug On
</VirtualHost>
----- Pôvodná správa -----
Odosielateľ: "Guillaume Fenollar"
<guillaume.fenollar(a)xwiki.com>
Príjemca: "XWiki Users" <users(a)xwiki.org>
Dátum: 18/07/2013 10:56
Predmet: [Spam] Re: [xwiki-users] XWiki and Jasig CAS integration
Hi Rudolf,
I suggest you to look again at the message I posted before, about
configuration:
CASLoginURL https://sso.xwikisas.com/cas/login
CASValidateURL https://sso.xwikisas.com/cas/serviceValidate
CASValidateServer Off
CASTimeout 28800
CASIdleTimeout 14400
<Location "/xwiki/">
AuthType CAS
AuthName "CAS Server Auth"
CasScope /xwiki
Order allow,deny
require valid-user
Allow from 127.0.0.1
Satisfy Any
</Location>
It means that when Apache meets a request that match the Location '/xwiki'
(change it according to your webapp's name), it'll try to apply a CAS Auth,
which leads to a redirection to login page specified in CASLoginURL
parameter. So of course you need to change those examples (CASLoginURL and
CASValidateURL) according to your CAS server configuration.
Guillaume
2013/7/18 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
--------------------------------------------------------------------------
Táto správa a všetky pripojené súbory sú dôverné a určené
výhradne osobám alebo organizáciám, ktorým boli adresované. Ak nie ste
zamýšlaný príjemca alebo ste dostali tento e-mail omylom, prosím upozornite
okamžite odosielateľa a vymažte tento e-mail. Neoprávnené kopírovanie,
zverejnenie alebo distribúcia tohto e-mailu, je prísne zakázané.
This email and any attached file are confidential and intended solely for the
use of the individual or entity to which they are addressed. If you are not the
intended recipient or have received this e-mail by mistake, please notify the
sender immediately and delete this e-mail. Any unauthorized copying, disclosure
or distribution of this e-mail's content is strictly prohibited.
---------------------------------------------------------------------------
Pred vytlačením tohto e-mailu myslite na životné prostredie.
Please consider your environmental responsibility before printing this e-mail
Hi,
CAS is working on my XWiki now. The main problem was old apache cas module
(downloaded from ubuntu repozitory).
After compilation of newest apache cas module version CAS works OK.
My new problem is that I need redirect login to cas server. Is there any
way how to do it?
I try set xwiki.authentication.loginpage parameter but no changes in
login link.
Rudolf
----- Pôvodná správa -----
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HKerbero…
we're
--------------------------------------------------------------------------
Táto správa a všetky pripojené súbory sú dôverné a určené
výhradne osobám alebo organizáciám, ktorým boli adresované. Ak nie ste
zamýšlaný príjemca alebo ste dostali tento e-mail omylom, prosím upozornite
okamžite odosielateľa a vymažte tento e-mail. Neoprávnené kopírovanie,
zverejnenie alebo distribúcia tohto e-mailu, je prísne zakázané.
This email and any attached file are confidential and intended solely for
the
use of the individual or entity to which they are addressed. If you are
not the
intended recipient or have received this e-mail by mistake, please notify
the
sender immediately and delete this e-mail. Any unauthorized copying,
disclosure
or distribution of this e-mail's content is strictly prohibited.
---------------------------------------------------------------------------
Pred vytlačením tohto e-mailu myslite na životné prostredie.
Please consider your environmental responsibility before printing this
e-mail
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users Odosielateľ: "Thomas Mortagne"
<thomas.mortagne(a)xwiki.com>
Príjemca: "XWiki Users" <users(a)xwiki.org>
Dátum: 03/07/2013 16:11
Predmet: Re: [xwiki-users] XWiki and Jasig CAS integration
On Wed, Jul 3, 2013 at 4:01 PM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
> On Wed, Jul 3, 2013 at 3:56 PM, Guillaume Fenollar
> <guillaume.fenollar(a)xwiki.com> wrote:
>> Hi Thomas,
>>
>> What if an admin wants to use a trusted authentication (to enable
SSO,
from
> a
front-end) but doesn't use LDAP at all? Is it possible to use this
> authenticator to simply accept the remote user, comparing it with the
> internal XWiki Users DB?
You don't need this authenticator for this, there is one by default in
XWiki: com.xpn.xwiki.user.impl.xwiki.AppServerTrustedAuthServiceImpl
but it does not seems to be documented in xwiki.org
There is which is included by default too and is more or
less the same things
(default authenticators are quite a mess...).
>
>>
>> Thanks,
>>
>> Guillaume
>>
>>
>> 2013/7/3 Thomas Mortagne <thomas.mortagne(a)xwiki.com>
>>
>>> On Wed, Jul 3, 2013 at 2:26 PM, Guillaume Fenollar
>>> <guillaume.fenollar(a)xwiki.com> wrote:
>>> > Hi,
>>> >
>>> > Sorry I forgot to talk about the most important thing, I don't
know what
>>> I
>>> > was thinking about when I wrote my first answer :-P
>>> >
>>> > About XWiki part, you need to tell your wiki to accept any user
that will
>>> > be given by Apache front-end,
which will authenticate the users
with *
>>> > libapache2-mod-auth-cas*.
>>> > To do this, you need to use a different authenticator, like this
one :
>>> >
https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap
>>> >
>>> > Build it and place it in you webapp (xwiki/WEB-INF/lib directory).
>>>
>>> No need to build it anymore:
>>>
>>>
http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Tr…
>>> ;)
>>>
>>> > In *xwiki.cfg*, add this line:
>>> >
>>>
xwiki.authentication.authclass=com.xwiki.authentication.trustedldap.TrustedLDAPAuthServiceImpl
>>> >
>>> > Then, modify your Servlet Container application to leave the
>>> authentication
>>> > alone. If you're using tomcat, it's in you *server.xml*, you
need
to add
>>> in
>>> > each "Connector" block, the following option:
>>> > tomcatAuthentication="false"
>>> >
>>> > Finally, configure your apache server. Here's a minimal conf you
can use:
>>> >
>>> > CASLoginURL https://sso.xwikisas.com/cas/login
>>> > CASValidateURL
https://sso.xwikisas.com/cas/serviceValidate
>>> > CASValidateServer Off
>>> > CASTimeout 28800
>>> > CASIdleTimeout 14400
>>> > <Location "/xwiki/">
>>> > AuthType CAS
>>> > AuthName "CAS Server Auth"
>>> > CasScope /xwiki
>>> > Order allow,deny
>>> > require valid-user
>>> > Allow from 127.0.0.1
>>> > Satisfy Any
>>> > </Location>
>>> > This should work, after you restart everything (apache and tomcat)
>>> >
>>> > This authenticator is good to use if you're already using CAS with
LDAP
>>> > authentication (most of
cases).
>>> > To resume, in this case, you're first authenticating the user
through
>>> > Apache HTTPd to CAS (you get
the login page if you don't have any
>>> > session/cookie), then the mod_auth_cas gives tomcat some data
(which are
>>> > not altered because of
tomcatAuthentication="false"), then XWiki
use them
>>> > to retrieve the info (email,
phone number... as you configured it
in the
>>> > LDAP section of xwiki.cfg) from
the LDAP server.
>>> >
>>> > It's not something very trivial, but I tried to make it clear and
short,
>>
> and I hope you'll understand.
>> >
>> > Guillaume Fenollar
>> >
>> >
>> > 2013/7/3 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
>> >
>> >> Hi Guillaume
>> >>
>> >> You are happy man :D. I don`t know how to setup XWiki to accept
>> >> authentification from apache CASScope
>> >>
>> >> Pls, :D
>> >>
>> >> Could you share your httpd.conf - CAS part and XWiki config?
>> >>
>> >>
>> >> Thx
>> >>
>> >> Rudolf
>> >>
>> >>
>> >> ----- Pôvodná správa -----
>> >> > Odosielateľ: "Guillaume Fenollar"
<guillaume.fenollar(a)xwiki.com
>>> >> > Príjemca: "XWiki Users" <users(a)xwiki.org>
>>> >> > Dátum: 02/07/2013 18:11
>>> >> > Predmet: Re: [xwiki-users] XWiki and Jasig CAS integration
>>> >> >
>>> >> > Hi Rudolf,
>>> >> >
>>> >> > I'm also trying to get XWiki work with Jasig CAS' SSO.
In fact >>> >> using
>>> >> > mod_auth_cas for Apache, in front of our XWiki instance.
Everything is
>>> >> > running smoothly apart
from an issue that appears randomly,
>>> sometime...
>>> >> the
>>> >> > webserver returns no data, and I have to clean my cookies to
make it
>>> work
>>> >> > again. I'll try to really investigate this issue next time
it
happens.
>>> >> > There's nothing
special to know about XWiki + CAS +
mod_auth_cas,
>>> except
>>> >> > the CASScope, that is wise to set to '/xwiki' (or any
other
name for
>>> >> XWiki
>>> >> > app, after the root '/'.
>>> >> >
>>> >> > Don't hesitate to share your experience about CAS + XWiki
with
us!
>>> >> >
>>> >> > Guillaume
>>> >> >
>>> >> >
>>> >> > 2013/6/28 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
>>> >> >
>>> >> > >
>>> >> > > Is it possible to integrate Jasig CAS (Central
authentification
>>> >> Service)
>>> >> > > to XWiki?
>>> >> > > We are using cas for our web infrastructure ( Lifreray,
Alfresco and
>>> >> Jira
>>> >> > > ) and we would like add XWiki.
>>> >> > >
>>> >> > >
>>> >> > >
>>> >> > > Thx
>>> >> > >
>>> >> > > Rudolf
>>> >> > >
>>> >> > >
>>> >> > >
>>> >> > >
>>> >> > >
>>> >> > >
>>> >>
>>>
--------------------------------------------------------------------------
>>> >> > > Táto správa a
všetky pripojené súbory sú dôverné a určené
>>> >> > > výhradne osobám alebo organizáciám, ktorým boli
adresované.
Ak nie
>>> ste
>>> >> > > zamýšlaný príjemca alebo ste dostali tento e-mail omylom,
prosím
>>> >> upozornite
>>> >> > > okamžite odosielateľa a vymažte tento e-mail.
Neoprávnené
>>> kopírovanie,
>>> >> > > zverejnenie alebo distribúcia tohto e-mailu, je prísne
zakázané.
>>> >> > >
>>> >> > > This email and any attached file are confidential and
intended
>>> solely
>>> >> for
>>> >> > > the
>>> >> > > use of the individual or entity to which they are
addressed.
If you
>>> are
>>> >> > > not the
>>> >> > > intended recipient or have received this e-mail by
mistake,
please
>>> >> notify
>>> >> > > the
>>> >> > > sender immediately and delete this e-mail. Any
unauthorized
copying,
>>> >> > > disclosure
>>> >> > > or distribution of this e-mail's content is strictly
prohibited.
>>> >> > >
>>> >>
>>>
---------------------------------------------------------------------------
>>> >> > >
>>> >> > > Pred vytlačením tohto e-mailu myslite na životné
prostredie.
>>> >> > > Please consider your environmental responsibility before
printing
>>> this
>>> >> > > e-mail
>>> >> > >
>>> >> > > _______________________________________________
>>> >> > > users mailing list
>>> >> > > users(a)xwiki.org
>>> >> > > http://lists.xwiki.org/mailman/listinfo/users
>>> >> > >
>>> >> > _______________________________________________
>>> >> > users mailing list
>>> >> > users(a)xwiki.org
>>> >> > http://lists.xwiki.org/mailman/listinfo/users
>>> >>
>>> >>
>>> >>
>>> >>
>>>
--------------------------------------------------------------------------
>>> >> Táto správa a všetky
pripojené súbory sú dôverné a určené
>>> >> výhradne osobám alebo organizáciám, ktorým boli adresované. Ak
nie ste
>>> >> zamýšlaný príjemca alebo
ste dostali tento e-mail omylom, prosím
>>> upozornite
>>> >> okamžite odosielateľa a vymažte tento e-mail. Neoprávnené
kopírovanie,
>>> >> zverejnenie alebo
distribúcia tohto e-mailu, je prísne zakázané.
>>> >>
>>> >> This email and any attached file are confidential and intended
solely
>>> for
>>> >> the
>>> >> use of the individual or entity to which they are addressed. If
you are
>>> >> not the
>>> >> intended recipient or have received this e-mail by mistake, please
>>> notify
>>> >> the
>>> >> sender immediately and delete this e-mail. Any unauthorized
copying,
>>> >> disclosure
>>> >> or distribution of this e-mail's content is strictly
prohibited.
>>> >>
>>>
---------------------------------------------------------------------------
>>> >>
>>> >> Pred vytlačením tohto e-mailu myslite na životné prostredie.
>>> >> Please consider your environmental responsibility before printing
this
>>
>> e-mail
>> >>
>> >> _______________________________________________
>> >> users mailing list
>> >> users(a)xwiki.org
>> >> http://lists.xwiki.org/mailman/listinfo/users
>> >>
>> > _______________________________________________
>> > users mailing list
>> > users(a)xwiki.org
>> > http://lists.xwiki.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Thomas Mortagne
>> _______________________________________________
>> users mailing list
>> users(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users