...

The design of the technical solution found is described below:

Sakai 1.5 and Sakai 2.0:

Required code:
  1. UCDDistAuthFilterAndWrapper.jar, includes UCD Authentication Filter, and RequestWrapper to handle remote_user.
  2. updated web.xml config (different for Sakai 1.5 and 2.0)

Background:

One solution was found for Sakai 1.5; however, it is not straightforward for Sakai 2.0. It is less than ideal, but is noted here as a solution that was found to work on both Windows and Linux. The details are provided below:
The LoginServlet class was extended to a servlet called the DistAuthLoginServlet. The DistAuthLoginServlet preserves the same logic as the LoginServlet, with the exception of any password lookup/recognition information. Because the LoginServlet is used to capture form passwords, this logic can no longer be used, and only DistAuth handles password information. This is not the only difference between the DistAuthServlet and the LoginServlet; the main difference is that the DistAuthLoginServlet replaces "getRemoteUser" with the Kerberos name from the AuthUser cookie. The LoginServlet is used for inherent Sakai accounts (e.g. admin, etc.), while the DistAuthLoginServlet is the login that is protected by DistAuth. In addition to these modifications, other modifications need to be incorporated in the Sakai framework for DistAuth to be configured correctly, including the addition of a DistAuth filter to handle the DistAuth and DA1 cookie validation/parsing, etc. See the "HOW TO CONFIGURE DISTAUTH AND SAKAI 1.5, 2.0" section below.
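The filter-plus-wrapper pattern described above, as an added sketch that is not the code in UCDDistAuthFilterAndWrapper.jar: a servlet filter overrides getRemoteUser() only after the AuthUser cookie has been verified. The class name, the `loginUrl` init-param and the `verifiedPrincipal` hook are assumptions; the DistAuth cookie format is not given on this page, so verification is left to a site-specific subclass.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added sketch (hypothetical class): exposes a verified cookie identity as the remote user. */
public abstract class RemoteUserCookieFilter implements Filter {

    private String loginUrl; // hypothetical init-param: where unauthenticated users are sent

    /** Site-specific hook (assumption): return the Kerberos name if the cookie
     *  value verifies against the authentication service, otherwise null. */
    protected abstract String verifiedPrincipal(String cookieValue);

    public void init(FilterConfig cfg) throws ServletException {
        loginUrl = cfg.getInitParameter("loginUrl");
        if (loginUrl == null) {
            throw new ServletException("loginUrl init-param is required");
        }
    }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        final String user = principalFrom(req.getCookies());
        if (user == null) {
            // Missing or unverifiable cookie: never pass the request through.
            res.sendRedirect(loginUrl);
            return;
        }
        // The login servlet downstream sees the verified name via getRemoteUser().
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
        }, res);
    }

    private String principalFrom(Cookie[] cookies) {
        if (cookies == null) return null; // getCookies() returns null when none were sent
        for (Cookie c : cookies) {
            if ("AuthUser".equals(c.getName())) {
                // The raw cookie value is attacker-controlled until verified.
                return verifiedPrincipal(c.getValue());
            }
        }
        return null;
    }
}
```

The filter only protects the URL patterns it is mapped to in web.xml, so any login path left unmapped still reaches the servlet without the cookie check.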

...

<url-pattern>/tunnel/sakai-chef-tool/authn/*</url-pattern>

</filter-mapping>

Sakai 2.0

  • Add the following params to the ..\Tomcat 5.0\conf Rebuild chef-tools module in Sakai (or full Sakai if you haven't made significant changes). Redeploy to Tomcat; just copying the WAR file doesn't seem to be enough. Verify that the source code being changed is indeed modified at the Tomcat level. I have not found a maven goal that does this specifically.
  • Add top.login=false and container.auth=true to the sakai.properties file (this will turn off the password field on the login page)
  • Restart Tomcat and test that when you hit login, the form that has the "DistAuth log in" button is there (don't browse via localhost; use your IP so that the domain cookie is set correctly and can be seen). When you click this button, you should be taken to DistAuth. Check error logs for the debugging code that I have in Cookies/Filters, etc.

Sakai 2.0

  • Add the following params to the ~[CurrentSakaiInstall]\login\login\src\webapp\WEB-INF\web.xml to declare the DistAuth Filter and mapping. Basically these are configurable pieces that not everyone will need, but we should put them in. ProtectionLevel is most important (2 is default, 3 is AFS).
    <webapp>
    ..
    <filter>
    <filter-name>sakai.request</filter-name>
    <filter-class>org.sakaiproject.util.RequestFilter</filter-class>
    </filter>

...

<listener>
<listener-class>org.sakaiproject.util.ToolListener</listener-class>
</listener>
..
</webapp>

  • Rebuild chef-tools module in Sakai (or full Sakai if you haven't made significant changes). Redeploy to Tomcat; just copying the WAR file doesn't seem to be enough. Verify that the source code being changed is indeed modified at the Tomcat level. I have not found a maven goal that does this specifically.
  • Add topcontainer.login=false and container.auth=true to the sakai.properties file (this will turn off the password field on the login page)Make necessary changes to login servlet at the sitenavservlet level. This may add another button with text "UCD login" for example on the portal page.this will turn off the password field on the login page, located at ..[TomcatInstall]\sakai)
  • Restart Tomcat and test that when you hit login, the form that has the "DistAuth log in" button is there (don't browse via localhost; use your IP so that the domain cookie is set correctly and can be seen). When you click this button (or the "Login" link on the portal), you should be taken to DistAuth. Check error logs for the debugging code that I have in Cookies/Filters, etc.

Screenshots are provided for 2 versions:
1. DistAuth login and login buttons appear on the site Login. Each will take you to a different location to authenticate.
2. One Login button replaces the username and password form boxes on the site Login and takes you to a central login for both DistAuth and Sakai admin.