Versions Compared

Comment: Migrated to Confluence 4.0

...

  1. ucd-form-based-distauth module, which includes the UCD Authentication Filter and the RequestWrapper that handles remote_user: https://mware.ucdavis.edu/svn/ucdsakai/trunk/ucd-form-based-distauth
  2. updated web.xml config patch for the login module in Sakai: https://mware.ucdavis.edu/svn/ucdsakai/branches/sakai-core-2-1-x/login

Background (please see the previous documentation for early screenshots, functional specs, etc.):

One solution was found for Sakai 1.5, but it is not straightforward for Sakai 2.0. It is less than ideal, but is noted here as a solution that was found to work on both Windows and Linux. The details are provided below:
The LoginServlet class was extended into a servlet called the DistAuthLoginServlet. The DistAuthLoginServlet preserves the same logic as the LoginServlet, except for any password lookup/recognition. Because the LoginServlet is used to capture form passwords, that logic can no longer be used: only DistAuth handles password information. That is not the only difference between the DistAuthLoginServlet and the LoginServlet; the main difference is that the DistAuthLoginServlet replaces "getRemoteUser" with the Kerberos name taken from the AuthUser cookie. The LoginServlet is used for inherent Sakai accounts (e.g. admin), while the DistAuthLoginServlet is the login that is protected by DistAuth. In addition to these modifications, other changes need to be incorporated into the Sakai framework for DistAuth to be configured correctly, including the addition of a DistAuth filter to handle the DistAuth and DA1 cookie validation/parsing. See the "HOW TO CONFIGURE DISTAUTH AND SAKAI 1.5, 2.0" section below.

Solution Found: For Sakai 1.5, 2.0, 2.0.1 and 2.1.x

Keeping the requirements in mind (see Requirements doc), a better solution had to be found that didn't involve direct modification and maintenance of Sakai source code. The solution found is a combination of a Servlet Filter and Request Wrapper, each handling a portion of the filtering and request handling in conjunction with the existing Sakai Request Filter.
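The filter-plus-wrapper pattern described above, as an added example that is not code from the UC Davis module or from Sakai: a servlet Filter validates an SSO cookie and, only when the cookie is authentic and unexpired, wraps the request so that getRemoteUser() returns the asserted user, which is the value Sakai's container.login mode reads. The class name, the init-param names, the cookie name and the user|expiry|MAC cookie format are assumptions for this example; the real DistAuth/DA1 cookie format is not reproduced here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Filter that validates an SSO cookie and, only if it is authentic and unexpired,
 * wraps the request so getRemoteUser() returns the asserted user.
 * Class name, init-param names and cookie format are assumptions for this example.
 */
public class RemoteUserCookieFilter implements Filter {
    private String cookieName;
    private CookieValidator validator;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed <init-param> names; the real module's parameter names differ.
        cookieName = cfg.getInitParameter("authCookieName");
        String secret = cfg.getInitParameter("cookieHmacSecret");
        if (cookieName == null || secret == null) {
            throw new ServletException("authCookieName and cookieHmacSecret init-params are required");
        }
        validator = new CookieValidator(secret.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = null;
        Cookie[] cookies = http.getCookies();          // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (cookieName.equals(c.getName())) {
                    user = validator.principalOf(c.getValue()); // null if forged, malformed or expired
                    break;
                }
            }
        }
        // No valid cookie: pass the request through unchanged so getRemoteUser() stays null
        // and the container.login path sends the user to the SSO login page.
        chain.doFilter(user == null ? req : new RemoteUserRequest(http, user), res);
    }

    @Override
    public void destroy() { }

    /** Wrapper that overrides getRemoteUser() only; every other call goes to the original request. */
    static final class RemoteUserRequest extends HttpServletRequestWrapper {
        private final String user;

        RemoteUserRequest(HttpServletRequest original, String user) {
            super(original);
            this.user = user;
        }

        @Override
        public String getRemoteUser() { return user; }
    }
}

/**
 * Constructed cookie format for this example: user|expiryEpochSeconds|base64url(HMAC-SHA256).
 * It stands in for the real DistAuth cookie format, which is not reproduced here.
 */
final class CookieValidator {
    private final byte[] key;

    CookieValidator(byte[] key) { this.key = key; }

    /** Returns the user name if the MAC verifies and the cookie has not expired, otherwise null. */
    String principalOf(String value) {
        String[] parts = value.split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry < System.currentTimeMillis() / 1000L) return null;
        byte[] expected = mac(parts[0] + "|" + parts[1]);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so a forged cookie cannot be refined byte by byte.
        return MessageDigest.isEqual(expected, presented) ? parts[0] : null;
    }

    /** Issuer side: how a cookie value for a user would be minted with the same key. */
    String mint(String user, long expiryEpochSeconds) {
        String payload = user + "|" + expiryEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    private byte[] mac(String data) {
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(key, "HmacSHA256"));
            return hmac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the wrapper is what makes getRemoteUser() non-null, the filter's <filter-mapping> in web.xml must cover the login servlet's path and sit ahead of it in the chain; a request that reaches the login without a valid cookie still sees a null remote user, which is why the filter passes such requests through untouched rather than trusting any unverified cookie value.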

...

The following are instructions for adding DistAuth login to Sakai 1.5, 2.0 and 2.1.x (this assumes a single login page protected by DistAuth, version 1 below).

Sakai 2.1.x

1. Remove any prior versions of DistAuth jars located in shared/lib/ or common/lib.

2. Set up any Sakai usernames that should be able to log in to the site.
(This step will soon be replaced by automated provisioning.)

3. Log in to Sakai as admin. Set your admin account password to a secure value, then proceed.

4. Update the admin realm to include the usernames that should have administrative rights when they log in to the Sakai instance.
Click the Realms navigation link.
Click the /site/!admin realm.
Click the Grant Ability link.
Add the usernames in the provided ID box.
Save your changes to the Realm.
Click Done to commit your changes to the Sakai Realm.

5. Download the DistAuth filter and wrapper source from SVN: https://mware.ucdavis.edu/svn/ucdsakai/trunk/ucd-form-based-distauth OR https://mware.ucdavis.edu/svn/ucdsakai/branches/sakai-core-2-1-x-scottdev/ucd-form-based-distauth (most recent changes)

This DistAuth module contains the filter and request wrapper combined, and is built by Maven within Sakai.

6. Edit the sakai.properties file, located at $CATALINA_HOME/sakai/sakai.properties by default.

Turn on the container.login behaviour in sakai.properties. If the line is not present, add:

container.login = true

7. Apply the patch for the login module in Sakai, downloaded from SVN: https://mware.ucdavis.edu/svn/ucdsakai/trunk/login. The patch handles logging out of DistAuth and going to secureweb. This is now a BasicConfigurationService modification, and Jon Gorrono patched this service to go along with the logoutURL parameter in sakai.properties. See Jon G or Thomas about this code.

To apply it, run the patch command from the *$SAKAI_DEV\login* directory, for example:

patch -p0 < <patch file location>

8. Set the web.xml parameters for DistAuth via the login/login/src/webapp/WEB-INF directory (in the sakai-core-2-1-x code). This directory contains the web.xml configuration, including the filter mapping and filter parameters used by the DistAuth servlet filter and wrapper.

See the example web.xml below. The order of elements within web.xml is important. Note that the <filter> and <filter-mapping> elements must each be contiguous within the web.xml file. The example below contains many parameters that are required for completeness but may not be used in your implementation. The ... notation indicates that you may have additional entries in your web.xml file. The critical elements that were used in testing, and the order-sensitive elements, are each included below.

Please note that fewer parameters are necessary now than in past DistAuth jar versions. Below is an updated list of parameters (compared with the Sakai 1.5 and 2.0.1 implementations of the Distributed Authentication jar) that accommodates the changes from MyInfoVault and other projects. These modifications were necessary to remove extraneous parameters that are not relevant to Sakai.

...

<listener>
<listener-class>org.sakaiproject.util.ToolListener</listener-class>
</listener>
...
</web-app>

9. Build the ucd-form-based-distauth module
cd $SAKAI_DEV/ucd-form-based-distauth
maven sakai

10. Stop Tomcat
/etc/init.d/tomcat stop
or on Windows use the net command or the Services Control Panel

11. Rebuild Sakai and deploy to Tomcat
cd $SAKAI_DEV
maven bld dpl

12. Start Tomcat
/etc/init.d/tomcat start
or on Windows use the net command or the Services Control Panel

13. Now test that when you visit your Sakai instance's URL and click the login link you are sent to the UC Davis DistAuth page for authentication. Note that it is important to use the dotted-quad IP address or the FQDN in your URL; this is required for DistAuth to function. Do not use localhost or the localhost IP address to test this. Check the access and/or error logs for further details of the test.

...