Liferay SSO Integration



1. What is SSO

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.

2.CAS(Centralo Authentication System)

CAS is just a application or a simple web application which provides sso . It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Requirements  For Cas Integration

1. Download Cas web application from the below give link:

you can use any of cas3.4.5 or cas3.5.2(latest)

2.jar files which will be used in cas Integration with liferay portal database.

Commoms-pool-1.6.jar .






 1.In CAS default authentication mechanism CAS Authenticate Users having same UserName and Password

Ex: NetId(Username):


We will also first test our cas with its default mechanism after that we will configure cas to use our Liferay portal database to authenticate username and Password with different value.

2.CAS authenticate users on HTTPS protocol ,For that we have to create our SSL certificate for our localhost port 8443.


Now Here is the STEPS we need to follow.


Unzip the CAS Web application jar file we have downloaded . Go inside \cas-server-3.4.5-release\cas-

server-3.4.5\modules\  you will see a war file cas-server-webapp-3.4.5.war .

Unzip this war file using any tool like-  7-zip File Manager or any .

Now  rename that to cas.


Put that  cas webapp  in you liferay tomcat server’s webbapp folder.


Now  UnComment  the connector port 8443 in your server.xml  file  available at server\tomcat-6.0.26\conf\server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true” maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />  


Now we have to create our own Self Signed ssl certificate  from our command line tool cmd(in Windows) and terminal(ij ubantu)  these are the following steps

	1. keytool -genkey -alias tomcat -keypass changeit -keyalg RSA


Note: Be sure to use the keytool that comes with the Java VM (%JAVA_HOME%/jre/bin/keytool), as on some systems the default points to the GNU version of keytool, where the two seem incompatible.

Answer the questions: (note that your firstname and lastname MUST be hostname of your server and cannot be a IP address; this is very important as an IP address will fail client hostname verification even if it is correct)

	Enter keystore password:  changeit
	What is your first and last name?
	[Unknown]:  localhost
	What is the name of your organizational unit?
	What is the name of your organization?
	What is the name of your City or Locality?
	What is the name of your State or Province?
	What is the two-letter country code for this unit?
	Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
	[no]: y


2.Now we have to export our certificate we have generated from our  personal keystore (In windows your personal keystore is in C:\Documents and Settings\<username>\.keystore)


	keytool -export -alias tomcat -keypass changeit -file %FILE_NAME% 

For  %FILE_NAME%  you can give server.cert.

3. Finally import the cert into Java's keystore with this command. Tomcat uses the keystore in your JRE (%JAVA_HOME%/jre/lib/security/cacerts)

	keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit -keystore


4.After Creating the ssl certificate we will refer our created Keystore and TrustStore from our server.xml File .                     Here how  I have Implemented

1.put your keystore file in servers  \liferay-portal-6.1.1-ce-ga2\tomcat-7.0.27\conf

2.Refer Your javas  Default  truststore.

<Connector SSLEnabled="true" clientAuth="false" keystoreFile="conf/.keystore" keystorePass="tomcat123" maxThreads="150"  enableLookups="false" disableUploadTimeout="true" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" maxHttpHeaderSize="8192"  truststoreFile="C:/Java/jdk1.7.0/jre/lib/security/cacerts"  acceptCount="100"/>


STEP 5: Now We have to Configure our Liferay portal to Enable CAS  Authentication

1.Login as Admin in your portal.

2.goto Control Panel -->Portel Settings -->Authentication-->CAS

3.Configure the fields  and don’t ever forgot to chaeck the Enable Checkbox. And save the configuration


Now create a user from portal with same emailed and password.and SignOut.




Now Sign In through Sign In Button On your Liferay Portal home Page it will redirect you to CAS Login page.Like


Now try to login with same username and password of the user you have created.

You will be redirected to Liferay portal asking You to set New username and Password.


After that try to Logout You will find something Like this

Congratulation you have configured Liferay with cas default functionality.


Now We will configure cas to authenticate users from our liferay portal database. For that we have to edit  a file available in cas webapp in our server. File resides here:  liferay-portal-6.1.1-ce-ga2\tomcat-7.0.27\webapps\cas\WEB-INF \deployerConfigContext.xml. By default CAS is using SimpleTestUsernamePasswordAuthenticationHandler. Replace the above mentioned authentication handler inside authenticationhandlers property like structure mention below.

Note: If you want to authenticate ByEmailAddress change the sql query in deployerConfigContext.xml as bellow.

<property name="sql" value="SELECT password_ FROM User_ WHERE  emailAddress=?" />

	<property name="authenticationHandlers">
	                     <!--| This is the authentication handler that authenticates services
by means of callback via SSL, thereby validating a server side SSL certificate. -->
	<bean class=""
	p:httpClient-ref="httpClient" /> 
	<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
	                      <property name="dataSource" ref="dataSource" />
	                       <property name="sql" value="SELECT password_ FROM User_ WHERE screenName=?" />
	                  <property name="passwordEncoder">
	                 <bean class="com.liferay.LiferayPasswordEncoder">
	  <!--  after closing of authenticationManager  bean  -->
	<!-- place database information  settings -->
	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
	                 <property name="driverClassName">
	                 <property name="url">
                <property name="username">   
                <property name="password">                         
                <property name="initialSize" value="1">
                <property name="maxIdle" value="5"></property>       
                <property name="maxActive" value="50"></property>       
                <property name="maxWait"  value="10000"></property>       
                <property name="validationQuery"  value="select 1"></property>       
                <property name="testOnBorrow" value="false"></property>    
                <property name="testWhileIdle" value="true"></property>
                <property name="timeBetweenEvictionRunsMillis"value="10000"></property>  
                <property name="minEvictableIdleTimeMillis" value="30000"></property>
                <property name="numTestsPerEvictionRun" value="-1"></property>
         </bean> //


STEP 10:

Now Create LiferayPassword Encoder class that will implements PasswordEncoder (While compiling it will need cas-server-core-3.3.5.jar that is available inside cas/WEB-INF/lib)  package  com.liferay  inside WEB-INF/classes

And compile it

	import org.jasig.cas.authentication.handler.PasswordEncoder;
	public final class LiferayPasswordEncoder implements PasswordEncoder
	    public String encode(final String password) {
	        MessageDigest digester = null;
	            digester = MessageDigest.getInstance("SHA");
	        catch (NoSuchAlgorithmException ex) {
	            System.out.println("encode method exception”+ ex.printStackTrace());}
	        catch (UnsupportedEncodingException ex) {
	            System.out.println("encode method exception”+ ex.printStackTrace());}
	 byte[] bytes = digester.digest();
	  return encodeBase64(bytes);
	    private static char getChar(int sixbit)
	    if (sixbit >= 0 && sixbit <= 25) {
	            return (char)(65 + sixbit);
	        if (sixbit >= 26 && sixbit <= 51) {
	            return (char)(97 + (sixbit - 26));
	        if (sixbit >= 52 && sixbit <= 61) {
	            return (char)(48 + (sixbit - 52));
	        if (sixbit == 62) {
	            return '+';
	        return sixbit != 63 ? '?' : '/';
	  private static String encodeBase64(byte raw[]) 
	                 StringBuilder encoded = new StringBuilder();
	        for (int i = 0; i < raw.length; i += 3) {
	            encoded.append(encodeBlock(raw, i));
	 return encoded.toString();
	    private static char[] encodeBlock(byte raw[], int offset)
	                 int block = 0;
	        int slack = raw.length - offset - 1;
	        int end = slack < 2 ? slack : 2;
	        for (int i = 0; i <= end; i++) {
	            byte b = raw[offset + i];
	            int neuter = b >= 0 ? ((int) (b)) : b + 256;
	            block += neuter << 8 * (2 - i);
	        char base64[] = new char[4];
	        for (int i = 0; i < 4; i++) {
	            int sixbit = block >>> 6 * (3 - i) & 0x3f;
	            base64[ i ] = getChar(sixbit);
	       if (slack < 1) {
	            base64[2] = '=';
	        if (slack < 2) {
	            base64[3] = '=';
	         return base64;


STEP 11:

Now Jars we have downloaded in  cas/WEB-INF/lib

Commoms-pool-1.6.jar .


cas-server-support-jdbc-3.4.5(This jar is available in your cas package you have downloaded inside cas-server-3.4.5-release\cas-server-3.4.5\modules)


 Now you are ready to test your cas authentication with Liferay using your own Portal database.


It’s not about ideas It’s about making ideas happen !!!