
Configure mod-jk

Create a workers.properties file in /etc/apache2

Code Block
sudo vi /etc/apache2/workers.properties
Add the following

 

No Format
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13

Configure apache2 sites

 

Code Block
sudo vi /etc/apache2/sites-available/default-ssl.conf

 

Add the following inside the VirtualHost, below the DocumentRoot /var/www/html line. The Location block must cover every path that JkMount forwards to Tomcat: midPoint will trust whatever Cas-User header arrives, so a path that reaches Tomcat without passing through CAS authentication would let a client supply a header of its own choosing.

 

No Format
<Location ~ "/midpoint*">
  AuthType CAS
  AuthName "CAS"
  Require valid-user
  CasAuthNHeader Cas-User
</Location>

JkMount /midpoint* worker1

Configure auth_cas

 

Code Block
sudo vi /etc/apache2/mods-available/auth_cas.conf

 

Add the following, replacing SERVERURL with the CAS server host name and MIDPOINTSERVERURL with the externally visible midPoint host name. Leave CASValidateServer On so that mod_auth_cas checks the CAS server's TLS certificate when it validates tickets.

 

No Format
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
# The line below is needed: mod_auth_cas would otherwise use the Apache server
# hostname in the service URL it sends in the CAS redirect, so we override it.
# Do not add a trailing / and do not add /midpoint!
CASRootProxiedAs https://MIDPOINTSERVERURL

 

Restart Apache2

 

Code Block
sudo service apache2 restart

 

Tomcat Configuration

Configure Tomcat to use the AJP connector. The connector is shipped commented out in server.xml; once enabled it listens on port 8009 for the requests mod_jk forwards. Tomcat binds it to all interfaces unless the Connector's address attribute is set, and anything that can reach this port can send requests straight to midPoint carrying a Cas-User header of its own choosing, so bind it to 127.0.0.1 (and restrict it with a firewall if Apache runs on another host). mod_jk and Tomcat can additionally share a secret (the worker's secret property and the connector's requiredSecret attribute in Tomcat 7) so that only this Apache instance is accepted.

 

Code Block
sudo vi /var/lib/tomcat7/conf/server.xml

 

Uncomment the following so that it reads

 

No Format
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Midpoint Configuration

Edit ctx-web-security.xml

 

Code Block
sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml

 

Uncomment the following so that it reads

 

No Format
<!-- For SSO integration use the following: -->
<custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />

 

Set principalRequestHeader in the requestHeaderAuthenticationFilter bean to the header name configured with CasAuthNHeader (Cas-User), and point defaultTargetUrl of the logoutHandler bean at the CAS logout URL so that logging out of midPoint also ends the CAS session. The two beans should read

 

No Format
    <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
    <beans:bean id="requestHeaderAuthenticationFilter"
                class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <beans:property name="principalRequestHeader" value="Cas-User"/>
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <beans:bean id="logoutHandler" class="com.evolveum.midpoint.web.security.AuditedLogoutHandler">
        <beans:property name="defaultTargetUrl" value="https://SERVERURL/cas/logout"/>
    </beans:bean>

 

Finally restart tomcat7

 

Code Block
sudo service tomcat7 restart

 

Users can now log in to midPoint using CAS. To verify, open https://MIDPOINTSERVERURL/midpoint in a browser: you should be redirected to the CAS login page and, after authenticating there, land in midPoint as the CAS user.
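The whole setup rests on one assumption: the Cas-User header that midPoint reads is only ever set by mod_auth_cas. The script below is an added example, not part of this page or of the midPoint, mod_jk or mod_auth_cas projects. It audits the three configuration fragments offline for the conditions that keep that assumption true: every JkMount path lies inside a CAS-protected Location, the AJP connector is bound to loopback and shares a secret with the worker, and the header names on both sides agree. It also checks for a RequestHeader unset Cas-User early line (an assumed hardening that needs mod_headers enabled and is not on the original page; the early keyword is what makes the strip run before mod_auth_cas sets the header rather than after). The configuration strings are constructed: the PAGE_* ones reproduce the page's own values, the HARDENED_* ones add the loopback bind, the secret and the header strip.

```python
"""Offline audit of the Apache -> mod_jk -> Tomcat -> midPoint trust chain.

midPoint's RequestHeaderAuthenticationFilter logs in whoever the Cas-User header
names, so the header must only ever be set by mod_auth_cas.  Checked here:
  1. every path JkMount forwards sits inside a Location with AuthType CAS + Require valid-user;
  2. a client-supplied Cas-User is stripped before auth (assumed hardening, not on the page);
  3. the AJP connector is loopback-only and shares a secret with the mod_jk worker;
  4. CasAuthNHeader and principalRequestHeader name the same header.
All configs below are constructed strings, not files read from a live system.
"""
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def location_blocks(vhost):
    """Yield (pattern, is_regex, body) for each <Location ...> / <LocationMatch ...>."""
    pat = r'<(Location|LocationMatch)\s+(~\s*)?"?([^"\s>]+)"?\s*>(.*?)</\1>'
    for tag, tilde, pattern, body in re.findall(pat, vhost, re.S):
        yield pattern, tag == "LocationMatch" or tilde != "", body

def cas_protected(body):
    return bool(re.search(r"^\s*AuthType\s+CAS\b", body, re.M | re.I)
                and re.search(r"^\s*Require\s+valid-user\b", body, re.M | re.I))

def covers(pattern, is_regex, path):
    """Apache semantics: regex Locations are searched, literal ones match whole path segments."""
    if is_regex:
        return re.search(pattern, path) is not None
    return path == pattern or path.startswith(pattern.rstrip("/") + "/")

def probe_paths(glob):
    """Representative paths a JkMount glob forwards ('*' matches anything, '/' included)."""
    if "*" not in glob:
        return {glob}
    prefix = glob.split("*", 1)[0]
    return {prefix, prefix + "x", prefix.rstrip("/") + "/x"}

def audit(vhost, workers, server_xml, web_security_xml):
    """Return a list of findings; an empty list means the trust chain holds."""
    findings = []
    locs = list(location_blocks(vhost))
    for glob in re.findall(r"^\s*JkMount\s+(\S+)", vhost, re.M):
        for path in sorted(probe_paths(glob)):
            if not any(cas_protected(b) and covers(p, rx, path) for p, rx, b in locs):
                findings.append(f"JkMount {glob}: {path} reaches Tomcat without CAS auth")
    cas_hdr = re.search(r"^\s*CasAuthNHeader\s+(\S+)", vhost, re.M)
    mp_hdr = re.search(r'name="principalRequestHeader"\s+value="([^"]+)"', web_security_xml)
    cas_hdr, mp_hdr = (m.group(1) if m else "" for m in (cas_hdr, mp_hdr))
    if cas_hdr.lower() != mp_hdr.lower():
        findings.append(f"header mismatch: mod_auth_cas sets {cas_hdr!r}, midPoint reads {mp_hdr!r}")
    # 'early' matters: without it mod_headers runs after authentication and would
    # strip the value mod_auth_cas has just set.
    if not re.search(rf"^\s*RequestHeader\s+unset\s+{re.escape(mp_hdr)}\s+early\b", vhost, re.M | re.I):
        findings.append(f"client-supplied {mp_hdr} is not stripped before authentication")
    live_xml = re.sub(r"<!--.*?-->", "", server_xml, flags=re.S)   # a commented-out Connector is not configured
    connectors = [dict(re.findall(r'(\w+)="([^"]*)"', c)) for c in re.findall(r"<Connector\s([^>]*)>", live_xml)]
    ajp = [c for c in connectors if "AJP" in c.get("protocol", "").upper()]
    if not ajp:
        findings.append("no active AJP connector in server.xml (still commented out?)")
    for c in ajp:
        if c.get("address") not in LOOPBACK:
            findings.append(f"AJP connector on port {c.get('port')} listens on all interfaces")
    props = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", workers, re.M))
    for name in props.get("worker.list", "").split(","):
        if props.get(f"worker.{name}.host") not in LOOPBACK:
            findings.append(f"worker {name} talks to a non-loopback host")
        secret = props.get(f"worker.{name}.secret")   # requiredSecret is the Tomcat 7 attribute name
        if not secret or not any(c.get("requiredSecret", c.get("secret")) == secret for c in ajp):
            findings.append(f"worker {name} has no secret matching the AJP connector")
    return findings

# Constructed inputs: PAGE_* reproduce the page's configuration, HARDENED_* add the fixes.
WEB_SECURITY = '<beans:property name="principalRequestHeader" value="Cas-User"/>'
PAGE_WORKERS = "worker.list=worker1\nworker.worker1.port=8009\nworker.worker1.host=localhost\nworker.worker1.type=ajp13\n"
PAGE_SERVER_XML = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
PAGE_VHOST = """\
<Location ~ "/midpoint*">
  AuthType CAS
  AuthName "CAS"
  require valid-user
  CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1
"""
HARDENED_WORKERS = PAGE_WORKERS + "worker.worker1.secret=replace-with-a-long-random-value\n"
HARDENED_SERVER_XML = ('<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
                       'requiredSecret="replace-with-a-long-random-value" redirectPort="8443" />')
HARDENED_VHOST = """\
RequestHeader unset Cas-User early
<Location "/midpoint">
  AuthType CAS
  AuthName "CAS"
  Require valid-user
  CasAuthNHeader Cas-User
</Location>
JkMount /midpoint worker1
JkMount /midpoint/* worker1
"""

if __name__ == "__main__":
    for label, cfg in (("page", (PAGE_VHOST, PAGE_WORKERS, PAGE_SERVER_XML)),
                       ("hardened", (HARDENED_VHOST, HARDENED_WORKERS, HARDENED_SERVER_XML))):
        print(label, audit(*cfg, WEB_SECURITY) or ["ok"])
```

Run against the page's own values the audit reports three gaps (no header strip, AJP bound to all interfaces, no shared secret); against the hardened set it reports none. The probe-path trick is deliberate: a JkMount glob and a Location pattern use different matching rules, so the check asks whether concrete paths the glob would forward are all inside a protected block instead of trying to compare the two patterns directly.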

See Also