Liferay workshop

Published in: Education
  • Talk about the different features of the new Liferay version - awesome work on the new integration of different security protocols: plugins for CAS, OpenID, SAML and other SSO solutions …
  • SSO framework through the different Tempo services - UI-FW, FormManager, Task Attachment (Alfresco), Feeds (slightly modified)
  • Walk through all of these: http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough
  • Explain the integration with Tempo services

    1. Nicolas Modrzyk [email_address] With the help of Joseph Shum @ Liferay
       Intalio, Leader in Open Source BPM
    2. Agenda
       • Vision
       • Liferay features
       • SSO in Tempo
       • How CAS works
       • CAS applied to Tempo
       • What we learned
       • Demo
    3. Intalio | Portal (some ideas)
    4. Liferay Version 5.0
       • Message Boards, Blogs and Wiki, fully equipped with RSS support, email notifications, dynamic tagging, rating systems and social bookmark links. Other collaboration enhancements include:
       • A dynamic tagging system for user-driven categorization
       • AJAX-based mail client that allows users to send email directly from the portal
       • Shared calendars, chat and polls
       • Direct portlet publishing to the MySpace and Facebook networks
       • Ability to leverage iGoogle gadgets directly within portal deployment
    5. SSO in Tempo
       • RBAC (Role-based access control)
       • http://csrc.nist.gov/groups/SNS/rbac/
       • Simple plugin
       • LDAP plugin
       • Token Service
       • No credentials sent around
       • Plugged with CAS
       • Can now support basic CAS, OpenID and Google SAML
    6. What is CAS?
       • CAS provides an enterprise single sign-on service:
       • An open and well-documented protocol
       • An open-source Java server component (also a Ruby one: http://code.google.com/p/rubycas-server/ )
       • A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
       • Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
       • Community documentation and implementation support
       • An extensive community of adopters
    7. CAS 1.0 Basics
       • How CAS 1.0 works
    8. CAS Basics
    9. CAS Proxying Quick Walkthrough
       • Step One: login
       • To start with, log in to CAS with some invented service:
         https://foo.bar.com/is/cas/login?service=http://localhost/bling
       • On successful login, CAS will redirect you to the service with a ticket appended (it doesn't matter that the service is made up, as the ticket you're after is part of the URL and will appear in the location bar even if your browser can't find the resource):
         http://localhost/bling?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS
    10. CAS Proxying Quick Walkthrough
       • Step Two (a): verify the ticket and be done
       • So, playing the role of the first application (not a proxying application at this stage; let's just see if we can get our application authenticated without proxying for now), you need to take the ticket and turn it into a username:
         https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling
       • which will produce a result like:
         <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
           <cas:authenticationSuccess>
             <cas:user>endjs</cas:user>
           </cas:authenticationSuccess>
         </cas:serviceResponse>
       • This is the end of the road for normal applications that don't need to proxy other applications.
    11. CAS Proxying Quick Walkthrough
       • Step Two (b): verify the ticket and enable further proxying
       • If instead you do want to be able to proxy other applications, you need to also supply a pgtUrl to your validation request so that CAS can call back with the Proxy Granting Ticket. This is where life gets complicated, especially if you forget that service tickets are one-time-only tickets and that once you've used them with serviceValidate, you have to go back to CAS and get a new one (so if you've done Step One and Step Two (a), you'll need to do Step One again before you can do Step Two (b)).
       • The choice of pgtUrl here is fairly arbitrary except that it needs to be an https URL and it needs to be on a server on which you can access the log files.
         https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
       • results in:
         <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
           <cas:authenticationSuccess>
             <cas:user>endjs</cas:user>
             <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
           </cas:authenticationSuccess>
         </cas:serviceResponse>
    12. CAS Proxying Quick Walkthrough
       • Step Three: dig out the PGT
       • Now our first application knows who the user is and has a Proxy Granting Ticket IOU. To find the real PGT we look in the Apache access log for foo.bar.com and hunt out the request made by CAS to deliver the PGT:
         foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079
    13. CAS Proxying Quick Walkthrough
       • Step Four: get a proxy ticket
       • With the PGT in our grasp we can make a call on CAS to give us a proxy ticket for some other service we wish to proxy:
         https://foo.bar.com/is/cas/proxy?targetService=http://localhost/bongo&pgt=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS
       • resulting in:
         <cas:serviceResponse>
           <cas:proxySuccess>
             <cas:proxyTicket>PT-957-ZuucXqTZ1YcJw81T3dxf</cas:proxyTicket>
           </cas:proxySuccess>
         </cas:serviceResponse>
    14. CAS Quick Walkthrough
       • Step Five: verify the proxy ticket
       • Now we take on our final role for the exercise: the proxied application. The proxying application has invoked our service URL and has passed in the proxy ticket it got. We take that ticket and validate it to find out both who the user is and which applications are in the proxy chain:
         https://foo.bar.com/is/cas/proxyValidate?service=http://localhost/bongo&ticket=PT-957-ZuucXqTZ1YcJw81T3dxf
       • resulting in:
         <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
           <cas:authenticationSuccess>
             <cas:user>endjs</cas:user>
             <cas:proxies>
               <cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy>
             </cas:proxies>
           </cas:authenticationSuccess>
         </cas:serviceResponse>
    15. CAS Applied to Tempo - I
       • Get a CAS Receipt from the HTTP session from Liferay (CASified):
           CASReceipt CASreceipt = (CASReceipt) hsr.getSession().getAttribute(CASFilter.CAS_FILTER_RECEIPT);
           String pgtIou = CASreceipt.getPgtIou();
       • The pgtIou provides a way to associate the Proxy Granting Ticket with a ticket validation response without including the Proxy Granting Ticket directly in the response.
           // the receptor received the pgtId on the pgtUrl callback; exchange it for a proxy ticket for our service
           String proxyTicket = ProxyTicketReceptor.getProxyTicket(pgtIou, _serviceURL);
           String token = _tokenService.getTokenFromTicket(proxyTicket, _serviceURL);
       • Then call our own
           User currentUser = authenticate(token, grantedRoles);
    16. CAS Applied to Tempo - II
       • Call Tempo TokenService:
           public String getTokenFromTicket(String proxyTicket, String serviceURL) throws Exception {
               ProxyTicketValidator pv = new ProxyTicketValidator();
               pv.setCasValidateUrl(_validateURL);   // the CAS proxyValidate endpoint
               pv.setService(serviceURL);
               pv.setServiceTicket(proxyTicket);
               pv.validate();                        // calls CAS over HTTPS and parses the cas:serviceResponse
               if (pv.isAuthenticationSuccesful()) { // method name is spelled this way in the CAS client
                   String user = pv.getUser();
                   return createToken(user);
               }
               throw new SecurityException("CAS proxy ticket validation failed");
           }
       • We now have a Tempo service ticket!!
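The proxy walkthrough (slides 9 to 14) and the Tempo TokenService (slides 15 and 16) both come down to parsing the cas:serviceResponse, recovering the PGT from the pgtCallback log line, and deciding whether the proxy chain reported by proxyValidate can be trusted before minting a token. The Python below is an added example, not Intalio's or the CAS client's code; the response XML, the log line, the trusted-proxy set and the HMAC key are constructed stand-ins.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS = "{http://www.yale.edu/tp/cas}"   # namespace of cas:serviceResponse

# Constructed sample data, shaped like the exchanges in the walkthrough above.
PROXY_VALIDATE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess><cas:user>endjs</cas:user>
<cas:proxies><cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy></cas:proxies>
</cas:authenticationSuccess></cas:serviceResponse>"""
CALLBACK_LOG = ('foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback'
                '?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td'
                '&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079')

def parse_cas_response(xml_text):
    """Parse a serviceValidate/proxyValidate response into user, pgtIou and proxy chain.
    Raises ValueError on <cas:authenticationFailure> (or anything that is not a success)."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS + "authenticationSuccess")
    if ok is None:
        failure = root.find(CAS + "authenticationFailure")
        raise ValueError("CAS validation failed: %s" % (failure.get("code") if failure is not None else "no success element"))
    return {"user": ok.findtext(CAS + "user").strip(),
            "pgt_iou": ok.findtext(CAS + "proxyGrantingTicket"),
            "proxies": [p.text.strip() for p in ok.iter(CAS + "proxy")]}

def pgt_from_callback_log(log_text, pgt_iou):
    """Step Three: find the pgtCallback request CAS made for this pgtIou and return its pgtId."""
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP/', line)
        if m:
            qs = parse_qs(urlsplit(m.group(1)).query)
            if qs.get("pgtIou") == [pgt_iou]:
                return qs["pgtId"][0]
    return None

def issue_token(proxy_validate_xml, trusted_proxies, key):
    """Step Five plus the Tempo TokenService: accept the proxy ticket only when every hop in
    cas:proxies is an https callback URL we trust, then mint an HMAC token for the user."""
    info = parse_cas_response(proxy_validate_xml)
    for hop in info["proxies"]:
        if urlsplit(hop).scheme != "https" or hop not in trusted_proxies:
            raise PermissionError("untrusted proxy in chain: %s" % hop)
    mac = hmac.new(key, info["user"].encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (info["user"], mac)
```

Grepping the access log for the pgtId is what the walkthrough does by hand; in a real deployment the ProxyTicketReceptor on the pgtUrl stores that mapping, and the chain check is what keeps an arbitrary CASified application from proxying into Tempo on a user's behalf.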
    17. Migration of UI-FW to a portlet
       • Being able to display UI-FW from a portal
       • Also the Intalio console, BAM …
       • Integrate with SSO
       • We started with Pluto as the open source portal
    18. Lessons learned: Switch from Pluto to Liferay
       • JSR-168 leaves authentication out
       • Pluto has very limited SSO support
       • Many forum threads on why it doesn’t work, version mismatches
       • Migrating to Liferay was a treat
    19. Lessons learned: jQuery from the start
       • ExtJS dual licensing and the GPL v3
       • jQuery in short:
         http://www.slideshare.net/Sudar/a-short-introduction-to-jquery/
         http://www.slideshare.net/simon/jquery-in-15-minutes/
       • jQuery in very short:
         “You start with 10 lines of jQuery that would have been 20 lines of tedious DOM JavaScript. By the time you are done it’s down to two or three lines and it couldn’t get any shorter unless it read your mind.”
       • Simple Ajax in a breeze
       • Searching for elements in the DOM is made easy
       • The helper function [ $() ] is a pleasure to use
       • Most importantly: it handles cross-browser compatibility.
       • Plenty of plugins and components
       • Doesn’t hijack the common namespace
       • Nested sortable example
    20. UI-FW Portlet Demo
    21. Thank you!!
       • Now is the perfect time to ask plenty of questions …
       • What you think is important (speak your mind.)
