ClassCastException with WebCredentials in RestProxyServicePlugin


bcs...@gmail.com

Sep 16, 2014, 8:33:20 AM
to hippo-c...@googlegroups.com
Hi,
I'm configuring Hippo to use our single sign-on (SSO) (Apache using CAS, which calls LDAP).
To achieve this, I used http://blog.tirasa.net/hippocms-in-sso.html
I implemented my own LoginModule and RenderPlugin, which sets the Credentials to a newly created WebCredentials.
The SSO login and most stuff works fine, but some parts of Hippo crash because in RestProxyServicePlugin.getEncryptedCredentials the current credentials are cast to SimpleCredentials instead of its parent Credentials.
I wonder if this is a bug, because this cast doesn't seem necessary. It could just be changed in RestProxyServicePlugin and the used CredentialCipher.
Is there a workaround, or shouldn't I use WebCredentials? SimpleCredentials does not seem possible for me because I don't have the password.
Any help is welcome.
Thank you,
Bjoern

Woonsan Ko

Sep 16, 2014, 7:19:13 PM
to hippo-c...@googlegroups.com

Hi Bjoern,

Which version are you working with? 7.9 or 7.8?
Since 7.9.2, we have much more simplified SSO integration support. I planned to write a blog about that but have been busy with something else.
Let me know if you can use 7.9.2.
Btw, afaik, there are more locations depending on SimpleCredentials in the core auth management module. So sorry, but I'm afraid it's safer with the new approach if possible (because it's now an intended SSO support feature at product level).

Woonsan
(Sent via my mobile device. Apologies for any typos.)

--
Hippo Community Group: The place for all discussions and announcements about Hippo CMS (and HST, repository etc. etc.)
 
To post to this group, send email to hippo-c...@googlegroups.com
RSS: https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
---
You received this message because you are subscribed to the Google Groups "Hippo Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hippo-communi...@googlegroups.com.
Visit this group at http://groups.google.com/group/hippo-community.
For more options, visit https://groups.google.com/d/optout.

bcs...@gmail.com

Sep 17, 2014, 3:35:04 AM
to hippo-c...@googlegroups.com
Hi Woonsan,

thank you for your response.
I'm working with 7.9.2 and can switch to newer versions when they appear, but the named critical cast exists even in the trunk.
Until now, the named cast was the only critical place I found. Would it be possible to fix this? Only two lines of code ;). I could provide a patch file.

It would be great if you have a hint, link, blog or example for using the new simplified SSO. I will test it and report my experiences with it.

Greetings and thank you,
Bjoern

Woonsan Ko

Sep 17, 2014, 4:10:03 PM
to hippo-c...@googlegroups.com
Hi Bjoern,

I'm a bit doubtful about the possibility of avoiding the direct
dependencies on SimpleCredentials. For example, the HippoUserManager
interface and its implementation in the hippo-repository-engine module
require that, too.
I will try to write a blog article soon and keep you updated.

Regards,

Woonsan
--
w....@onehippo.com www.onehippo.com
Boston - 101 Main Street, Cambridge, MA 02142
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

bcs...@gmail.com

Sep 22, 2014, 2:50:34 AM
to hippo-c...@googlegroups.com

Hi Woonsan,

I'm looking forward to your blog entry.
Could you meanwhile give me a hint where to look: link, example, class name, package, ... Everything is welcome. ;)

Thank you very much.
Greetings,
Bjoern


mahip...@gmail.com

Sep 23, 2014, 4:26:03 PM
to hippo-c...@googlegroups.com
Hi Woonsan,

I would also be interested in the blog article.

Regards,
Markus

Woonsan Ko

Sep 24, 2014, 12:26:53 AM
to hippo-c...@googlegroups.com
Hi Bjoern,

I've just added a very simple example project with a brief summary and
references. [1]
The channel manager perspective doesn't work with the project yet, but
that's due to a different reason: even if there's no class cast error,
the REST service on the /site application was not integrated with the SSO
solution yet, so the channel manager doesn't seem to get proper results.
I'll take a look from time to time.

Cheers,

Woonsan

[1] https://github.com/woonsanko/hippo-cas-integration-demo

bcs...@gmail.com

Sep 29, 2014, 11:51:56 AM
to hippo-c...@googlegroups.com

Hi Woonsan,

thank you very much for your answer and the example project.
Meanwhile I tried just fixing the two "bad" casts (see my first post). The result was: everything seems fine, as far as I tested, except for the channel manager, where I also was stuck at the REST service. :/
So we have two solutions with SSO, but both without the channel manager.
Unfortunately, we need the channel manager.
So, do you know if there is any working solution to use Hippo with SSO including the channel manager?
Any hint, link, idea or keyword is welcome.

Woonsan Ko

Sep 29, 2014, 1:18:14 PM
to hippo-c...@googlegroups.com
Hi Bjoern,

I didn't have time to look into the problem in detail yet, but I will
probably want to look into
org.hippoecm.hst.core.container.CmsSecurityValve to see what's happening
there, because the valve seems to establish a JCR session for either the
REST calls from the channel manager or preview rendering
(#createCmsChannelManagerRestSession() and #createCmsPreviewSession()).
I think we'll need to understand what the problem really is in SSO
integration for the channel manager first, and then try to find the most
proper solution. For example, the solution might be to improve the valve
itself for more extensibility, or to recommend adding a custom valve for a
specific SSO solution before the valve, or something else, depending on
the problem determination.

Regards,

Woonsan

Woonsan Ko

Oct 20, 2014, 3:23:17 PM
to hippo-c...@googlegroups.com
I figured out why the channel manager didn't work. After asking around
internally, I was able to solve the channel manager issue by adding an
extra attribute in SimpleCredentials and using the extra attribute in my
custom CAS SecurityProvider.
See my personal github project for detail:
- https://github.com/woonsanko/hippo-cas-integration-demo

I think this approach will be valid in 7.9 at least.

Regards,

Woonsan

Ard Schrijvers

Oct 20, 2014, 3:28:15 PM
to hippo-c...@googlegroups.com

Afaics this approach will just keep working in 7.10, but most
likely we'll support something like TokenBasedCredentials (or perhaps
SSOBasedCredentials) as well, instead of having to use
SimpleCredentials without really requiring a password.

Regards Ard
--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

Woonsan Ko

Oct 20, 2014, 3:43:32 PM
to hippo-c...@googlegroups.com
Sounds great! Looking forward to the improvements in 7.10!

Cheers,

Woonsan

bcs...@gmail.com

Oct 29, 2014, 8:58:46 AM
to hippo-c...@googlegroups.com

Hi Woonsan,

thank you very much for your response and the hippo-cas-integration-demo.
Thanks to this, I was able to solve our SSO issues :)

Hint:
It was even possible to combine your CASDelegatingSecurityProvider and the LdapSecurityProvider into a new SecurityProvider, syncing the users with our LDAP server and allowing SSO login (which itself is connected to the LDAP, too) at the same time.

Thank you very much. Cheers,
Björn

Woonsan Ko

Oct 29, 2014, 9:37:56 AM
to hippo-c...@googlegroups.com
Really cool, Björn!
I am really glad to help you.

Cheers,

Woonsan

bcs...@gmail.com

Oct 30, 2014, 12:36:32 PM
to hippo-c...@googlegroups.com

Hi Woonsan,
I've one more question concerning the SSO:
The demo project and my code handle SSO for the CMS.
Now I try to use it for the Site, too.
Do you have a hint how to extend the demo project to use SSO also for the site?
Thank you very much,
Björn

Woonsan Ko

Oct 30, 2014, 1:22:54 PM
to hippo-c...@googlegroups.com
Hi Björn,

I think it's straightforward when considering SSO in SITE applications,
because you don't have to think about which JCR credentials should be
used, for instance.
In SITE applications, it's just about creating a subject with principals
in the servlet standard way (e.g. HttpServletRequest#getUserPrincipal(),
#isUserInRole(), #getRemoteUser(), ...).
For example, if we use CAS in /site as well, then I think it's just
about configuring the CAS Java Client servlet filters in web.xml before
HstFilter. Then HST applications can retrieve the established user
principal, do role checking, etc. without any problem. FYI, HST can
check user roles for a sitemap item [1] whatever authentication
mechanism is used, as long as it can use the standard APIs such as
HttpServletRequest#isUserInRole(), etc.
If you have a difficulty because of an integration technology other
than CAS, for instance, then let us know. HST also provides a good
feature to establish the subject and principals in valves.

Cheers,

Woonsan

[1]
http://www.onehippo.org/library/concepts/security/hst-2-authentication-and-authorization-support.html
("6. Authorization Configuration" section)

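The servlet-API route Woonsan describes above (SSO client filters before HstFilter, HST reading the user through getUserPrincipal()/isUserInRole()), as an added example that is not code from the thread, the demo project, Hippo/HST or the CAS client. The filter sits between the SSO client filter and HstFilter, trusts only the user name the preceding filter established via getRemoteUser(), and answers getUserPrincipal() and isUserInRole() from roles resolved locally, which is the shape needed when roles come from LDAP or Hippo-internal groups instead of from the SSO server, as Björn reports later in the thread. The class and interface names (SsoRoleMappingFilter, RoleSource), the in-memory role table and the stub request in main() are this example's own assumptions; it needs only the javax.servlet API jar to compile.

```java
import java.io.IOException;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Example filter (not Hippo/HST or CAS client code). Map it in web.xml after the SSO
 * client filters and before HstFilter. It relies on getRemoteUser() having been set
 * server-side by the SSO filter; it never derives the user from a client-supplied header.
 */
public final class SsoRoleMappingFilter implements Filter {

    /** Hypothetical role lookup for this example: LDAP groups, Hippo groups, or both. */
    public interface RoleSource {
        Set<String> rolesOf(String userName);
    }

    private volatile RoleSource roleSource = userName -> Collections.emptySet();

    public void setRoleSource(RoleSource roleSource) { this.roleSource = roleSource; }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(wrap((HttpServletRequest) request), response);
    }

    /** Wraps an authenticated request; anonymous requests pass through untouched. */
    public HttpServletRequest wrap(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null || user.isEmpty()) {
            return request;
        }
        Set<String> roles = new HashSet<>(roleSource.rolesOf(user));
        return new SsoRequest(request, user, Collections.unmodifiableSet(roles));
    }

    /** Standard servlet view of the SSO user that HstFilter's role checks can consume. */
    static final class SsoRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        SsoRequest(HttpServletRequest request, String user, Set<String> roles) {
            super(request);
            this.principal = new UserPrincipal(user);
            this.roles = roles;
        }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Offline demonstration with a constructed role table and a stubbed request. */
    public static void main(String[] args) {
        Map<String, Set<String>> localGroups = new HashMap<>();
        localGroups.put("bjoern", new HashSet<>(Arrays.asList("editor", "everybody")));
        SsoRoleMappingFilter filter = new SsoRoleMappingFilter();
        filter.setRoleSource(u -> localGroups.getOrDefault(u, Collections.emptySet()));

        HttpServletRequest wrapped = filter.wrap(stubRequest("bjoern"));
        System.out.println(wrapped.getUserPrincipal().getName()
                + " editor=" + wrapped.isUserInRole("editor")
                + " admin=" + wrapped.isUserInRole("admin"));
        HttpServletRequest anonymous = filter.wrap(stubRequest(null));
        System.out.println("anonymous principal=" + anonymous.getUserPrincipal());
    }

    /** Minimal HttpServletRequest stub (dynamic proxy) standing in for the SSO filter's request. */
    static HttpServletRequest stubRequest(String remoteUser) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, margs) -> {
                    switch (method.getName()) {
                        case "getRemoteUser": return remoteUser;
                        case "getUserPrincipal": return null;
                        case "isUserInRole": return Boolean.FALSE;
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });
    }
}
```

The role set is computed once per request and exposed read-only, so a downstream component cannot grow its own privileges by mutating it; the filter order is what makes the trust boundary hold, since a request reaching this filter without passing the SSO filter first would carry no remote user and stay anonymous.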

bcs...@gmail.com

Nov 11, 2014, 8:01:11 AM
to hippo-c...@googlegroups.com

Hi Woonsan,

thank you again for your reply.

After some debugging I figured out that using the servlet filters for the CMS from your example should work, if the CAS provides the roles for the users. This is wrapped by HttpServletRequestWrapperFilter.
In our case we rely on a combination of LDAP and local Hippo-internal groups, so that wasn't possible for us. To stop Hippo from using exactly the roles provided by CAS, I had to remove the HttpServletRequestWrapperFilter from the list of servlet filters.
Then, to get it working I did several things:
* used the SSOExampleLoginFilter for the CMS from your example
* used my own LoginServletWrapper wrapping the default LoginServlet (not extending it, because of problems with relative resources in LoginServlet), which tests for SSO and handles it (in case of MODE_LOGIN_FORM) or calls the contained LoginServlet
* used my own SSOAuthenticationProvider extending HippoAuthenticationProvider and only overriding the authenticate method, handling SSO or calling super. Equivalent to your SecurityProvider
* In the site, I had problems with your verification by ThreadLocal because the site uses sub-threads. So I implemented a short singleton ticket system in a shared project used by CMS & site, creating a password by merging a constant, the username, a random UUID and a short time slice into the password field each time in the LoginFilter. So later I could validate the given user/password combination against this system.

Now CMS and site work with SSO, users from LDAP and our own authentication-methods. :)


Thank you very much,
Björn

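The two pieces described in this thread, Woonsan's Oct 20 approach (an extra attribute on SimpleCredentials that the custom SecurityProvider checks) and Björn's Nov 11 ticket system (a singleton shared by CMS and site that issues a secret at login and validates it later instead of relying on a ThreadLocal), as one added example that is not code from the demo project, from Hippo, or from either poster. It carries the ticket as a SimpleCredentials attribute rather than in the password field, draws it from SecureRandom instead of a UUID, and makes it single-use, short-lived, bound to the user id and compared in constant time. The class SsoTicketStore, the attribute name sso.ticket and the 30-second lifetime are this example's own choices; the wiring into Hippo's SecurityProvider/authenticate is not shown, and as a JVM-local singleton it only serves CMS and site together when they run in the same JVM, as in Björn's shared project. Only the JCR API jar (javax.jcr) is needed to compile it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.SimpleCredentials;

/**
 * Example (not the demo project's or Hippo's code). The login filter validates the SSO
 * assertion, then calls issue(); the repository-side authenticate() accepts the resulting
 * SimpleCredentials only if the attached ticket is known, unexpired, unused and bound to
 * the same user id. Without that check an empty-password SimpleCredentials would log in anyone.
 */
public final class SsoTicketStore {

    public static final String TICKET_ATTR = "sso.ticket";   // attribute name chosen for this example
    static final long TTL_MILLIS = 30_000L;                   // short lifetime, like the "time slice"

    private static final SsoTicketStore INSTANCE = new SsoTicketStore();
    public static SsoTicketStore get() { return INSTANCE; }   // shared singleton, safe from any thread

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> tickets = new ConcurrentHashMap<>();

    private static final class Entry {
        final String user;
        final long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    /** Login-filter side: call only after the SSO assertion has been validated. */
    public SimpleCredentials issue(String user) {
        return issue(user, System.currentTimeMillis());
    }

    SimpleCredentials issue(String user, long now) {
        byte[] raw = new byte[32];                            // 256 bits of unguessable secret
        random.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(ticket, new Entry(user, now + TTL_MILLIS));
        SimpleCredentials creds = new SimpleCredentials(user, new char[0]); // password unknown to us
        creds.setAttribute(TICKET_ATTR, ticket);
        return creds;
    }

    /** Repository side: what a custom SecurityProvider's authenticate() does for SSO credentials. */
    public boolean authenticate(SimpleCredentials creds) {
        return authenticate(creds, System.currentTimeMillis());
    }

    boolean authenticate(SimpleCredentials creds, long now) {
        Object attr = creds.getAttribute(TICKET_ATTR);
        if (!(attr instanceof String)) {
            return false;                 // no ticket: not an SSO login, caller falls back to password
        }
        Entry entry = tickets.remove((String) attr);   // single use: consumed even if validation fails
        if (entry == null || now > entry.expiresAt) {
            return false;                 // unknown, already used, or expired
        }
        return constantTimeEquals(entry.user, creds.getUserID());   // ticket is bound to the user
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Drops expired tickets that were never presented; run periodically in a real deployment. */
    public void purge(long now) {
        tickets.entrySet().removeIf(e -> now > e.getValue().expiresAt);
    }

    /** Offline demonstration with a fixed clock (constructed inputs). */
    public static void main(String[] args) {
        SsoTicketStore store = SsoTicketStore.get();

        SimpleCredentials fresh = store.issue("bjoern", 0L);
        System.out.println("fresh ticket:       " + store.authenticate(fresh, 1_000L));
        System.out.println("same ticket again:  " + store.authenticate(fresh, 2_000L));

        SimpleCredentials late = store.issue("bjoern", 0L);
        System.out.println("after lifetime:     " + store.authenticate(late, TTL_MILLIS + 1));

        SimpleCredentials forged = new SimpleCredentials("admin", new char[0]);
        forged.setAttribute(TICKET_ATTR, "not-a-real-ticket");
        System.out.println("guessed ticket:     " + store.authenticate(forged, 1_000L));

        SimpleCredentials swapped = new SimpleCredentials("admin", new char[0]);
        swapped.setAttribute(TICKET_ATTR, store.issue("bjoern", 0L).getAttribute(TICKET_ATTR));
        System.out.println("ticket, other user: " + store.authenticate(swapped, 1_000L));
    }
}
```

main() walks through the cases a practitioner should test before trusting such a store: a fresh ticket is accepted once, presenting the same credentials again is refused because the ticket was consumed, a ticket older than its lifetime is refused, a made-up ticket on an empty-password SimpleCredentials is refused, and a genuine ticket paired with a different user id is refused. The removal happens before the expiry and user checks so a rejected ticket cannot be retried, and a purge() keeps tickets that were issued but never presented from accumulating.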

Woonsan Ko

Nov 11, 2014, 8:51:05 AM
to hippo-c...@googlegroups.com
Hi Björn,

Great to hear it's working! :)
I can imagine the complexity with the combination of LDAP and local
Hippo internal groups. It's really a great work!
Thanks for sharing your knowledge and experience.

Cheers,

Woonsan
