(CAS + LDAP + FTP + LifeRay) ^ GeoSolutions = Enterprise Portal

Recently GeoSolutions developed a new web portal for one of our biggest clients. The long term goal was to rationalize and concentrate all user and application management in a single entry point, while providing all the functionality of a classic web portal.

Use Case and Requirements
The development and deployment of the whole architecture was challenging due to the strict functional and non-functional requirements the client put forward.
The use case is quite complex, since our client periodically conducts experiments at sea in collaboration with other agencies and research centres, during which large amounts of data are collected and stored. Moreover, security is a crucial concern for them, so sophisticated and fine grained access control and authorization enforcement mechanisms are required.

Main requirements were as follows:

  • introduction of a Single Sign On (SSO) mechanism, so that users can use a single set of credentials across all the applications exposed through the web portal
  • the system had to be able to distinguish external users from internal users, and therefore apply a different set of security checks as well as richer or poorer content according to their provenance
  • usage of a single, interoperable and open credentials repository for storing user credentials, accounting also for the possibility of using them for FTP A&A as well as for legacy applications
  • fine grained RBAC capabilities in order to group users according to their needs as well as their provenance

Let us briefly explain the concept and the work done in order to implement such a system.

Single Sign On
We decided to implement the SSO system through a Central Authentication Service (CAS).
The CAS service assigns authentication tickets to users after a successful logon, delivered through HTTP cookies, so that any application or service able to communicate with CAS (Apache HTTPD, for instance) can automatically recognize the user and their authentication status.

Authorization
Notice that CAS provides only Authentication, not Authorization. That means we need some other mechanism to manage users' authorizations; the choice we made was to use LDAP to implement Role Based Access Control (RBAC).
RBAC was accomplished by creating a specific LDAP user repository and enabling both the HTTP and FTP daemons to draw user privileges from it. The LDAP service was provided by an OpenLDAP server with a custom schema for groups and people.

The Web Portal
The web portal was implemented with LifeRay. LifeRay was configured to provide authentication through CAS and authorization through LDAP; in other words, it imports/exports users and groups from/to the LDAP server. All the other LifeRay A&A mechanisms have been configured accordingly.

Putting it all together
Below is a schema of the entire system and its components.

Let us now explain the architecture above in more detail.

Apache HTTP Server sits in front of every direct HTTP access to the data, configured with "mod_cas" and "mod_ldap" in order to provide A&A. The "mod_rewrite" and "mod_proxy" modules have also been configured, both to recognize internal/external accesses and to forward requests to the internal web apps.

Both the CAS and FTP services have been configured to get user credentials from LDAP.
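As an added illustration (not the configuration of the deployment described here), the following Apache httpd 2.4 fragment shows how the pieces above fit together at the front end: CAS authentication via mod_auth_cas, group authorization against LDAP via mod_authnz_ldap, an internal/external split with mod_rewrite, and forwarding to an internal web app with mod_proxy. Hostnames, DNs, group names and the address range are placeholders; it also assumes httpd 2.4, where mod_authnz_ldap can authorize a user that another module authenticated.

```apache
# Added example, not the original deployment's config. Placeholders throughout.
LoadModule auth_cas_module    modules/mod_auth_cas.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so

# CAS server endpoints (placeholder host). Ticket validation must go over TLS,
# so the CA that issued the CAS server certificate is pinned here.
CASLoginURL         https://cas.example.org/cas/login
CASValidateURL      https://cas.example.org/cas/serviceValidate
CASCertificatePath  /etc/pki/tls/certs/cas-ca.pem
CASCookiePath       /var/cache/httpd/mod_auth_cas/

# Internal vs. external access: clients from the placeholder internal range
# are sent to the richer internal area, everyone else to the public one.
# Caveat: this trusts REMOTE_ADDR, i.e. network position; if another proxy
# sits in front of httpd, do not derive it from a client-settable header.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^10\.0\.
RewriteRule ^/portal/?$ /portal/internal/ [R=302,L]
RewriteCond %{REMOTE_ADDR} !^10\.0\.
RewriteRule ^/portal/?$ /portal/public/ [R=302,L]

# Public area: any CAS-authenticated user.
<Location /portal/public/>
    AuthType CAS
    AuthName "Portal"
    Require valid-user
</Location>

# Internal area: CAS authenticates, LDAP group membership authorizes.
<Location /portal/internal/>
    AuthType CAS
    AuthName "Portal"
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=org"
    AuthLDAPBindPassword "CHANGE-ME"      # read-only service account, keep out of VCS
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=internal-staff,ou=groups,dc=example,dc=org
    # Strip any client-supplied copy of the identity header before mod_auth_cas
    # sets it, so the backend can trust it only because it comes from this proxy.
    RequestHeader unset X-Remote-User early
    CASAuthNHeader X-Remote-User
    ProxyPass        http://app-internal.local:8080/portal/
    ProxyPassReverse http://app-internal.local:8080/portal/
</Location>
```

The backend must be reachable only from this proxy; otherwise the X-Remote-User header can be presented directly by anyone who can reach port 8080.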

In order to provide the customer with a fully functional system allowing them to manage credentials and web application areas, we also developed a specific portlet that lets administrators manage users' credentials in LDAP and lets users reset their own password.

Final Notes and next steps
We had to customize LifeRay deeply in order to integrate all the above components, but thanks to its flexibility and its extension frameworks we were able to accomplish what we needed without touching the source code or recompiling the standard distribution.
Next steps include integrating GeoServer into this infrastructure and letting it play nicely with LDAP and SSO. Stay tuned for more info on the topic.

The GeoSolutions team.