Further adventures with CAS and Alfresco (and LDAP)

Like Alfresco in the cloud and myriad other systems, we’ve decided to use the email address as the user name for logging in. This works fine until you want to allow users to change their email address.

The problem here is that Alfresco doesn’t support changing user names (I believe that it can be done with some database hacking, but it is not recommended).

My solution is to let users log in to CAS with the mail attribute as their user name, but to pass the uid to Alfresco as the Alfresco user name. This means the Alfresco user name is not the same as the one they logged in with, but it allows the mail attribute to be changed, and since the user name isn’t often visible this works quite well. In fact it’s not too bad to set the uid to the mail address as well, especially if the rate of change is low, although there are some situations where this is potentially confusing.

So how to do it…

First, configure CAS (I’m using 4.0_RC2 at the moment).

In your deployerConfigContext.xml find your registeredServices and add

 <property name="usernameAttribute" value="uid"/>

so you end up with something like this:

<bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0"
	p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
	p:serviceId="^(https?|imaps?)://alfresco.wrighting.org/.*" p:evaluationOrder="10000001">
    <property name="usernameAttribute" value="uid"/>
</bean>

For 4.1 you’ll need the following. Note that allowedAttributes must contain the usernameAttribute, otherwise the usernameAttribute setting will be ignored:

<bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0"
    p:serviceId="^(https?|imaps?)://xxx.*"
    p:evaluationOrder="10000000">
    <property name="usernameAttributeProvider">
        <bean class="org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"
            c:usernameAttribute="uid" />
    </property>
    <property name="attributeReleasePolicy">
        <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
            <property name="allowedAttributes">
                <list>
                    <value>uid</value>
                </list>
            </property>
        </bean>
    </property>
</bean>
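Because a service that maps its username to an attribute but does not release that attribute silently gets the default principal id (the mail address in this set-up), it is worth linting the registered services before deploying. The script below is an added example, not code from the post or from CAS: it parses a CAS 4.1 style deployerConfigContext.xml, finds every RegexRegisteredService with a PrincipalAttributeRegisteredServiceUsernameProvider, and reports any whose usernameAttribute is missing from the ReturnAllowedAttributeReleasePolicy. The sample XML is constructed from the snippet above, with example.org hosts and a second, deliberately broken service added for illustration.

```python
"""Lint a CAS 4.1 deployerConfigContext.xml: every registered service that
derives the CAS username from a principal attribute must also release that
attribute, otherwise CAS ignores the usernameAttribute setting.

Added example, not part of the original post or of CAS itself; the sample
XML below is constructed (example.org hosts, service ids 0 and 1)."""
import xml.etree.ElementTree as ET

# Spring bean, p: and c: namespaces as declared on a real <beans> root.
NS = {
    "b": "http://www.springframework.org/schema/beans",
    "p": "http://www.springframework.org/schema/p",
    "c": "http://www.springframework.org/schema/c",
}
USERNAME_PROVIDER = "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"
RELEASE_POLICY = "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy"

# Constructed sample: service 0 mirrors the post, service 1 forgot to release uid.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0"
        p:serviceId="^(https?|imaps?)://alfresco.example.org/.*" p:evaluationOrder="10000000">
    <property name="usernameAttributeProvider">
      <bean class="org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"
            c:usernameAttribute="uid"/>
    </property>
    <property name="attributeReleasePolicy">
      <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
        <property name="allowedAttributes"><list><value>uid</value></list></property>
      </bean>
    </property>
  </bean>
  <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="1"
        p:serviceId="^https://share.example.org/.*" p:evaluationOrder="10000001">
    <property name="usernameAttributeProvider">
      <bean class="org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"
            c:usernameAttribute="uid"/>
    </property>
    <property name="attributeReleasePolicy">
      <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
        <property name="allowedAttributes"><list><value>mail</value></list></property>
      </bean>
    </property>
  </bean>
</beans>"""


def _p_attr(bean, name):
    """Read a p:-namespace shorthand attribute (p:id, p:serviceId, ...) from a <bean>."""
    return bean.get("{%s}%s" % (NS["p"], name))


def username_attribute(service):
    """Return the attribute the service's usernameAttributeProvider uses, or None."""
    for prov in service.findall("b:property[@name='usernameAttributeProvider']/b:bean", NS):
        if prov.get("class") == USERNAME_PROVIDER:
            return prov.get("{%s}usernameAttribute" % NS["c"])
    return None


def released_attributes(service):
    """Return the set of attribute names the service's release policy allows."""
    policy = service.find("b:property[@name='attributeReleasePolicy']/b:bean", NS)
    if policy is None or policy.get("class") != RELEASE_POLICY:
        return set()
    values = policy.findall("b:property[@name='allowedAttributes']/b:list/b:value", NS)
    return {v.text.strip() for v in values if v.text}


def lint_services(xml_text):
    """Return a list of (service id, message) for services whose username
    attribute is not released, i.e. where CAS falls back to the principal id
    (the mail address in this set-up) instead of the uid."""
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.findall("b:bean", NS):
        if not svc.get("class", "").endswith("RegisteredService"):
            continue
        attr = username_attribute(svc)
        if attr is None:
            continue  # service uses the default username, nothing to check
        if attr not in released_attributes(svc):
            findings.append((_p_attr(svc, "id"),
                             "usernameAttribute '%s' is not in allowedAttributes" % attr))
    return findings


if __name__ == "__main__":
    for sid, msg in lint_services(SAMPLE_XML):
        print("service %s: %s" % (sid, msg))
```

Run it against the real file by replacing SAMPLE_XML with the contents of deployerConfigContext.xml; the only finding for the sample is service 1, which would hand Share the mail address rather than the uid.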

Now to configure Share and Alfresco (see previous posts)

If you are using CAS 4.0_RC2 then make sure that you are using the CAS 2 protocol (or SAML, but I’d go with CAS 2), so if you are using the Java client your CAS Validation Filter in web.xml will be:

<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>${cas.server.prefix}</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>${alfresco.server.name}</param-value>
    </init-param>
</filter>

(This will work for CAS 1 in later versions)
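To see what the filter above actually consumes, and why the CAS 2 protocol is needed for this set-up, the following added example (not the CAS client's own code) parses a CAS 2.0 serviceValidate response the way the Cas20 validation filter does: `<cas:user>` is the name the service adopts, and `<cas:attributes>` carries whatever the release policy allowed. A small check then confirms that the name handed to Alfresco is the mapped uid and not an email address, which is what you would see if the uid mapping had been ignored. The responses, the user jsmith and the mail address are constructed for illustration.

```python
"""Parse a CAS 2.0 serviceValidate response and check that the username the
service receives is the mapped attribute (uid) rather than the mail address.

Added example, not the CAS client's own code; both responses below are
constructed to follow the CAS 2.0 protocol format."""
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed success response: <cas:user> carries the uid because the
# registered service maps usernameAttribute to uid.
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:uid>jsmith</cas:uid>
      <cas:mail>john.smith@example.org</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response, e.g. an expired or already used ticket.
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1234 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class ValidationError(Exception):
    """Raised with the CAS failure code when the ticket did not validate."""


def parse_validation(xml_text):
    """Return (user, attributes) from a CAS 2.0 response, or raise
    ValidationError carrying the failure code."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValidationError(failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValidationError("MALFORMED")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ValidationError("MALFORMED")
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[1]  # strip the cas namespace from the tag
        attrs[name] = (el.text or "").strip()
    return user, attrs


def username_is_stable_id(user, attrs, attribute="uid"):
    """True when the username CAS returned equals the mapped attribute and does
    not look like an e-mail address. False usually means the registered service
    does not release the attribute and CAS fell back to the mail address."""
    looks_like_mail = re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user) is not None
    return user == attrs.get(attribute) and not looks_like_mail


if __name__ == "__main__":
    user, attrs = parse_validation(SUCCESS)
    print("user for Alfresco:", user, "stable:", username_is_stable_id(user, attrs))
    try:
        parse_validation(FAILURE)
    except ValidationError as err:
        print("validation failed:", err)
```

The same check is useful in a login test after changing a user's mail attribute in LDAP: the `<cas:user>` value should stay the same across the change, which is the whole point of the uid mapping.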