1. You can set up CAS on separate tomcat or same tomcat running alfresco. you need to make couple of changes to tomcat's conf/server.xml file for separate tomcat regarding SSL/AJP/server port:
...
<Server port="8006" shutdown="SHUTDOWN">
...
<Connector port="8081" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" redirectPort="8444"
acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="tru
e" />
...
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
...
<!-- Define an AJP 1.3 Connector on port 8010 -->
<Connector port="8010"
enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" />
2. Start up new Tomcat instance. and it should run smoothly along with alfresco tomcat.
3. Download the CAS server from JA-SIG at http://www.ja-sig.org/products/cas/.
4. CAS-protected URL redirects, the browser to the CAS authentication page. For security reasons, the CAS URLs are protected with SSL. Creating the certificate and adding it to the JRE's keystore requires below steps.
5. Use Java's keytool program to create the SSL key for your machine. When asked to specify your first and last name, use the name of the machine running the CAS Tomcat server. For example, I used localhost:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
6. We have a keystore in the user's home directory. Now need to add the certificate to your JRE's cacerts file. Export the certificate generated:
keytool -export -alias tomcat -keypass changeit -file server.crt
7. Adding the exported certificate (server.crt) to JRE's cacerts file, as follows:
keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
8. The last step in setting up SSL is to tell Tomcat about the keystore. Edit the server.xml file again. :
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/root/.keystore"
keystorePass="changeit"
truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/
security/cacerts" />
9. Copy the CAS webapp WAR to the webapps directory of Tomcat instance. The CAS webapp WAR is in the directory where you expanded CAS under "modules". The file is called cas-server-webapp-3.3.3.war.
10. Start CAS Tomcat. CAS screen can be seen at https://[machine name]:8443/cas. Add the following entry to the Alfresco web.xml
<!-- cas client filter -->
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>
edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>
edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/serviceValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8080</param-value>
</init-param>
</filter>
11. Next, add the filter mapping.This will cause Tomcat to redirect the browser to the CAS login if anyone without a valid ticket attempts to run. For Alfresco, the URL pattern should be:
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
12. Save the web.xml file. At this point, you could restart Alfresco Tomcat and open the web client and you'd be redirected to the CAS login page. But Alfresco doesn't yet know how to extract the credentials from CAS to use to start an Alfresco session. To do that, you have to write an AuthenticationFilter. Look at Alfresco Wiki at http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration for same.
13. You need to tell Alfresco to use the new Authentication Filter in place of the out of the box Authentication Filter. Do that by editing web.xml and modifying the Authentication Filter filter as follows:
<filter>
<filter-name>Authentication Filter</filter-name>
<!--
<filter-class>
org.alfresco.web.app.servlet.AuthenticationFilter
</filter-class>
-->
<filter-class>
com.someco.servlets.AuthenticationFilter</filter-class>
<init-param>
<param-name>cas.user.label</param-name>
<param-value>
edu.yale.its.tp.cas.client.filter.user</param-value>
</init-param>
</filter>
15. Start Alfresco. You should now be able to log in to Alfresco . Remember that at this point, CAS is still using its default adapter, which grants successful logins when the username and password match.
