
Intalio and Liferay hand in hand

Nicolas Modrzyk nico@intalio.com

CONFIDENTIAL

Intalio, Leader in Open Source BPM

Agenda

1. Vision
2. Tempo
3. Liferay features
4. Single Sign-on with CAS
5. What we learned
6. Demo


Intalio | Portal (some ideas)


Scenario: Liferay, Intalio, Alfresco


Liferay Version 5

- jQuery integration
- Direct portlet publishing to the MySpace and Facebook networks
- Ability to leverage iGoogle gadgets directly within portal deployment

What is Tempo


Intalio Tempo is a set of runtime components that support human workflow within a service-oriented architecture (SOA). Our main goal is to provide a complete and extensible workflow solution with a bias towards interoperable technologies (BPEL, BPEL4People, XForms, REST, and web services) as a default implementation.


SSO in Tempo

RBAC (Role-based access control): http://csrc.nist.gov/groups/SNS/rbac/
- Simple plugin
- LDAP plugin

Token Service
- No credentials sent around

Plugged with CAS: can now support basic CAS, OpenID and Google SAML

What is CAS?

- CAS provides an enterprise single sign-on service
- An open and well-documented protocol
- An open-source Java server component; also a Ruby one: http://code.google.com/p/rubycas-server/
- A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
- Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
- Community documentation and implementation support
- An extensive community of adopters

CAS Basics

1. User: login at the application
2. Redirect to CAS
3. CAS validates the credentials
4. CAS client validates the service ticket
5. User authenticated with service ticket

CAS Proxying Quick Walkthrough

Step One: login

To start with, log in to CAS with some invented service:

    https://foo.bar.com/is/cas/login?service=http://localhost/bling

On successful login, CAS will redirect you to the service with a ticket appended (it doesn't matter that the service is made up, as the ticket you're after is part of the URL and will appear in the location bar even if your browser can't find the resource):

    http://localhost/bling?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS


CAS Proxying Quick Walkthrough

Step Two (a): verify the ticket and be done

So, playing the role of the first application (not a proxying application at this stage; let's just see if we can get our application authenticated without proxying for now), you need to take the ticket and turn it into a username:

    https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling

which will produce a result like:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>endjs</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

This is the end of the road for normal applications that don't need to proxy other applications.


CAS Proxying Quick Walkthrough

Step Two (b): verify the ticket and enable further proxying

If instead you do want to be able to proxy other applications you need to also supply a pgtUrl to your validation request so that CAS can call back with the Proxy Granting Ticket. This is where life gets complicated, especially if you forget that service tickets are one-time-only tickets and that once you've used them with serviceValidate, you have to go back to CAS and get a new one (so if you've done Step One and Step Two (a) you'll need to do Step One again before you can do Step Two (b)). The choice of pgtUrl here is fairly arbitrary except that it needs to be an https URL and it needs to be on a server on which you can access the log files.

    https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback

results in:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>endjs</cas:user>
        <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

CAS Proxying Quick Walkthrough

Step Three: dig out the PGT

Now our first application knows who the user is and has a Proxy Granting Ticket IOU. To find the real PGT we look in the Apache access log for foo.bar.com and hunt out the request made by CAS to deliver the PGT:

    foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079


CAS Proxying Quick Walkthrough

Step Four: get a proxy ticket

With the PGT in our grasp we can make a call on CAS to give us a proxy ticket for some other service we wish to proxy:

    https://foo.bar.com/is/cas/proxy?targetService=http://localhost/bongo&pgt=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS

resulting in:

    <cas:serviceResponse>
      <cas:proxySuccess>
        <cas:proxyTicket>PT-957-ZuucXqTZ1YcJw81T3dxf</cas:proxyTicket>
      </cas:proxySuccess>
    </cas:serviceResponse>


CAS Quick Walkthrough

Step Five: verify the proxy ticket

Now we take on our final role for the exercise: the proxied application. The proxying application has invoked our service URL and has passed in the proxy ticket it's got. We take that ticket and validate it to find out both who the user is and which applications are in the proxy chain:

    https://foo.bar.com/is/cas/proxyValidate?service=http://localhost/bongo&ticket=PT-957-ZuucXqTZ1YcJw81T3dxf

resulting in:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>endjs</cas:user>
        <cas:proxies>
          <cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy>
        </cas:proxies>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
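To see Steps One to Five as a single protocol exchange, here is an added Python example (not Intalio's or CAS's own code): a small in-memory stand-in for the CAS server at foo.bar.com, plus the client-side parsing that the proxying application and the proxied application each do. The ticket values are constructed with secrets.token_urlsafe rather than the ones on the slides; the service, pgtUrl and targetService values are the walkthrough's own. The stand-in also enforces the two rules the walkthrough warns about: a service ticket that has been through serviceValidate once is rejected on a second attempt, and a proxy ticket issued for /bongo is rejected when presented with any other service.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

def _fail(tag):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:{tag} code="INVALID_TICKET"/></cas:serviceResponse>'

def _success(user, extra=""):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess><cas:user>{user}'
            f"</cas:user>{extra}</cas:authenticationSuccess></cas:serviceResponse>")

class CasServer:
    """In-memory stand-in for the CAS server at https://foo.bar.com/is/cas (an assumption of this
    example). Tickets are single use and bound to one service; the PGT itself only reaches the pgtUrl."""

    def __init__(self):
        self.service_tickets = {}   # ST -> (user, service)
        self.pgts = {}              # PGT -> (user, pgtUrl)
        self.proxy_tickets = {}     # PT -> (user, targetService, proxy chain)
        self.callback_log = []      # constructed stand-in for the Apache access log of foo.bar.com

    def login(self, user, service):                              # Step One
        st = "ST-" + secrets.token_urlsafe(16)
        self.service_tickets[st] = (user, service)
        return f"{service}?ticket={st}"                          # the redirect CAS sends the browser to

    def service_validate(self, ticket, service, pgt_url=None):   # Step Two
        entry = self.service_tickets.pop(ticket, None)           # one validation attempt, success or not
        if entry is None or entry[1] != service:
            return _fail("authenticationFailure")
        user, extra = entry[0], ""
        if pgt_url:
            pgt, iou = "PGT-" + secrets.token_urlsafe(24), "PGTIOU-" + secrets.token_urlsafe(24)
            self.pgts[pgt] = (user, pgt_url)
            self.callback_log.append(   # CAS calls back pgtUrl over https; the app reads its own log
                f'foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET {urlsplit(pgt_url).path}'
                f'?pgtIou={iou}&pgtId={pgt} HTTP/1.1" 200 13079')
            extra = f"<cas:proxyGrantingTicket>{iou}</cas:proxyGrantingTicket>"
        return _success(user, extra)

    def proxy(self, pgt, target_service):                        # Step Four
        if pgt not in self.pgts:
            return _fail("proxyFailure")
        user, pgt_url = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(16)
        self.proxy_tickets[pt] = (user, target_service, [pgt_url])
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:proxySuccess><cas:proxyTicket>{pt}'
                f"</cas:proxyTicket></cas:proxySuccess></cas:serviceResponse>")

    def proxy_validate(self, ticket, service):                   # Step Five
        entry = self.proxy_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return _fail("authenticationFailure")
        user, _, chain = entry
        proxies = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in chain)
        return _success(user, f"<cas:proxies>{proxies}</cas:proxies>")

def parse_validate_response(xml_text):
    """Client side: a serviceValidate/proxyValidate body -> dict, or None on authenticationFailure."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        return None
    return {"user": ok.findtext("cas:user", namespaces=NS),
            "pgtIou": ok.findtext("cas:proxyGrantingTicket", namespaces=NS),
            "proxies": [p.text for p in ok.findall("cas:proxies/cas:proxy", NS)]}

def ticket_from_redirect(url):
    return parse_qs(urlsplit(url).query)["ticket"][0]

def proxy_ticket(xml_text):
    return ET.fromstring(xml_text).findtext("cas:proxySuccess/cas:proxyTicket", namespaces=NS)

def find_pgt_in_access_log(log_lines, pgt_iou):
    """Step Three: pair the IOU from the validation response with the pgtId CAS delivered."""
    pat = re.compile(r'GET /pgtCallback\?pgtIou=([^&\s]+)&pgtId=([^\s"]+)')
    for m in (pat.search(line) for line in log_lines):
        if m and m.group(1) == pgt_iou:
            return m.group(2)
    return None

def run_walkthrough(cas, user="endjs"):
    """Steps One to Five end to end; returns what each role learned."""
    service, target = "http://localhost/bling", "http://localhost/bongo"
    pgt_url = "https://foo.bar.com/pgtCallback"
    st = ticket_from_redirect(cas.login(user, service))
    first = parse_validate_response(cas.service_validate(st, service))          # Two (a)
    replay = parse_validate_response(cas.service_validate(st, service))         # ST already spent
    st = ticket_from_redirect(cas.login(user, service))                         # Step One again
    with_pgt = parse_validate_response(cas.service_validate(st, service, pgt_url))  # Two (b)
    pgt = find_pgt_in_access_log(cas.callback_log, with_pgt["pgtIou"])          # Step Three
    proxied = parse_validate_response(cas.proxy_validate(proxy_ticket(cas.proxy(pgt, target)), target))
    wrong = parse_validate_response(cas.proxy_validate(proxy_ticket(cas.proxy(pgt, target)),
                                                      "http://localhost/other"))  # PT is bound to bongo
    return {"first": first, "replay": replay, "pgt_found": pgt is not None,
            "iou_is_not_pgt": with_pgt["pgtIou"] != pgt, "proxied": proxied, "wrong_service": wrong}
```

Running run_walkthrough(CasServer()) gives the proxying application the user name and an IOU only (the PGT arrives solely through the pgtUrl callback, which is why the walkthrough has you read it out of the access log), and gives the proxied application the user name together with the proxy chain, here just https://foo.bar.com/pgtCallback; the replayed service ticket and the proxy ticket presented for the wrong service both come back as authenticationFailure.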


CAS Applied to Tempo - I


Get a CAS receipt from the HTTP session from Liferay (CASified):

    CASReceipt casReceipt = (CASReceipt) hsr.getSession().getAttribute(CASFilter.CAS_FILTER_RECEIPT);
    String pgtIou = casReceipt.getPgtIou();

The pgtIou provides a way to associate the Proxy Granting Ticket with a ticket validation response without including the Proxy Granting Ticket directly in the response. Exchange it for a proxy ticket for the Tempo service URL, then for a Tempo token:

    String proxyTicket = ProxyTicketReceptor.getProxyTicket(pgtIou, _serviceURL);
    String token = _tokenService.getTokenFromTicket(proxyTicket, _serviceURL);

Then call our own authentication:

    User currentUser = authenticate(token, grantedRoles);


CAS Applied to Tempo - II


Call Tempo TokenService:

    public String getTokenFromTicket(String proxyTicket, String serviceURL) throws Exception {
        ProxyTicketValidator pv = new ProxyTicketValidator();
        pv.setCasValidateUrl(_validateURL);   // the CAS proxyValidate endpoint
        pv.setService(serviceURL);            // must match the targetService the proxy ticket was issued for
        pv.setServiceTicket(proxyTicket);
        pv.validate();
        if (pv.isAuthenticationSuccesful()) { // spelled this way in the Yale CAS client API
            String user = pv.getUser();
            return createToken(user);
        }
        // validation failed (bad, replayed or mismatched ticket): no token is issued
        throw new SecurityException("CAS proxy ticket validation failed");
    }

We now have a Tempo service ticket!!


Migration of UI-FW to a portlet

- Being able to display Tasks from a portal: Intalio UI-FW
- Also the Intalio console, Business Monitoring (BAM)
- Integrate with SSO
- We started with Pluto, as the open source portal
- We're happy to work with Liferay now


Lessons learned: Switch from Pluto to Liferay

- JSR-168 leaves authentication out
- Pluto has very limited SSO support
- Many threads on why it doesn't work
- Migrating to Liferay was a treat
- JSR-268 has support for shared variables between portlets


Lessons learned: jQuery from the start

ExtJS dual licensing and the GPL v3

jQuery in short:
- http://www.slideshare.net/Sudar/a-short-introduction-to-jquery/
- http://www.slideshare.net/simon/jquery-in-15-minutes/

jQuery in very short:

- You start with 10 lines of jQuery that would have been 20 lines of tedious DOM JavaScript. By the time you are done it's down to two or three lines, and it couldn't get any shorter unless it read your mind.
- Simple Ajax in a breeze
- Searching for elements in the DOM is made easy
- The helper function [ $() ] is a pleasure to use
- Most importantly: it handles cross-browser compatibility
- Plenty of plugins and components
- Doesn't hijack the common namespace
- Nested sortable example


UI-FW Portlet Demo


Thank you!! Now is the perfect time to ask plenty of questions.

What you think is important (speak your mind).

