This patch enables a DSpace instance to authenticate using the widely
adopted Single Sign On CAS Authentication system developed by Yale
University: http://www.ja-sig.org/wiki/display/CAS/Home.
The patch is based on the work done by Roskilde University and Nordija A/S:
http://wiki.dspace.org/index.php/CvtContribution
The patch has been modified to work with the new Stackable Authentication
architecture. The patch implementation is specific to the needs of the
University of Bristol:
- it is configured to work with our University Portal (built using uPortal)
- it works with CAS 2.0 which means that the user/net ID retrieved from CAS
is in XML format.
- it requires a Java client: casclient.jar library
- it assumes that the JVM has certificates pre-installed for secure (https)
communications with the CAS server
- it retrieves the user's network ID (not email) from the CAS server upon
successful authentication.
However, the patch can easily be adjusted to the needs of others wishing to
implement CAS authentication with DSpace, see in-line documentation. Note:
only the validate method needs to be modified to your requirements.
The patch works as follows:
1. Changes to dspace.cfg

In the #### Stackable Authentication Methods ##### section add/update as
follows:

```
plugin.sequence.org.dspace.eperson.AuthenticationMethod = \
    org.dspace.eperson.CASAuthentication
## method 3, using CAS authentication
cas.server.url= URL to the CAS login page.
cas.validate.url= URL where a CAS ticket can be validated
cas.logout.url= URL to log out from CAS
## Create e-persons for no matching user in DSpace
webui.cas.autoregister = true
```

2. CASAuthentication.java works as follows:
- the canSelfRegister method returns true/false depending on
webui.cas.autoregister as specified in dspace.cfg.
- the isImplicit method returns true because the username/password is
authenticated outside of DSpace.
- the allowSetPassword method returns false.
- the authenticate() method works as follows:
  1. First check to see if the user has already logged into CAS (should
  receive a ticket from CAS server)
  2. If a ticket exists, validate the ticket by calling cas.validate.url. If
  valid, the net ID of the user is returned.
  3. Does the user (net ID) exist in DSpace? If so, they have successfully
  authenticated.
  4. Otherwise, if SelfRegistration is true: the user will be automatically
  created/registered using the net ID. This implies that the email, firstname
  and lastname have to be added manually by the user once logged in. If you
  wish to extract this info automatically, you need to create a method which
  can query an LDAP source or RDBMS etc. using the net ID.
  5. If the user has not logged into DSpace, re-direct them to the CAS login
  page (see loginPageURL method).
  6. If user successfully authenticates, CAS server returns a ticket.
  7. Go to 1

If there are others using CAS with DSpace, have a go at implementing the
patch. Let me know if you have any problems.
Thanks,
Naveed
Date: 2006-12-12 08:11
Date: 2006-11-30 14:24

| Filename | Description | Download |
|---|---|---|
| CASAuth_patch_dspace1.4_beta.txt | CASAuth_patch_dspace1.4.txt beta | Download |

| Field | Old Value | Date | By |
|---|---|---|---|
| File Deleted | 204007: | 2006-11-30 14:25 | rose_bristol |
| File Added | 205116: CASAuth_patch_dspace1.4_beta.txt | 2006-11-30 14:24 | rose_bristol |
| is_private | 1 | 2006-11-22 16:43 | rose_bristol |
| File Added | 204007: CASAuth_patch_dspace1.4.txt | 2006-11-22 16:01 | rose_bristol |