Today I am starting the first CAS-related article. It mainly covers setting up the CAS environment, serves as a primer for readers who are new to CAS, and walks through the simplest possible CAS example.
II. Environment requirements
The blogger's environment is as follows:
- Windows 8.1
- JDK 1.7 (download link)
- Tomcat 8.0.15 (download link)
- cas-server-4.0.0 and cas-client-3.3.3 (download link; the official site is slow, so a Baidu Netdisk mirror is provided)
Three Tomcat instances need to be deployed; I named them apache-tomcat-8.0.15-app1, apache-tomcat-8.0.15-app2 and apache-tomcat-8.0.15-cas.
Their respective purposes are as follows:
| No. | Server name | Purpose |
|-----|-------------|---------|
| 1 | tomcat-app1 | Client server 1: hosts the user application app1 |
| 2 | tomcat-app2 | Client server 2: hosts the user application app2 |
| 3 | tomcat-cas | CAS server: hosts the CAS server webapp |
III. Special notes
CAS authenticates over HTTPS by default. If the security requirements are not high, it is usually recommended to disable this and switch to HTTP, because otherwise the browser frequently prompts about an expired or untrusted certificate that the user has to confirm, which is a poor experience for the customer; HTTPS can be turned back on whenever it is actually needed.
If you do need HTTPS, refer to this article for certificate generation: CAS single sign-on certificate import
How to disable HTTPS is described in detail in section IV below, so keep reading!
IV. Worked example
Step 1: Tomcat modifications
- Unzip the downloaded apache-tomcat-8.0.15.zip, make three copies, and name them according to the convention in section II.
Modify the Tomcat ports so that several Tomcat instances can run on the same machine. My access ports are as follows:
| No. | Server name | Access port |
|-----|-------------|-------------|
| 1 | tomcat-app1 | 8081 |
| 2 | tomcat-app2 | 8082 |
| 3 | tomcat-cas | 18080 |
Port modification: open X:\tomcat-app1\conf\server.xml and find the following three elements.
First, the shutdown port (default 8005):
```xml
<Server port="8005" shutdown="SHUTDOWN">
```
Second, the HTTP access port (default 8080):
```xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
```
Third, the AJP port (default 8009):
```xml
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```
Change each of them to the port you want; none of the three instances may share any of these ports, or the later ones will fail to start.
Step 2: Deploy the CAS server
- Unzip the downloaded cas-server-4.0.0-release.zip package
- Locate the file X:\cas-server-4.0.0\modules\cas-server-webapp-4.0.0.war
- Unzip it into tomcat-cas\webapps\ (the extracted webapp directory is referred to as cas-server below)
- To disable the HTTPS requirement:
1) Open cas-server\WEB-INF\deployerConfigContext.xml and locate the following configuration:
```xml
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" />
```
Add the parameter p:requireSecure="false". It controls whether a secure (HTTPS) callback is required; false means it is not. After the change:
```xml
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"
      p:requireSecure="false" />
```
2) Open cas-server\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml and find the following configuration:
```xml
<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas" />
```
Change p:cookieSecure="true" to p:cookieSecure="false". This drops the Secure flag from the CASTGC cookie, so it is also sent over plain HTTP and HTTPS is no longer required.
3) Open cas-server\WEB-INF\spring-configuration\warnCookieGenerator.xml and find the following configuration:
```xml
<bean id="warnCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASPRIVACY"
      p:cookiePath="/cas" />
```
Change p:cookieSecure="true" to p:cookieSecure="false" here as well, so that this cookie does not require HTTPS either.
- Start tomcat-cas and visit http://localhost:18080/cas-server; you should see the login page shown below.
Note: before cas-server 4.0, the default validation rule was that authentication succeeded as long as the username and password were identical.
In 4.0 the rule changed: the default users are configured in deployerConfigContext.xml, where you can see the username/password casuser/Mellon.
```xml
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon" />
        </map>
    </property>
</bean>
```
Step 3: Client (cas-client) configuration
Note: we use Tomcat's bundled examples webapp directly as the client example.
- Unzip the downloaded cas-client-3.3.3-release.zip package and copy the cas-client-3.3.3\modules\cas-client-core-3.3.3.jar file
- Put it under tomcat-app1\webapps\examples\WEB-INF\lib (both client Tomcat instances need it; only one is shown here)
- Modify the examples\WEB-INF\web.xml file and add the following:
```xml
<!-- ======================== Single sign-on start ======================== -->
<!-- Used for single sign-out; enables single sign-out, optional configuration -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter is used for single sign-out, optional configuration. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter redirects unauthenticated requests to the CAS login page; it must be enabled -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://localhost:18080/cas-server/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter is responsible for validating the ticket; it must be enabled -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:18080/cas-server</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest so that developers can, for example, call
     HttpServletRequest.getRemoteUser() to obtain the login name of the SSO user; optional configuration. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
     e.g. AssertionHolder.getAssertion().getPrincipal().getName(). Optional configuration. -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on end ======================== -->
```
- Start tomcat-app1 and visit http://localhost:8081/examples; the page redirects to
http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F
which shows that the single sign-on integration is working.
Do the same for tomcat-app2; I do not demonstrate it here.
I have uploaded the two modified web.xml files:
tomcat-app1: web.xml
tomcat-app2: web.xml
Step 4: Single sign-on flow demo
Start the three Tomcat instances in turn, then visit the two clients to see the effect.
1. Visit http://localhost:8081/examples ==> redirects to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F
2. Visit http://localhost:8082/examples ==> redirects to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8082%2Fexamples%2F
This shows that both clients redirect to cas-server for authentication the first time they are visited.
Next, log in to one of the clients, http://localhost:8081/examples, with the account casuser/Mellon.
After a successful login the following page is displayed.
Then open a new tab and visit http://localhost:8082/examples directly.
You can see that it does not redirect to the cas-server login page but shows the following page immediately.
Single sign-on across the two clients succeeded: after logging in to one, the other can be accessed without logging in again.
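The following added example (not code from the original post or from the CAS project) reproduces in plain Python the client-side steps that the CASFilter and CASValidationFilter configured in step 3 perform, using the serverName and casServerUrlPrefix values from this page: build the login redirect seen in the demo, extract the service ticket from the callback, build the /serviceValidate request, and parse the CAS 2.0 XML response. The two XML responses embedded below are constructed samples in the shape of CAS 2.0 protocol responses, so the script runs offline.

```python
"""Minimal CAS 2.0 client-side flow, mirroring AuthenticationFilter and
Cas20ProxyReceivingTicketValidationFilter. Added example with constructed sample data."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 XML responses


def login_redirect_url(cas_server_login_url: str, server_name: str, request_path: str) -> str:
    """Redirect issued for an unauthenticated request: the service URL is
    serverName + requested path, passed URL-encoded as the 'service' parameter."""
    service = server_name.rstrip("/") + request_path
    return cas_server_login_url + "?" + urlencode({"service": service})


def ticket_from_callback(url: str):
    """After login, CAS sends the browser back to the service URL with ?ticket=ST-...;
    the validation filter reads that parameter (None if it is absent)."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def service_validate_url(cas_server_url_prefix: str, service: str, ticket: str) -> str:
    """Back-channel request the validation filter makes to check the service ticket.
    The same service URL must be passed, or CAS rejects the ticket."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + query


def parse_service_response(xml_text: str) -> dict:
    """Parse a /serviceValidate response into {"ok", "user", "error"}."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS), "error": None}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code") if failure is not None else "MALFORMED_RESPONSE"
    return {"ok": False, "user": None, "error": code}


# Constructed sample responses (not captured from a real server)
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>casuser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url("http://localhost:18080/cas-server/login", "http://localhost:8081", "/examples/"))
    print(parse_service_response(SUCCESS_XML), parse_service_response(FAILURE_XML))
```

Running the script prints exactly the login URL that appears in the demo above, which is a quick way to confirm the serverName value in web.xml before starting Tomcat.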
Summary
Single sign-on (SSO) is one of the most popular solutions for enterprise business integration: it lets a user log in once and then access every trusted application across multiple application systems.
This is only the simplest single sign-on example and is not something you can use as-is in real-world development. Applying it to a project still requires a great deal of customization, such as restyling the login page, authenticating against a database, and exchanging user information between server and client. These topics will be covered in later articles.
SSO single sign-on series (1): CAS 4.0 environment setup