Original address: http://my.oschina.net/sayi/blog/200278
Catalogue [-]
cas3.5.x provides support for OAuth, including client and server side, Cas-server-support-oauth dependency rack Package
Scribe-1.3.5.jar
Scribe-up-1.2.0.jar
Jackson-core-2.3.0.jar,jackson-databind-2.3.0.jar.
CAS provides three services by default:
/oauth2.0/authorize
Input GET parameters required:client_id and Redirect_uri.
/oauth2.0/accesstoken
Input GET Parameters required:client_id, Redirect_uri, Client_secret and code.
/oauth2.0/profile
Input GET parameter Required:access_token.
The 1.cas Web login access path is Https://cas.sayi.com:8443/cas/login
2. Callback address is http://www.doubannote.org/(virtual address, not actually present)
3.CLIENT_ID as key
4.client_secret to Secret
5. The application name is Doubannote
6. Core class is Org.jasig.cas.support.oauth.web.OAuth20WrapperController
The following configuration of CAS server support Oauth2 server, we from the OAUTH2 client to CAS access as a step to analyze the configuration of each step:
Step1. Apply configurations to get client_id and Client_secretIn a mature system, where a page is typically provided for the user to apply for, then the user client_id and Client_secret are provided, and the user is allowed to configure the callback address, then the Oauthserver side (that is, CAS Server) first considers the need to persist these configurations. The app service is configured by default in the Serviceregistrydao of the file Deployerconfigcontext.xml, and we can store the application information in the database in real-life:
?| 12345678910111213141516171819 | |
As shown in the code, we have registered two new beans, the configuration of the application in the second bean, name client_id,description to Client_secret,serviceid as the callback address, and theme as the app name.
The purpose of the first bean is described below. "Finally figured out why this is so, the server indirectly get ST"
Typically the client constructs the URL as follows (parameters can refer to standard OAUTH2 protocol, but different OAuth servers usually provide their own standards):
?| 1 | https://cas.sayi.com:8443/cas/oauth2.0/authorize?client_id=key&redirect_uri=http://www.doubannote.org/&response_type=code |
In this case, the CAS server is required to process the/oauth2.0/authorize URL, then you need to configure the mapping, which is configured in Web. Xml as follows:
?| 1234 | <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/oauth2.0/*</url-pattern></servlet-mapping> |
To configure mappings in Cas-servlet.xml:
?| 1234567 | |
Once configured, the link to our authorization code is shifted to the login page, where the service address is the Serviceid of the first bean configured in Step1, which is obtained indirectly through this default provided address.
?| 1 | https://cas.sayi.com:8443/cas/login?service=https%3A%2F%2Fcas.sayi.com%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize |
After successful authentication, will carry the value of St's parameters to jump to the Callbackauthorize page, the resulting ST is the authorization Code, callback address, service name passed through the session.
?| 1 | https://cas.sayi.com:8443/cas/oauth2.0/callbackAuthorize?ticket=ST-5-ywMLFaXQFnDeFI7erFy7-cas.sayi.com |
The default authorization code can only be used once, and the validity time is 10s, can be configured by the ticket expiration policy time.
Step3. Authorization Code Exchange Access_tokenThe URL is constructed as follows:
?| 123 | https://cas.sayi.com:8443/cas/oauth2.0/accessToken?client_id=key&client_secret=secret&grant_type=authorization_code&redirect_uri=http://www.doubannote.org/&code=ST-1-3jLuZnhcAvLiLdy7R6ft-cas.sayi.comaccess_token=TGT-2-qWkLyEbeoby043q05p5GHXfBg7qtdPZjEUhfemgg3UKbxAyB5s-cas.sayi.com&expires=7143 |
Access_token can be obtained by returning the value.
Step4. Get user information based on Access_tokenConstruct the URL as follows:
?| 12345678910111213141516 | |
CAS server support Oauth2 server, is simply to consider the/authorize,/accesstoken,/profile request processing, after the server application configuration, the application of access to check, such as callback address, Client_ Secret and so on. In the fusion with CAS server, it is mainly the fusion of CAS authentication and/authorize. Here is the Callbackauthorize way, CAS default provides the service address of/oauth2.0/callbackauthorize, through this address CAS authentication after the successful generation of St, this value is the authorization code, The callback address that is passed to the app.
Overall oauth2 support in the cas3.5.x is not perfect, and OAuth2 implementation is not standard, for the 3.5.x version we need to expand Oauth20wrappercontroller to further integrate OAUTH2 protocol.
cas3.5.x (x>1) supports OAUTH2 server
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
