CAS basic implementation process for Single Sign-On (SSO) (2)
This article is deliberately not a step-by-step walkthrough of every operation; detailed guides are easy to find online. Its purpose is to organize the key points so that you understand the setup better.
Background notes:
Modify the domain name address:
For the demonstration, the easiest way to add domain names is to edit the hosts file (this step is important). Add the following three lines to C:\Windows\System32\drivers\etc\hosts:
127.0.0.1 demo.micmiu.com
127.0.0.1 app1.micmiu.com
127.0.0.1 app2.micmiu.com
• demo.micmiu.com => the virtual domain name for the tomcat that hosts the CAS server; it is also the name used when generating that tomcat's certificate.
• app1.micmiu.com => the tomcat that hosts app1
• app2.micmiu.com => the tomcat that hosts app2
Note: the following configuration is optional.
Modify the port number:
Modify the tomcat startup ports (5 in total). Find the following content in conf/server.xml:
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
and change it to:
<Server port="18005" shutdown="SHUTDOWN">
<Connector port="18080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
Note: the port numbers must be changed because all instances are demonstrated on the same machine.
Security Certificate Configuration:
CAS uses HTTPS by default. If you do not have high security requirements, you can use HTTP.
In deployerConfigContext.xml (cas/WEB-INF) add the parameter p:requireSecure="false". This flag controls whether secure (HTTPS) authentication is required; false means it is not.
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false" />
In ticketGrantingTicketCookieGenerator.xml (cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml) set the p:cookieSecure attribute of ticketGrantingTicketCookieGenerator to false. Without the Secure flag the CASTGC ticket-granting cookie is also sent over plain HTTP, which is acceptable only for a demo.
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
HTTP is used for the demonstration below.
Main part:
Configure the server
CAS-Server: http://www.jasig.org/cas/download
Taking cas-server-3.4.11-release.zip as an example, extract the file cas-server-3.4.11/modules/cas-server-webapp-3.4.11.war, copy it to the G:\sso\tomcat-cas\webapps\ directory and rename it to cas.war.
Start tomcat-cas, enter https://demo.micmiu.com:8080/cas/login in the browser address bar and press Enter.
The default CAS-Server verification rule is: if the user name and password are identical, authentication passes (this is for testing only; a real environment must replace it with an actual authentication handler). Enter admin/admin and click Login; the login success page is displayed.
Enter the username admin and password admin to log in.
The preceding page indicates that the CAS-Server has been deployed successfully.
Configure the client
Download Cas-Client
CAS-Client: http://downloads.jasig.org/cas-clients/
Taking cas-client-3.2.1-release.zip as an example, extract cas-client-3.2.1/modules/cas-client-core-3.2.1.jar.
Tomcat's default webapps\examples application is used as a simple web project for the demonstration.
Start tomcat-app1, enter http://app1.micmiu.com:18080/examples/servlets/ in the browser and press Enter.
Note: modify the port numbers as follows
<Connector port="18080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
The page that appears indicates that the basic installation and configuration of tomcat-app1 is successful.
Next, copy the client libraries cas-client-core-3.2.1.jar and commons-logging-1.1.jar to the tomcat-app1\webapps\examples\WEB-INF\lib\ directory, and add the following to tomcat-app1\webapps\examples\WEB-INF\web.xml:
<!-- Single sign-out: this listener is optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- Single sign-out: this filter is optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter performs user authentication and must be enabled. -->
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <!-- the login URL of the CAS server -->
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.micmiu.com:8080/cas/login</param-value>
    </init-param>
    <init-param>
        <!-- serverName is this application's own host and port (tomcat-app1) -->
        <param-name>serverName</param-name>
        <param-value>http://app1.micmiu.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the service ticket and must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.micmiu.com:8080/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.micmiu.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps HttpServletRequest so that, for example, HttpServletRequest.getRemoteUser()
     returns the login name of the SSO user. Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName(). Optional. -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ============== -->
The second example application (app2) is configured in the same way.
Before testing, start the three configured tomcat instances: tomcat-cas, tomcat-app1 and tomcat-app2.
Basic Testing
Expected flow: open the app1 URL --> redirected to the CAS server for verification --> app1 application is displayed --> open the app2 URL --> app2 application is displayed directly --> log out of the CAS server --> open the app1/app2 URL --> redirected back to the CAS server for verification.
Open the browser and enter http://app1.micmiu.com:18080/examples/servlets/servlet/HelloWorldExample in the address bar, then press Enter.
The verification result is as follows:
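To make the expected flow above concrete, here is an added example (not code from this article or from the Jasig CAS client) that models, in Python, what the two mandatory web.xml filters do for app1: the AuthenticationFilter redirects a request without a ticket to casServerLoginUrl with a service parameter, and the validation filter calls casServerUrlPrefix/serviceValidate and parses the CAS 2.0 XML response. The HTTP call to the CAS server is replaced by a callable, and the two serviceValidate responses are constructed here so the flow runs offline; the URLs and hostnames are the ones used in this article.

```python
"""Client-side view of the CAS login flow (added example, not the Jasig client's code).
  * AuthenticationFilter: no ticket -> redirect to casServerLoginUrl?service=...
  * Cas20 validation filter: ticket present -> GET casServerUrlPrefix/serviceValidate
    and parse the CAS 2.0 XML response.
Network calls are replaced by a callable so the flow runs offline."""
from urllib.parse import urlencode, parse_qsl
import xml.etree.ElementTree as ET

# Values taken from the web.xml of app1 in this article.
CAS_SERVER_LOGIN_URL = "https://demo.micmiu.com:8080/cas/login"
CAS_SERVER_URL_PREFIX = "https://demo.micmiu.com:8080/cas"
SERVER_NAME = "http://app1.micmiu.com:18080"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses


def service_url(server_name, request_uri, query_string=""):
    """The 'service' value sent to CAS: serverName + request URI + query string
    minus any 'ticket' parameter, so login and validation use the same URL."""
    params = [(k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)
              if k != "ticket"]
    url = server_name.rstrip("/") + request_uri
    return url + ("?" + urlencode(params) if params else "")


def login_redirect_url(service):
    """Where an unauthenticated browser is sent (AuthenticationFilter)."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode({"service": service})


def service_validate_url(service, ticket):
    """Server-to-server URL the validation filter calls to check a ticket."""
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response into a plain dict."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = (ok.findtext("cas:user", namespaces=CAS_NS) or "").strip()
        if not user:
            return {"ok": False, "code": "MALFORMED", "message": "no cas:user"}
        attrs = {el.tag.split("}")[-1]: (el.text or "").strip()
                 for el in ok.findall("cas:attributes/*", CAS_NS)}
        return {"ok": True, "user": user, "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"ok": False, "code": fail.get("code", "UNKNOWN"),
                "message": (fail.text or "").strip()}
    return {"ok": False, "code": "MALFORMED", "message": "not a cas:serviceResponse"}


def handle_request(request_uri, query_string, validate):
    """Simulate the filter chain for one request to app1.
    `validate(url)` stands in for the HTTP GET to /serviceValidate."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    service = service_url(SERVER_NAME, request_uri, query_string)
    ticket = params.get("ticket")
    if ticket is None:
        return ("redirect", login_redirect_url(service))
    result = parse_service_response(validate(service_validate_url(service, ticket)))
    if not result["ok"]:
        return ("forbidden", result["code"])  # the real filter rejects the request
    return ("authenticated", result["user"])  # what getRemoteUser() would return


# Constructed sample responses; the shape follows the CAS 2.0 protocol schema.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-demo not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    uri = "/examples/servlets/servlet/HelloWorldExample"
    print(handle_request(uri, "", None))
    print(handle_request(uri, "ticket=ST-1-demo", lambda url: SUCCESS_XML))
    print(handle_request(uri, "ticket=ST-2-demo", lambda url: FAILURE_XML))
```

The first call shows the redirect to demo.micmiu.com that the browser follows in the test above; the second shows the ticket being validated and the login name admin becoming available to the application; the third shows why a replayed or wrong ticket does not grant access.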
Summary:
The above is only a brief introduction to the CAS configuration process and complements the first article on CAS principles. By studying the principles and then configuring a working setup, you should gain a deeper understanding of CAS.
Detailed tutorial:
http://www.micmiu.com/enterprise-app/sso/sso-cas-sample/#viewSource