CAS principle and configuration: CAS-based single sign-on (I)

Source: Internet
Author: User
1 Preface

Single Sign On (SSO) is one of the most popular solutions for enterprise business integration. With SSO, a user logs on once and can then access every application system that trusts the same authentication authority.

CAS (Central Authentication Service) is a good single sign-on framework for web applications. This article introduces the principles, protocol, configuration and use of CAS on Tomcat, and describes how to use CAS to implement a lightweight single sign-on solution.

CAS is an open source project initiated by Yale University. It aims to provide a reliable single sign-on method for web application systems. CAS became a JA-SIG project in December 2004. CAS has the following features:

Open-source enterprise-level Single Sign-On solution.

CAS Server is a web application that is deployed independently.

CAS supports many client platforms, including Java, .NET, PHP, Perl, Apache, uPortal, and Ruby.

2. CAS principle

2.1 Structure

From a structural point of view, CAS consists of two parts:

CAS Server

The CAS server is responsible for user authentication and is deployed independently. There is more than one implementation of the CAS server; the Yale CAS server and the ESUP CAS server are both good choices.

The CAS server processes credentials such as username/password; it may look up the user's account information in a database or check the password against an XML file. CAS thus provides a flexible but uniform separation of interface from implementation: the authentication method is decoupled from the CAS protocol, so the implementation details of authentication can be customised and extended without touching the protocol.

CAS Client

The CAS client is deployed with the client application (here, a web application). Deploying the CAS client means that when a request arrives for a protected resource of the local web application, the application no longer accepts credentials such as username and password itself; instead it redirects the user to the CAS server for authentication.

Currently CAS supports a large number of clients, including Java, .NET, ISAPI, PHP, Perl, uPortal, Acegi, Ruby, VBScript and others. The CAS protocol can be used by client applications written in any language.

2.2 Protocol

From CAS v1 to CAS v3, the basic idea of the whole protocol is the ticket.

CAS v1 is very primitive: the ticket validation response is plain text of the form "yes\ndavid.turing" (the word yes, then the username on the next line; on failure simply "no"). CAS v2 adopted an XML response format, greatly improving extensibility. CAS v3 introduced AOP, making it easy for Spring users to configure the CAS server into an existing application environment.

CAS obtains a service ticket (ST) through a TGT (ticket granting ticket) and accesses services with the ST. Kerberos also has entities corresponding to the TGT and the ST; although the two differ in how the TGT is protected (in CAS the TGT is referenced by a cookie, CASTGC, held by the browser over HTTPS), both achieve the same end: sparing the user repeated logins.

TGT + service = ST? (roughly speaking, yes)

Next, let's look at the basic protocol framework of CAS, shown in the figure below:

CAS Basic Mode

The figure above shows the most basic CAS protocol. The CAS client uses a filter to protect the web application's resources and intercepts every web request from the browser. The filter checks whether the HTTP request carries a service ticket (the ticket parameter). If not, the user has not been authenticated, so the CAS client redirects the request to the CAS server (step 2). Step 3 is the user authentication itself: if the user supplies correct credentials, the CAS server generates a random service ticket, caches it, and redirects the user back to the CAS client with that ticket (step 4). The service ticket cannot be forged: it is a random value known only to the CAS server. Finally, steps 5 and 6 complete the identity check between CAS client and CAS server: the client submits the ticket and the server looks up the username it belongs to. Because the ticket was generated by the CAS server, the server's verdict is authoritative.

This protocol accomplishes a simple task: the user (david.turing) opens a browser and accesses the client web application directly, and is immediately redirected to the CAS server for authentication. The user may notice the browser being redirected between the client web application and the CAS server, but cannot see the service ticket validation that takes place between the CAS client and the CAS server. Once the CAS server tells the CAS client which identity the service ticket belongs to, the CAS client serves the current request for that user.
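An added simulation of the exchange just described (example code written for this page, not code from the CAS project). It models the CAS server and the client filter in Python; the account david.turing/correct-horse, the hosts cas.example.com and app.example.com and the 10-second ticket lifetime are assumptions made for the example. Beyond the figure it also shows the three checks that make the ST unforgeable in practice: it is consumed on first use, it is bound to the service URL it was issued for, and it expires quickly. The validation reply is produced both in the v1 plain-text form and in the v2 XML form described in section 2.2.

```python
"""Simulation of the CAS basic-mode exchange (steps 1-6 of the figure).

Not CAS code: it illustrates the ticket handling the text describes, with the
checks a CAS server applies to a service ticket (ST): single use, bound to one
service URL, short-lived. Account, URLs and the lifetime are constructed.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

ST_LIFETIME = 10                        # seconds an unused ST stays valid (assumed)
CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of the CAS v2 XML response


def query_param(url, name):
    """Return the first value of `name` in the query string of `url`."""
    return parse_qs(urlparse(url).query)[name][0]


class CasServer:
    def __init__(self, users):
        self.users = users   # username -> password (constructed, plaintext for brevity)
        self.tgts = {}       # TGT id -> username; the browser keeps the id in the CASTGC cookie
        self.sts = {}        # ST id -> (username, service, issued_at)

    def login(self, username, password, service):
        """Steps 3/4: check credentials, mint a TGT and an ST, return the redirect URL."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt, self.grant_service_ticket(tgt, service)

    def grant_service_ticket(self, tgt, service):
        """Later visits: the TGT cookie alone yields a fresh ST, no password prompt."""
        username = self.tgts[tgt]        # KeyError: unknown TGT, the user must log in again
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (username, service, time.time())
        return service + "?" + urlencode({"ticket": st})

    def validate(self, ticket, service, now=None):
        """Steps 5/6, CAS v1 /validate: returns 'yes\\n<user>\\n' or 'no\\n\\n'."""
        now = time.time() if now is None else now
        entry = self.sts.pop(ticket, None)      # pop: an ST is consumed on first use
        if entry is None:
            return "no\n\n"                     # unknown, forged or replayed ticket
        username, bound_service, issued_at = entry
        if bound_service != service or now - issued_at > ST_LIFETIME:
            return "no\n\n"                     # presented to another service, or stale
        return "yes\n%s\n" % username

    def service_validate(self, ticket, service, now=None):
        """CAS v2 /serviceValidate: same checks, XML answer."""
        ET.register_namespace("cas", CAS_NS)
        root = ET.Element("{%s}serviceResponse" % CAS_NS)
        reply = self.validate(ticket, service, now)
        if reply.startswith("yes\n"):
            ok = ET.SubElement(root, "{%s}authenticationSuccess" % CAS_NS)
            ET.SubElement(ok, "{%s}user" % CAS_NS).text = reply.split("\n")[1]
        else:
            ET.SubElement(root, "{%s}authenticationFailure" % CAS_NS,
                          code="INVALID_TICKET").text = "ticket not recognized"
        return ET.tostring(root, encoding="unicode")


class CasClientFilter:
    """Filter in front of the protected resource; returns ('serve', user) or
    ('redirect', location). `session` is the web application's own session."""

    def __init__(self, server, login_url="https://cas.example.com/cas/login"):
        self.server = server
        self.login_url = login_url

    def handle(self, request_url, session):
        if "user" in session:                   # already authenticated locally
            return "serve", session["user"]
        parts = urlparse(request_url)
        query = parse_qs(parts.query)
        ticket = query.pop("ticket", [None])[0]
        # the service URL is the request URL without the ticket parameter
        service = parts._replace(query=urlencode(query, doseq=True)).geturl()
        to_login = "redirect", self.login_url + "?" + urlencode({"service": service})
        if ticket is None:                      # step 2: bounce to the CAS server
            return to_login
        reply = self.server.validate(ticket, service)   # steps 5/6, back channel
        if not reply.startswith("yes\n"):
            return to_login                     # bad ticket: start over
        session["user"] = reply.split("\n")[1]
        return "serve", session["user"]


def run_exchange():
    """Drive one login end to end; return the trace, the ST used and the server."""
    server = CasServer({"david.turing": "correct-horse"})   # constructed account
    app = CasClientFilter(server)
    session, trace = {}, []
    trace.append(app.handle("https://app.example.com/protected", session))   # 1 -> 2
    service = query_param(trace[-1][1], "service")
    _tgt, back = server.login("david.turing", "correct-horse", service)      # 3 -> 4
    trace.append(("redirect", back))
    trace.append(app.handle(back, session))                                  # 5/6, serve
    return trace, query_param(back, "ticket"), server
```

run_exchange() returns the three visible steps of the trace (redirect to login, redirect back with the ticket, the resource being served for david.turing); validating the same ST a second time, or against a different service URL, yields "no\n\n", which is what stops a captured ticket from being replayed.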

Two more useful figures, found online: the CAS browser request sequence diagram and the CAS server login flowchart (see http://hi.baidu.com/dianjinglong/blog/item/f74f353156d390a15fdf0e43.html and http://hi.baidu.com/fallenlord/item/7b8e123c3df41ff32784f4d8).

CAS browser request sequence diagram

CAS Server login flowchart

3. CAS Server Configuration

The CAS server ships as a WAR that must be deployed in a servlet container. Because the client and the CAS server interact over HTTPS, the container hosting the CAS server must also support SSL/TLS. Once SSL is configured, the CAS server is deployed like any ordinary web application; before it can be used, however, the user authentication interface must still be extended.

3.1 add Tomcat SSL Configuration

The key generation step is omitted here (see the linked reference). Then configure Tomcat's server.xml as shown below, and import the server certificate into the JDK's cacerts so that Java clients trust the CAS server:

Modify %TOMCAT_HOME%/conf/server.xml

Uncomment the SSL HTTP/1.1 connector and change it to the following:

XML Code

<Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/tomcat.keystore" keystorePass="123456" />

keystoreFile is the location of tomcat.keystore (a relative path is resolved against CATALINA_BASE) and keystorePass is the password (123456) chosen when tomcat.keystore was generated. That keystore holds the CAS server's private key, so outside a test deployment use a strong password and a certificate whose CN matches the hostname clients use (see section 4.1).

You can also turn off the HTTPS requirement for CAS logon. Several settings need to be changed (see the linked reference). In general: search the configuration for the word secure, find the two settings (in CAS 3.x these are the cookieSecure properties of the ticket-granting-ticket and warn cookie generators under WEB-INF/spring-configuration) and change true to false; then in deployerConfigContext.xml modify

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" />

by adding p:requireSecure="false":

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" p:requireSecure="false" />

The client may also need to be modified. Do this only for development: without HTTPS the TGT cookie and the service tickets travel in cleartext and can be read and replayed by anyone on the network path.

3.2 Extended Authentication Interface

The CAS server version used here is 3.4.2.1.

Deploy the WAR from the modules directory of the downloaded server distribution to Tomcat, start Tomcat, and open https://localhost:8443/cas. If the normal CAS logon page appears, the CAS server has been deployed successfully.

Although the CAS server is deployed, this is only the default implementation: the default handler lets anyone log on as long as the password entered equals the username. This obviously will not do in real use; the server must be extended and customised to the actual situation, most importantly the authentication interface and the CAS server's user interface.

We usually authenticate against a database over JDBC, with usernames and passwords stored in a table. The following configuration is required.

3.2.1 configure the jdbc SQL statement authentication method

Open webapps/cas-server-3.1.1/WEB-INF/deployerConfigContext.xml (the path follows the name of the deployed WAR) in an editor, find the following XML and comment it out:

<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />

Enter the following in its place:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from usertable where username = ?" />
    <property name="dataSource" ref="dataSource" />
</bean>

And add a data source bean:

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/test" />
    <property name="username" value="test" />
    <property name="password" value="test" />
</bean>

(The pooled commons-dbcp BasicDataSource is what the commons-dbcp dependency listed below is for. Spring's DriverManagerDataSource also works with the same four properties, but it opens a new connection for every query and has no close() method, so destroy-method="close" cannot be used with it.)

If the passwords in the database are stored as MD5 hashes, add the following configuration (the passwordEncoder property and the passwordEncoder bean are the additions):

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from usertable where username = ?" />
    <property name="passwordEncoder" ref="passwordEncoder" />
    <property name="dataSource" ref="dataSource" />
</bean>

<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
    <constructor-arg value="MD5" />
</bean>

DefaultPasswordEncoder hashes the submitted password with the named algorithm (MD5 or SHA1) and compares the hex digest with the stored value. An unsalted MD5 is cheap to brute-force offline, so use this only when an existing user table already stores MD5 hashes; for a new deployment prefer a salted, slow password hash.

Note: a few extra packages are needed as dependencies before redeploying. With Maven, add:

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.12</version>
</dependency>
<dependency>
    <groupId>org.apache.openejb</groupId>
    <artifactId>commons-dbcp-all</artifactId>
    <version>1.3-r699049</version>
</dependency>

If you do not use Maven, download the corresponding jars, copy them to WEB-INF/lib/ and restart Tomcat.

Create the table (named usertable, to match the query configured above):

mysql> CREATE TABLE usertable (id INT, username CHAR(100) NOT NULL, password CHAR(100) NOT NULL, PRIMARY KEY (id));

mysql> INSERT INTO usertable VALUES (2, 'admin', 'admin123');

With the MD5 passwordEncoder configured, store the hash instead of the plaintext:

mysql> INSERT INTO usertable VALUES (2, 'admin', MD5('admin123'));
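An added example (written for this page, not code from the CAS project) of what the handler configured in section 3.2.1 does with the query and the MD5 encoder, run against an in-memory sqlite3 stand-in for the MySQL table. It returns a distinct reason for "user does not exist" versus "bad password", which is the distinction section 3.6 wants to surface, and it sets a deliberately unparameterised variant beside the safe one to show why the ? placeholder in the CAS configuration matters. The table contents and passwords are constructed; the constant-time comparison is a hardening choice of this example, not something the page's configuration specifies.

```python
"""JDBC-style authentication as done by the CAS query handler, in Python.

Not CAS code: mirrors QueryDatabaseAuthenticationHandler with the configured
query and DefaultPasswordEncoder("MD5"), and contrasts it with an
unparameterised variant. Table rows and passwords are constructed test data.
"""
import hashlib
import hmac
import sqlite3

# The exact query from deployerConfigContext.xml; '?' is a bound parameter.
SQL = "select password from usertable where username = ?"


def md5_encode(password):
    """DefaultPasswordEncoder('MD5'): hex digest of the raw password (no salt)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def create_user_db():
    """In-memory stand-in for the MySQL table of section 3.2, password stored as MD5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usertable (id integer primary key, "
                 "username text not null, password text not null)")
    conn.execute("insert into usertable values (?, ?, ?)",
                 (2, "admin", md5_encode("admin123")))
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """Parameterised lookup, as the CAS handler does it. Returns (ok, reason)."""
    row = conn.execute(SQL, (username,)).fetchone()
    if row is None:
        return False, "user does not exist"       # the message section 3.6 adds
    # constant-time comparison of the stored hash with the hash of the input
    if not hmac.compare_digest(row[0], md5_encode(password)):
        return False, "bad password"
    return True, "ok"


def authenticate_unsafe(conn, username, password):
    """Same logic with the username spliced into the SQL text. Deliberately
    vulnerable, to show what the '?' placeholder in the CAS config prevents."""
    query = "select password from usertable where username = '%s'" % username
    row = conn.execute(query).fetchone()
    if row is None:
        return False, "user does not exist"
    if not hmac.compare_digest(row[0], md5_encode(password)):
        return False, "bad password"
    return True, "ok"


def injection_username(chosen_password):
    """Username that makes the unsafe query return a hash the attacker picked:
    the WHERE clause matches nothing, the UNION supplies md5(chosen_password),
    and '--' comments out the closing quote."""
    return "' union select '%s' -- " % md5_encode(chosen_password)
```

authenticate() rejects the crafted username outright (no such row), while authenticate_unsafe() accepts it together with the attacker's chosen password, without ever touching the admin row.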

3.3 restful Configuration

CAS provides a RESTful API. The Restlet integration is configured as follows:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-integration-restlet</artifactId>
    <version>3.4.11</version>
    <type>jar</type>
</dependency>

Then add the following to web.xml:

<servlet>
    <servlet-name>restlet</servlet-name>
    <servlet-class>com.noelios.restlet.ext.spring.RestletFrameworkServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>restlet</servlet-name>
    <url-pattern>/v1/*</url-pattern>
</servlet-mapping>

Address: http://ip:8080/cas/v1/tickets

A client POSTs username and password to this address; on success the server answers 201 Created with the URL of the new TGT in the Location header. POSTing service=<url> to that TGT URL returns a service ticket, which the service validates exactly as in the browser flow. Because this endpoint receives the user's raw password, expose it only over HTTPS, not on the plain HTTP port shown in the address above.

3.4 Spring Security integration

The Spring Security 3.1.x home page describes how to configure it in your project; see the official online documentation, and its CAS chapter in particular. Spring Security 3.0.x also has an official explanation. 3.1.x is not discussed further here.

The CAS website also provides an example of Spring Security integration, but it is not detailed.

Two Chinese articles can also be found (link 1 and link 2).

3.5 Logout

See the linked reference.

3.6 Add a "user does not exist" error message to logon authentication

See the linked reference.

The above covers the server-side configuration. The next article will summarise the client configuration.

4. Problem

4.1 Certificate problems

When generating the keystore, keytool asks:

What is your first name and last name?

The answer becomes the CN of the certificate, and it must match the hostname that clients use to reach the CAS server.

Testing showed that if the CAS server and the single sign-on service are on the same computer, access via the localhost registered in the key works fine. But if they are on different computers, an error occurs when accessing over the intranet.

Therefore, registering localhost or an IP address is not recommended (CAS itself advises against registering IP addresses).

Use a domain name instead: change localhost to the name of the computer hosting the CAS server (right-click My Computer, Properties, Computer Name). The test passed. (This works, but the deployed machine must then be reachable under the name in the certificate, e.g. master.)

4.2 The client must address the CAS server by domain name, not by IP address, because the hostname in the URL is checked against the name in the server certificate.

Reference: http://blog.csdn.net/yaolong77/article/details/4041434
