Single Sign-On (SSO) based on CAS: CAS + LDAP for Single Sign-on authentication and ssoldap

Source: Internet
Author: User



      [1]. Overview

      CAS is the central authentication portal for N systems. The user information shared across those systems has to be maintained separately, and because it belongs to different systems, organizations and countries it naturally forms a tree. Maintaining tree-structured information in a relational database is that database's weakness, and this is the original motivation for the CAS and LDAP integration described in this article.

      This article describes how to integrate CAS with LDAP to implement single sign-on.

      [2]. Detailed steps

      1. LDAP installation Configuration

      For details, see:

      Introduction to openLDAP installation and configuration on windows

      Install and configure it, then add some test data (the accounts used in the tests below are Michael and Miumiu, both with the password 111111):


       

      2. Basic CAS installation and configuration:

      See the demonstration of a CAS single sign-on (SSO) instance.

       

      3. Integrate the LDAP configuration with CAS

      For Maven-built projects, add the LDAP-related dependencies:

      <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-support-ldap</artifactId>
          <version>${cas.version}</version>
      </dependency>
      <!-- Add this dependency if connection pooling is used:
      <dependency>
          <groupId>commons-pool</groupId>
          <artifactId>commons-pool</artifactId>
          <version>${apache.commons.pool.version}</version>
      </dependency>
      -->

      Les) and spring-ldap-core-1.3.1.RELEASE.jar

       

      There are two LDAP authentication handlers to choose from:

      [First], FastBindLdapAuthenticationHandler

      This handler is used when the user's DN can be composed directly from the login name, for example uid=%u,ou=Developer,dc=micmiu,dc=com, where %u is replaced by the user name entered at CAS logon. CAS then binds to LDAP as that DN with the password the user entered; no search and no administrative bind is needed.

      Modify the web configuration file WEB-INF\deployerConfigContext.xml:

      First, add the ContextSource bean under the <beans> node:

      <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
          <property name="pooled" value="false"/>
          <property name="url" value="ldap://127.0.0.1:389"/>
          <!-- bind DN and password of the context; they are stored in clear text in this file,
               so restrict read access to deployerConfigContext.xml -->
          <property name="userDn" value="cn=Manager"/>
          <property name="password" value="secret"/>
          <property name="baseEnvironmentProperties">
              <map>
                  <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
                  <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
                  <entry key="java.naming.security.authentication" value="simple"/>
              </map>
          </property>
      </bean>

       

      ContextSource configuration notes:

      • If you have multiple LDAP servers, you can configure several of them (the second configuration below uses the urls list property for this).
      • With FastBindLdapAuthenticationHandler the userDn of the contextSource is not used for the authentication bind (the handler binds as the DN built from the filter), so it can be the full DN "cn=Manager,ou=dev,dc=micmiu,dc=com", just "cn=Manager", or even "Manager".
      • If the LDAP server offers SSL, use the ldaps prefix in the url, for example "ldaps://192.168.8.150:636". The JVM running CAS must then trust the LDAP server's certificate (import it into the JRE's cacerts with keytool), otherwise the connection fails during the TLS handshake. Without ldaps, simple authentication sends the user's password to the LDAP server in clear text.

      In the <bean id="authenticationManager"/> definition, find the SimpleTestUsernamePasswordAuthenticationHandler entry in the list of authentication handlers and replace it with the following. Do not leave the test handler in the list: it accepts any logon whose password equals the user name.

      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
          <!-- DN template; %u is replaced by the user name entered at logon -->
          <property name="filter" value="uid=%u,ou=Developer,dc=micmiu,dc=com"/>
          <property name="contextSource" ref="contextSource"/>
      </bean>


      After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and test authentication:

      • Entering Michael/111111 logs on successfully.
      • Entering Miumiu/111111 fails, because the DN template only matches entries under ou=Developer.

       

      [Second], BindLdapAuthenticationHandler

      This handler is used when the login name is not the RDN of the user's DN but some other attribute, such as mail (uid works as well; the example below uses mail). CAS first binds with the userDn and password of the contextSource, searches under searchBase for an entry matching the filter, and then binds as the DN it found with the password the user entered.

      Modify the web configuration file WEB-INF\deployerConfigContext.xml:

      Add the ContextSource bean under the <beans> node:

      <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
          <property name="anonymousReadOnly" value="false"/>
          <property name="password" value="secret"/>
          <property name="pooled" value="true"/>
          <property name="urls">
              <list>
                  <value>ldap://127.0.0.1:389</value>
              </list>
          </property>
          <!-- the manager account used for the search step of BindLdapAuthenticationHandler -->
          <property name="userDn" value="cn=Manager,dc=micmiu,dc=com"/>
          <property name="baseEnvironmentProperties">
              <map>
                  <!-- LDAP SSL access configuration:
                  <entry key="java.naming.security.protocol" value="ssl"/>
                  -->
                  <entry key="java.naming.security.authentication" value="simple"/>
              </map>
          </property>
      </bean>

       

      Modify the authentication handler in <bean id="authenticationManager"/> as follows:

      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <!-- %u is replaced by the user name entered at logon -->
          <property name="filter" value="mail=%u"/>
          <property name="searchBase" value="dc=micmiu,dc=com"/>
          <property name="contextSource" ref="contextSource"/>
          <!-- allow the logon to succeed when the search returns more than one entry -->
          <property name="allowMultipleAccounts" value="true"/>
      </bean>

      Note that allowMultipleAccounts="true" lets the logon succeed if the search returns several entries and the password binds to any one of them. Leave it at false unless the attribute in the filter is guaranteed to be unique, so that an ambiguous search fails closed rather than authenticating against whichever matching entry accepts the password.

       

      After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and test authentication:

      • Entering Michael/111111 logs on successfully.
      • Entering Miumiu/111111 also logs on successfully.

       

      If you change the searchBase parameter to "ou=Developer,dc=micmiu,dc=com" and restart, the authentication test gives:

      • Entering Michael/111111 logs on successfully.
      • Entering Miumiu/111111 fails.

      The search is now restricted to the ou=Developer subtree, so the result is the same as with the first handler.
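      To make the difference between the two handlers concrete, here is an added example (not CAS code and not from the original article) that models both flows against a constructed in-memory directory. It also adds two things the article leaves out: RFC 4515 escaping of the value substituted for %u in the search filter, and the effect of allowMultipleAccounts when that search is ambiguous. The directory entries, the mail addresses, the Manager DN and the function names are all assumptions.

```python
"""Model of FastBindLdapAuthenticationHandler and BindLdapAuthenticationHandler.

Added example, not CAS code. The directory below is constructed for the demo.
"""
import re

MANAGER_DN = "cn=Manager,dc=micmiu,dc=com"   # assumed contextSource userDn
MANAGER_PASSWORD = "secret"                   # assumed contextSource password

# Constructed directory: Michael sits under ou=Developer, Miumiu does not.
DIRECTORY = {
    "uid=Michael,ou=Developer,dc=micmiu,dc=com": {
        "uid": "Michael", "mail": "michael@micmiu.com", "userPassword": "111111"},
    "uid=Miumiu,ou=Sales,dc=micmiu,dc=com": {
        "uid": "Miumiu", "mail": "miumiu@micmiu.com", "userPassword": "111111"},
    MANAGER_DN: {"cn": "Manager", "userPassword": MANAGER_PASSWORD},
}


def simple_bind(dn, password):
    """LDAP simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied value cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _matches(value, pattern):
    """Match as the server sees it: an unescaped '*' in the pattern is a wildcard."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for piece in parts[1:-1]:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= len(value) - len(parts[-1])


def search(search_base, ldap_filter):
    """Subtree search of DIRECTORY for a single '(attr=pattern)' filter."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == search_base or dn.endswith("," + search_base))
            and attr in entry and _matches(entry[attr], pattern)]


def fast_bind_login(username, password,
                    dn_template="uid=%u,ou=Developer,dc=micmiu,dc=com"):
    """FastBind flow: substitute %u into the DN template and bind as that DN."""
    return simple_bind(dn_template.replace("%u", username), password)


def bind_search_login(username, password, filter_template="mail=%u",
                      search_base="dc=micmiu,dc=com",
                      allow_multiple_accounts=False, escape=True):
    """Bind flow: manager bind, search for the user under search_base, bind as the hit."""
    if not simple_bind(MANAGER_DN, MANAGER_PASSWORD):
        return False
    value = escape_filter_value(username) if escape else username
    hits = search(search_base, "(" + filter_template.replace("%u", value) + ")")
    if not hits:
        return False
    if len(hits) > 1 and not allow_multiple_accounts:
        return False  # ambiguous search fails closed, as with allowMultipleAccounts=false
    return any(simple_bind(dn, password) for dn in hits)


if __name__ == "__main__":
    print("fast bind Michael:", fast_bind_login("Michael", "111111"))
    print("fast bind Miumiu:", fast_bind_login("Miumiu", "111111"))
    print("search+bind miumiu@, base dc=micmiu:",
          bind_search_login("miumiu@micmiu.com", "111111"))
    print("search+bind miumiu@, base ou=Developer:",
          bind_search_login("miumiu@micmiu.com", "111111",
                            search_base="ou=Developer,dc=micmiu,dc=com"))
    print("login as '*', unescaped, multiple allowed:",
          bind_search_login("*", "111111", escape=False, allow_multiple_accounts=True))
```

      The last call shows why the two settings matter together: with the %u value unescaped, a login name of "*" matches every entry that has a mail attribute, and with allowMultipleAccounts enabled the logon succeeds as soon as any of those entries accepts the password. Escaping the value (the default here) turns "*" into "\2a", which matches nothing, and keeping allowMultipleAccounts at false makes the ambiguous search fail even without escaping.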

      For connection pool configuration, see the official documentation: https://wiki.jasig.org/display/CASUM/LDAP

      Summary: CAS and LDAP are mainly used in system integration scenarios. CAS provides a uniform authentication portal for multiple systems, so you log on once and can use all of them. LDAP stores the information those systems share, such as user information and user permission information. This information is common, simple (mostly strings) and rarely modified, and because it belongs to different organizations and systems it forms a tree, that is, a directory, which allows efficient retrieval when matching a user name and password.

    Cas Single Sign-on

    First, to answer your first question. The security certificate is used by Tomcat or Apache to enable SSL (Secure Sockets Layer), that is, to support the HTTPS protocol. We usually use Tomcat as the application server, so Tomcat has to support HTTPS first. Enabling HTTPS is very easy; please refer to the official documentation, here is only a brief introduction. First, generate a certificate for the JDK on the machine where Tomcat is deployed (strictly speaking for the JRE, but we usually install a JDK rather than a JRE on the Tomcat server; you can use the keytool that ships with the JRE to generate the certificate). During certificate generation, pay attention to the CN item, the first field, which is the server domain name; for local testing you can use localhost. Use the following statements:
    1. keytool -genkey -alias acegisecurity -keyalg RSA -validity 9999 -keystore keystore -storepass password -keypass password
    What is your first and last name? (This is the CN item.) Answer localhost.
    You can enter anything for the other information.
    2. keytool -export -v -rfc -alias acegisecurity -file acegisecurity.txt -keystore keystore -storepass password
    This step exports the key.
    3. Copy acegisecurity.txt to %JAVA_HOME%\jre\lib\security

    4. Copy the keystore file to %CATALINA_HOME%
    5. In a console window (on Windows, the DOS window), change to %JAVA_HOME%\jre\lib\security
    6. keytool -import -v -file acegisecurity.txt -keypass password -keystore cacerts -storepass changeit -alias acegisecurity
    This imports the certificate into the virtual machine.
    Next, open %CATALINA_HOME%/conf/server.xml in an editor and find

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>

    This element is commented out by default. Uncomment it and add keystoreFile="keystore" keystorePass="passwo...

    Java implements single sign-on without a certificate. How can this problem be solved?

    Is CAS okay? Do you want a certificate? That is configured by yourself! CAS does not need certificates. This is definite! We used it in the middle of our project!
