Section 1: Introduction to single sign-on
Step 1: Learn About Single Sign-on
SSO is mainly characterized by the use of web protocols (such as HTTPS) between the participating applications, and by the existence of only one login portal.
The SSO system has the following three roles:
1) user (multiple)
2) Web applications (multiple)
3) SSO authentication center (one)
An SSO implementation rests on the following three principles:
1) All logins are performed in the SSO authentication center.
2) The SSO authentication center uses some mechanism to tell each web application whether the current user is authenticated.
3) The SSO authentication center establishes a trust relationship with all web applications.
CAS (Central Authentication Service) is an open-source Java project initiated by Yale University to build web SSO.
1. CAS Glossary:
SSO: Single Sign-On
TGT: Ticket Granting Ticket, the credential that proves the user's identity has been authenticated
ST: Service Ticket, the ticket that grants the user access to one service (web application)
TGC: Ticket Granting Cookie, the browser cookie that stores the user's authentication credential (the TGT)
Step 2: Understand the Single Sign-On Architecture
1) The CAS server authenticates user information and must be deployed independently. It processes credentials such as the user name and password.
2) The CAS client is deployed in each web application. When a request is sent to a protected resource of the local web application, the client requires the request to be authenticated and redirects it to the CAS server for authentication.
Step 3: Preparations for the Single Sign-On Environment
1) cas-server-3.5.0-release.zip (CAS server)
2) cas-client-3.3.3-release.zip (CAS client)
3) apache-tomcat-7.0.40
4) cas-client-core-3.2.1.jar
5) cas-server-core-3.5.0.jar
6) cas-server-support-jdbc-3.5.0.jar
Section 2: setup and deployment of a single sign-on Environment
Step 1: Environment deployment
1. The certificate trilogy: generating a certificate with the Java JDK
The certificate is essential for this single sign-on setup: it is the credential for secure communication between the server and the client. This tutorial only demonstrates keytool, the certificate generation tool built into the JDK.
Of course, in real projects you can purchase a certificate from a dedicated certification authority.
Use the built-in JDK keytool to generate a certificate
Step 1: generate the certificate (a key pair in a new keystore):
keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard
Note: enter the relevant information when prompted. For the "first and last name" field, enter your domain name (for a test, you can map a virtual domain name in the c:\windows\system32\drivers\etc\hosts file); do not enter an IP address.
Step 2: export the certificate:
keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard
Step 3: import the certificate into the truststore of the JDK installation directory:
keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts
2. Decompress the cas-server-3.5.0-release.zip file. Find cas-server-webapp-3.5.0.war in the cas-server-3.5.0\modules directory, rename it to cas.war, and copy it to the webapps directory under the Tomcat root directory.
3. Add the following entry to the hosts file (c:\windows\system32\drivers\etc\hosts):
127.0.0.1 jeesz.cn (configure your own domain name)
Note: If you want to simulate single sign-on on one PC, the domain name must be redirected in this way. If you use multiple PCs, you can leave this unconfigured; the domain fast-web.cn used below can then be replaced with the IP address of the corresponding PC.
4. Modify server.xml (apache-tomcat-7.0.40\conf\server.xml) in the Tomcat directory. Find the commented-out HTTPS connector, whose attributes include:

    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

and replace it with the following connector (uncommented), pointing keystoreFile at the keystore generated above and keystorePass at its password:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="C:/common/keys/keycard"
               keystorePass="xxxxxx"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
5. Start the Tomcat service and check its output (if an error is reported, locate it from the log). Open the browser and enter http://jeesz.cn:8080/cas. If the CAS login page appears, the CAS server is configured successfully.
Note: This is the simplest CAS service: as long as the user name and password you enter are identical, you can log on. In real development the credentials are checked against a database, which we configure next.
Step 2: Configure database Verification
1. Find the deployerConfigContext.xml file in the apache-tomcat-7.0.2\webapps\cas\WEB-INF directory. Here, the sql attribute of the authentication handler looks up the password in the user table based on the CAS login name.
2. Add a data source. In deployerConfigContext.xml, add a dataSource bean with the following settings:
driver class: com.mysql.jdbc.Driver
URL: jdbc:mysql://127.0.0.1:3306/sso (based on your database URL)
user name: root (based on your database user name)
password: based on your database password
3. Add a user table and data to the database (MySQL is used here); for example, a t_user table in the MySQL database.
4. Copy the jar packages cas-client-core-3.2.1.jar, cas-server-core-3.5.0.jar and cas-server-support-jdbc-3.5.0.jar to the apache-tomcat-7.0.2\webapps\cas\WEB-INF\lib directory.
5. Restart Tomcat, open the browser, enter http://jeesz.cn:8080/cas, and log in with a user name and password from the database. If the login succeeds, the configuration is correct.
Now our CAS server is configured. Next, we configure the client.
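The database verification configured in steps 1 to 5 above, written out as an added example (it is not the tutorial's own file contents): the JDBC authentication handler and its data source for CAS 3.5.0's deployerConfigContext.xml. It assumes a MySQL database named sso with a table t_user(username, password), a MySQL JDBC driver jar (and spring-jdbc, which the handler needs) in webapps/cas/WEB-INF/lib, and a database account cas_reader with a placeholder password; the column names and the account are assumptions.

```xml
<!-- Added example, not from the original tutorial. Place this bean inside the
     <property name="authenticationHandlers"><list> of the authenticationManager
     bean, replacing SimpleTestUsernamePasswordAuthenticationHandler (which
     accepts any user name equal to its password and is for testing only). -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <!-- Parameterized query: the login name is bound to "?", never concatenated
       into the SQL string. Column names t_user(username, password) are assumed. -->
  <property name="sql" value="select password from t_user where username=?" />
  <!-- Compare against stored SHA-256 hex digests instead of plaintext passwords.
       The rows in t_user must then hold the hash, not the clear-text value. -->
  <property name="passwordEncoder">
    <bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
      <constructor-arg value="SHA-256" />
    </bean>
  </property>
</bean>

<!-- Top-level bean (a sibling of authenticationManager). The account name and
     password are placeholders; use a dedicated account that can only read t_user. -->
<bean id="dataSource"
      class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <property name="url" value="jdbc:mysql://127.0.0.1:3306/sso" />
  <property name="username" value="cas_reader" />
  <property name="password" value="CHANGE_ME" />
</bean>
```

If the passwordEncoder property is omitted, CAS compares the submitted password directly with the value returned by the query, which is what the tutorial's plaintext t_user table relies on.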
Section 2: Configure your own web project (client)
1. Add the following entries to the hosts file:
127.0.0.1 www.sso1.com
127.0.0.1 www.sso2.com
Note: It is best not to use a domain name that already exists on the Internet; otherwise you will no longer be able to reach that address.
If you want to simulate single sign-on on one PC, this domain name redirection is required. If you use multiple PCs, you do not need to configure it; www.sso1.com and www.sso2.com used below can then be replaced with the IP address of the corresponding PC.
1. Create sso1 and sso2 directories under the Tomcat root directory.
2. Create two web projects in Eclipse, named sso1 and sso2.
3. Add the CAS client jar packages (found in the dependencies\cas-client-3.2.0\modules directory) to the lib directory of the sso1 and sso2 projects.
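The client side of the architecture from Section 1 (the CAS client intercepting requests to protected resources and redirecting them to the CAS server), as an added example for the sso1 project's WEB-INF/web.xml; it is not the tutorial's own configuration. It assumes the CAS server from Section 2 is reached over HTTPS at https://jeesz.cn:8443/cas (the connector configured above) and that sso1 runs at http://www.sso1.com:8080; both URLs are assumptions, and the sso2 project uses the same filters with its own serverName.

```xml
<!-- Added example, not from the original tutorial. Filter order matters:
     authentication first, then ticket validation, then the request wrapper. -->
<filter>
  <!-- No session yet: redirect the browser to the CAS login page. -->
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://jeesz.cn:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.sso1.com:8080</param-value>
  </init-param>
</filter>
<filter>
  <!-- Validates the service ticket (ST) with the CAS server over HTTPS; this
       back-channel call is why the server certificate was imported into the
       JDK truststore with keytool in Section 2. -->
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://jeesz.cn:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.sso1.com:8080</param-value>
  </init-param>
</filter>
<filter>
  <!-- Exposes the validated CAS user name through request.getRemoteUser(). -->
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

With both sso1 and sso2 configured this way, a browser that has logged in once (and holds the TGC cookie for jeesz.cn) is issued a fresh ST for the second application without seeing the login page again.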
JEESZ-SSO Solutions