"SSO single Point Series" (1): Setting up the environment of CAS4.0

Source: Internet
Author: User
Tags: cas

"SSO single Point Series" (1): CAS4.0 Environment Construction

I. Overview

This is the first article in the CAS series. It covers setting up a CAS environment, serves as a primer for readers who are new to CAS, and walks through the simplest possible CAS example.

II. Environment requirements

The environment used in this post is as follows:

    1. Windows 8.1
    2. JDK 1.7 (download link)
    3. Tomcat 8.0.15 (download link)
    4. cas-server-4.0.0 and cas-client-3.3.3 (download link; the official site is slow, so a Baidu network disk mirror is provided)

Three Tomcat servers need to be deployed; I named them apache-tomcat-8.0.15-app1, apache-tomcat-8.0.15-app2 and apache-tomcat-8.0.15-cas.

Their respective roles are as follows:

    No.   Server name   Role
    1     tomcat-app1   Client server 1: hosts the user application App1
    2     tomcat-app2   Client server 2: hosts the user application App2
    3     tomcat-cas    CAS server: hosts the CAS server web application

III. Special notes

By default CAS authenticates over HTTPS. Where security requirements are not high, the author recommends switching to plain HTTP: otherwise the browser keeps warning that the certificate has expired and asks the user to confirm, which makes a poor impression on users; HTTPS can be enabled when it is actually needed. Bear in mind that with HTTPS disabled the CASTGC cookie that represents the SSO session travels in clear text, so this is only appropriate for a local test environment.

If you do need HTTPS, see this article on generating and importing the certificate: CAS Single sign-on certificate import

How to disable HTTPS is described in detail in section IV, so read on.

IV. Worked example

Step 1: Tomcat modifications

    1. Unzip the downloaded apache-tomcat-8.0.15.zip, make three copies and name them as agreed in section II.
    2. Change the ports each Tomcat listens on so that several instances can run on one machine. My HTTP access ports are as follows:

    No.   Server name   Access port
    1     tomcat-app1   8081
    2     tomcat-app2   8082
    3     tomcat-cas    18080

How to change the ports: open X:\tomcat-app1\conf\server.xml and locate the following three elements.

First, the shutdown port (default 8005):

    <Server port="8005" shutdown="SHUTDOWN">

Second, the HTTP connector port (default 8080):

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Third, the AJP connector port (default 8009):

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Change each of these to the port you want. All three ports must differ between the instances, otherwise the second Tomcat to start fails to bind; repeat the edit for tomcat-app2 and tomcat-cas.
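As an added check (not from the original post): a short Python script that reads each instance's server.xml and reports any shutdown, HTTP or AJP port that two Tomcats would both try to bind. The server.xml text and the shutdown/AJP port numbers are constructed for the example; only the HTTP ports come from the table above.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml standing in for X:\tomcat-*\conf\server.xml after the
# three edits described above (only the elements that carry ports are kept).
SERVER_XML = """<Server port="{shutdown}" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="{http}" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="{ajp}" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# HTTP ports follow the table in this post; shutdown and AJP ports are made up here.
INSTANCES = {
    "tomcat-app1": SERVER_XML.format(shutdown=8015, http=8081, ajp=8019),
    "tomcat-app2": SERVER_XML.format(shutdown=8025, http=8082, ajp=8029),
    "tomcat-cas": SERVER_XML.format(shutdown=18005, http=18080, ajp=18009),
}


def listening_ports(server_xml):
    """Return {'shutdown': n, 'HTTP/1.1': n, 'AJP/1.3': n} for one server.xml."""
    root = ET.fromstring(server_xml)
    ports = {"shutdown": int(root.get("port"))}
    for connector in root.iter("Connector"):
        ports[connector.get("protocol")] = int(connector.get("port"))
    return ports


def find_port_conflicts(instances):
    """Return (port, [owner, ...]) for every port claimed by more than one
    instance or role; an empty list means all instances can start together."""
    owners = {}
    for name, server_xml in instances.items():
        for role, port in listening_ports(server_xml).items():
            owners.setdefault(port, []).append(f"{name}:{role}")
    return sorted((port, who) for port, who in owners.items() if len(who) > 1)


if __name__ == "__main__":
    for name, server_xml in INSTANCES.items():
        print(name, listening_ports(server_xml))
    print("conflicts:", find_port_conflicts(INSTANCES))
```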

        

Step 2: deploy the CAS server (cas-server)

      1. Unzip the downloaded cas-server-4.0.0-release.zip.
      2. Locate the file X:\cas-server-4.0.0\modules\cas-server-webapp-4.0.0.war.
      3. Unzip it into tomcat-cas\webapps\cas-server (the URLs used later in this post rely on that context name).
      4. To disable the HTTPS requirement:

1) Open cas-server\WEB-INF\deployerConfigContext.xml and locate the following configuration:

    <!-- Required for proxy ticket mechanism. -->
    <bean id="proxyAuthenticationHandler"
          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />

Add the attribute p:requireSecure="false". It controls whether the callback must use HTTPS; false means it is not required. After the change:

    <bean id="proxyAuthenticationHandler"
          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" p:requireSecure="false" />

2) Open cas-server\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml and find the following configuration:

    <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="true"
          p:cookieMaxAge="-1"
          p:cookieName="CASTGC"
          p:cookiePath="/cas" />

Change p:cookieSecure="true" to p:cookieSecure="false", i.e. the CASTGC cookie is no longer restricted to HTTPS.

3) Open cas-server\WEB-INF\spring-configuration\warnCookieGenerator.xml and find the following configuration:

    <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="true"
          p:cookieMaxAge="-1"
          p:cookieName="CASPRIVACY"
          p:cookiePath="/cas" />

Change p:cookieSecure="true" to p:cookieSecure="false", i.e. the CASPRIVACY cookie is no longer restricted to HTTPS.
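As an added audit (not part of the original post or of CAS itself): a Python check that parses the three Spring files edited in step 2 and lists the beans whose requireSecure/cookieSecure flag has been set to false, i.e. where the proxy callback or the CASTGC/CASPRIVACY cookie is now allowed over plain HTTP. The file contents are constructed from the snippets above; the warn cookie is deliberately left at true to show the difference.

```python
import xml.etree.ElementTree as ET

P_NS = "{http://www.springframework.org/schema/p}"
BEANS_NS = "{http://www.springframework.org/schema/beans}"

# Constructed stand-ins for the three files under cas-server\WEB-INF after step 2:
# the bean definitions quoted above, wrapped in the <beans> root the real files have.
TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">{body}</beans>"""
FILES = {
    "deployerConfigContext.xml": TEMPLATE.format(body="""
  <bean id="proxyAuthenticationHandler"
        class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" p:requireSecure="false"/>"""),
    "spring-configuration/ticketGrantingTicketCookieGenerator.xml": TEMPLATE.format(body="""
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas"/>"""),
    "spring-configuration/warnCookieGenerator.xml": TEMPLATE.format(body="""
  <bean id="warnCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="true" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas"/>"""),
}

# (bean id, p-namespace attribute) pairs; the value "false" allows plain HTTP.
SECURE_FLAGS = [
    ("proxyAuthenticationHandler", "requireSecure"),
    ("ticketGrantingTicketCookieGenerator", "cookieSecure"),
    ("warnCookieGenerator", "cookieSecure"),
]


def secure_flags(files):
    """Map each watched bean id to True/False, or None if the attribute is
    absent from every file (the CAS library default then applies)."""
    found = {bean_id: None for bean_id, _ in SECURE_FLAGS}
    for xml in files.values():
        for bean in ET.fromstring(xml).iter(BEANS_NS + "bean"):
            for bean_id, attr in SECURE_FLAGS:
                value = bean.get(P_NS + attr)
                if bean.get("id") == bean_id and value is not None:
                    found[bean_id] = value.strip().lower() == "true"
    return found


def plaintext_exposures(files):
    """Bean ids explicitly opened to HTTP, so the SSO cookie or the proxy callback
    may travel unencrypted. An empty list means the shipped HTTPS settings stand."""
    return sorted(b for b, v in secure_flags(files).items() if v is False)
```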

 

      5. Start tomcat-cas and open http://localhost:18080/cas-server; you should see the CAS login page (screenshot).

Note: before cas-server 4.0 the default validation rule was that authentication succeeded as long as the user name and password were identical. From 4.0 on the rule changed: the default account is configured in deployerConfigContext.xml, where you can see the user name/password casuser/Mellon.

    <bean id="primaryAuthenticationHandler"
          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="casuser" value="Mellon"/>
            </map>
        </property>
    </bean>

Step 3: configure the client (cas-client)

Note: Tomcat's bundled examples web application is used directly as the client.

    1. Unzip the downloaded cas-client-3.3.3-release.zip and copy cas-client-3.3.3\modules\cas-client-core-3.3.3.jar.
    2. Put it under tomcat-app1\webapps\examples\WEB-INF\lib (both client Tomcats need it; only one is shown here).
    3. Edit examples\WEB-INF\web.xml and add the following:

    <!-- ======================== Single sign-on start ======================== -->

    <!-- Listener for single sign-out (single logout); optional. -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <!-- This filter handles single sign-out; optional. -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- This filter performs the authentication: unauthenticated requests are redirected to casServerLoginUrl. -->
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://localhost:18080/cas-server/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8081</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- This filter validates the service ticket; it must be enabled. -->
    <filter>
        <filter-name>CASValidationFilter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://localhost:18080/cas-server</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8081</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASValidationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- This filter wraps the HttpServletRequest so that, for example, the developer can obtain the
         SSO user's login name through HttpServletRequest.getRemoteUser(); optional. -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- This filter lets the developer obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
         e.g. AssertionHolder.getAssertion().getPrincipal().getName(); optional. -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- ======================== Single sign-on end ======================== -->

    4. Start tomcat-app1 and visit http://localhost:8081/examples; the browser is redirected to

    http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F

which shows that the single sign-on redirect works.

tomcat-app2 is configured in the same way, using its own port from the table above for serverName; it is not demonstrated here.

The two modified web.xml files are attached:

    tomcat-app1: web.xml
    tomcat-app2: web.xml

Step 4: single sign-on flow demo

Start the three Tomcats in turn, then visit the two clients first to see the effect.

    1. Visit http://localhost:8081/examples ==> redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F
    2. Visit http://localhost:8082/examples ==> redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8082%2Fexamples%2F

This shows that both clients redirect to cas-server for authentication on the first visit.

Next, log in to one of the clients, http://localhost:8081/examples, with the account casuser/Mellon.

After a successful login the examples page is displayed (screenshot).

Then open a new tab and go directly to http://localhost:8082/examples.

It does not redirect to the cas-server login page but shows the examples page directly (screenshot).

Single sign-on across the two clients succeeded: after logging in to one, the other can be accessed without logging in again.
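As an added example (not code from the post or from the CAS project): a Python model of the round trip in steps 3 and 4. login_redirect() rebuilds the redirect URL the client AuthenticationFilter derives from the casServerLoginUrl and serverName init-params, and CasServer/sso_visit() are this example's own stand-ins for tomcat-cas and a browser, showing why the second client is served without a login form once the browser holds the CASTGC cookie.

```python
from urllib.parse import urlencode

CAS_LOGIN = "http://localhost:18080/cas-server/login"  # casServerLoginUrl init-param
USERS = {"casuser": "Mellon"}                           # AcceptUsersAuthenticationHandler map


def login_redirect(server_name, request_uri):
    """URL the AuthenticationFilter redirects an unauthenticated browser to:
    serverName + request URI becomes the url-encoded 'service' parameter."""
    return CAS_LOGIN + "?" + urlencode({"service": server_name + request_uri})


class CasServer:
    """Stand-in for tomcat-cas: one ticket-granting ticket (the CASTGC cookie)
    per browser, one single-use service ticket per protected service visited."""

    def __init__(self):
        self.tgts, self.tickets, self.issued = {}, {}, 0

    def login(self, tgc, service, user=None, password=None):
        """Return (tgc, st); (None, None) means the login form must be shown."""
        if tgc not in self.tgts:                     # no SSO session yet
            if password is None or USERS.get(user) != password:
                return None, None
            tgc = f"TGT-{len(self.tgts) + 1}"
            self.tgts[tgc] = user
        self.issued += 1                             # existing TGT: ST issued silently
        st = f"ST-{self.issued}"
        self.tickets[st] = (service, self.tgts[tgc])
        return tgc, st

    def validate(self, st, service):
        """/serviceValidate as used by CASValidationFilter: the ticket is
        consumed on first use and must belong to the requesting service."""
        svc, user = self.tickets.pop(st, (None, None))
        return user if svc == service else None


def sso_visit(cas, browser, service, user=None, password=None):
    """One visit to a protected client; 'browser' is a dict holding the CASTGC cookie."""
    tgc, st = cas.login(browser.get("CASTGC"), service, user, password)
    if tgc is None:
        return "redirected to login form"
    browser["CASTGC"] = tgc
    return f"logged in as {cas.validate(st, service)}"
```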

