SSO Single Sign-On Series (1): Setting Up a CAS 4.0 Environment
I. Overview
This is the first article in the CAS series. It covers setting up a CAS environment, serves as a primer for readers who are new to CAS, and walks through the simplest possible CAS example.
II. Environment Requirements
The author's environment is as follows:
- Windows 8.1
- JDK 1.7 (download link)
- Tomcat 8.0.15 (download link)
- cas-server-4.0.0 and cas-client-3.3.3 (download link; the official site is slow, so a Baidu Netdisk mirror was provided)
Three Tomcat servers are needed, named apache-tomcat-8.0.15-app1, apache-tomcat-8.0.15-app2 and apache-tomcat-8.0.15-cas.
Their roles are as follows:

| No. | Server name | Role |
| --- | --- | --- |
| 1 | tomcat-app1 | Client server 1: hosts the user application app1 |
| 2 | tomcat-app2 | Client server 2: hosts the user application app2 |
| 3 | tomcat-cas | CAS server: hosts the CAS server web application |
III. Special Notes
CAS authenticates over HTTPS by default. For a setup with low security requirements, such as this local demo, the author recommends switching to HTTP, because with a self-signed certificate the browser keeps warning that the certificate is untrusted or expired and asks the user to confirm, which is a poor experience; HTTPS can be re-enabled later when it is needed. Keep in mind that over plain HTTP the CASTGC ticket-granting cookie and the service tickets travel in cleartext, so the HTTP setup is only suitable for local testing.
If you do need HTTPS, certificate generation is covered in the article "CAS Single Sign-on Certificate Import".
How to switch off HTTPS is described in detail in section IV below (step 2).
IV. Worked Example
Step 1: Modify Tomcat
- Unzip the downloaded tomcat-8.0.15.zip, make three copies, and name them as agreed in section II.
Change the ports of each copy so that the three Tomcats can run on the same machine. The author's access ports are as follows:
| No. | Server name | Access port |
| --- | --- | --- |
| 1 | tomcat-app1 | 8081 |
| 2 | tomcat-app2 | 8082 |
| 3 | tomcat-cas | 18080 |
How to change the ports: open X:\tomcat-app1\conf\server.xml and edit three elements.
First, the shutdown port (default 8005):
<Server port="8005" shutdown="SHUTDOWN">
Second, the HTTP connector port (default 8080):
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
Third, the AJP connector port (default 8009):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Set each of them to the port you want. All three values must differ between the instances, not just the HTTP port; otherwise the instance started later fails to bind to the shared port.
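Because the three instances share one host, a clash on any of the three ports only shows up when the second Tomcat fails to start. The script below is an added example, not part of the original article: it derives the three ports for each instance, rejects collisions, and patches a copy of server.xml. The derivation rule (shutdown = HTTP - 75, AJP = HTTP - 71, which reproduces Tomcat's defaults 8005/8080/8009) and the server.xml excerpt are assumptions made for the illustration.

```python
"""Plan non-clashing ports for several Tomcat instances on one host and
patch each instance's server.xml accordingly.

Added example, not from the original article. The derivation rule
(shutdown = HTTP - 75, AJP = HTTP - 71, which reproduces Tomcat's defaults
8005/8080/8009) and the server.xml excerpt are assumptions for illustration.
"""
import re

# Constructed excerpt of a stock Tomcat 8 server.xml containing the three
# elements whose ports must differ between instances.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def plan_ports(http_ports):
    """Derive shutdown/HTTP/AJP ports for each instance and reject clashes.

    http_ports maps instance name -> desired HTTP port. A ValueError is
    raised for a privileged or out-of-range port, or for a port that two
    instances would share (the usual cause of 'Address already in use'
    when the second Tomcat starts).
    """
    plan = {}
    owner = {}  # port -> "instance/role" that already claimed it
    for name, http in http_ports.items():
        ports = {"shutdown": http - 75, "http": http, "ajp": http - 71}
        for role, port in ports.items():
            if not 1024 <= port <= 65535:
                raise ValueError(f"{name}: {role} port {port} out of range")
            if port in owner:
                raise ValueError(f"{name}: {role} port {port} already used by {owner[port]}")
            owner[port] = f"{name}/{role}"
        plan[name] = ports
    return plan


def rewrite_server_xml(xml_text, ports):
    """Return xml_text with the shutdown, HTTP and AJP ports replaced.

    Regex substitution is used rather than an XML parser so that comments
    and layout of server.xml survive; each pattern must match exactly once.
    """
    patterns = [
        (r'(<Server\s+port=")\d+(")', ports["shutdown"]),
        (r'(<Connector\s+port=")\d+("\s+protocol="HTTP/1\.1")', ports["http"]),
        (r'(<Connector\s+port=")\d+("\s+protocol="AJP/1\.3")', ports["ajp"]),
    ]
    for pattern, port in patterns:
        xml_text, count = re.subn(pattern, rf"\g<1>{port}\g<2>", xml_text)
        if count != 1:
            raise ValueError(f"expected one match for {pattern}, got {count}")
    return xml_text


def listening_ports(xml_text):
    """List the port="..." values in document order (shutdown, HTTP, AJP).
    redirectPort is not matched because its attribute name has a capital P."""
    return [int(p) for p in re.findall(r'\bport="(\d+)"', xml_text)]


if __name__ == "__main__":
    plan = plan_ports({"tomcat-app1": 8081, "tomcat-app2": 8082, "tomcat-cas": 18080})
    for name, ports in plan.items():
        patched = rewrite_server_xml(SAMPLE_SERVER_XML, ports)
        print(name, listening_ports(patched))
```

To use it on a real installation, read each instance's conf\server.xml, pass the text to rewrite_server_xml with that instance's entry from plan_ports, and write the result back; the function refuses to patch a file where any of the three elements cannot be found exactly once, which catches a server.xml that has already been edited by hand.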
Step 2: Deploy the CAS server
- Unzip the downloaded cas-server-4.0.0-release.zip
- Locate X:\cas-server-4.0.0\modules\cas-server-webapp-4.0.0.war
- Unzip it into tomcat-cas\webapps\cas-server\ (this gives the /cas-server context path used below)
- To switch off HTTPS:
1) Open cas-server\WEB-INF\deployerConfigContext.xml and locate the following configuration:
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"/>
Add the attribute p:requireSecure="false". It controls whether the proxy callback URL has to be HTTPS; false means it is not required. After the change:
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" p:requireSecure="false"/>
2) Open cas-server\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml and locate the following configuration:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas"/>
Change p:cookieSecure="true" to p:cookieSecure="false".
A Secure cookie is only sent over HTTPS; with the flag off, the browser also returns the CASTGC cookie over plain HTTP. If your CAS web application runs under a context path other than /cas (it is /cas-server here), also check that p:cookiePath matches that context, since a cookie the browser does not send back to the login URL breaks SSO between the applications.
3) Open cas-server\WEB-INF\spring-configuration\warnCookieGenerator.xml and locate the following configuration:
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASPRIVACY"
      p:cookiePath="/cas"/>
Change p:cookieSecure="true" to p:cookieSecure="false".
As above, this lets the browser send the CASPRIVACY cookie over plain HTTP.
- Start tomcat-cas and open http://localhost:18080/cas-server; the CAS login page should appear.
Note: before CAS 4.0 the default rule was that authentication succeeded as long as the user name and password were identical. From 4.0 the rule changed: the default is configured in deployerConfigContext.xml, where you can see the user name and password casuser/Mellon:
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon"/>
        </map>
    </property>
</bean>
This handler is a test fixture with a publicly documented password; replace it with a real authentication handler (LDAP, JDBC, etc.) before anyone else can reach the server.
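The three edits in step 2 leave the CAS server issuing its cookies and accepting proxy callbacks over plain HTTP, and they are easy to forget when the same WAR is later moved to a real host. The script below is an added example, not from the article or from CAS: it parses the Spring XML of those files and reports every watched bean whose p:requireSecure or p:cookieSecure flag is not explicitly "true". The file names are the real ones under WEB-INF; the XML texts and the file list are constructed here to mirror the fragments above after the demo edits.

```python
"""Report CAS 4.0 Spring beans whose HTTPS-related flags are switched off.

Added example, not from the original article or from CAS. The file names
are the real ones under cas-server/WEB-INF; the XML texts below are
constructed to mirror the fragments in step 2 after the demo edits.
"""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"  # Spring p-namespace behind p:cookieSecure etc.

# bean id -> p-namespace attribute that should read "true" outside a local demo
EXPECTED_TRUE = {
    "proxyAuthenticationHandler": "requireSecure",
    "ticketGrantingTicketCookieGenerator": "cookieSecure",
    "warnCookieGenerator": "cookieSecure",
}

# Constructed samples: the first two carry the demo edits, the third does not.
SAMPLES = {
    "deployerConfigContext.xml": f"""<beans xmlns="{BEANS_NS}" xmlns:p="{P_NS}">
  <bean id="proxyAuthenticationHandler"
        class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" p:requireSecure="false"/>
</beans>""",
    "spring-configuration/ticketGrantingTicketCookieGenerator.xml": f"""<beans xmlns="{BEANS_NS}" xmlns:p="{P_NS}">
  <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas"/>
</beans>""",
    "spring-configuration/warnCookieGenerator.xml": f"""<beans xmlns="{BEANS_NS}" xmlns:p="{P_NS}">
  <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="true" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas"/>
</beans>""",
}


def audit_transport_flags(files):
    """files maps file name -> XML text.

    Returns (file, bean id, attribute, value) for every watched bean whose
    flag is missing or not "true". A missing attribute is reported as well:
    the shipped CAS files set these flags explicitly, so silence is more
    likely an accidental deletion than a deliberate choice.
    """
    findings = []
    for fname, text in files.items():
        root = ET.fromstring(text)
        for bean in root.iter(f"{{{BEANS_NS}}}bean"):
            attr = EXPECTED_TRUE.get(bean.get("id"))
            if attr is None:
                continue
            value = bean.get(f"{{{P_NS}}}{attr}")  # namespaced attribute key
            if value is None or value.strip().lower() != "true":
                findings.append((fname, bean.get("id"), attr, value))
    return findings


if __name__ == "__main__":
    for fname, bean_id, attr, value in audit_transport_flags(SAMPLES):
        print(f'{fname}: bean "{bean_id}" has p:{attr}={value!r}; '
              'demo-only setting, restore "true" before exposing the server')
```

Run it against the real files by reading each one into the dictionary in place of the constructed strings; an empty result is the state you want before the server is reachable from anywhere but localhost.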
Step 3: Configure the client (cas-client)
Note: Tomcat's bundled examples web application is used directly as the client.
- Unzip the downloaded cas-client-3.3.3-release.zip and copy cas-client-3.3.3\modules\cas-client-core-3.3.3.jar
- Put it under tomcat-app1\webapps\examples\WEB-INF\lib (both client Tomcats need it; only one is shown here)
- Edit examples\WEB-INF\web.xml and add the following:
<!-- ======================== Single Sign-On start ======================== -->
<!-- Listener used for single sign-out; optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter handles single sign-out requests from the CAS server; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter redirects unauthenticated requests to the CAS login page; required. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://localhost:18080/cas-server/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket returned by CAS; it must be enabled. -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:18080/cas-server</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter wraps the HttpServletRequest so that, for example, the developer can
     obtain the login name of the SSO user through HttpServletRequest.getRemoteUser(); optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter lets the developer obtain the login name through org.jasig.cas.client.util.AssertionHolder,
     e.g. AssertionHolder.getAssertion().getPrincipal().getName(); optional. -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single Sign-On end ======================== -->
- Start tomcat-app1 and visit http://localhost:8081/examples; the browser is redirected to
http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F
which shows that the client now hands authentication to CAS.
tomcat-app2 is configured the same way and is not shown here.
I uploaded the two modified web.xml files:
Tomcat-app1: web.xml
Tomcat-app2: web.xml
Step 4: Single sign-on flow demo
Start the three Tomcats in turn, then visit the two clients first to see the effect:
1. Visit http://localhost:8081/examples -> redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F
2. Visit http://localhost:8082/examples -> redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8082%2Fexamples%2F
This shows that on their first visit both clients redirect to cas-server for authentication.
Next, log in to one of the clients, http://localhost:8081/examples, with the account casuser/Mellon.
After a successful login the examples page is shown.
Then open a new tab and go directly to http://localhost:8082/examples.
It is displayed straight away, without a redirect to the cas-server login page.
Single sign-on across the two clients works: log in to one, and the other is accessible without logging in again.
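What the web.xml filters do during this demo, shown as an added example in plain Python (not code from the article or from cas-client): the AuthenticationFilter builds the login redirect seen above; after login CAS sends the browser back to the service URL with a ticket parameter (ticket=ST-...); and the Cas20ProxyReceivingTicketValidationFilter checks that ticket server-to-server at /serviceValidate, whose XML reply format is defined by the CAS 2.0 protocol. The ticket value and the two serviceValidate replies below are constructed for the example.

```python
"""Client side of the CAS 2.0 exchange behind the web.xml filters above.

Added example, not the article's code and not cas-client's. The ticket
value and the two serviceValidate replies are constructed; the reply
format is the one defined by the CAS 2.0 protocol.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"
CAS_PREFIX = "http://localhost:18080/cas-server"  # casServerUrlPrefix from web.xml


def login_redirect(service_url, cas_prefix=CAS_PREFIX):
    """AuthenticationFilter: no assertion in the session, so send the browser
    to CAS with the service URL it should come back to (URL-encoded)."""
    return f"{cas_prefix}/login?" + urlencode({"service": service_url})


def service_from_login_url(url):
    """What CAS does with the redirect: recover the service parameter."""
    return parse_qs(urlparse(url).query)["service"][0]


def validate_url(service_url, ticket, cas_prefix=CAS_PREFIX):
    """Cas20ProxyReceivingTicketValidationFilter: the browser returned with
    ?ticket=ST-..., and the web app validates it directly against CAS using
    the same service URL that was used at login."""
    return f"{cas_prefix}/serviceValidate?" + urlencode({"service": service_url, "ticket": ticket})


def parse_service_response(xml_text):
    """Return the authenticated user name from a CAS 2.0 serviceResponse,
    or raise ValueError on authenticationFailure or a malformed reply."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    if user is None or not user.text:
        raise ValueError("malformed serviceResponse: no authenticationSuccess/user")
    return user.text.strip()


# Constructed replies in the CAS 2.0 format: one success, one failure.
SUCCESS_RESPONSE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    service = "http://localhost:8081/examples/"
    print(login_redirect(service))
    print(validate_url(service, "ST-1-example"))
    print(parse_service_response(SUCCESS_RESPONSE))
```

The login URL produced by login_redirect is exactly the one observed in step 3. Two protocol details matter for the validation step: CAS refuses the ticket if the service URL passed to /serviceValidate differs from the one used at /login, and a service ticket can be validated only once, so a replayed ticket fails with an authenticationFailure like the second reply above. The validation call is made by the web application, not the browser; over the HTTP setup used in this article it is unencrypted, which is why HTTPS matters outside a local test.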