Research on CAS

Source: Internet
Author: User

CAS has become very popular as an open-source single sign-on (SSO) framework. Because it is minimally intrusive to existing systems and supports many languages, it has attracted the attention of developers, and many companies choose it as their preferred SSO framework. There are already plenty of articles online about how to set up CAS, so I will not repeat them. But what you find online is sometimes incomplete, and many people are confused by version differences. I used to be confused too. If you are new to CAS, please read on. If you are a CAS master, please correct me where I am wrong.

CAS was first developed by Yale University (versions earlier than CAS 2.0). Later it was open-sourced and developed by JASIG (versions later than CAS 2.0). Therefore, when you pick an article to follow for a hands-on exercise, pay attention to which version it covers. I recommend reading the official JASIG documentation: https://wiki.jasig.org/display/CASC

A complete single sign-on solution consists of two parts:

CAS Server

The basic steps are as follows:

1. Download the CAS server package

2. Configure HTTPS access settings for Tomcat

3. To deploy the CAS server, copy the .war file to the Tomcat directory.

4. Generate a certificate (you can buy one or use a self-signed certificate; if you simply use the HTTP protocol, you do not need a certificate)

5. Modify user access configuration (CAS supports relational databases, LDAP, and other data storage)

 

CAS Client

The CAS client is deployed on the application side. Because single sign-on usually means retrofitting existing systems, how intrusive the client is matters a great deal: the less intrusive it is, the easier it is to deploy and test. One of the advantages of the CAS framework is that its client is minimally intrusive to the application system. For Java web projects, you only need to add a filter in web.xml, copy the CAS client jar into the application, and then modify the login authentication process. If the CAS server uses HTTPS, you also need to import its certificate into the JVM's trusted certificate store, usually $JAVA_HOME/lib/security/cacerts.

 

Everything looks simple, but you may encounter various problems in actual deployment. Many of them are already answered on the Internet. Here I will record one problem for which I could not find an answer.

Symptom:

You have configured the CAS server and deployed the CAS client. Logging on to the CAS server over HTTPS works, but after login you are not taken to the page you wanted. Everything seems to be configured correctly: the certificate has been exported, HTTPS is configured, and the filter has been added. Nevertheless, "CAS Ticket Validation exception" and "CAS server no response" errors are thrown continuously.

Solution:

Check that your client configures all four filters and that they are in the correct order.

    <!-- CAS SSO -->
    <!-- 1. Redirects unauthenticated requests to the CAS login page -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas-server:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>gateway</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://client-host:8080</param-value>
        </init-param>
    </filter>
    <!-- 2. Validates the ticket returned by the CAS server -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas-server:8443/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://client-host:8080</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <!-- 3. Exposes the user through request.getRemoteUser() -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <!-- 4. Makes the assertion available where the request is not -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>

    <!-- The mappings must appear in the same order as the four filters above -->
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/sso/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/sso/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/sso/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/sso/*</url-pattern>
    </filter-mapping>

The official documents indicate that these four filters are required.

The correct order of the filters in web.xml is necessary:

    1. AuthenticationFilter
    2. TicketValidationFilter (whichever one is chosen)
    3. HttpServletRequestWrapperFilter
    4. AssertionThreadLocalFilter

Here I want to explain why these four filters must be configured.

AuthenticationFilter intercepts SSO login requests. When a request you submit matches the SSO login rules, the CAS client uses this filter to redirect it to the login page of the CAS server. Because this is the first step, it must come first.

TicketValidationFilter intercepts the redirect that comes back after login. After the CAS server has confirmed the username and password, it returns a service ticket. The CAS client on the application server sends this ticket back to the CAS server for verification, which guards against forged tickets.
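The validation step described above, as an added example that is not part of the original article or the CAS client code: it builds the CAS 2.0 `/serviceValidate` back-channel URL and parses the server's XML reply, treating anything other than a success element with a user as a failure. The `/sso/home` path, the user `alice` and the ticket `ST-1-example` are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 responses

def validation_url(cas_server_url_prefix, service, ticket):
    """Back-channel URL for CAS 2.0 validation; service must equal the login-time value."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + query

def parse_validation(xml_text):
    """Return the authenticated user name, or raise ValueError with the failure code."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not a CAS response: {exc}") from None
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS response: unexpected root element")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=CAS_NS)
    if not user or not user.strip():
        raise ValueError("no authenticationSuccess/user in response")
    return user.strip()

# Constructed sample responses in the CAS 2.0 format (user and ticket are made up).
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validation_url("https://cas-server:8443/cas/",
                         "http://client-host:8080/sso/home", "ST-1-example"))
    print(parse_validation(SUCCESS))
```
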

HttpServletRequestWrapperFilter wraps the information returned by the CAS server into the HTTP request, so that the client can call request.getRemoteUser() to obtain the user name and other information.

AssertionThreadLocalFilter is for front-end programs (usually front-end scripting programs), because at that point you cannot obtain the information through the request.

If these four filters are not correctly configured, various errors will be reported.
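A check for the ordering rule above, as an added example (not code from the original article or from the CAS project): it reads a web.xml, identifies the four `org.jasig.cas.client` filters by class name, and reports any that are missing or whose `<filter-mapping>` entries are out of order. The `sample_web_xml` helper and its `f0`..`f3` filter names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

PKG = "org.jasig.cas.client."
# Required order; any class ending in TicketValidationFilter fills slot 2.
REQUIRED = ["AuthenticationFilter", "TicketValidationFilter",
            "HttpServletRequestWrapperFilter", "AssertionThreadLocalFilter"]
GOOD = [PKG + "authentication.AuthenticationFilter",
        PKG + "validation.Cas20ProxyReceivingTicketValidationFilter",
        PKG + "util.HttpServletRequestWrapperFilter",
        PKG + "util.AssertionThreadLocalFilter"]

def _local(tag):  # strip an XML namespace such as {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]

def _role(class_name):
    if class_name.startswith(PKG):
        for role in REQUIRED:
            if class_name.endswith(role):
                return role
    return None

def check_cas_filters(web_xml_text):
    """Return a list of findings; an empty list means all four filters are mapped in order."""
    root = ET.fromstring(web_xml_text)
    name_to_role, mapped = {}, []
    for el in root:
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if _local(el.tag) == "filter":
            name_to_role[kids.get("filter-name")] = _role(kids.get("filter-class", ""))
        elif _local(el.tag) == "filter-mapping":
            mapped.append(kids.get("filter-name"))
    # The container builds the chain in <filter-mapping> order, not <filter> order.
    roles = [name_to_role.get(n) for n in mapped if name_to_role.get(n)]
    findings = [f"missing or unmapped: {r}" for r in REQUIRED if r not in roles]
    actual = sorted(set(roles), key=roles.index)
    expected = [r for r in REQUIRED if r in roles]
    if actual != expected:
        findings.append("wrong order: " + " -> ".join(actual))
    return findings

def sample_web_xml(classes):
    """Constructed web.xml that declares the classes and maps them to /sso/* in list order."""
    decl = "".join(f"<filter><filter-name>f{i}</filter-name>"
                   f"<filter-class>{c}</filter-class></filter>" for i, c in enumerate(classes))
    maps = "".join(f"<filter-mapping><filter-name>f{i}</filter-name>"
                   f"<url-pattern>/sso/*</url-pattern></filter-mapping>" for i in range(len(classes)))
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{decl}{maps}</web-app>'

if __name__ == "__main__":
    print(check_cas_filters(sample_web_xml([GOOD[1], GOOD[0]] + GOOD[2:])))
```
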
