Single Sign-On (SSO) based on CAS: CAS + LDAP for Single Sign-on authentication and ssoldap
[1]. Overview
CAS is the central authentication portal for N systems. User information is shared across multiple systems and should be maintained separately. This information may belong to different systems, organizations, and countries, and so forms a tree structure. Maintaining tree-structured information is a weakness of relational databases; that is the original motivation for integrating CAS with LDAP in this article.
This document describes how to integrate CAS and LDAP to implement single sign-on.
[2]. Detailed steps
1. LDAP installation and configuration
For details, see:
Introduction to OpenLDAP installation and configuration on Windows
Install and configure it, then add some test data as follows:
2. Basic CAS installation and configuration:
See the demonstration of a CAS single sign-on (SSO) instance
3. Integrate LDAP configuration with CAS
For Maven build projects, add the LDAP-related dependency:
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <!-- Add the dependency
    <dependency>
        <groupId>commons-pool</groupId>
        <artifactId>commons-pool</artifactId>
        <version>${apache.commons.pool.version}</version>
    </dependency>
    -->
Les) and spring-ldap-core-1.3.1.RELEASE.jar
There are two LDAP authentication configurations:
[First], FastBindLdapAuthenticationHandler
This authentication handler is generally used when the DN can be composed directly from the user name, for example: uid=%u,ou=dev,dc=micmiu.com,dc=com, where %u is the user name entered at CAS logon.
Modify the web configuration file WEB-INF\deployerConfigContext.xml:
First, add the contextSource bean under the <beans> node:
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="false"/>
        <property name="url" value="ldap://127.0.0.1:389"/>
        <property name="userDn" value="cn=Manager"/>
        <property name="password" value="secret"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
                <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
                <entry key="java.naming.security.authentication" value="simple"/>
            </map>
        </property>
    </bean>
contextSource configuration notes:
- If you have multiple LDAP servers, you can configure multiple URLs.
- When FastBindLdapAuthenticationHandler is configured, the userDn here can be "cn=Manager,ou=dev,dc=micmiu,dc=com", "cn=Manager,ou=dev", "cn=Manager", or simply "Manager": this handler binds directly as the user's own DN, so the manager credentials are not used for a search.
- If the LDAP server uses SSL, note that the url prefix must be ldaps, for example "ldaps://192.168.8.150:636".
Inside <bean id="authenticationManager">, find the SimpleTestUsernamePasswordAuthenticationHandler configuration and replace it as follows:
    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u,ou=Developer,dc=micmiu,dc=com"/>
        <property name="contextSource" ref="contextSource"/>
    </bean>
After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and run the authentication test:
- Enter Michael/111111: logon succeeds.
- Enter Miumiu/111111: logon fails.
[Second], BindLdapAuthenticationHandler
This authentication handler is generally used to verify the user name against an attribute other than the one that forms the DN, such as the email address, rather than the uid used by the first handler (uid also works; the configuration example below uses mail).
Modify the web configuration file WEB-INF\deployerConfigContext.xml:
Add the contextSource bean under the <beans> node:
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="anonymousReadOnly" value="false"/>
        <property name="password" value="secret"/>
        <property name="pooled" value="true"/>
        <property name="urls">
            <list>
                <value>ldap://127.0.0.1:389</value>
            </list>
        </property>
        <property name="userDn" value="cn=Manager,dc=micmiu,dc=com"/>
        <property name="baseEnvironmentProperties">
            <map>
                <!-- LDAP SSL access configuration
                <entry key="java.naming.security.protocol" value="ssl"/>
                -->
                <entry key="java.naming.security.authentication" value="simple"/>
            </map>
        </property>
    </bean>
Modify the authentication handler bean inside <bean id="authenticationManager"> as follows:
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="mail=%u"/>
        <property name="searchBase" value="dc=micmiu,dc=com"/>
        <property name="contextSource" ref="contextSource"/>
        <!-- Allow multiple accounts -->
        <property name="allowMultipleAccounts" value="true"/>
    </bean>
After the configuration, start the three applications tomcat-cas, tomcat-app1 and tomcat-app2 and run the authentication test:
- Enter Michael/111111: logon succeeds.
- Enter Miumiu/111111: logon succeeds.
If you change the searchBase parameter to "ou=Developer,dc=micmiu,dc=com", restart and repeat the authentication test, the result is:
- Enter Michael/111111: logon succeeds.
- Enter Miumiu/111111: logon fails.
With this searchBase the authentication result is the same as with the first handler, because the search is restricted to the ou=Developer subtree.
For the configuration of the connection pool, see the official introduction: https://wiki.jasig.org/display/CASUM/LDAP
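To make the difference between the two handlers concrete, here is an added example (not code from the original article or from the CAS project) that models the logic of FastBindLdapAuthenticationHandler and BindLdapAuthenticationHandler against a small in-memory directory built from the test data described above. The entries, attribute values and the rule that DNs compare case-insensitively are assumptions constructed for the illustration; the real handlers bind to an LDAP server through Spring LDAP. Two defensive details the article does not spell out are included: the user name is escaped (RFC 4515 for the search filter, RFC 4514 for the DN template) before substitution into "%u", and an empty password is rejected before any bind, since an LDAP simple bind with an empty password is treated by servers as an anonymous bind and would otherwise "succeed".

```python
import re
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter (e.g. mail=%u)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN template (e.g. uid=%u,ou=...)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch == '#'):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


@dataclass
class Entry:
    dn: str
    attrs: dict      # attribute name -> list of values
    password: str


class Directory:
    """Constructed stand-in for the LDAP server: supports bind and equality search."""

    def __init__(self, entries):
        self.entries = {e.dn.lower(): e for e in entries}   # assumption: DNs match case-insensitively

    def bind(self, dn: str, password: str) -> bool:
        # An empty password would be an unauthenticated (anonymous) bind on a real server: reject it.
        e = self.entries.get(dn.lower())
        return e is not None and password != '' and e.password == password

    def search(self, base: str, filt: str):
        """Subtree search under `base` for a single equality filter `attr=value`; returns matching DNs."""
        attr, _, raw = filt.partition('=')
        want = unescape_filter_value(raw)
        base_l = base.lower()
        hits = []
        for e in self.entries.values():
            dn_l = e.dn.lower()
            if dn_l != base_l and not dn_l.endswith(',' + base_l):
                continue
            if want in e.attrs.get(attr, []):
                hits.append(e.dn)
        return hits


def fast_bind(directory, filter_template, username, password) -> bool:
    """FastBindLdapAuthenticationHandler: compose the DN from the template and bind as that user."""
    dn = filter_template.replace('%u', escape_dn_value(username))
    return directory.bind(dn, password)


def bind_search(directory, manager_dn, manager_password, search_base, filter_template,
                username, password, allow_multiple_accounts=False) -> bool:
    """BindLdapAuthenticationHandler: bind as the manager, search, then bind as each candidate DN."""
    if not directory.bind(manager_dn, manager_password):
        return False
    hits = directory.search(search_base, filter_template.replace('%u', escape_filter_value(username)))
    if not hits:
        return False
    if len(hits) > 1 and not allow_multiple_accounts:
        return False            # ambiguous account and allowMultipleAccounts=false
    return any(directory.bind(dn, password) for dn in hits)


# Constructed test data modelled on the article's Michael/Miumiu accounts (mail values are assumed).
DIRECTORY = Directory([
    Entry('cn=Manager,dc=micmiu,dc=com', {'cn': ['Manager']}, 'secret'),
    Entry('uid=Michael,ou=Developer,dc=micmiu,dc=com', {'uid': ['Michael'], 'mail': ['michael@micmiu.com']}, '111111'),
    Entry('uid=Miumiu,ou=Test,dc=micmiu,dc=com', {'uid': ['Miumiu'], 'mail': ['miumiu@micmiu.com']}, '111111'),
    # A second entry sharing Michael's mail address, to show what allowMultipleAccounts controls.
    Entry('uid=Michael2,ou=Test,dc=micmiu,dc=com', {'uid': ['Michael2'], 'mail': ['michael@micmiu.com']}, 'other'),
])

FAST_TEMPLATE = 'uid=%u,ou=Developer,dc=micmiu,dc=com'
MANAGER = ('cn=Manager,dc=micmiu,dc=com', 'secret')


def run_scenarios() -> dict:
    """Reproduce the article's test matrix plus the two defensive checks."""
    wide, narrow = 'dc=micmiu,dc=com', 'ou=Developer,dc=micmiu,dc=com'
    return {
        'fast_bind_michael': fast_bind(DIRECTORY, FAST_TEMPLATE, 'Michael', '111111'),
        'fast_bind_miumiu': fast_bind(DIRECTORY, FAST_TEMPLATE, 'Miumiu', '111111'),
        'bind_dc_michael_multi': bind_search(DIRECTORY, *MANAGER, wide, 'mail=%u', 'michael@micmiu.com', '111111', True),
        'bind_dc_michael_single': bind_search(DIRECTORY, *MANAGER, wide, 'mail=%u', 'michael@micmiu.com', '111111', False),
        'bind_dc_miumiu': bind_search(DIRECTORY, *MANAGER, wide, 'mail=%u', 'miumiu@micmiu.com', '111111', True),
        'bind_ou_michael': bind_search(DIRECTORY, *MANAGER, narrow, 'mail=%u', 'michael@micmiu.com', '111111', True),
        'bind_ou_miumiu': bind_search(DIRECTORY, *MANAGER, narrow, 'mail=%u', 'miumiu@micmiu.com', '111111', True),
        'empty_password': bind_search(DIRECTORY, *MANAGER, wide, 'mail=%u', 'michael@micmiu.com', '', True),
        'filter_injection_attempt': bind_search(DIRECTORY, *MANAGER, wide, 'mail=%u', '*)(uid=*', '111111', True),
    }


if __name__ == '__main__':
    for name, ok in run_scenarios().items():
        print(f'{name:26s} {"success" if ok else "fail"}')
```

Running the block prints one line per scenario: the FastBind template only reaches entries under ou=Developer, so Miumiu fails there; the Bind handler with searchBase dc=micmiu,dc=com finds both users, and narrowing searchBase to ou=Developer reproduces the FastBind outcome. The duplicate-mail case shows why allowMultipleAccounts=true is a trade-off: it lets authentication proceed when a filter matches several entries, so it should only be enabled when the directory really can contain such duplicates.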
Summary
CAS and LDAP are mainly used in system integration scenarios. CAS provides a uniform authentication portal for multiple systems, so you log on once to access all of them. LDAP stores the information shared by multiple systems, such as user information and user permission information. This information is common and simple (mostly strings) and changes rarely; because it belongs to different organizations and systems, it forms a tree structure, that is, a directory. This allows efficient lookup when matching the user name and password.
Cas Single Sign-on
First, answer your first question. The security certificate is used by Tomcat or Apache to enable SSL (Secure Sockets Layer), that is, to support the HTTPS protocol. We usually use Tomcat as the application server, so we first need Tomcat to support HTTPS. Enabling HTTPS is very easy; please refer to the official documentation. A brief introduction here: first, generate a certificate for the JDK on the machine where Tomcat is deployed (strictly speaking the JRE, but we usually install the JDK rather than the JRE on the Tomcat server); you can use the keytool that comes with the JRE to generate the certificate. During certificate generation, note the CN item, the first field, which is the server domain name; for example, you can use localhost for local testing. Use the following commands:
1. keytool -keystore keystore -alias acegisecurity -genkey -keyalg RSA -validity 9999 -storepass password -keypass password
What is your first and last name? (This is the CN item.) Answer localhost.
You can enter anything for the other information.
2. keytool -export -v -rfc -alias acegisecurity -file acegisecurity.txt -keystore keystore -storepass password
This step exports the certificate.
3. Copy acegisecurity.txt to %JAVA_HOME%\jre\lib\security
4. Copy the keystore file to %CATALINA_HOME%
5. Enter %JAVA_HOME%\jre\lib\security in the console window (on Windows, the DOS window)
6. keytool -import -v -file acegisecurity.txt -keypass password -keystore cacerts -storepass changeit -alias acegisecurity
This imports the certificate into the virtual machine.
Next, open %CATALINA_HOME%/conf/server.xml in an editor and find:
    <Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"/>
This element is commented out by default. Uncomment it and add keystoreFile="keystore" keystorePass="passwo......
Java implements single sign-on without a certificate. How can this problem be solved?
Is it CAS? Do you need a certificate? You configure it yourself! CAS does not need certificates. This is certain! We used it in the middle of a project!