[SSO single sign-on series] (1): Set up the CAS environment

Source: Internet
Author: User

I. Overview

This is the first article in the CAS series. It mainly describes how to set up a CAS environment, serves as a getting-started guide to CAS, and demonstrates the simplest possible CAS example.

 

II. Environment requirements

The blogger's environment is as follows:

Three Tomcat servers need to be deployed; I named them apache-tomcat-8.0.15-app1, apache-tomcat-8.0.15-app2 and apache-tomcat-8.0.15-cas.

Their roles are as follows:

No.  Server name   Purpose
1    Tomcat-app1   Client server 1: deploys the application app1
2    Tomcat-app2   Client server 2: deploys the application app2
3    Tomcat-cas    CAS server: deploys the CAS server application


III. Special Instructions

CAS uses the HTTPS protocol by default. If your security requirements are not high, we recommend switching it to HTTP. With HTTPS enabled, the browser will often warn that the certificate has expired or is untrusted and ask the user to confirm it, which hurts the user experience. Enable HTTPS if you need it. Bear in mind that over plain HTTP the CAS tickets and the CASTGC login cookie travel in cleartext, so the HTTP setup described here is only suitable for a local test environment.

If you need HTTPS, refer to this article for certificate generation: CAS Single Sign-On certificate Import

The method for switching off HTTPS is described in detail in Section IV. Read on!


IV. Example walkthrough

Step 1: Modify Tomcat

Change the startup ports of the Tomcat instances so that several of them can run on one machine. My access ports are as follows:

No.  Server name   Access port
1    Tomcat-app1   8081
2    Tomcat-app2   8082
3    Tomcat-cas    18080

Port modification method: open the file x:\tomcat-app1\conf\server.xml and find the following three ports.

First: the shutdown port (default 8005):
<Server port="8005" shutdown="SHUTDOWN">

Second: the HTTP access port (default 8080):
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>

Third: the AJP port (default 8009):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

Change each of them to the port you need. All three ports must be different for every Tomcat instance running on the same machine.


Step 2: Deploy the CAS server (cas-server)

1) Open cas-server\WEB-INF\deployerConfigContext.xml and find the following configuration:

<!-- Required for proxy ticket mechanic. -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"/>

Add the parameter p:requireSecure="false". It controls whether the callback must use HTTPS ("true") or whether plain HTTP is accepted ("false"). After modification:

<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"
      p:requireSecure="false"/>

2) Open cas-server\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml and find the following configuration:

<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas"/>

Change p:cookieSecure="true" to p:cookieSecure="false"; the cookie is then no longer restricted to HTTPS.

3) Open cas-server\WEB-INF\spring-configuration\warnCookieGenerator.xml and find the following configuration:

<bean id="warnCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASPRIVACY"
      p:cookiePath="/cas"/>

Change p:cookieSecure="true" to p:cookieSecure="false" here as well.

Note that CASTGC is the cookie that represents the user's logged-in session at the CAS server. With cookieSecure="false" the browser also sends it over plain HTTP, so these three changes belong in a test environment only; restore the "true" values wherever the server is reachable over a network.

5. Start tomcat-cas and access http://localhost:18080/cas-server. The following page is displayed:

Note: before cas-server 4.0 the default verification rule was that a user is authenticated as long as the user name and password are identical.

From 4.0 on, the rule changed. By default the users are configured in the deployerConfigContext.xml file, where you can see that the user name and password are casuser/Mellon:

<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon"/>
        </map>
    </property>
</bean>
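As an added example (not code from the original post), the following Python script parses the Spring bean files edited in 1) to 3) above and reports every bean whose HTTPS-related attribute still carries the test-environment value, so the change is caught before a deployment leaves the test environment. The sample XML inside it is constructed from the beans shown above; the bean ids and p: attribute names are the ones from this step.

```python
import xml.etree.ElementTree as ET

SPRING_BEANS = "http://www.springframework.org/schema/beans"
SPRING_P = "http://www.springframework.org/schema/p"

# Bean id -> (p-namespace attribute changed in Step 2, value expected in production).
SECURE_EXPECTATIONS = {
    "proxyAuthenticationHandler": ("requireSecure", "true"),
    "ticketGrantingTicketCookieGenerator": ("cookieSecure", "true"),
    "warnCookieGenerator": ("cookieSecure", "true"),
}


def find_insecure_settings(xml_text):
    """Return (bean id, attribute, actual value) for every bean from the table
    above whose HTTPS attribute is not set to its production value.
    A missing attribute is reported as "unset" so the reviewer checks the
    bean's compiled-in default instead of assuming it."""
    root = ET.fromstring(xml_text)
    findings = []
    for bean in root.iter("{%s}bean" % SPRING_BEANS):
        bean_id = bean.get("id")
        if bean_id not in SECURE_EXPECTATIONS:
            continue
        attr, wanted = SECURE_EXPECTATIONS[bean_id]
        actual = bean.get("{%s}%s" % (SPRING_P, attr))
        if actual is None or actual.strip().lower() != wanted:
            findings.append((bean_id, attr, "unset" if actual is None else actual))
    return findings


# Constructed sample: two of the beans as they look after the Step 2 changes,
# wrapped in a Spring <beans> root that declares the p namespace.
DEV_CONFIG = """<beans xmlns="%s" xmlns:p="%s">
  <bean id="proxyAuthenticationHandler"
        class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" p:requireSecure="false"/>
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas"/>
</beans>""" % (SPRING_BEANS, SPRING_P)

# The same beans with the secure values restored: no findings expected.
PROD_CONFIG = DEV_CONFIG.replace('p:requireSecure="false"', 'p:requireSecure="true"') \
                        .replace('p:cookieSecure="false"', 'p:cookieSecure="true"')

if __name__ == "__main__":
    for finding in find_insecure_settings(DEV_CONFIG):
        print("insecure: bean %s has %s=%s" % finding)
```

To check the real files, read each of the three XML files from cas-server\WEB-INF and pass its text to find_insecure_settings().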

 

 

Step 3: Configure the client (cas-client)

Note: We use the examples web application that ships with Tomcat as the client, and add the following CAS client configuration to its web.xml:

<!-- ====================== Start of single sign-on ====================== -->
<!-- Used for single sign-out. This listener is optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter is used for single sign-out. Optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter redirects users who are not yet authenticated to the CAS login page. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://localhost:18080/cas-server/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter is used for ticket validation and must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:18080/cas-server</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8081</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest so that, for example, HttpServletRequest.getRemoteUser()
     returns the login name of the SSO user. Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName(). Optional. -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ====================== End of single sign-on ====================== -->


4. Start tomcat-app1 and access http://localhost:8081/examples. The browser is redirected to

http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F

which indicates that the single sign-on redirect is working.

 

 

I won't demonstrate tomcat-app2 here, since it is configured in the same way.

I have uploaded the two modified web.xml files:

Tomcat-app1: web.xml

Tomcat-app2: web.xml


Step 4: Single sign-on flow demonstration

After starting all three Tomcat servers in turn, access the two clients separately and observe the results.

1. Access http://localhost:8081/examples; the browser is redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8081%2Fexamples%2F

2. Access http://localhost:8082/examples; the browser is redirected to http://localhost:18080/cas-server/login?service=http%3A%2F%2Flocalhost%3A8082%2Fexamples%2F

On first access, both clients redirect to cas-server for authentication.

Next, log in on one of the clients, for example http://localhost:8081/examples, with the account casuser/Mellon.

After logging in, the following page is displayed.

Then open a new tab and access http://localhost:8082/examples directly.

This time the cas-server login page is not shown; the following page appears directly.

This shows that after logging in to one of the two clients, the other can be accessed without logging in again.
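To make the flow behind this demonstration concrete, here is an added Python model of the CAS 2.0 ticket exchange (constructed for this article, not the Jasig server code): a CASTGC cookie that represents the browser-wide login, service tickets issued per service URL, and a single-use /serviceValidate step. The URLs, user name and password are the ones used above; the class and function names are assumptions of the model.

```python
import secrets
from urllib.parse import quote

CAS_LOGIN = "http://localhost:18080/cas-server/login"

class CasServer:
    """Toy model of cas-server (constructed for this example, not Jasig code)."""
    def __init__(self, users):
        self.users = users   # username -> password, like the AcceptUsersAuthenticationHandler map
        self.tgts = {}       # CASTGC cookie value -> username (the browser-wide login)
        self.tickets = {}    # service ticket -> (username, service it was issued for)

    def login_url(self, service):
        """URL the client filter redirects to; the service URL is encoded once."""
        return CAS_LOGIN + "?service=" + quote(service, safe="")

    def login(self, service, username=None, password=None, tgc=None):
        """Return (tgc, service_ticket). A valid CASTGC cookie skips the
        password check: that is why the second app needs no second login."""
        if tgc not in self.tgts:
            if username is None or self.users.get(username) != password:
                raise PermissionError("bad credentials")
            tgc = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = username
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (self.tgts[tgc], service)
        return tgc, st

    def service_validate(self, st, service):
        """/serviceValidate as called by the validation filter: a ticket is
        single-use and bound to the service it was issued for, so a ticket
        issued for app1 is useless at app2 and cannot be replayed."""
        entry = self.tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

def sso_demo():
    """Replays Step 4: log in once at app1, then reach app2 via the cookie."""
    cas = CasServer({"casuser": "Mellon"})
    app1, app2 = "http://localhost:8081/examples/", "http://localhost:8082/examples/"
    tgc, st1 = cas.login(app1, "casuser", "Mellon")        # interactive login
    user_at_app1 = cas.service_validate(st1, app1)
    _, st2 = cas.login(app2, tgc=tgc)                       # cookie only, no password
    user_at_app2 = cas.service_validate(st2, app2)
    replayed = cas.service_validate(st1, app1)              # already consumed
    _, st3 = cas.login(app1, tgc=tgc)
    cross_service = cas.service_validate(st3, app2)         # wrong service
    return user_at_app1, user_at_app2, replayed, cross_service
```

The last two results come back as None: a replayed ticket and a ticket presented to a different service are both rejected, which is what the serverName setting in the client's web.xml protects.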

 

 

Summary

Single Sign-On (SSO) is one of the most popular solutions for enterprise business integration. With SSO, you only need to log in once to access all mutually trusted application systems.

The above is only the simplest single sign-on example and cannot be used in real development as it is. To apply it to a project you still need to customize it, for example by beautifying the login page, authenticating against a database, and passing user information to the clients. These will be covered in later articles.

That is about it for the first article. Since there is hardly any code, I won't upload the source.

Next: [Personalized login page].

 
