我们知道CAS SSO 是基于HTTPS协议的单点登陆,如果要用HTTP协议进行传输,那么就需要修改CAS的相关的配置文件,图了方便,但是安全性大打折扣,对于单点登录,一旦被攻击,那么你的所有属于CAS管理的业务系统都可以被自由访问了。个人并不赞成使用HTTP协议,牺牲一点性能换取更好的安全性是值得的。
一、软件环境
1、cas-client:cas-client-3.2.1-release
2、cas-server:cas-server-3.5.2-release
二、修改步骤
1、文件warnCookieGenerator.xml
- <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
- p:cookieSecure="true"
- p:cookieMaxAge="-1"
- p:cookieName="CASPRIVACY"
- p:cookiePath="/cas" />
2、文件ticketGrantingTicketCookieGenerator.xml
- <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
- p:cookieSecure="true"
- p:cookieMaxAge="-1"
- p:cookieName="CASTGC"
- p:cookiePath="/cas" />
将bean中的p:cookieSecure="true "修改为p:cookieSecure="false"
3、文件deployerConfigContext.xml
- <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
- p:httpClient-ref="httpClient" />
添加p:requireSecure="false"
如果我们使用的是基于Filter在web.xml中的方式,至此使用HTTP协议就可以单点登录了。
如果我们使用的Java Core Object的方式,那么还需要进行的下面的步骤
4、文件SecureURL.java
- /*
- * Copyright (c) 2000-2003 Yale University. All rights reserved.
- *
- * THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
- * DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
- * DAMAGE.
- *
- * Redistribution and use of this software in source or binary forms,
- * with or without modification, are permitted, provided that the
- * following conditions are met:
- *
- * 1. Any redistribution must include the above copyright notice and
- * disclaimer and this list of conditions in any related documentation
- * and, if feasible, in the redistributed software.
- *
- * 2. Any redistribution must include the acknowledgment, "This product
- * includes software developed by Yale University," in any related
- * documentation and, if feasible, in the redistributed software.
- *
- * 3. The names "Yale" and "Yale University" must not be used to endorse
- * or promote products derived from this software.
- */
- package org.jasig.cas.client.corejavaobject.util;
- import java.io.BufferedReader;
- import java.io.IOException;
- import java.io.InputStreamReader;
- import java.net.URL;
- import java.net.URLConnection;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
- /**
- * A class housing some utility functions exposing secure URL validation
- * and content retrieval. The rules are intended to be about as restrictive
- * as a common browser with respect to server-certificate validation.
- */
- public class SecureURL {
- private static Log log = LogFactory.getLog(SecureURL.class);
- /**
- * For testing only...
- */
- public static void main(String args[]) throws IOException {
- System.setProperty(
- "java.protocol.handler.pkgs",
- "com.sun.net.ssl.internal.www.protocol");
- System.out.println(SecureURL.retrieve(args[0]));
- }
- /**
- * Retrieve the contents from the given URL as a String, assuming the
- * URL's server matches what we expect it to match.
- */
- public static String retrieve(String url) throws IOException {
- if (log.isTraceEnabled()){
- log.trace("entering retrieve(" + url + ")");
- }
- BufferedReader r = null;
- try {
- URL u = new URL(url);
- if (!u.getProtocol().equals("https")){
- // IOException may not be the best exception we could throw here
- // since the problem is with the URL argument we were passed, not
- // IO. -awp9
- log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
- throw new IOException("only 'https' URLs are valid for this method");
- }
- URLConnection uc = u.openConnection();
- uc.setRequestProperty("Connection", "close");
- r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
- String line;
- StringBuffer buf = new StringBuffer();
- while ((line = r.readLine()) != null)
- buf.append(line + "\n");
- return buf.toString();
- } finally {
- try {
- if (r != null)
- r.close();
- } catch (IOException ex) {
- // ignore
- }
- }
- }
- }
找到下面的部分
- if (!u.getProtocol().equals("https")){
- // IOException may not be the best exception we could throw here
- // since the problem is with the URL argument we were passed, not
- // IO. -awp9
- log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
- throw new IOException("only 'https' URLs are valid for this method");
- }
相信大家应该明白了吧,只需要将此部分注释掉即可。
备注:cookieSecure都修改false,我们来看下其作用是什么?
Secure是Cookie的一个属性。
属性值
如果客户端仅在使用安全超文本传输协议 (HTTPS) 的后继请求中返回 Cookie,则为 true;否则为 false。默认为 false。
实际上,当此属性为 true 时,该 Cookie 只能通过 https:// 请求来发送。即使用http协议是无法传递Cookie的。