CAS 5.3: using the http protocol instead of https to provide services
1. Version description
CAS Server uses the https protocol to provide services by default. The https protocol requires an SSL certificate. You can use the JDK tool keytool to generate a self-signed certificate, or you can apply for a certificate from a certificate authority (fees apply).
- cas.version: 5.3.16
- springboot.version: 1.5.18.RELEASE
- JDK self-signed certificate: keytool
2. Use http protocol to provide services
1. Springboot embedded tomcat deployment
- Modify the application.yml or application.properties configuration file:
  server:
    port: 8080
    ssl:
      key-store: classpath:server.keystore
      key-store-password: tomcat
      key-password: tomcat
      # change to false
      enabled: false
  cas:
    tgc:
      secure: false
    warningCookie:
      secure: false
    serviceRegistry:
      initFromJson: true
    server:
      name: http://cas.example.org:8080
      prefix: http://cas.example.org:8080/cas
- Add a resources/services/test.json file that registers http clients as allowed services:
  {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps|http)://.*",
    "name": "测试",
    "id": 1000,
    "description": "测试",
    "evaluationOrder": 1000
  }
- Finally, don't forget to change the CAS server URL configured in the CAS client:
  server:
    name: http://cas.example.org:8080
    prefix: http://cas.example.org:8080/cas
2. Tomcat deployment (non-embedded)
- Comment out the https Connector in server.xml in the tomcat/config directory:
  <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                 maxThreads="150" SSLEnabled="true" scheme="https"
                 secure="true" clientAuth="false" sslProtocol="TLS"
                 keystoreFile="D:\softs\apache-tomcat-8.5.37\server.keystore" keystorePass="tomcat">
       </Connector> -->
- Modify the application.yml or application.properties configuration file:
  cas:
    tgc:
      secure: false
    warningCookie:
      secure: false
    serviceRegistry:
      initFromJson: true
    server:
      name: http://cas.example.org:8080
      prefix: http://cas.example.org:8080/cas
- Add a resources/services/test.json file that registers http clients as allowed services:
  {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps|http)://.*",
    "name": "测试",
    "id": 1000,
    "description": "测试",
    "evaluationOrder": 1000
  }
- Finally, don't forget to change the CAS server URL configured in the CAS client:
  server:
    name: http://cas.example.org:8080
    prefix: http://cas.example.org:8080/cas
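The service registry entry and the cas.* keys above are the same for the embedded and the standalone Tomcat deployment, so a single check serves both. The following script is an added example, not part of the original post or of the CAS project: it parses the test.json entry, flags that its serviceId regex accepts any host for http/https/imaps (every client on the network can then obtain tickets from this CAS server), shows a host-pinned alternative (the client hostname app.example.org is an assumption), and verifies that cas.server.name, cas.server.prefix and the two cookie secure flags are consistent with plain http. Using re.search to stand in for the Java Matcher.find() that CAS applies to the serviceId is an assumption about the exact matching semantics.

```python
# Added example (not from the original post): sanity-check the registered
# service entry and the http-related cas.* settings from application.yml.
import json
import re
from urllib.parse import urlparse

# Constructed copy of resources/services/test.json as shown in the post.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps|http)://.*",
  "name": "测试",
  "id": 1000,
  "description": "测试",
  "evaluationOrder": 1000
}"""

# Constructed host-pinned alternative; app.example.org is an assumed client host.
PINNED_SERVICE_ID = r"^http://app\.example\.org(:\d+)?(/.*)?$"

# Constructed copy of the cas.* keys from the post's application.yml, flattened.
CAS_CONFIG = {
    "cas.server.name": "http://cas.example.org:8080",
    "cas.server.prefix": "http://cas.example.org:8080/cas",
    "cas.tgc.secure": False,
    "cas.warningCookie.secure": False,
}


def load_service_id(text):
    """Parse a registered-service JSON file and return its serviceId pattern."""
    return json.loads(text)["serviceId"]


def service_allows(service_id, client_url):
    """True if the client's service URL is accepted by the serviceId regex.
    re.search stands in for the Java Matcher.find() used by CAS (assumption)."""
    return re.search(service_id, client_url) is not None


def is_catch_all(service_id):
    """True when the pattern accepts any host for the listed schemes,
    i.e. it ends in '://.*' and pins no host at all."""
    return service_id.endswith("://.*")


def check_config(cfg):
    """Return a list of findings about URL/cookie consistency; empty is good.
    A missing secure flag counts as true, which is the CAS default."""
    findings = []
    name = urlparse(cfg["cas.server.name"])
    prefix = urlparse(cfg["cas.server.prefix"])
    if (name.scheme, name.netloc) != (prefix.scheme, prefix.netloc):
        findings.append("cas.server.name and cas.server.prefix differ in scheme or host:port")
    if name.scheme == "http":
        for key in ("cas.tgc.secure", "cas.warningCookie.secure"):
            if cfg.get(key, True):
                findings.append(f"{key} must be false when CAS is served over plain http")
    return findings


if __name__ == "__main__":
    sid = load_service_id(SERVICE_JSON)
    print("serviceId is a catch-all:", is_catch_all(sid))
    print("config findings:", check_config(CAS_CONFIG))
```

The catch-all pattern is convenient for a test setup, but for anything beyond a local test the serviceId should pin the client host as in PINNED_SERVICE_ID, so that only the intended application can redirect users to the login page and validate tickets.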
3. Clean up the https configuration
- Remove the keytool self-signed certificate from the JDK trust store:
  keytool -delete -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
- Clear the browser cache (especially cookies).
Note: if the http protocol was used from the beginning, this step can be omitted.
4. Notes
- After opening the browser, do not switch back and forth between the https and http protocols, to avoid losing the session when the protocol changes. Running http and https side by side may cause session loss.
- Make sure the domain name is consistent.
During testing, the mapping 127.0.0.1 cas.example.org was added to the hosts file, but the browser was pointed at localhost. Note that although both cas.example.org and localhost resolve to 127.0.0.1, the browser treats them as two different hosts, so cookies cannot be shared between them (the CAS TGC cannot be shared).
Logging in at http://localhost:8080/cas/login succeeds, but because the client's CAS server prefix is http://cas.example.org:8080/cas you still have to log in again; that is, the login state is not shared.
You can confirm this in Google Chrome by opening the Network tab of the developer tools and inspecting the request URL and the cookies sent with it.
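To make the two session-loss cases above concrete, here is an added example (not from the original post) that models how a browser scopes the TGC cookie: cookies are scoped by host name, not by IP address and not by port, and a cookie carrying the Secure attribute is only sent over https. The model is deliberately simplified (no Domain or Path attributes; treating the TGC as a host-only cookie is an assumption), and the URLs are constructed from the post's setup.

```python
# Added example (not from the original post): a simplified model of how a
# browser scopes the CAS TGC cookie, reproducing both session-loss cases.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str      # host-only cookie; TGC modelled without a Domain attribute (assumption)
    secure: bool   # the Secure attribute, driven by cas.tgc.secure


def cookie_sent(cookie, request_url):
    """Host-only match plus the Secure rule (simplified from RFC 6265).
    The port is deliberately ignored: cookie scope never includes it, so
    cas.example.org:8443 and cas.example.org:8080 share cookies, while
    localhost and cas.example.org do not even though both resolve to 127.0.0.1."""
    u = urlparse(request_url)
    if u.hostname != cookie.host:
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


def tgc_after_login(login_url, tgc_secure):
    """The TGC the browser stores after a successful login at login_url."""
    return Cookie("TGC", urlparse(login_url).hostname, tgc_secure)


def session_survives(login_url, tgc_secure, next_cas_url):
    """True if the TGC obtained at login_url is presented on the next CAS request."""
    return cookie_sent(tgc_after_login(login_url, tgc_secure), next_cas_url)


if __name__ == "__main__":
    # Case 1 from the post: logged in at localhost, client redirects to cas.example.org.
    print("localhost -> cas.example.org:",
          session_survives("http://localhost:8080/cas/login", False,
                           "http://cas.example.org:8080/cas/login"))
    # Case 2 from the post: TGC set over https with secure=true, then switched to http.
    print("https (secure) -> http:",
          session_survives("https://cas.example.org:8443/cas/login", True,
                           "http://cas.example.org:8080/cas/login"))
```

The first case is why the hosts-file alias and the URL typed into the browser must use the same name; the second is why cas.tgc.secure has to be false for an http-only deployment and why the post advises clearing cookies rather than switching protocols mid-session.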