CAS key configuration instructions - version 3.4.2.1 - X.509

Reference documentation:
 
CAS certificate login (good article)
 
With certificate-based authentication, the whole login can be completed by X509CredentialsAuthenticationHandler alone. Once authentication passes, the server redirects straight back to the client and does not stop on any page of its own.
 
1. Versions
JDK: 1.8
Tomcat: 7.0.39
Server: cas-server 3.4.1
Client: cas-client 3.4.1
 
2. Tomcat two-way authentication configuration
HTTPS only needs to be configured on the cas-server side; the cas-client can keep using plain HTTP links.
 
A working two-way (mutual) TLS configuration for Tomcat 7.0.39 is as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
keystoreFile="C:/temp/tomcat.keystore" keystorePass="password"
truststoreFile="C:/temp/tomcat.keystore" truststorePass="password"/>
Refer to the following link:
 
The certificate-related keytool commands are as follows. Note that the Connector above points at C:/temp/tomcat.keystore while these commands write to F:\cas\keystore\; use one location and keep the two paths consistent.

Server keystore and exported server certificate:
keytool -genkey -v -alias tomcat -keyalg RSA -keystore F:\cas\keystore\tomcat.keystore -validity 36500
keytool -keystore F:\cas\keystore\tomcat.keystore -export -alias tomcat -file F:\cas\keystore\tomcat.cer

Client certificate in a PKCS12 keystore, exported and then imported into the Tomcat truststore:
keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore F:\cas\keystore\client.key.p12
keytool -export -alias mykey -keystore F:\cas\keystore\client.key.p12 -storetype PKCS12 -storepass password -rfc -file F:\cas\keystore\client.key.cer
keytool -import -v -file F:\cas\keystore\client.key.cer -keystore F:\cas\keystore\tomcat.keystore

Both certificates imported into the JRE's cacerts truststore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file F:\cas\keystore\tomcat.cer -alias tomcat
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file F:\cas\keystore\client.key.cer -alias mykey
 
Notice:
1) With two-way authentication every browser behaves differently; Google Chrome works best, and the certificate selection dialog pops up on every visit;
2) When creating the server certificate, the DN must match the domain name in the URL (personal understanding, not yet verified);
3) %JAVA_HOME%/jre/lib/security/cacerts sometimes needs to be deleted and rebuilt (symptom: unable to find valid certification path to requested target).
 
3. Installation test:
1) The client reports the problem No principal was found. Refer to the third method at the following link to solve it:
 
a) Configuration in the client-side web.xml:
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<!--<filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>-->
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/cas-server</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:7080</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
<init-param>
<param-name>authn_method</param-name>
<param-value>mfa-duo</param-value>
</init-param>
</filter>
b) In casServiceValidationSuccess.jsp on the server side:
<%@ page session="false" contentType="application/xml;charset=utf-8" %>
 
2) Key configuration on the cas-server side:
Note that configuring several Authentication Handlers and Principal Resolvers together confuses the logic. Keep only the X.509-related ones; if several must coexist, put the X.509 ones first.
 
a) login-webflow.xml
<decision-state id="gatewayRequestCheck">
  <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null" then="redirect" else="startAuthenticate" />
</decision-state>
<decision-state id="renewRequestCheck">
  <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null" then="startAuthenticate" else="generateServiceTicket" />
</decision-state>
<action-state id="startAuthenticate">
  <!-- x509Check is the non-interactive X.509 action bean defined in cas-servlet.xml below -->
  <evaluate expression="x509Check" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="warn" to="warn" />
  <transition on="error" to="viewLoginForm" />
</action-state>
 
b) cas-servlet.xml
<!-- the centralAuthenticationService reference is set once via the p: namespace; a nested <property> with the same name would be redundant -->
<bean id="x509Check"
      class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction"
      p:centralAuthenticationService-ref="centralAuthenticationService" />
 
c) deployerConfigContext.xml
<!-- opening tag of the standard CAS 3.x authenticationManager bean, added here for context; the two properties below belong to it -->
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <!-- the principal id is built from the certificate subject's OU and CN attributes -->
      <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
        <property name="identifier" value="$OU $CN" />
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
        <!-- regular expression the issuer DN of the presented certificate must match; no surrounding spaces -->
        <property name="trustedIssuerDnPattern" value="CN=mykey.+" />
      </bean>
    </list>
  </property>
</bean>
The trustedIssuerDnPattern above must be adjusted to the actual issuer DN of your client certificates; this property is mandatory.
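An added Go simulation (not CAS code) of how the two properties above behave: identifier is expanded from the subject DN attributes and trustedIssuerDnPattern is matched against the whole issuer DN. The whole-string match, the set of supported placeholders and Go's RFC 2253 DN rendering (Java may render the DN with ", " separators) are assumptions.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"regexp"
	"strings"
)

// ResolveIdentifier expands a CAS-style identifier template such as "$OU $CN" from the
// certificate subject. Simulation of the X509CertificateCredentialsToIdentifierPrincipalResolver
// "identifier" property; only the placeholders listed here are supported (assumption).
func ResolveIdentifier(subject pkix.Name, template string) string {
	first := func(v []string) string {
		if len(v) == 0 {
			return ""
		}
		return v[0]
	}
	// Longer placeholders are listed first so "$OU" is not consumed as "$O" followed by "U".
	return strings.NewReplacer(
		"$OU", first(subject.OrganizationalUnit),
		"$CN", subject.CommonName,
		"$O", first(subject.Organization),
		"$C", first(subject.Country),
	).Replace(template)
}

// IssuerTrusted applies trustedIssuerDnPattern to the issuer DN as a whole-string match
// (assumed to mirror Java's Matcher.matches()); the DN string is Go's RFC 2253 rendering.
func IssuerTrusted(issuer pkix.Name, pattern string) bool {
	return regexp.MustCompile("^(?:" + pattern + ")$").MatchString(issuer.String())
}

func main() {
	// Constructed subject for the keytool "mykey" client certificate. Because that certificate
	// is self-signed, its issuer DN equals its subject DN, which is why the pattern names CN=mykey.
	mykey := pkix.Name{CommonName: "mykey", OrganizationalUnit: []string{"dev"}, Organization: []string{"example"}}
	fmt.Println(ResolveIdentifier(mykey, "$OU $CN"))                         // dev mykey
	fmt.Println(IssuerTrusted(mykey, "CN=mykey.+"))                           // true
	fmt.Println(IssuerTrusted(pkix.Name{CommonName: "mykey"}, "CN=mykey.+")) // false: nothing left for ".+"
}
```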
 
3) The last problem: after the CAS server finishes verification, the following exception is reported when redirecting to the CAS client:
java.lang.RuntimeException: java.net.SocketException: Software caused connection abort: recv failed
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
 
This problem caused a lot of trouble; in the end I found the cause was the clientAuth="true" setting in the Tomcat on the cas-server side, and changed it to clientAuth="want". When the ticket is validated, no client certificate is passed, and once the setting is changed to want the error is no longer reported.
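The root cause described above, reproduced as an added Go example (not from the page or from CAS): a TLS client that presents no certificate, like cas-client calling back to /serviceValidate, is rejected under RequireAndVerifyClientCert but completes the handshake under VerifyClientCertIfGiven. The in-memory server certificate is constructed, and treating those two Go policies as the equivalents of Tomcat's clientAuth="true" and clientAuth="want" is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HandshakeWithoutClientCert serves one TLS handshake under the given client-auth policy to a
// client that presents no certificate (as cas-client does when it calls back to /serviceValidate)
// and returns the server-side handshake error, nil when the handshake completed.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) error {
	// Throwaway in-memory self-signed server certificate standing in for the tomcat.keystore entry.
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, ClientAuth: policy})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		// Client side: InsecureSkipVerify only because the server cert is a throwaway; no client cert is set.
		if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}); err == nil {
			cli.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // do not hang if the client never connects
	return c.(*tls.Conn).Handshake()
}

func main() { // Tomcat clientAuth="true" ~ RequireAndVerifyClientCert, clientAuth="want" ~ VerifyClientCertIfGiven
	fmt.Println("clientAuth=true:", HandshakeWithoutClientCert(tls.RequireAndVerifyClientCert))
	fmt.Println("clientAuth=want:", HandshakeWithoutClientCert(tls.VerifyClientCertIfGiven))
}
```

With "want", browsers that do present a certificate are still checked by the X.509 handler, while the certificate-less validation callback from cas-client is no longer aborted at the TLS layer.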
