Single sign-on solution: understanding the basics of CAS

1 Introduction

        Single sign-on (SSO) is one of the more popular solutions for integrating enterprise business systems. With SSO, a user who logs in once can access every application in a group of mutually trusting applications.
        Our current system has many subsystems deployed on different servers. A traditional session, which lives inside a single application, cannot cover all of them, so we need single sign-on technology to solve this.

2. CAS introduction

        CAS (Central Authentication Service) is an open source project started at Yale University with the aim of providing a reliable single sign-on method for web applications; CAS officially became a JA-SIG project in December 2004. CAS is one technology for implementing a single sign-on solution.

3. CAS Features

1) Open source enterprise single sign-on solution.

2) CAS Server is a web application that must be deployed separately.

3) CAS Client supports a very large number of client types (here a "client" is each web application that joins the single sign-on system), including Java, .Net, PHP, Perl, Apache, uPortal, Ruby and so on.

4. CAS protocol flow

        Structurally, CAS consists of two parts: CAS Server and CAS Client. CAS Server is deployed separately and is responsible for authenticating users; CAS Client is embedded in each application, handles requests for protected resources and, when the user still has to log in, redirects them to the CAS Server.

The figure shows the most basic CAS protocol flow:

A single sign-on access goes through the following steps:

1) Access service: the browser (SSO client) requests a resource provided by an application.

2) Redirect to authentication: the application has no session for the user, so it redirects the request to the SSO server.

3) User authentication: the user enters credentials at the SSO server (only for the first application; later applications reuse that login).

4) Ticket issuance: the SSO server generates a random, short-lived Service Ticket bound to that application and sends the browser back to the application with the ticket.

5) Ticket validation: the application submits the Service Ticket to the SSO server over a back channel; the SSO server checks that the ticket is genuine, unused and issued for this application, and only after that is the client allowed to access the service.

6) Transfer of user information: once the ticket passes validation, the SSO server returns the authentication result (user name and attributes) to the application, which then creates its own local session.
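To make the six steps concrete, here is an added example (written for this page; it is not code from the original post or from the CAS project) that models the exchange in Python: a stand-in CAS Server that mints ticket-granting tickets and service tickets, and two stand-in client applications that do what the authentication filter and the ticket validation filter do. The host names, the ticket lifetime and the casuser / Mellon account are assumptions; the XML follows the CAS 2.0 serviceValidate response format. It also goes slightly beyond the text by showing the two checks step 5 must enforce: a ticket cannot be replayed, and a ticket issued for one application is refused by another.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"            # namespace of the CAS 2.0 validation response
CAS_LOGIN = "http://cas.example.test/cas/login"  # assumed server URL, not from the post
ST_TTL_SECONDS = 10                              # service tickets are short-lived and single-use


class CasServer:
    """Stand-in for the CAS Server: keeps ticket-granting tickets (one per login)
    and service tickets (one per application visit)."""

    def __init__(self, users):
        self.users = users   # {username: password}; constructed demo data
        self.tgts = {}       # TGC cookie value -> username
        self.sts = {}        # ST -> [tgc, service, issued_at, consumed]

    def login(self, service, tgc=None, username=None, password=None):
        """Steps 2-4. A browser that already carries a valid TGC is not asked for a
        password again; otherwise the credentials are checked and a TGT is minted.
        Returns (tgc, redirect_url_with_ticket)."""
        if tgc not in self.tgts:
            if username is None or self.users.get(username) != password:
                raise PermissionError("authentication failed")
            tgc = "TGT-" + secrets.token_urlsafe(32)
            self.tgts[tgc] = username
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = [tgc, service, time.time(), False]
        sep = "&" if "?" in service else "?"
        return tgc, service + sep + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """Step 5: what /cas/serviceValidate does. A ticket is consumed on its first
        validation attempt, so a replayed or mis-routed ticket is dead afterwards."""
        rec = self.sts.get(ticket)
        if rec is None or rec[3]:
            return _failure("INVALID_TICKET", "ticket unknown or already used")
        rec[3] = True
        tgc, bound_service, issued_at, _ = rec
        if time.time() - issued_at > ST_TTL_SECONDS:
            return _failure("INVALID_TICKET", "ticket expired")
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued to another service")
        return _success(self.tgts[tgc])


def _success(user):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
            f"<cas:user>{escape(user)}</cas:user></cas:authenticationSuccess></cas:serviceResponse>")


def _failure(code, msg):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{escape(msg)}</cas:authenticationFailure>'
            "</cas:serviceResponse>")


class CasClient:
    """Stand-in for one CAS Client web application (the work the Java filters do)."""

    def __init__(self, server, server_name):
        self.server = server
        self.service = server_name + "/"   # the serverName init-param plus the request path
        self.sessions = {}                 # local session id -> username

    def access(self, ticket=None, session_id=None):
        """Steps 1 and 6. Returns ("ok", user), ("redirect", url) or ("denied", code)."""
        if session_id in self.sessions:
            return ("ok", self.sessions[session_id])
        if ticket is None:   # authentication filter: no session, no ticket -> go and log in
            return ("redirect", CAS_LOGIN + "?" + urlencode({"service": self.service}))
        # validation filter: back-channel check; the ticket in the URL is never trusted on its own
        root = ET.fromstring(self.server.service_validate(self.service, ticket))
        user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        if user is None:
            return ("denied", root.find(f"{{{CAS_NS}}}authenticationFailure").get("code"))
        self.sessions[secrets.token_urlsafe(16)] = user.text
        return ("ok", user.text)


def ticket_from(url):
    return parse_qs(urlparse(url).query)["ticket"][0]


def walk_through():
    """Two applications, one login; then two abuse cases the validation step must reject."""
    cas = CasServer({"casuser": "Mellon"})
    app1 = CasClient(cas, "http://localhost:9001")
    app2 = CasClient(cas, "http://localhost:9002")
    out = {}
    out["first_visit"] = app1.access()                                           # steps 1-2
    tgc, back = cas.login(app1.service, username="casuser", password="Mellon")  # steps 3-4
    st1 = ticket_from(back)
    out["app1"] = app1.access(ticket=st1)                                        # steps 5-6
    _, back2 = cas.login(app2.service, tgc=tgc)   # TGC present: no second password prompt
    out["app2"] = app2.access(ticket=ticket_from(back2))
    out["replay"] = app1.access(ticket=st1)       # the same ST presented a second time
    _, back3 = cas.login(app2.service, tgc=tgc)
    out["wrong_service"] = app1.access(ticket=ticket_from(back3))   # app2's ST shown to app1
    return out
```

The point to take from walk_through() is that the browser never proves anything to the application directly: the only thing the application trusts is the server's answer to its own back-channel validation call, which is why the ticket can be allowed to travel through the browser's address bar at all.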

5. CAS server deployment

The CAS server package is just a war file, so deploying it is simple: drop the war into Tomcat's webapps directory, start Tomcat, and the login page can be visited in the browser, as shown:

There is a built-in user name and password: casuser / Mellon

This user name and password are the default configuration in cas\WEB-INF\deployerConfigContext.xml, as shown:

So if we want another user name and password, we can configure them here as well. This static user list is only meant for trying CAS out: before the server is reachable by anyone else, remove the casuser / Mellon entry and switch to a real credential store, otherwise anyone who knows the default can sign in to every connected application.

After a successful login, the page jumps to a "login successful" prompt.
cas.war download link : 4jr8 

6. CAS server configuration

6.1 Port modification

Changing the CAS port requires changes in two places:

1) change the port in Tomcat's configuration;

2) change the server.name property in cas/WEB-INF/cas.properties to match.

6.2 Disabling HTTPS

        CAS uses HTTPS by default, and HTTPS requires an SSL certificate (applied for and purchased from a certificate authority). If there is no security requirement, that is, during development and testing, you can switch CAS to plain HTTP by changing the configuration below. Never do this for a production deployment: the ticket-granting cookie and the service tickets would then cross the network in cleartext, and anyone who captures them can take over the user's single sign-on session for every connected application.

Steps:

1) Modify cas/WEB-INF/deployerConfigContext.xml

In the bean configuration for HttpBasedServiceCredentialsAuthenticationHandler, add the property p:requireSecure="false", for example:

The requireSecure attribute says whether a secure (HTTPS) connection is required when the server calls back to a service; false turns that check off.

2) Modify the bean with id=ticketGrantingTicketCookieGenerator in cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml, changing the attribute p:cookieSecure="true" to false, for example:

Note:

1. p:cookieMaxAge="-1" is the maximum lifetime of the cookie. -1 means no fixed lifetime: the cookie lives only in the current browser session, and after closing the browser and opening it again the user is asked to authenticate again. It can be changed to a number greater than 0 as needed, e.g. 3600, which means that within 3600 seconds any window that is opened needs no further authentication. Bear in mind that a persistent cookie survives a browser restart, so on a shared machine a longer value keeps the SSO session alive for whoever uses the browser next.

2. Set cookieMaxAge to 3600.

3. This configuration file is related to tickets: the cookie it generates carries the ticket-granting ticket (the TGC), which is what lets the user skip the login at the next application.

3) In cas/WEB-INF/spring-configuration/warnCookieGenerator.xml, change the cookieSecure value of the bean with id=warnCookieGenerator to false; cookieMaxAge can be set to 3600, as shown:

7. CAS getting-started demo

Here we create two web projects, using CAS's native configuration approach (servlet filters in web.xml).

7.1 CAS client 1

1) Create a Maven war project casclient_demo1, add the CAS client dependency and set the Tomcat run port to 9001.

2) Add the dependencies

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.bjc.cas</groupId>
  <artifactId>casclient_demo1</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>

  <dependencies>
    <!-- CAS Java client: provides the servlet filters configured in web.xml -->
    <dependency>
      <groupId>org.jasig.cas.client</groupId>
      <artifactId>cas-client-core</artifactId>
      <version>3.3.3</version>
    </dependency>
    <!-- Servlet API, supplied by Tomcat at runtime -->
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>2.3.2</version>
        <configuration>
          <source>1.7</source>
          <target>1.7</target>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.apache.tomcat.maven</groupId>
        <artifactId>tomcat7-maven-plugin</artifactId>
        <configuration>
          <!-- Port this client runs on -->
          <port>9001</port>
          <!-- Context path -->
          <path>/</path>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

3) Configure web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <!-- Single logout: this listener is part of the single sign-out support, optional -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <!-- This filter implements single sign-out, optional; it must be mapped before the authentication filter -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter is responsible for authenticating the user; it must be enabled -->
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://localhost:9100/cas/login</param-value>
            <!-- The login URL of the CAS server -->
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:9001</param-value>
            <!-- The root address of the current application; it becomes the service= value sent to CAS -->
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter validates the ticket with the CAS server over the back channel; it must be enabled -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://localhost:9100/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:9001</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter wraps the HttpServletRequest so that, for example, getRemoteUser() returns the SSO login name; optional -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter lets developers read the login name through org.jasig.cas.client.util.AssertionHolder,
         e.g. AssertionHolder.getAssertion().getPrincipal().getName(); optional -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

From the web.xml configuration we can see that CAS does almost all of its client-side work through servlet filters: the authentication filter redirects users who have no session to the CAS login page, and the validation filter checks the ticket that comes back before any session is created.

4) Write the index.jsp page

<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>cas client demo1</title>
</head>
<body>
cas client demo1  <br/>
<%=request.getRemoteUser()%>
</body>
</html>

Note: request.getRemoteUser() returns the login name of the remote (SSO) user; it is populated by the HttpServletRequest wrapper filter after a ticket has been validated.

7.2 CAS client 2

Client 2 is built exactly like client 1; only the address of the current application in web.xml (serverName) and the Tomcat port in the pom need to change, so that client 2 listens on 9002.

7.3 Testing

1) Open http://localhost:9002 ; a login is required, as shown:

After logging in successfully, as shown:

2) Now open http://localhost:9001/ ; as shown, entering the address is enough, no second login is needed.

8. Single logout

Single logout means that logging out from one client logs the user out of all the other clients at the same time. With CAS we only need to open the CAS server address plus /cas/logout, for example: http://localhost:9100/cas/logout

The page then shows a "logout successful" prompt, as shown:

Going back to the demo1 and demo2 pages, we find that both have been logged out, as shown:

 We now have single logout working, but this page is not very friendly; we would rather have the logout jump to a page of our choosing. To do that we change the CAS configuration file cas\WEB-INF\cas-servlet.xml and set the p:followServiceRedirects property of the bean with id logoutAction to true, as shown:

Once that is changed, we can specify the logout page by a service redirect. Redirecting is simple: append ?service=url after cas/logout, for example:

http://localhost:9100/cas/logout?service=http://www.baidu.com

Be aware that this turns /cas/logout into an open redirect unless the server restricts the service parameter: the stock deployerConfigContext.xml of this CAS version registers a catch-all service (serviceId ^(https?|imaps?)://.*), so any URL is accepted. Before enabling followServiceRedirects on a real deployment, replace that entry with the exact URLs of your own applications.

Note: CAS's single logout relies mainly on the CAS Single Sign Out Filter in web.xml; in other words, to get single logout we need to configure that filter (and the listener that goes with it). The code is as follows:

<!-- Single logout: this listener is part of the single sign-out support, optional -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single sign-out, optional -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
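As an added example (written for this page; it is not code from the original post or from the CAS client library), here is a Python model of what the SingleSignOutFilter and the SingleSignOutHttpSessionListener do between them: at validation time the client remembers which service ticket opened which local session, and when the CAS server later POSTs a SAML LogoutRequest whose SessionIndex names that ticket, the matching session is destroyed. The session ids, ticket values and the plain form-encoded logoutRequest parameter are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class SessionRegistry:
    """The bookkeeping the listener and the filter share: which service ticket
    opened which local session, so a logout naming the ticket can find the session."""

    def __init__(self):
        self.ticket_to_session = {}   # ST -> local session id
        self.live_sessions = {}       # local session id -> username

    def record(self, ticket, session_id, user):
        """Called right after /cas/serviceValidate succeeded for `ticket`."""
        self.live_sessions[session_id] = user
        self.ticket_to_session[ticket] = session_id

    def invalidate_by_ticket(self, ticket):
        """Returns the invalidated session id, or None if the ticket is unknown."""
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is not None:
            self.live_sessions.pop(session_id, None)
        return session_id


def session_index_from_logout_request(form_body):
    """Pull <samlp:SessionIndex> out of the form-encoded POST body the CAS server
    sends to each service; returns None for anything malformed."""
    xml = parse_qs(form_body).get("logoutRequest", [None])[0]
    if not xml:
        return None
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    return index.text.strip() if index is not None and index.text else None


def single_sign_out_filter(registry, method, form_body):
    """Filter decision for one request: "pass" lets it continue down the chain;
    a POST carrying logoutRequest is consumed here and yields "logout:<sid>" when
    a session was destroyed or "ignored" when the ticket names no known session."""
    if method != "POST" or "logoutRequest" not in parse_qs(form_body):
        return "pass"
    ticket = session_index_from_logout_request(form_body)
    sid = registry.invalidate_by_ticket(ticket) if ticket else None
    return f"logout:{sid}" if sid else "ignored"


def build_logout_request(ticket):
    """The body the CAS server POSTs to a service (constructed here in the shape CAS uses)."""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0" '
           'IssueInstant="2020-02-13T00:00:00Z">'
           f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
           f"<samlp:SessionIndex>{ticket}</samlp:SessionIndex></samlp:LogoutRequest>")
    return urlencode({"logoutRequest": xml})


def demo():
    """One user logged into demo1 and demo2; the CAS server then notifies both."""
    demo1, demo2 = SessionRegistry(), SessionRegistry()
    demo1.record("ST-1-demo1", "JSESSIONID-a", "casuser")   # constructed ids
    demo2.record("ST-2-demo2", "JSESSIONID-b", "casuser")
    results = {
        "normal_get": single_sign_out_filter(demo1, "GET", ""),
        "demo1": single_sign_out_filter(demo1, "POST", build_logout_request("ST-1-demo1")),
        "demo2": single_sign_out_filter(demo2, "POST", build_logout_request("ST-2-demo2")),
        "unknown": single_sign_out_filter(demo1, "POST", build_logout_request("ST-never-seen")),
        "garbage": single_sign_out_filter(demo1, "POST", "logoutRequest=%3Cnot-xml"),
        "replay": single_sign_out_filter(demo1, "POST", build_logout_request("ST-1-demo1")),
    }
    results["sessions_left"] = len(demo1.live_sessions) + len(demo2.live_sessions)
    return results
```

Note that the logout request carries no signature: the only thing that stops a third party from logging your users out is that a valid service ticket is a random value that appeared once in a redirect URL. Treat tickets as secrets and keep them out of access logs and Referer headers.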

 


Origin blog.csdn.net/weixin_43318134/article/details/104296686