CAS OpenID integration configuration


Reference article: https://wiki.jasig.org/display/CASUM/OpenID

 

OpenID is an open, decentralized, free framework for user-centric digital identity. Users represent themselves using URIs. For more information see http://www.openid.net . As of CAS 3.5, CAS supports both the "dumb" and "smart" modes of the OpenID protocol. Dumb mode acts in a similar fashion to the existing CAS protocol. The smart mode differs in that it establishes an association between the client and the OpenID provider (OP) at the beginning. Thanks to that association and the key exchange done during association, information exchanged between the client and the provider is signed and verified using this key. There is no need for the final request (which is equivalent in the CAS protocol to the ticket validation).

A demo of the OpenId support in CAS server is available at : https://github.com/leleuj/cas-openid-demo .
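To make the "signed and verified using this key" part of smart mode concrete, here is an added example (not code from the CAS project or from openid4java, which does this inside its ServerManager) showing how an OpenID 2.0 positive assertion is signed with the association's MAC key: the fields named in openid.signed are serialised in key-value form ("field:value\n", in the listed order), HMAC-SHA1'd with the MAC key, and the relying party recomputes that value and compares it with openid.sig. The MAC key, endpoint URLs and nonce below are constructed sample values; the host my.cas.server and login fesnault come from this page.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: signing/verification of an OpenID 2.0 "id_res" assertion
// with an association MAC key (this is what smart mode relies on instead of
// a final check_authentication round trip). Not CAS or openid4java code.
public final class OpenIdAssertionSignature {

    /** Key-value form (OpenID 2.0 section 4.1.1) over the fields listed in openid.signed. */
    static String keyValueForm(final Map<String, String> params) {
        final String signed = params.get("openid.signed");
        if (signed == null) {
            throw new IllegalArgumentException("openid.signed is missing");
        }
        final StringBuilder sb = new StringBuilder();
        for (final String field : signed.split(",")) {
            final String value = params.get("openid." + field);
            if (value == null) {
                // A field advertised as signed but absent must fail, never be skipped.
                throw new IllegalArgumentException("signed field missing: " + field);
            }
            sb.append(field).append(':').append(value).append('\n');
        }
        return sb.toString();
    }

    static byte[] hmacSha1(final byte[] macKey, final String message) throws Exception {
        final Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(macKey, "HmacSHA1"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    /** What the OP computes and places in openid.sig. */
    static String sign(final byte[] macKey, final Map<String, String> params) throws Exception {
        return Base64.getEncoder().encodeToString(hmacSha1(macKey, keyValueForm(params)));
    }

    /** What the relying party recomputes; constant-time comparison of the two MACs. */
    static boolean verify(final byte[] macKey, final Map<String, String> params) throws Exception {
        final String sig = params.get("openid.sig");
        if (sig == null) {
            return false;
        }
        final byte[] expected = hmacSha1(macKey, keyValueForm(params));
        final byte[] received = Base64.getDecoder().decode(sig);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(final String[] args) throws Exception {
        // Constructed sample MAC key; in the protocol it comes from the DH association.
        final byte[] macKey = "constructed-sample-association-key".getBytes(StandardCharsets.UTF_8);

        final Map<String, String> p = new LinkedHashMap<>();
        p.put("openid.ns", "http://specs.openid.net/auth/2.0");
        p.put("openid.mode", "id_res");
        p.put("openid.op_endpoint", "https://my.cas.server/cas/login");
        p.put("openid.claimed_id", "https://my.cas.server/cas/openid/fesnault");
        p.put("openid.identity", "https://my.cas.server/cas/openid/fesnault");
        p.put("openid.return_to", "https://rp.example/return");          // constructed
        p.put("openid.response_nonce", "2012-01-01T00:00:00Zconstructed"); // constructed
        p.put("openid.assoc_handle", "constructed-handle-1");
        p.put("openid.signed", "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle");
        p.put("openid.sig", sign(macKey, p));

        System.out.println("untouched assertion verifies: " + verify(macKey, p)); // true

        // Any change to a signed field (here the asserted identity) must be detected.
        p.put("openid.identity", "https://my.cas.server/cas/openid/someoneelse");
        System.out.println("tampered assertion verifies:  " + verify(macKey, p)); // false
    }
}
```

The two points worth keeping in mind when reading openid4java's own implementation against this: a field listed in openid.signed that is missing from the request must fail verification rather than be silently skipped, and the MAC comparison should not short-circuit on the first differing byte.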

Giving your users URIs

Configuring your users to have URIs.

OpenId identifiers are URIs. The default mechanism in CAS support is a URI ending with the actual user login (i.e. http://my.cas.server/openid/fesnault where the actual user login is fesnault). This is not recommended and you should think of a more elaborate way of providing URIs to your users.

Add OpenId support module to CAS server

The first thing to do, with a CAS server webapp, is to add the OpenId support module dependency. This is done by adding the following to the CAS server webapp pom.xml.

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-openid</artifactId>
    <version>${project.version}</version>
</dependency>

Be Careful

You must change the server prefix property of the CAS server to an https URL. Otherwise SSO will not work. Find the cas.properties file and edit the server.prefix URL to something like this: https://localhost:443/cas .

Now let's dive into CAS configuration itself.

Update webflow

CAS uses a Spring webflow to describe the authentication process. We need to change it a little bit to allow CAS to switch to OpenId authentication if it recognizes one. This is done in the login-webflow.xml file. After the on-start element, add these two blocks:

<!-- If the request contains a parameter called openid.mode and is not an association request, switch to openId. Otherwise, continue normal webflow. -->
<decision-state id="selectFirstAction">
    <if test="externalContext.requestParameterMap['openid.mode'] neq ''
              &amp;&amp; externalContext.requestParameterMap['openid.mode'] neq null
              &amp;&amp; externalContext.requestParameterMap['openid.mode'] neq 'associate'"
        then="openIdSingleSignOnAction" else="ticketGrantingTicketExistsCheck" />
</decision-state>

<!-- The OpenID authentication action. If authentication is successful, send the ticket granting ticket. Otherwise, redirect to the login form. -->
<action-state id="openIdSingleSignOnAction">
    <evaluate expression="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
    <transition on="warn" to="warn" />
</action-state>

 

Enable OpenId in the AuthenticationManager

The authentication manager is the place where authentication takes place. We must provide it with two elements needed for a successful OpenId authentication. The first thing to do is to detect the user name from the OpenId identifier. When your CAS server works as an OP, users will authenticate with an OpenId identifier looking like this: http://localhost:8080/cas/openid/fesnault. In your users database, this user's login is probably fesnault. We must provide the CAS server with a way to extract the user principal from the credentials the user presents. This is the first thing we'll do in this section: add an OpenIdCredentialsToPrincipalResolver to the authentication manager. The next thing to give CAS is a specialized authentication handler.

Open the deployerConfigContext.xml file, and locate the authenticationManager bean definition. It has two properties containing lists of beans. In the credentials-to-principal resolvers property, add this bean definition:

<!-- The openid credentials to principal resolver -->
<bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />

Then, in the authentication handlers property, add this bean definition:

<!-- The open id authentication handler -->
<bean class="org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler" p:ticketRegistry-ref="ticketRegistry" />

 

Adapt the Spring CAS servlet configuration

We now have to make CAS handle the OpenId requests it will be presented with. First, we'll add a handler for the /login URL when it is called to validate a ticket (CAS implements the dumb OpenId mode, which means it does not create an association at the beginning of the authentication process. The relying party must then check the received authentication success notification, which is done by one extra HTTP request at the end of the process). Anywhere in the cas-servlet.xml file, add this bean definition:

 

< bean id = "handlerMappingOpendId"
           class = "org.jasig.cas.support.openid.web.support.OpenIdPostUrlHandlerMapping" >
         <!-- Notice we set the order value to 2, which is the order of the flow handler mapping. We'll fix that just next.
         The OpenIDPostUrlHandlerMapping MUST be called before the login webflow action is called, otherwise we will never be able to validate the authentication success. -->
         < property name = "order" value = "2" />
         < property name = "mappings" >
             < props >
                 < prop key = "/login" >delegatingController</ prop >
             </ props >
         </ property >
     </ bean >

As we gave the order of 2 to the OpenIdPostUrlHandlerMapping, we must modify the FlowHandlerMapping order to give it the order of 3. Find the FlowHandlerMapping bean declaration and change p:order="2" to p:order="3".

< bean class = "org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:flowRegistry-ref = "flowRegistry"
    p:order = "3" >

 

In the handlerMappingOpenId, we referenced a bean called delegatingController. This bean is a special controller, using the Delegate pattern, which delegates the processing of a request to the first of its delegates that says it can handle it. So now we'll provide two delegate controllers. The first one handles the Smart OpenId association, and the second processes the authentication and ticket validation. Add these two beans to the file.

The Smart OpenId controller:

< bean id = "smartOpenIdAssociationController" class = "org.jasig.cas.support.openid.web.mvc.SmartOpenIdController"
         p:serverManager-ref = "serverManager"
         p:successView = "casOpenIdAssociationSuccessView" p:failureView = "casOpenIdAssociationFailureView" />

The OpenId validation controller:

< bean id = "openIdValidateController" class = "org.jasig.cas.web.ServiceValidateController"
           p:validationSpecificationClass = "org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
           p:centralAuthenticationService-ref = "centralAuthenticationService"
           p:proxyHandler-ref = "proxy20Handler" p:argumentExtractor-ref = "openIdArgumentExtractor"
           p:successView = "casOpenIdServiceSuccessView" p:failureView = "casOpenIdServiceFailureView" />

We are done with the delegates. Now we must create the delegating controller itself, and give it a list referencing the two delegates we just defined. So add this definition:

 

< bean id = "delegatingController" class = "org.jasig.cas.web.DelegatingController"
  p:delegates-ref = "delegateControllers" />
 
< util:list id = "delegateControllers" >
      < ref bean = "smartOpenIdAssociationController" />
      < ref bean = "openIdValidateController" />
  </ util:list >

Also, add the indicated lines to the <beans> element at the top of the file, if they're not already there:

        ...
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="...
        ...">

 

Next, we'll give CAS a handler for the openIdSingleSignOnAction we referenced in the Spring webflow definition file. So add this bean definition anywhere:

<!-- Be Careful
     The OpenIdSingleSignOnAction has an additional parameter not configured here.
     It's the "extractor" property, which accepts an "org.jasig.cas.support.openid.web.support.OpenIdUserNameExtractor".
     The default one merely accepts the value after the last "/".
     A more robust implementation should check the entire URL. Note that this means the default one SHOULD NOT be used in production.
-->

<bean id="openIdSingleSignOnAction" class="org.jasig.cas.support.openid.web.flow.OpenIdSingleSignOnAction"
      p:centralAuthenticationService-ref="centralAuthenticationService" />
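The warning above is the one place in this setup where a configuration default turns into an authentication weakness: an extractor that only takes the text after the last "/" will accept an identifier under any host or path as long as it ends in a known login. Below is an added example of the "check the entire URL" extractor the note asks for. It is not CAS project code. It assumes (from the note above) that the CAS extractor contract is a single method `extractLocalUsernameFromUri(String)` returning the local login or null, and that your server issues every identifier under one fixed prefix (here https://my.cas.server/cas/openid/, built from the host on this page; adjust to your server.prefix). To keep it compilable on its own it does not declare `implements OpenIdUserNameExtractor`; add that clause, and wire the bean into the action (the property is named "extractor" per the note, so `p:extractor-ref` is the assumed Spring form) when you deploy it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

// Added example, not CAS code. Accepts only identifiers of the form
// <scheme>://<host>[:port]<pathPrefix><login> where scheme/host/port/prefix
// match the configured issuer prefix exactly, and <login> is a single safe
// path segment. Everything else maps to null (no user).
public final class PrefixCheckingOpenIdUserNameExtractor {

    // Local logins: alphanumeric start, then a conservative character set; no "/" or "..".
    private static final Pattern LOGIN = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private final String scheme;
    private final String host;
    private final int port;
    private final String pathPrefix;

    public PrefixCheckingOpenIdUserNameExtractor(final String issuerPrefix) {
        final URI base = URI.create(issuerPrefix);
        if (base.getScheme() == null || base.getHost() == null) {
            throw new IllegalArgumentException("issuer prefix must be an absolute URL");
        }
        this.scheme = base.getScheme().toLowerCase();
        this.host = base.getHost().toLowerCase();
        this.port = effectivePort(base);
        final String path = base.getPath();
        this.pathPrefix = path.endsWith("/") ? path : path + "/";
    }

    // Treat an omitted port as the scheme default so "host" and "host:443" compare equal.
    private static int effectivePort(final URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Returns the local login, or null if the identifier was not issued by this server. */
    public String extractLocalUsernameFromUri(final String uri) {
        if (uri == null) {
            return null;
        }
        final URI parsed;
        try {
            parsed = new URI(uri).normalize(); // collapses "." and ".." segments before the prefix check
        } catch (URISyntaxException e) {
            return null;
        }
        if (parsed.getScheme() == null || !scheme.equalsIgnoreCase(parsed.getScheme())) {
            return null;
        }
        if (parsed.getHost() == null || !host.equalsIgnoreCase(parsed.getHost())) {
            return null;
        }
        if (effectivePort(parsed) != port) {
            return null;
        }
        // Userinfo, query and fragment have no business in an identifier we issued.
        if (parsed.getUserInfo() != null || parsed.getQuery() != null || parsed.getFragment() != null) {
            return null;
        }
        final String path = parsed.getPath();
        if (path == null || !path.startsWith(pathPrefix)) {
            return null;
        }
        final String login = path.substring(pathPrefix.length());
        return LOGIN.matcher(login).matches() ? login : null;
    }

    public static void main(final String[] args) {
        final PrefixCheckingOpenIdUserNameExtractor x =
            new PrefixCheckingOpenIdUserNameExtractor("https://my.cas.server/cas/openid/");
        System.out.println(x.extractLocalUsernameFromUri("https://my.cas.server/cas/openid/fesnault"));     // fesnault
        System.out.println(x.extractLocalUsernameFromUri("https://my.cas.server:443/cas/openid/fesnault")); // fesnault
        System.out.println(x.extractLocalUsernameFromUri("http://my.cas.server/cas/openid/fesnault"));      // null (scheme)
        System.out.println(x.extractLocalUsernameFromUri("https://other.example/cas/openid/fesnault"));     // null (host)
        System.out.println(x.extractLocalUsernameFromUri("https://my.cas.server/cas/openid/../fesnault"));  // null (prefix)
        System.out.println(x.extractLocalUsernameFromUri("https://my.cas.server/cas/openid/"));             // null (empty)
    }
}
```

The default extractor described in the note would return "fesnault" for every one of the inputs above except the last; this version returns it only for identifiers the server itself could have issued, which is the whole point of checking the entire URL rather than its tail.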

Add an argument extractor

Finally, we must tell CAS how to extract the OpenId parameters from the authentication request (openid.mode, openid.sig, openid.assoc_handle...). This is done in the argumentExtractorsConfiguration.xml file, located in the spring-configuration directory. Add this bean to the file:

<bean id= "openIdArgumentExtractor" class = "org.jasig.cas.support.openid.web.support.OpenIdArgumentExtractor" />

 

Then add a reference to this bean to the argument extractors list, just below in the file:

< util:list id = "argumentExtractors" >
         < ref bean = "casArgumentExtractor" />
         <!-- The OpenId arguments extractor -->
         < ref bean = "openIdArgumentExtractor" />
         < ref bean = "samlArgumentExtractor" />
      </ util:list >

 

Next we must provide a ServerManager, a class from the openid4java library that handles the Diffie-Hellman key exchange used by the association process. In the spring-configuration/applicationContext.xml file, add this bean definition:

< bean id = "serverManager" class = "org.openid4java.server.ServerManager"
          p:oPEndpointUrl = "${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
          p:enforceRpId = "false"  />

And finally, we need an application context provider, so add this bean to spring-configuration/applicationContext.xml:

< bean id = "applicationContextProvider" class = "org.jasig.cas.util.ApplicationContextProvider" />

You're done! CAS is now configured to work as an OpenId Provider.
