单点登录 - CAS【九】CAS支持HTTP协议

我们知道CAS SSO 是基于HTTPS协议的单点登陆，如果要用HTTP协议进行传输，那么就需要修改CAS的相关的配置文件，图了方便，但是安全性大打折扣，对于单点登录，一旦被攻击，那么你的所有属于CAS管理的业务系统都可以被自由访问了。个人并不赞成使用HTTP协议，牺牲一点性能换取更好的安全性是值得的。

 

一、软件环境

  1、cas-client：cas-client-3.2.1-release

  2、cas-server：cas-server-3.5.2-release

 

二、修改步骤

  1、文件warnCookieGenerator.xml

     

<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
		p:cookieSecure="true"
		p:cookieMaxAge="-1"
		p:cookieName="CASPRIVACY"
		p:cookiePath="/cas" />

 

 

  2、文件ticketGrantingTicketCookieGenerator.xml

    

<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
		p:cookieSecure="true"
		p:cookieMaxAge="-1"
		p:cookieName="CASTGC"
		p:cookiePath="/cas" />

 

 

   将bean中的p:cookieSecure="true "修改为p:cookieSecure="false"

 

  3、文件deployerConfigContext.xml

    

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />

 添加p:requireSecure="false"

 

 

 如果我们使用的是基于Filter在web.xml中的方式，至此使用HTTP协议就可以单点登录了。

 如果我们使用的Java Core Object的方式，那么还需要进行的下面的步骤

   

  4、文件SecureURL.java

  

/*
 *  Copyright (c) 2000-2003 Yale University. All rights reserved.
 *
 *  THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
 *  DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
 *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
 *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
 *  DAMAGE.
 *
 *  Redistribution and use of this software in source or binary forms,
 *  with or without modification, are permitted, provided that the
 *  following conditions are met:
 *
 *  1. Any redistribution must include the above copyright notice and
 *  disclaimer and this list of conditions in any related documentation
 *  and, if feasible, in the redistributed software.
 *
 *  2. Any redistribution must include the acknowledgment, "This product
 *  includes software developed by Yale University," in any related
 *  documentation and, if feasible, in the redistributed software.
 *
 *  3. The names "Yale" and "Yale University" must not be used to endorse
 *  or promote products derived from this software.
 */

package org.jasig.cas.client.corejavaobject.util;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * A class housing some utility functions exposing secure URL validation
 * and content retrieval.  The rules are intended to be about as restrictive
 * as a common browser with respect to server-certificate validation.
 */
public class SecureURL {

		private static Log log = LogFactory.getLog(SecureURL.class);
	
    /**
     * For testing only...
     */
    public static void main(String args[]) throws IOException {
        System.setProperty(
            "java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
        System.out.println(SecureURL.retrieve(args[0]));
    }

    /** 
     * Retrieve the contents from the given URL as a String, assuming the
     * URL's server matches what we expect it to match.
     */
    public static String retrieve(String url) throws IOException {
    	if (log.isTraceEnabled()){
    		log.trace("entering retrieve(" + url + ")");
    	}
        BufferedReader r = null;
        try {
            URL u = new URL(url);
            if (!u.getProtocol().equals("https")){
            	// IOException may not be the best exception we could throw here
            	// since the problem is with the URL argument we were passed, not
            	// IO. -awp9
            	log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
							throw new IOException("only 'https' URLs are valid for this method");
            }
                
            URLConnection uc = u.openConnection();
            uc.setRequestProperty("Connection", "close");
            r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
            String line;
            StringBuffer buf = new StringBuffer();
            while ((line = r.readLine()) != null)
                buf.append(line + "\n");
            return buf.toString();
        } finally {
            try {
                if (r != null)
                    r.close();
            } catch (IOException ex) {
                // ignore
            }
        }
    }
}

 

找到下面的部分

 

if (!u.getProtocol().equals("https")){
            	// IOException may not be the best exception we could throw here
            	// since the problem is with the URL argument we were passed, not
            	// IO. -awp9
            	log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
							throw new IOException("only 'https' URLs are valid for this method");
            }

 相信大家应该明白了吧，只需要将此部分注释掉即可。

 

备注：cookieSecure都修改false，我们来看下其作用是什么？

   Secure是Cookie的一个属性。

   属性值

         如果客户端仅在使用安全超文本传输协议 (HTTPS) 的后继请求中返回 Cookie，则为 true；否则为 false。默认为 false。 

 

实际上，当此属性为 true 时，该 Cookie 只能通过 https:// 请求来发送。即使用http协议是无法传递Cookie的。