JASIG CAS 3 Learning Note 1 -- getting started


Background Information

 

Access Control

 

Access control systems provide the essential services of authorization, identification and authentication, access approval, and accountability:

·         authorization specifies what a subject can do

·         identification and authentication ensure that only legitimate subjects can log on to a system

·         access approval grants access during operations, by associating users with the resources they are allowed to access, based on the authorization policy

·         accountability identifies what a subject (or all subjects associated with a user) did

Central Authentication Service (CAS) is a solution for the authentication service.

 

Single Sign-On

 

Single sign-on (SSO) is a property of access control across multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

To implement a single sign-on system, the following two requirements must be considered:

·         A unified authentication service

·         Changing every web app that needs the SSO service so that it uses the unified authentication service.

 

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL)

 

JASIG Central Authentication Service (CAS)

The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.

When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory).

If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can all implement CAS.

 

 

Preparation Work

Download CAS server and client

Download CAS server and client from internet:

·         cas-client-3.2.1

·         cas-server-3.5.2

Use keytool to generate the keystore file and import the certificate file

It includes 3 steps:

·         Delete the certificate and keystore entry if they already exist

·         Create the .keystore file and export a .crt file from the keystore

·         Import the created certificate into the Java trusted certificate repository (cacerts)

Before you run the batch script below, make sure that:

·         the JDK is preferably not installed in the default path C:\program files\java, because "program files" contains a space, which can cause odd problems

·         the same JDK is used by the Tomcat server in Eclipse

·         JAVA_HOME is set as a system environment variable

·         the Java bin executables are included in PATH

The batch script is listed below:

REM Remove any previous copy of the certificate from the JDK trust store (cacerts)
keytool -delete -alias tomcatsso -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

REM Remove any previous key pair from the default keystore (.keystore in the user's home directory, used whenever -keystore is omitted)
keytool -delete -alias tomcatsso -storepass changeit

REM Generate a new RSA key pair and self-signed certificate for CN=localhost in the default keystore
keytool -genkey -keyalg RSA -keysize 1024 -alias tomcatsso -dname "CN=localhost" -storepass changeit

REM Export the certificate (public part only) to a .crt file
keytool -export -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -storepass changeit

REM Import the exported certificate into the JDK trust store so the JVM running the CAS client trusts the server
keytool -import -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -keystore %java_home%/jre/lib/security/cacerts -storepass changeit

keytool is provided by the JDK.

The password given with -storepass is used to access the JDK trusted certificate repository; its default password is changeit.

-dname represents the certificate owner's information. It has the following fields:

CN=Computer Name, OU=Organization Unit Name, O=Organization Name, L=City or Region Name, ST=State Name, C=Country Name

CN should be the full computer name, but it can be localhost.
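As an added example (not part of the original post), the Python script below encodes the preconditions listed above as checks and turns the batch script into an explicit command plan: the same five keytool steps, with -keystore passed on every step so nothing silently depends on the default keystore, and the two delete steps marked as allowed to fail because on a fresh machine there is nothing to delete yet. The alias, CN and store password are the post's; the 2048-bit key size is an assumption (the post's script uses 1024), and -keypass and -noprompt are standard keytool options added so the steps run without interactive prompts.

```python
import os
import subprocess
from pathlib import Path

# Added example, not from the original post. Defaults mirror the post's batch
# script (alias tomcatsso, CN=localhost, store password changeit); the 2048-bit
# key size is an assumption (the post uses 1024).


def check_java_home(env):
    """Enforce the post's preconditions: JAVA_HOME is set and contains no space."""
    java_home = env.get("JAVA_HOME")
    if not java_home:
        raise EnvironmentError("JAVA_HOME is not set")
    if " " in java_home:
        raise EnvironmentError(f"JAVA_HOME contains a space: {java_home!r}")
    return java_home.replace("\\", "/")


def keytool_plan(java_home, alias="tomcatsso", cn="localhost",
                 storepass="changeit", keystore="~/.keystore", keysize=2048):
    """Return the five keytool steps as (argv, may_fail) pairs."""
    security_dir = f"{java_home}/jre/lib/security"
    cacerts = f"{security_dir}/cacerts"          # JDK trust store
    crt = f"{security_dir}/{alias}.crt"          # exported certificate
    ks = str(Path(keystore).expanduser())        # same file keytool uses when -keystore is omitted
    common = ["-alias", alias, "-storepass", storepass]
    return [
        # 1. delete steps may fail on a fresh machine (nothing to delete yet)
        (["keytool", "-delete", "-keystore", cacerts] + common, True),
        (["keytool", "-delete", "-keystore", ks] + common, True),
        # 2. generate key pair + self-signed cert, then export the cert
        (["keytool", "-genkey", "-keyalg", "RSA", "-keysize", str(keysize),
          "-dname", f"CN={cn}", "-keystore", ks, "-keypass", storepass] + common, False),
        (["keytool", "-export", "-file", crt, "-keystore", ks] + common, False),
        # 3. import into cacerts; -noprompt skips the "Trust this certificate?" question
        (["keytool", "-import", "-noprompt", "-file", crt, "-keystore", cacerts] + common, False),
    ]


def run_plan(plan, dry_run=True):
    """Execute the plan in order; return the commands that were (or would be) run."""
    executed = []
    for argv, may_fail in plan:
        executed.append(argv)
        if dry_run:
            continue
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0 and not may_fail:
            raise RuntimeError(f"{argv[1]} failed: {result.stderr.strip()}")
    return executed


if __name__ == "__main__":
    home = check_java_home(os.environ)
    for argv in run_plan(keytool_plan(home), dry_run=True):
        print(" ".join(argv))
```

Run it as-is to print the plan; pass dry_run=False to run_plan once JAVA_HOME passes the check. The delete steps fail when the alias is absent, as the post's "if they exist" wording intends; any other failure stops the run.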

CAS Server Deployment

Create the CasServer project

Click Eclipse->File->New->Dynamic Web Project to create the web project, select Target Runtime as Apache Tomcat v7.0, select Dynamic web module version as 3.0, select configuration as Default Configuration for Apache Tomcat v7.0

Unzip cas-server-3.5.2.zip file, in the extracted folder you can find cas-server-uber-webapp-3.5.2.war, unzip this file to the project folder: /CasServer/WebContent

Configure server.xml to enable HTTPS connection

If you have created a tomcat server for CasServer, the configuration file for this tomcat server should be under project Servers.

Open server.xml file in /Servers/Tomcat v7.0 Server at localhost-config/server.xml

Add or replace the following XML to enable the HTTPS connector:

<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="C:/Documents and Settings/yourname/.keystore" keystorePass="changeit"
           maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https"
           secure="true" sslProtocol="TLS"
           truststoreFile="C:/Java/jdk1.7.0_45/jre/lib/security/cacerts" />

Log in to CasServer over an HTTPS connection

Add CasServer to Tomcat for deployment

Start the Tomcat server

Access the CasServer web application at the URL: https://localhost:8443/CasServer

If the login is successful, the following screen should be displayed:

CAS Application Deployment

Create the CasSample project

Click Eclipse->File->New->Dynamic Web Project to create the web project, select Target Runtime as Apache Tomcat v7.0, select Dynamic web module version as 3.0, select configuration as Default Configuration for Apache Tomcat v7.0

Unzip the cas-client-3.2.1.zip file. In the extracted folder you can find all the library jars under cas-client-3.2.1\modules; copy the following required jars to the project folder /CasSample/WebContent/WEB-INF/lib:

·         cas-client-core-3.1.12.jar

·         commons-codec-1.8.jar

·         log4j-1.2.16.jar

·         opensaml1-1.1.jar

·         xmlsec-1.4.3.jar

Configure web.xml to enable SSO

Copy the following configuration into web.xml.

serverName should be the same as the CN value of the created certificate (-dname "CN=localhost").

 

<filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
      <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://localhost:8443/CasServer/login</param-value>
      </init-param>
      <init-param>
            <param-name>serverName</param-name>
            <param-value>https://localhost:8443</param-value>
      </init-param>
</filter>

<filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
      <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://localhost:8443/CasServer</param-value>
      </init-param>
      <init-param>
            <param-name>serverName</param-name>
            <param-value>https://localhost:8443</param-value>
      </init-param>
      <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
      </init-param>
      <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
      </init-param>
      <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
      </init-param>
</filter>

<filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>
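The redirect-and-validate exchange described in the CAS overview earlier, and the job the three web.xml filters above do, are shown here as an added Python model; it is not CAS client code. It assumes the CAS 2.0 XML validation endpoint (/serviceValidate) rather than the SAML 1.1 one configured above, takes the HTTP fetch as a parameter, and stands in a constructed fake CAS server for the real one so that it runs offline. serverName is taken to be the address of the application itself (http://localhost:8080 here, an assumption; the web.xml above uses https://localhost:8443), because the client builds the service URL from it. The fake server also shows the two checks that make a stolen or replayed ticket useless: it is bound to the service URL it was issued for, and it is consumed on first validation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not CAS client code. The CAS URLs follow the web.xml above;
# SERVER_NAME as the application's own address is an assumption.
CAS_LOGIN_URL = "https://localhost:8443/CasServer/login"
CAS_URL_PREFIX = "https://localhost:8443/CasServer"
SERVER_NAME = "http://localhost:8080"
CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of CAS 2.0 XML responses


def build_login_redirect(service, cas_login_url=CAS_LOGIN_URL):
    """Authentication filter: no session and no ticket -> send the browser to CAS."""
    return cas_login_url + "?" + urlencode({"service": service})


def build_validate_url(service, ticket, cas_url_prefix=CAS_URL_PREFIX):
    """Validation filter: back-channel call to CAS. Refuse to make it over plain HTTP."""
    if urlparse(cas_url_prefix).scheme != "https":
        raise ValueError("ticket validation must use HTTPS")
    return cas_url_prefix.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation_response(xml_text):
    """Return the authenticated user, or raise if CAS reported a failure."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        return success.findtext(f"{{{CAS_NS}}}user")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    code = failure.get("code") if failure is not None else "UNKNOWN"
    raise PermissionError(f"CAS rejected ticket: {code}")


def handle_request(request_url, session, fetch, server_name=SERVER_NAME):
    """One pass through the filter chain. Returns ('ok', user) or ('redirect', url)."""
    if "user" in session:                       # useSession=true: assertion is cached
        return ("ok", session["user"])
    parsed = urlparse(request_url)
    service = server_name.rstrip("/") + parsed.path   # the ticket param is not part of the service URL
    ticket = parse_qs(parsed.query).get("ticket", [None])[0]
    if ticket is None:
        return ("redirect", build_login_redirect(service))
    user = parse_validation_response(fetch(build_validate_url(service, ticket)))
    session["user"] = user
    return ("ok", user)


class FakeCasServer:
    """Constructed stand-in for /serviceValidate: tickets are bound to a service and single-use."""
    SUCCESS = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationSuccess><cas:user>{user}</cas:user>'
               '</cas:authenticationSuccess></cas:serviceResponse>')
    FAILURE = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationFailure code="INVALID_TICKET">'
               'Ticket not recognized</cas:authenticationFailure></cas:serviceResponse>')

    def __init__(self, issued):
        self.issued = dict(issued)   # ticket -> (service it was issued for, user)

    def fetch(self, url):
        q = parse_qs(urlparse(url).query)
        ticket = q.get("ticket", [""])[0]
        service = q.get("service", [""])[0]
        entry = self.issued.pop(ticket, None)            # consumed on first use
        if entry is not None and entry[0] == service:    # must match the issuing service
            return self.SUCCESS.format(user=entry[1])
        return self.FAILURE


def demo():
    """Walk through the flow with constructed tickets; return the outcome of each step."""
    cas = FakeCasServer({"ST-1-abc": ("http://localhost:8080/CasSample/", "alice"),
                         "ST-2-xyz": ("http://localhost:8080/CasSample/admin", "bob")})
    session, out = {}, {}
    out["unauthenticated"] = handle_request("http://localhost:8080/CasSample/", session, cas.fetch)
    out["validated"] = handle_request("http://localhost:8080/CasSample/?ticket=ST-1-abc", session, cas.fetch)
    out["from_session"] = handle_request("http://localhost:8080/CasSample/other", session, cas.fetch)
    for name, url in (("replayed", "http://localhost:8080/CasSample/?ticket=ST-1-abc"),
                      ("wrong_service", "http://localhost:8080/CasSample/?ticket=ST-2-xyz")):
        try:
            out[name] = handle_request(url, {}, cas.fetch)
        except PermissionError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The first request yields the redirect to casServerLoginUrl with the service parameter; the second carries the ticket CAS appended on the way back and is validated over the back channel; the third is answered from the session. The last two show CAS refusing a ticket presented twice and a ticket presented by a different service than the one it was issued for. The model does not implement proxy tickets; note that acceptAnyProxy=true in the validation filter above tells the real client to accept a ticket that arrived through any chain of proxying applications, which is convenient for a learning setup but not a setting to carry into production unchanged.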

Log in to CasSample using SSO

Add CasSample to Tomcat for deployment

Start the Tomcat server

Access the CasSample web application at the URL: http://localhost:8080/CasSample/

If the login is successful, the following screen should be displayed:

Click Yes and the CAS login screen is displayed; enter any username and password that are the same string.

The index.jsp of CasSample is displayed, and the Authenticated User Id is displayed correctly.
