Background Information
Access Control
Access control systems provide the essential services of authorization, identification and authentication, access approval, and accountability:
· authorization specifies what a subject can do
· identification and authentication ensure that only legitimate subjects can log on to a system
· access approval grants access during operations, by association of users with the resources that they are allowed to access, based on the authorization policy
· accountability identifies what a subject (or all subjects associated with a user) did
Central Authentication Service (CAS) is a solution for Authentication Service.
Single Sign-On
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.
To implement a single sign-on system, the following two requirments must be considered:
· An unified authentication service
· Change all the web apps which need SSO service to make sure they use the unified authentication service.
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL)
JASIG Central Authentication Service (CAS)
The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.
When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory).
If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.
CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can all implement CAS.
Preparation Work
Download CAS server and client
Download CAS server and client from internet:
· cas-client-3.2.1
· cas-server-3.5.2
User Keytool to generate keystore file and import certificate file
It includes 3 steps:
· Delete the certificate and keystore file if they exist
· Create the .keystore file and export .crt file from keystore
· Import the created certificate into java trusted certficate repository
Before you run below batch script, you need to make sure:
· JDK is better not installed in default path: C:\program files\java because “program files” contains a blank character which could cause weird problems.
· Make sure the same JDK is used by tomcat server in eclipse.
· JAVA_HOME is set in system environment variable
· Java bin executables are included in PATH
The batch script is listed as below:
keytool -delete -alias tomcatsso -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
keytool -genkey -keyalg RSA -keysize 1024 -alias tomcatsso -dname "CN=localhost" -storepass changeit
keytool -export -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -storepass changeit
keytool -import -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -keystore %java_home%/jre/lib/security/cacerts -storepass changeit
Keytool is provied by jdk.
The password for –storepass is used the access the jdk trusted certficate repository, and its default password is changeit.
-dname represents the certificat owners information. It has the following options:
CN=Computer Name, OU=Organization Unit Name, O=Organization Name, L=City or Region Name, ST=State Name, C=Country Name
CN should be the full computer name, but it can be localhost
CAS Server Deployment
Create the CasServer project
Click Eclipse->File->New->Dynamic Web Project to create the web project, select Target Runtime as Apache Tomcat v7.0, select Dynamic web module version as 3.0, select configuration as Default Configuration for Apache Tomcat v7.0
Unzip cas-server-3.5.2.zip file, in the extracted folder you can find cas-server-uber-webapp-3.5.2.war, unzip this file to the project folder: /CasServer/WebContent
Configure server.xml to enable HTTPS connection
If you have created a tomcat server for CasServer, the configuration file for this tomcat server should be under project Servers.
Open server.xml file in /Servers/Tomcat v7.0 Server at localhost-config/server.xml
Add/Replace the follow xml script to Tenable HTTPS connector:
<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="C:/Documents and Settings/yourname/.keystore" keystorePass="changeit"
maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS"
truststoreFile="C:/Java/jdk1.7.0_45/jre/lib/security/cacerts" />
Login CasServer by using HTTPS connection
Add CasServer to tomcat for the deployment
Start tomcat server
Access CasServer web application by using url: https://localhost:8443/CasServer
If login successful, the following screen should be displayed:
CAS Application Deployment
Create the CasSample project
Click Eclipse->File->New->Dynamic Web Project to create the web project, select Target Runtime as Apache Tomcat v7.0, select Dynamic web module version as 3.0, select configuration as Default Configuration for Apache Tomcat v7.0
Unzip cas-client-3.2.1.zip file, in the extracted folder you can find all the lib jars under cas-client-3.2.1\modules, copy the following required jar to project folder: /CasSample/WebContent/WEB-INF/lib:
· cas-client-core-3.1.12.jar
· commons-codec-1.8.jar
· log4j-1.2.16.jar
· opensaml1-1.1.jar
· xmlsec-1.4.3.jar
Configure web.xml to enable SSO
Copy the follow script into web.xml,
serverName should be the same as CN value of created certificate(-dname "CN=localhost")
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost:8443/CasServer/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/CasServer</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>acceptAnyProxy</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Login CasSample by using SSO
Add CasSample to tomcat for the deployment
Start tomcat server
Access CasServer web application by using url: http://localhost:8080/CasSample/
If login successful, the following screen should be displayed:
Click Yes and the CAS login screen is displayed, input any username and password as same string.
The index.jsp for CasSample is displayed, and Authenticated Usr Id is displayed correctly.
相关推荐
Maven坐标:org.jasig.cas.client:cas-client-core:3.2.1; 标签:jasig、client、cas、core、中英对照文档、jar包、java; 使用方法:解压翻译后的API文档,用浏览器打开“index.html”文件,即可纵览文档内容。 ...
1. CAS基础概念: - **单点登录**:用户只需登录一次,就能访问所有相互信任的应用系统,简化了用户的登录流程。 - **服务提供商(Service Provider)**:需要集成CAS的外部应用,它们依赖CAS进行用户身份验证。 ...
标题 "jasig-本地环境搭建二-使用简单demo运行" 指向的是一个关于 Jasig 开源项目在本地环境中进行部署和运行的教程。Jasig 是一个专注于高等教育技术的开源社区,其项目通常涉及身份认证、门户管理和集成解决方案。...
1. **克隆模板**:从`jasig-cas-4.0.x-overlay-template-master`克隆项目到本地开发环境。 2. **配置项目**:根据需求修改`pom.xml`以定制构建过程,包括依赖管理和插件配置。 3. **定制Web应用**:修改`src/main/...
- **克隆项目**:获取`modify-jasig-cas-master`源码。 - **环境准备**:确保Java运行环境(JDK)和构建工具(如Maven)已安装。 - **构建和运行**:使用Maven构建项目并启动CAS服务器。 - **配置调整**:根据...
1. 客户端应用向 CAS Server 发送身份认证请求。 2. CAS Server 对客户端应用进行身份认证,如果认证成功,将生成一个 Ticket。 3. CAS Server 将 Ticket 返回给客户端应用。 4. 客户端应用使用 Ticket 访问受保护...
这是已经调整过的cas服务端,maven项目 已完成内容 登录页面已做调整 验证码功能 记住我功能 多数据源支持(根据传入参数client确定用哪个数据源和sql语句) 运行该项目 先建立sys_account表,直接导入sys_...
接下来,`cas-server-support-jdbc`是 Jasig Central Authentication Service (CAS) 的一个模块,用于实现基于数据库的身份验证和授权。CAS是一种开放源代码的单点登录(Single Sign-On,SSO)框架,广泛应用于教育...
3. **票证验证**:CAS使用Ticket Granting Ticket(TGT)和Service Ticket的概念,确保了会话的安全性。TGT允许用户在多个服务之间移动,而无需重新认证;Service Ticket是为每个特定服务生成的一次性凭据。 4. **...
maven-jasig-legal-plugin-1.0.2-sources.jar
maven-jasig-legal-plugin-1.0.1-sources.jar
maven-jasig-legal-plugin-1.0.0-sources.jar
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter </filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>http://192.168.156.120:8080/cas</...
CAS(Central Authentication Service)是 Jasig 组织开发的一个开源的身份验证框架,它提供了一种集中式的、基于Web的单点登录(Single Sign-On, SSO)解决方案。"cas-server-3.5.2.1-release.zip" 是 CAS 服务器的...
予org.jasig.cas.client.util.CommonUtils 加入 public static void disableSSLVerification(){ try { // Create a trust manager that does not validate certificate chains TrustManager[] ...
### Jasig (CAS) 单点登录时序图解析 #### 一、概述 Jasig 开源项目下的 CAS(Central Authentication Service)是一款强大的单点登录解决方案,它为 Web 应用提供了一种集中式的认证服务。CAS 通过提供一个中心化...
5. **客户端集成**:对于每个要接入SSO的应用,需要集成CAS客户端库,如Java的 `jasig-cas-client`。客户端库负责在用户访问应用时跳转到CAS服务器进行认证,认证成功后返回到应用,并传递服务票据供应用验证。 6. ...
maven-jasig-legal-plugin-1.0.0.jar
** Jasig CAS 4.1.4 概述** Jasig Central Authentication Service(CAS)是一个开源的身份验证框架,主要用于实现单点登录(Single Sign-On, SSO)。它允许用户在一个应用系统中登录后,无需再次认证即可访问其他...