`
wu_quanyin
  • 浏览: 208133 次
  • 性别: Icon_minigender_1
  • 来自: 福建省
社区版块
存档分类
最新评论

CAS(单点登陆)---总结一

阅读更多

单点登录(sso)是指基于用户/会话认证的一个过程,用户只需一次性提供凭证(仅一次登录),就可以访问多个应用。  

 

 一, 最近一段时间公司进行系统整合,公司决定采用yale cas 单点登录进行整合,在这里对在项目整合中遇到的问题进行总结:

  1,到官方上下载CAS2.x服务器改名为ssoAuth

 

  2,以ssoAuth/login为所有系统的登录页,对每个系统进行配置,配置如下:

 可查看这篇文章:http://129-cat-163-com.iteye.com/blog/477506

 

 3,在登录之后,遇到一个问题,就是重新刷新又回到登录页(在登录之后会产生一个CASTGC的cookie)

 解决:

更改ssoAuth/WebContent/spring-configuration/ticketGrantingTicketCookieGenerator.xml中的  p:cookiePath="/ssoAuth" 和warnCookieGenerator.xml中的p:cookiePath="/ssoAuth" 因为更改了登录名之后,cookie path设置的值没有相应的改变..在验证时获取不到castgc的cookie

 

  4,不跳转到ssoAuth/login下每一个系统都自定义登录页,

 可查看这这里面的三篇文章:http://hi.baidu.com/fallenlord/blog/item/ecaa5f263e52cf0b908f9d21.html

 

  5,代理问题

 代理可解决的问题:

  当一个系统1要去取另一个系统2的数据时,两台不在同一台电脑上,而这两个又被同时都加到单点登录中,这时当你1系统已经登录要去取2系统的数据时,而2系统还没有登录,这时取不到数据??

这时候代理就派上用场.代理票据的产生

http://www.blogjava.net/security/archive/2006/04/26/SSO_CASProxy.html

 解决:

 可先查看这篇文章http://fallenlord.blogbus.com/logs/57175888.html 

 再以下详解:

 在ssoProxyClient(代理端) ssoProxyBackClient(被代理端) ssoAuth上都要进行配置,

 ssoAuth:在整合时发现一个问题,查找源代码,客户端配置正确而不返回代理票据

 deployerConfigContext.xml下配置

 

下面的httpClient要添加上去	

<bean
					class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" p:requireSecure="false" />

  代理端与被代理端都要进行配置(配置较长,不一一介绍)有需要留下联系地址,我发过去...

 

7,代理性能问题解决:

 如以上问题所述,系统2变成了被代理的系统,代理系统1每次要到被代理服务器去取一次票据之后,传到系统2去,这时系统2也要到服务器去取下验证的代理票据,进行比对,,

这样一来,每次都要与服务器通信两次,,,性能耗费很大,在不考虑安全性的前提下,可以对双方进行保存一个票据,这样一来,不管访问多少次,只在服务器通信了两次.

我对以上的代理与被代理系统进行了扩展,,一样)有需要留下联系地址,我发过去...

 

8,客户端可以返回更多的用户数据,这个有两处要进行配置

 以下提供一个较完整的deployerConfigContext.xml的配置,一般有用到都在这里面

 <?xml version="1.0" encoding="UTF-8"?>

	<!--
		| deployerConfigContext.xml centralizes into one file some of the
		declarative configuration that | all CAS deployers will need to
		modify. | | This file declares some of the Spring-managed JavaBeans
		that make up a CAS deployment. | The beans declared in this file are
		instantiated at context initialization time by the Spring |
		ContextLoaderListener declared in web.xml. It finds this file because
		this | file is among those declared in the context parameter
		"contextConfigLocation". | | By far the most common change you will
		need to make in this file is to change the last bean | declaration to
		replace the default SimpleTestUsernamePasswordAuthenticationHandler
		with | one implementing your approach for authenticating usernames and
		passwords. +
	-->

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
	<!--
		cas数据源。 
	 -->
	<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
		<property name="driverClassName">
			<value>net.sourceforge.jtds.jdbc.Driver</value>
		</property>
		<property name="url">
			<value>jdbc:jtds:sqlserver://192.168.4.22:3433/db</value>
		</property>
		<property name="username">
			<value>****</value>
		</property>
		<property name="password">
			<value>****</value>
		</property>
	</bean>
 

	<bean id="passwordEncoder"
		class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
		autowire="byName">
		<constructor-arg value="MD5" />
	</bean>
	
	<bean id="passwordEncoder2"
		class="org.jasig.cas.authentication.handler.PlainTextPasswordEncoder">
	</bean>
	
	<!--
		| This bean declares our AuthenticationManager. The
		CentralAuthenticationService service bean | declared in
		applicationContext.xml picks up this AuthenticationManager by
		reference to its id, | "authenticationManager". Most deployers will be
		able to use the default AuthenticationManager | implementation and so
		do not need to change the class of this bean. We include the whole |
		AuthenticationManager here in the userConfigContext.xml so that you
		can see the things you will | need to change in context. +
	-->
	<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<!--
			| This is the List of CredentialToPrincipalResolvers that identify
			what Principal is trying to authenticate. | The
			AuthenticationManagerImpl considers them in order, finding a
			CredentialToPrincipalResolver which | supports the presented
			credentials. | | AuthenticationManagerImpl uses these resolvers for
			two purposes. First, it uses them to identify the Principal |
			attempting to authenticate to CAS /login . In the default
			configuration, it is the DefaultCredentialsToPrincipalResolver | that
			fills this role. If you are using some other kind of credentials than
			UsernamePasswordCredentials, you will need to replace |
			DefaultCredentialsToPrincipalResolver with a
			CredentialsToPrincipalResolver that supports the credentials you are
			| using. | | Second, AuthenticationManagerImpl uses these resolvers
			to identify a service requesting a proxy granting ticket. | In the
			default configuration, it is the
			HttpBasedServiceCredentialsToPrincipalResolver that serves this
			purpose. | You will need to change this list if you are identifying
			services by something more or other than their callback URL. +
		-->
		<property name="credentialsToPrincipalResolvers">
			<list>

				<!--
					| UsernamePasswordCredentialsToPrincipalResolver supports the
					UsernamePasswordCredentials that we use for /login | by default and
					produces SimplePrincipal instances conveying the username from the
					credentials. | | If you've changed your LoginFormAction to use
					credentials other than UsernamePasswordCredentials then you will
					also | need to change this bean declaration (or add additional
					declarations) to declare a CredentialsToPrincipalResolver that
					supports the | Credentials you are using. +
				-->
				<bean
					class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
					<property name="attributeRepository">
						<ref local="attributeRepository" />
					</property>
				</bean>
				<!--
					| HttpBasedServiceCredentialsToPrincipalResolver supports
					HttpBasedCredentials. It supports the CAS 2.0 approach of |
					authenticating services by SSL callback, extracting the callback
					URL from the Credentials and representing it as a | SimpleService
					identified by that callback URL. | | If you are representing
					services by something more or other than an HTTPS URL whereat they
					are able to | receive a proxy callback, you will need to change
					this bean declaration (or add additional declarations). +
				-->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>

		<!--
			| Whereas CredentialsToPrincipalResolvers identify who it is some
			Credentials might authenticate, | AuthenticationHandlers actually
			authenticate credentials. Here we declare the AuthenticationHandlers
			that | authenticate the Principals that the
			CredentialsToPrincipalResolvers identified. CAS will try these
			handlers in turn | until it finds one that both supports the
			Credentials presented and succeeds in authenticating. +
		-->
		<property name="authenticationHandlers">
			<list>
                       <!--这里面的用户表验证,可以配置多个,由上向下的表验证,只要有一个成功就退出-->
			<!-- support EAP database -->
				<bean
					class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
					<property name="dataSource" ref="casDataSource" />
					<property name="sql"
						value="SELECT Password FROM table1 WHERE Id = ?" />
					<property name="passwordEncoder" ref="passwordEncoder" />
				</bean>
				
				<!-- support another user table,对以上的类进行扩展,不采用那样的验证机制 -->
				<bean
					class="com.wqy.sso.auth.QueryDatabaseAuthenticationHandler2">
					<property name="dataSource" ref="casDataSource" />
					<property name="sql"
						value="SELECT FGUID FROM table2 WHERE FUserID = ? and cast(ID as varchar(50))=?" />
                <!--改变加密机制-->
				<property name="passwordEncoder" ref="passwordEncoder2" />
				</bean>
				<!--
					| This is the authentication handler that authenticates services by
					means of callback via SSL, thereby validating | a server side SSL
					certificate. +
				-->
				<bean
					class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" p:requireSecure="false" />
				<!--
					| This is the authentication handler declaration that every CAS
					deployer will need to change before deploying CAS | into
					production. The default
					SimpleTestUsernamePasswordAuthenticationHandler authenticates
					UsernamePasswordCredentials | where the username equals the
					password. You will need to replace this with an
					AuthenticationHandler that implements your | local authentication
					strategy. You might accomplish this by coding a new such handler
					and declaring | edu.someschool.its.cas.MySpecialHandler here, or
					you might use one of the handlers provided in the adaptors modules.
					+				
				<bean
					class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
				-->	
			</list>
		</property>
	</bean>


	<!--
		This bean defines the security roles for the Services Management
		application. Simple deployments can use the in-memory version. More
		robust deployments will want to use another option, such as the Jdbc
		version. The name of this should remain "userDetailsService" in order
		for Acegi to find it. To use this, you should add an entry similar to
		the following between the two value tags: battags=notused,ROLE_ADMIN

		where battags is the username you want to grant access to. You can put
		one entry per line.
	-->
	<bean id="userDetailsService"
		class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name="userMap">
			<value>

			</value>
		</property>
	</bean>

	<!--
		Bean that defines the attributes that a service may return. This
		example uses the Stub/Mock version. A real implementation may go
		against a database or LDAP server. The id should remain
		"attributeRepository" though.
返回更多的用户信息,在这里进行配置
	-->
	<bean id="attributeRepository"
		class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
		<constructor-arg index="0" ref="casDataSource" />
			<constructor-arg index="1"
			value="SELECT FBy5 AS type,deptId,id,position FROM table  WHERE Fid=?" />
		<property name="queryAttributeMapping">
			<map>
               <!--
                                username:为登录的用户名 uid:系统内部会赋给以上的fid
                                 -->
				<entry key="username" value="uid" />
			</map>
		</property>
		<property name="resultAttributeMapping">
			<map>
				<entry key="id" value="id1" />
				<entry key="deptId" value="dept1" />
				<entry key="Position" value="position1"/>
				<entry key="type" value="type1" />
			</map>
		</property>
	</bean>

	<!--
		Sample, in-memory data store for the ServiceRegistry. A real
		implementation would probably want to replace this with the JPA-backed
		ServiceRegistry DAO The name of this bean should remain
		"serviceRegistryDao".
	-->
	<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
</beans>

--->看下一章节

 

 

分享到:
评论
2 楼 elan1986 2010-03-29  
正好 准备用到这个单点登录

谢谢了
1 楼 mingxiao2010 2010-03-29  
学习了,呵呵!

相关推荐

    struts2+cas单点登陆例子

    Struts2和CAS单点登录(SSO)的集成是一个常见的Web应用安全实践,它允许用户在一个系统登录后,无须再次输入凭证就能访问其他相互信任的系统。在这个例子中,我们将深入探讨如何在MyEclipse环境下使用Struts2框架与...

    tomcat cas 单点登陆

    ### Tomcat与CAS单点登录实现详解 #### 一、背景介绍 在现代企业级应用环境中,多个系统之间往往需要进行集成,以便于提供统一的用户体验和服务。其中一个关键的需求是实现单点登录(SSO, Single Sign-On)功能,即...

    cas单点登陆集成到简单maven项目的全部war包

    总结,这个压缩包提供了集成CAS单点登录到Maven项目所需的全部资源,包括服务端war包和客户端DEMO,是学习和实践SSO技术的好材料。通过深入理解和操作这些内容,你可以更好地掌握CAS的工作原理以及如何在实际项目中...

    CAS单点登陆测试实例demo,源码

    CAS(Central Authentication Service)是Java开发的一个开源的单点登录(Single Sign-On,简称SSO)系统,广泛应用于各类Web应用程序的身份验证。SSO允许用户通过一次登录,就能访问多个相互信任的应用系统,无需多...

    cas单点登陆带attribute客户端示例程序

    总结起来,这个"cas单点登陆带attribute客户端示例程序"是学习和实现CAS SSO的一个宝贵资源。通过研究和调整这个示例,开发者可以快速地将CAS集成到自己的Java应用中,同时处理中文属性,提高应用的安全性和用户体验...

    CAS3.5.2单点登录详解.docx

    CAS(Central Authentication Service)是一种流行的单点登录解决方案,主要用于提供统一身份验证和授权管理。CAS 3.5.2 是 CAS 的一个稳定版本,提供了许多实用的功能和配置项。在本文中,我们将详细介绍如何使用 ...

    JEECG 单点登录集成文档(kisso集成)

    Kisso是一个基于Java的单点登录框架,其核心机制是利用加密的会话cookie进行用户认证。其具备无状态和分散验证的特点,意味着用户登录信息存储在客户端,减轻了服务器的负担,并能实现跨域认证。 #### Session与...

    让CAS支持客户端自定义登陆页面----服务器篇-.pdf

    CAS是一种开源的身份验证框架,它提供单点登录(SSO)功能,通常用于集中管理多个应用系统的用户认证。以下是对文章内容的详细解析: **一、目标与原则** 1. **不影响原有统一登录界面功能**:修改的目标是在保留...

    spring boot 1.5.4 集成shiro+cas,实现单点登录和权限控制

    CAS(Central Authentication Service)是一种开源的身份验证协议,提供了单点登录和单点退出功能。CAS Server 是一个独立的服务器,负责处理身份验证请求。 Spring Boot 集成 Shiro+Cas 要在 Spring Boot 应用...

    cas 自定义登录页面

    CAS(Central Authentication Service)是一种广泛使用的开放源代码单点登录(Single Sign-On,SSO)框架,它允许用户通过一个中央认证服务访问多个应用系统,而无需为每个系统单独进行登录。在实际的企业环境中,...

    tomcat配置单点登录

    【单点登录(SSO)】单点登录(Single Sign-On,简称SSO)是一种让用户在访问多个相互信任的应用系统时只需登录一次的技术。它提高了用户体验,减少了因反复登录带来的不便,同时也强化了系统的安全性。SSO的核心...

    jsp如何实现单点登录

    在Web应用程序中,单点登录(Single Sign-On,SSO)是一种便捷的身份验证机制,允许用户在一次登录后,就能访问多个相互关联的应用系统,而无需再次输入凭证。在Java Web开发中,JSP常常用于构建用户界面,与Servlet...

    CAS SSO配置文档详解

    单点登录(Single Sign-On,简称SSO)是一种用户身份验证机制,允许用户在一个安全领域内访问多个应用系统,而无需多次输入身份验证信息。在税务行业信息化发展中,应用整合成为关键,SSO作为其核心组成部分,对于...

    完全跨域的单点登录 完全跨域的单点登录

    本篇文章将深入探讨这一主题,并基于给定的标签"SSO"、"Java"和"单点登陆"进行详细解析。 1. SSO原理: SSO的核心思想是用户只需在一个地方验证身份,然后这个验证结果可以被其他所有系统接受。这通常通过一个中心...

    前后端未分离的单点登录

    总结来说,"前后端未分离的单点登录"涉及到Java编程、SSO认证流程、CAS服务器的配置和使用,以及在非前后端分离架构下的安全性考虑。理解并实践这些知识点对于构建和维护大型企业级应用至关重要。

    统一身份认证4.1_接入文档 .doc

    统一身份认证 4.1 接入文档 ...统一身份认证 4.1 接入文档提供了一个完整的单点登录解决方案,使用 Spring Boot、CAS 和 Security 实现了单点登录。该解决方案可以应用于各种应用系统,提高用户的使用体验和安全性。

    jcifs-ext-0.9.4.jar/jcifs-1.3.3.jar

    描述中提到的"单点登陆(Single Sign-On,简称SSO)"是一种身份验证机制,允许用户在一次登录后访问多个相互信任的应用系统,无需为每个系统分别输入凭证。CAS(Central Authentication Service)是一个广泛使用的...

    spring security2 安全手册(牛人写的)

    - **运行配置了CAS的子系统**:部署并运行配置了CAS的子系统,确保单点登录功能正常工作。 - **为CAS配置SSL** - **生成密钥**:生成用于HTTPS连接的密钥。 - **为jetty配置SSL**:配置jetty服务器以支持HTTPS。 ...

Global site tag (gtag.js) - Google Analytics