Reference article: https://wiki.jasig.org/display/CASUM/OpenID
OpenID is an open, decentralized, free framework for user-centric digital identity. Users represent themselves using URIs. For more information see http://www.openid.net. As of CAS 3.5, CAS supports both the "dumb" and "smart" modes of the OpenID protocol. Dumb mode acts in a similar fashion to the existing CAS protocol. Smart mode differs in that it establishes an association between the client and the OpenID provider (OP) at the beginning. Thanks to that association and the key exchange done during it, the information exchanged between the client and the provider is signed and verified using this key, so there is no need for the final request (which is equivalent, in the CAS protocol, to the ticket validation).
A demo of the OpenID support in CAS server is available at https://github.com/leleuj/cas-openid-demo.
Giving your users URIs
Configuring your users to have URIs.
OpenID identifiers are URIs. The default mechanism in CAS support is a URI ending with the actual user login (i.e. http://my.cas.server/openid/fesnault, where the actual user login is fesnault). This is not recommended, and you should think of a more elaborate way of providing URIs to your users.
Add OpenId support module to CAS server
The first thing to do, with a CAS server webapp, is to add the OpenID support module dependency. This is done by adding the following to the CAS server webapp pom.xml:
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-openid</artifactId>
    <version>${project.version}</version>
</dependency>
Be Careful: You must change the server prefix property of the CAS server to an https URL. Otherwise SSO will not work. Find the cas.properties file and edit the server.prefix URL to something like this: https://localhost:443/cas
Now let's dive into CAS configuration itself.
Update webflow
CAS uses a Spring Webflow to describe the authentication process. We need to change it a little to allow CAS to switch to OpenID authentication when it recognizes an OpenID request. This is done in the login-webflow.xml file. After the on-start element, add these two blocks (the && in the test expression must be written as &amp;&amp;, because a bare & is not well-formed inside an XML attribute):
<!--
  If the request contains a parameter called openid.mode and is not an
  association request, switch to openId. Otherwise, continue normal
  webflow.
-->
<decision-state id="selectFirstAction">
    <if test="externalContext.requestParameterMap['openid.mode'] neq ''
              &amp;&amp; externalContext.requestParameterMap['openid.mode'] neq null
              &amp;&amp; externalContext.requestParameterMap['openid.mode'] neq 'associate'"
        then="openIdSingleSignOnAction"
        else="ticketGrantingTicketExistsCheck" />
</decision-state>

<!--
  The OpenID authentication action. If authentication is successful, send
  the ticket granting ticket. Otherwise, redirect to the login form.
-->
<action-state id="openIdSingleSignOnAction">
    <evaluate expression="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
    <transition on="warn" to="warn" />
</action-state>
Enable OpenId in the AuthenticationManager
The authentication manager is the place where authentication takes place. We must provide it with two elements needed for a successful OpenID authentication. The first is a way to detect the user name from the OpenID identifier. When your CAS server works as an OP, users authenticate with an OpenID identifier that looks like this: http://localhost:8080/cas/openid/fesnault. In your user database, this user's login is probably just fesnault. We must provide the CAS server with a way to extract the user principal from the credentials the user presents. This is the first thing we'll do in this section: add an OpenIdCredentialsToPrincipalResolver to the authentication manager. The next thing to give CAS is a specialized authentication handler.
Open the deployerConfigContext.xml file and locate the authenticationManager bean definition. It has two properties containing beans. In the credentials-to-principal property, add this bean definition:
<!-- The openid credentials to principal resolver -->
<bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
Then, in the authentication handler property, add this bean definition:
<!-- The open id authentication handler -->
<bean class="org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler"
      p:ticketRegistry-ref="ticketRegistry" />
Adapt the Spring CAS servlet configuration
We now have to make CAS handle the OpenID requests it will be presented with. First, we'll add a handler for the /login URL when it is called to validate a ticket (CAS implements the dumb OpenID mode, which means it does not create an association at the beginning of the authentication process; it must therefore check the received authentication success notification, which is done by one extra HTTP request at the end of the process). Anywhere in the cas-servlet.xml file, add this bean definition:
<bean id="handlerMappingOpendId"
      class="org.jasig.cas.support.openid.web.support.OpenIdPostUrlHandlerMapping">
    <!-- Notice we set the order value to 2, which is the order of the flow handler mapping. We'll fix that just next.
         The OpenIDPostUrlHandlerMapping MUST be called before the login webflow
         action is called, otherwise we will never be able to validate the
         authentication success. -->
    <property name="order" value="2" />
    <property name="mappings">
        <props>
            <prop key="/login">delegatingController</prop>
        </props>
    </property>
</bean>
As we gave the order of 2 to the OpenIdPostUrlHandlerMapping, we must modify the FlowHandlerMapping order to give it the order of 3. Find the FlowHandlerMapping bean declaration and change p:order="2" to p:order="3" (only the opening tag is shown here; the rest of the bean declaration is unchanged):
<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
      p:flowRegistry-ref="flowRegistry"
      p:order="3">
In the handlerMappingOpenId, we referenced a bean called delegatingController. This bean is a special controller, using the Delegate pattern, which delegates the processing of a request to the first of its delegate controllers that says it can handle it. So now we'll provide two delegate controllers. The first one handles the Smart OpenID association, and the second processes the authentication and ticket validation. Add these two beans to the file.
The Smart OpenID controller:
<bean id="smartOpenIdAssociationController"
      class="org.jasig.cas.support.openid.web.mvc.SmartOpenIdController"
      p:serverManager-ref="serverManager"
      p:successView="casOpenIdAssociationSuccessView"
      p:failureView="casOpenIdAssociationFailureView" />
The OpenID validation controller:
<bean id="openIdValidateController"
      class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="openIdArgumentExtractor"
      p:successView="casOpenIdServiceSuccessView"
      p:failureView="casOpenIdServiceFailureView" />
We are done with the delegates. Now we must create the delegating controller itself and give it a list of delegates referencing the two delegates we just defined. So add this definition:
<bean id="delegatingController"
      class="org.jasig.cas.web.DelegatingController"
      p:delegates-ref="delegateControllers" />

<util:list id="delegateControllers">
    <ref bean="smartOpenIdAssociationController" />
    <ref bean="openIdValidateController" />
</util:list>
Also, add the indicated lines to the <beans> definition at the top of the file, if they're not already there (the util: prefix used by util:list must also be declared on the <beans> element, as xmlns:util="http://www.springframework.org/schema/util"):
...
xsi:schemaLocation="...
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.1.xsd
...">
Next, we'll give CAS a handler for the openIdSingleSignOnAction we referenced in the Spring Webflow definition file. So add this bean definition anywhere:
<!-- Be Careful
     The OpenIdSingleSignOnAction has an additional parameter not configured here.
     It's the "extractor" property, which accepts an "org.jasig.cas.support.openid.web.support.OpenIdUserNameExtractor".
     The default one merely accepts the value after the last "/".
     A more robust implementation should check the entire URL. Note that this means the default one SHOULD NOT be used in production.
-->
<bean id="openIdSingleSignOnAction"
      class="org.jasig.cas.support.openid.web.flow.OpenIdSingleSignOnAction"
      p:centralAuthenticationService-ref="centralAuthenticationService" />
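The warning above says the default extractor only takes whatever follows the last "/", so any URL ending in "/fesnault" would map to that login. Below is an added example of the stricter extractor it asks for; it is not CAS project code, and it assumes the interface exposes a single method named extractLocalUsernameFromUri(String) and that the OP identifier prefix (e.g. https://my.cas.server/cas/openid/) is injected from Spring.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;
import org.jasig.cas.support.openid.web.support.OpenIdUserNameExtractor;

/** Accepts only identifiers of the exact form <prefix><login>, e.g. https://my.cas.server/cas/openid/fesnault. */
public class StrictOpenIdUserNameExtractor implements OpenIdUserNameExtractor {

    // Characters a CAS login is expected to contain; tighten to your own naming rules (assumption)
    private static final Pattern LOGIN = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private final URI prefix; // e.g. https://my.cas.server/cas/openid/ (hypothetical, set in Spring)

    public StrictOpenIdUserNameExtractor(final String identifierPrefix) {
        this.prefix = URI.create(identifierPrefix.endsWith("/") ? identifierPrefix : identifierPrefix + "/").normalize();
    }

    // Method name assumed from the CAS 3.5 OpenIdUserNameExtractor interface; returns null when rejecting
    public String extractLocalUsernameFromUri(final String uri) {
        if (uri == null) {
            return null;
        }
        final URI id;
        try {
            id = new URI(uri).normalize(); // collapses "/./" and "/../" segments before comparing
        } catch (final URISyntaxException e) {
            return null;
        }
        // Scheme, host and port must match the OP exactly; no userinfo, query or fragment is allowed
        if (id.getScheme() == null || id.getHost() == null
                || !id.getScheme().equalsIgnoreCase(prefix.getScheme())
                || !id.getHost().equalsIgnoreCase(prefix.getHost())
                || effectivePort(id) != effectivePort(prefix)
                || id.getUserInfo() != null || id.getQuery() != null || id.getFragment() != null) {
            return null;
        }
        final String path = id.getPath();
        if (path == null || !path.startsWith(prefix.getPath())) {
            return null;
        }
        final String login = path.substring(prefix.getPath().length());
        // Rejects nested paths, empty logins and unexpected characters; "/" can never appear in the result
        return LOGIN.matcher(login).matches() ? login : null;
    }

    // Treat an omitted port as the scheme default so https://host/ and https://host:443/ compare equal
    private static int effectivePort(final URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }
}
```

Wire it into the bean above through the "extractor" property named in the comment (p:extractor-ref pointing at an instance of this class), and make the prefix match the server.prefix you set earlier.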
Add an argument extractor
Finally, we must tell CAS how to extract the OpenID parameters from the authentication request (openid.mode, openid.sig, openid.assoc_handle, ...). This is done in the argumentExtractorsConfiguration.xml file, located in the spring-configuration directory. Add this bean to the file:
<bean id="openIdArgumentExtractor"
      class="org.jasig.cas.support.openid.web.support.OpenIdArgumentExtractor" />
Then add a reference to this bean in the argument extractors list, just below in the file:
<util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <!-- The OpenId arguments extractor -->
    <ref bean="openIdArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
Next we must provide a ServerManager, a class from the openid4java library that handles the Diffie-Hellman key agreement used by the association process. In the spring-configuration/applicationContext.xml file, add this bean definition:
<bean id="serverManager"
      class="org.openid4java.server.ServerManager"
      p:oPEndpointUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
      p:enforceRpId="false" />
And finally, we need an application context provider, so add this bean to spring-configuration/applicationContext.xml:
<bean id="applicationContextProvider"
      class="org.jasig.cas.util.ApplicationContextProvider" />
You're done! CAS is now configured to work as an OpenID Provider.