下面的讲解基于CAS Server 3.3.5版本。
CAS Server 配置文件
login-webflow.xml:其中内容指定了当访问cas/login时的程序流程,初始“initialFlowSetup”
cas-servlet.xml:servlet与class对应关系
deployerConfigContext.xml:认证管理器相关
cas.properties:系统属性设置
applicationContext.xml:系统属性相关
argumentExtractorsConfiguration.xml:不是很了解它的用途
ticketExpirationPolicies.xml:ticket过期时间设置
ticketGrantingTicketCookieGenerator.xml:TGT cookie属性相关,是否支持http也在这儿修改
ticketRegistry.xml:保存ticket的类相关设置
uniqueIdGenerators.xml:ticket自动生成类设置
warnCookieGenerator.xml:同ticketGrantingTicketCookieGenerator.xml,生成的
cookie名为CASPRIVACY
/login
:
当访问/login时,会调用login-webflow.xml中的流程图:
/serviceValidate:
对应的处理类是org.jasig.cas.web.ServiceValidateController,主要负责对service ticket的验证,失败返回casServiceValidationFailure.jsp,成功返回casServiceValidationSuccess.jsp
对service ticket的验证是通过client端向server端发送http(或https)实现的
逻辑:
1.通过由client端传来的ticket到DefaultTicketRegistry中获取缓存的ServiceTicketImpl对象,并判断其是否已经过期(ST过期时间默认是5分钟,TGT默认是2个小时,可以在ticketExpirationPolicies.xml中进行修改)以及与当前service的id是否相一,以上都满足则表示验证通过。
2.通过ServiceTicketImpl对象获取到登录之后的Authentication对象,借助于它生成ImmutableAssertionImpl对象并返回
3.成功返回
CAS数据流程
Credentials-->Principal-->Authentication
定义自己的AuthenticationHandler
在中心认证进行认证的过程中会调用deployerConfigContext.xml中设置的AuthenticationHandler来进行认证工作。
<property name="authenticationHandlers">
<list>
<!--
This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
a server side SSL certificate.
-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!--
This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
local authentication strategy. You might accomplish this by coding a new such handler and declaring
edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
-->
<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
<bean class="com.goldarmor.live800.cas.Live800CasAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
</bean>
</list
</property>
如上,我们定义了3个AuthenticationHandler,这正是CAS的一个
,通过配置,我们可以实现针对不同的应用提供不同的认证方式,这样可以实现任意的中心认证。再来看看AuthenticationHandler的代码
/**
* Method to determine if the credentials supplied are valid.
*
* @param credentials The credentials to validate.
* @return true if valid, return false otherwise.
* @throws AuthenticationException An AuthenticationException can contain
* details about why a particular authentication request failed.
*/
boolean authenticate(Credentials credentials)
throws AuthenticationException;
/**
* Method to check if the handler knows how to handle the credentials
* provided. It may be a simple check of the Credentials class or something
* more complicated such as scanning the information contained in the
* Credentials object.
*
* @param credentials The credentials to check.
* @return true if the handler supports the Credentials, false othewrise.
*/
boolean supports(Credentials credentials);
我们要做的就是实现这俩个方法而已,特别提醒:可以在cas-servlet.xml中设置你所使用的Credentials,如下:(其中的p:formObjectClass值,如果不指定默认使用UsernamePasswordCredentials)
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:formObjectClass="com.goldarmor.live800.cas.Live800CasCredentials"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator" />
定义自己的credentialsToPrincipalResolvers
通过AuthenticationHandler的认证后,会调用在deployerConfigContext.xml中配置的credentialsToPrincipalResolvers来处理Credentials,生成Principal对象:
<property name="credentialsToPrincipalResolvers">
<list>
<!--
UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
by default and produces SimplePrincipal instances conveying the username from the credentials.
If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
Credentials you are using.
--> <bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<!--
HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
SimpleService identified by that callback URL.
If you are representing services by something more or other than an HTTPS URL whereat they are able to
receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
<bean class="com.goldarmor.live800.cas.Live800CasCredentialsToPrincipalResolver"/>
</list>
</property>
如上:我们也可以像定义AuthenticationHandler一样,可以定义多个credentialsToPrincipalResolvers来处理Credentials,返回你所需要的Principal对象,下面来看看credentialsToPrincipalResolvers的方法:
/**
* Turn Credentials into a Principal object by analyzing the information
* provided in the Credentials and constructing a Principal object based on
* that information or information derived from the Credentials object.
*
* @param credentials from which to resolve Principal
* @return resolved Principal, or null if the principal could not be resolved.
*/
Principal resolvePrincipal(Credentials credentials);
/**
* Determine if a credentials type is supported by this resolver. This is
* checked before calling resolve principal.
*
* @param credentials The credentials to check if we support.
* @return true if we support these credentials, false otherwise.
*/
boolean supports(Credentials credentials);
在CAS验证的时候,通过访问/serviceValidate可知:验证成功之后返回的casServiceValidationSuccess.jsp中的数据来源于Assertion,下面来看看它的代码:
List<Authentication> getChainedAuthentications();
/**
* True if the validated ticket was granted in the same transaction as that
* in which its grantor GrantingTicket was originally issued.
*
* @return true if validated ticket was granted simultaneous with its
* grantor's issuance
*/
boolean isFromNewLogin();
/**
* Method to obtain the service for which we are asserting this ticket is
* valid for.
*
* @return the service for which we are asserting this ticket is valid for.
*/
Service getService();
通过getChainedAuthentications()方法,我们可以得到Authentication对象列表,再看看Authentication的代码:
/**
* Method to obtain the Principal.
*
* @return a Principal implementation
*/
Principal getPrincipal();
/**
* Method to retrieve the timestamp of when this Authentication object was
* created.
*
* @return the date/time the authentication occurred.
*/
Date getAuthenticatedDate();
/**
* Attributes of the authentication (not the Principal).
* @return the map of attributes.
*/
Map<String, Object> getAttributes();
而这其中的Principal就来源于上面提到的由credentialsToPrincipalResolvers处理得到的Principal对象,最后看一下Principal的代码,我们只要再做一个实现他的代码,整个CAS Server就可以信手拈来了,呵呵
/**
* Returns the unique id for the Principal
* @return the unique id for the Principal.
*/
String getId();
/**
*
* @return
*/
Map<String, Object> getAttributes();
我们还可以自定义自己的casServiceValidationSuccess.jsp和casLoginView.jsp页面等,具体的操作办法也是最简单的办法就是备份以前的页面之后修改成自己需要的页面。
- 大小: 150.5 KB
分享到:
相关推荐
单点登录服务端项目cas-server单点登录服务端项目cas-server 单点登录服务端项目cas-server 单点登录服务端项目cas-server 单点登录服务端项目cas-server 单点登录服务端项目cas-server 单点登录服务端项目cas-...
CAS单点登录,SERVER端代码,内付instruction文件,可以直接将war包部署在服务器上,座位sso的认证server端,具体参看本人博文
cas server 5.2 版 war包。直接丢在tomcat的webapps下面,重启tomcat即可。
CAS单点登录操作文档 CAS 是 Yale 大学发起的一个开源项目,旨在为 Web 应用系统提供一种可靠的单点登录方法,CAS 在 2004 年 12 月正式成为 JA-SIG 的一个项目。CAS 具有以下特点: • 开源的企业级单点登录解决...
CAS-Server-Client单点登录demo,将cas-server和cas-client进行整合,并且提供tomcat自带的examples实例进行测试,可用。
cas 单点登录 server client
本课程主要通过CAS来实现SSO,本教程会从最基本的基础知识讲起,由浅入深再到实战,完成多应用的单点登录功能。 本课程内容如下: 1、 什么是SSO和CAS 2、 CAS Server服务端和客户端的搭建和配置 3、 单点登录和单...
本文在已有的禅道集成CAS单点登录的客户端插件基础上进行的修改,因原有插件在我们的系统上调试无法成功,做了一些定制,环境如下: 1. CAS server 版本:4.0.0 2. 禅道开源版本: 9.6.3 3. 禅道CAS client 插件版本...
CAS(Central Authentication Service)是一款不错的针对 Web 应用的单点登录框架,本文介绍了 CAS 的原理、协议、在 Tomcat 中的配置和使用,研究如何采用 CAS 实现轻量级单点登录解决方案。 CAS 是 Yale 大学发起的...
单点登录 sso cas带超详细文档,包含(cas-server-webapp-4.0.0.war、c3p0-0.9.1.2.jar、cas-client-core-3.3.3.jar、cas-server-support-jdbc-4.0.0.jar、cas-server-webapp-support-4.0.0.jar、commons-logging-...
资源列表(1:cas CAS Server,2:Cas_Client_One 授权系统,3:graduationDesign 用户组织管理系统,4:CAS单点登录论文.doc,5:CAS单点登录文献综述.doc,6:基于CAS的用户管理单点登录门户系统ppt.ppt)
单点登录第一种:cookie+filter实现,第二种:使用cas-server,这种方式使用范围更广更好用,防止cookie的更改,可以对cookie进行md5加密。使用cas-server导入本地,方便在本地调试
spring下使用shiro+cas配置单点登录,多个系统之间的访问,每次只需要登录一次 ## 系统模块说明 1. cas: 单点登录模块,这里直接拿的是cas的项目改了点样式而已 2. doc: 文档目录,里面有数据库生成语句,采用的...
CAS单点登录的详细讲解文档,所需jar包和tomcat6,CAS Server和CAS Client
CAS 是 Yale 大学发起的一个开源项目,旨在为 Web 应用系统提供一种可靠的单点登录方法,CAS 在 2004 年 12 月正式成为 JA-SIG 的一个项目。CAS 具有以下特点: • 开源的企业级单点登录解决方案。 • CAS Server ...
本人亲自试验的cas单点登录配置,服务端用cas-server-3.5.2,客户端用cas-client-3.2.1,里边详细描述了具体每一步的配置过程及遇到的问题及异常,相信你也会碰到的,cas-client-3.2.1中需要修改一个java类的源代码...
单点登录cas-server4.0+client,把压缩包内的cas4放在tomcat-7.0.81安装目录的webapps文件夹下面,运行tomcat会自动安装服务端。客户端用的是官网ExampleWebSite,由于没有配置casproxy,已经把web.config的...
四、部署CAS Server 5 步骤1.配置CAS Server应用服务器的Https 协议 5 ●生成服务器证书 5 ●配置Tomcat的https 8 步骤2.部署CAS Server 8 ●扩展认证接口 8 ●JDBC 认证方法 11 五、部署CAS Client 15 步骤1.与 CAS...
使用struts2+spring+cas实现的单点登录功能,里面包括cas-server3.5.2项目一个,cas-client3.2.1 web项目两个,数据库脚本,请按照里面的说明文档进行部署,希望你们也能配置成功。
cas单点登录版本为4.0,相关配置基本完成,只需要建立测试表既可以试运行