Preface
JAVA CAS single sign-on (I): building the CAS server
JAVA CAS single sign-on (II): a walkthrough of the normal CAS mode
Proxy mode is more complex than the normal mode of the previous post, although the configuration differs only slightly. What you already know how to do is never hard; what you have never met before is hard until you have solved it, and trivial afterwards. I hit exactly such a CAS error. Following other people's blogs step by step, normal mode deployed without any real trouble, but proxy mode kept failing and I could not see why. Searching the whole web turned up nothing, and I wondered how nobody else had run into it. In the end I fell back on the last resort, tracing through the source step by step, and found the cause.
Main content
Build a complete environment consisting of a CAS server, a CAS proxy client and a CAS back-end application client.
That is three web applications in total.
Specific parameters
Everything below runs on my physical machine (Windows 7), on three separate Tomcat instances.
| Application | Port(s) | Source |
| Cas Server | 8888, 443 | see JAVA CAS single sign-on (I) for the configuration |
| Cas Proxy Client | 8080 | mywebapp1 from JAVA CAS single sign-on (II), renamed to proxyClient |
| Cas Back-end Service Client | 8070 | mywebapp2 from JAVA CAS single sign-on (II), modified as described below |
Domain name mapping (C:\Windows\System32\drivers\etc\hosts)
127.0.0.1 hellocas1.com
127.0.0.1 hellocas2.com
Host name: zhaoguoyu-pc
Operation steps
1. Modify the CAS server to support proxying
This step is not mentioned in other articles at all; I don't know whether it is a version difference or something else. If it is not configured, accessing the back-end application fails with a service.not.authorized.proxy error.
1.1 Modify deployerConfigContext.xml so that registered services are allowed to proxy
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="0" />
                <property name="name" value="HTTP and IMAP" />
                <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                <property name="serviceId" value="^(https?|imaps?)://.*" />
                <property name="evaluationOrder" value="10000001" />
                <property name="allowedToProxy" value="true"/>
            </bean>
            <!--
            Use the following definition instead of the above to further restrict access
            to services within your domain (including subdomains). Note that example.com
            must be replaced with the domain you wish to permit.
            -->
            <!--
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="1" />
                <property name="name" value="HTTP and IMAP on example.com" />
                <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
                <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                <property name="evaluationOrder" value="0" />
            </bean>
            -->
        </list>
    </property>
</bean>
The change is this one property:
<property name="allowedToProxy" value="true"/>
I was stuck on this for nearly three evenings. It was hard going, and looks rather silly in hindsight. Without this episode I think I would have spent another evening or two on CAS at most; it is this episode that fired me up enough to write a whole series.
1.2 For convenience in the walkthrough, deployerConfigContext.xml is also modified so that the proxy callback does not have to be served over HTTPS. This is only acceptable on a local test box: the CAS server delivers the proxy-granting ticket to the callback URL, so in production the callback must stay on HTTPS with a certificate the CAS server trusts, and requireSecure should be left at its default of true.
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"
      p:requireSecure="false"/>
The change is this one property:
p:requireSecure="false"
With these two changes the CAS server permits proxying and accepts a plain-HTTP proxy callback.
2. Configure the proxy service
Starting from the application of the previous post, the original web.xml is changed so that the application can act as a proxy.
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>mywebapp</display-name>

    <!-- Sign out not yet implemented -->
    <!--
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://zhaoguoyu-pc/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://zhaoguoyu-pc:8080</param-value>
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>gateway</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://zhaoguoyu-pc/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://zhaoguoyu-pc:8080</param-value>
        </init-param>
        <!-- the context path here must match the deployed application (proxyClient) -->
        <init-param>
            <param-name>proxyCallbackUrl</param-name>
            <param-value>http://zhaoguoyu-pc:8080/proxyClient/proxyCallback</param-value>
        </init-param>
        <init-param>
            <param-name>proxyReceptorUrl</param-name>
            <param-value>/proxyCallback</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>

    <!-- ************************* -->
    <!-- Sign out not yet implemented -->
    <!--
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/proxyCallback</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/protected/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- *********************** -->
    <!-- Sign out not yet implemented -->
    <!--
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    -->
    <!-- *********************** -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
The changes are as follows.
1. Add two init-params to Cas20ProxyReceivingTicketValidationFilter. proxyCallbackUrl is the URL the CAS server calls back to deliver the proxy-granting ticket; proxyReceptorUrl is the path inside this application at which the validation filter receives that callback:
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>http://zhaoguoyu-pc:8080/proxyClient/proxyCallback</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/proxyCallback</param-value>
</init-param>
2. Add a filter mapping for the callback URL (note the order: it must come before the other filter mappings).
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
With this the application can be used both as a normal service and as a proxy.
3. Copy and rename another normal application as the back-end service
Modify its web.xml:
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://zhaoguoyu-pc/cas/</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://hellocas2.com:8070</param-value>
    </init-param>
    <init-param>
        <param-name>acceptAnyProxy</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
The acceptAnyProxy and redirectAfterValidation parameters are added so that the back end accepts proxied access. acceptAnyProxy=true makes the validator accept a proxy ticket no matter which proxy chain it came through, which is fine for a walkthrough; a production back end should instead list the callback URLs it trusts in the allowedProxyChains init-param, so that only the proxy client above can act on the user's behalf.
4. Add a test servlet to the proxy application
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

public class ProxyTestServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String serviceUrl = "http://hellocas2.com:8070/mywebapp2/protected/";
        // The assertion is put in thread-local storage by AssertionThreadLocalFilter;
        // it is null if the current user has not been authenticated by CAS yet.
        Assertion assertion = AssertionHolder.getAssertion();
        if (assertion == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Ask the CAS server for a proxy ticket for the back-end service, using the
        // proxy-granting ticket that was delivered to /proxyCallback.
        String proxyTicket = assertion.getPrincipal().getProxyTicketFor(serviceUrl);
        URL url = new URL(serviceUrl + "?ticket=" + proxyTicket);
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) url.openConnection();
            int responseCode = conn.getResponseCode();
            String responseMessage = conn.getResponseMessage();
            System.out.println("Response code: " + responseCode);
            System.out.println("Proxy ticket: " + proxyTicket);
            System.out.println("Request URL: " + url);
            System.out.println("Response message: " + responseMessage);
        } catch (Exception ex) {
            ex.printStackTrace();
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
5. Test verification
Prerequisite: start the CAS server, the CAS proxy client and the CAS back-end client.
5.1 Open http://zhaoguoyu-pc:8080/proxyClient.
5.2 Enter user name and password.
5.3 Access the servlet:
http://zhaoguoyu-pc:8080/proxyClient/proxyTestServlet
If the response code printed to the Tomcat console is 200 with message OK, the back end accepted the proxy ticket and the test passed.
For more on how proxy mode works, see:
http://my.oschina.net/ichatter/blog/129642
http://blog.csdn.net/emon123/article/details/6285549
http://www.blogjava.net/security/archive/2006/04/26/SSO_CASProxy.html
http://www.myexception.cn/software-architecture-design/644728.html
http://init-life.com/web/2014/11/12/cas-workflows/
http://www.mytju.com/classcode/news_readNews.asp?newsID=503
https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
During deployment I ran into this nasty exception:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='service.not.authorized.proxy'>
service.not.authorized.proxy
</cas:authenticationFailure>
</cas:serviceResponse>
This is because proxy authentication is turned off by default: set the proxy flag (allowedToProxy) on the service in your service registry and it works.
I had not expected that a parameter was missing. I searched many blogs without finding it, and finally read the source code and traced the call step by step.
Copyright belongs to the author: this is an original work by Randy Shandong, 51CTO blogger. If you reprint it, please indicate the source; otherwise you will be held liable.
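The following is an added example, not code from the original post or from the jasig Java client: it models the proxy exchange that the two applications above take part in, so that the failure response shown here, and the acceptAnyProxy decision of the back end, can be seen at the protocol level. It goes beyond the walkthrough in one respect: besides accepting any proxy it also shows the check against an explicit list of allowed proxy chains. The XML responses are constructed samples, every ticket value is made up, the user name casuser is an assumption, and the "other-host" callback URL is a hypothetical second proxy; the callback URL, CAS prefix and back-end service URL are the ones used on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_PREFIX = "https://zhaoguoyu-pc/cas/"
PROXY_CALLBACK = "http://zhaoguoyu-pc:8080/proxyClient/proxyCallback"
BACKEND_SERVICE = "http://hellocas2.com:8070/mywebapp2/protected/"


class CasValidationError(Exception):
    """A <cas:authenticationFailure> or <cas:proxyFailure> response."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_validation_response(xml_text):
    """Parse a /serviceValidate or /proxyValidate body into (user, pgt_iou, proxies).

    pgt_iou is present only when the client sent a pgtUrl; proxies is non-empty only
    for proxy tickets and lists the proxies most recent first."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code"), (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("INVALID_RESPONSE", "no success or failure element")
    user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    proxies = [(p.text or "").strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, (pgt_iou.strip() if pgt_iou else None), proxies


class ProxyReceptor:
    """What the /proxyCallback endpoint (proxyReceptorUrl) must do: keep the
    pgtIou -> pgtId pair that the CAS server delivers over the back channel."""

    def __init__(self):
        self._pgt_by_iou = {}

    def handle_callback(self, query):
        # The server may first probe the URL with no parameters: answer 200, store nothing.
        pgt_iou, pgt_id = query.get("pgtIou"), query.get("pgtId")
        if not pgt_iou or not pgt_id:
            return False
        self._pgt_by_iou[pgt_iou] = pgt_id
        return True

    def pgt_for(self, pgt_iou):
        # Correlates the pgtIou seen in the front-channel validation response with the stored PGT.
        return self._pgt_by_iou.get(pgt_iou)


def proxy_ticket_request_url(cas_prefix, pgt_id, target_service):
    """URL the proxy client calls to turn its PGT into a proxy ticket for target_service."""
    return cas_prefix.rstrip("/") + "/proxy?" + urlencode({"pgt": pgt_id, "targetService": target_service})


def parse_proxy_response(xml_text):
    root = ET.fromstring(xml_text)
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(failure.get("code"), (failure.text or "").strip())
    ticket = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
    if not ticket:
        raise CasValidationError("INVALID_RESPONSE", "no proxyTicket element")
    return ticket.strip()


def proxy_chain_allowed(proxies, accept_any_proxy=False, allowed_chains=()):
    """The back-end decision driven by acceptAnyProxy / allowedProxyChains: an unproxied
    ticket always passes; otherwise either any chain is accepted, or the chain must equal
    one of the allowed chains exactly (same callback URLs, same order)."""
    if not proxies or accept_any_proxy:
        return True
    return any(list(chain) == list(proxies) for chain in allowed_chains)


# Constructed sample responses (not captured from a real server); ticket values are made up.
SERVICE_VALIDATE_OK = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
                       "<cas:user>casuser</cas:user><cas:proxyGrantingTicket>PGTIOU-example-1"
                       "</cas:proxyGrantingTicket></cas:authenticationSuccess></cas:serviceResponse>")
PROXY_OK = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:proxySuccess>"
            "<cas:proxyTicket>PT-example-1</cas:proxyTicket></cas:proxySuccess></cas:serviceResponse>")
PROXY_VALIDATE_OK = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
                     "<cas:user>casuser</cas:user><cas:proxies><cas:proxy>" + PROXY_CALLBACK + "</cas:proxy>"
                     "</cas:proxies></cas:authenticationSuccess></cas:serviceResponse>")
NOT_AUTHORIZED = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure "
                  "code='service.not.authorized.proxy'>service.not.authorized.proxy</cas:authenticationFailure>"
                  "</cas:serviceResponse>")


def walkthrough():
    """Runs the whole exchange on the samples and returns what each side concluded."""
    # 1. Front channel: the proxy client validates the ST from the browser and learns its pgtIou.
    _, pgt_iou, _ = parse_validation_response(SERVICE_VALIDATE_OK)
    # 2. Back channel: the CAS server has called /proxyCallback with pgtIou and pgtId.
    receptor = ProxyReceptor()
    receptor.handle_callback({})  # reachability probe, nothing stored
    receptor.handle_callback({"pgtIou": "PGTIOU-example-1", "pgtId": "PGT-example-1"})
    # 3. The proxy client exchanges its PGT for a PT (what getProxyTicketFor does in the servlet).
    proxy_url = proxy_ticket_request_url(CAS_PREFIX, receptor.pgt_for(pgt_iou), BACKEND_SERVICE)
    proxy_ticket = parse_proxy_response(PROXY_OK)
    # 4. The back end validates the PT through /proxyValidate and judges the proxy chain.
    user, _, proxies = parse_validation_response(PROXY_VALIDATE_OK)
    return {
        "user": user, "proxy_ticket": proxy_ticket, "proxy_url": proxy_url, "proxies": proxies,
        "accept_any": proxy_chain_allowed(proxies, accept_any_proxy=True),
        "pinned": proxy_chain_allowed(proxies, allowed_chains=[[PROXY_CALLBACK]]),
        "other_proxy": proxy_chain_allowed(proxies, allowed_chains=[["http://other-host:8080/app/proxyCallback"]]),
    }


if __name__ == "__main__":
    print(walkthrough())
```

Feeding the failure response from this page to parse_validation_response raises CasValidationError with code service.not.authorized.proxy, which is what the back end sees when the CAS server's service registry lacks allowedToProxy. The chain check at the end is the reason acceptAnyProxy=true should not outlive the walkthrough: with it, a ticket proxied through the "other-host" callback is accepted just like one from proxyClient, whereas pinning the allowed chain rejects it.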