
Spring Security 3 CAS

CAS
1 CAS Yale Web
CAS 2004
12 JA-SIG CAS

2
3 CAS Server Web
4 CAS Client (
Web ) Java, .Net, PHP, Perl, Apache, uPortal, Ruby

CAS

CAS CAS Server CAS Client CAS Server CAS Client
CAS Server CAS

1 CAS Client Filter


Web CAS Client Http Service Ticket

CAS Server Service


3
CAS Server
Service Ticket
Service
Ticket Granted Cookie TGC CAS Client
Service Ticket 5 6 CAS Server Service Ticket
2 CAS SSL ST
TGC 2
CAS Client CAS Server Ticket

https
1 server key
cmd E:\
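REM Generate the CAS server's RSA key pair in server.keystore (-validity is in days).
REM -keypass/-storepass are passed on the command line, so the value lands in the
REM shell history; "changeit" is the well-known default and should be replaced
REM before this keystore is used outside a test machine.
keytool -genkey -alias casserver -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600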
-validity ( ) 90
, cas server
SSL TGC
CAS
RSA
Changeit

2 JDK

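REM Export only the public certificate of the casserver entry to server.cer;
REM the private key stays in server.keystore.
keytool -export -trustcacerts -alias casserver -file server.cer -keystore server.keystore -storepass changeit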

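REM Import server.cer into the JRE's default trust store (cacerts) so Java code on this
REM machine trusts the CAS server certificate. The path must be the JRE that will actually
REM run the CAS client; a JDK ships its own jre/lib/security/cacerts, which is separate.
REM "changeit" is the stock cacerts password.
keytool -import -trustcacerts -alias casserver -file server.cer -keystore D:\Java\jre1.6.0_02\lib\security\cacerts -storepass changeit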
JDK jdk/jre

cas-server
1 tomcat
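<!-- HTTPS connector for the CAS server on port 8443.
     keystoreFile/keystorePass must point at the keystore created with keytool. The file
     name here (../servercas1.keystore) does not match the server.keystore generated
     earlier on this page; make the two agree. keystorePass is stored in clear text in
     server.xml, so restrict read access to that file to the Tomcat service account. -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="../servercas1.keystore"
           keystorePass="changeit"/>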

keystoreFile
keystorePass

2 CAS Server

CAS server cas-server-webapp-< >.war tomcat webapps cas.war tomcat https tomcat
https://localhost:8443/cas CAS CAS Server

3 cas-server
1) cas/WEB-INF/deployerConfigContext.xml
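<!-- DataSource shared by the JDBC authentication handlers and the JDBC attribute
     repository. The four values are left empty on this page: fill in the driver class,
     JDBC URL, username and password. They sit in clear text in deployerConfigContext.xml,
     so limit who can read the deployed webapp, and use a database account that can only
     SELECT from the user table (that is all the handlers need). -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName"><value></value></property>
    <property name="url"><value></value></property>
    <property name="username"><value></value></property>
    <property name="password"><value></value></property>
</bean>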

2) AuthenticationHandler

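<!-- Test-only handler: SimpleTestUsernamePasswordAuthenticationHandler accepts any login
     whose password equals the username. Keep it disabled in every non-test deployment. -->
<!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> -->

<!-- Database-backed handler: fetches the stored password for the submitted username
     (the "?" is bound as a JDBC parameter, so the username cannot change the statement)
     and compares it with the submitted password. No passwordEncoder is set on this bean,
     so the comparison is against the stored value as-is, which only works when
     t_user.password holds clear-text passwords; the encoder variant further below
     is the better choice. -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from t_user where username=?" />
    <property name="dataSource" ref="dataSource" />
</bean>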
<!-- -->
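<!-- Alternative handler, disabled here: SearchModeSearchDatabaseAuthenticationHandler
     searches tableUsers for a row whose fieldUser/fieldPassword columns match the
     submitted credentials instead of running a custom SQL statement. -->
<!-- <bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler"
        abstract="false" lazy-init="default" autowire="default">
    <property name="dataSource" ref="dataSource" />
    <property name="tableUsers" value="t_user" />
    <property name="fieldUser" value="username"/>
    <property name="fieldPassword" value="password"/>
</bean> -->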

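<!-- Same JDBC handler, but the submitted password is run through mypasswordEncoder
     before comparison, so the users table stores a digest rather than the clear-text
     password. The statement stays parameterised ("?"); never build it by concatenating
     the username. -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from users where username=?" />
    <property name="dataSource" ref="dataSource" />
    <property name="passwordEncoder" ref="mypasswordEncoder"/>
</bean>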
mypasswordEncoder bean)

<!-- Digests the submitted password with the named algorithm before it is compared with
     the stored value. MD5 (and SHA1, the other option mentioned on this page) is a fast,
     unsalted digest and gives stored passwords little protection; prefer a slow, salted
     scheme when the CAS version in use offers one. -->
<bean id="mypasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg>
        <value>MD5</value>
    </constructor-arg>
</bean>

MD5 SHA1
PasswordEncoder

4 cas https
4.1 cas server \WEB-INF\deployerConfigContext.xml
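<!-- Authenticates the proxy callback URLs that CAS clients present (HttpBasedServiceCredentials).
     requireSecure="false" allows such callbacks over plain http; it is relaxed here only so
     that client applications without HTTPS work. The callback data then travels unencrypted,
     so set it back to "true" once the clients are served over HTTPS. -->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" p:requireSecure="false"/>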
p:requireSecure="false" HTTPS false
4.2 cas server
WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml
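<!-- Issues the TGC (ticket-granting cookie), the browser-side credential for the CAS SSO
     session. cookieSecure="false" lets the browser send it over plain http as well as
     https; as the text below notes, "true" is the right value once everything runs on
     HTTPS, because a TGC seen on an http connection is equivalent to the user's CAS session.
     cookieMaxAge="-1" makes it a session cookie, discarded when the browser closes. -->
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas" />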
</beans>

p:cookieSecure="true" TRUE HTTPS deployerConfigContext.xml
p:cookieMaxAge="-1" COOKIE -1
IE IE
0 3600 3600
IE
cas server \WEB-INF\spring-configuration\warnCookieGenerator.xml

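<!-- Issues the CASPRIVACY "warn" cookie, which records that the user asked to be warned
     before being signed on to a service. It keeps cookieSecure="true": the CAS login page
     is served over https, so this one does not need to be relaxed. -->
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="CASPRIVACY"
      p:cookiePath="/cas" />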

5
1 bean

<!-- Static attribute source: every user receives the same fixed key/value pairs.
     Suitable for a demonstration only; the JDBC-backed attributeRepository further
     down this page replaces it. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="uid"><value>uid</value></entry>
            <entry key="eduPersonAffiliation"><value>eduPersonAffiliation</value></entry>
            <entry key="groupMembership"><value>groupMembership</value></entry>
        </map>
    </property>
</bean>
attributeRepository

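<!-- JDBC attribute source, one row per user. "{0}" is replaced by the predicate built from
     queryAttributeMapping (username = ?), so the login name is bound as a parameter.
     The original statement also selected the password column even though
     resultAttributeMapping never maps it; it is dropped from the SELECT here so that a
     later mapping change cannot release it, because casServiceValidationSuccess.jsp sends
     every principal attribute to the client application.
     NOTE(review): resultAttributeMapping maps result column "name" to attribute "enabled",
     yet the SELECT has no "name" column and the client code on this page reads attribute
     "name"; the key and value look swapped (key = result column, value = released
     attribute). Confirm the intended direction. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
    <constructor-arg index="0" ref="dataSource"/>
    <constructor-arg index="1" value="select username, enabled from users where {0}"/>
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="username"/>
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <entry key="username" value="username"/>
            <entry key="name" value="enabled"/>
        </map>
    </property>
</bean>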

VIEW-INF/jsp/protocol/2.0/casServiceValidationSuccess.jsp
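<%-- Emits the resolved principal attributes inside the /serviceValidate success response.
     Every entry of principal.attributes (taken from the last authentication in the chain)
     is released, so whatever attributeRepository returns reaches the client application;
     keep sensitive columns out of that repository rather than relying on this view.
     fn:escapeXml protects the text, but attr.key is also used as an element name, and
     escaping does not turn an arbitrary key into a valid XML name: attribute names must be
     plain identifiers. No whitespace is emitted around the value, so a client that does
     not trim element text receives exactly the attribute value. --%>
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
    <cas:attributes>
        <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
            <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
    </cas:attributes>
</c:if>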
server xml casServiceValidationSuccess.jsp

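// Read the attributes the CAS server released for the authenticated user. The CAS client
// filter exposes the user as an AttributePrincipal; before authentication
// request.getUserPrincipal() is null, so that case yields name == null instead of a
// NullPointerException. The map is untyped (raw Map) as in the original snippet, hence
// the cast on the looked-up value.
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
String name = null;
if (principal != null) {
    Map attributes = principal.getAttributes();
    if (attributes != null) {
        // "name" must be one of the attribute names released by attributeRepository
        name = (String) attributes.get("name");
    }
}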

cas-client
1
cas server.cer JDK
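REM On the CAS client machine: import the server certificate (server.cer) into the trust
REM store of the JRE that runs the client, so the https ticket validation call is trusted.
REM A JDK has its own jre/lib/security/cacerts; import into the one the client JVM uses.
keytool -import -trustcacerts -alias casserver -file server.cer -keystore D:\Java\jre1.6.0_02\lib\security\cacerts -storepass changeit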
jre JDK jre
2 spring security cas jar

3 filter

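<!-- Spring Security filter chain of the CAS client. auto-config is off because the entry
     point and the CAS/logout filters are wired explicitly; singleLogoutFilter runs before
     CAS_FILTER, requestSingleLogoutFilter before LOGOUT_FILTER. -->
<http auto-config="false" entry-point-ref="casEntryPoint">
    <!-- intercept-url rules for the protected paths belong here (omitted on this page) -->
    <custom-filter position="CAS_FILTER" ref="casFilter"/>
    <custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter"/>
    <custom-filter before="CAS_FILTER" ref="singleLogoutFilter"/>
</http>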

casEntryPoint

<!-- Entry point used when an unauthenticated request hits a protected URL: the browser is
     redirected to the CAS login page, with the service URL from serviceProperties appended
     so that CAS can return the ticket to this application. -->
<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl">
        <beans:value>https://190.100.100.56:8443/cas/login</beans:value>
    </beans:property>
    <beans:property name="serviceProperties">
        <beans:ref bean="serviceProperties"/>
    </beans:property>
</beans:bean>
cas IP
http
*entry-point-ref="casEntryPoint"
AuthenticationEntryPoint ExceptionTranslationFilter

<custom-filter position="CAS_FILTER" ref="casFilter"/> Filter

CAS_FILTER

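<!-- Identifies this application to CAS. "service" is the URL CAS redirects back to with the
     service ticket; it must be exactly what the browser requests (host name and port
     included) or ticket validation fails. It is plain http here, so the ticket is
     returned over an unencrypted hop; serve the client over https when possible.
     sendRenew="false": an existing CAS SSO session is accepted without asking for
     credentials again. -->
<beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="http://IT-56.bodacredit.local:8002/boda/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
</beans:bean>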
serviceProperties .
IP ( )
sendRenew boolean true
casFilter
<!-- cas -->
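<!-- Handles the return from CAS (j_spring_cas_security_check): reads the ticket from the
     request, passes it to casAuthenticationManager for validation against the CAS server,
     and on success delegates to authenticationSuccessHandler. No failure handler is set on
     this bean, so a validation failure uses the filter's default behaviour. -->
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="casAuthenticationManager"/>
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
</beans:bean>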
cas server Ticket client ticket server

Handler Handler

<!-- cas -->


<!-- After a successful CAS login the user is always sent to /welcome/choose, even when the
     request that triggered the login targeted a different page
     (alwaysUseDefaultTargetUrl="true"). -->
<beans:bean id="authenticationSuccessHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="alwaysUseDefaultTargetUrl">
        <beans:value>true</beans:value>
    </beans:property>
    <beans:property name="defaultTargetUrl">
        <beans:value>/welcome/choose</beans:value>
    </beans:property>
</beans:bean>

<!-- cas -->


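<!-- Where the user is sent when ticket validation fails. "**.jsp" is the page's placeholder;
     replace it with the application's failure page. This bean is defined but not referenced
     by casFilter above, so it only takes effect once it is wired to the filter's
     authenticationFailureHandler property. -->
<beans:bean id="authenticationFailureHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="**.jsp" />
</beans:bean>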

<!-- cas -->


<!-- Authentication manager the CAS filter delegates to; its single provider validates
     CAS service tickets. -->
<authentication-manager alias="casAuthenticationManager">
<authentication-provider ref="casAuthenticationProvider"/>
</authentication-manager>

<!-- cas -->


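<!-- Validates the service ticket received by casFilter against the CAS server and loads the
     local user through userService. Cas20ServiceTicketValidator gets the CAS server base
     URL; the validation call is made over https, so the client JVM must trust the server
     certificate (the keytool import above) and the host name used here must be one the
     certificate is issued for. "key" tags the tokens this provider issues; the value is the
     Spring Security reference example, so give each deployment its own. -->
<beans:bean id="casAuthenticationProvider"
            class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userService"/>
    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
        <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <!-- CAS server base URL (host name or IP), the same one the login page uses -->
            <beans:constructor-arg index="0" value="https://IT-56.bodacredit.local:8443/cas" />
        </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
</beans:bean>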

Cas
Filter requestSingleLogoutFilter singleLogoutFilter

<!-- -->
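<!-- Single sign-out receiver: when the CAS server announces a logout for a ticket, this
     filter invalidates the matching local session. It is placed before CAS_FILTER in the
     <http> block. -->
<beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

<!-- Local logout: a request to /boda_security_logout clears the SecurityContext and then
     redirects to the CAS server logout; the "service" parameter names the page shown
     afterwards, which as noted below requires followServiceRedirects="true" on the CAS
     logoutController in cas-servlet.xml. The URL is a single attribute value and must stay
     on one line. -->
<beans:bean id="requestSingleLogoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg value="https://190.100.100.56:8443/cas/logout?service=http://190.100.100.56:8002/boda/signin.jsp" />
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/boda_security_logout" />
</beans:bean>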

filterProcessesUrl filter
,
cas-servlet.xml logoutController
bean followServiceRedirects true
service ,
URL
https://190.100.100.56:8443/cas/logout?service=http://190.100.100
.56:8002/boda/signin.jsp

Client Client Server ticket
Client Server

url login url Ip


, , cookie
