References:

CAS integration with LDAP: https://wiki.jasig.org/display/CASUM/LDAP

CAS integration with the RESTful API: https://wiki.jasig.org/display/CASUM/RESTful+API

Downloading the jar packages

In the references above we see that both the LDAP integration and the RESTful API integration require extra jar packages to be downloaded separately. With Maven they could be pulled in through the build configuration, but we have not set that up here, so they must be downloaded by hand. A Google search for cas-server-support-ldap turns up the download page for the jar; our cas.version is 3.5.2, so download the jar matching that version. The cas-server-support-ldap jar page also lists the other jars it depends on, and those must be downloaded as well.

Before downloading, check whether /usr/local/tomcat7/webapps/cas/WEB-INF/lib already contains the jar, and only download it if it does not. Once downloaded, place the jar in /usr/local/tomcat7/webapps/cas/WEB-INF/lib.

Integrating CAS with LDAP

CAS offers two handlers for LDAP, FastBindLdapAuthenticationHandler and BindLdapAuthenticationHandler. The former is for the case where the login name CAS authenticates is directly the uid in LDAP; that case is rather narrow, so I configured BindLdapAuthenticationHandler.

Configuring deployerConfigContext.xml

All changes for integrating CAS with LDAP go in the configuration file cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml.

First add the following bean to that file:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
  <property name="pooled" value="false"/>
  <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
  -->
  <property name="url" value="ldap://localhost" />
  <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
  -->
  <property name="userDn" value="cn=admin,dc=envisioncn,dc=com"/>
  <property name="password" value="12345678"/>
  <!-- Place JNDI environment properties here. -->
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Three seconds is an eternity to users. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <!-- Explained at http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html -->
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>

The configuration documentation has a section titled "SSL Considerations". It says that if the LDAP server has not been configured with SSL, ldaps cannot be used and only the plain ldap protocol is available, i.e. <property name="url" value="ldap://localhost" /> as above rather than <property name="url" value="ldaps://localhost" />. To check whether SSL is configured, see whether port 636 is open. netstat shows that LDAP is listening only on port 389, so configure it as above. To enable SSL for LDAP, see the "TLS" section of https://help.ubuntu.com/12.04/serverguide/openldap-server.html.

enadmin@cgnmon:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 127.0.0.1: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 127.0.0.1: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
udp 0.0.0.0: 0.0.0.0:*
udp 10.0.2.15: 0.0.0.0:*
udp 127.0.0.1: 0.0.0.0:*
udp 0.0.0.0: 0.0.0.0:*
udp6 ::: :::*
udp6 fe80::a00:27ff:fe22: :::*
udp6 ::: :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix [ ACC ] STREAM LISTENING @/com/ubuntu/upstart
unix [ ACC ] STREAM LISTENING /var/run/acpid.socket
unix [ ACC ] STREAM LISTENING /var/run/dbus/system_bus_socket
unix [ ACC ] STREAM LISTENING /var/run/slapd/ldapi
unix [ ACC ] STREAM LISTENING /var/run/apache2/cgisock.
unix [ ACC ] STREAM LISTENING /var/run/sendmail/mta/smcontrol
unix [ ACC ] SEQPACKET LISTENING /run/udev/control

After adding the bean above, we also need to modify the authenticationManager bean, replacing the original SimpleTestUsernamePasswordAuthenticationHandler with our BindLdapAuthenticationHandler. The configuration is as follows:

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
        <property name="attributeRepository" ref="attributeRepository" />
      </bean>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="uid=%u"
            p:searchBase="ou=People,dc=envisioncn,dc=com"
            p:contextSource-ref="contextSource" />
    </list>
  </property>
  <property name="authenticationMetaDataPopulators">
    <list>
      <bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator" />
    </list>
  </property>
</bean>
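What the BindLdapAuthenticationHandler configuration above asks the directory to do is a two-step flow: search under searchBase with the filter (here uid=%u, with %u replaced by the submitted login name) using the manager credentials from contextSource, and then bind as the single DN that was found using the user's own password. The Python below is an added example written for this post, not CAS code, which models that flow against a constructed in-memory directory and shows why the value substituted for %u has to be escaped per RFC 4515 before it goes into the filter. The DNs, uids and passwords are constructed sample data, and the toy evaluator only understands attr=value equality and wildcard filters.

```python
"""Added example: models the search-then-bind flow behind BindLdapAuthenticationHandler.
Not CAS code; the directory below is constructed sample data, not a real server."""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Expand a CAS-style filter template such as 'uid=%u' with an escaped login name."""
    return template.replace("%u", escape_filter_value(username))


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\2a -> '*') when comparing against an attribute."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def filter_matches(search_filter: str, attrs: dict) -> bool:
    """Toy evaluator for filters of the form 'attr=value'.
    An unescaped '*' is a substring wildcard, as in a real directory; an escaped '\\2a'
    is just the character '*', which is why escape_filter_value matters."""
    attr, _, value = search_filter.partition("=")
    actual = attrs.get(attr, "")
    if "*" in value:
        parts = [re.escape(_unescape(p)) for p in value.split("*")]
        return re.fullmatch(".*".join(parts), actual) is not None
    return actual == _unescape(value)


# Constructed sample directory: DN -> attributes (passwords are sample values).
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}


def bind_ldap_authenticate(username, password, *, search_base="ou=People,dc=example,dc=com",
                           filter_template="uid=%u", directory=SAMPLE_DIRECTORY):
    """Step 1: search (as the manager) for exactly one DN under search_base matching the filter.
    Step 2: 'bind' as that DN with the user's password. Returns the DN on success, else None."""
    search_filter = build_search_filter(filter_template, username)
    matches = [dn for dn, attrs in directory.items()
               if dn.endswith("," + search_base) and filter_matches(search_filter, attrs)]
    if len(matches) != 1:          # unknown user, or an ambiguous result: never bind
        return None
    dn = matches[0]
    if directory[dn]["userPassword"] != password:   # stands in for the LDAP bind operation
        return None
    return dn


if __name__ == "__main__":
    print(build_search_filter("uid=%u", "a*b"))        # uid=a\2ab
    print(bind_ldap_authenticate("alice", "s3cret"))   # alice's DN
    print(bind_ldap_authenticate("*", "s3cret"))       # None: the '*' was escaped
```

The `len(matches) != 1` guard mirrors what a bind handler should do when the search is ambiguous: refuse rather than bind as the first hit.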

With this configured, the integration of CAS with LDAP is basically complete. The following points could still be improved; I will configure them later when there is time.

  1. Configure a connection pool for LDAP
  2. Configure SSL verification for LDAP

Integrating CAS with the RESTful API

Downloading the required jar

As with LDAP, a jar must be downloaded; a Google search for cas-server-integration-restlet finds the download location.

Configuration

All configuration for the RESTful API goes in /usr/local/tomcat7/webapps/cas/WEB-INF/web.xml.

Edit web.xml and add the servlet and servlet-mapping entries shown below:

<servlet>
  <servlet-name>cas</servlet-name>
  <servlet-class>
    org.jasig.cas.web.init.SafeDispatcherServlet
  </servlet-class>
  <init-param>
    <param-name>publishContext</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
  <servlet-name>restlet</servlet-name>
  <servlet-class>com.noelios.restlet.ext.spring.RestletFrameworkServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>restlet</servlet-name>
  <url-pattern>/v1/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/login</url-pattern>
</servlet-mapping>

Testing:

In any directory on Ubuntu, create a file testcas.sh and make it executable with the following commands:

#sudo touch testcas.sh
#sudo chmod 777 testcas.sh

The file's contents are as follows.

#!/bin/sh
# This file is used to store the Ticket Granting Ticket
rm -f tgt.txt
# This file is used to store the Service Ticket
rm -f serviceTicket.txt
# This file is used to store the service call response
rm -f response.txt

export CAS_LOGIN_URL=https://localhost:8443/cas/v1/tickets
export GET_URL=https://localhost:8443/cas
export USERNAME=username
export PASSWORD=password

# Request a new Ticket Granting Ticket (TGT). This returns HTML which is put into tgt.txt.
wget --no-check-certificate -O tgt.txt --post-data="username=$USERNAME&password=$PASSWORD" $CAS_LOGIN_URL

# Extract the TGT from the HTML and put it back into tgt.txt
echo TGT`grep -oEi 'action=\".*\"' tgt.txt | grep -oEi '\-.*\-cas'` > tgt.txt

# Display the TGT
cat tgt.txt

# Request a new Service Ticket and store it in serviceTicket.txt
wget --no-check-certificate --post-data="service=$GET_URL" -O serviceTicket.txt $CAS_LOGIN_URL/`cat tgt.txt`

# Get the data from the service at GET_URL and store it in response.txt
wget --no-check-certificate -O response.txt $GET_URL?ticket=`cat serviceTicket.txt`

# Display the data from the service call
cat response.txt
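The exchange testcas.sh drives is: POST username and password to /v1/tickets and get a 201 whose Location header carries the TGT URL; POST service=<url> to /v1/tickets/<TGT> and get the ST as the response body; then call the service with ?ticket=<ST>. The Python client below is an added example written for this post, not CAS project code or the wiki's script. It performs the same exchange but verifies the server certificate against a CA file (for a self-signed CAS certificate, export it and pass the path; the path in the block is a placeholder) instead of wget's --no-check-certificate, reads the TGT from the Location header and falls back to the HTML form action only if that is absent, and stops with a clear error if any step returns something other than the expected status rather than continuing with an empty ticket. CAS_BASE and the service URL are the ones used in the script.

```python
"""Added example: the three-step CAS REST exchange from testcas.sh as a Python client.
Not CAS project code. The CA file path is a placeholder; CAS_BASE matches the post."""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

CAS_BASE = "https://localhost:8443/cas"
TICKETS_URL = CAS_BASE + "/v1/tickets"
SERVICE_URL = CAS_BASE                      # the "service" the ST is issued for, as in testcas.sh

# A TGT id runs until the next URL/HTML delimiter, e.g. TGT-1-4CeC...-cas
_TGT_RE = re.compile(r"TGT-\d+-[^\s\"'<>/?&]+")


def extract_tgt(location_header, body):
    """Return the TGT id from a 201 Created response.
    CAS puts the ticket URL in the Location header; the HTML form action is only a fallback."""
    for source in (location_header or "", body or ""):
        m = _TGT_RE.search(source)
        if m:
            return m.group(0)
    return None


def parse_service_ticket(status, body):
    """The ST request must answer 200 with the bare ticket id as the body; anything else is None."""
    if status != 200:
        return None
    ticket = body.strip()
    return ticket if ticket.startswith("ST-") else None


def build_ssl_context(cafile=None):
    """Verify the CAS certificate against cafile (for a self-signed cert, export it and pass it
    here); None means the system trust store. Verification is never switched off."""
    return ssl.create_default_context(cafile=cafile)


def post_form(url, fields, ctx):
    """POST form fields; return (status, Location header, body) even for error statuses."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode(errors="replace")


def get_tgt(username, password, ctx):
    """Step 1: expect 201 Created and a TGT id."""
    status, location, body = post_form(TICKETS_URL, {"username": username, "password": password}, ctx)
    if status != 201:
        raise RuntimeError(f"TGT request failed: HTTP {status}")
    tgt = extract_tgt(location, body)
    if tgt is None:
        raise RuntimeError("201 received but no TGT id in Location header or body")
    return tgt


def get_service_ticket(tgt, service, ctx):
    """Step 2: expect 200 OK and an ST in the body; never proceed with an empty ticket."""
    status, _, body = post_form(f"{TICKETS_URL}/{tgt}", {"service": service}, ctx)
    st = parse_service_ticket(status, body)
    if st is None:
        raise RuntimeError(f"ST request failed: HTTP {status}, body {body[:80]!r}")
    return st


def call_service(service, st, ctx):
    """Step 3: fetch the service with ?ticket=<ST> and return the response body."""
    url = service + "?" + urllib.parse.urlencode({"ticket": st})
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    import getpass
    import sys
    ctx = build_ssl_context(cafile="/path/to/cas-server-cert.pem")   # placeholder path
    tgt = get_tgt(sys.argv[1], getpass.getpass(), ctx)
    print("TGT:", tgt)
    st = get_service_ticket(tgt, SERVICE_URL, ctx)
    print("ST:", st)
    print(call_service(SERVICE_URL, st, ctx)[:200])
```

Run it as `python3 casrest.py username` and type the password at the prompt so it does not end up in shell history or in an exported environment variable as it does in testcas.sh.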

Run testcas.sh and see whether a TGT is generated normally.

The output is as follows:

enadmin@cgnmon:~/test$ ./testcas.sh
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 201 Created // this means the TGT was generated successfully
Length: 443 [text/html]
Saving to: `tgt.txt'
100%[=============================================================================================================================>] 443 --.-K/s in 0s
2013-12-11 22:51:38 (218 MB/s) - `tgt.txt' saved [443/443]
TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas // tgt
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets/TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 404 Not Found
2013-12-11 22:51:38 ERROR 404: Not Found.
--2013-12-11 22:51:38-- https://localhost:8443/cas?ticket=
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/?ticket= [following]
--2013-12-11 22:51:38-- https://localhost:8443/cas/?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/login?ticket= [following]
--2013-12-11 22:51:39-- https://localhost:8443/cas/login?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 200 OK
Length: 6161 (6.0K) [text/html]
Saving to: `response.txt'
100%[=============================================================================================================================>] 6,161 --.-K/s in 0s
2013-12-11 22:51:41 (320 MB/s) - `response.txt' saved [6161/6161]
