Single Sign-On (13) ----- Hands-on ----- Complete procedure for enabling MongoDB authentication for CAS 4.2.X login
In earlier articles we already covered deploying and running the CAS server correctly and configuring the CAS client.
On top of that we removed the HTTPS check and enabled plain HTTP access:
Single Sign-On (7) ----- Hands-on ----- Removing the HTTPS check from the CAS server
But the CAS server we deployed so far authenticates users with a simple text-based configuration.
The relevant entry in deployerConfigContext.xml is

```xml
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
```

and the accounts and passwords are configured as

```properties
##
# Accepted Users Authentication
#
accept.authn.users=casuser::Mellon
```

So the username is casuser and the password is Mellon.
To add another account you simply add a line below accept.authn.users=casuser::Mellon, for example

```properties
accept.authn.users=casuser::Mellon
accept.authn.users=crm::1234567
```
But keeping accounts and passwords in a configuration file does not meet our needs for adding users, nor our security requirements.
Accounts and passwords should normally be stored in a database or on a server.
CAS supports many authentication back-ends for this;
for example, there is plenty of material online about the LDAP and JDBC methods.
We have been using MongoDB all along, but there is little documentation online about MongoDB authentication and the official site has no detailed steps,
so this chapter records the complete procedure for enabling MongoDB authentication for CAS 4.2.X login.
First make sure the CAS framework runs normally and that login succeeds with the simple account/password scheme of acceptUsersAuthenticationHandler.
We make our changes on top of that.
Importing the jar packages
First we need to import the required packages.
It is recommended to import them with Maven or Gradle rather than adding the sub-project by hand,
because a manually added sub-project does not pull in the jars it depends on, which causes all sorts of problems at runtime,
whereas Maven or Gradle download the transitive dependencies automatically.
CAS 4.2.X and later happen to be built with Gradle, so we only need to add the required sub-project to build.gradle.
The sub-project needed for MongoDB authentication is cas-server-support-mongo.
Reference:
https://apereo.github.io/cas/5.0.x/installation/MongoDb-Authentication.html#mongodb-authentication
Add compile project(':cas-server-support-mongo') to the dependencies block of build.gradle.
Then right-click the project and choose Gradle ----> Refresh Gradle Project.
The project will download the required jars automatically.
You can tell whether the dependent jars were pulled in by checking whether the project's library contains the pac4j-mongo package.
Publishing the sub-projects as jars
As mentioned in an earlier article, if CAS sub-projects are published as compiled class files, extra XML files end up included and cause reference errors.
So we need to set most or all of the sub-projects to be published as jars,
so that when the parent project is deployed the sub-projects are placed into the lib folder as jars instead of their compiled classes going into the classes folder.
Right-click -> Properties -> MyEclipse -> Deployment Assembly
At the bottom, open Merged deployment of modules
and clear the default Enable merged deployment of Utility and EJB modules checkbox.
Select Enable project specific settings
and leave Enable merged deployment of Utility and EJB modules unchecked.
The hint below it is quite clear: if checked, the projects you reference are merged into the WEB-INF/classes directory.
To verify that the setting took effect:
when deploying, the parent project shows Exploded while the referenced sub-projects show packaged; look in the project's lib directory and you will see the built jars.
That means the setting is in effect.
Once the checkbox is cleared, the configuration entries below it become disabled.
If you do not want every sub-project handled as a jar but only some of them, leave the checkbox checked and configure them individually under merged deployment: on merges the project into WEB-INF/classes (you will see the compiled class files), off packages it as a jar into lib.
The XML configuration files of sub-projects packaged as jars do not affect the parent project.
Preparing the account data

```js
{
    "username": "casuser",
    "password": "34598dfkjdjk3487jfdkh874395",
    "first_name": "john",
    "last_name": "smith"
}
```

```js
{
    "_id": ObjectId('5743bf4e0cf2b3488bad9c98'),
    "_class": "com.test.domain.entity.DataManager",
    "username": "crm",
    "password": "1234567",
    "permissionList": [
        "parseResultAdd",
        "parseResultAddMulti",
        "resultlist"
    ],
    "roleList": [
        "normal"
    ],
    "createtime": "May 24, 2016 10:41:18 AM",
    "ower": "crm"
}
```
Modifying the configuration files
deployerConfigContext.xml
In deployerConfigContext.xml, comment out

```xml
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
```

and replace it with

```xml
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
```

As shown in the figure:
cas.properties

```properties
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
```
For comparison, the settings listed in the CAS 5.0.x documentation linked above (the key names differ from the 4.2.X ones used here):

```properties
# cas.authn.mongo.mongoHostUri=mongodb://uri
# cas.authn.mongo.usernameAttribute=username
# cas.authn.mongo.attributes=
# cas.authn.mongo.passwordAttribute=password
# cas.authn.mongo.collectionName=users
# cas.authn.mongo.principalTransformation.suffix=
# cas.authn.mongo.principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.mongo.principalTransformation.prefix=
# cas.authn.mongo.passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT
# cas.authn.mongo.passwordEncoder.characterEncoding=
# cas.authn.mongo.passwordEncoder.encodingAlgorithm=
# cas.authn.mongo.passwordEncoder.secret=
# cas.authn.mongo.passwordEncoder.strength=16
```
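The wiring above only works when the property values and the stored user documents agree: the username and password attribute names must be fields of the document, and the collection name must be the one that actually holds the users (the CAS reference defaults to users, while ours are in dataManager). The following Python lint is an added example, not code from the original post or from CAS: it reads the post's cas.properties lines and the second user document above and reports the mismatches a failed login usually comes down to; the collection name of the sample document and the rule that an unset cas.authn.password.encoding.alg means plaintext comparison are assumptions of this example.

```python
from urllib.parse import urlparse

# Constructed from the post: the uncommented MongoDB lines of cas.properties plus the
# commented-out password encoding setting from the "General Authentication" section.
CAS_PROPERTIES = """
##
# CAS MongoDB Authentication
#
cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
# cas.authn.password.encoding.alg=SHA-256
"""

# Constructed: the post's second user document; the collection it lives in is assumed.
USER_COLLECTION = "dataManager"
USER_DOC = {
    "_class": "com.test.domain.entity.DataManager",
    "username": "crm",
    "password": "1234567",
    "permissionList": ["parseResultAdd", "parseResultAddMulti", "resultlist"],
    "roleList": ["normal"],
    "createtime": "May 24, 2016 10:41:18 AM",
    "ower": "crm",
}

REQUIRED_KEYS = (
    "cas.authn.mongo.db.host",
    "cas.authn.mongo.username.attribute",
    "cas.authn.mongo.password.attribute",
)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' lines are comments,
    'key=value' or 'key: value' pairs, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i > 0]
        if not seps:
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_mongo_authn(props, collection, doc):
    """Return (severity, message) findings for the MongoDB authentication wiring."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(("error", f"{key} is not set"))

    host = props.get("cas.authn.mongo.db.host")
    if host:
        uri = urlparse(host)
        if uri.scheme != "mongodb":
            findings.append(("error", "cas.authn.mongo.db.host is not a mongodb:// URI"))
        elif uri.username is None:
            # The CAS reference example embeds user:password@ in the URI; ours does not.
            findings.append(("warn", "MongoDB URI carries no credentials; "
                                     "make sure the server itself requires authentication"))

    # The CAS reference lists users as the collection name; a document stored in another
    # collection is never found, so every login fails.
    configured = props.get("cas.authn.mongo.collection.name", "users")
    if configured != collection:
        findings.append(("error", f"collection.name is '{configured}' but the users are in '{collection}'"))

    for role in ("username", "password"):
        attr = props.get(f"cas.authn.mongo.{role}.attribute")
        if attr and attr not in doc:
            findings.append(("error", f"{role} attribute '{attr}' is not a field of the user document"))

    # Assumption of this example: with no encoding algorithm configured the submitted
    # password is compared to the stored value as-is, so the stored value is plaintext.
    if "cas.authn.password.encoding.alg" not in props:
        findings.append(("warn", "no password encoding algorithm configured; "
                                 "stored passwords are expected in the clear"))
    return findings


def lint(properties_text=CAS_PROPERTIES, collection=USER_COLLECTION, doc=USER_DOC):
    """Parse the properties text and check it against the given collection and document."""
    return check_mongo_authn(parse_properties(properties_text), collection, doc)


if __name__ == "__main__":
    for severity, message in lint():
        print(f"[{severity}] {message}")
```

Run as-is it reports two warnings for the post's configuration (no credentials in the URI, no password encoding); drop cas.authn.mongo.collection.name and it reports the users/dataManager mismatch as an error.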
Reference documentation
During configuration we found that many steps in the official documentation are missing, with no detailed procedure.
However, the cas-server source contains a sub-project called cas-server-documentation
which has relatively detailed configuration steps.
Besides the MongoDB authentication configuration, the other configurations can also be consulted there.
As shown in the figure:
---
layout: default
title: CAS - MongoDb Authentication
---

# MongoDb Authentication

Verify and authenticate credentials against a [MongoDb](https://www.mongodb.org/) instance.

```xml
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
```

Support is enabled by including the following dependency in the Maven WAR overlay:

```xml
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-mongo</artifactId>
    <version>${cas.version}</version>
</dependency>
```

The following settings are applicable:

```properties
cas.authn.mongo.collection.name=users
cas.authn.mongo.db.host=mongodb://user:password@ds061954.somewhere.com:61954/database
cas.authn.mongo.attributes=attribute1,attribute2
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
```
Appendix
Complete deployerConfigContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    </util:map>

    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <!-- <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" /> -->
    <alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />

    <util:map id="attrRepoBackingMap">
        <entry key="username" value="uid" />
    </util:map>

    <alias name="serviceThemeResolver" alias="themeResolver" />
    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
    <!-- <alias name="mongoServiceRegistryDao" alias="serviceRegistryDao" /> -->
    <alias name="defaultTicketRegistry" alias="ticketRegistry" />
    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager" class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>
```
PS: I also changed the attrRepoBackingMap property to

```xml
<util:map id="attrRepoBackingMap">
    <entry key="username" value="uid" />
</util:map>
```

It was originally

```xml
<util:map id="attrRepoBackingMap">
    <entry key="uid" value="uid" />
    <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
    <entry key="groupMembership" value="groupMembership" />
    <entry>
        <key><value>memberOf</value></key>
        <list>
            <value>faculty</value>
            <value>staff</value>
            <value>org</value>
        </list>
    </entry>
</util:map>
```

This mainly concerns retrieving the other attributes and parameters of the principal after login; I am not sure whether it affects login. If you cannot log in after following the steps above, try changing this setting.
Complete cas.properties

```properties
server.name=http://localhost:8080
server.prefix=${server.name}/cas

# security configuration based on IP address to access the /status and /statistics pages
# cas.securityContext.adminpages.ip=127\.0\.0\.1

##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
# host.name=

##
# JPA Ticket Registry Database Configuration
#
# ticketreg.database.ddl.auto=create-drop
# ticketreg.database.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# ticketreg.database.batchSize=10
# ticketreg.database.driverClass=org.hsqldb.jdbcDriver
# ticketreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# ticketreg.database.user=sa
# ticketreg.database.password=
# ticketreg.database.pool.minSize=6
# ticketreg.database.pool.maxSize=18
# ticketreg.database.pool.maxWait=10000
# ticketreg.database.pool.maxIdleTime=120
# ticketreg.database.pool.acquireIncrement=6
# ticketreg.database.pool.idleConnectionTestPeriod=30
# ticketreg.database.pool.connectionHealthQuery=select 1
# ticketreg.database.pool.acquireRetryAttempts=5
# ticketreg.database.pool.acquireRetryDelay=2000
# ticketreg.database.pool.connectionHealthQuery=select 1

##
# JPA Service Registry Database Configuration
#
# svcreg.database.ddl.auto=create-drop
# svcreg.database.hibernate.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# svcreg.database.hibernate.batchSize=10
# svcreg.database.driverClass=org.hsqldb.jdbcDriver
# svcreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# svcreg.database.user=sa
# svcreg.database.password=
# svcreg.database.pool.minSize=6
# svcreg.database.pool.maxSize=18
# svcreg.database.pool.maxWait=10000
# svcreg.database.pool.maxIdleTime=120
# svcreg.database.pool.acquireIncrement=6
# svcreg.database.pool.idleConnectionTestPeriod=30
# svcreg.database.pool.connectionHealthQuery=select 1
# svcreg.database.pool.acquireRetryAttempts=5
# svcreg.database.pool.acquireRetryDelay=2000
# svcreg.database.pool.connectionHealthQuery=select 1

##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator
#
# Do note that the following settings MUST be generated per deployment.
#
# The encryption secret key. By default, must be a octet string of size 256.
# tgc.encryption.key=

# The signing secret key. By default, must be a octet string of size 512.
# tgc.signing.key=

# Decides whether SSO cookie should be created only under secure connections.
tgc.secure=false

# The expiration value of the SSO cookie
# tgc.maxAge=-1

# The name of the SSO cookie
# tgc.name=TGC

# The path to which the SSO cookie will be scoped
# tgc.path=/cas

# The expiration value of the SSO cookie for long-term authentications
# tgc.remember.me.maxAge=1209600

# Decides whether SSO Warning cookie should be created only under secure connections.
warn.cookie.secure=false

# The expiration value of the SSO Warning cookie
# warn.cookie.maxAge=-1

# The name of the SSO Warning cookie
# warn.cookie.name=CASPRIVACY

# The path to which the SSO Warning cookie will be scoped
# warn.cookie.path=/cas

# Whether we should track the most recent session by keeping the latest service ticket
# tgt.onlyTrackMostRecentSession = true

##
# CAS UI Theme Resolution
#
# cas.themeResolver.defaultThemeName=cas-theme-default
# cas.themeResolver.pathprefix=/WEB-INF/view/jsp/
# cas.themeResolver.param.name=theme

# Location of the Spring xml config file where views may be collected
# cas.viewResolver.xmlFile=/META-INF/spring/views.xml

##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false

##
# CAS Cached Attributes Timeouts
# Controls the cached attribute expiration policy
#
# Notes the duration in which attributes will be kept alive
# cas.attrs.timeToExpireInHours=2

##
# Single Sign-On Session
#
# Indicates whether an SSO session should be created for renewed authentication requests.
# create.sso.renewed.authn=true
#
# Indicates whether an SSO session can be created if no service is present.
# create.sso.missing.service=true

##
# CAS Authentication Policy
#
# cas.authn.policy.any.tryall=false
# cas.authn.policy.req.tryall=false
# cas.authn.policy.req.handlername=handlerName

##
# CAS PersonDirectory Principal Resolution
#
# cas.principal.resolver.persondir.principal.attribute=cn
# cas.principal.resolver.persondir.return.null=false

##
# CAS Internationalization
#
# locale.default=en
# locale.param.name=locale
# message.bundle.encoding=UTF-8
# message.bundle.cacheseconds=180
# message.bundle.fallback.systemlocale=false
# message.bundle.usecode.message=true
# message.bundle.basenames=classpath:custom_messages,classpath:messages

##
# CAS Authentication Throttling
#
#cas.throttle.failure.threshold=
#cas.throttle.failure.range.seconds=
#cas.throttle.username.parameter=
#cas.throttle.appcode=
#cas.throttle.authn.failurecode=
#cas.throttle.audit.query=

##
# CAS Health Monitoring
#
# cas.monitor.st.warn.threshold=5000
# cas.monitor.tgt.warn.threshold=10000
# cas.monitor.free.mem.threshold=10

##
# CAS MongoDB Service Registry
#
#mongodb.host=192.168.30.249
#mongodb.port=27017
#mongodb.userId=
#mongodb.userPassword=
#cas.service.registry.mongo.db=testCrm
#mongodb.timeout=5000

cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password

##
# Spring Webflow Web Application Session
# Define the settings that are required to encrypt and persist the CAS web application session.
# See the cas-servlet.xml file to understand how these properties are used.
#
# The encryption secret key. By default, must be a octet string of size 256.
# webflow.encryption.key=

# The signing secret key. By default, must be a octet string of size 512.
# webflow.signing.key=

##
# Remote User Authentication
#
# ip.address.range=

##
# Apache Shiro Authentication
#
# shiro.authn.requiredRoles=
# shiro.authn.requiredPermissions=
# shiro.authn.config.file=classpath:shiro.ini

##
# YubiKey Authentication
#
# yubikey.client.id=
# yubikey.secret.key=

##
# JDBC Authentication
#
# cas.jdbc.authn.query.encode.sql=
# cas.jdbc.authn.query.encode.alg=
# cas.jdbc.authn.query.encode.salt.static=
# cas.jdbc.authn.query.encode.password=
# cas.jdbc.authn.query.encode.salt=
# cas.jdbc.authn.query.encode.iterations.field=
# cas.jdbc.authn.query.encode.iterations=
# cas.jdbc.authn.query.sql=
# cas.jdbc.authn.search.password=
# cas.jdbc.authn.search.user=
# cas.jdbc.authn.search.table=

##
# Duo security 2fa authentication provider
# https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
#
# cas.duo.api.host=
# cas.duo.integration.key=
# cas.duo.secret.key=
# cas.duo.application.key=

##
# File Authentication
#
# file.authn.filename=classpath:people.txt
# file.authn.separator=::

##
# General Authentication
#
# cas.principal.transform.upperCase=false
# cas.authn.password.encoding.char=UTF-8
# cas.authn.password.encoding.alg=SHA-256
# cas.principal.transform.prefix=
# cas.principal.transform.suffix=

##
# X509 Authentication
#
# cas.x509.authn.crl.checkAll=false
# cas.x509.authn.crl.throw.failure=true
# cas.x509.authn.crl.refresh.interval=
# cas.x509.authn.revocation.policy.threshold=
# cas.x509.authn.trusted.issuer.dnpattern=
# cas.x509.authn.max.path.length=
# cas.x509.authn.max.path.length.unspecified=
# cas.x509.authn.check.key.usage=
# cas.x509.authn.require.key.usage=
# cas.x509.authn.subject.dnpattern=
# cas.x509.authn.principal.descriptor=
# cas.x509.authn.principal.serial.no.prefix=
# cas.x509.authn.principal.value.delim=

##
# Accepted Users Authentication
#
#accept.authn.users=casuser::Mellon

##
# Rejected Users Authentication
#
# reject.authn.users=

##
# JAAS Authentication
#
# cas.authn.jaas.realm=CAS
# cas.authn.jaas.kerb.realm=
# cas.authn.jaas.kerb.kdc=

##
# Single Sign-On Session TGT Timeouts
#
# Inactivity Timeout Policy
# tgt.timeout.maxTimeToLiveInSeconds=28800

# Hard Timeout Policy
# tgt.timeout.hard.maxTimeToLiveInSeconds
#
# Throttled Timeout Policy
# tgt.throttled.maxTimeToLiveInSeconds=28800
# tgt.throttled.timeInBetweenUsesInSeconds=5

# Default Expiration Policy
# tgt.maxTimeToLiveInSeconds=28800
# tgt.timeToKillInSeconds=7200

##
# Service Ticket Timeout
#
# st.timeToKillInSeconds=10
# st.numberOfUses=1

##
# Http Client Settings
#
# The http client read timeout in milliseconds
# http.client.read.timeout=5000

# The http client connection timeout in milliseconds
# http.client.connection.timeout=5000
#
# The http client truststore file, in addition to the default's
# http.client.truststore.file=classpath:truststore.jks
#
# The http client truststore's password
# http.client.truststore.psw=changeit

##
# Single Logout Out Callbacks
#
# To turn off all back channel SLO requests set this to true
# slo.callbacks.disabled=false
#
# To send callbacks to endpoints synchronously, set this to false
# slo.callbacks.asynchronous=true

##
# CAS Protocol Security Filter
#
# Are multi-valued parameters accepted?
# cas.http.allow.multivalue.params=false

# Define the list of request parameters to examine for sanity
# cas.http.check.params=ticket,service,renew,gateway,warn,target,SAMLart,pgtUrl,pgt,pgtId,pgtIou,targetService

# Define the list of request parameters only allowed via POST
# cas.http.allow.post.params=username,password

##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
# service.registry.config.location=classpath:services

##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
#
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000

##
# Background Scheduler
#
# Wait for scheduler to finish running before shutting down CAS.
# scheduler.shutdown.wait=true
#
# Attempt to interrupt background jobs when shutting down CAS
# scheduler.shutdown.interruptJobs=true

##
# Audits
#
# Use single line format for audit blocks
# cas.audit.singleline=true

# Separator to use between each fields in a single audit event
# cas.audit.singleline.separator=|

# Application code for audits
# cas.audit.appcode=CAS
#
## JDBC Audits
#
#cas.audit.max.agedays=
#cas.audit.database.dialect=
#cas.audit.database.batchSize=
#cas.audit.database.ddl.auto=
#cas.audit.database.gen.ddl=
#cas.audit.database.show.sql=
#cas.audit.database.driverClass=
#cas.audit.database.url=
#cas.audit.database.user=
#cas.audit.database.password=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.maxSize=
#cas.audit.database.pool.maxIdleTime=
#cas.audit.database.pool.maxWait=
#cas.audit.database.pool.acquireIncrement=
#cas.audit.database.pool.acquireRetryAttempts=
#cas.audit.database.pool.acquireRetryDelay=
#cas.audit.database.pool.idleConnectionTestPeriod=
#cas.audit.database.pool.connectionHealthQuery=

##
# Metrics
# Default sourced from WEB-INF/spring-configuration/metricsConfiguration.xml:
#
# Define how often should metric data be reported. Default is 30 seconds.
# metrics.refresh.interval=30s

##
# Encoding
#
# Set the encoding to use for requests. Default is UTF-8
# httprequest.web.encoding=UTF-8

# Default is true. Switch this to "false" to not enforce the specified encoding in any case,
# applying it as default response encoding as well.
# httprequest.web.encoding.force=true

##
# Response Headers
#
# httpresponse.header.cache=false
# httpresponse.header.hsts=false
# httpresponse.header.xframe=false
# httpresponse.header.xcontent=false
# httpresponse.header.xss=false

##
# SAML
#
# Indicates the SAML response issuer
# cas.saml.response.issuer=localhost
#
# Indicates the skew allowance which controls the issue instant of the SAML response
# cas.saml.response.skewAllowance=0
#
# Indicates whether SAML ticket id generation should be saml2-compliant.
# cas.saml.ticketid.saml2=false

##
# Default Ticket Registry
#
# default.ticket.registry.initialcapacity=1000
# default.ticket.registry.loadfactor=1
# default.ticket.registry.concurrency=20

##
# Ticket Registry Cleaner
#
# Indicates how frequently the Ticket Registry cleaner should run. Configured in seconds.
# ticket.registry.cleaner.startdelay=20
# ticket.registry.cleaner.repeatinterval=5000

##
# Ticket ID Generation
#
# lt.ticket.maxlength=20
# st.ticket.maxlength=20
# tgt.ticket.maxlength=50
# pgt.ticket.maxlength=50

##
# Google Apps public/private key
#
# cas.saml.googleapps.publickey.file=file:/etc/cas/public.key
# cas.saml.googleapps.privatekey.file=file:/etc/cas/private.p8
# cas.saml.googleapps.key.alg=RSA

##
# WS-FED
#
# The claim from ADFS that should be used as the user's identifier.
# cas.wsfed.idp.idattribute=upn
#
# Federation Service identifier
# cas.wsfed.idp.id=https://adfs.example.org/adfs/services/trust
#
# The ADFS login url.
# cas.wsfed.idp.url=https://adfs.example.org/adfs/ls/
#
# Identifies resource(s) that point to ADFS's signing certificates.
# These are used verify the WS Federation token that is returned by ADFS.
# Multiple certificates may be separated by comma.
# cas.wsfed.idp.signingcerts=classpath:adfs-signing.crt
#
# Unique identifier that will be set in the ADFS configuration.
# cas.wsfed.rp.id=urn:cas:localhost
#
# Slack dealing with time-drift between the ADFS Server and the CAS Server.
# cas.wsfed.idp.tolerance=10000
#
# Decides which bundle of attributes should be resolved during WS-FED authentication.
# cas.wsfed.idp.attribute.resolver.enabled=true
# cas.wsfed.idp.attribute.resolver.type=WSFED
#
# Private/Public keypair used to decrypt assertions, if any.
# cas.wsfed.idp.enc.privateKey=classpath:private.key
# cas.wsfed.idp.enc.cert=classpath:certificate.crt
# cas.wsfed.idp.enc.privateKeyPassword=NONE

##
# LDAP User Details
#
# ldap.userdetails.service.user.attr=
# ldap.userdetails.service.role.attr=

##
# LDAP Service Registry
#
# svcreg.ldap.baseDn=dc=example,dc=org

##
# Password Policy
#
# Warn all users of expiration date regardless of warningDays value.
# password.policy.warnAll=false

# Threshold number of days to begin displaying password expiration warnings.
# password.policy.warningDays=30

# URL to which the user will be redirected to change the password.
# password.policy.url=https://password.example.edu/change

# password.policy.warn.attribute.name=attributeName
# password.policy.warn.attribute.value=attributeValue
# password.policy.warn.display.matched=true

##
# CAS REST API Services
#
# cas.rest.services.attributename=
# cas.rest.services.attributevalue=

##
# Ticket Registry
#
# Secret key to use when encrypting tickets in a distributed ticket registry.
# ticket.encryption.secretkey=C@$W3bSecretKey!

# Secret key to use when signing tickets in a distributed ticket registry.
# By default, must be a octet string of size 512.
# ticket.signing.secretkey=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w

# Secret key algorithm used
# ticket.secretkey.alg=AES

##
# Hazelcast Ticket Registry
#
# hz.config.location=file:/etc/cas/hazelcast.xml
# hz.mapname=tickets
# hz.cluster.logging.type=slf4j
# hz.cluster.portAutoIncrement=true
# hz.cluster.port=5701
# hz.cluster.multicast.enabled=false
# hz.cluster.members=cas1.example.com,cas2.example.com
# hz.cluster.tcpip.enabled=true
# hz.cluster.multicast.enabled=false
# hz.cluster.max.heapsize.percentage=85
# hz.cluster.max.heartbeat.seconds=300
# hz.cluster.eviction.percentage=10
# hz.cluster.eviction.policy=LRU
# hz.cluster.instance.name=${host.name}

##
# Ehcache Ticket Registry
#
# ehcache.config.file=classpath:ehcache-replicated.xml
# ehcache.cachemanager.shared=false
# ehcache.cachemanager.name=ticketRegistryCacheManager
# ehcache.disk.expiry.interval.seconds=0
# ehcache.disk.persistent=false
# ehcache.eternal=false
# ehcache.max.elements.memory=10000
# ehcache.max.elements.disk=0
# ehcache.eviction.policy=LRU
# ehcache.overflow.disk=false
# ehcache.cache.st.name=org.jasig.cas.ticket.ServiceTicket
# ehcache.cache.st.timeIdle=0
# ehcache.cache.st.timeAlive=300
# ehcache.cache.tgt.name=org.jasig.cas.ticket.TicketGrantingTicket
# ehcache.cache.tgt.timeIdle=7201
# ehcache.cache.tgt.timeAlive=0
# ehcache.cache.loader.async=true
# ehcache.cache.loader.chunksize=5000000
# ehcache.repl.async.interval=10000
# ehcache.repl.async.batch.size=100
# ehcache.repl.sync.puts=true
# ehcache.repl.sync.putscopy=true
# ehcache.repl.sync.updates=true
# ehcache.repl.sync.updatesCopy=true
# ehcache.repl.sync.removals=true

##
# Ehcache Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0

##
# Memcached Ticket Registry
#
# memcached.servers=localhost:11211
# memcached.hashAlgorithm=FNV1_64_HASH
# memcached.protocol=BINARY
# memcached.locatorType=ARRAY_MOD
# memcached.failureMode=Redistribute

##
# Memcached Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0

##
# RADIUS Authentication Server
#
# cas.radius.client.inetaddr=localhost
# cas.radius.client.port.acct=
# cas.radius.client.socket.timeout=60
# cas.radius.client.port.authn=
# cas.radius.client.sharedsecret=N0Sh@ar3d$ecReT
# cas.radius.server.protocol=EAP_MSCHAPv2
# cas.radius.server.retries=3
# cas.radius.server.nasIdentifier=
# cas.radius.server.nasPort=-1
# cas.radius.server.nasPortId=-1
# cas.radius.server.nasRealPort=-1
# cas.radius.server.nasPortType=-1
# cas.radius.server.nasIpAddress=
# cas.radius.server.nasIpv6Address=
# cas.radius.failover.authn=false
# cas.radius.failover.exception=false

##
# SPNEGO Authentication
#
# cas.spnego.ldap.attribute=spnegoattribute
# cas.spnego.ldap.filter=host={0}
# cas.spnego.ldap.basedn=
# cas.spnego.hostname.pattern=.+
# cas.spnego.ip.pattern=
# cas.spnego.alt.remote.host.attribute
# cas.spengo.use.principal.domain=false
# cas.spnego.ntlm.allowed=true
# cas.spnego.kerb.debug=false
# cas.spnego.kerb.realm=EXAMPLE.COM
# cas.spnego.kerb.kdc=172.10.1.10
# cas.spnego.login.conf.file=/path/to/login
# cas.spnego.jcifs.domain=
# cas.spnego.jcifs.domaincontroller=
# cas.spnego.jcifs.netbios.cache.policy:600
# cas.spnego.jcifs.netbios.wins=
# cas.spnego.jcifs.password=
# cas.spnego.jcifs.service.password=
# cas.spnego.jcifs.socket.timeout:300000
# cas.spnego.jcifs.username=
# cas.spnego.kerb.conf=
# cas.spnego.ntlm=false
# cas.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
# cas.spnego.mixed.mode.authn=false
# cas.spnego.send.401.authn.failure=false
# cas.spnego.principal.resolver.transform=NONE
# cas.spnego.service.principal=HTTP/cas.example.com@EXAMPLE.COM

##
# NTLM Authentication
#
# ntlm.authn.domain.controller=
# ntlm.authn.include.pattern=
# ntlm.authn.load.balance=true

##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
# cas.pac4j.oidc.preferredJwsAlgorithm=
# cas.pac4j.oidc.maxClockSkew=
# cas.pac4j.oidc.customParamKey1=
# cas.pac4j.oidc.customParamValue1=
# cas.pac4j.oidc.customParamKey2=
# cas.pac4j.oidc.customParamValue2=

##
# CAS Acceptable Usage Policy Settings
#
# cas.aup.ldap.search.filter=cn={0}
# cas.aup.ldap.url=ldap://127.0.0.1:1389
# cas.aup.ldap.ssl=false
# cas.aup.ldap.startTLS=false
# cas.aup.ldap.basedn=dc=example,dc=org
# cas.aup.attribute=
```