1. for Java using Spring

Configuration of the CAS Client for Java via Spring IoC will depend heavily on their DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml.

As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml

Note: A sample authentication configuration is attached to this page.

Bean definition examples:

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>authenticationFilter</param-value>
    </init-param>
  </filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

AuthenticationFilter

<bean
    name="authenticationFilter"
    class="org.jasig.cas.client.authentication.AuthenticationFilter"
    p:casServerLoginUrl="https://localhost:8443/cas/login"
    p:renew="false"
    p:gateway="false"

Cas10TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas10TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas10TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Saml11TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Saml11TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release the artifactParameterName must be set to "ticket" for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.

Cas20ProxyReceivingTicketValidationFilter

Configuration to just validate service tickets:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept a Proxy Granting Ticket:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean
            class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept any Proxy Ticket (and Proxy Granting Tickets):

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
            p:acceptAnyProxy="true"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):

<bean

    name="ticketValidationFilter"

    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"

    p:service="https://my.local.service.com/cas-client"

    p:proxyReceptorUrl="/proxy/receptor">

    <property name="ticketValidator">

        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"

            p:proxyCallbackUrl="/proxy/receptor">

            <constructor-arg index="0" value="https://localhost:8443/cas" />

            <property name="allowedProxyChains">

                <list>

                    <value>http://proxy1 http://proxy2</value>

                </list>

            </property>

        </bean>

    </property>

</bean>

2. for Java in the web.xml

The CAS Client for Java 3.1/3.2 can be configured via web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:

  1. Check the filter's local init-params for a parameter matching the required property name.
  2. Check the context's parameters for a parameter matching the required property name.

If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties (such as the renew property).

Note:

The correct order of the filters in web.xml is necessary:

  1. AuthenticationFilter
  2. TicketValidationFilter (whichever one is chosen)
  3. HttpServletRequestWrapperFilter
  4. AssertionThreadLocalFilter
Icon

If you're using the serverName property (see below), you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

Available filters are as follows:

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "SAMLArt").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "TARGET").

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false"

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (NOTE: Available as of version 3.1.6.)

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Proxy Authentication

Icon

If you are using proxy validation, you should map the validation filter before the authentication filter.
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443(you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, ff your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false."
  • acceptAnyProxy (default: false) - specifies whether any proxy is OK.
  • allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.
  • proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.
  • proxyGrantingTicketStorageClass (@since 3.1.9) (default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.

Replicating PGT using "proxyGrantingTicketStorageClass" and Distributed Caching

The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless which node is selected as the result of the load balancer rerouting.

Note: A similar implementation based on Memcached is also available.

Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through once of its suggested ways. Asample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

Required Properties
None

Optional Properties
None

org.jasig.cas.client.util.AssertionThreadLocalFilter

Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter "fronts" needs to get the Principal name, but it has no access to the HttpServletRequest, hence making getRemoteUser() call impossible.

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

3. for Java using JNDI

Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml.

All properties that are placed in JNDI should be placed under java:comp/env/cas

We use the following conventions:

  1. JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)
  2. JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)

Example:
(this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application)

<?xml version="1.0" encoding="UTF-8"?>

<!--

  Licensed to the Apache Software Foundation (ASF) under one or more

  contributor license agreements.  See the NOTICE file distributed with

  this work for additional information regarding copyright ownership.

  The ASF licenses this file to You under the Apache License, Version 2.0

  (the "License"); you may not use this file except in compliance with

  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

-->

<Context antiResourceLocking="false" privileged="true">

<Environment description="" name="cas/serverName" override="false"

type="java.lang.String" value="http://localhost:8080"/>

<Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false"

type="java.lang.String" value="https://www.ja-sig.org/cas/login"/>

<Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false"

type="java.lang.String" value="https://www.ja-sig.org/cas"/>

</Context>

Configuring Single Sign Out

The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page

Add the following configuration to your web.xml where appropriate:

/* With CAS 2.0 Protocol */
<filter>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

</filter>

...

<filter-mapping>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <url-pattern>/*</url-pattern>

</filter-mapping>

...

<listener>

    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

</listener>
/* With SAML 1.1 Protocol */

<filter>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

   <init-param>

      <param-name>artifactParameterName</param-name>

      <param-value>SAMLart</param-value>

   </init-param>

</filter>

...

<filter-mapping>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <url-pattern>/*</url-pattern>

</filter-mapping>

...

<listener>

    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

</listener>

原文地址:https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

Configuring the JA-SIG CAS Client --官方的更多相关文章

  1. CAS单点登录实践(spring cas client配置)

    前言: 最近的项目需要将多个站点统一登录,查阅了资料Jasig cas(Central Authentication Service)(官方站点:http://www.jasig.org/cas)使用 ...

  2. CAS Client集群环境的Session问题及解决方案

    [原创申明:文章为原创,欢迎非盈利性转载,但转载必须注明来源] 之前写过一篇文章,介绍单点登录的基本原理.这篇文章重点介绍开源单点登录系统CAS的登录和注销的实现方法.并结合实际工作中碰到的问题,探讨 ...

  3. (转)基于CAS实现单点登录(SSO):cas client端的退出问题

    出处:http://blog.csdn.net/tch918/article/details/22276627 自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器 ...

  4. cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused

    cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused 环境: ...

  5. Eclipse配置CAS client

    1.新建一个Maven项目 2.Next,选择 3.输入group id 和 artifact id -->  Finish 4.项目创建完成的目录结构 编辑pom.xml文件,写上依赖 注意把 ...

  6. cas+tomcat+shiro实现单点登录-4-Apache Shiro 集成Cas作为cas client端实现

    目录 1.tomcat添加https安全协议 2.下载cas server端部署到tomcat上 3.CAS服务器深入配置(连接MYSQL) 4.Apache Shiro 集成Cas作为cas cli ...

  7. [原]基于CAS实现单点登录(SSO):cas client端的退出问题

    自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器通过HttpClient发送消息时并未指定为POST方式,所以在CAS客户端的注销Filter中没有收到POST ...

  8. [原]基于CAS实现单点登录(SSO):登录成功后,cas client如何返回更多用户信息

    从cas server登录成功后,默认只能从casclient得到用户名.但程序中也可能遇到需要得到更多如姓名,手机号,email等更多用户信息的情况. cas client拿到用户名后再到数据库中查 ...

  9. CAS Client集群环境的Session问题及解决方案 不能退出登录

    casclient源代码下载链接:https://github.com/apereo/java-cas-client cas官网链接:https://www.apereo.org/projects/c ...

随机推荐

  1. WPF 弱事件

    因为在接触WPF的过程中追查INotifyPropertyChanged的通知原理的时候,发现了 PropertyChangedEventManager这个类,它是继承与WeakEventManage ...

  2. centOS 7配置Apache + MySQL + PHP

    一.配置防火墙,开启80端口.3306端口 CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: #停止firewall服务 sys ...

  3. Lang语言包

    \languages\zh_cn\admin\common.php里配置后台所有常量

  4. SpringMVC入门2-注解开发

    Spring MVC 注解开发 <context:component-scan base-package="com.controls" /> Springmvc的扫描器 ...

  5. BeanUtils API中使用ConvertUtils向BeanUtils注册一个日期转换器

    ConvertUtils.register(new Converter(){ public Object convert(Class type, Object value){ if(value == ...

  6. 324篇CSS应用效果集合(梦想天空,可同时应用于Web开发与Qt界面开发)

    http://www.cnblogs.com/lhb25/category/146075.html http://www.yyyweb.com/

  7. 《how to design programs》13章用list构造表

    使用cons构造一个包含多个元素的表十分麻烦,因此scheme提供了list操作,该操作接受任意量的值作为输入以创建一个表,下面是扩展的语法: <prm>=list 扩展的scheme值的 ...

  8. jstack(Stack Trace for Java)

    功能   用于生成虚拟机当前时刻的线程快照(一般称为threaddump或javacore文件).线程快照就是当前虚拟机内每一条线程正在执行的方法堆栈的集合,生成线程快照的主要目的是定位线程出现长时间 ...

  9. 跨站脚本(XSS)

    跨站脚本: cross-site scripting或者XSS, 即攻击者向目标Web站点注入HTML标签或者脚本 如果网站没有通过移除任何嵌入的HTML标签来消毒,那么web页面很容易受到跨站脚本攻 ...

  10. delphi操作文本文件的方法简介

    delphi操作文本文件的方法简介减小字体 增大字体 作者佚名来源不详发布时间2008-5-31 10:31:16发布人xuedelphi1 文件类型和标准过程       Delphi同Object ...