1. for Java using Spring

Configuration of the CAS Client for Java via Spring IoC will depend heavily on their DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml.

As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml

Note: A sample authentication configuration is attached to this page.

Bean definition examples:

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>authenticationFilter</param-value>
    </init-param>
  </filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

AuthenticationFilter

<bean
    name="authenticationFilter"
    class="org.jasig.cas.client.authentication.AuthenticationFilter"
    p:casServerLoginUrl="https://localhost:8443/cas/login"
    p:renew="false"
    p:gateway="false"

Cas10TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas10TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas10TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Saml11TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Saml11TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release the artifactParameterName must be set to "ticket" for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.

Cas20ProxyReceivingTicketValidationFilter

Configuration to just validate service tickets:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept a Proxy Granting Ticket:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean
            class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept any Proxy Ticket (and Proxy Granting Tickets):

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
            p:acceptAnyProxy="true"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):

<bean

    name="ticketValidationFilter"

    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"

    p:service="https://my.local.service.com/cas-client"

    p:proxyReceptorUrl="/proxy/receptor">

    <property name="ticketValidator">

        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"

            p:proxyCallbackUrl="/proxy/receptor">

            <constructor-arg index="0" value="https://localhost:8443/cas" />

            <property name="allowedProxyChains">

                <list>

                    <value>http://proxy1 http://proxy2</value>

                </list>

            </property>

        </bean>

    </property>

</bean>

2. for Java in the web.xml

The CAS Client for Java 3.1/3.2 can be configured via web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:

  1. Check the filter's local init-params for a parameter matching the required property name.
  2. Check the context's parameters for a parameter matching the required property name.

If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties (such as the renew property).

Note:

The correct order of the filters in web.xml is necessary:

  1. AuthenticationFilter
  2. TicketValidationFilter (whichever one is chosen)
  3. HttpServletRequestWrapperFilter
  4. AssertionThreadLocalFilter
Icon

If you're using the serverName property (see below), you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

Available filters are as follows:

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "SAMLArt").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "TARGET").

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false"

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (NOTE: Available as of version 3.1.6.)

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Proxy Authentication

Icon

If you are using proxy validation, you should map the validation filter before the authentication filter.
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443(you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, ff your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false."
  • acceptAnyProxy (default: false) - specifies whether any proxy is OK.
  • allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.
  • proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.
  • proxyGrantingTicketStorageClass (@since 3.1.9) (default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.

Replicating PGT using "proxyGrantingTicketStorageClass" and Distributed Caching

The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless which node is selected as the result of the load balancer rerouting.

Note: A similar implementation based on Memcached is also available.

Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through once of its suggested ways. Asample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

Required Properties
None

Optional Properties
None

org.jasig.cas.client.util.AssertionThreadLocalFilter

Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter "fronts" needs to get the Principal name, but it has no access to the HttpServletRequest, hence making getRemoteUser() call impossible.

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

3. for Java using JNDI

Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml.

All properties that are placed in JNDI should be placed under java:comp/env/cas

We use the following conventions:

  1. JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)
  2. JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)

Example:
(this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application)

<?xml version="1.0" encoding="UTF-8"?>

<!--

  Licensed to the Apache Software Foundation (ASF) under one or more

  contributor license agreements.  See the NOTICE file distributed with

  this work for additional information regarding copyright ownership.

  The ASF licenses this file to You under the Apache License, Version 2.0

  (the "License"); you may not use this file except in compliance with

  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software

  distributed under the License is distributed on an "AS IS" BASIS,

  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  See the License for the specific language governing permissions and

  limitations under the License.

-->

<Context antiResourceLocking="false" privileged="true">

<Environment description="" name="cas/serverName" override="false"

type="java.lang.String" value="http://localhost:8080"/>

<Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false"

type="java.lang.String" value="https://www.ja-sig.org/cas/login"/>

<Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false"

type="java.lang.String" value="https://www.ja-sig.org/cas"/>

</Context>

Configuring Single Sign Out

The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page

Add the following configuration to your web.xml where appropriate:

/* With CAS 2.0 Protocol */
<filter>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

</filter>

...

<filter-mapping>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <url-pattern>/*</url-pattern>

</filter-mapping>

...

<listener>

    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

</listener>
/* With SAML 1.1 Protocol */

<filter>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

   <init-param>

      <param-name>artifactParameterName</param-name>

      <param-value>SAMLart</param-value>

   </init-param>

</filter>

...

<filter-mapping>

   <filter-name>CAS Single Sign Out Filter</filter-name>

   <url-pattern>/*</url-pattern>

</filter-mapping>

...

<listener>

    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

</listener>

原文地址:https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

Configuring the JA-SIG CAS Client --官方的更多相关文章

  1. CAS单点登录实践(spring cas client配置)

    前言: 最近的项目需要将多个站点统一登录,查阅了资料Jasig cas(Central Authentication Service)(官方站点:http://www.jasig.org/cas)使用 ...

  2. CAS Client集群环境的Session问题及解决方案

    [原创申明:文章为原创,欢迎非盈利性转载,但转载必须注明来源] 之前写过一篇文章,介绍单点登录的基本原理.这篇文章重点介绍开源单点登录系统CAS的登录和注销的实现方法.并结合实际工作中碰到的问题,探讨 ...

  3. (转)基于CAS实现单点登录(SSO):cas client端的退出问题

    出处:http://blog.csdn.net/tch918/article/details/22276627 自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器 ...

  4. cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused

    cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused 环境: ...

  5. Eclipse配置CAS client

    1.新建一个Maven项目 2.Next,选择 3.输入group id 和 artifact id -->  Finish 4.项目创建完成的目录结构 编辑pom.xml文件,写上依赖 注意把 ...

  6. cas+tomcat+shiro实现单点登录-4-Apache Shiro 集成Cas作为cas client端实现

    目录 1.tomcat添加https安全协议 2.下载cas server端部署到tomcat上 3.CAS服务器深入配置(连接MYSQL) 4.Apache Shiro 集成Cas作为cas cli ...

  7. [原]基于CAS实现单点登录(SSO):cas client端的退出问题

    自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器通过HttpClient发送消息时并未指定为POST方式,所以在CAS客户端的注销Filter中没有收到POST ...

  8. [原]基于CAS实现单点登录(SSO):登录成功后,cas client如何返回更多用户信息

    从cas server登录成功后,默认只能从casclient得到用户名.但程序中也可能遇到需要得到更多如姓名,手机号,email等更多用户信息的情况. cas client拿到用户名后再到数据库中查 ...

  9. CAS Client集群环境的Session问题及解决方案 不能退出登录

    casclient源代码下载链接:https://github.com/apereo/java-cas-client cas官网链接:https://www.apereo.org/projects/c ...

随机推荐

  1. 苹果被拒的血泪史。。。(update 2015.11)

    项目提交了N此了,也审核N次了,苹果的审核机制依旧那么不急不慢.昨天刚刚又被拒了.回忆下之前的,总结一下吧. 2015.04.28 昨天被拒非常亏,app的评级是17+,但是在app展示图里有一个比较 ...

  2. Android获取屏幕的高度和宽度

    方法一: DisplayMetrics metrics=new DisplayMetrics(); getWindowManager().getDefaultDisplay().getMetrics( ...

  3. Qt Painter放大时,event处理应该注意的要点

    比如当你Qt中用QPainter进行window和viewport,逻辑和物理坐标分离的形式进行绘图放大的时候,你会发现鼠标的移动和放大之后的图像有点不跟手,比如你是用QTransform进行放大变换 ...

  4. Android学习-----Button点击事件几种写法

    Button点击事件:大概可以分为以下几种: 匿名内部类 定义内部类,实现OnClickListener接口 定义的构造方法 用Activity实现OnClickListener接口 指定Button ...

  5. Tinkphp定时发布文章的教程

    第一步:在文章表中加一个字段,用来保存定时发布的时间 假定我把这个字段设为 push_time 默认为 0 第二步:写一个方法来检查文章列表,把文章列表到时间的文章改为发布状态 //定时发布文章 pu ...

  6. solr拼写检查配置

    拼写检查功能,能在搜索时,提供一个较好用户体验,所以,主流的搜索引擎都有这个功能. 那么什么是拼写检查,其实很好理解,就是你输入的搜索词,可能是你输错了,也有可能在它的检索库里面根本不存在这个词,但是 ...

  7. spring framework 4 源码阅读

    前面写了几篇spring 的介绍文章,感觉与主题不是很切合.重新整理下思路,从更容易理解的角度来写下文章. spring 的骨架 spring 的骨架,也是spring 的核心包.主要包含三个内容 1 ...

  8. .net Web.Config配置文件 转

    .net Web.Config配置文件 博客分类: .net   .net Web.Config配置文件 一.配置信息 <?xml version="1.0" encodin ...

  9. Error on SVN checkout:SSL handshake failed

    最近遇到了一个恼火的问题,在Ubuntu上尝试用svn命令checkout一个https的repository时遇到个错误信息: svn: E175002: Unable to connect to ...

  10. Linux项目一

    Linux项目一 引言: 这是我去年做的东西,一直没有时间整理,今天又要做一个基于这个项目的客户端与服务器版本. 以前我写的库文件中的函数耦合度很大,在一个函数中调用另一个函数,导致一无法拆开使用! ...