1. for Java using Spring

Configuration of the CAS Client for Java via Spring IoC will depend heavily on their DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml.

As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml

Note: A sample authentication configuration is attached to this page.

Bean definition examples:

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>authenticationFilter</param-value>
    </init-param>
  </filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

AuthenticationFilter

<bean
    name="authenticationFilter"
    class="org.jasig.cas.client.authentication.AuthenticationFilter"
    p:casServerLoginUrl="https://localhost:8443/cas/login"
    p:renew="false"
    p:gateway="false"

Cas10TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas10TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas10TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Saml11TicketValidationFilter

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Saml11TicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release the artifactParameterName must be set to "ticket" for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.

Cas20ProxyReceivingTicketValidationFilter

Configuration to just validate service tickets:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept a Proxy Granting Ticket:

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean
            class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept any Proxy Ticket (and Proxy Granting Tickets):

<bean
    name="ticketValidationFilter"
    class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
    p:proxyReceptorUrl="/proxy/receptor">
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
            p:acceptAnyProxy="true"
            p:proxyCallbackUrl="/proxy/receptor">
            <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
    </property>
</bean>

Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):

  1. <bean
  2. name="ticketValidationFilter"
  3. class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
  4. p:service="https://my.local.service.com/cas-client"
  5. p:proxyReceptorUrl="/proxy/receptor">
  6. <property name="ticketValidator">
  7. <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
  8. p:proxyCallbackUrl="/proxy/receptor">
  9. <constructor-arg index="0" value="https://localhost:8443/cas" />
  10. <property name="allowedProxyChains">
  11. <list>
  12. <value>http://proxy1 http://proxy2</value>
  13. </list>
  14. </property>
  15. </bean>
  16. </property>
  17. </bean>

2. for Java in the web.xml

The CAS Client for Java 3.1/3.2 can be configured via web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:

  1. Check the filter's local init-params for a parameter matching the required property name.
  2. Check the context's parameters for a parameter matching the required property name.

If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties (such as the renew property).

Note:

The correct order of the filters in web.xml is necessary:

  1. AuthenticationFilter
  2. TicketValidationFilter (whichever one is chosen)
  3. HttpServletRequestWrapperFilter
  4. AssertionThreadLocalFilter
Icon

If you're using the serverName property (see below), you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

Available filters are as follows:

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "SAMLArt").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "TARGET").

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e.https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false"

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
 </filter>

Required Properties

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (NOTE: Available as of version 3.1.6.)

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Proxy Authentication

Icon

If you are using proxy validation, you should map the validation filter before the authentication filter.
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

  • casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
  • serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443(you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.

Optional Properties

  • redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
  • useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
  • exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
  • proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, ff your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor
  • renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false."
  • acceptAnyProxy (default: false) - specifies whether any proxy is OK.
  • allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.
  • proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.
  • proxyGrantingTicketStorageClass (@since 3.1.9) (default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.

Replicating PGT using "proxyGrantingTicketStorageClass" and Distributed Caching

The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless which node is selected as the result of the load balancer rerouting.

Note: A similar implementation based on Memcached is also available.

Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through once of its suggested ways. Asample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

Required Properties
None

Optional Properties
None

org.jasig.cas.client.util.AssertionThreadLocalFilter

Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter "fronts" needs to get the Principal name, but it has no access to the HttpServletRequest, hence making getRemoteUser() call impossible.

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

3. for Java using JNDI

Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml.

All properties that are placed in JNDI should be placed under java:comp/env/cas

We use the following conventions:

  1. JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)
  2. JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)

Example:
(this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application)

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!--
  3. Licensed to the Apache Software Foundation (ASF) under one or more
  4. contributor license agreements. See the NOTICE file distributed with
  5. this work for additional information regarding copyright ownership.
  6. The ASF licenses this file to You under the Apache License, Version 2.0
  7. (the "License"); you may not use this file except in compliance with
  8. the License. You may obtain a copy of the License at
  9.  
  10. http://www.apache.org/licenses/LICENSE-2.0
  11.  
  12. Unless required by applicable law or agreed to in writing, software
  13. distributed under the License is distributed on an "AS IS" BASIS,
  14. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15. See the License for the specific language governing permissions and
  16. limitations under the License.
  17. -->
  18. <Context antiResourceLocking="false" privileged="true">
  19.  
  20. <Environment description="" name="cas/serverName" override="false"
  21. type="java.lang.String" value="http://localhost:8080"/>
  22.  
  23. <Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false"
  24. type="java.lang.String" value="https://www.ja-sig.org/cas/login"/>
  25.  
  26. <Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false"
  27. type="java.lang.String" value="https://www.ja-sig.org/cas"/>
  28. </Context>

Configuring Single Sign Out

The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page

Add the following configuration to your web.xml where appropriate:

  1. /* With CAS 2.0 Protocol */
    <filter>
  2. <filter-name>CAS Single Sign Out Filter</filter-name>
  3. <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  4. </filter>
  5. ...
  6. <filter-mapping>
  7. <filter-name>CAS Single Sign Out Filter</filter-name>
  8. <url-pattern>/*</url-pattern>
  9. </filter-mapping>
  10. ...
  11. <listener>
  12. <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  13. </listener>
  1. /* With SAML 1.1 Protocol */
  2.  
  3. <filter>
  4. <filter-name>CAS Single Sign Out Filter</filter-name>
  5. <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  6. <init-param>
  7. <param-name>artifactParameterName</param-name>
  8. <param-value>SAMLart</param-value>
  9. </init-param>
  10. </filter>
  11. ...
  12. <filter-mapping>
  13. <filter-name>CAS Single Sign Out Filter</filter-name>
  14. <url-pattern>/*</url-pattern>
  15. </filter-mapping>
  16. ...
  17. <listener>
  18. <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  19. </listener>

原文地址:https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

Configuring the JA-SIG CAS Client --官方的更多相关文章

  1. CAS单点登录实践(spring cas client配置)

    前言: 最近的项目需要将多个站点统一登录,查阅了资料Jasig cas(Central Authentication Service)(官方站点:http://www.jasig.org/cas)使用 ...

  2. CAS Client集群环境的Session问题及解决方案

    [原创申明:文章为原创,欢迎非盈利性转载,但转载必须注明来源] 之前写过一篇文章,介绍单点登录的基本原理.这篇文章重点介绍开源单点登录系统CAS的登录和注销的实现方法.并结合实际工作中碰到的问题,探讨 ...

  3. (转)基于CAS实现单点登录(SSO):cas client端的退出问题

    出处:http://blog.csdn.net/tch918/article/details/22276627 自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器 ...

  4. cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused

    cas 单点登录出现org.jasig.cas.client.util.CommonUtils.getResponseFromServer - 拒绝连接 Connection refused 环境: ...

  5. Eclipse配置CAS client

    1.新建一个Maven项目 2.Next,选择 3.输入group id 和 artifact id -->  Finish 4.项目创建完成的目录结构 编辑pom.xml文件,写上依赖 注意把 ...

  6. cas+tomcat+shiro实现单点登录-4-Apache Shiro 集成Cas作为cas client端实现

    目录 1.tomcat添加https安全协议 2.下载cas server端部署到tomcat上 3.CAS服务器深入配置(连接MYSQL) 4.Apache Shiro 集成Cas作为cas cli ...

  7. [原]基于CAS实现单点登录(SSO):cas client端的退出问题

    自从CAS 3.4就很好的支持了单点注销功能,配置也很简单. 之前版本因为在CAS服务器通过HttpClient发送消息时并未指定为POST方式,所以在CAS客户端的注销Filter中没有收到POST ...

  8. [原]基于CAS实现单点登录(SSO):登录成功后,cas client如何返回更多用户信息

    从cas server登录成功后,默认只能从casclient得到用户名.但程序中也可能遇到需要得到更多如姓名,手机号,email等更多用户信息的情况. cas client拿到用户名后再到数据库中查 ...

  9. CAS Client集群环境的Session问题及解决方案 不能退出登录

    casclient源代码下载链接:https://github.com/apereo/java-cas-client cas官网链接:https://www.apereo.org/projects/c ...

随机推荐

  1. Linux系统配置成简单的路由器

    一.两个不同网段的子网相互访问或通信 废话不多说了,直接上图,一目了然吧. 按照如图配置,就可以实现两个不同网段的子网相互通信. 二.连接上网的配置: 如果想让这两个子网,不仅可以相互通信,而且还可以 ...

  2. C#实现的异步Socket服务器

    介绍 我最近需要为一个.net项目准备一个内部线程通信机制. 项目有多个使用ASP.NET,Windows 表单和控制台应用程序的服务器和客户端构成. 考虑到实现的可能性,我下定决心要使用原生的soc ...

  3. Java学习----方法的重载

    一个类中有多个同名的参数不一样的方法. 作用:可以根据不同的条件调用不同的方法. 注意:java不会因为方法的返回类型或者权限的不同而判断为不同的两个方法. public class Student ...

  4. php中的双引号和单引号的区别?

    1.单引号里面的字符串直接全部转义,原样输出(即:单引号内部的变量不会被执行) 2.双引号里面的变量会被替换(即:变量会执行) 例如:$name = 'hello';echo "the $n ...

  5. PHP图形计算器(计算三角形矩形周长面积)

    运用PHP面向对象的知识设计一个图形计算器,同时也运用到了抽象类知识,这个计算器可以计算三角形的周长和面积以及矩形的周长和面积.本图形计算器有4个页面:1.PHP图形计算器主页index.php;   ...

  6. iTunes 安装终极解决方案

    近日手贱升级了Itunes,升级过程即报失败,然后卸载所有相关东西,再重装,Itunes安装成功,但是报告无法使用iphone,经过几天摸索,发现是Apple Mobile Device Suppor ...

  7. 转:开源项目学习方法ABC

    文章来自于 http://yizhaolingyan.net/?p=123#comment-207 学习各种开源项目,已经成为很多朋友不可回避的工作内容了.笔者本人也是如此.在接触并学习了若干个开源项 ...

  8. 《FPGA零基础入门到精通视频教程》-第002计数器(Modelsim前仿真)

    高清视频和配套讲义这里下载 http://www.fpgaw.com/thread-68524-1-1.html 优酷视频

  9. Android的布局优化之include、merge 、viewstub

    以前在写布局的时候总是喜欢用自己熟悉的方式去写,从来也没有想过优化怎么的,后来又一次在上班的时候老大拿着我写的一个页面说我这个不行.我说这不是和设计图上的一模一样的么?怎么就不行了?然后他就跟我说了一 ...

  10. (转载)python多行注释

    (转载)http://www.cnblogs.com/pylemon/archive/2011/05/23/2054090.html python本身不带多行注释,编辑时每行敲一个“#”相当的不方便, ...