CAS5.1.x overlay使用体验,希望能帮助大家少遇到一些坑。
官方文档:
https://apereo.github.io/cas/5.1.x/installation/Maven-Overlay-Installation.html
1)准备工作
编辑hosts
增加 127.0.0.1 cas.example.org
cas-overlay github地址
https://github.com/apereo/cas-overlay-template
2)证书相关
注:JAVA_HOME目录的jre下cacerts
keytool -list -keystore cacerts -alias cas
#生成证书,此处CN为前面设定的host的域名
keytool -genkey -alias cas -keyalg RSA -keysize 2048 -keypass 123456 -storepass 123456 -keystore /etc/cas/keystore -dname "CN=cas.example.org,OU=duodian.com,O=duodian,L=Beijing,ST=BeiJing,C=CN"
#导出证书
keytool -exportcert -alias cas -keystore /etc/cas/keystore -file /etc/cas/cas.cer -storepass 123456
#倒入证书到java cacerts中
keytool -import -alias cas -keystore ./cacerts -file /etc/cas/cas.cer
#删除证书
keytool -delete -alias cas -keystore ./cacerts
-alias 产生别名
-keystore 指定密钥库的名称(产生的各类信息将不在.keystore文件中)
-keyalg 指定密钥的算法 (如 RSA DSA(如果不指定默认采用DSA))
-validity 指定创建的证书有效期多少天
-keysize 指定密钥长度
-storepass 指定密钥库的密码(获取keystore信息所需的密码)
-keypass 指定别名条目的密码(私钥的密码)
-dname 指定证书拥有者信息 例如: "CN=名字与姓氏,OU=组织单位名称,O=组织名称,L=城市或区域名称,ST=州或省份名称,C=单位的两字母国家代码"
-list 显示密钥库中的证书信息
-v 显示密钥库中的证书详细信息
-export 将别名指定的证书导出到文件
-file 参数指定导出到文件的文件名
-delete 删除密钥库中某条目
-printcert 查看导出的证书信息
-keypasswd 修改密钥库中指定条目口令
-storepasswd 修改keystore口令
-import 将已签名数字证书导入密钥库
证书1.png
import.png
3)基于mysql数据库的依赖pom
4.0.0
org.apereo.cas
cas-overlay
war
1.0
org.springframework.boot
spring-boot-maven-plugin
${springboot.version}
org.springframework.boot.loader.WarLauncher
true
org.apache.maven.plugins
maven-war-plugin
2.6
cas
false
false
false
${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp${app.server}/META-INF/MANIFEST.MF
org.apereo.cas
cas-server-webapp${app.server}
org.apache.maven.plugins
maven-compiler-plugin
3.3
cas
org.apereo.cas
cas-server-webapp${app.server}
${cas.version}
war
runtime
org.apereo.cas
cas-server-support-json-service-registry
${cas.version}
org.apereo.cas
cas-server-support-jdbc-drivers
${cas.version}
org.apereo.cas
cas-server-support-jdbc
${cas.version}
mysql
mysql-connector-java
6.0.6
5.1.1
1.5.3.RELEASE
-tomcat
1.8
1.8
UTF-8
4)配置文件etc/cas/config/cas.properties中的域名
cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services
5)重要配置文件src/main/resources/application.properties
# CAS Server Context Configuration
#
# CAS Server Context Configuration
#
server.context-path=/cas
server.port=8443
server.ssl.key-store=file:/etc/cas/keystore
server.ssl.key-store-password=123456
server.ssl.key-password=123456
# server.ssl.ciphers=
# server.ssl.client-auth=
server.ssl.enabled=true
server.ssl.key-alias=cas
# server.ssl.key-store-provider=
# server.ssl.key-store-type=
# server.ssl.protocol=
# server.ssl.trust-store=
# server.ssl.trust-store-password=
# server.ssl.trust-store-provider=
# server.ssl.trust-store-type=
server.max-http-header-size=2097152
server.use-forward-headers=true
server.connection-timeout=20000
server.error.include-stacktrace=ALWAYS
server.tomcat.max-http-post-size=2097152
server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=10
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true
##
# CAS Cloud Bus Configuration
#
spring.cloud.bus.enabled=false
# spring.cloud.bus.refresh.enabled=true
# spring.cloud.bus.env.enabled=true
# spring.cloud.bus.destination=CasCloudBus
# spring.cloud.bus.ack.enabled=true
endpoints.enabled=false
endpoints.sensitive=true
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false
management.security.enabled=true
management.security.roles=ACTUATOR,ADMIN
management.security.sessions=if_required
management.context-path=/status
management.add-application-context-header=false
security.basic.authorize-mode=role
security.basic.enabled=false
security.basic.path=/cas/status/**
##
# CAS Web Application Session Configuration
#
server.session.timeout=300
server.session.cookie.http-only=true
server.session.tracking-modes=COOKIE
##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=true
spring.thymeleaf.mode=HTML
##
# CAS Log4j Configuration
#
# logging.config=file:/etc/cas/log4j2.xml
server.context-parameters.isLog4jAutoInitializationDisabled=true
##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true
##
# CAS Authentication Credentials
#
#当启用该配置时,为默认静态认证,登陆名为ideal密码为ideal
#cas.authn.accept.users=ideal::ideal
#注释掉上面一条配置,配置数据库认证方式,示例为query方式
#注意数据库字段与数据库名字默认时区分大小写的,CAS_USER不能查到该表
cas.authn.jdbc.query[0].sql=select password from cas_user where name=?
cas.authn.jdbc.query[0].healthQuery=
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://127.0.0.1:3306/cas?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&useSSL=false
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].ddlAuto=create-drop
cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=123456
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
#cas.authn.jdbc.query[0].credentialCriteria=
#cas.authn.jdbc.query[0].name=
#cas.authn.jdbc.query[0].order=0
#cas.authn.jdbc.query[0].dataSourceName=
#cas.authn.jdbc.query[0].dataSourceProxy=false
#此处很关键,必须要配置查询字段的名字,否则认证失败,官方文档中未找到说明,跟踪源代码找到的。
cas.authn.jdbc.query[0].fieldPassword=password
#cas.authn.jdbc.query[0].fieldExpired=
#cas.authn.jdbc.query[0].fieldDisabled=
#cas.authn.jdbc.query[0].principalAttributeList=sn,cn:commonName,givenName
#默认为NONE密码明文认证,可以自定义加密算法类(implements PasswordEncoder)
#cas.authn.jdbc.query[0].passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT|SCRYPT|PBKDF2|com.example.CustomPasswordEncoder
#cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
#当passwordEncoder.type为default时,算法可定义MD5等算法。
#cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=
#cas.authn.jdbc.query[0].passwordEncoder.secret=
#cas.authn.jdbc.query[0].passwordEncoder.strength=16
#cas.authn.jdbc.query[0].principalTransformation.suffix=
#cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
#cas.authn.jdbc.query[0].principalTransformation.prefix=
#多属性返回(同样是各种试验,同事解决的哈)
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].order=0
cas.authn.attributeRepository.jdbc[0].url=jdbc:mysql://127.0.0.1:3306/cas?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&useSSL=false
cas.authn.attributeRepository.jdbc[0].username=name
cas.authn.attributeRepository.jdbc[0].user=root
cas.authn.attributeRepository.jdbc[0].password=123456
cas.authn.attributeRepository.jdbc[0].sql=select * from cas_user where name=?
#取消以下两行则在返回属性中仅包含表中的这两个字段属性,注释情况下返回该表行所有属性
#cas.authn.attributeRepository.jdbc[0].attributes.id=id
#cas.authn.attributeRepository.jdbc[0].attributes.name=name
cas.authn.attributeRepository.jdbc[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].ddlAuto=none
cas.authn.attributeRepository.jdbc[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].leakThreshold=10
cas.authn.attributeRepository.jdbc[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc[0].batchSize=1
cas.authn.attributeRepository.jdbc[0].healthQuery=SELECT 1
cas.authn.attributeRepository.jdbc[0].failFast=true
6)服务注册--增加多属性配置20170705
匹配全部应用,仅用作测试
src/main/resources/services/HTTPSandIMAPS-10000001.json
第一种ReturnAllAttributeReleasePolicy返回所有属性由5中#cas.authn.attributeRepository.jdbc[0].attributes.id=id来控制
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps|http)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"description" : "This service definition authorizes all application urls that support HTTPS and IMAPS and HTTP protocols.",
"evaluationOrder" : 1,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}
}
第二种ReturnAllowedAttributeReleasePolicy多属性方案,由allowedAttributes控制属性
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes": ["java.util.ArrayList", ["id", "name", "phone"]]
}
7)我的数据库
CREATE TABLE `cas_user` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键',
`name` varchar(50) DEFAULT NULL,
`password` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
8)认证体检
项目结构.png
启动.png
登陆页.png
认证成功.png
