CAS网址:https://apereo.github.io/cas/5.0.x/index.html
目前稳定版本是5.2.*
CAS包含众多功能推荐server使用一体化版本的overlay,按官网说法按需导入依赖即可
下载 https://github.com/apereo/cas-overlay-template
修改POM,添加依赖
mysql mysql-connector-java ${mysql.driver.version} runtime org.apereo.cas cas-server-webapp ${cas.version} war runtime org.apereo.cas cas-server-support-jdbc ${cas.version} org.apereo.cas cas-server-support-rest ${cas.version} runtime org.apereo.cas cas-server-support-rest-services ${cas.version} runtime org.apereo.cas cas-server-support-ldap ${cas.version} org.apereo.cas cas-server-support-oauth-webflow ${cas.version} org.apereo.cas cas-server-support-jpa-ticket-registry ${cas.version} org.apereo.cas cas-server-support-jpa-service-registry ${cas.version} 5.2.1 1.4.2.RELEASE 1.8 1.8 UTF-8 6.0.6
打包cas.war,放到linux环境,我用的是centos7(安装jdk什么的不赘述了)
添加application.properties, 根据pom可知我需要db和ldap验证, ticket和service使用db保存
## # CAS Server Context Configuration # server.context-path=/cas server.port=8443 #####################https configuration############################ server.ssl.enabled=true server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 server.max-http-header-size=2097152 server.max-http-post-size=2097152 server.use-forward-headers=true ###very important##### cas.serviceRegistry.config.location=file:///home/admin/cas/services # server.ssl.ciphers= # server.ssl.client-auth= # server.ssl.enabled= # server.ssl.key-alias= # server.ssl.key-store-provider= # server.ssl.key-store-type= # server.ssl.protocol= # server.ssl.trust-store= # server.ssl.trust-store-password= # server.ssl.trust-store-provider= # server.ssl.trust-store-type= server.tomcat.basedir=build/tomcat server.tomcat.accesslog.enabled=true server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms) server.tomcat.accesslog.suffix=.log server.tomcat.max-threads=5 server.tomcat.port-header=X-Forwarded-Port server.tomcat.protocol-header=X-Forwarded-Proto server.tomcat.protocol-header-https-value=https server.tomcat.remote-ip-header=X-FORWARDED-FOR server.tomcat.uri-encoding=UTF-8 server.error.include-stacktrace=ALWAYS spring.http.encoding.charset=UTF-8 spring.http.encoding.enabled=true spring.http.encoding.force=true ## # CAS Cloud Bus Configuration # spring.cloud.bus.enabled=false # spring.cloud.bus.refresh.enabled=true # spring.cloud.bus.env.enabled=true # spring.cloud.bus.destination=CasCloudBus # spring.cloud.bus.ack.enabled=true endpoints.enabled=true endpoints.sensitive=true management.context-path=/status endpoints.restart.enabled=false endpoints.shutdown.enabled=false ## # CAS Web Application Session Configuration # server.session.timeout=300 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Thymeleaf View Configuration # spring.thymeleaf.encoding=UTF-8 spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # CAS Log4j Configuration # logging.config=file:///home/admin/cas/log4j2.xml server.context-parameters.isLog4jAutoInitializationDisabled=true ## # CAS AspectJ Configuration # spring.aop.auto=true spring.aop.proxy-target-class=true ## # CAS Authentication Credentials # #cas.authn.accept.users=casuser::123456 #############jdbc authentication################## cas.authn.jdbc.query[0].sql=SELECT password FROM sys_user WHERE login_name=? cas.authn.jdbc.query[0].healthQuery=SELECT 1 cas.authn.jdbc.query[0].isolateInternalQueries=false cas.authn.jdbc.query[0].url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.jdbc.query[0].failFast=true cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect cas.authn.jdbc.query[0].leakThreshold=10 cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED cas.authn.jdbc.query[0].batchSize=1 cas.authn.jdbc.query[0].user=root cas.authn.jdbc.query[0].ddlAuto=update cas.authn.jdbc.query[0].maxAgeDays=180 cas.authn.jdbc.query[0].password=123456 cas.authn.jdbc.query[0].autocommit=false cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver cas.authn.jdbc.query[0].idleTimeout=5000 cas.authn.jdbc.query[0].credentialCriteria= cas.authn.jdbc.query[0].pool.minSize=10 cas.authn.jdbc.query[0].pool.maxSize=100 cas.authn.jdbc.query[0].passwordEncoder.type=NONE ##################jdbc attribute########################### cas.authn.attributeRepository.jdbc.singleRow=false cas.authn.attributeRepository.jdbc.requireAllAttributes=true cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE cas.authn.attributeRepository.jdbc.queryType=OR cas.authn.attributeRepository.jdbc.sql=SELECT * FROM user_info WHERE uid = ? cas.authn.attributeRepository.jdbc.username=root cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1 cas.authn.attributeRepository.jdbc.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.MySQL5Dialect cas.authn.attributeRepository.jdbc.driverClass=com.mysql.cj.jdbc.Driver cas.authn.attributeRepository.jdbc.user=root cas.authn.attributeRepository.jdbc.password=123456 cas.authn.attributeRepository.jdbc.ddlAuto=validate cas.authn.attributeRepository.expireInMinutes=30 cas.authn.attributeRepository.maximumCacheSize=10000 cas.authn.attributeRepository.merger=REPLACE cas.authn.attributeRepository.jdbc.columnMappings.key=key cas.authn.attributeRepository.jdbc.columnMappings.value=value cas.authn.attributeRepository.attributes.cname=cname cas.authn.attributeRepository.attributes.mail=mail cas.authn.attributeRepository.defaultAttributesToRelease=cname,mail ###################ldap authentication###################### cas.authn.ldap[0].type=AUTHENTICATED cas.authn.ldap[0].ldapUrl=配置ldapurl cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].connectTimeout=5000 cas.authn.ldap[0].baseDn=配置dn cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user})(mobile={user})) cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false cas.authn.ldap[0].bindDn=配置Manager dn cas.authn.ldap[0].bindCredential=manager密码
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=userPassword
cas.authn.ldap[0].principalAttributeList=uid,sn,cn,o,mail,mobile
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMultiplePrincipalAttributeValue=true
##
#此处是个坑,开始我以为这里是配置密码加密方式,于是和LDAP里面配置一样的MD5或者SHA,结果一直认证不成功,后来才发现,原来这里是在密码验证之前
#对密码再做一次encode,如果配置为NONE,则什么都不做,直接使用默认的SHA加密方式(AbstractCompareAuthenticationHandler里面配置)加密密码后与LDAP里面的密码比对,如果配置为DEFAULT则先用配置的#algorithm encode明文一次,再使用默认的SHA加密方式加密后与LDAP里面的密码比对
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].dnFormat=配置format
cas.authn.ldap[0].additionalAttributes=
cas.authn.ldap[0].principalAttributeList=displayName,givenName,mail,sn,cn,commonName,department,title,description,telephoneNumber,physicalDeliveryOfficeName,memberOf
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
#############ticket registry##################
cas.ticket.registry.jpa.jpaLockingTimeout=3600
cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=false
cas.ticket.registry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8
cas.ticket.registry.jpa.failFast=true
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
# cas.ticket.registry.jpa.leakThreshold=10
cas.ticket.registry.jpa.jpaLockingTgtEnabled=false
cas.ticket.registry.jpa.batchSize=1
# cas.ticket.registry.jpa.defaultCatalog=
cas.ticket.registry.jpa.defaultSchema=cas-local
cas.ticket.registry.jpa.user=root
cas.ticket.registry.jpa.ddlAuto=validate
cas.ticket.registry.jpa.password=123456
cas.ticket.registry.jpa.autocommit=true
cas.ticket.registry.jpa.driverClass=com.mysql.cj.jdbc.Driver
######service registry##################
cas.serviceRegistry.jpa.healthQuery=SELECT 1
cas.serviceRegistry.jpa.isolateInternalQueries=false
cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8
cas.serviceRegistry.jpa.failFast=true
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
# cas.serviceRegistry.jpa.leakThreshold=10
# cas.serviceRegistry.jpa.batchSize=1
# cas.serviceRegistry.jpa.defaultCatalog=
# cas.serviceRegistry.jpa.defaultSchema=
cas.serviceRegistry.jpa.user=root
cas.serviceRegistry.jpa.ddlAuto=validate
cas.serviceRegistry.jpa.password=123456
cas.serviceRegistry.jpa.autocommit=true
cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
配一个启动的shell
ID=`ps -ef|grep cas.war|grep -v "grep"|awk '{print $2}'` echo cas PROCESS ID $ID kill -9 $ID rm -rf *.log rm -rf logs/*.log java -jar cas.war
ok cas server 搞定
ticket保存到db需要4张表,ddlauto为create时会自动创建,不过建议是validate
CREATE TABLE `locks` ( `application_id` varchar(255) NOT NULL, `expiration_date` datetime DEFAULT NULL, `unique_id` varchar(255) DEFAULT NULL, `lockVer` int(11) NOT NULL DEFAULT '0', PRIMARY KEY (`application_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `oauth_tokens` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `SERVICE` longblob NOT NULL, PRIMARY KEY (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `serviceticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `FROM_NEW_LOGIN` bit(1) NOT NULL, `TICKET_ALREADY_GRANTED` bit(1) NOT NULL, `SERVICE` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FK60oigifivx01ts3n8vboyqs38` (`ticketGrantingTicket_ID`), CONSTRAINT `FK60oigifivx01ts3n8vboyqs38` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `ticketgrantingticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `EXPIRED` bit(1) NOT NULL, `PROXIED_BY` longblob, `SERVICES_GRANTED_ACCESS_TO` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FKiqyu3qw2fxf5qaqin02mox8r4` (`ticketGrantingTicket_ID`), CONSTRAINT `FKiqyu3qw2fxf5qaqin02mox8r4` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8
因为service 注册官网推荐使用Management Webapp来配置,所以还要配个这个
下载 https://github.com/Apereo/cas-services-management-overlay
修改pom添加依赖
org.apereo.cas cas-management-webapp ${cas.version} war runtime org.apereo.cas cas-server-support-jdbc ${cas.version} org.apereo.cas cas-server-support-jpa-service-registry ${cas.version} mysql mysql-connector-java ${mysql.driver.version} runtime 5.0.5 1.8 1.8 UTF-8 6.0.6
注意其中mysql版本默认6.0.3有问题,升级成6.0.6
打包放到linux,添加application.properties
## # CAS Thymeleaf Views # spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # Embedded CAS Tomcat Container # server.context-path=/casmgr server.port=443 server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 ## # Log4J Configuration # server.context-parameters.isLog4jAutoInitializationDisabled=true logging.config=file:///home/admin/casmgr/log4j2.xml ## # CAS # cas.server.name=https://n2:8443 cas.server.prefix=${cas.server.name}/cas cas.mgmt.adminRoles=ROLE_ADMIN cas.mgmt.userPropertiesFile=file:///home/admin/casmgr/user-details.properties cas.mgmt.serverName=https://n2 ## # CAS Authentication Attributes # cas.authn.attributeRepository.attributes.uid=uid cas.authn.attributeRepository.attributes.displayName=displayName cas.authn.attributeRepository.attributes.cn=commonName cas.authn.attributeRepository.attributes.affiliation=groupMembership cas.authn.attributeRepository.attributes.lastName=lastName cas.authn.attributeRepository.attributes.firstName=firstName cas.authn.attributeRepository.attributes.givenName=givenName ## # CAS Web Application Config # server.session.timeout=1800 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Cloud Bus Configuration # Please leave spring.cloud.bus.enabled set to false # spring.cloud.bus.enabled=false cas.serviceRegistry.jpa.healthQuery=SELECT 1 cas.serviceRegistry.jpa.isolateInternalQueries=false cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.serviceRegistry.jpa.failFast=true cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect cas.serviceRegistry.jpa.user=root cas.serviceRegistry.jpa.ddlAuto=validate cas.serviceRegistry.jpa.password=123456 cas.serviceRegistry.jpa.autocommit=false cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
注意cas.serviceRegistry.jpa.ddlAuto如果值为create server和management都会创建4张表,但是其中regexregisteredservice表 Management会多创建几个字段,所以使用Management创建的表即可
表sql:
CREATE TABLE `hibernate_sequence` ( `next_val` bigint(20) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredservice` ( `expression_type` varchar(15) NOT NULL DEFAULT 'ant', `id` bigint(20) NOT NULL, `access_strategy` longblob, `attribute_release` longblob, `description` varchar(255) NOT NULL, `evaluation_order` int(11) NOT NULL, `logo` varchar(255) DEFAULT NULL, `logout_type` int(11) DEFAULT NULL, `logout_url` varchar(255) DEFAULT NULL, `mfa_policy` longblob, `name` varchar(255) NOT NULL, `proxy_policy` longblob, `public_key` longblob, `required_handlers` longblob, `serviceId` varchar(255) NOT NULL, `theme` varchar(255) DEFAULT NULL, `username_attr` longblob, `bypassApprovalPrompt` bit(1) DEFAULT NULL, `clientId` varchar(255) DEFAULT NULL, `clientSecret` varchar(255) DEFAULT NULL, `generateRefreshToken` bit(1) DEFAULT NULL, `jsonFormat` bit(1) DEFAULT NULL, `jwks` varchar(255) DEFAULT NULL, `signIdToken` bit(1) DEFAULT NULL, `encryptAssertions` bit(1) DEFAULT NULL, `metadataCriteriaDirection` varchar(255) DEFAULT NULL, `metadataCriteriaPattern` varchar(255) DEFAULT NULL, `metadataCriteriaRemoveEmptyEntitiesDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRemoveRolelessEntityDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRoles` varchar(255) DEFAULT NULL, `metadataLocation` varchar(255) DEFAULT NULL, `metadataMaxValidity` bigint(20) DEFAULT NULL, `metadataSignatureLocation` varchar(255) DEFAULT NULL, `requiredAuthenticationContextClass` varchar(255) DEFAULT NULL, `requiredNameIdFormat` varchar(255) DEFAULT NULL, `signAssertions` bit(1) DEFAULT NULL, `signResponses` bit(1) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredserviceproperty` ( `id` bigint(20) NOT NULL, `property_values` longblob, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `registeredserviceimpl_props` ( `AbstractRegisteredService_id` bigint(20) NOT NULL, `properties_id` bigint(20) NOT NULL, `properties_KEY` varchar(255) NOT NULL, PRIMARY KEY (`AbstractRegisteredService_id`,`properties_KEY`), UNIQUE KEY `UK_i2mjaqjwxpvurc6aefjkx5x97` (`properties_id`), CONSTRAINT `FK1xan7uamsa94y2451jgksjkj4` FOREIGN KEY (`properties_id`) REFERENCES `regexregisteredserviceproperty` (`id`), CONSTRAINT `FK5ghaknoplphay7reury7n3vcm` FOREIGN KEY (`AbstractRegisteredService_id`) REFERENCES `regexregisteredservice` (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
添加登录用户配置user-details.properties, 使用默认casuser或者dba登录可以成功获得权限,但是ldap还不行原因不明
casuser=notused,ROLE_ADMIN
testAD=notused,ROLE_ADMIN
启动Management后会自动跳到server的登录页面,登录后可以添加service。
如果配置都正确server的console会定时刷新service的配置
[localhost-startStop-1] INFO org.apereo.cas.services.DefaultServicesManagerImpl - Loaded 4 services from JpaServiceRegistryDaoImpl.