References:
CAS LDAP integration: https://wiki.jasig.org/display/CASUM/LDAP
CAS RESTful API integration: https://wiki.jasig.org/display/CASUM/RESTful+API
Downloading the jar packages
In the references above we can see that integrating either LDAP or the RESTful API requires downloading additional jar packages separately. With Maven these could be pulled in directly through the build configuration, but we have not set that up here, so they must be downloaded by hand. Searching Google for cas-server-support-ldap turns up the download page for the relevant jar; our cas.version is 3.5.2, so download the jar file matching that version number. On the cas-server-support-ldap jar page we can see that this jar itself depends on other jars, which must be downloaded as well.
Before downloading a jar, first check whether /usr/local/tomcat7/webapps/cas/WEB-INF/lib already contains it, and only download it if it does not. Once downloaded, place the jar in the /usr/local/tomcat7/webapps/cas/WEB-INF/lib directory.
Integrating CAS with LDAP
CAS offers two handlers for LDAP integration, FastBindLdapAuthenticationHandler and BindLdapAuthenticationHandler. The former applies when the login name CAS authenticates is directly the uid in LDAP, which is a rather narrow case; here I configured BindLdapAuthenticationHandler.
Configuring deployerConfigContext.xml
All changes for integrating CAS with LDAP go in the configuration file cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml.
First, add the following bean to this configuration file:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
    <property name="pooled" value="false"/>

    <!--
        Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
        since the implementation attempts hosts in sequence and requires a connection timeout
        prior to attempting the next host, which incurs unacceptable latency on node failure.
        A proper HA setup for LDAP directories should use a single virtual host that maps to
        multiple real hosts using a hardware load balancer.
    -->
    <property name="url" value="ldap://localhost" />

    <!--
        Manager credentials are only required if your directory does not support anonymous searches.
        Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
        credentials are used for the bind operation.
    -->
    <property name="userDn" value="cn=admin,dc=envisioncn,dc=com"/>
    <property name="password" value="12345678"/>

    <!-- Place JNDI environment properties here. -->
    <property name="baseEnvironmentProperties">
        <map>
            <!-- Three seconds is an eternity to users. -->
            <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
            <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
            <!-- Explained at http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html -->
            <entry key="java.naming.security.authentication" value="simple" />
        </map>
    </property>
</bean>
The configuration document has a section titled "SSL Considerations". It says that if SSL has not been configured for the LDAP server, we cannot use ldaps and can only use the plain ldap protocol, i.e. <property name="url" value="ldap://localhost" /> as above rather than <property name="url" value="ldaps://localhost" />. To verify whether SSL is configured, check whether port 636 is open. netstat shows that LDAP is listening only on port 389, so configure it as I did above. For enabling SSL on LDAP, see the "TLS" section of https://help.ubuntu.com/12.04/serverguide/openldap-server.html.
enadmin@cgnmon:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 10.0.2.15:123           0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 ::1:123                 :::*
udp6       0      0 fe80::a00:27ff:fe22:123 :::*
udp6       0      0 :::123                  :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6704     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     8508     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     8259     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     9035     /var/run/slapd/ldapi
unix  2      [ ACC ]     STREAM     LISTENING     8553     /var/run/apache2/cgisock.978
unix  2      [ ACC ]     STREAM     LISTENING     8669     /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     SEQPACKET  LISTENING     6889     /run/udev/control
After adding the bean above, we also need to modify the authenticationManager bean, replacing the original SimpleTestUsernamePasswordAuthenticationHandler with our BindLdapAuthenticationHandler. The configuration is as follows:
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
        <list>
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
                <property name="attributeRepository" ref="attributeRepository" />
            </bean>
            <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
        </list>
    </property>
    <property name="authenticationHandlers">
        <list>
            <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" />
            <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
                  p:filter="uid=%u"
                  p:searchBase="ou=People,dc=envisioncn,dc=com"
                  p:contextSource-ref="contextSource" />
        </list>
    </property>
    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator" />
        </list>
    </property>
</bean>
At this point the integration of CAS with LDAP is essentially complete. The following areas can still be improved; I will configure them later when there is time.
- Configure a connection pool for LDAP
- Configure SSL verification for LDAP
Integrating CAS with the RESTful API
Downloading the related jar packages
As with LDAP, a jar package is required; search Google for cas-server-integration-restlet to find the download page.
Configuration
All configuration for the RESTful API goes in the file /usr/local/tomcat7/webapps/cas/WEB-INF/web.xml.
Modify web.xml to add the servlet and servlet-mapping entries shown below:
<servlet>
    <servlet-name>cas</servlet-name>
    <servlet-class>org.jasig.cas.web.init.SafeDispatcherServlet</servlet-class>
    <init-param>
        <param-name>publishContext</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>restlet</servlet-name>
    <servlet-class>com.noelios.restlet.ext.spring.RestletFrameworkServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>restlet</servlet-name>
    <url-pattern>/v1/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/login</url-pattern>
</servlet-mapping>
Testing:
Create a file testcas.sh in any directory on Ubuntu and make it executable; the commands are as follows:
#sudo touch testcas.sh
#sudo chmod 777 testcas.sh
The contents of the file are as follows.
#!/bin/bash
# Remove the result files from any previous run (-f so a missing file is not an error).
# tgt.txt stores the Ticket Granting Ticket (TGT)
rm -f tgt.txt
# serviceTicket.txt stores the Service Ticket (ST)
rm -f serviceTicket.txt
# response.txt stores the service call response
rm -f response.txt

export CAS_LOGIN_URL=https://localhost:8443/cas/v1/tickets
export GET_URL=https://localhost:8443/cas
export USERNAME=username
export PASSWORD=password

# Request a new Ticket Granting Ticket (TGT). This returns HTML which is put into tgt.txt.
wget --no-check-certificate -O tgt.txt --post-data="username=$USERNAME&password=$PASSWORD" $CAS_LOGIN_URL

# Extract the TGT from the HTML form action and put it back into tgt.txt
echo TGT`grep -oEi 'action=\".*\"' tgt.txt | grep -oEi '\-.*\-cas'` > tgt.txt

# Display the TGT
cat tgt.txt

# Request a new Service Ticket for GET_URL and store it in serviceTicket.txt
wget --no-check-certificate --post-data="service=$GET_URL" -O serviceTicket.txt $CAS_LOGIN_URL/`cat tgt.txt`

# Fetch the service at GET_URL with the ST and store the result in response.txt
wget --no-check-certificate -O response.txt $GET_URL?ticket=`cat serviceTicket.txt`

# Display the data from the service call
cat response.txt
Run testcas.sh and check whether a TGT is generated normally.
The output is as follows:
enadmin@cgnmon:~/test$ ./testcas.sh
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 201 Created // this means the TGT was generated successfully.
Length: 443 [text/html]
Saving to: `tgt.txt'
100%[=============================================================================================================================>] 443 --.-K/s in 0s
2013-12-11 22:51:38 (218 MB/s) - `tgt.txt' saved [443/443]
TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas//tgt
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets/TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 404 Not Found
2013-12-11 22:51:38 ERROR 404: Not Found.
--2013-12-11 22:51:38-- https://localhost:8443/cas?ticket=
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/?ticket= [following]
--2013-12-11 22:51:38-- https://localhost:8443/cas/?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/login?ticket= [following]
--2013-12-11 22:51:39-- https://localhost:8443/cas/login?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 200 OK
Length: 6161 (6.0K) [text/html]
Saving to: `response.txt'
100%[=============================================================================================================================>] 6,161 --.-K/s in 0s
2013-12-11 22:51:41 (320 MB/s) - `response.txt' saved [6161/6161]
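The same TGT, ST and serviceValidate exchange that testcas.sh performs, written as an added Python example (not the page's script and not CAS project code): it takes the TGT from the 201 reply, verifies the server certificate against a CA file instead of skipping the check, and parses the /serviceValidate XML. CAS_BASE is the page's server; CA_FILE and the sample responses are constructed placeholders.

```python
"""CAS 3.5 REST ticket flow with TLS verification and validation parsing."""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_BASE = "https://localhost:8443/cas"         # same server as on the page
CA_FILE = "/path/to/cas-ca.pem"                 # placeholder: CA that issued the CAS cert
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of the CAS 2.0 validation XML
TGT_RE = re.compile(r'TGT-[^\s"/<>]+')          # TGT-<seq>-<random>-<suffix>

# Constructed sample replies (not captured from a real server).
SAMPLE_201_BODY = ('<html><body><form action="https://localhost:8443/cas/v1/tickets/'
                   'TGT-1-SAMPLEonly-cas" method="POST">...</form></body></html>')
SAMPLE_SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                      "<cas:authenticationSuccess><cas:user>alice</cas:user>"
                      "</cas:authenticationSuccess></cas:serviceResponse>")
SAMPLE_FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                      "<cas:authenticationFailure code='INVALID_TICKET'>"
                      "Ticket not recognized</cas:authenticationFailure></cas:serviceResponse>")

def extract_tgt(location, body):
    """Prefer the Location header of the 201 reply; fall back to the HTML form action
    (the same string testcas.sh pulls out of tgt.txt with grep)."""
    for text in (location or "", body or ""):
        m = TGT_RE.search(text)
        if m:
            return m.group(0)
    return None

def validated_user(xml_text):
    """Return the user from a /serviceValidate reply, or None when validation failed."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None

def rest_login(username, password, service, cafile=CA_FILE):
    """TGT -> ST -> serviceValidate, as in testcas.sh but with certificate checking on."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with opener.open(f"{CAS_BASE}/v1/tickets", data=form) as r:       # expect 201 Created
        tgt = extract_tgt(r.headers.get("Location"), r.read().decode())
    form = urllib.parse.urlencode({"service": service}).encode()
    with opener.open(f"{CAS_BASE}/v1/tickets/{tgt}", data=form) as r:  # body is the ST
        st = r.read().decode().strip()
    query = urllib.parse.urlencode({"service": service, "ticket": st})
    with opener.open(f"{CAS_BASE}/serviceValidate?{query}") as r:
        return tgt, st, validated_user(r.read().decode())
```

Call rest_login("username", "password", "https://localhost:8443/cas") against a running server; a 404 on the second request, as seen in the run above, means the TGT path was not accepted by the /v1/tickets servlet.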