Jasig CAS Java client: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

1. Configuring the CAS Client

Let's take a look at how to configure the JA-SIG CAS Client for Java 3.1:

1.1 Configuring the Jasig CAS Client for Java in the web.xml

The CAS Client for Java 3.1/3.2 can be configured via web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required and optional set of properties. The filters are designed to look for these properties in the following way:

1. Check the filter's local init-params for a parameter matching the required property name.
2. Check the context's parameters for a parameter matching the required property name.

If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties such as the renew property.

Note: The correct order of the filters in web.xml is necessary:

1. AuthenticationFilter
2. TicketValidationFilter (whichever one is chosen)
3. HttpServletRequestWrapperFilter
4. AssertionThreadLocalFilter

Note: If you're using the serverName property (see below), you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

Available filters are as follows:

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>

Required Properties
• casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login
• service or serverName:
  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties
• renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
• gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
• artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. ticket).
• serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. service).

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>

Required Properties
• casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login
• service or serverName:
  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties
• renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
• gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
• artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. SAMLart).
• serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. TARGET).

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
      </init-param>
    </filter>

Required Properties
• casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
• serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties
• redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
• useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
• exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
• renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false".

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>

Required Properties
• casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
• serverName or service:
  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).
  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html

Optional Properties
• redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
• useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
• exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
• tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.
• renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false". NOTE: Available as of version 3.1.6.

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Proxy Authentication: If you are using proxy validation, you should map the validation filter before the authentication filter.

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>

Required Properties
• casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.
• serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.

Optional Properties
• redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.
• useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.
• exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.
• proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, if your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor.
• renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false".
• acceptAnyProxy (default: false) - specifies whether any proxy is OK.
• allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.
• proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.
• proxyGrantingTicketStorageClass (@since 3.1.9; default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.

Replicating PGT using proxyGrantingTicketStorageClass and Distributed Caching

The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:

    <init-param>
      <param-name>proxyGrantingTicketStorageClass</param-name>
      <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
    </init-param>

The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless which node is selected as the result of the load balancer rerouting.

Note: A similar implementation based on Memcached is also available.

Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through one of its suggested ways. A sample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.

    <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

Required Properties
None

Optional Properties
None

org.jasig.cas.client.util.AssertionThreadLocalFilter

Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter fronts needs to get the Principal name, but it has no access to the HttpServletRequest, hence making the getRemoteUser call impossible.

    <filter>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>

1.2 Configuring the JA-SIG CAS Client for Java using Spring

Configuration of the CAS Client for Java via Spring IoC will depend heavily on their DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml. As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml.

Note: A sample authentication configuration is attached to this page.

Bean definition examples:

    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>authenticationFilter</param-value>
      </init-param>
    </filter>

    <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

AuthenticationFilter

    <bean name="authenticationFilter" class="org.jasig.cas.client.authentication.AuthenticationFilter"
          p:casServerLoginUrl="https://localhost:8443/cas/login"
          p:renew="false"
          p:gateway="false"
          p:service="https://my.local.service.com/cas-client" />

Cas10TicketValidationFilter

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas10TicketValidationFilter"
          p:service="https://my.local.service.com/cas-client">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas10TicketValidator">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
      </property>
    </bean>

Saml11TicketValidationFilter

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Saml11TicketValidationFilter"
          p:service="https://my.local.service.com/cas-client">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
      </property>
    </bean>

Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release, the artifactParameterName must be set to ticket for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.

Cas20ProxyReceivingTicketValidationFilter

Configuration to just validate service tickets:

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
          p:service="https://my.local.service.com/cas-client">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
      </property>
    </bean>

Configuration to accept a Proxy Granting Ticket:

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
          p:service="https://my.local.service.com/cas-client"
          p:proxyReceptorUrl="/proxy/receptor">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
              p:proxyCallbackUrl="/proxy/receptor">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
      </property>
    </bean>

Configuration to accept any Proxy Ticket and Proxy Granting Tickets:

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
          p:service="https://my.local.service.com/cas-client"
          p:proxyReceptorUrl="/proxy/receptor">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
              p:acceptAnyProxy="true"
              p:proxyCallbackUrl="/proxy/receptor">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
        </bean>
      </property>
    </bean>

Configuration to accept Proxy Ticket from a chain and Proxy Granting Tickets:

    <bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
          p:service="https://my.local.service.com/cas-client"
          p:proxyReceptorUrl="/proxy/receptor">
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
              p:proxyCallbackUrl="/proxy/receptor">
          <constructor-arg index="0" value="https://localhost:8443/cas" />
          <property name="allowedProxyChains">
            <list>
              <value>http://proxy1 http://proxy2</value>
            </list>
          </property>
        </bean>
      </property>
    </bean>

1.3 Configuring the JA-SIG CAS Client for Java using JNDI

Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml. All properties that are placed in JNDI should be placed under java:comp/env/cas. We use the following conventions:

1. JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)
2. JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)

Example: this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <Context antiResourceLocking="false" privileged="true">
      <Environment description="" name="cas/serverName" override="false"
                   type="java.lang.String" value="http://localhost:8080" />
      <Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false"
                   type="java.lang.String" value="https://www.ja-sig.org/cas/login" />
      <Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false"
                   type="java.lang.String" value="https://www.ja-sig.org/cas" />
    </Context>

1.4 Configuring Single Sign Out

Note: The SingleSignOutFilter can affect character encoding. This becomes most obvious when used in conjunction with Confluence. It's recommended you explicitly configure either the VT Character Encoding Filter or the Spring Character Encoding Filter with explicit encodings.

The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page. Add the following configuration to your web.xml where appropriate:

With CAS 2.0 Protocol

    <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    ...
    <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
    <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

With SAML 1.1 Protocol

    <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      <init-param>
        <param-name>artifactParameterName</param-name>
        <param-value>SAMLart</param-value>
      </init-param>
    </filter>
    ...
    <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
    <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

2. Order of Required Filters

How to configure the filters is described on the pages above. This section details the order in which the filters should appear:

1. SingleLogOutFilter (if you're using it)
2. AuthenticationFilter
3. TicketValidationFilter (whichever one is chosen)
4. HttpServletRequestWrapperFilter
5. AssertionThreadLocalFilter

Note: Please note that the order of the filters is determined by the filter-mapping, not the filter definitions.

3. Recommend Logout Procedure

The CAS Client for Java has no code to help you handle logout. The client merely places objects in session. Therefore, we recommend you do a session.invalidate() call when you log a user out. However, that's entirely your application's responsibility.

The CAS Client for Java team has recommended guidelines for logout pages for CAS Clients. We recommend that text similar to the following appear when the application's session is ended.

Recommended logout text:

    You have been logged out of [APPLICATION NAME GOES HERE]. To log out of all applications, click here. (provide link to CAS server's logout)

4. Examples

• web.xml for Tomcat 5.5 Tomcat Manager (just authentication)
• JA-SIG Java Client Simple WebApp Sample (authentication, public and protected pages and proxy ticket generation)
• Saml11TicketValidationFilter Example (authentication and attribute display)

5. Git source code access

Point your favorite git client at the link below:

https://github.com/Jasig/java-cas-client
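As an added example (not code from the Jasig wiki or the java-cas-client project), the Python script below models the two lookup rules described on this page, the init-param-over-context-param rule for web.xml and the filter-specific-then-shared rule for JNDI names, and checks that the CAS filters are mapped in the required order (with the proxy-validation exception, where the validation filter is mapped before the authentication filter). The web.xml and the JNDI name table are constructed sample data; host names such as cas.example.test are placeholders, and the JNDI lookup is simulated with a plain dictionary rather than a real naming context.

```python
"""Resolve CAS client properties from a web.xml or a JNDI name table and check the
filter-mapping order. Added example, not part of the Jasig wiki or java-cas-client."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the page). The single-sign-out filter is mapped
# after the authentication filter on purpose so the order check has something to report.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param><param-name>renew</param-name><param-value>false</param-value></context-param>
  <context-param><param-name>serverName</param-name><param-value>https://app.example.test</param-value></context-param>
  <filter><filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class></filter>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name><param-value>https://cas.example.test/cas/login</param-value></init-param>
    <init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name><param-value>https://cas.example.test/cas</param-value></init-param></filter>
  <filter><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class></filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Single Sign Out Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed JNDI name table (a dict standing in for java:comp/env), shaped like the
# Tomcat context.xml example on the page.
SAMPLE_JNDI_ENV = {
    "java:comp/env/cas/serverName": "http://localhost:8080",
    "java:comp/env/cas/AuthenticationFilter/casServerLoginUrl": "https://www.ja-sig.org/cas/login",
    "java:comp/env/cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix": "https://www.ja-sig.org/cas",
}


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}filter' -> 'filter')."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child element called `name`, or None."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_web_xml(text):
    """Collect context-params, filters (class and init-params) and the filter-mapping order."""
    cfg = {"context": {}, "filters": {}, "mapping_order": []}
    for el in ET.fromstring(text):
        kind = _local(el.tag)
        if kind == "context-param":
            cfg["context"][_child_text(el, "param-name")] = _child_text(el, "param-value")
        elif kind == "filter":
            init = {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in el if _local(p.tag) == "init-param"}
            cfg["filters"][_child_text(el, "filter-name")] = {
                "class": _child_text(el, "filter-class"), "init": init}
        elif kind == "filter-mapping":
            cfg["mapping_order"].append(_child_text(el, "filter-name"))
    return cfg


def resolve_property(cfg, filter_name, prop):
    """web.xml rule: the filter's own init-param wins, then the shared context-param."""
    init = cfg["filters"][filter_name]["init"]
    return init[prop] if prop in init else cfg["context"].get(prop)


def resolve_jndi(env, filter_short_name, prop):
    """JNDI rule: cas/{SHORT FILTER NAME}/{PROPERTY NAME} first, then cas/{PROPERTY NAME}."""
    for name in (f"java:comp/env/cas/{filter_short_name}/{prop}", f"java:comp/env/cas/{prop}"):
        if name in env:
            return env[name]
    return None


# Required position of each CAS filter in the chain, matched by class-name suffix.
_STAGES = [(".SingleSignOutFilter", 0), ("AuthenticationFilter", 1),
           ("TicketValidationFilter", 2), (".HttpServletRequestWrapperFilter", 3),
           (".AssertionThreadLocalFilter", 4)]


def _stage(cls, proxy_validation):
    for suffix, pos in _STAGES:
        if cls.endswith(suffix):
            # With proxy validation the validation filter is mapped before authentication.
            return 3 - pos if proxy_validation and pos in (1, 2) else pos
    return None  # not a CAS filter


def check_filter_order(cfg, proxy_validation=False):
    """Return problems with the mapped order of the CAS filters; empty means it is correct.
    Only filter-mapping order counts, so the order of <filter> definitions is ignored."""
    problems, furthest = [], None  # furthest = (name, stage) of the latest-stage filter so far
    for name in cfg["mapping_order"]:
        stage = _stage(cfg["filters"][name]["class"], proxy_validation)
        if stage is None:
            continue
        if furthest is not None and stage < furthest[1]:
            problems.append(f"'{name}' is mapped after '{furthest[0]}' but must come before it")
        elif furthest is None or stage > furthest[1]:
            furthest = (name, stage)
    return problems


if __name__ == "__main__":
    cfg = parse_web_xml(SAMPLE_WEB_XML)
    print("renew, authentication filter:", resolve_property(cfg, "CAS Authentication Filter", "renew"))
    print("renew, validation filter:", resolve_property(cfg, "CAS Validation Filter", "renew"))
    for problem in check_filter_order(cfg):
        print("filter order:", problem)
    print("JNDI serverName:", resolve_jndi(SAMPLE_JNDI_ENV, "AuthenticationFilter", "serverName"))
```

Run against the sample, the authentication filter resolves renew to "true" from its own init-param while the validation filter falls back to the shared context-param "false", and the order check reports only the single-sign-out filter, which must be mapped first. Pointing parse_web_xml at a real WEB-INF/web.xml gives a quick pre-deployment check that the order mandated in section 2 is actually expressed in the filter-mapping elements.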