CAS 4.0.0 with OpenLDAP: authenticating against LDAP and returning user attributes (configuration walkthrough)

Recently my company needed CAS 3.5.2 to support SAML. The version we were running does not, so we upgraded to 4.0.0, but after the upgrade CAS still had to authenticate against LDAP. There are very few articles about 4.0.0 online, and even fewer that cover LDAP, so I spent a long time putting together this complete solution for integrating CAS 4 with LDAP. If you have questions about it, leave a comment at 素文宅 (www.yoodb.com).

First get CAS 4 (the cas-server side). The official source is the 4.0.x branch: https://github.com/apereo/cas/tree/4.0.x

In the pom.xml of the cas-server-webapp module, add the following dependency (it pulls in the LDAP authentication handler and the ldaptive client library):

<dependency> 
     <groupId>org.jasig.cas</groupId> 
     <artifactId>cas-server-support-ldap</artifactId> 
     <version>${cas.version}</version> 
</dependency>

I will not go into how to create the certificate and keystore here, but this step must not be skipped: CAS has to be served over HTTPS, otherwise the ticket-granting cookie and every ticket travel in clear text. Change the 8443 connector in Tomcat's server.xml to the following:

<!-- keystoreFile: where your keystore lives; keystorePass: the keystore password.
     XML comments are not allowed inside a start tag, so they sit above the element. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="d:/keys/yoodb.keystore"
           keystorePass="password" />




Version 4.0.0 needs quite a lot of extra configuration, so we add it step by step. The first thing to change is the authentication entry point: edit deployerConfigContext.xml so that the authentication manager maps the LDAP handler to a principal resolver. The two beans it references, ldapAuthHandler and primaryPrincipalResolver, are defined in the next step.

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <!--
                   | IMPORTANT
                   | Every handler requires a unique name.
                   | If more than one instance of the same handler class is configured, you must explicitly
                   | set its name to something other than its default name (typically the simple class name).
                   -->
                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
                <!-- Added: the LDAP authentication handler, paired with the resolver that loads the user's attributes -->
                <entry key-ref="ldapAuthHandler" value-ref="primaryPrincipalResolver" />
            </map>
        </constructor-arg>
        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password 
             This switch effectively will turn on clearpass. 
        <property name="authenticationMetaDataPopulators"> 
           <util:list> 
              <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator" 
                    c:credentialCache-ref="encryptedMap" /> 
           </util:list> 
        </property> 
        -->

        <!-- 
           | Defines the security policy around authentication. Some alternative policies that ship with CAS: 
           | 
           | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication 
           | * AllAuthenticationPolicy - all presented credential must be authenticated successfully 
           | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass 
           --> 
        <property name="authenticationPolicy"> 
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> 
        </property> 
    </bean>

    <!-- Required for proxy ticket mechanism. --> 
    <bean id="proxyAuthenticationHandler" 
          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" 
          p:httpClient-ref="httpClient" />

    <!-- 
       | TODO: Replace this component with one suitable for your environment. 
       | 
       | This component provides authentication for the kind of credential used in your environment. In most cases 
       | credential is a username/password pair that lives in a system of record like an LDAP directory. 
       | The most common authentication handler beans: 
       | 
       | * org.jasig.cas.authentication.LdapAuthenticationHandler 
       | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler 
       | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler 
       | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler 
       --> 
    <!-- Required for proxy ticket mechanism --> 
    <bean id="proxyPrincipalResolver" 
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

Next, define the LDAP beans themselves (the ldapAuthHandler and primaryPrincipalResolver referenced above) in deployerConfigContext.xml.
Note: the purpose of org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao is to match the Principal against the back-end LDAP directory. Its queryAttributeMapping property maps the Principal's username field to the LDAP uid attribute, so queryAttributeMapping must be configured. The baseDN property is the subtree in which the LDAP query (for example uid=ldapguest) is run, and the attributes are read from the matching entry. The matched attributes become Principal attributes according to the key/value pairs in resultAttributeMapping: we map LDAP's cn and sn attributes to meaningful names, and the description attribute to a role attribute, which is what GrantedAuthorityFromAssertionAttributesUserDetailsService (the Spring Security CAS client class) looks up on the application side. Keep in mind that CAS 4.0 only releases the attributes that a registered service lists in allowedAttributes (or all of them when the service sets ignoreAttributes), so the mapped names also have to appear in the service definition. With this step, the CAS 4 LDAP integration that returns extra user information is complete.
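The post describes the LDAP beans but does not show them, so the following is an added example of one way to define ldapAuthHandler and primaryPrincipalResolver for CAS 4.0.0. It is not code from the original post or from the CAS project: it uses the ldaptive-based LdapAuthenticationHandler shipped in cas-server-support-ldap and the person-directory LdapPersonAttributeDao the note describes. Every ldap.* placeholder, the bean names, the pool sizes and the attribute names firstName/lastName/role are assumptions; adjust them to your directory.

```xml
<!-- 1. Authentication handler (cas-server-support-ldap, built on ldaptive): look up the
        user's DN with a read-only service account, then bind as that DN with the
        submitted password. -->
<bean id="ldapAuthHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="ldapAuthenticator" />
<bean id="ldapAuthenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="ldapDnResolver"
      c:handler-ref="ldapBindHandler" />

<!-- {user} is bound as a filter parameter and escaped by ldaptive, so a login name such as
     *)(uid=*  cannot widen the search; allowMultipleDns=false fails ambiguous matches. -->
<bean id="ldapDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
      p:baseDn="${ldap.baseDn}"
      p:subtreeSearch="true"
      p:allowMultipleDns="false"
      p:userFilter="(uid={user})"
      p:connectionFactory-ref="ldapSearchConnectionFactory" />
<bean id="ldapBindHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="ldapBindConnectionFactory" />

<!-- Shared connection settings: ldaps:// with a pinned CA certificate (assumed ldap.trustedCert). -->
<bean id="ldapConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}" p:connectTimeout="5000" p:useStartTLS="false">
    <property name="sslConfig">
        <bean class="org.ldaptive.ssl.SslConfig">
            <property name="credentialConfig">
                <bean class="org.ldaptive.ssl.X509CredentialConfig" p:trustCertificates="${ldap.trustedCert}" />
            </property>
        </bean>
    </property>
</bean>

<!-- The search pool binds as the service account; the bind pool must not, because each
     of its connections is re-bound as the user being authenticated. -->
<bean id="ldapSearchConnectionConfig" parent="ldapConnectionConfig">
    <property name="connectionInitializer">
        <bean class="org.ldaptive.BindConnectionInitializer" p:bindDn="${ldap.managerDn}">
            <property name="bindCredential">
                <bean class="org.ldaptive.Credential" c:password="${ldap.managerPassword}" />
            </property>
        </bean>
    </property>
</bean>
<bean id="ldapBindConnectionConfig" parent="ldapConnectionConfig" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="2" p:maxPoolSize="10"
      p:validateOnCheckOut="false" p:validatePeriodically="true" p:validatePeriod="300" />
<bean id="ldapConnectionPool" abstract="true" class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize" p:poolConfig-ref="ldapPoolConfig" p:blockWaitTime="3000">
    <property name="validator"><bean class="org.ldaptive.pool.SearchValidator" /></property>
</bean>
<bean id="ldapSearchConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
    <property name="connectionPool">
        <bean parent="ldapConnectionPool">
            <property name="connectionFactory">
                <bean class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="ldapSearchConnectionConfig" />
            </property>
        </bean>
    </property>
</bean>
<bean id="ldapBindConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
    <property name="connectionPool">
        <bean parent="ldapConnectionPool">
            <property name="connectionFactory">
                <bean class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="ldapBindConnectionConfig" />
            </property>
        </bean>
    </property>
</bean>

<!-- 2. Principal resolver: after a successful bind, read the user's entry again and turn
        LDAP attributes into principal attributes (released later per service). -->
<bean id="primaryPrincipalResolver"
      class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
      p:attributeRepository-ref="ldapAttributeRepository" />
<bean id="ldapAttributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
      p:contextSource-ref="ldapContextSource"
      p:baseDN="${ldap.baseDn}">
    <!-- the principal id arrives under the seed key "username"; match it on uid -->
    <property name="queryAttributeMapping">
        <map><entry key="username" value="uid" /></map>
    </property>
    <!-- LDAP attribute -> principal attribute name -->
    <property name="resultAttributeMapping">
        <map>
            <entry key="cn" value="firstName" />
            <entry key="sn" value="lastName" />
            <entry key="description" value="role" />
        </map>
    </property>
</bean>
<!-- Spring LDAP context for the attribute lookup; it goes through JNDI, so the LDAP CA
     must also be in the JVM truststore. -->
<bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource"
      p:url="${ldap.url}" p:userDn="${ldap.managerDn}" p:password="${ldap.managerPassword}"
      p:pooled="false" />
```

The placeholders are resolved from cas.properties like the database.* keys later in this post; assumed example values are ldap.url=ldaps://ldap.example.org:636, ldap.baseDn=ou=people,dc=example,dc=org, ldap.managerDn=cn=cas-reader,ou=services,dc=example,dc=org, ldap.managerPassword (the account's password) and ldap.trustedCert=file:/etc/cas/ldap-ca.pem. Give the service account read-only access to the people subtree and nothing else, since its credentials sit in a plaintext file on the CAS host. LdapPersonAttributeDao is backed by Spring LDAP, so if spring-ldap-core is not already on the webapp classpath it has to be added to the pom as well.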

CAS 4.0.0 can store service definitions (the service registry) in any of the following ways:

1) InMemoryServiceRegistryDaoImpl

2) JsonServiceRegistryDao

3) JpaServiceRegistryDaoImpl: if OAuth is enabled, every third-party client counts as a service, so a database is the most manageable place to keep them

4) MongoServiceRegistryDao
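Option 1 is what CAS 4.0.0 ships with. The following added example (not from the original post) shows what an explicit registration looks like in that in-memory registry, because the attributes resolved from LDAP only reach an application if its service entry lists them; the host name app.example.org, the id, and the attribute names firstName/lastName/role are assumptions. The same fields are what you fill in through the services management webapp when the registry lives in a database.

```xml
<!-- Replaces the stock catch-all entry (serviceId ^(https?|imaps?)://.*), which would let
     any HTTPS site obtain tickets and, with ignoreAttributes, every attribute. -->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
      p:registeredServices-ref="registeredServicesList" />

<util:list id="registeredServicesList">
    <!-- The regex is anchored and the dots are escaped, so https://app.example.org.evil.com/
         does not match; only this application can obtain and validate tickets. -->
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="1"
          p:name="Example application"
          p:description="LDAP-backed application that needs name and role attributes"
          p:serviceId="^https://app\.example\.org/.*"
          p:evaluationOrder="10"
          p:allowedToProxy="false"
          p:ssoEnabled="true"
          p:enabled="true">
        <!-- These are the CAS principal attribute names, i.e. the values side of
             resultAttributeMapping, not the raw LDAP attribute names (cn, sn, description). -->
        <property name="allowedAttributes">
            <list>
                <value>firstName</value>
                <value>lastName</value>
                <value>role</value>
            </list>
        </property>
    </bean>
</util:list>
```

Keep allowedToProxy at false unless the application really has to obtain proxy tickets on the user's behalf, and register each application with its own entry rather than widening the pattern.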

CAS 4.0.0 uses InMemoryServiceRegistryDaoImpl by default; this step moves the service definitions into a database. If all you need is CAS 4.0.0 with LDAP and extra user attributes, you can stop after the steps above and skip this one. Be aware that the in-memory default ships with a catch-all entry (serviceId ^(https?|imaps?)://.*) whereas a freshly created JPA registry is empty, so every application is rejected until you register it through the services management webapp. To store services in a database, change deployerConfigContext.xml as follows:

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl" />

    <!-- JpaServiceRegistryDaoImpl is annotated with @Transactional, so transaction management has to be
         switched on, otherwise saving a service fails with TransactionRequiredException. This needs
         xmlns:tx="http://www.springframework.org/schema/tx" (plus its schemaLocation) on the root element. -->
    <tx:annotation-driven transaction-manager="transactionManager" />

    <bean id="factoryBean" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
          p:dataSource-ref="dataSource"
          p:jpaVendorAdapter-ref="jpaVendorAdapter"
          p:packagesToScan-ref="packagesToScan">
        <property name="jpaProperties">
            <props>
                <prop key="hibernate.dialect">${database.dialect}</prop>
                <!-- "update" lets Hibernate create the tables on first start; switch to "validate"
                     once the schema exists so a misconfigured node cannot alter it -->
                <prop key="hibernate.hbm2ddl.auto">update</prop>
                <prop key="hibernate.jdbc.batch_size">${database.batchSize}</prop>
            </props>
        </property>
    </bean>

    <bean id="dataSource" class="org.springframework.jdbc.datasource.SimpleDriverDataSource"
          p:driverClass="${database.driverClass}"
          p:username="${database.user}"
          p:password="${database.password}"
          p:url="${database.url}" />

    <util:list id="packagesToScan">
        <value>org.jasig.cas.services</value>
        <value>org.jasig.cas.ticket</value>
    </util:list>

    <!-- showSql="true" writes every SQL statement to the log; set it to false in production -->
    <bean id="jpaVendorAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
          p:generateDdl="true"
          p:showSql="true" />

    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
          p:entityManagerFactory-ref="factoryBean" />

    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />

    <util:list id="monitorsList">
      <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
      <!--
        NOTE
        The following ticket registries support SessionMonitor:
          * DefaultTicketRegistry
          * JpaTicketRegistry
        Remove this monitor if you use an unsupported registry.
      -->
      <bean class="org.jasig.cas.monitor.SessionMonitor"
          p:ticketRegistry-ref="ticketRegistry"
          p:serviceTicketCountWarnThreshold="5000"
          p:sessionCountWarnThreshold="100000" />
    </util:list>

    <bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"/>

</beans>

In the cas.properties file of the cas-server-webapp module, add the database connection settings (one of the two sets below; the user names, passwords and URLs are placeholders). The credentials are stored in plain text, so restrict read access to this file to the account Tomcat runs as, and make sure the matching JDBC driver (ojdbc for Oracle, mysql-connector-java for MySQL) is on the webapp's classpath.

# Oracle connection settings
database.driverClass=oracle.jdbc.driver.OracleDriver
database.user=admin
database.password=123456
database.url=jdbc:oracle:thin:@127.0.0.1:1521:orcl
database.dialect=org.hibernate.dialect.Oracle9Dialect
# referenced by hibernate.jdbc.batch_size in deployerConfigContext.xml; omitting it breaks placeholder resolution
database.batchSize=10

# MySQL connection settings
database.driverClass=com.mysql.jdbc.Driver
database.dialect=org.hibernate.dialect.MySQLDialect
database.url=jdbc:mysql://127.0.0.1:3306/db_test?useUnicode=true&characterEncoding=utf8
database.user=root
database.password=123456
database.batchSize=10

Reposted from: http://blog.yoodb.com/yoodb/article/detail/1275
