最近公司要求CAS3.5.2支持saml而目前使用的版本不支持saml,因此升級成4.0.0版本,但是升級cas到cas4.0.0版本後也需要支持ldap,網上關於4.0.0版本的文章很少而支持ldap的少之又少,本人花了很長的時間整理了關於cas4集成ldap的完美解決方案的文章,如果對該文章有什麼問題,歡迎在素文宅www.yoodb.com留言詢問。
首先下載cas4版本,cas-server服務端,其官方下載地址:https://github.com/apereo/cas/tree/4.0.x
在cas-server-webapp工程中的pom.xml文件中,添加以下依賴關係:
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
關於ssl的方面略過(此不可以跳過),修改tomcat裏面的8443端口內容,修改成如下:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:/keys/yoodb.keystore" <!--你的證書所放的位置-->
keystorePass="password" /> <!--認證證書的密碼-->
4.0.0的版本需要增加許多配置,逐步增加配置首先需要的是修改認證入口,編輯deployerConfigContext.xml文件,具體配置如下:
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
<constructor-arg>
<map>
<!--
| IMPORTANT
| Every handler requires a unique name.
| If more than one instance of the same handler class is configured, you must explicitly
| set its name to something other than its default name (typically the simple class name).
-->
<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
<entry key-ref="ldapAuthHandler" value-ref="primaryPrincipalResolver" /> <!--新增ldap認證的入口 -->
</map>
</constructor-arg>
<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
This switch effectively will turn on clearpass.
<property name="authenticationMetaDataPopulators">
<util:list>
<bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
c:credentialCache-ref="encryptedMap" />
</util:list>
</property>
-->
<!--
| Defines the security policy around authentication. Some alternative policies that ship with CAS:
|
| * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
| * AllAuthenticationPolicy - all presented credential must be authenticated successfully
| * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
-->
<property name="authenticationPolicy">
<bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
</property>
</bean>
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!--
| TODO: Replace this component with one suitable for your enviroment.
|
| This component provides authentication for the kind of credential used in your environment. In most cases
| credential is a username/password pair that lives in a system of record like an LDAP directory.
| The most common authentication handler beans:
|
| * org.jasig.cas.authentication.LdapAuthenticationHandler
| * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
| * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
| * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
-->
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
然後新增ldap中的LDAP配置文件,修改deployerConfigContext.xml文件,具體代碼如下:
注意:org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao 這個類的目的將Principal與後端的LDAP目錄進行匹配(queryAttributeMapping屬性,將Principal的username域與LDAP查詢的uid屬性相匹配,即queryAttributeMapping屬性中必須配置)。提供的baseDN屬性要使用LDAP進行查詢(uid=ldapguest) ,並且屬性要從匹配的條目進行讀取。 匹配到Principal屬性使用resultAttributeMapping屬性中的鍵值對——我們將LDAP的cn和sn屬性匹配到有意義的名字,而description屬性匹配到role屬性,而role屬性就是GrantedAuthorityFromAssertionAttributesUserDetailsService要進行查找的。到這一步cas4集成ldap並返回更多用戶信息就完成了。
CAS4.0.0關於service的存儲方式有以下幾種:
1)InMemoryServiceRegistryDaoImpl
2)JsonServiceRegistryDao
3)JpaServiceRegistryDaoImpl:如果啓用了oauth,因爲每一個第三方都被認爲是一個service,最好存儲在數據庫中,管理方便
4)MongoServiceRegistryDao
CAS4.0.0默認配置是使用InMemoryServiceRegistryDaoImpl,此步驟主要是將service服務存儲至數據庫中,如果只是cas4.0.0集成ldap並返回更多數據,上述步驟操作完之後即可此步驟省略,如果需要將service服務存儲至數據庫,修改deployerConfigContext.xml文件具體代碼如下:
<bean class="org.jasig.cas.services.JpaServiceRegistryDaoImpl" id="serviceRegistryDao" />
<bean class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
id="factoryBean"
p:dataSource-ref="dataSource"
p:jpaVendorAdapter-ref="jpaVendorAdapter"
p:packagesToScan-ref="packagesToScan">
<property name="jpaProperties">
<props>
<prop key="hibernate.dialect">${database.dialect}</prop>
<prop key="hibernate.hbm2ddl.auto">update</prop>
<prop key="hibernate.jdbc.batch_size">${database.batchSize}</prop>
</props>
</property>
</bean>
<bean class="org.springframework.jdbc.datasource.SimpleDriverDataSource"
id="dataSource"
p:driverClass="${database.driverClass}"
p:username="${database.user}"
p:password="${database.password}"
p:url="${database.url}" />
<util:list id="packagesToScan">
<value>org.jasig.cas.services</value>
<value>org.jasig.cas.ticket</value>
</util:list>
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
id="jpaVendorAdapter"
p:generateDdl="true"
p:showSql="true" />
<bean class="org.springframework.orm.jpa.JpaTransactionManager" id="transactionManager"
p:entityManagerFactory-ref="factoryBean" />
<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />
<util:list id="monitorsList">
<bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
<!--
NOTE
The following ticket registries support SessionMonitor:
* DefaultTicketRegistry
* JpaTicketRegistry
Remove this monitor if you use an unsupported registry.
-->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</util:list>
<bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"/>
</beans>
在cas-server-webapp工程中cas.properties文件增加關於數據庫配置信息,具體配置如下:
oracle 連接數據庫配置
database.driverClass=oracle.jdbc.driver.OracleDriver
database.user=admin
database.password=123456
database.url=jdbc:oracle:thin:@127.0.0.1:1521:orcl
database.dialect=org.hibernate.dialect.Oracle9Dialect
mysql 連接數據庫配置
database.driverClass=com.mysql.jdbc.Driver
database.dialect=org.hibernate.dialect.MySQLDialect
database.url=jdbc:mysql://127.0.0.1:3306/db_test?useUnicode=true&characterEncoding=utf8
database.user=root
database.password=123456