CAS4.0.0集成OpenLdap并返回用户信息配置讲解

最近公司要求CAS3.5.2支持saml而目前使用的版本不支持saml，因此升级成4.0.0版本，但是升级cas到cas4.0.0版本后也需要支持ldap，网上关于4.0.0版本的文章很少而支持ldap的少之又少，本人花了很长的时间整理了关于cas4集成ldap的完美解决方案的文章，如果对该文章有什么问题，欢迎在素文宅www.yoodb.com留言询问。

首先下载cas4版本，cas-server服务端，其官方下载地址：https://github.com/apereo/cas/tree/4.0.x

在cas-server-webapp工程中的pom.xml文件中，添加以下依赖关系：

<dependency> 
     <groupId>org.jasig.cas</groupId> 
     <artifactId>cas-server-support-ldap</artifactId> 
     <version>${cas.version}</version> 
</dependency>

关于ssl的方面略过（此不可以跳过），修改tomcat里面的8443端口内容，修改成如下：

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"  

               maxThreads="150" scheme="https" secure="true"  

               clientAuth="false" sslProtocol="TLS"  

               keystoreFile="d:/keys/yoodb.keystore"      <!--你的证书所放的位置--> 

               keystorePass="password" />         <!--认证证书的密码-->




4.0.0的版本需要增加许多配置，逐步增加配置首先需要的是修改认证入口，编辑deployerConfigContext.xml文件，具体配置如下：

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> 

        <constructor-arg> 

            <map> 

                <!-- 

                   | IMPORTANT 

                   | Every handler requires a unique name. 

                   | If more than one instance of the same handler class is configured, you must explicitly 

                   | set its name to something other than its default name (typically the simple class name). 

                   --> 

                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> 

                <entry key-ref="ldapAuthHandler" value-ref="primaryPrincipalResolver" /> <!--新增ldap认证的入口 --> 

            </map> 

        </constructor-arg>
        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password 
             This switch effectively will turn on clearpass. 
        <property name="authenticationMetaDataPopulators"> 
           <util:list> 
              <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator" 
                    c:credentialCache-ref="encryptedMap" /> 
           </util:list> 
        </property> 
        -->

        <!-- 
           | Defines the security policy around authentication. Some alternative policies that ship with CAS: 
           | 
           | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication 
           | * AllAuthenticationPolicy - all presented credential must be authenticated successfully 
           | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass 
           --> 
        <property name="authenticationPolicy"> 
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> 
        </property> 
    </bean>

    <!-- Required for proxy ticket mechanism. --> 
    <bean id="proxyAuthenticationHandler" 
          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" 
          p:httpClient-ref="httpClient" />

    <!-- 
       | TODO: Replace this component with one suitable for your enviroment. 
       | 
       | This component provides authentication for the kind of credential used in your environment. In most cases 
       | credential is a username/password pair that lives in a system of record like an LDAP directory. 
       | The most common authentication handler beans: 
       | 
       | * org.jasig.cas.authentication.LdapAuthenticationHandler 
       | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler 
       | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler 
       | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler 
       --> 
    <!-- Required for proxy ticket mechanism --> 
    <bean id="proxyPrincipalResolver" 
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

然后新增ldap中的LDAP配置文件，修改deployerConfigContext.xml文件，具体代码如下：
注意：org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao 这个类的目的将Principal与后端的LDAP目录进行匹配（queryAttributeMapping属性，将Principal的username域与LDAP查询的uid属性相匹配，即queryAttributeMapping属性中必须配置）。提供的baseDN属性要使用LDAP进行查询（uid=ldapguest） ，并且属性要从匹配的条目进行读取。 匹配到Principal属性使用resultAttributeMapping属性中的键值对——我们将LDAP的cn和sn属性匹配到有意义的名字，而description属性匹配到role属性，而role属性就是GrantedAuthorityFromAssertionAttributesUserDetailsService要进行查找的。到这一步cas4集成ldap并返回更多用户信息就完成了。

CAS4.0.0关于service的存储方式有以下几种：

1）InMemoryServiceRegistryDaoImpl

2）JsonServiceRegistryDao

3）JpaServiceRegistryDaoImpl：如果启用了oauth，因为每一个第三方都被认为是一个service，最好存储在数据库中，管理方便

4）MongoServiceRegistryDao

CAS4.0.0默认配置是使用InMemoryServiceRegistryDaoImpl，此步骤主要是将service服务存储至数据库中，如果只是cas4.0.0集成ldap并返回更多数据，上述步骤操作完之后即可此步骤省略，如果需要将service服务存储至数据库，修改deployerConfigContext.xml文件具体代码如下：

    <bean class="org.jasig.cas.services.JpaServiceRegistryDaoImpl" id="serviceRegistryDao" /> 



    <bean class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" 

    id="factoryBean" 

    p:dataSource-ref="dataSource" 

    p:jpaVendorAdapter-ref="jpaVendorAdapter" 

    p:packagesToScan-ref="packagesToScan"> 

    <property name="jpaProperties"> 

      <props> 

        <prop key="hibernate.dialect">${database.dialect}</prop> 

        <prop key="hibernate.hbm2ddl.auto">update</prop> 

        <prop key="hibernate.jdbc.batch_size">${database.batchSize}</prop> 

      </props> 

    </property> 

  </bean>

  <bean class="org.springframework.jdbc.datasource.SimpleDriverDataSource" 

    id="dataSource" 

    p:driverClass="${database.driverClass}" 

    p:username="${database.user}" 

    p:password="${database.password}" 

    p:url="${database.url}" /> 



    <util:list id="packagesToScan"> 

   <value>org.jasig.cas.services</value> 

   <value>org.jasig.cas.ticket</value> 

 </util:list> 



    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter" 

    id="jpaVendorAdapter" 

    p:generateDdl="true" 

    p:showSql="true" /> 



    <bean class="org.springframework.orm.jpa.JpaTransactionManager" id="transactionManager" 

    p:entityManagerFactory-ref="factoryBean" /> 





    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> 



    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" /> 



    <util:list id="monitorsList"> 

      <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" /> 

      <!-- 

        NOTE 

        The following ticket registries support SessionMonitor: 

          * DefaultTicketRegistry 

          * JpaTicketRegistry 

        Remove this monitor if you use an unsupported registry. 

      --> 

      <bean class="org.jasig.cas.monitor.SessionMonitor" 

          p:ticketRegistry-ref="ticketRegistry" 

          p:serviceTicketCountWarnThreshold="5000" 

          p:sessionCountWarnThreshold="100000" /> 

    </util:list> 



    <bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"/> 

</beans>

在cas-server-webapp工程中cas.properties文件增加关于数据库配置信息，具体配置如下：

oracle 连接数据库配置

database.driverClass=oracle.jdbc.driver.OracleDriver

database.user=admin

database.password=123456

database.url=jdbc:oracle:thin:@127.0.0.1:1521:orcl

database.dialect=org.hibernate.dialect.Oracle9Dialect

mysql 连接数据库配置

database.driverClass=com.mysql.jdbc.Driver

database.dialect=org.hibernate.dialect.MySQLDialect

database.url=jdbc:mysql://127.0.0.1:3306/db_test?useUnicode=true&characterEncoding=utf8

database.user=root

database.password=123456

转载自：http://blog.yoodb.com/yoodb/article/detail/1275