CAS網址:https://apereo.github.io/cas/5.0.x/index.html
目前穩定版本是5.2.*
CAS包含衆多功能推薦server使用一體化版本的overlay,按官網說法按需導入依賴即可
下載 https://github.com/apereo/cas-overlay-template
修改POM,添加依賴
<dependencies> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>${mysql.driver.version}</version> <scope>runtime</scope> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-webapp</artifactId> <version>${cas.version}</version> <type>war</type> <scope>runtime</scope> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-jdbc</artifactId> <version>${cas.version}</version> </dependency> <!-- cas rest ticket start--> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-rest</artifactId> <version>${cas.version}</version> <scope>runtime</scope> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-rest-services</artifactId> <version>${cas.version}</version> <scope>runtime</scope> </dependency> <!-- cas rest ticket end--> <!-- <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-json-service-registry</artifactId> <version>${cas.version}</version> </dependency> --> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-ldap</artifactId> <version>${cas.version}</version> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-oauth-webflow</artifactId> <version>${cas.version}</version> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-jpa-ticket-registry</artifactId> <version>${cas.version}</version> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-jpa-service-registry</artifactId> <version>${cas.version}</version> </dependency> </dependencies> <properties> <cas.version>5.2.1</cas.version> <springboot.version>1.4.2.RELEASE</springboot.version> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <mysql.driver.version>6.0.6</mysql.driver.version> </properties>
打包cas.war,放到linux環境,我用的是centos7(安裝jdk什麼的不贅述了)
添加application.properties, 根據pom可知我需要db和ldap驗證, ticket和service使用db保存
## # CAS Server Context Configuration # server.context-path=/cas server.port=8443 #####################https configuration############################ server.ssl.enabled=true server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 server.max-http-header-size=2097152 server.max-http-post-size=2097152 server.use-forward-headers=true ###very important##### cas.serviceRegistry.config.location=file:///home/admin/cas/services # server.ssl.ciphers= # server.ssl.client-auth= # server.ssl.enabled= # server.ssl.key-alias= # server.ssl.key-store-provider= # server.ssl.key-store-type= # server.ssl.protocol= # server.ssl.trust-store= # server.ssl.trust-store-password= # server.ssl.trust-store-provider= # server.ssl.trust-store-type= server.tomcat.basedir=build/tomcat server.tomcat.accesslog.enabled=true server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms) server.tomcat.accesslog.suffix=.log server.tomcat.max-threads=5 server.tomcat.port-header=X-Forwarded-Port server.tomcat.protocol-header=X-Forwarded-Proto server.tomcat.protocol-header-https-value=https server.tomcat.remote-ip-header=X-FORWARDED-FOR server.tomcat.uri-encoding=UTF-8 server.error.include-stacktrace=ALWAYS spring.http.encoding.charset=UTF-8 spring.http.encoding.enabled=true spring.http.encoding.force=true ## # CAS Cloud Bus Configuration # spring.cloud.bus.enabled=false # spring.cloud.bus.refresh.enabled=true # spring.cloud.bus.env.enabled=true # spring.cloud.bus.destination=CasCloudBus # spring.cloud.bus.ack.enabled=true endpoints.enabled=true endpoints.sensitive=true management.context-path=/status endpoints.restart.enabled=false endpoints.shutdown.enabled=false ## # CAS Web Application Session Configuration # server.session.timeout=300 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Thymeleaf View Configuration # spring.thymeleaf.encoding=UTF-8 spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # CAS Log4j Configuration # logging.config=file:///home/admin/cas/log4j2.xml server.context-parameters.isLog4jAutoInitializationDisabled=true ## # CAS AspectJ Configuration # spring.aop.auto=true spring.aop.proxy-target-class=true ## # CAS Authentication Credentials # #cas.authn.accept.users=casuser::123456 #############jdbc authentication################## cas.authn.jdbc.query[0].sql=SELECT password FROM sys_user WHERE login_name=? cas.authn.jdbc.query[0].healthQuery=SELECT 1 cas.authn.jdbc.query[0].isolateInternalQueries=false cas.authn.jdbc.query[0].url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.jdbc.query[0].failFast=true cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect cas.authn.jdbc.query[0].leakThreshold=10 cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED cas.authn.jdbc.query[0].batchSize=1 cas.authn.jdbc.query[0].user=root cas.authn.jdbc.query[0].ddlAuto=update cas.authn.jdbc.query[0].maxAgeDays=180 cas.authn.jdbc.query[0].password=123456 cas.authn.jdbc.query[0].autocommit=false cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver cas.authn.jdbc.query[0].idleTimeout=5000 cas.authn.jdbc.query[0].credentialCriteria= cas.authn.jdbc.query[0].pool.minSize=10 cas.authn.jdbc.query[0].pool.maxSize=100 cas.authn.jdbc.query[0].passwordEncoder.type=NONE ##################jdbc attribute########################### cas.authn.attributeRepository.jdbc.singleRow=false cas.authn.attributeRepository.jdbc.requireAllAttributes=true cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE cas.authn.attributeRepository.jdbc.queryType=OR cas.authn.attributeRepository.jdbc.sql=SELECT * FROM user_info WHERE uid = ? cas.authn.attributeRepository.jdbc.username=root cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1 cas.authn.attributeRepository.jdbc.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.MySQL5Dialect cas.authn.attributeRepository.jdbc.driverClass=com.mysql.cj.jdbc.Driver cas.authn.attributeRepository.jdbc.user=root cas.authn.attributeRepository.jdbc.password=123456 cas.authn.attributeRepository.jdbc.ddlAuto=validate cas.authn.attributeRepository.expireInMinutes=30 cas.authn.attributeRepository.maximumCacheSize=10000 cas.authn.attributeRepository.merger=REPLACE cas.authn.attributeRepository.jdbc.columnMappings.key=key cas.authn.attributeRepository.jdbc.columnMappings.value=value cas.authn.attributeRepository.attributes.cname=cname cas.authn.attributeRepository.attributes.mail=mail cas.authn.attributeRepository.defaultAttributesToRelease=cname,mail ###################ldap authentication###################### cas.authn.ldap[0].type=AUTHENTICATED cas.authn.ldap[0].ldapUrl=配置ldapurl cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].connectTimeout=5000 cas.authn.ldap[0].baseDn=配置dn cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user})(mobile={user})) cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false cas.authn.ldap[0].bindDn=配置Manager dn cas.authn.ldap[0].bindCredential=manager密碼
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=userPassword
cas.authn.ldap[0].principalAttributeList=uid,sn,cn,o,mail,mobile
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMultiplePrincipalAttributeValue=true
##
#此處是個坑,開始我以爲這裏是配置密碼加密方式,於是和LDAP裏面配置一樣的MD5或者SHA,結果一直認證不成功,後來才發現,原來這裏是在密碼驗證之前
#對密碼再做一次encode,如果配置爲NONE,則什麼都不做,直接使用默認的SHA加密方式(AbstractCompareAuthenticationHandler裏面配置)加密密碼後與LDAP裏面的密碼比對,如果配置爲DEFAULT則先用配置的#algorithm encode明文一次,再使用默認的SHA加密方式加密後與LDAP裏面的密碼比對cas.authn.ldap[0].passwordEncoder.type=NONE
#cas.authn.ldap[0].passwordEncoder.characterEncoding=UTF-8
#cas.authn.ldap[0].passwordEncoder.encodingAlgorithm=MD5
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].dnFormat=配置format
cas.authn.ldap[0].additionalAttributes=
cas.authn.ldap[0].principalAttributeList=displayName,givenName,mail,sn,cn,commonName,department,title,description,telephoneNumber,physicalDeliveryOfficeName,memberOf
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
#############ticket registry##################
cas.ticket.registry.jpa.jpaLockingTimeout=3600
cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=false
cas.ticket.registry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8
cas.ticket.registry.jpa.failFast=true
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
# cas.ticket.registry.jpa.leakThreshold=10
cas.ticket.registry.jpa.jpaLockingTgtEnabled=false
cas.ticket.registry.jpa.batchSize=1
# cas.ticket.registry.jpa.defaultCatalog=
cas.ticket.registry.jpa.defaultSchema=cas-local
cas.ticket.registry.jpa.user=root
cas.ticket.registry.jpa.ddlAuto=validate
cas.ticket.registry.jpa.password=123456
cas.ticket.registry.jpa.autocommit=true
cas.ticket.registry.jpa.driverClass=com.mysql.cj.jdbc.Driver
######service registry##################
cas.serviceRegistry.jpa.healthQuery=SELECT 1
cas.serviceRegistry.jpa.isolateInternalQueries=false
cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8
cas.serviceRegistry.jpa.failFast=true
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
# cas.serviceRegistry.jpa.leakThreshold=10
# cas.serviceRegistry.jpa.batchSize=1
# cas.serviceRegistry.jpa.defaultCatalog=
# cas.serviceRegistry.jpa.defaultSchema=
cas.serviceRegistry.jpa.user=root
cas.serviceRegistry.jpa.ddlAuto=validate
cas.serviceRegistry.jpa.password=123456
cas.serviceRegistry.jpa.autocommit=true
cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
配一個啓動的shell
ID=`ps -ef|grep cas.war|grep -v "grep"|awk '{print $2}'` echo cas PROCESS ID $ID kill -9 $ID rm -rf *.log rm -rf logs/*.log java -jar cas.war
ok cas server 搞定
ticket保存到db需要4張表,ddlauto爲create時會自動創建,不過建議是validate
CREATE TABLE `locks` ( `application_id` varchar(255) NOT NULL, `expiration_date` datetime DEFAULT NULL, `unique_id` varchar(255) DEFAULT NULL, `lockVer` int(11) NOT NULL DEFAULT '0', PRIMARY KEY (`application_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `oauth_tokens` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `SERVICE` longblob NOT NULL, PRIMARY KEY (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `serviceticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `FROM_NEW_LOGIN` bit(1) NOT NULL, `TICKET_ALREADY_GRANTED` bit(1) NOT NULL, `SERVICE` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FK60oigifivx01ts3n8vboyqs38` (`ticketGrantingTicket_ID`), CONSTRAINT `FK60oigifivx01ts3n8vboyqs38` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `ticketgrantingticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `EXPIRED` bit(1) NOT NULL, `PROXIED_BY` longblob, `SERVICES_GRANTED_ACCESS_TO` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FKiqyu3qw2fxf5qaqin02mox8r4` (`ticketGrantingTicket_ID`), CONSTRAINT `FKiqyu3qw2fxf5qaqin02mox8r4` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8
因爲service 註冊官網推薦使用Management Webapp來配置,所以還要配個這個
下載 https://github.com/Apereo/cas-services-management-overlay
修改pom添加依賴
<dependencies> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-management-webapp</artifactId> <version>${cas.version}</version> <type>war</type> <scope>runtime</scope> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-jdbc</artifactId> <version>${cas.version}</version> </dependency> <dependency> <groupId>org.apereo.cas</groupId> <artifactId>cas-server-support-jpa-service-registry</artifactId> <version>${cas.version}</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>${mysql.driver.version}</version> <scope>runtime</scope> </dependency> </dependencies> <properties> <cas.version>5.0.5</cas.version> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <mysql.driver.version>6.0.6</mysql.driver.version> </properties>
注意其中mysql版本默認6.0.3有問題,升級成6.0.6
打包放到linux,添加application.properties
## # CAS Thymeleaf Views # spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # Embedded CAS Tomcat Container # server.context-path=/casmgr server.port=443 server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 ## # Log4J Configuration # server.context-parameters.isLog4jAutoInitializationDisabled=true logging.config=file:///home/admin/casmgr/log4j2.xml ## # CAS # cas.server.name=https://n2:8443 cas.server.prefix=${cas.server.name}/cas cas.mgmt.adminRoles=ROLE_ADMIN cas.mgmt.userPropertiesFile=file:///home/admin/casmgr/user-details.properties cas.mgmt.serverName=https://n2 ## # CAS Authentication Attributes # cas.authn.attributeRepository.attributes.uid=uid cas.authn.attributeRepository.attributes.displayName=displayName cas.authn.attributeRepository.attributes.cn=commonName cas.authn.attributeRepository.attributes.affiliation=groupMembership cas.authn.attributeRepository.attributes.lastName=lastName cas.authn.attributeRepository.attributes.firstName=firstName cas.authn.attributeRepository.attributes.givenName=givenName ## # CAS Web Application Config # server.session.timeout=1800 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Cloud Bus Configuration # Please leave spring.cloud.bus.enabled set to false # spring.cloud.bus.enabled=false cas.serviceRegistry.jpa.healthQuery=SELECT 1 cas.serviceRegistry.jpa.isolateInternalQueries=false cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.serviceRegistry.jpa.failFast=true cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect cas.serviceRegistry.jpa.user=root cas.serviceRegistry.jpa.ddlAuto=validate cas.serviceRegistry.jpa.password=123456 cas.serviceRegistry.jpa.autocommit=false cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
注意cas.serviceRegistry.jpa.ddlAuto如果值爲create server和management都會創建4張表,但是其中regexregisteredservice表 Management會多創建幾個字段,所以使用Management創建的表即可
表sql:
CREATE TABLE `hibernate_sequence` ( `next_val` bigint(20) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredservice` ( `expression_type` varchar(15) NOT NULL DEFAULT 'ant', `id` bigint(20) NOT NULL, `access_strategy` longblob, `attribute_release` longblob, `description` varchar(255) NOT NULL, `evaluation_order` int(11) NOT NULL, `logo` varchar(255) DEFAULT NULL, `logout_type` int(11) DEFAULT NULL, `logout_url` varchar(255) DEFAULT NULL, `mfa_policy` longblob, `name` varchar(255) NOT NULL, `proxy_policy` longblob, `public_key` longblob, `required_handlers` longblob, `serviceId` varchar(255) NOT NULL, `theme` varchar(255) DEFAULT NULL, `username_attr` longblob, `bypassApprovalPrompt` bit(1) DEFAULT NULL, `clientId` varchar(255) DEFAULT NULL, `clientSecret` varchar(255) DEFAULT NULL, `generateRefreshToken` bit(1) DEFAULT NULL, `jsonFormat` bit(1) DEFAULT NULL, `jwks` varchar(255) DEFAULT NULL, `signIdToken` bit(1) DEFAULT NULL, `encryptAssertions` bit(1) DEFAULT NULL, `metadataCriteriaDirection` varchar(255) DEFAULT NULL, `metadataCriteriaPattern` varchar(255) DEFAULT NULL, `metadataCriteriaRemoveEmptyEntitiesDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRemoveRolelessEntityDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRoles` varchar(255) DEFAULT NULL, `metadataLocation` varchar(255) DEFAULT NULL, `metadataMaxValidity` bigint(20) DEFAULT NULL, `metadataSignatureLocation` varchar(255) DEFAULT NULL, `requiredAuthenticationContextClass` varchar(255) DEFAULT NULL, `requiredNameIdFormat` varchar(255) DEFAULT NULL, `signAssertions` bit(1) DEFAULT NULL, `signResponses` bit(1) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredserviceproperty` ( `id` bigint(20) NOT NULL, `property_values` longblob, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `registeredserviceimpl_props` ( `AbstractRegisteredService_id` bigint(20) NOT NULL, `properties_id` bigint(20) NOT NULL, `properties_KEY` varchar(255) NOT NULL, PRIMARY KEY (`AbstractRegisteredService_id`,`properties_KEY`), UNIQUE KEY `UK_i2mjaqjwxpvurc6aefjkx5x97` (`properties_id`), CONSTRAINT `FK1xan7uamsa94y2451jgksjkj4` FOREIGN KEY (`properties_id`) REFERENCES `regexregisteredserviceproperty` (`id`), CONSTRAINT `FK5ghaknoplphay7reury7n3vcm` FOREIGN KEY (`AbstractRegisteredService_id`) REFERENCES `regexregisteredservice` (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
添加登錄用戶配置user-details.properties, 使用默認casuser或者dba登錄可以成功獲得權限,但是ldap還不行原因不明
casuser=notused,ROLE_ADMIN
testAD=notused,ROLE_ADMIN
啓動Management後會自動跳到server的登錄頁面,登錄後可以添加service。
如果配置都正確server的console會定時刷新service的配置
[localhost-startStop-1] INFO org.apereo.cas.services.DefaultServicesManagerImpl - Loaded 4 services from JpaServiceRegistryDaoImpl.