
Single Sign-On - CAS [9] Making CAS work over the HTTP protocol

2013-08-06 

As we know, CAS SSO is single sign-on built on HTTPS. If you want to run it over plain HTTP instead, a few CAS configuration files have to be changed. It is done for convenience, but security suffers badly: the ticket-granting cookie and the service tickets then travel in cleartext, and because this is single sign-on, one captured session is enough to walk into every business system that CAS manages. I personally do not endorse using HTTP; trading a little performance for much better security is worth it.


I. Software environment

1. cas-client: cas-client-3.2.1-release

2. cas-server: cas-server-3.5.2-release


II. Modification steps

1. File warnCookieGenerator.xml


```xml
<bean id="warnCookieGenerator" />
```


2. File ticketGrantingTicketCookieGenerator.xml


```xml
<bean id="ticketGrantingTicketCookieGenerator" />
```


In both beans, change p:cookieSecure="true" to p:cookieSecure="false". With cookieSecure="true" the server marks the CASTGC ticket-granting cookie (and the warn cookie) with the Secure flag, and a browser never returns a Secure cookie on an http:// request, so on an HTTP-only server the login session would be lost on the very next request. Setting it to false removes that protection for every cookie the server issues.


3. File deployerConfigContext.xml


```xml
<bean />
```

Add p:requireSecure="false" to this bean. In the stock 3.5.2 deployerConfigContext.xml this is the HttpBasedServiceCredentialsAuthenticationHandler entry in the authenticationHandlers list; with requireSecure at its default of true, it rejects any service or proxy-callback URL whose protocol is not https, so an HTTP-only deployment must switch it off.


If the client is integrated through the Filter-based configuration in web.xml, single sign-on over HTTP works from this point on.

If the client is used through the Java Core Object API (the org.jasig.cas.client.corejavaobject package), one more step is needed.


4. File SecureURL.java


```java
/*
 *  Copyright (c) 2000-2003 Yale University. All rights reserved.
 *
 *  THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
 *  DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
 *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
 *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
 *  DAMAGE.
 *
 *  Redistribution and use of this software in source or binary forms,
 *  with or without modification, are permitted, provided that the
 *  following conditions are met:
 *
 *  1. Any redistribution must include the above copyright notice and
 *  disclaimer and this list of conditions in any related documentation
 *  and, if feasible, in the redistributed software.
 *
 *  2. Any redistribution must include the acknowledgment, "This product
 *  includes software developed by Yale University," in any related
 *  documentation and, if feasible, in the redistributed software.
 *
 *  3. The names "Yale" and "Yale University" must not be used to endorse
 *  or promote products derived from this software.
 */
package org.jasig.cas.client.corejavaobject.util;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * A class housing some utility functions exposing secure URL validation
 * and content retrieval.  The rules are intended to be about as restrictive
 * as a common browser with respect to server-certificate validation.
 */
public class SecureURL {

    private static Log log = LogFactory.getLog(SecureURL.class);

    /**
     * For testing only...
     */
    public static void main(String args[]) throws IOException {
        System.setProperty(
            "java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
        System.out.println(SecureURL.retrieve(args[0]));
    }

    /**
     * Retrieve the contents from the given URL as a String, assuming the
     * URL's server matches what we expect it to match.
     */
    public static String retrieve(String url) throws IOException {
        if (log.isTraceEnabled()) {
            log.trace("entering retrieve(" + url + ")");
        }
        BufferedReader r = null;
        try {
            URL u = new URL(url);
            if (!u.getProtocol().equals("https")) {
                // IOException may not be the best exception we could throw here
                // since the problem is with the URL argument we were passed, not
                // IO. -awp9
                log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
                throw new IOException("only 'https' URLs are valid for this method");
            }

            URLConnection uc = u.openConnection();
            uc.setRequestProperty("Connection", "close");
            r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
            String line;
            StringBuffer buf = new StringBuffer();
            while ((line = r.readLine()) != null)
                buf.append(line + "\n");
            return buf.toString();
        } finally {
            try {
                if (r != null)
                    r.close();
            } catch (IOException ex) {
                // ignore
            }
        }
    }
}
```


Locate the following section:


```java
if (!u.getProtocol().equals("https")) {
    // IOException may not be the best exception we could throw here
    // since the problem is with the URL argument we were passed, not
    // IO. -awp9
    log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
    throw new IOException("only 'https' URLs are valid for this method");
}
```

You should see the point by now: comment out this block and retrieve() will fetch over http:// as well. Be clear about what that removes. This check was the client's only guarantee that the ticket-validation response really came from the CAS server, because a plain HTTP response carries no server certificate to verify. Without it, anyone on the network path can answer the validation request and hand the client whatever username they choose.
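Because the three server-side edits above are easy to make and easy to forget, a practitioner usually wants a way to find them again. The following Python script is an added example, not part of the original post or of the CAS project: it parses Spring bean XML and reports every cookieSecure or requireSecure set to false, recognising both the p:attribute spelling used on this page and the equivalent nested property element. The sample files are constructed for the example; the bean ids match the page, while the class names and the remaining attributes are assumptions about the stock 3.5.2 files.

```python
"""Audit CAS 3.5.x Spring XML for the HTTP-downgrade settings edited above."""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"   # Spring "p" shorthand namespace
BEAN = f"{{{BEANS_NS}}}bean"
PROPERTY = f"{{{BEANS_NS}}}property"

# The two properties this page sets to "false"; both default to true in stock CAS.
WATCHED = ("cookieSecure", "requireSecure")

# Constructed sample files (not copied from a real deployment). Bean ids match the
# page; class names and the other attributes are assumptions about stock 3.5.2.
SAMPLE_FILES = {
    # Step 1, downgraded via the p-namespace attribute.
    "warnCookieGenerator.xml": """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="warnCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1"
        p:cookieName="CASPRIVACY" p:cookiePath="/cas"/>
</beans>""",
    # Step 2, left at the secure stock value.
    "ticketGrantingTicketCookieGenerator.xml": """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="true" p:cookieMaxAge="-1"
        p:cookieName="CASTGC" p:cookiePath="/cas"/>
</beans>""",
    # Step 3, downgraded with a nested <property> instead of p:requireSecure.
    "deployerConfigContext.xml": """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient">
          <property name="requireSecure" value="false"/>
        </bean>
      </list>
    </property>
  </bean>
</beans>""",
}


def audit_beans(xml_text):
    """Return (bean label, property, value) for every watched property set to false.

    Both Spring spellings are recognised: p:cookieSecure="false" on the bean element
    and a nested <property name="cookieSecure" value="false"/>. Beans nested inside
    <list> or <property> are found because iter() walks the whole tree.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []
    for bean in root.iter(BEAN):
        label = bean.get("id") or bean.get("class") or "<anonymous bean>"
        for name in WATCHED:
            value = bean.get(f"{{{P_NS}}}{name}")
            if value is None:
                for prop in bean.findall(PROPERTY):   # direct children only
                    if prop.get("name") == name:
                        value = prop.get("value")
            if value is not None and value.strip().lower() == "false":
                findings.append((label, name, value.strip()))
    return findings


def audit_all(files):
    """Map each file name to its findings; an empty list means the file is clean."""
    return {name: audit_beans(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FILES).items():
        print(f"{'INSECURE' if findings else 'OK':8} {name}")
        for label, prop, value in findings:
            print(f"         {label}: {prop}={value}")
```

Point audit_all at the real files under WEB-INF and WEB-INF/spring-configuration when reviewing a deployment; any finding means the server is issuing cookies or accepting callback URLs that can be read or forged on the wire.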


Note: both cookieSecure settings were changed to false. What does that attribute actually do?

Secure is an attribute of a cookie.

Attribute value: true if the client returns the cookie only in subsequent requests that use HTTPS; otherwise false. The default is false.

In practice, when the attribute is true the cookie is only ever sent on https:// requests, so it can never be transmitted over plain HTTP. That is exactly why a CAS server running on HTTP has to issue its cookies without the Secure flag, and also why doing so is dangerous: the CASTGC cookie then travels in cleartext on every request, and anyone on the network path can copy it and become that user at every CAS-protected application without ever seeing a password.
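The behaviour described in this note is the user agent's cookie-attachment rule from RFC 6265 (section 5.4, with the path-match of section 5.1.4). The Python below is an added example, not code from the original post or from CAS: it parses a Set-Cookie header, then decides for a given request URL whether a browser would return the cookie. The two cookies are constructed, one as a stock server would issue it (cookieSecure="true") and one as the downgraded server on this page would; the ticket id is made up, the name CASTGC and path /cas follow CAS defaults. Domain matching is omitted, a single host being assumed throughout.

```python
"""Model the Secure-cookie rule that decides whether CASTGC returns to an http:// CAS server."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Prefix match counts only at a path-segment boundary ("/cas" vs "/casino").
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_is_sent(cookie, request_url):
    """RFC 6265 section 5.4: attach the cookie only if the path matches and, when the
    Secure attribute is present, the request scheme is https. Host matching is omitted
    (single host assumed)."""
    _name, _value, attrs = cookie
    url = urlsplit(request_url)
    if attrs.get("secure") and url.scheme.lower() != "https":
        return False
    return path_matches(url.path or "/", attrs.get("path") or "/")


def cookie_header_for(cookies, request_url):
    """Build the Cookie request header a browser would send, or '' if nothing qualifies."""
    return "; ".join(f"{n}={v}" for n, v, a in cookies if cookie_is_sent((n, v, a), request_url))


# Constructed examples: the same ticket-granting cookie as issued by a stock server
# (cookieSecure="true") and by a server downgraded as on this page (cookieSecure="false").
# The ticket id is made up; name and path follow CAS defaults.
STOCK_TGC = parse_set_cookie("CASTGC=TGT-1-constructed; Path=/cas; Secure")
DOWNGRADED_TGC = parse_set_cookie("CASTGC=TGT-1-constructed; Path=/cas")

if __name__ == "__main__":
    for url in ("http://cas.example.com/cas/login", "https://cas.example.com/cas/login"):
        print(url)
        print("  stock (Secure):", cookie_header_for([STOCK_TGC], url) or "<not sent>")
        print("  downgraded    :", cookie_header_for([DOWNGRADED_TGC], url) or "<not sent>")
```

On http://cas.example.com/cas/login the stock cookie is withheld, which is the silent SSO failure that motivates the edits above; the downgraded cookie is sent, in cleartext, to the same URL.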
