CAS(单点登陆)---总结一
单点登录(sso)是指基于用户/会话认证的一个过程,用户只需一次性提供凭证(仅一次登录),就可以访问多个应用。??
?
?一, 最近一段时间公司进行系统整合,公司决定采用yale cas 单点登录进行整合,在这里对在项目整合中遇到的问题进行总结:
??1,到官方上下载CAS2.x服务器改名为ssoAuth
?
??2,以ssoAuth/login为所有系统的登录页,对每个系统进行配置,配置如下:
可查看这篇文章:http://129-cat-163-com.iteye.com/blog/477506
?
3,在登录之后,遇到一个问题,就是重新刷新又回到登录页(在登录之后会产生一个CASTGC的cookie)
解决:
更改ssoAuth/WebContent/spring-configuration/ticketGrantingTicketCookieGenerator.xml中的 p:cookiePath="/ssoAuth"?和warnCookieGenerator.xml中的p:cookiePath="/ssoAuth" 因为更改了登录名之后,cookie path设置的值没有相应的改变..在验证时获取不到castgc的cookie
?
??4,不跳转到ssoAuth/login下每一个系统都自定义登录页,
可查看这这里面的三篇文章:http://hi.baidu.com/fallenlord/blog/item/ecaa5f263e52cf0b908f9d21.html
?
??5,代理问题
代理可解决的问题:
当一个系统1要去取另一个系统2的数据时,两台不在同一台电脑上,而这两个又被同时都加到单点登录中,这时当你1系统已经登录要去取2系统的数据时,而2系统还没有登录,这时取不到数据??
这时候代理就派上用场.代理票据的产生
http://www.blogjava.net/security/archive/2006/04/26/SSO_CASProxy.html
解决:
可先查看这篇文章http://fallenlord.blogbus.com/logs/57175888.html
再以下详解:
在ssoProxyClient(代理端) ssoProxyBackClient(被代理端) ssoAuth上都要进行配置,
ssoAuth:在整合时发现一个问题,查找源代码,客户端配置正确而不返回代理票据
deployerConfigContext.xml下配置
?
下面的httpClient要添加上去<beanp:requireSecure="false" />
? 代理端与被代理端都要进行配置(配置较长,不一一介绍)有需要留下联系地址,我发过去...
?
7,代理性能问题解决:
如以上问题所述,系统2变成了被代理的系统,代理系统1每次要到被代理服务器去取一次票据之后,传到系统2去,这时系统2也要到服务器去取下验证的代理票据,进行比对,,
这样一来,每次都要与服务器通信两次,,,性能耗费很大,在不考虑安全性的前提下,可以对双方进行保存一个票据,这样一来,不管访问多少次,只在服务器通信了两次.
我对以上的代理与被代理系统进行了扩展,,一样)有需要留下联系地址,我发过去...
?
8,客户端可以返回更多的用户数据,这个有两处要进行配置
以下提供一个较完整的deployerConfigContext.xml的配置,一般有用到都在这里面
<?xml version="1.0" encoding="UTF-8"?>
<!--| deployerConfigContext.xml centralizes into one file some of thedeclarative configuration that | all CAS deployers will need tomodify. | | This file declares some of the Spring-managed JavaBeansthat make up a CAS deployment. | The beans declared in this file areinstantiated at context initialization time by the Spring |ContextLoaderListener declared in web.xml. It finds this file becausethis | file is among those declared in the context parameter"contextConfigLocation". | | By far the most common change you willneed to make in this file is to change the last bean | declaration toreplace the default SimpleTestUsernamePasswordAuthenticationHandlerwith | one implementing your approach for authenticating usernames andpasswords. +--><beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"><!--cas数据源。 --><bean id="casDataSource" /></bean><bean id="passwordEncoder2"/></property></bean><!--| HttpBasedServiceCredentialsToPrincipalResolver supportsHttpBasedCredentials. It supports the CAS 2.0 approach of |authenticating services by SSL callback, extracting the callbackURL from the Credentials and representing it as a | SimpleServiceidentified by that callback URL. | | If you are representingservices by something more or other than an HTTPS URL whereat theyare able to | receive a proxy callback, you will need to changethis bean declaration (or add additional declarations). +--><bean/></list></property><!--| Whereas CredentialsToPrincipalResolvers identify who it is someCredentials might authenticate, | AuthenticationHandlers actuallyauthenticate credentials. Here we declare the AuthenticationHandlersthat | authenticate the Principals that theCredentialsToPrincipalResolvers identified. CAS will try thesehandlers in turn | until it finds one that both supports theCredentials presented and succeeds in authenticating. +--><property name="authenticationHandlers"><list> <!--这里面的用户表验证,可以配置多个,由上向下的表验证,只要有一个成功就退出--><!-- support EAP database --><beanref="casDataSource" /><property name="sql"value="SELECT Password FROM table1 WHERE Id = ?" /><property name="passwordEncoder" ref="passwordEncoder" /></bean><!-- support another user table,对以上的类进行扩展,不采用那样的验证机制 --><beanref="casDataSource" /><property name="sql"value="SELECT FGUID FROM table2 WHERE FUserID = ? and cast(ID as varchar(50))=?" /> <!--改变加密机制--><property name="passwordEncoder" ref="passwordEncoder2" /></bean><!--| This is the authentication handler that authenticates services bymeans of callback via SSL, thereby validating | a server side SSLcertificate. +--><beanp:requireSecure="false" /><!--| This is the authentication handler declaration that every CASdeployer will need to change before deploying CAS | intoproduction. The defaultSimpleTestUsernamePasswordAuthenticationHandler authenticatesUsernamePasswordCredentials | where the username equals thepassword. You will need to replace this with anAuthenticationHandler that implements your | local authenticationstrategy. You might accomplish this by coding a new such handlerand declaring | edu.someschool.its.cas.MySpecialHandler here, oryou might use one of the handlers provided in the adaptors modules.+<bean/>--></list></property></bean><!--This bean defines the security roles for the Services Managementapplication. Simple deployments can use the in-memory version. Morerobust deployments will want to use another option, such as the Jdbcversion. The name of this should remain "userDetailsService" in orderfor Acegi to find it. To use this, you should add an entry similar tothe following between the two value tags: battags=notused,ROLE_ADMINwhere battags is the username you want to grant access to. You can putone entry per line.--><bean id="userDetailsService"though.返回更多的用户信息,在这里进行配置--><bean id="attributeRepository"ref="casDataSource" /><constructor-arg index="1"value="SELECT FBy5 AS type,deptId,id,position FROM table WHERE Fid=?" /><property name="queryAttributeMapping"><map> <!-- username:为登录的用户名 uid:系统内部会赋给以上的fid --><entry key="username" value="uid" /></map></property><property name="resultAttributeMapping"><map><entry key="id" value="id1" /><entry key="deptId" value="dept1" /><entry key="Position" value="position1"/><entry key="type" value="type1" /></map></property></bean><!--Sample, in-memory data store for the ServiceRegistry. A realimplementation would probably want to replace this with the JPA-backedServiceRegistry DAO The name of this bean should remain"serviceRegistryDao".--><bean id="serviceRegistryDao" /></beans>
--->看下一章节
?
?
1 楼 mingxiao2010 2010-03-29 学习了,呵呵! 2 楼 elan1986 2010-03-29 正好 准备用到这个单点登录