CAS5.0.X 使用经历
公司要做统一SSO,以前都是自己做后来有同事推荐使用CAS,于是开始一起研究。
CAS网址:https://apereo.github.io/cas/5.0.x/index.html
目前稳定版本是5.0.5
CAS包含众多功能推荐server使用一体化版本的overlay,按官网说法按需导入依赖即可
下载 https://github.com/apereo/cas-overlay-template
修改POM,添加依赖
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${mysql.driver.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-jdbc</artifactId>
<version>${cas.version}</version>
</dependency>
<!-- cas rest ticket start-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-rest</artifactId>
<version>${cas.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-rest-services</artifactId>
<version>${cas.version}</version>
<scope>runtime</scope>
</dependency>
<!-- cas rest ticket end-->
<!--
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-json-service-registry</artifactId>
<version>${cas.version}</version>
</dependency>
-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-oauth-webflow</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-jpa-ticket-registry</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-jpa-service-registry</artifactId>
<version>${cas.version}</version>
</dependency>
</dependencies>
<properties>
<cas.version>5.0.5</cas.version>
<springboot.version>1.4.2.RELEASE</springboot.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<mysql.driver.version>6.0.6</mysql.driver.version>
</properties>
打包cas.war,放到linux环境,我用的是centos7(安装jdk什么的不赘述了)
添加application.properties, 根据pom可知我需要db和ldap验证, ticket和service使用db保存
## # CAS Server Context Configuration # server.context-path=/cas server.port=8443 #####################https configuration############################ server.ssl.enabled=true server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 server.max-http-header-size=2097152 server.max-http-post-size=2097152 server.use-forward-headers=true ###very important##### cas.serviceRegistry.config.location=file:///home/admin/cas/services # server.ssl.ciphers= # server.ssl.client-auth= # server.ssl.enabled= # server.ssl.key-alias= # server.ssl.key-store-provider= # server.ssl.key-store-type= # server.ssl.protocol= # server.ssl.trust-store= # server.ssl.trust-store-password= # server.ssl.trust-store-provider= # server.ssl.trust-store-type= server.tomcat.basedir=build/tomcat server.tomcat.accesslog.enabled=true server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms) server.tomcat.accesslog.suffix=.log server.tomcat.max-threads=5 server.tomcat.port-header=X-Forwarded-Port server.tomcat.protocol-header=X-Forwarded-Proto server.tomcat.protocol-header-https-value=https server.tomcat.remote-ip-header=X-FORWARDED-FOR server.tomcat.uri-encoding=UTF-8 server.error.include-stacktrace=ALWAYS spring.http.encoding.charset=UTF-8 spring.http.encoding.enabled=true spring.http.encoding.force=true ## # CAS Cloud Bus Configuration # spring.cloud.bus.enabled=false # spring.cloud.bus.refresh.enabled=true # spring.cloud.bus.env.enabled=true # spring.cloud.bus.destination=CasCloudBus # spring.cloud.bus.ack.enabled=true endpoints.enabled=true endpoints.sensitive=true management.context-path=/status endpoints.restart.enabled=false endpoints.shutdown.enabled=false ## # CAS Web Application Session Configuration # server.session.timeout=300 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Thymeleaf View Configuration # spring.thymeleaf.encoding=UTF-8 spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # CAS Log4j Configuration # logging.config=file:///home/admin/cas/log4j2.xml server.context-parameters.isLog4jAutoInitializationDisabled=true ## # CAS AspectJ Configuration # spring.aop.auto=true spring.aop.proxy-target-class=true ## # CAS Authentication Credentials # #cas.authn.accept.users=casuser::123456 #############jdbc authentication################## cas.authn.jdbc.query[0].sql=SELECT password FROM sys_user WHERE login_name=? cas.authn.jdbc.query[0].healthQuery=SELECT 1 cas.authn.jdbc.query[0].isolateInternalQueries=false cas.authn.jdbc.query[0].url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.jdbc.query[0].failFast=true cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect cas.authn.jdbc.query[0].leakThreshold=10 cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED cas.authn.jdbc.query[0].batchSize=1 cas.authn.jdbc.query[0].user=root cas.authn.jdbc.query[0].ddlAuto=update cas.authn.jdbc.query[0].maxAgeDays=180 cas.authn.jdbc.query[0].password=123456 cas.authn.jdbc.query[0].autocommit=false cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver cas.authn.jdbc.query[0].idleTimeout=5000 cas.authn.jdbc.query[0].credentialCriteria= cas.authn.jdbc.query[0].pool.minSize=10 cas.authn.jdbc.query[0].pool.maxSize=100 cas.authn.jdbc.query[0].passwordEncoder.type=NONE ##################jdbc attribute########################### cas.authn.attributeRepository.jdbc.singleRow=false cas.authn.attributeRepository.jdbc.requireAllAttributes=true cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE cas.authn.attributeRepository.jdbc.queryType=OR cas.authn.attributeRepository.jdbc.sql=SELECT * FROM user_info WHERE uid = ? cas.authn.attributeRepository.jdbc.username=root cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1 cas.authn.attributeRepository.jdbc.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.MySQL5Dialect cas.authn.attributeRepository.jdbc.driverClass=com.mysql.cj.jdbc.Driver cas.authn.attributeRepository.jdbc.user=root cas.authn.attributeRepository.jdbc.password=123456 cas.authn.attributeRepository.jdbc.ddlAuto=validate cas.authn.attributeRepository.expireInMinutes=30 cas.authn.attributeRepository.maximumCacheSize=10000 cas.authn.attributeRepository.merger=REPLACE cas.authn.attributeRepository.jdbc.columnMappings.key=key cas.authn.attributeRepository.jdbc.columnMappings.value=value cas.authn.attributeRepository.attributes.cname=cname cas.authn.attributeRepository.attributes.mail=mail cas.authn.attributeRepository.defaultAttributesToRelease=cname,mail ###################ldap authentication###################### cas.authn.ldap[0].type=AD cas.authn.ldap[0].ldapUrl=配置ldapurl cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].connectTimeout=5000 cas.authn.ldap[0].baseDn=配置dn cas.authn.ldap[0].userFilter=sAMAccountName={user} cas.authn.ldap[0].subtreeSearch=true cas.authn.ldap[0].bindDn=配置dn cas.authn.ldap[0].bindCredential=用户名 cas.authn.ldap[0].enhanceWithEntryResolver=true cas.authn.ldap[0].dnFormat=配置format cas.authn.ldap[0].principalAttributeId=sAMAccountName cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true cas.authn.ldap[0].additionalAttributes= cas.authn.ldap[0].principalAttributeList=displayName,givenName,mail,sn,cn,commonName,department,title,description,telephoneNumber,physicalDeliveryOfficeName,memberOf cas.authn.ldap[0].minPoolSize=3 cas.authn.ldap[0].maxPoolSize=50 cas.authn.ldap[0].validateOnCheckout=true cas.authn.ldap[0].validatePeriodically=true cas.authn.ldap[0].validatePeriod=600 cas.authn.ldap[0].failFast=true cas.authn.ldap[0].idleTime=5000 cas.authn.ldap[0].prunePeriod=5000 cas.authn.ldap[0].blockWaitTime=5000 #############ticket registry################## cas.ticket.registry.jpa.jpaLockingTimeout=3600 cas.ticket.registry.jpa.healthQuery=SELECT 1 cas.ticket.registry.jpa.isolateInternalQueries=false cas.ticket.registry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8 cas.ticket.registry.jpa.failFast=true cas.ticket.registry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect # cas.ticket.registry.jpa.leakThreshold=10 cas.ticket.registry.jpa.jpaLockingTgtEnabled=false cas.ticket.registry.jpa.batchSize=1 # cas.ticket.registry.jpa.defaultCatalog= cas.ticket.registry.jpa.defaultSchema=cas-local cas.ticket.registry.jpa.user=root cas.ticket.registry.jpa.ddlAuto=validate cas.ticket.registry.jpa.password=123456 cas.ticket.registry.jpa.autocommit=true cas.ticket.registry.jpa.driverClass=com.mysql.cj.jdbc.Driver ######service registry################## cas.serviceRegistry.jpa.healthQuery=SELECT 1 cas.serviceRegistry.jpa.isolateInternalQueries=false cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT%2B8 cas.serviceRegistry.jpa.failFast=true cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect # cas.serviceRegistry.jpa.leakThreshold=10 # cas.serviceRegistry.jpa.batchSize=1 # cas.serviceRegistry.jpa.defaultCatalog= # cas.serviceRegistry.jpa.defaultSchema= cas.serviceRegistry.jpa.user=root cas.serviceRegistry.jpa.ddlAuto=validate cas.serviceRegistry.jpa.password=123456 cas.serviceRegistry.jpa.autocommit=true cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
配一个启动的shell
ID=`ps -ef|grep cas.war|grep -v "grep"|awk '{print $2}'`
echo cas PROCESS ID $ID
kill -9 $ID
rm -rf *.log
rm -rf logs/*.log
java -jar cas.war
ok cas server 搞定
ticket保存到db需要4张表,ddlauto为create时会自动创建,不过建议是validate
CREATE TABLE `locks` ( `application_id` varchar(255) NOT NULL, `expiration_date` datetime DEFAULT NULL, `unique_id` varchar(255) DEFAULT NULL, `lockVer` int(11) NOT NULL DEFAULT '0', PRIMARY KEY (`application_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `oauth_tokens` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `SERVICE` longblob NOT NULL, PRIMARY KEY (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `serviceticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `FROM_NEW_LOGIN` bit(1) NOT NULL, `TICKET_ALREADY_GRANTED` bit(1) NOT NULL, `SERVICE` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FK60oigifivx01ts3n8vboyqs38` (`ticketGrantingTicket_ID`), CONSTRAINT `FK60oigifivx01ts3n8vboyqs38` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 CREATE TABLE `ticketgrantingticket` ( `TYPE` varchar(31) NOT NULL, `ID` varchar(255) NOT NULL, `NUMBER_OF_TIMES_USED` int(11) DEFAULT NULL, `CREATION_TIME` datetime DEFAULT NULL, `EXPIRATION_POLICY` longblob NOT NULL, `LAST_TIME_USED` datetime DEFAULT NULL, `PREVIOUS_LAST_TIME_USED` datetime DEFAULT NULL, `AUTHENTICATION` longblob NOT NULL, `EXPIRED` bit(1) NOT NULL, `PROXIED_BY` longblob, `SERVICES_GRANTED_ACCESS_TO` longblob NOT NULL, `ticketGrantingTicket_ID` varchar(255) DEFAULT NULL, PRIMARY KEY (`ID`), KEY `FKiqyu3qw2fxf5qaqin02mox8r4` (`ticketGrantingTicket_ID`), CONSTRAINT `FKiqyu3qw2fxf5qaqin02mox8r4` FOREIGN KEY (`ticketGrantingTicket_ID`) REFERENCES `ticketgrantingticket` (`ID`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8
因为service 注册官网推荐使用Management Webapp来配置,所以还要配个这个
下载 https://github.com/Apereo/cas-services-management-overlay
修改pom添加依赖
<dependencies>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-management-webapp</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-jdbc</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-jpa-service-registry</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${mysql.driver.version}</version>
<scope>runtime</scope>
</dependency>
</dependencies>
<properties>
<cas.version>5.0.5</cas.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<mysql.driver.version>6.0.6</mysql.driver.version>
</properties>
注意其中mysql版本默认6.0.3有问题,升级成6.0.6
打包放到linux,添加application.properties
## # CAS Thymeleaf Views # spring.thymeleaf.cache=false spring.thymeleaf.mode=HTML ## # Embedded CAS Tomcat Container # server.context-path=/casmgr server.port=443 server.ssl.key-store=file:///home/admin/keystore/casssl.keystore server.ssl.key-store-password=123456 server.ssl.key-password=123456 ## # Log4J Configuration # server.context-parameters.isLog4jAutoInitializationDisabled=true logging.config=file:///home/admin/casmgr/log4j2.xml ## # CAS # cas.server.name=https://n2:8443 cas.server.prefix=${cas.server.name}/cas cas.mgmt.adminRoles=ROLE_ADMIN cas.mgmt.userPropertiesFile=file:///home/admin/casmgr/user-details.properties cas.mgmt.serverName=https://n2 ## # CAS Authentication Attributes # cas.authn.attributeRepository.attributes.uid=uid cas.authn.attributeRepository.attributes.displayName=displayName cas.authn.attributeRepository.attributes.cn=commonName cas.authn.attributeRepository.attributes.affiliation=groupMembership cas.authn.attributeRepository.attributes.lastName=lastName cas.authn.attributeRepository.attributes.firstName=firstName cas.authn.attributeRepository.attributes.givenName=givenName ## # CAS Web Application Config # server.session.timeout=1800 server.session.cookie.http-only=true server.session.tracking-modes=COOKIE ## # CAS Cloud Bus Configuration # Please leave spring.cloud.bus.enabled set to false # spring.cloud.bus.enabled=false cas.serviceRegistry.jpa.healthQuery=SELECT 1 cas.serviceRegistry.jpa.isolateInternalQueries=false cas.serviceRegistry.jpa.url=jdbc:mysql://172.16.37.64:3306/cas-local2?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=GMT%2B8 cas.serviceRegistry.jpa.failFast=true cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect cas.serviceRegistry.jpa.user=root cas.serviceRegistry.jpa.ddlAuto=validate cas.serviceRegistry.jpa.password=123456 cas.serviceRegistry.jpa.autocommit=false cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
注意cas.serviceRegistry.jpa.ddlAuto如果值为create server和management都会创建4张表,但是其中regexregisteredservice表 Management会多创建几个字段,所以使用Management创建的表即可
表sql:
CREATE TABLE `hibernate_sequence` ( `next_val` bigint(20) DEFAULT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredservice` ( `expression_type` varchar(15) NOT NULL DEFAULT 'ant', `id` bigint(20) NOT NULL, `access_strategy` longblob, `attribute_release` longblob, `description` varchar(255) NOT NULL, `evaluation_order` int(11) NOT NULL, `logo` varchar(255) DEFAULT NULL, `logout_type` int(11) DEFAULT NULL, `logout_url` varchar(255) DEFAULT NULL, `mfa_policy` longblob, `name` varchar(255) NOT NULL, `proxy_policy` longblob, `public_key` longblob, `required_handlers` longblob, `serviceId` varchar(255) NOT NULL, `theme` varchar(255) DEFAULT NULL, `username_attr` longblob, `bypassApprovalPrompt` bit(1) DEFAULT NULL, `clientId` varchar(255) DEFAULT NULL, `clientSecret` varchar(255) DEFAULT NULL, `generateRefreshToken` bit(1) DEFAULT NULL, `jsonFormat` bit(1) DEFAULT NULL, `jwks` varchar(255) DEFAULT NULL, `signIdToken` bit(1) DEFAULT NULL, `encryptAssertions` bit(1) DEFAULT NULL, `metadataCriteriaDirection` varchar(255) DEFAULT NULL, `metadataCriteriaPattern` varchar(255) DEFAULT NULL, `metadataCriteriaRemoveEmptyEntitiesDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRemoveRolelessEntityDescriptors` bit(1) DEFAULT NULL, `metadataCriteriaRoles` varchar(255) DEFAULT NULL, `metadataLocation` varchar(255) DEFAULT NULL, `metadataMaxValidity` bigint(20) DEFAULT NULL, `metadataSignatureLocation` varchar(255) DEFAULT NULL, `requiredAuthenticationContextClass` varchar(255) DEFAULT NULL, `requiredNameIdFormat` varchar(255) DEFAULT NULL, `signAssertions` bit(1) DEFAULT NULL, `signResponses` bit(1) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `regexregisteredserviceproperty` ( `id` bigint(20) NOT NULL, `property_values` longblob, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `registeredserviceimpl_props` ( `AbstractRegisteredService_id` bigint(20) NOT NULL, `properties_id` bigint(20) NOT NULL, `properties_KEY` varchar(255) NOT NULL, PRIMARY KEY (`AbstractRegisteredService_id`,`properties_KEY`), UNIQUE KEY `UK_i2mjaqjwxpvurc6aefjkx5x97` (`properties_id`), CONSTRAINT `FK1xan7uamsa94y2451jgksjkj4` FOREIGN KEY (`properties_id`) REFERENCES `regexregisteredserviceproperty` (`id`), CONSTRAINT `FK5ghaknoplphay7reury7n3vcm` FOREIGN KEY (`AbstractRegisteredService_id`) REFERENCES `regexregisteredservice` (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
添加登录用户配置user-details.properties, 使用默认casuser或者dba登录可以成功获得权限,但是ldap还不行原因不明
casuser=notused,ROLE_ADMIN
testAD=notused,ROLE_ADMIN
启动Management后会自动跳到server的登录页面,登录后可以添加service。
如果配置都正确server的console会定时刷新service的配置
[localhost-startStop-1] INFO org.apereo.cas.services.DefaultServicesManagerImpl - Loaded 4 services from JpaServiceRegistryDaoImpl.
