CAS 3.4.2.1: Summary and Notes

Installing CAS Server 3.4.2.1
1. The latest server-side package can be downloaded directly from http://www.jasig.org/cas/download;
    it can be used as-is to get a first impression.

2. After downloading the archive, extract it.
    In the ~/modules/ directory there is a file cas-server-webapp-3.4.2.1.war;
    this is a WAR file that can be deployed directly.

3. That WAR file does not contain the other CAS server modules, so remember to add the relevant modules:
    cas-server-support-generic-3.4.2.1.jar
    cas-server-support-jdbc-3.4.2.1.jar
    cas-server-support-ldap-3.4.2.1.jar
    cas-server-support-openid-3.4.2.1.jar
    cas-server-support-trusted-3.4.2.1.jar
    cas-server-support-x509-3.4.2.1.jar

4. Changing the username/password authentication:
    Inside that WAR file, under the WEB-INF/ directory, there is a file deployerConfigContext.xml.
    First locate the authentication handler configuration, authenticationHandlers (it is a bean id),
    then remove SimpleTestUsernamePasswordAuthenticationHandler (it is only a sample handler).
    4-1. The simplest username/password setup, of which there are two kinds:

         4-1-1. Define the users directly inline:
         <bean class="org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler">
             <property name="users">
                 <map>
                     <entry key="scott" value="password" />
                 </map>
             </property>
         </bean>

         4-1-2. Use a separate password file:
         <bean class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler" p:fileName="file:/opt/cas/file_of_passwords.txt" />

         Format of the /opt/cas/file_of_passwords.txt file:
         scott::password
         bob::password2
     4-2. Besides the username/password setups above, a database can of course also be used; do not forget to add the database's JDBC library.

        <!-- Security : Using JDBC security -->
        <bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
            <property name="tableUsers" value="users" />
            <property name="fieldUser" value="user_name" />
            <property name="fieldPassword" value="user_pass" />
            <property name="dataSource" ref="dataSource"/>
        </bean>
        <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
            <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
            <property name="url" value="jdbc:mysql://localhost:3306/pns"/>
            <property name="username" value="midc"/>
            <property name="password" value="midc"/>
        </bean>
        <!--
            <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
                <property name="jndiName" value="java:comp/env/jdbc/pns" />
            </bean>
        -->

  
Using Spring Security 3.0 as the CAS client:
1. securityContext.xml is configured as follows:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value = "WEB-INF/securityContext.properties" />
    </bean>

    <sec:global-method-security secured-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <sec:protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </sec:global-method-security>

    <sec:http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
        <sec:intercept-url pattern="/intranet/**" access="ROLE_SUPERVISOR"/>
        <sec:intercept-url pattern="/intranet/**" access="IS_AUTHENTICATED_REMEMBERED" />
       
        <sec:intercept-url pattern="/samplestore/**" access="ROLE_SUPERVISOR"/>
        <sec:intercept-url pattern="/samplestore/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <!-- Disable web URI authorization, as we're using <global-method-security> and have @Secured the services layer instead
        <sec:intercept-url pattern="/listAccounts.html" access="IS_AUTHENTICATED_REMEMBERED" />
        <sec:intercept-url pattern="/post.html" access="ROLE_TELLER" />
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <sec:intercept-url pattern="/**" filters="none" />
        -->
        <sec:intercept-url pattern="/**" filters="none" />
        <!-- Uncomment to enable X509 client authentication support
        <sec:x509 />
        -->
        <!-- <sec:form-login login-page='/index.jsp?mode=login' default-target-url='/intranet/init.do' always-use-default-target='true' /> -->
        <sec:logout logout-url="/j_spring_security_logout" logout-success-url="/index.jsp" />
        <!-- All of this is unnecessary if auto-config="true"
        <sec:form-login />
        <sec:anonymous />
        <sec:http-basic />
        <sec:logout />
        <sec:remember-me /> -->
        <sec:custom-filter position="FORM_LOGIN_FILTER" ref="casFilter" />

        <!-- Uncomment to limit the number of sessions a user can have -->
        <!-- <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/> -->
    </sec:http>

    <!--
    Usernames/Passwords are
        rod/koala
        dianne/emu
        scott/wombat
        peter/opal
    -->
   
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="casAuthenticationProvider"  />
    </sec:authentication-manager>

    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
        p:service="${cas.securityContext.serviceProperties.service}"
        p:sendRenew="false" />

    <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
        p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
        p:serviceProperties-ref="serviceProperties" />
   
    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
        p:key="an_id_for_this_auth_provider_only"
        p:serviceProperties-ref="serviceProperties"
        p:userDetailsService-ref="userService">
        <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}" />
            </bean>
        </property>
    </bean>

    <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName" value="java:comp/env/jdbc/pns" />
    </bean>

    <bean id="userService" class="gov.vghtpe.wps.security.AuthJdbcUserDetailsManager">
        <property name="dataSource" ref="dataSource"/>
        <property name="usersByUsernameQuery" value="SELECT username, password FROM usertable WHERE username = ?" />
        <property name="authoritiesByUsernameQuery" value="SELECT username, rolename FROM roletable WHERE username = ?" />
    </bean>

</beans>
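To make concrete what the Cas20ServiceTicketValidator bean above does on every login, here is an added Python example (not part of the original post or of the CAS client library): it builds the /serviceValidate URL from casServerUrlPrefix and the service URL, then parses the CAS 2.0 XML reply, rejecting anything that is not a proper cas:serviceResponse. The server URL, service URL, ticket and both sample responses are constructed for the example.

```python
# Added example (not from the original post or the CAS client library):
# what Cas20ServiceTicketValidator does after CasAuthenticationFilter receives
# a ticket: call /serviceValidate on the CAS server and parse the CAS 2.0 XML
# reply. All URLs, tickets and responses below are constructed sample data.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 responses


def build_validate_url(cas_server_url_prefix, service, ticket, renew=False):
    """URL the client calls. `service` must be the exact URL the ticket was
    issued for (the ServiceProperties p:service value); the CAS server
    refuses to validate a ticket presented for a different service."""
    params = {"service": service, "ticket": ticket}
    if renew:  # counterpart of p:sendRenew="true": demand fresh credentials
        params["renew"] = "true"
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + urlencode(params)


def parse_cas2_response(xml_text):
    """Return {'ok': True, 'user': name} on success, or
    {'ok': False, 'code': ..., 'message': ...} on a CAS failure element.
    Any other document is rejected instead of being treated as a login."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS 2.0 serviceResponse")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = (success.findtext(CAS_NS + "user") or "").strip()
        if not user:  # a success element without a principal is not usable
            raise ValueError("authenticationSuccess without cas:user")
        return {"ok": True, "user": user}
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")


# Constructed sample replies in the CAS 2.0 format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>scott</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url("https://cas.example.org/cas", "https://app.example.org/login/cas", "ST-1-abc"))
    print(parse_cas2_response(SUCCESS_XML))
    print(parse_cas2_response(FAILURE_XML))
```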

Also, if you see SunCertPathBuilderException, it means the keystore does not match;
the fix is simply to regenerate cacerts.

There are two commands:
see http://fenjj.spaces.live.com/default.aspx?_c01_BlogPart=blogentry&_c=BlogPart&handle=cns!331D3CB02AB129C0!368

keytool -export -file $JAVA_HOME/jre/lib/security/server.crt -keystore $CATALINA_HOME/.keystore -alias tomcat -storepass changeit

keytool -import -file $JAVA_HOME/jre/lib/security/server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

About fenjj

Perfect !!??...
This entry was posted in Uncategorized.