This post explains the configuration of the Jasig CAS Proxy and how CAS Proxy Authentication works. The CAS Server's own settings are not covered; the focus is solely on the Jasig CAS Proxy configuration.
Preparing the environment
Only the CAS Client needs to be configured, so the following environment is sufficient:
- JDK (Java Development Kit) version 1.6+
- Apache Tomcat 6+
- JA-SIG CAS 3.4.2.1+
Download the JA-SIG CAS Java Client Simple WebApp Sample.
Download the EsiGate modules; because EsiGate uses CAS Proxy Authentication, its sample is used directly for this explanation.
CAS Proxy Protocol
CAS Proxy is used in an architecture such as a Portal with a Mail Server. After employee John logs in to the Portal Server and then uses the Mail Server to read his mail, the Mail Server has to authenticate John. Without CAS Proxy, the Portal Server and the Mail Server each authenticate separately against the CAS Server. With CAS Proxy, the Portal Server stands in for the CAS Server, and the Mail Server only needs to obtain authentication through the Portal Server.
Role definitions
- CAS Server: Single Sign On Authentication
- Portal Server: Proxying Application, CAS Client Proxy, Proxy Service
- Mail Server: Proxied Application, Back-End Service, Target Service
Configuring the Proxying Application
- Here the Proxying Application is mywebapp. After deploying it, edit %TOMCAT_HOME%\webapps\mywebapp\WEB-INF\web.xml. The proxy-related settings are at lines 55, 59 and 105 of that file. Some people online state that the CAS Validation Filter (line 105) has to be configured before the CAS Authentication Filter, but testing showed this is not required; the sample configuration can be used as-is. Next, adjust the CAS Server-related settings: because the test environment runs on port 8080, casServerLoginUrl and the related parameters were changed accordingly.
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>mywebapp</display-name>
<description>
Simple sample, how to use CAS Java Client 3.x.
In this sample exists a public area (/)
and a private area (/protected/*).
</description>
<!-- Sign out not yet implemented -->
<!--
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
-->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://localhost:8080/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>renew</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>gateway</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8080/cas/</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>http://localhost:8080/mywebapp/proxyCallback</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/mywebapp/proxyCallback</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<!-- ************************* -->
<!-- Sign out not yet implemented -->
<!--
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/protected/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
<!-- *********************** -->
<!-- Sign out not yet implemented -->
<!--
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
-->
<!-- *********************** -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
- Edit $TOMCAT_HOME\webapps\mywebapp\protected\getpt.jsp. Only the modified part is listed below; just the targetService variable needs to change. esigate-app-casified-aggregated1 is an ESIGate module, which is deployed in the next step.
<%-- ====================================================================== --%>
Fetch new proxy ticket from CAS server
<%
//String targetService = "http://otherserver/legacy/service";
String targetService = "http://localhost:8080/esigate-app-casified-aggregated1/block.jsp";
String result1 = assertion1.getPrincipal().getProxyTicketFor(targetService);
String result2 = assertion2.getPrincipal().getProxyTicketFor(targetService);
%>
- Valid for service:
- <%= targetService %>
- PT (from assertion 1):
- <%= result1 %>
- PT (from assertion 2):
- <%= result2 %>
Configuring the Proxied Application
- Unzip the downloaded ESIGate modules and deploy the following three: esigate-app-casified-aggregator, esigate-app-casified-aggregated1 and esigate-app-casified-aggregated2. Both esigate-app-casified-aggregated1 and esigate-app-casified-aggregated2 are Proxied Applications. The proxy-related settings are at lines 32 and 33 of its web.xml; the CAS Server settings must be changed in the same way as before, and esigate-app-casified-aggregated2 is modified likewise.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://localhost:8080/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>acceptAnyProxy</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
- Once everything above is configured, start Tomcat.
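In the proxied application's web.xml above, acceptAnyProxy=true makes aggregated1 accept a proxy ticket no matter which proxy obtained it; the Jasig client's allowedProxyChains parameter instead limits acceptance to listed proxy callback URLs. The following added example (not part of the sample or of the Jasig client) parses a constructed CAS 2.0 /proxyValidate response and applies that chain decision, assuming a proxy is identified by its proxyCallbackUrl as in the configuration above.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of the CAS 2.0 /proxyValidate response a proxied
# application (aggregated1) receives for a PT issued through mywebapp's PGT.
# <cas:proxies> lists each proxy's callback URL, most recent proxy first.
PROXY_VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>john</cas:user>
    <cas:proxies>
      <cas:proxy>http://localhost:8080/mywebapp/proxyCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response, e.g. for a PT that was already consumed.
PROXY_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_proxy_validate(xml_text):
    """Return (user, proxy_chain); raise ValueError on failure or malformed body."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        msg = (failure.text or "").strip()
        raise ValueError("%s: %s" % (failure.get("code"), msg))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, chain


def proxy_chain_allowed(chain, allowed_chains, accept_any_proxy=False):
    """Mirror of the client's acceptAnyProxy / allowedProxyChains decision.

    An empty chain is a plain service ticket and is always accepted. A proxied
    ticket is accepted only if its whole chain equals one configured chain;
    acceptAnyProxy=true (the sample's setting) skips that comparison entirely.
    """
    if not chain or accept_any_proxy:
        return True
    return chain in allowed_chains
```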
Test results
Open the following link in a browser, then click the "got to protected area" link.
http://localhost:8080/mywebapp/
After logging in you can see the User Name; then click the "request a proxy ticket" link and you will see a screen like the one below, showing that a proxy ticket has been obtained.
The other deployed module, esigate-app-casified-aggregator, plays the role of Proxying Application, so it can be configured the same way as mywebapp, except that only web.xml needs to be modified. The result after the change is shown below: when requests are made to aggregated1 (yellow background) and aggregated2 (cyan background), Proxy Authentication means they authenticate only against the Proxying Application. Unlike authentication against the CAS Server, where the CAS Server redirects the CAS Client (aggregated1), no redirect screen appears with Proxy Authentication.
PS.
- During testing it was found that this sample does not run on CAS 3.4.3, but for lack of time it could not be fully confirmed whether this is a problem in CAS 3.4.3 or has another cause; any further findings will be added here.
Related settings and explanations can be found in:
JA-SIG Java Client Simple WebApp Sample
Configuring the JA-SIG CAS Client for Java in the web.xml
CAS 3.x Proxy Configuration
ESIGate - Implementing SSO using JASIG CAS
Why do we need proxy authentication?
CASinstallClient
Proxy CAS Walkthrough
CAS Summary: Tickets