Jasig CAS java

coldwaterphew, Servers

17 Nov 2013


Jasig CAS Java Client


https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

1. Configuring the CAS Client

Let's take a look at how to configure the JA-SIG CAS Client for Java 3.1:

1.1. Configuring the Jasig CAS Client for Java in the web.xml

The CAS Client for Java 3.1/3.2 can be configured in web.xml via a series of context-params and filter init-params. Each filter for the CAS Client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:

1. Check the filter's local init-params for a parameter matching the required property name.

2. Check the context's parameters for a parameter matching the required property name.

If two properties are found with the same name in the init-params and the context's params, the init-param takes precedence. This method of configuration is useful in the scenario where two filters share properties (such as the renew property).

Note: The correct order of the filters in web.xml is necessary:

1. AuthenticationFilter

2. TicketValidationFilter (whichever one is chosen)

3. HttpServletRequestWrapperFilter

4. AssertionThreadLocalFilter

If you're using the serverName property (see below), you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

Available filters are as follows:

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be
authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login

service or serverName:

  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html

  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).

gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).

artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").

serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

casServerLoginUrl - Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login

service or serverName:

  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html

  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).

gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).

artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "SAMLArt").

serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "TARGET").

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
</filter>

Required Properties

casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.

serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

Optional Properties

redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.

useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.

exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.

renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false".

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.

serverName or service:

  serverName - the server name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port).

  service - the service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html

Optional Properties

redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.

useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.

exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.

tolerance (default: 1000 mSec) - the tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization.

renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (NOTE: Available as of version 3.1.6.)

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Proxy Authentication

If you are using proxy validation, you should map the validation filter before the authentication filter.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>

Required Properties

casServerUrlPrefix - the start of the CAS server URL, i.e. https://localhost:8443/cas.

serverName - the start of the URL that this application is running on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). Service URL is passed to the CAS server for ticket validation.

Optional Properties

redirectAfterValidation (default: true) - whether to redirect to the same URL after ticket validation, but without the ticket in the parameter.

useSession (default: true) - whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request.

exceptionOnValidationFailure (default: true) - whether to throw an exception or not on ticket validation failure.

proxyReceptorUrl (default: null) - the URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined from the root of the context. For example, if your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor you need to configure proxyReceptorUrl to be /my/receptor.

renew (default: false) - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false".

acceptAnyProxy (default: false) - specifies whether any proxy is OK.

allowedProxyChains (default: null) - specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs. Each acceptable proxy chain should appear on its own line.

proxyCallbackUrl (default: none) - the callback URL to provide the CAS server to accept Proxy Granting Tickets.

proxyGrantingTicketStorageClass (@since 3.1.9) (default: none) - specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.

Replicating PGT using "proxyGrantingTicketStorageClass" and Distributed Caching

The Java CAS client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such in the web.xml file for the filter:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

The setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless of which node is selected as the result of the load balancer rerouting.

Note: A similar implementation based on Memcached is also available.

Configuration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through one of its suggested ways. A sample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable.

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

Required Properties

None

Optional Properties

None

org.jasig.cas.client.util.AssertionThreadLocalFilter

Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter "fronts" needs to get the Principal name, but it has no access to the HttpServletRequest, hence making a getRemoteUser() call impossible.

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>


1.2. Configuring the JA-SIG CAS Client for Java using Spring


Configuration of the CAS Client for Java via Spring IoC will depend heavily on Spring's DelegatingFilterProxy class. For each filter that will be configured for CAS via Spring, a corresponding DelegatingFilterProxy is needed in the web.xml.

As the SingleSignOutFilter, HttpServletRequestWrapperFilter and AssertionThreadLocalFilter have no configuration options, we recommend you just configure them in the web.xml.

Note: A sample authentication configuration is attached to this page.

Bean definition examples:

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetBeanName</param-name>
    <param-value>authenticationFilter</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

AuthenticationFilter

<bean name="authenticationFilter" class="org.jasig.cas.client.authentication.AuthenticationFilter"
      p:casServerLoginUrl="https://localhost:8443/cas/login"
      p:renew="false"
      p:gateway="false"
      p:service="https://my.local.service.com/cas-client" />

Cas10TicketValidationFilter

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas10TicketValidationFilter"
      p:service="https://my.local.service.com/cas-client">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas10TicketValidator">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
    </bean>
  </property>
</bean>

Saml11TicketValidationFilter

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Saml11TicketValidationFilter"
      p:service="https://my.local.service.com/cas-client">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
    </bean>
  </property>
</bean>

Note: When using the Saml11TicketValidationFilter for non-SAML authentication with attribute release the artifactParameterName must be set to "ticket" for the ticket to be consumed by the filter. Add p:artifactParameterName="ticket" to the bean definition above.

Cas20ProxyReceivingTicketValidationFilter

Configuration to just validate service tickets:

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
      p:service="https://my.local.service.com/cas-client">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
    </bean>
  </property>
</bean>

Configuration to accept a Proxy Granting Ticket:

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
      p:service="https://my.local.service.com/cas-client"
      p:proxyReceptorUrl="/proxy/receptor">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
          p:proxyCallbackUrl="/proxy/receptor">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
    </bean>
  </property>
</bean>

Configuration to accept any Proxy Ticket (and Proxy Granting Tickets):

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
      p:service="https://my.local.service.com/cas-client"
      p:proxyReceptorUrl="/proxy/receptor">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
          p:acceptAnyProxy="true"
          p:proxyCallbackUrl="/proxy/receptor">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
    </bean>
  </property>
</bean>

Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):

<bean name="ticketValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
      p:service="https://my.local.service.com/cas-client"
      p:proxyReceptorUrl="/proxy/receptor">
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
          p:proxyCallbackUrl="/proxy/receptor">
      <constructor-arg index="0" value="https://localhost:8443/cas" />
      <property name="allowedProxyChains">
        <list>
          <value>http://proxy1 http://proxy2</value>
        </list>
      </property>
    </bean>
  </property>
</bean>
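The acceptAnyProxy and allowedProxyChains rules from the Cas20ProxyReceivingTicketValidationFilter description, applied to the proxy list of a CAS 2.0 validation response, as an added Python example that is not the page's or java-cas-client's own code. It assumes the simplest reading of the page (a chain is accepted only when it matches one configured chain exactly, one chain per line, URLs separated by spaces) and constructs the serviceResponse it parses.

```python
"""Model the acceptAnyProxy / allowedProxyChains settings of
Cas20ProxyTicketValidator against the proxy list in a CAS 2.0 validation
response. Added example, not code from the Jasig page or java-cas-client;
it assumes a chain is acceptable only if it matches one configured chain
exactly (one chain per line, URLs separated by spaces). SAMPLE_RESPONSE is
a constructed serviceResponse."""
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 responses

# The page's Spring example as the text value of allowedProxyChains, plus a
# second single-hop chain (constructed).
ALLOWED_PROXY_CHAINS = """
http://proxy1 http://proxy2
http://proxy3
"""

SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxies>
      <cas:proxy>http://proxy1</cas:proxy>
      <cas:proxy>http://proxy2</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_allowed_proxy_chains(text):
    """One chain per non-empty line, each a list of space-separated URLs."""
    return [line.split() for line in text.splitlines() if line.strip()]


def parse_service_response(xml_text):
    """Return (user, proxies) from a successful response, (None, []) otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None, []
    user = (success.findtext(CAS_NS + "user") or "").strip()
    proxies = [p.text.strip() for p in success.iter(CAS_NS + "proxy")]
    return user, proxies


def proxy_chain_accepted(proxies, allowed_chains, accept_any_proxy=False):
    """No proxies (a plain service ticket) is fine, acceptAnyProxy skips the
    check, otherwise the whole chain, in response order, must be listed."""
    if not proxies or accept_any_proxy:
        return True
    return list(proxies) in allowed_chains


def validate(xml_text, allowed_text, accept_any_proxy=False):
    """Return the authenticated user, or None if the proxy chain is rejected."""
    user, proxies = parse_service_response(xml_text)
    if user is None:
        return None
    chains = parse_allowed_proxy_chains(allowed_text)
    return user if proxy_chain_accepted(proxies, chains, accept_any_proxy) else None
```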


1.3. Configuring the JA-SIG CAS Client for Java using JNDI


Configuring the JASIG CAS Client for Java via JNDI is essentially the same as configuring the client via the web.xml, except the properties will reside in JNDI and not in the web.xml.

All properties that are placed in JNDI should be placed under java:comp/env/cas

We use the following conventions:

1. JNDI will first look in java:comp/env/cas/{SHORT FILTER NAME}/{PROPERTY NAME} (i.e. java:comp/env/cas/AuthenticationFilter/serverName)

2. JNDI will as a last resort look in java:comp/env/cas/{PROPERTY NAME} (i.e. java:comp/env/cas/serverName)

Example: (this is an update to the META-INF/context.xml that is included in Tomcat 6's Manager application)

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Context antiResourceLocking="false" privileged="true">
  <Environment description="" name="cas/serverName" override="false"
               type="java.lang.String" value="http://localhost:8080" />
  <Environment description="" name="cas/AuthenticationFilter/casServerLoginUrl" override="false"
               type="java.lang.String" value="https://www.ja-sig.org/cas/login" />
  <Environment description="" name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix" override="false"
               type="java.lang.String" value="https://www.ja-sig.org/cas" />
</Context>
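The JNDI lookup order above (filter-specific entry first, shared cas/{PROPERTY NAME} entry as the fallback) applied to the context.xml example, as an added Python example that is not the page's or java-cas-client's own code. The Environment entries are copied into a constructed string, and the required-property lists are taken from the filter descriptions in section 1.1; the https check at the end is an added caveat, not something the page states.

```python
"""Resolve CAS client properties from Tomcat <Environment> entries using the
lookup order the page gives for JNDI: cas/{SHORT FILTER NAME}/{PROPERTY NAME}
first, then cas/{PROPERTY NAME}. Added example, not code from the Jasig page
or java-cas-client; CONTEXT_XML is a constructed copy of the page's three
entries and REQUIRED mirrors the filter descriptions in section 1.1."""
import xml.etree.ElementTree as ET

CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
  <Environment name="cas/serverName" type="java.lang.String"
               value="http://localhost:8080" override="false"/>
  <Environment name="cas/AuthenticationFilter/casServerLoginUrl" type="java.lang.String"
               value="https://www.ja-sig.org/cas/login" override="false"/>
  <Environment name="cas/Cas20ProxyReceivingTicketValidationFilter/casServerUrlPrefix"
               type="java.lang.String" value="https://www.ja-sig.org/cas" override="false"/>
</Context>"""

# Required properties per short filter name (serverName stands in for the
# "service or serverName" choice).
REQUIRED = {
    "AuthenticationFilter": ["casServerLoginUrl", "serverName"],
    "Cas10TicketValidationFilter": ["casServerUrlPrefix", "serverName"],
    "Cas20ProxyReceivingTicketValidationFilter": ["casServerUrlPrefix", "serverName"],
}


def load_environment(text):
    """Map each <Environment> name (relative to java:comp/env) to its value."""
    root = ET.fromstring(text)
    return {e.get("name"): e.get("value") for e in root.iter("Environment")}


def resolve(env, short_filter_name, prop):
    """Return (jndi_name, value): the filter-specific entry wins, the shared
    cas/{prop} entry is the fallback, (None, None) when neither exists."""
    for name in (f"cas/{short_filter_name}/{prop}", f"cas/{prop}"):
        if name in env:
            return name, env[name]
    return None, None


def check_filter(env, short_filter_name):
    """Resolve every required property of a filter; returns (found, missing)."""
    found, missing = {}, []
    for prop in REQUIRED[short_filter_name]:
        name, value = resolve(env, short_filter_name, prop)
        if name is None:
            missing.append(prop)
        else:
            found[prop] = (name, value)
    return found, missing


def plaintext_cas_urls(found):
    """CAS server URLs that are not https: tickets would travel in clear text."""
    return sorted(prop for prop, (_, value) in found.items()
                  if prop in ("casServerLoginUrl", "casServerUrlPrefix")
                  and not value.lower().startswith("https://"))
```

Run against the page's entries, a Cas10TicketValidationFilter would come up with casServerUrlPrefix missing, because that entry exists only under the Cas20ProxyReceivingTicketValidationFilter name.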


1.4. Configuring Single Sign Out


The SingleSignOutFilter can affect character encoding. This becomes most obvious when used in conjunction with Confluence. It's recommended you explicitly configure either the VT Character Encoding Filter or the Spring Character Encoding Filter with explicit encodings.

The Single Sign Out support in CAS consists of configuring one filter and one ContextListener. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described on the preceding page.

Add the following configuration to your web.xml where appropriate:

With CAS 2.0 Protocol

<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

...

<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

...

<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

With SAML 1.1 Protocol

<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  <init-param>
    <param-name>artifactParameterName</param-name>
    <param-value>SAMLart</param-value>
  </init-param>
</filter>

...

<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

...

<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>



2. Order of Required Filters

How to configure the filters is described on the pages above. This section details the order in which the filters should appear:

1. SingleLogOutFilter (if you're using it)

2. AuthenticationFilter

3. TicketValidationFilter (whichever one is chosen)

4. HttpServletRequestWrapperFilter

5. AssertionThreadLocalFilter

Please note that the order of the filters is determined by the filter-mapping, not the filter definitions.
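A lint for the two web.xml rules this page states, the runtime order being set by filter-mapping order (section 2) and a filter's init-param taking precedence over a context-param of the same name (section 1.1), as an added Python example that is not the page's or java-cas-client's own code. The web.xml it parses is constructed for the example; the filter classes are the ones listed above.

```python
"""Lint a CAS client web.xml: runtime order comes from <filter-mapping> order,
and a property is read from the filter's init-param before the context-param.
Added example (not from the Jasig page or java-cas-client); SAMPLE_WEB_XML is
constructed and FILTER_RANK encodes the page's "Order of Required Filters"."""
import xml.etree.ElementTree as ET

FILTER_RANK = {  # lower rank must be mapped first
    "org.jasig.cas.client.session.SingleSignOutFilter": 0,
    "org.jasig.cas.client.authentication.AuthenticationFilter": 1,
    "org.jasig.cas.client.authentication.Saml11AuthenticationFilter": 1,
    "org.jasig.cas.client.validation.Cas10TicketValidationFilter": 2,
    "org.jasig.cas.client.validation.Saml11TicketValidationFilter": 2,
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter": 2,
    "org.jasig.cas.client.util.HttpServletRequestWrapperFilter": 3,
    "org.jasig.cas.client.util.AssertionThreadLocalFilter": 4,
}

# Constructed sample: renew is shared via context-param and overridden for the
# authentication filter only; the mappings run validation before authentication.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>renew</param-name><param-value>true</param-value></context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name><param-value>https://cas.example.test/cas/login</param-value></init-param>
    <init-param><param-name>renew</param-name><param-value>false</param-value></init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name><param-value>https://cas.example.test/cas</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""


def _text(el, tag):
    return (el.findtext("{*}" + tag) or "").strip()  # {*} tolerates a default xmlns

def parse_web_xml(text):
    """Return (filters, context_params, mapping_order) for a web.xml string."""
    root = ET.fromstring(text)
    context_params = {_text(cp, "param-name"): _text(cp, "param-value")
                      for cp in root.findall("{*}context-param")}
    filters = {}
    for f in root.findall("{*}filter"):
        init = {_text(ip, "param-name"): _text(ip, "param-value")
                for ip in f.findall("{*}init-param")}
        filters[_text(f, "filter-name")] = {"class": _text(f, "filter-class"), "init": init}
    mapping_order = [_text(fm, "filter-name") for fm in root.findall("{*}filter-mapping")]
    return filters, context_params, mapping_order

def resolve_property(filters, context_params, filter_name, prop):
    """Filter init-param first, then context-param; None if neither defines it."""
    init = filters[filter_name]["init"]
    return init[prop] if prop in init else context_params.get(prop)

def order_problems(filters, mapping_order):
    """Messages for CAS filters whose filter-mapping breaks the required order."""
    problems, last_rank, last_name = [], -1, None
    for name in mapping_order:
        rank = FILTER_RANK.get(filters[name]["class"])
        if rank is None:  # not a CAS filter
            continue
        if rank < last_rank:
            problems.append(f"{name} is mapped after {last_name} but must run before it")
        else:
            last_rank, last_name = rank, name
    return problems
```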

3. Recommended Logout Procedure

The CAS Client for Java has no code to help you handle log out. The client merely places objects in session. Therefore, we recommend you do a session.invalidate() call when you log a user out. However, that's entirely your application's responsibility.

The CAS Client for Java team has recommended guidelines for logout pages for CAS Clients. We recommend that text similar to the following appear when the application's session is ended.

Recommended logout text

You have been logged out of APPLICATION NAME GOES HERE.

To log out of all applications, click here. (provide link to CAS server's logout)

4. Examples

web.xml for Tomcat 5.5 Tomcat Manager (just authentication)

JA-SIG Java Client Simple WebApp Sample (authentication, public and protected pages and proxy ticket generation)

Saml11TicketValidationFilter Example (authentication and attribute display)

5. Git source code access

Point your favorite git client at the link below:

https://github.com/Jasig/java-cas-client