单点登录(十三)-----实战-----cas4.2.X登录启用mongodb验证方式完整流程
2017-02-10 14:57
921 查看
我们在之前的文章中中已经讲到了正确部署运行cas server 和 在cas client中配置。
在此基础上 我们去掉了https的验证,启用了http访问的模式。
单点登录(七)-----实战-----cas server去掉https验证
但是我们之前部署的cas server,用户登录时使用的是简单的文本配置方式。
deployerConfigContext.xml中的配置方式是
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
配置的帐号密码
##
# Accepted Users Authentication
#
accept.authn.users=casuser::Mellon
帐号密码就是casuser和Mellon。
想要新增帐号密码只要在accept.authn.users=casuser::Mellon下增加就行了。
例如
accept.authn.users=casuser::Mellon
accept.authn.users=crm::1234567
但是帐号密码配置到配置文件中不符合我们新增用户和安全的考虑。
一般帐号密码应该存储在数据库或者服务器中。
cas在这方面支持很多种帐号密码的验证方式。
例如网上有很多资料 写到的 LDAP 以及 JDBC 方式。
因为我们一直是在使用mongodb数据库,但是现在网络中关于mongodb验证方式的文档比较少,官网中也没有详细的步骤。
本章我们就记录cas4.2.X登录启用mongodb验证方式完整流程。
首先我们要确保cas框架能正常运行并且acceptUsersAuthenticationHandler配置文件简单的帐号密码验证方式能登录成功。
在此基础上我们进行改动。
这里需要的是 建议使用maven或者gradle框架来引入,不要手动引入子项目。
因为手动引入子项目不会自动引入子项目依赖的jar包,运行的时候会出现各种问题。
而maven或者gradle引入的话会自动下载关联依赖的jar包。
刚好cas 4.2.X以上都是使用gradle配置的,所以我们只需要在build.gradle中加入需要的子项目即可。
mongodb验证需要的子项目是 cas-server-support-mongo。
参考
https://apereo.github.io/cas/5.0.x/installation/MongoDb-Authentication.html#mongodb-authentication
我们在build.gradle中dependencies里 添加 compile project(':cas-server-support-mongo')
然后在对着项目右键 gradle ---->refresh gradle project
项目就会自动下载需要的jar包了。
我们可以查看项目的包库中是否包含pac4j-mongo包就知道是否成功依赖了关联的jar包。
所以我们需要把大部分的子项目或者全部的子项目用设置成jar包的形式发布。
让子项目在父项目部署发布时以jar包的方式放入lib文件夹中,而不是源码编辑文件进入classes文件夹。右键->properties->MyEclipse->Deployement Assembly在下方点开Merged deployment of modules将默认的Enable merged deployment of Utility and EJB modules复选框勾去掉即可选中Enable project specific settings
验证方法是否生效:部署时父项目显示Exploded,而引入的子项目是:packaged,在到工程的lib目录下面去查看就可以看到构建好的jar包了。
这说明设置生效。
去掉勾之后配置的地方都会变成disabled了。
如果我们不是要把所有的子项目都这样处理成jar包引入,而是有选择性的一些放入jar包可以不去掉勾,而是在merged deployment里配置,on是引入的工程合并到WEB-INFO/classes目录下,能看到编译文件class,off是打成jar包,放入lib。
打成jar包的子项目的配置文件xml不会影响到父项目。
更多解释详见:单点登录(五)-----遇到问题-----cas server 源码部署tomcat运行报错BeanCreationException:Error creating bean with name 's
"username": "casuser",
"password": "34598dfkjdjk3487jfdkh874395",
"first_name": "john",
"last_name": "smith"
}
如图:
https://apereo.github.io/cas/5.0.x/installation/MongoDb-Authentication.html#mongodb-authentication
经过我的测试 其实文档格式也随意,只要后面设置帐号密码字段对应起来就可以了。例如我这里的文档是:{
"_id": ObjectId('5743bf4e0cf2b3488bad9c98'),
"_class": "com.test.domain.entity.DataManager",
"username": "crm",
"password": "1234567",
"permissionList": [
"parseResultAdd",
"parseResultAddMulti",
"resultlist"
],
"roleList": [
"normal"
],
"createtime": "May 24, 2016 10:41:18 AM",
"ower": "crm"
}
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
注释掉,
修改成
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
如图:
完整deployerConfigContext.xml见附录。
注释accept.authn.users=casuser::Mellon
变成#accept.authn.users=casuser::Mellon
新增cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
cas.authn.mongo.collection.name 对应集合名
cas.authn.mongo.db.host是使用uri方式的连接方式,我这里是不带帐号密码的方式,192.168.30.249是ip,27017是端口,test是数据库名。
如果是加了验证方式的mongodb,则需要在uri连接里增加帐号密码。例如mongodb://帐号:密码@192.168.30.249:27017/test
cas.authn.mongo.attributes是说明集合中有哪些属性,默认可以空着不填或者不设置
cas.authn.mongo.username.attribute是使用哪个字段对应帐号
cas.authn.mongo.password.attribute是使用哪个字段对应密码
其他参数参考官方文档https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html
MongoDb Authentication
To learn more about this topic, please review this guide.
# cas.authn.mongo.mongoHostUri=mongodb://uri
# cas.authn.mongo.usernameAttribute=username
# cas.authn.mongo.attributes=
# cas.authn.mongo.passwordAttribute=password
# cas.authn.mongo.collectionName=users
# cas.authn.mongo.principalTransformation.suffix=
# cas.authn.mongo.principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.mongo.principalTransformation.prefix=
# cas.authn.mongo.passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT
# cas.authn.mongo.passwordEncoder.characterEncoding=
# cas.authn.mongo.passwordEncoder.encodingAlgorithm=
# cas.authn.mongo.passwordEncoder.secret=
# cas.authn.mongo.passwordEncoder.strength=16
完整cas.properties见附录。
重启加载部署启动项目后 发现使用mongodb中的帐号crm和密码1234567可以登录了,这里是明文存储的密码,不合理,在一下章节我们讲加密。
但是在cas-server的代码中有一个子项目叫做cas-server-documentation。
里面有相对详细的配置步骤。
除了mongodb的认证配置,其他配置也可以参考。
如图:
---
layout: default
title: CAS - MongoDb Authentication
---
# MongoDb Authentication
Verify and authenticate credentials against a [MongoDb](https://www.mongodb.org/) instance.
```xml
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
```
Support is enabled by including the following dependency in the Maven WAR overlay:
```xml
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-mongo</artifactId>
<version>${cas.version}</version>
</dependency>
```
The following settings are applicable:
```properties
cas.authn.mongo.collection.name=users
cas.authn.mongo.db.host=mongodb://user:password@ds061954.somewhere.com:61954/database
cas.authn.mongo.attributes=attribute1,attribute2
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
```
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<util:map id="authenticationHandlersResolvers">
<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>
<util:list id="authenticationMetadataPopulators">
<ref bean="successfulHandlerMetaDataPopulator" />
<ref bean="rememberMeAuthenticationMetaDataPopulator" />
</util:list>
<bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<!-- <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" /> -->
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
<alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />
<util:map id="attrRepoBackingMap">
<entry key="username" value="uid" />
</util:map>
<alias name="serviceThemeResolver" alias="themeResolver" />
<alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
<!-- <alias name="mongoServiceRegistryDao" alias="serviceRegistryDao" /> -->
<alias name="defaultTicketRegistry" alias="ticketRegistry" />
<alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
<alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
<alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
<alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
<bean id="auditTrailManager"
class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
p:entrySeparator="${cas.audit.singleline.separator:|}"
p:useSingleLine="${cas.audit.singleline:false}"/>
<alias name="neverThrottle" alias="authenticationThrottle" />
<util:list id="monitorsList">
<ref bean="memoryMonitor" />
<ref bean="sessionMonitor" />
</util:list>
<alias name="defaultPrincipalFactory" alias="principalFactory" />
<alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
<alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
<alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>
ps: attrRepoBackingMap这个属性我也有改动成
<util:map id="attrRepoBackingMap">
<entry key="username" value="uid" />
</util:map>
原来是
<util:map id="attrRepoBackingMap">
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
<entry>
<key><value>memberOf</value></key>
<list>
<value>faculty</value>
<value>staff</value>
<value>org</value>
</list>
</entry>
</util:map>
这个主要涉及到 后面 获取登录后实体的其他属性和参数,不知道是否会影响登录。如果按好上面步骤修改登录不了 可以尝试修改这个地方。
server.prefix=${server.name}/cas
# security configuration based on IP address to access the /status and /statistics pages
# cas.securityContext.adminpages.ip=127\.0\.0\.1
##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
# host.name=
##
# JPA Ticket Registry Database Configuration
#
# ticketreg.database.ddl.auto=create-drop
# ticketreg.database.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# ticketreg.database.batchSize=10
# ticketreg.database.driverClass=org.hsqldb.jdbcDriver
# ticketreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# ticketreg.database.user=sa
# ticketreg.database.password=
# ticketreg.database.pool.minSize=6
# ticketreg.database.pool.maxSize=18
# ticketreg.database.pool.maxWait=10000
# ticketreg.database.pool.maxIdleTime=120
# ticketreg.database.pool.acquireIncrement=6
# ticketreg.database.pool.idleConnectionTestPeriod=30
# ticketreg.database.pool.connectionHealthQuery=select 1
# ticketreg.database.pool.acquireRetryAttempts=5
# ticketreg.database.pool.acquireRetryDelay=2000
# ticketreg.database.pool.connectionHealthQuery=select 1
##
# JPA Service Registry Database Configuration
#
# svcreg.database.ddl.auto=create-drop
# svcreg.database.hibernate.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# svcreg.database.hibernate.batchSize=10
# svcreg.database.driverClass=org.hsqldb.jdbcDriver
# svcreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# svcreg.database.user=sa
# svcreg.database.password=
# svcreg.database.pool.minSize=6
# svcreg.database.pool.maxSize=18
# svcreg.database.pool.maxWait=10000
# svcreg.database.pool.maxIdleTime=120
# svcreg.database.pool.acquireIncrement=6
# svcreg.database.pool.idleConnectionTestPeriod=30
# svcreg.database.pool.connectionHealthQuery=select 1
# svcreg.database.pool.acquireRetryAttempts=5
# svcreg.database.pool.acquireRetryDelay=2000
# svcreg.database.pool.connectionHealthQuery=select 1
##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator #
# Do note that the following settings MUST be generated per deployment.
#
# The encryption secret key. By default, must be a octet string of size 256.
# tgc.encryption.key=
# The signing secret key. By default, must be a octet string of size 512.
# tgc.signing.key=
# Decides whether SSO cookie should be created only under secure connections.
tgc.secure=false
# The expiration value of the SSO cookie
# tgc.maxAge=-1
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas
# The expiration value of the SSO cookie for long-term authentications
# tgc.remember.me.maxAge=1209600
# Decides whether SSO Warning cookie should be created only under secure connections.
warn.cookie.secure=false
# The expiration value of the SSO Warning cookie
# warn.cookie.maxAge=-1
# The name of the SSO Warning cookie
# warn.cookie.name=CASPRIVACY
# The path to which the SSO Warning cookie will be scoped
# warn.cookie.path=/cas
# Whether we should track the most recent session by keeping the latest service ticket
# tgt.onlyTrackMostRecentSession = true
##
# CAS UI Theme Resolution
#
# cas.themeResolver.defaultThemeName=cas-theme-default
# cas.themeResolver.pathprefix=/WEB-INF/view/jsp/
# cas.themeResolver.param.name=theme
# Location of the Spring xml config file where views may be collected
# cas.viewResolver.xmlFile=/META-INF/spring/views.xml
##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false
##
# CAS Cached Attributes Timeouts
# Controls the cached attribute expiration policy
#
# Notes the duration in which attributes will be kept alive
# cas.attrs.timeToExpireInHours=2
##
# Single Sign-On Session
#
# Indicates whether an SSO session should be created for renewed authentication requests.
# create.sso.renewed.authn=true
#
# Indicates whether an SSO session can be created if no service is present.
# create.sso.missing.service=true
##
# CAS Authentication Policy
#
# cas.authn.policy.any.tryall=false
# cas.authn.policy.req.tryall=false
# cas.authn.policy.req.handlername=handlerName
##
# CAS PersonDirectory Principal Resolution
#
# cas.principal.resolver.persondir.principal.attribute=cn
# cas.principal.resolver.persondir.return.null=false
##
# CAS Internationalization
#
# locale.default=en
# locale.param.name=locale
# message.bundle.encoding=UTF-8
# message.bundle.cacheseconds=180
# message.bundle.fallback.systemlocale=false
# message.bundle.usecode.message=true
# message.bundle.basenames=classpath:custom_messages,classpath:messages
##
# CAS Authentication Throttling
#
#cas.throttle.failure.threshold=
#cas.throttle.failure.range.seconds=
#cas.throttle.username.parameter=
#cas.throttle.appcode=
#cas.throttle.authn.failurecode=
#cas.throttle.audit.query=
##
# CAS Health Monitoring
#
# cas.monitor.st.warn.threshold=5000
# cas.monitor.tgt.warn.threshold=10000
# cas.monitor.free.mem.threshold=10
##
# CAS MongoDB Service Registry
#
#mongodb.host=192.168.30.249
#mongodb.port=27017
#mongodb.userId=
#mongodb.userPassword=
#cas.service.registry.mongo.db=testCrm
#mongodb.timeout=5000
cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
##
# Spring Webflow Web Application Session
# Define the settings that are required to encrypt and persist the CAS web application session.
# See the cas-servlet.xml file to understand how these properties are used.
#
# The encryption secret key. By default, must be a octet string of size 256.
# webflow.encryption.key=
# The signing secret key. By default, must be a octet string of size 512.
# webflow.signing.key=
##
# Remote User Authentication
#
# ip.address.range=
##
# Apache Shiro Authentication
#
# shiro.authn.requiredRoles=
# shiro.authn.requiredPermissions=
# shiro.authn.config.file=classpath:shiro.ini
##
# YubiKey Authentication
#
# yubikey.client.id=
# yubikey.secret.key=
##
# JDBC Authentication
#
# cas.jdbc.authn.query.encode.sql=
# cas.jdbc.authn.query.encode.alg=
# cas.jdbc.authn.query.encode.salt.static=
# cas.jdbc.authn.query.encode.password=
# cas.jdbc.authn.query.encode.salt=
# cas.jdbc.authn.query.encode.iterations.field=
# cas.jdbc.authn.query.encode.iterations=
# cas.jdbc.authn.query.sql=
# cas.jdbc.authn.search.password=
# cas.jdbc.authn.search.user=
# cas.jdbc.authn.search.table=
##
# Duo security 2fa authentication provider
# https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey #
# cas.duo.api.host=
# cas.duo.integration.key=
# cas.duo.secret.key=
# cas.duo.application.key=
##
# File Authentication
#
# file.authn.filename=classpath:people.txt
# file.authn.separator=::
##
# General Authentication
#
# cas.principal.transform.upperCase=false
# cas.authn.password.encoding.char=UTF-8
# cas.authn.password.encoding.alg=SHA-256
# cas.principal.transform.prefix=
# cas.principal.transform.suffix=
##
# X509 Authentication
#
# cas.x509.authn.crl.checkAll=false
# cas.x509.authn.crl.throw.failure=true
# cas.x509.authn.crl.refresh.interval=
# cas.x509.authn.revocation.policy.threshold=
# cas.x509.authn.trusted.issuer.dnpattern=
# cas.x509.authn.max.path.length=
# cas.x509.authn.max.path.length.unspecified=
# cas.x509.authn.check.key.usage=
# cas.x509.authn.require.key.usage=
# cas.x509.authn.subject.dnpattern=
# cas.x509.authn.principal.descriptor=
# cas.x509.authn.principal.serial.no.prefix=
# cas.x509.authn.principal.value.delim=
##
# Accepted Users Authentication
#
#accept.authn.users=casuser::Mellon
##
# Rejected Users Authentication
#
# reject.authn.users=
##
# JAAS Authentication
#
# cas.authn.jaas.realm=CAS
# cas.authn.jaas.kerb.realm=
# cas.authn.jaas.kerb.kdc=
##
# Single Sign-On Session TGT Timeouts
#
# Inactivity Timeout Policy
# tgt.timeout.maxTimeToLiveInSeconds=28800
# Hard Timeout Policy
# tgt.timeout.hard.maxTimeToLiveInSeconds
#
# Throttled Timeout Policy
# tgt.throttled.maxTimeToLiveInSeconds=28800
# tgt.throttled.timeInBetweenUsesInSeconds=5
# Default Expiration Policy
# tgt.maxTimeToLiveInSeconds=28800
# tgt.timeToKillInSeconds=7200
##
# Service Ticket Timeout
#
# st.timeToKillInSeconds=10
# st.numberOfUses=1
##
# Http Client Settings
#
# The http client read timeout in milliseconds
# http.client.read.timeout=5000
# The http client connection timeout in milliseconds
# http.client.connection.timeout=5000
#
# The http client truststore file, in addition to the default's
# http.client.truststore.file=classpath:truststore.jks
#
# The http client truststore's password
# http.client.truststore.psw=changeit
##
# Single Logout Out Callbacks
#
# To turn off all back channel SLO requests set this to true
# slo.callbacks.disabled=false
#
# To send callbacks to endpoints synchronously, set this to false
# slo.callbacks.asynchronous=true
##
# CAS Protocol Security Filter
#
# Are multi-valued parameters accepted?
# cas.http.allow.multivalue.params=false
# Define the list of request parameters to examine for sanity
# cas.http.check.params=ticket,service,renew,gateway,warn,target,SAMLart,pgtUrl,pgt,pgtId,pgtIou,targetService
# Define the list of request parameters only allowed via POST
# cas.http.allow.post.params=username,password
##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
# service.registry.config.location=classpath:services
##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
#
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000
##
# Background Scheduler
#
# Wait for scheduler to finish running before shutting down CAS.
# scheduler.shutdown.wait=true
#
# Attempt to interrupt background jobs when shutting down CAS
# scheduler.shutdown.interruptJobs=true
##
# Audits
#
# Use single line format for audit blocks
# cas.audit.singleline=true
# Separator to use between each fields in a single audit event
# cas.audit.singleline.separator=|
# Application code for audits
# cas.audit.appcode=CAS
#
## JDBC Audits
#
#cas.audit.max.agedays=
#cas.audit.database.dialect=
#cas.audit.database.batchSize=
#cas.audit.database.ddl.auto=
#cas.audit.database.gen.ddl=
#cas.audit.database.show.sql=
#cas.audit.database.driverClass=
#cas.audit.database.url=
#cas.audit.database.user=
#cas.audit.database.password=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.maxSize=
#cas.audit.database.pool.maxIdleTime=
#cas.audit.database.pool.maxWait=
#cas.audit.database.pool.acquireIncrement=
#cas.audit.database.pool.acquireRetryAttempts=
#cas.audit.database.pool.acquireRetryDelay=
#cas.audit.database.pool.idleConnectionTestPeriod=
#cas.audit.database.pool.connectionHealthQuery=
##
# Metrics
# Default sourced from WEB-INF/spring-configuration/metricsConfiguration.xml:
#
# Define how often should metric data be reported. Default is 30 seconds.
# metrics.refresh.interval=30s
##
# Encoding
#
# Set the encoding to use for requests. Default is UTF-8
# httprequest.web.encoding=UTF-8
# Default is true. Switch this to "false" to not enforce the specified encoding in any case,
# applying it as default response encoding as well.
# httprequest.web.encoding.force=true
##
# Response Headers
#
# httpresponse.header.cache=false
# httpresponse.header.hsts=false
# httpresponse.header.xframe=false
# httpresponse.header.xcontent=false
# httpresponse.header.xss=false
##
# SAML
#
# Indicates the SAML response issuer
# cas.saml.response.issuer=localhost
#
# Indicates the skew allowance which controls the issue instant of the SAML response
# cas.saml.response.skewAllowance=0
#
# Indicates whether SAML ticket id generation should be saml2-compliant.
# cas.saml.ticketid.saml2=false
##
# Default Ticket Registry
#
# default.ticket.registry.initialcapacity=1000
# default.ticket.registry.loadfactor=1
# default.ticket.registry.concurrency=20
##
# Ticket Registry Cleaner
#
# Indicates how frequently the Ticket Registry cleaner should run. Configured in seconds.
# ticket.registry.cleaner.startdelay=20
# ticket.registry.cleaner.repeatinterval=5000
##
# Ticket ID Generation
#
# lt.ticket.maxlength=20
# st.ticket.maxlength=20
# tgt.ticket.maxlength=50
# pgt.ticket.maxlength=50
##
# Google Apps public/private key
#
# cas.saml.googleapps.publickey.file=file:/etc/cas/public.key
# cas.saml.googleapps.privatekey.file=file:/etc/cas/private.p8
# cas.saml.googleapps.key.alg=RSA
##
# WS-FED
#
# The claim from ADFS that should be used as the user's identifier.
# cas.wsfed.idp.idattribute=upn
#
# Federation Service identifier
# cas.wsfed.idp.id=https://adfs.example.org/adfs/services/trust
#
# The ADFS login url.
# cas.wsfed.idp.url=https://adfs.example.org/adfs/ls/
#
# Identifies resource(s) that point to ADFS's signing certificates.
# These are used verify the WS Federation token that is returned by ADFS.
# Multiple certificates may be separated by comma.
# cas.wsfed.idp.signingcerts=classpath:adfs-signing.crt
#
# Unique identifier that will be set in the ADFS configuration.
# cas.wsfed.rp.id=urn:cas:localhost
#
# Slack dealing with time-drift between the ADFS Server and the CAS Server.
# cas.wsfed.idp.tolerance=10000
#
# Decides which bundle of attributes should be resolved during WS-FED authentication.
# cas.wsfed.idp.attribute.resolver.enabled=true
# cas.wsfed.idp.attribute.resolver.type=WSFED
#
# Private/Public keypair used to decrypt assertions, if any.
# cas.wsfed.idp.enc.privateKey=classpath:private.key
# cas.wsfed.idp.enc.cert=classpath:certificate.crt
# cas.wsfed.idp.enc.privateKeyPassword=NONE
##
# LDAP User Details
#
# ldap.userdetails.service.user.attr=
# ldap.userdetails.service.role.attr=
##
# LDAP Service Registry
#
# svcreg.ldap.baseDn=dc=example,dc=org
##
# Password Policy
#
# Warn all users of expiration date regardless of warningDays value.
# password.policy.warnAll=false
# Threshold number of days to begin displaying password expiration warnings.
# password.policy.warningDays=30
# URL to which the user will be redirected to change the password.
# password.policy.url=https://password.example.edu/change
# password.policy.warn.attribute.name=attributeName
# password.policy.warn.attribute.value=attributeValue
# password.policy.warn.display.matched=true
##
# CAS REST API Services
#
# cas.rest.services.attributename=
# cas.rest.services.attributevalue=
##
# Ticket Registry
#
# Secret key to use when encrypting tickets in a distributed ticket registry.
# ticket.encryption.secretkey=C@$W3bSecretKey!
# Secret key to use when signing tickets in a distributed ticket registry.
# By default, must be a octet string of size 512.
# ticket.signing.secretkey=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w
# Secret key algorithm used
# ticket.secretkey.alg=AES
##
# Hazelcast Ticket Registry
#
# hz.config.location=file:/etc/cas/hazelcast.xml
# hz.mapname=tickets
# hz.cluster.logging.type=slf4j
# hz.cluster.portAutoIncrement=true
# hz.cluster.port=5701
# hz.cluster.multicast.enabled=false
# hz.cluster.members=cas1.example.com,cas2.example.com
# hz.cluster.tcpip.enabled=true
# hz.cluster.multicast.enabled=false
# hz.cluster.max.heapsize.percentage=85
# hz.cluster.max.heartbeat.seconds=300
# hz.cluster.eviction.percentage=10
# hz.cluster.eviction.policy=LRU
# hz.cluster.instance.name=${host.name}
##
# Ehcache Ticket Registry
#
# ehcache.config.file=classpath:ehcache-replicated.xml
# ehcache.cachemanager.shared=false
# ehcache.cachemanager.name=ticketRegistryCacheManager
# ehcache.disk.expiry.interval.seconds=0
# ehcache.disk.persistent=false
# ehcache.eternal=false
# ehcache.max.elements.memory=10000
# ehcache.max.elements.disk=0
# ehcache.eviction.policy=LRU
# ehcache.overflow.disk=false
# ehcache.cache.st.name=org.jasig.cas.ticket.ServiceTicket
# ehcache.cache.st.timeIdle=0
# ehcache.cache.st.timeAlive=300
# ehcache.cache.tgt.name=org.jasig.cas.ticket.TicketGrantingTicket
# ehcache.cache.tgt.timeIdle=7201
# ehcache.cache.tgt.timeAlive=0
# ehcache.cache.loader.async=true
# ehcache.cache.loader.chunksize=5000000
# ehcache.repl.async.interval=10000
# ehcache.repl.async.batch.size=100
# ehcache.repl.sync.puts=true
# ehcache.repl.sync.putscopy=true
# ehcache.repl.sync.updates=true
# ehcache.repl.sync.updatesCopy=true
# ehcache.repl.sync.removals=true
##
# Ehcache Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0
##
# Memcached Ticket Registry
#
# memcached.servers=localhost:11211
# memcached.hashAlgorithm=FNV1_64_HASH
# memcached.protocol=BINARY
# memcached.locatorType=ARRAY_MOD
# memcached.failureMode=Redistribute
##
# Memcached Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0
##
# RADIUS Authentication Server
#
# cas.radius.client.inetaddr=localhost
# cas.radius.client.port.acct=
# cas.radius.client.socket.timeout=60
# cas.radius.client.port.authn=
# cas.radius.client.sharedsecret=N0Sh@ar3d$ecReT
# cas.radius.server.protocol=EAP_MSCHAPv2
# cas.radius.server.retries=3
# cas.radius.server.nasIdentifier=
# cas.radius.server.nasPort=-1
# cas.radius.server.nasPortId=-1
# cas.radius.server.nasRealPort=-1
# cas.radius.server.nasPortType=-1
# cas.radius.server.nasIpAddress=
# cas.radius.server.nasIpv6Address=
# cas.radius.failover.authn=false
# cas.radius.failover.exception=false
##
# SPNEGO Authentication
#
# cas.spnego.ldap.attribute=spnegoattribute
# cas.spnego.ldap.filter=host={0}
# cas.spnego.ldap.basedn=
# cas.spnego.hostname.pattern=.+
# cas.spnego.ip.pattern=
# cas.spnego.alt.remote.host.attribute
# cas.spengo.use.principal.domain=false
# cas.spnego.ntlm.allowed=true
# cas.spnego.kerb.debug=false
# cas.spnego.kerb.realm=EXAMPLE.COM
# cas.spnego.kerb.kdc=172.10.1.10
# cas.spnego.login.conf.file=/path/to/login
# cas.spnego.jcifs.domain=
# cas.spnego.jcifs.domaincontroller=
# cas.spnego.jcifs.netbios.cache.policy:600
# cas.spnego.jcifs.netbios.wins=
# cas.spnego.jcifs.password=
# cas.spnego.jcifs.service.password=
# cas.spnego.jcifs.socket.timeout:300000
# cas.spnego.jcifs.username=
# cas.spnego.kerb.conf=
# cas.spnego.ntlm=false
# cas.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
# cas.spnego.mixed.mode.authn=false
# cas.spnego.send.401.authn.failure=false
# cas.spnego.principal.resolver.transform=NONE
# cas.spnego.service.principal=HTTP/cas.example.com@EXAMPLE.COM
##
# NTLM Authentication
#
# ntlm.authn.domain.controller=
# ntlm.authn.include.pattern=
# ntlm.authn.load.balance=true
##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
# cas.pac4j.oidc.preferredJwsAlgorithm=
# cas.pac4j.oidc.maxClockSkew=
# cas.pac4j.oidc.customParamKey1=
# cas.pac4j.oidc.customParamValue1=
# cas.pac4j.oidc.customParamKey2=
# cas.pac4j.oidc.customParamValue2=
##
# CAS Acceptable Usage Policy Settings
#
# cas.aup.ldap.search.filter=cn={0}
# cas.aup.ldap.url=ldap://127.0.0.1:1389
# cas.aup.ldap.ssl=false
# cas.aup.ldap.startTLS=false
# cas.aup.ldap.basedn=dc=example,dc=org
# cas.aup.attribute=
在此基础上 我们去掉了https的验证,启用了http访问的模式。
单点登录(七)-----实战-----cas server去掉https验证
但是我们之前部署的cas server,用户登录时使用的是简单的文本配置方式。
deployerConfigContext.xml中的配置方式是
<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
配置的帐号密码
##
# Accepted Users Authentication
#
accept.authn.users=casuser::Mellon
帐号密码就是casuser和Mellon。
想要新增帐号密码只要在accept.authn.users=casuser::Mellon下增加就行了。
例如
accept.authn.users=casuser::Mellon
accept.authn.users=crm::1234567
但是帐号密码配置到配置文件中不符合我们新增用户和安全的考虑。
一般帐号密码应该存储在数据库或者服务器中。
cas在这方面支持很多种帐号密码的验证方式。
例如网上有很多资料 写到的 LDAP 以及 JDBC 方式。
因为我们一直是在使用mongodb数据库,但是现在网络中关于mongodb验证方式的文档比较少,官网中也没有详细的步骤。
本章我们就记录cas4.2.X登录启用mongodb验证方式完整流程。
首先我们要确保cas框架能正常运行并且acceptUsersAuthenticationHandler配置文件简单的帐号密码验证方式能登录成功。
在此基础上我们进行改动。
引入jar包
首先需要引入需要的包。这里需要的是 建议使用maven或者gradle框架来引入,不要手动引入子项目。
因为手动引入子项目不会自动引入子项目依赖的jar包,运行的时候会出现各种问题。
而maven或者gradle引入的话会自动下载关联依赖的jar包。
刚好cas 4.2.X以上都是使用gradle配置的,所以我们只需要在build.gradle中加入需要的子项目即可。
mongodb验证需要的子项目是 cas-server-support-mongo。
参考
https://apereo.github.io/cas/5.0.x/installation/MongoDb-Authentication.html#mongodb-authentication
我们在build.gradle中dependencies里 添加 compile project(':cas-server-support-mongo')
然后在对着项目右键 gradle ---->refresh gradle project
项目就会自动下载需要的jar包了。
我们可以查看项目的包库中是否包含pac4j-mongo包就知道是否成功依赖了关联的jar包。
设置子项目发布时以jar包方式
因为在之前的文章中也说过,如果cas中子项目如果用编译文件的方式发布的话,会多出一些想xml文件导致 引用错误。所以我们需要把大部分的子项目或者全部的子项目用设置成jar包的形式发布。
让子项目在父项目部署发布时以jar包的方式放入lib文件夹中,而不是源码编辑文件进入classes文件夹。右键->properties->MyEclipse->Deployement Assembly在下方点开Merged deployment of modules将默认的Enable merged deployment of Utility and EJB modules复选框勾去掉即可选中Enable project specific settings
不要选中Enable merged deployment of Utility and EJB modules.他下面的提示信息其实也很明显,如果勾选的话会将你所引入的工程合并到WEB-INFO/classes目录下
验证方法是否生效:部署时父项目显示Exploded,而引入的子项目是:packaged,在到工程的lib目录下面去查看就可以看到构建好的jar包了。
这说明设置生效。
去掉勾之后配置的地方都会变成disabled了。
如果我们不是要把所有的子项目都这样处理成jar包引入,而是有选择性的一些放入jar包可以不去掉勾,而是在merged deployment里配置,on是引入的工程合并到WEB-INFO/classes目录下,能看到编译文件class,off是打成jar包,放入lib。
打成jar包的子项目的配置文件xml不会影响到父项目。
更多解释详见:单点登录(五)-----遇到问题-----cas server 源码部署tomcat运行报错BeanCreationException:Error creating bean with name 's
帐号密码数据准备
创建mongodb数据库和集合插入文档。数据库名和集合名称都随意起,在后面设置中可以对应。我这里起的数据库名是testCrm,集合名是dataManager。官方推荐的文档样式是{"username": "casuser",
"password": "34598dfkjdjk3487jfdkh874395",
"first_name": "john",
"last_name": "smith"
}
如图:
https://apereo.github.io/cas/5.0.x/installation/MongoDb-Authentication.html#mongodb-authentication
经过我的测试 其实文档格式也随意,只要后面设置帐号密码字段对应起来就可以了。例如我这里的文档是:{
"_id": ObjectId('5743bf4e0cf2b3488bad9c98'),
"_class": "com.test.domain.entity.DataManager",
"username": "crm",
"password": "1234567",
"permissionList": [
"parseResultAdd",
"parseResultAddMulti",
"resultlist"
],
"roleList": [
"normal"
],
"createtime": "May 24, 2016 10:41:18 AM",
"ower": "crm"
}
修改配置文件
jar包处理好之后我们就可以修改配置文件了。deployerConfigContext.xml
首先是deployerConfigContext.xml中注释掉默认的简单认证,启用mongodb认证方式。deployerConfigContext.xml中的配置方式是<alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
注释掉,
修改成
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
如图:
完整deployerConfigContext.xml见附录。
cas.properties
cas.properties需要把默认的简单验证参数注释掉,新增mongodb验证参数。注释accept.authn.users=casuser::Mellon
变成#accept.authn.users=casuser::Mellon
新增cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
cas.authn.mongo.collection.name 对应集合名
cas.authn.mongo.db.host是使用uri方式的连接方式,我这里是不带帐号密码的方式,192.168.30.249是ip,27017是端口,test是数据库名。
如果是加了验证方式的mongodb,则需要在uri连接里增加帐号密码。例如mongodb://帐号:密码@192.168.30.249:27017/test
cas.authn.mongo.attributes是说明集合中有哪些属性,默认可以空着不填或者不设置
cas.authn.mongo.username.attribute是使用哪个字段对应帐号
cas.authn.mongo.password.attribute是使用哪个字段对应密码
其他参数参考官方文档https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html
MongoDb Authentication
To learn more about this topic, please review this guide.
# cas.authn.mongo.mongoHostUri=mongodb://uri
# cas.authn.mongo.usernameAttribute=username
# cas.authn.mongo.attributes=
# cas.authn.mongo.passwordAttribute=password
# cas.authn.mongo.collectionName=users
# cas.authn.mongo.principalTransformation.suffix=
# cas.authn.mongo.principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.mongo.principalTransformation.prefix=
# cas.authn.mongo.passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT
# cas.authn.mongo.passwordEncoder.characterEncoding=
# cas.authn.mongo.passwordEncoder.encodingAlgorithm=
# cas.authn.mongo.passwordEncoder.secret=
# cas.authn.mongo.passwordEncoder.strength=16
完整cas.properties见附录。
重启加载部署启动项目后 发现使用mongodb中的帐号crm和密码1234567可以登录了,这里是明文存储的密码,不合理,在一下章节我们讲加密。
参考文档
我们在配置过程中发现官方文档很多步骤都有点缺失,没有详细的操作流程。但是在cas-server的代码中有一个子项目叫做cas-server-documentation。
里面有相对详细的配置步骤。
除了mongodb的认证配置,其他配置也可以参考。
如图:
---
layout: default
title: CAS - MongoDb Authentication
---
# MongoDb Authentication
Verify and authenticate credentials against a [MongoDb](https://www.mongodb.org/) instance.
```xml
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
```
Support is enabled by including the following dependency in the Maven WAR overlay:
```xml
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-mongo</artifactId>
<version>${cas.version}</version>
</dependency>
```
The following settings are applicable:
```properties
cas.authn.mongo.collection.name=users
cas.authn.mongo.db.host=mongodb://user:password@ds061954.somewhere.com:61954/database
cas.authn.mongo.attributes=attribute1,attribute2
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
```
附录
完整deployerConfigContext.xml
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<util:map id="authenticationHandlersResolvers">
<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>
<util:list id="authenticationMetadataPopulators">
<ref bean="successfulHandlerMetaDataPopulator" />
<ref bean="rememberMeAuthenticationMetaDataPopulator" />
</util:list>
<bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<!-- <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" /> -->
<alias name="mongoAuthenticationHandler" alias="primaryAuthenticationHandler" />
<alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />
<util:map id="attrRepoBackingMap">
<entry key="username" value="uid" />
</util:map>
<alias name="serviceThemeResolver" alias="themeResolver" />
<alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
<!-- <alias name="mongoServiceRegistryDao" alias="serviceRegistryDao" /> -->
<alias name="defaultTicketRegistry" alias="ticketRegistry" />
<alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
<alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
<alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
<alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
<bean id="auditTrailManager"
class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
p:entrySeparator="${cas.audit.singleline.separator:|}"
p:useSingleLine="${cas.audit.singleline:false}"/>
<alias name="neverThrottle" alias="authenticationThrottle" />
<util:list id="monitorsList">
<ref bean="memoryMonitor" />
<ref bean="sessionMonitor" />
</util:list>
<alias name="defaultPrincipalFactory" alias="principalFactory" />
<alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
<alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
<alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>
ps: attrRepoBackingMap这个属性我也有改动成
<util:map id="attrRepoBackingMap">
<entry key="username" value="uid" />
</util:map>
原来是
<util:map id="attrRepoBackingMap">
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
<entry>
<key><value>memberOf</value></key>
<list>
<value>faculty</value>
<value>staff</value>
<value>org</value>
</list>
</entry>
</util:map>
这个主要涉及到 后面 获取登录后实体的其他属性和参数,不知道是否会影响登录。如果按好上面步骤修改登录不了 可以尝试修改这个地方。
完整cas.properties
server.name=http://localhost:8080server.prefix=${server.name}/cas
# security configuration based on IP address to access the /status and /statistics pages
# cas.securityContext.adminpages.ip=127\.0\.0\.1
##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
# host.name=
##
# JPA Ticket Registry Database Configuration
#
# ticketreg.database.ddl.auto=create-drop
# ticketreg.database.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# ticketreg.database.batchSize=10
# ticketreg.database.driverClass=org.hsqldb.jdbcDriver
# ticketreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# ticketreg.database.user=sa
# ticketreg.database.password=
# ticketreg.database.pool.minSize=6
# ticketreg.database.pool.maxSize=18
# ticketreg.database.pool.maxWait=10000
# ticketreg.database.pool.maxIdleTime=120
# ticketreg.database.pool.acquireIncrement=6
# ticketreg.database.pool.idleConnectionTestPeriod=30
# ticketreg.database.pool.connectionHealthQuery=select 1
# ticketreg.database.pool.acquireRetryAttempts=5
# ticketreg.database.pool.acquireRetryDelay=2000
# ticketreg.database.pool.connectionHealthQuery=select 1
##
# JPA Service Registry Database Configuration
#
# svcreg.database.ddl.auto=create-drop
# svcreg.database.hibernate.dialect=org.hibernate.dialect.OracleDialect|MySQLInnoDBDialect|HSQLDialect
# svcreg.database.hibernate.batchSize=10
# svcreg.database.driverClass=org.hsqldb.jdbcDriver
# svcreg.database.url=jdbc:hsqldb:mem:cas-ticket-registry
# svcreg.database.user=sa
# svcreg.database.password=
# svcreg.database.pool.minSize=6
# svcreg.database.pool.maxSize=18
# svcreg.database.pool.maxWait=10000
# svcreg.database.pool.maxIdleTime=120
# svcreg.database.pool.acquireIncrement=6
# svcreg.database.pool.idleConnectionTestPeriod=30
# svcreg.database.pool.connectionHealthQuery=select 1
# svcreg.database.pool.acquireRetryAttempts=5
# svcreg.database.pool.acquireRetryDelay=2000
# svcreg.database.pool.connectionHealthQuery=select 1
##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator #
# Do note that the following settings MUST be generated per deployment.
#
# The encryption secret key. By default, must be a octet string of size 256.
# tgc.encryption.key=
# The signing secret key. By default, must be a octet string of size 512.
# tgc.signing.key=
# Decides whether SSO cookie should be created only under secure connections.
tgc.secure=false
# The expiration value of the SSO cookie
# tgc.maxAge=-1
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas
# The expiration value of the SSO cookie for long-term authentications
# tgc.remember.me.maxAge=1209600
# Decides whether SSO Warning cookie should be created only under secure connections.
warn.cookie.secure=false
# The expiration value of the SSO Warning cookie
# warn.cookie.maxAge=-1
# The name of the SSO Warning cookie
# warn.cookie.name=CASPRIVACY
# The path to which the SSO Warning cookie will be scoped
# warn.cookie.path=/cas
# Whether we should track the most recent session by keeping the latest service ticket
# tgt.onlyTrackMostRecentSession = true
##
# CAS UI Theme Resolution
#
# cas.themeResolver.defaultThemeName=cas-theme-default
# cas.themeResolver.pathprefix=/WEB-INF/view/jsp/
# cas.themeResolver.param.name=theme
# Location of the Spring xml config file where views may be collected
# cas.viewResolver.xmlFile=/META-INF/spring/views.xml
##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false
##
# CAS Cached Attributes Timeouts
# Controls the cached attribute expiration policy
#
# Notes the duration in which attributes will be kept alive
# cas.attrs.timeToExpireInHours=2
##
# Single Sign-On Session
#
# Indicates whether an SSO session should be created for renewed authentication requests.
# create.sso.renewed.authn=true
#
# Indicates whether an SSO session can be created if no service is present.
# create.sso.missing.service=true
##
# CAS Authentication Policy
#
# cas.authn.policy.any.tryall=false
# cas.authn.policy.req.tryall=false
# cas.authn.policy.req.handlername=handlerName
##
# CAS PersonDirectory Principal Resolution
#
# cas.principal.resolver.persondir.principal.attribute=cn
# cas.principal.resolver.persondir.return.null=false
##
# CAS Internationalization
#
# locale.default=en
# locale.param.name=locale
# message.bundle.encoding=UTF-8
# message.bundle.cacheseconds=180
# message.bundle.fallback.systemlocale=false
# message.bundle.usecode.message=true
# message.bundle.basenames=classpath:custom_messages,classpath:messages
##
# CAS Authentication Throttling
#
#cas.throttle.failure.threshold=
#cas.throttle.failure.range.seconds=
#cas.throttle.username.parameter=
#cas.throttle.appcode=
#cas.throttle.authn.failurecode=
#cas.throttle.audit.query=
##
# CAS Health Monitoring
#
# cas.monitor.st.warn.threshold=5000
# cas.monitor.tgt.warn.threshold=10000
# cas.monitor.free.mem.threshold=10
##
# CAS MongoDB Service Registry
#
#mongodb.host=192.168.30.249
#mongodb.port=27017
#mongodb.userId=
#mongodb.userPassword=
#cas.service.registry.mongo.db=testCrm
#mongodb.timeout=5000
cas.authn.mongo.collection.name=dataManager
cas.authn.mongo.db.host=mongodb://192.168.30.249:27017/testCrm
#cas.authn.mongo.attributes=username,password,permissionList,roleList,createtime,ower
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password
##
# Spring Webflow Web Application Session
# Define the settings that are required to encrypt and persist the CAS web application session.
# See the cas-servlet.xml file to understand how these properties are used.
#
# The encryption secret key. By default, must be a octet string of size 256.
# webflow.encryption.key=
# The signing secret key. By default, must be a octet string of size 512.
# webflow.signing.key=
##
# Remote User Authentication
#
# ip.address.range=
##
# Apache Shiro Authentication
#
# shiro.authn.requiredRoles=
# shiro.authn.requiredPermissions=
# shiro.authn.config.file=classpath:shiro.ini
##
# YubiKey Authentication
#
# yubikey.client.id=
# yubikey.secret.key=
##
# JDBC Authentication
#
# cas.jdbc.authn.query.encode.sql=
# cas.jdbc.authn.query.encode.alg=
# cas.jdbc.authn.query.encode.salt.static=
# cas.jdbc.authn.query.encode.password=
# cas.jdbc.authn.query.encode.salt=
# cas.jdbc.authn.query.encode.iterations.field=
# cas.jdbc.authn.query.encode.iterations=
# cas.jdbc.authn.query.sql=
# cas.jdbc.authn.search.password=
# cas.jdbc.authn.search.user=
# cas.jdbc.authn.search.table=
##
# Duo security 2fa authentication provider
# https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey #
# cas.duo.api.host=
# cas.duo.integration.key=
# cas.duo.secret.key=
# cas.duo.application.key=
##
# File Authentication
#
# file.authn.filename=classpath:people.txt
# file.authn.separator=::
##
# General Authentication
#
# cas.principal.transform.upperCase=false
# cas.authn.password.encoding.char=UTF-8
# cas.authn.password.encoding.alg=SHA-256
# cas.principal.transform.prefix=
# cas.principal.transform.suffix=
##
# X509 Authentication
#
# cas.x509.authn.crl.checkAll=false
# cas.x509.authn.crl.throw.failure=true
# cas.x509.authn.crl.refresh.interval=
# cas.x509.authn.revocation.policy.threshold=
# cas.x509.authn.trusted.issuer.dnpattern=
# cas.x509.authn.max.path.length=
# cas.x509.authn.max.path.length.unspecified=
# cas.x509.authn.check.key.usage=
# cas.x509.authn.require.key.usage=
# cas.x509.authn.subject.dnpattern=
# cas.x509.authn.principal.descriptor=
# cas.x509.authn.principal.serial.no.prefix=
# cas.x509.authn.principal.value.delim=
##
# Accepted Users Authentication
#
#accept.authn.users=casuser::Mellon
##
# Rejected Users Authentication
#
# reject.authn.users=
##
# JAAS Authentication
#
# cas.authn.jaas.realm=CAS
# cas.authn.jaas.kerb.realm=
# cas.authn.jaas.kerb.kdc=
##
# Single Sign-On Session TGT Timeouts
#
# Inactivity Timeout Policy
# tgt.timeout.maxTimeToLiveInSeconds=28800
# Hard Timeout Policy
# tgt.timeout.hard.maxTimeToLiveInSeconds
#
# Throttled Timeout Policy
# tgt.throttled.maxTimeToLiveInSeconds=28800
# tgt.throttled.timeInBetweenUsesInSeconds=5
# Default Expiration Policy
# tgt.maxTimeToLiveInSeconds=28800
# tgt.timeToKillInSeconds=7200
##
# Service Ticket Timeout
#
# st.timeToKillInSeconds=10
# st.numberOfUses=1
##
# Http Client Settings
#
# The http client read timeout in milliseconds
# http.client.read.timeout=5000
# The http client connection timeout in milliseconds
# http.client.connection.timeout=5000
#
# The http client truststore file, in addition to the default's
# http.client.truststore.file=classpath:truststore.jks
#
# The http client truststore's password
# http.client.truststore.psw=changeit
##
# Single Logout Out Callbacks
#
# To turn off all back channel SLO requests set this to true
# slo.callbacks.disabled=false
#
# To send callbacks to endpoints synchronously, set this to false
# slo.callbacks.asynchronous=true
##
# CAS Protocol Security Filter
#
# Are multi-valued parameters accepted?
# cas.http.allow.multivalue.params=false
# Define the list of request parameters to examine for sanity
# cas.http.check.params=ticket,service,renew,gateway,warn,target,SAMLart,pgtUrl,pgt,pgtId,pgtIou,targetService
# Define the list of request parameters only allowed via POST
# cas.http.allow.post.params=username,password
##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
# service.registry.config.location=classpath:services
##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
#
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000
##
# Background Scheduler
#
# Wait for scheduler to finish running before shutting down CAS.
# scheduler.shutdown.wait=true
#
# Attempt to interrupt background jobs when shutting down CAS
# scheduler.shutdown.interruptJobs=true
##
# Audits
#
# Use single line format for audit blocks
# cas.audit.singleline=true
# Separator to use between each fields in a single audit event
# cas.audit.singleline.separator=|
# Application code for audits
# cas.audit.appcode=CAS
#
## JDBC Audits
#
#cas.audit.max.agedays=
#cas.audit.database.dialect=
#cas.audit.database.batchSize=
#cas.audit.database.ddl.auto=
#cas.audit.database.gen.ddl=
#cas.audit.database.show.sql=
#cas.audit.database.driverClass=
#cas.audit.database.url=
#cas.audit.database.user=
#cas.audit.database.password=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.minSize=
#cas.audit.database.pool.maxSize=
#cas.audit.database.pool.maxIdleTime=
#cas.audit.database.pool.maxWait=
#cas.audit.database.pool.acquireIncrement=
#cas.audit.database.pool.acquireRetryAttempts=
#cas.audit.database.pool.acquireRetryDelay=
#cas.audit.database.pool.idleConnectionTestPeriod=
#cas.audit.database.pool.connectionHealthQuery=
##
# Metrics
# Default sourced from WEB-INF/spring-configuration/metricsConfiguration.xml:
#
# Define how often should metric data be reported. Default is 30 seconds.
# metrics.refresh.interval=30s
##
# Encoding
#
# Set the encoding to use for requests. Default is UTF-8
# httprequest.web.encoding=UTF-8
# Default is true. Switch this to "false" to not enforce the specified encoding in any case,
# applying it as default response encoding as well.
# httprequest.web.encoding.force=true
##
# Response Headers
#
# httpresponse.header.cache=false
# httpresponse.header.hsts=false
# httpresponse.header.xframe=false
# httpresponse.header.xcontent=false
# httpresponse.header.xss=false
##
# SAML
#
# Indicates the SAML response issuer
# cas.saml.response.issuer=localhost
#
# Indicates the skew allowance which controls the issue instant of the SAML response
# cas.saml.response.skewAllowance=0
#
# Indicates whether SAML ticket id generation should be saml2-compliant.
# cas.saml.ticketid.saml2=false
##
# Default Ticket Registry
#
# default.ticket.registry.initialcapacity=1000
# default.ticket.registry.loadfactor=1
# default.ticket.registry.concurrency=20
##
# Ticket Registry Cleaner
#
# Indicates how frequently the Ticket Registry cleaner should run. Configured in seconds.
# ticket.registry.cleaner.startdelay=20
# ticket.registry.cleaner.repeatinterval=5000
##
# Ticket ID Generation
#
# lt.ticket.maxlength=20
# st.ticket.maxlength=20
# tgt.ticket.maxlength=50
# pgt.ticket.maxlength=50
##
# Google Apps public/private key
#
# cas.saml.googleapps.publickey.file=file:/etc/cas/public.key
# cas.saml.googleapps.privatekey.file=file:/etc/cas/private.p8
# cas.saml.googleapps.key.alg=RSA
##
# WS-FED
#
# The claim from ADFS that should be used as the user's identifier.
# cas.wsfed.idp.idattribute=upn
#
# Federation Service identifier
# cas.wsfed.idp.id=https://adfs.example.org/adfs/services/trust
#
# The ADFS login url.
# cas.wsfed.idp.url=https://adfs.example.org/adfs/ls/
#
# Identifies resource(s) that point to ADFS's signing certificates.
# These are used verify the WS Federation token that is returned by ADFS.
# Multiple certificates may be separated by comma.
# cas.wsfed.idp.signingcerts=classpath:adfs-signing.crt
#
# Unique identifier that will be set in the ADFS configuration.
# cas.wsfed.rp.id=urn:cas:localhost
#
# Slack dealing with time-drift between the ADFS Server and the CAS Server.
# cas.wsfed.idp.tolerance=10000
#
# Decides which bundle of attributes should be resolved during WS-FED authentication.
# cas.wsfed.idp.attribute.resolver.enabled=true
# cas.wsfed.idp.attribute.resolver.type=WSFED
#
# Private/Public keypair used to decrypt assertions, if any.
# cas.wsfed.idp.enc.privateKey=classpath:private.key
# cas.wsfed.idp.enc.cert=classpath:certificate.crt
# cas.wsfed.idp.enc.privateKeyPassword=NONE
##
# LDAP User Details
#
# ldap.userdetails.service.user.attr=
# ldap.userdetails.service.role.attr=
##
# LDAP Service Registry
#
# svcreg.ldap.baseDn=dc=example,dc=org
##
# Password Policy
#
# Warn all users of expiration date regardless of warningDays value.
# password.policy.warnAll=false
# Threshold number of days to begin displaying password expiration warnings.
# password.policy.warningDays=30
# URL to which the user will be redirected to change the password.
# password.policy.url=https://password.example.edu/change
# password.policy.warn.attribute.name=attributeName
# password.policy.warn.attribute.value=attributeValue
# password.policy.warn.display.matched=true
##
# CAS REST API Services
#
# cas.rest.services.attributename=
# cas.rest.services.attributevalue=
##
# Ticket Registry
#
# Secret key to use when encrypting tickets in a distributed ticket registry.
# ticket.encryption.secretkey=C@$W3bSecretKey!
# Secret key to use when signing tickets in a distributed ticket registry.
# By default, must be a octet string of size 512.
# ticket.signing.secretkey=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w
# Secret key algorithm used
# ticket.secretkey.alg=AES
##
# Hazelcast Ticket Registry
#
# hz.config.location=file:/etc/cas/hazelcast.xml
# hz.mapname=tickets
# hz.cluster.logging.type=slf4j
# hz.cluster.portAutoIncrement=true
# hz.cluster.port=5701
# hz.cluster.multicast.enabled=false
# hz.cluster.members=cas1.example.com,cas2.example.com
# hz.cluster.tcpip.enabled=true
# hz.cluster.multicast.enabled=false
# hz.cluster.max.heapsize.percentage=85
# hz.cluster.max.heartbeat.seconds=300
# hz.cluster.eviction.percentage=10
# hz.cluster.eviction.policy=LRU
# hz.cluster.instance.name=${host.name}
##
# Ehcache Ticket Registry
#
# ehcache.config.file=classpath:ehcache-replicated.xml
# ehcache.cachemanager.shared=false
# ehcache.cachemanager.name=ticketRegistryCacheManager
# ehcache.disk.expiry.interval.seconds=0
# ehcache.disk.persistent=false
# ehcache.eternal=false
# ehcache.max.elements.memory=10000
# ehcache.max.elements.disk=0
# ehcache.eviction.policy=LRU
# ehcache.overflow.disk=false
# ehcache.cache.st.name=org.jasig.cas.ticket.ServiceTicket
# ehcache.cache.st.timeIdle=0
# ehcache.cache.st.timeAlive=300
# ehcache.cache.tgt.name=org.jasig.cas.ticket.TicketGrantingTicket
# ehcache.cache.tgt.timeIdle=7201
# ehcache.cache.tgt.timeAlive=0
# ehcache.cache.loader.async=true
# ehcache.cache.loader.chunksize=5000000
# ehcache.repl.async.interval=10000
# ehcache.repl.async.batch.size=100
# ehcache.repl.sync.puts=true
# ehcache.repl.sync.putscopy=true
# ehcache.repl.sync.updates=true
# ehcache.repl.sync.updatesCopy=true
# ehcache.repl.sync.removals=true
##
# Ehcache Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0
##
# Memcached Ticket Registry
#
# memcached.servers=localhost:11211
# memcached.hashAlgorithm=FNV1_64_HASH
# memcached.protocol=BINARY
# memcached.locatorType=ARRAY_MOD
# memcached.failureMode=Redistribute
##
# Memcached Monitoring
#
# cache.monitor.warn.free.threshold=10
# cache.monitor.eviction.threshold=0
##
# RADIUS Authentication Server
#
# cas.radius.client.inetaddr=localhost
# cas.radius.client.port.acct=
# cas.radius.client.socket.timeout=60
# cas.radius.client.port.authn=
# cas.radius.client.sharedsecret=N0Sh@ar3d$ecReT
# cas.radius.server.protocol=EAP_MSCHAPv2
# cas.radius.server.retries=3
# cas.radius.server.nasIdentifier=
# cas.radius.server.nasPort=-1
# cas.radius.server.nasPortId=-1
# cas.radius.server.nasRealPort=-1
# cas.radius.server.nasPortType=-1
# cas.radius.server.nasIpAddress=
# cas.radius.server.nasIpv6Address=
# cas.radius.failover.authn=false
# cas.radius.failover.exception=false
##
# SPNEGO Authentication
#
# cas.spnego.ldap.attribute=spnegoattribute
# cas.spnego.ldap.filter=host={0}
# cas.spnego.ldap.basedn=
# cas.spnego.hostname.pattern=.+
# cas.spnego.ip.pattern=
# cas.spnego.alt.remote.host.attribute
# cas.spengo.use.principal.domain=false
# cas.spnego.ntlm.allowed=true
# cas.spnego.kerb.debug=false
# cas.spnego.kerb.realm=EXAMPLE.COM
# cas.spnego.kerb.kdc=172.10.1.10
# cas.spnego.login.conf.file=/path/to/login
# cas.spnego.jcifs.domain=
# cas.spnego.jcifs.domaincontroller=
# cas.spnego.jcifs.netbios.cache.policy:600
# cas.spnego.jcifs.netbios.wins=
# cas.spnego.jcifs.password=
# cas.spnego.jcifs.service.password=
# cas.spnego.jcifs.socket.timeout:300000
# cas.spnego.jcifs.username=
# cas.spnego.kerb.conf=
# cas.spnego.ntlm=false
# cas.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
# cas.spnego.mixed.mode.authn=false
# cas.spnego.send.401.authn.failure=false
# cas.spnego.principal.resolver.transform=NONE
# cas.spnego.service.principal=HTTP/cas.example.com@EXAMPLE.COM
##
# NTLM Authentication
#
# ntlm.authn.domain.controller=
# ntlm.authn.include.pattern=
# ntlm.authn.load.balance=true
##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
# cas.pac4j.oidc.preferredJwsAlgorithm=
# cas.pac4j.oidc.maxClockSkew=
# cas.pac4j.oidc.customParamKey1=
# cas.pac4j.oidc.customParamValue1=
# cas.pac4j.oidc.customParamKey2=
# cas.pac4j.oidc.customParamValue2=
##
# CAS Acceptable Usage Policy Settings
#
# cas.aup.ldap.search.filter=cn={0}
# cas.aup.ldap.url=ldap://127.0.0.1:1389
# cas.aup.ldap.ssl=false
# cas.aup.ldap.startTLS=false
# cas.aup.ldap.basedn=dc=example,dc=org
# cas.aup.attribute=
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 单点登录(十三)-----实战-----cas4.2.X登录启用mongodb验证方式完整流程
- 单点登录(十五)-----实战-----cas4.2.x登录mongodb验证方式实现自定义加密
- 单点登录(十五)-----实战-----cas4.2.x登录mongodb验证方式实现自定义加密
- 单点登录(十一)-----遇到问题-----cas启用mongodb验证方式报错--Unable to locate Spring NamespaceHandler for XML schema na
- 单点登录(十七)----cas4.2.x登录mongodb验证方式成功后返回更多信息更多属性到客户端
- 单点登录(十二)-----遇到问题-----cas启用mongodb验证方式登录后没反应-pac4j-mongo包中的MongoAuthenticatInvocationTargetException
- 单点登录(十七)----cas4.2.x登录mongodb验证方式成功后返回更多信息更多属性到客户端
- 单点登录(十一)-----遇到问题-----cas启用mongodb验证方式报错--Unable to locate Spring NamespaceHandler for XML schema na
- 单点登录(十二)-----遇到问题-----cas启用mongodb验证方式登录后没反应-pac4j-mongo包中的MongoAuthenticatInvocationTargetException
- 单点登录(十四)-----实战-----cas5.0.x登录mongodb验证方式常规的四种加密的思考和分析
- 单点登录(十四)-----实战-----cas5.0.x登录mongodb验证方式常规的四种加密的思考和分析
- 单点登录(七)-----实战-----cas server去掉https验证 标签: cas-server去掉取消https4.2 2017-02-07 16:19 2014人阅读 评论(0) 收藏
- 启用oracle密码文件验证方式登录
- 配置SQL Server 2005 Express的身份验证方式及启用sa登录名
- 数据库开发基本操作-配置SQL Server 2005 Express的身份验证方式,以及如何启用sa登录名
- CAS框架单点登录,自定义验证登录方式(添加系统标识)
- CAS 服务端登录验证流程(三)
- CAS 服务端登录验证流程(四)
- 配置SQL Server 2005 Express的身份验证方式,以及如何启用sa登录名(转)
- cas之JDBC登录验证方式