前置文章:CAS学习教程
前面我们已经知道,cas默认是使用https协议请求验证,https相对于http无疑在安全性是更高的,但是https协议在实际开发中会比较麻烦,首先域名访问,对于企业内网或者专网的应用系统一般都是使用ip访问,这个给cas集成造成了很大的问题,其次https的证书部署也比较麻烦,所以有时会使用http协议部署,当然在能使用https的情况下还是尽量使用https,之前也说了对于单点登录,一旦被攻击,那么你的所有属于CAS管理的业务系统都可以被自由访问或者都无法访问了。
所以具体具体采用何种方式还是需要开发团队和客户协商确认,以下说下如何修改配置,可以让cas使用http访问。
1.打开WEB-INF/spring-configuration/warnCookieGenerator.xml文件cookieSecure设置为false
<!-- cookieSecure设置为false,表示取消https限制,直接通过http访问 -->
<!-- cookieMaxAge设置为-1,表示cookie没有生命周期,新session需要重新认证 -->
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASPRIVACY"
p:cookiePath="/cas" />
2.打开WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml文件cookieSecure设置为false
<!-- cookieSecure设置为false,表示取消https限制,直接通过http访问 -->
<!-- cookieMaxAge设置为-1,表示cookie没有生命周期,新session需要重新认证 -->
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
3.打开WEB-INF/deployerConfigContext.xml文件requireSecure设置为false
<!-- requireSecure设置为false,表示取消https限制,直接通过http访问 wz -->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" p:requireSecure="false"/>
如果我们使用的是基于Filter在web.xml中的方式,至此使用HTTP协议就可以单点登录了。
如果我们使用的Java Core Object的方式,那么还需要进行的下面的步骤
4.打开文件SecureURL.java
/*
* Copyright (c) 2000-2003 Yale University. All rights reserved.
*
* THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
* DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* Redistribution and use of this software in source or binary forms,
* with or without modification, are permitted, provided that the
* following conditions are met:
*
* 1. Any redistribution must include the above copyright notice and
* disclaimer and this list of conditions in any related documentation
* and, if feasible, in the redistributed software.
*
* 2. Any redistribution must include the acknowledgment, "This product
* includes software developed by Yale University," in any related
* documentation and, if feasible, in the redistributed software.
*
* 3. The names "Yale" and "Yale University" must not be used to endorse
* or promote products derived from this software.
*/
package org.jasig.cas.client.corejavaobject.util;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* A class housing some utility functions exposing secure URL validation
* and content retrieval. The rules are intended to be about as restrictive
* as a common browser with respect to server-certificate validation.
*/
public class SecureURL {
private static Log log = LogFactory.getLog(SecureURL.class);
/**
* For testing only...
*/
public static void main(String args[]) throws IOException {
System.setProperty(
"java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
System.out.println(SecureURL.retrieve(args[0]));
}
/**
* Retrieve the contents from the given URL as a String, assuming the
* URL's server matches what we expect it to match.
*/
public static String retrieve(String url) throws IOException {
if (log.isTraceEnabled()){
log.trace("entering retrieve(" + url + ")");
}
BufferedReader r = null;
try {
URL u = new URL(url);
if (!u.getProtocol().equals("https")){
// IOException may not be the best exception we could throw here
// since the problem is with the URL argument we were passed, not
// IO. -awp9
log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
throw new IOException("only 'https' URLs are valid for this method");
}
URLConnection uc = u.openConnection();
uc.setRequestProperty("Connection", "close");
r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
String line;
StringBuffer buf = new StringBuffer();
while ((line = r.readLine()) != null)
buf.append(line + "\n");
return buf.toString();
} finally {
try {
if (r != null)
r.close();
} catch (IOException ex) {
// ignore
}
}
}
}
找到下面的部分
if (!u.getProtocol().equals("https")){
// IOException may not be the best exception we could throw here
// since the problem is with the URL argument we were passed, not
// IO. -awp9
log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
throw new IOException("only 'https' URLs are valid for this method");
}
相信大家应该明白了吧,只需要将此部分注释掉即可。
备注:cookieSecure都修改false,我们来看下其作用是什么?
Secure是Cookie的一个属性。
如果客户端仅在使用安全超文本传输协议 (HTTPS) 的后继请求中返回 Cookie,则为 true;否则为 false。默认为 false。
实际上,当此属性为 true 时,该 Cookie 只能通过 https:// 请求来发送。即使用http协议是无法传递Cookie的。
我们常用的是基于Filter在web.xml中的方式,所以步骤4基本不需要修改。