Overview: this post walks through the steps for integrating CAS 4.0.0 with LDAP.
For CAS versions below 4.0 there are plenty of examples online; a quick search tells you how to configure it, and it is not hard. For 4.0, though, there are still very few examples, especially in Chinese, and with my level of English it took me a lot of time to work this out, so I have written it up below for anyone who needs it later.
Detailed steps:
Version 4.0.0 offers four ways to integrate LDAP; I chose the direct bind method.
1. Install LDAP on Windows. I won't go into detail here; follow this article and you will be fine: http://www.micmiu.com/enterprise-app/sso/openldap-windows-config/
2. Configure the certificate: generate the certificate -> export the certificate -> import the certificate into the JDK. Run the following three commands in cmd:
keytool -genkey -alias tomcat -keyalg RSA -storepass changeit -keystore d:\keys\.keystore -validity 3600
keytool -export -trustcacerts -alias tomcat -file d:\keys\tomcat.cer -keystore d:\keys\.keystore -storepass changeit
keytool -import -trustcacerts -alias tomcat -file d:\keys\tomcat.cer -keystore "D:\Program Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -storepass changeit
For the details see this article: http://www.micmiu.com/enterprise-app/sso/sso-cas-sample/ I won't repeat them here.
3. Download cas-server-4.0.0-release.zip
4. Unzip cas-server-4.0.0-release.zip, take cas-server-webapp-4.0.0.war out of the modules folder, rename it to cas.war (purely for convenience, so the context path is /cas) and copy it into Tomcat's webapps folder.
5. Change the 8443 connector in Tomcat's server.xml to the following:
<!-- keystoreFile: where your keystore is stored;
     keystorePass: the keystore password, which must match the -storepass used in step 2 (changeit) -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="d:/keys/.keystore"
           keystorePass="changeit" />
Everything up to this point is no different from earlier versions; what follows is the important part.
Download the following jars and put them into the lib folder of the cas webapp (WEB-INF/lib):
cas-server-support-ldap-4.0.0.jar
spring-ldap-core-2.0.2.RELEASE.jar
ldaptive-1.0.5.jar
Integrating CAS with LDAP:
As with CAS versions below 4.0, integrating LDAP only requires editing deployerConfigContext.xml, but in the earlier versions all you had to change was the authenticationManager configuration. If you are interested, have a look at this link: http://www.micmiu.com/enterprise-app/sso/sso-cas-ldap-auth/
In 4.0 there is a great deal more to add. The first thing is to change the authentication entry point:
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <!--
            | IMPORTANT
            | Every handler requires a unique name.
            | If more than one instance of the same handler class is configured, you must explicitly
            | set its name to something other than its default name (typically the simple class name).
            -->
            <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
            <!-- the default entry point is commented out:
            <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->
            <!-- new entry point for LDAP authentication -->
            <entry key-ref="ldapAuthHandler" value-ref="proxyPrincipalResolver"/>
        </map>
    </constructor-arg>
    <!-- the rest of this bean definition stays as shipped -->
</bean>
Next, add the LDAP configuration itself. You can copy the code below straight into your deployerConfigContext.xml and change the parameters to match your own setup.
<bean id="ldapAuthHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
            | This map provides a simple attribute resolution mechanism.
            | Keys are LDAP attribute names, values are CAS attribute names.
            | Use this facility instead of a PrincipalResolver if LDAP is
            | the only attribute source.
            -->
            <entry key="member" value="member" />
            <entry key="mail" value="mail" />
            <entry key="uid" value="uid" />
        </map>
    </property>
</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler" />

<!--
| The following DN format works for many directories, but may need to be
| customized.
-->
<!-- adjust the format to your own directory layout -->
<bean id="dnResolver"
      class="org.ldaptive.auth.FormatDnResolver"
      c:format="uid=%s,ou=Developer,dc=micmiu,dc=com" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="pooledLdapConnectionFactory" />

<bean id="pooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="connectionPool" />

<bean id="connectionPool"
      class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="3000"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy"
      p:connectionFactory-ref="connectionFactory" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="3"
      p:maxPoolSize="10"
      p:validateOnCheckOut="false"
      p:validatePeriodically="true"
      p:validatePeriod="300" />

<bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="connectionConfig" />

<!-- Adjust the URL and timeout to your own LDAP server. Note that a plain ldap:// URL with
     useStartTLS="false" sends each user's bind password to the directory in cleartext; for anything
     beyond a test setup use ldaps:// or useStartTLS="true" with a trusted server certificate. -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="ldap://192.168.1.183:389"
      p:connectTimeout="3000"
      p:useStartTLS="false"
      p:sslConfig-ref="sslConfig" />

<!-- Certificate path. This sslConfig is only consulted for ldaps:// or StartTLS connections, and
     X509CredentialConfig expects a PEM/DER certificate file (the LDAP server's certificate), not a
     JKS keystore; a keystore would go in org.ldaptive.ssl.KeystoreCredentialConfig instead. -->
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
        <bean class="org.ldaptive.ssl.X509CredentialConfig"
              p:trustCertificates="d:/keys/.keystore" />
    </property>
</bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="300"
      p:idleTime="600" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
Once all of the above is configured, start your Tomcat and open https://localhost:8443/cas/login to see the result.
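As an added check that is not part of the original post, the same resolver and bind handler chain (FormatDnResolver feeding a bind handler) can be driven directly from a small ldaptive 1.0.x program before Tomcat is started, which separates directory problems from CAS wiring problems. It uses the server URL and DN format from the config above; the test account and password are placeholders, and it goes one step further than the XML by explicitly rejecting empty passwords.

```java
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.BindAuthenticationHandler;
import org.ldaptive.auth.FormatDnResolver;

// Stand-alone check of the direct-bind chain configured in deployerConfigContext.xml.
// Not part of the post or of CAS; the DN format and URL are taken from the post's config.
public class LdapBindCheck {

    static final String LDAP_URL = "ldap://192.168.1.183:389";              // from the post
    static final String DN_FORMAT = "uid=%s,ou=Developer,dc=micmiu,dc=com"; // from the post

    static Authenticator buildAuthenticator() {
        ConnectionConfig cc = new ConnectionConfig(LDAP_URL);
        cc.setConnectTimeout(3000L); // same timeout as the XML config
        DefaultConnectionFactory cf = new DefaultConnectionFactory(cc);
        // FormatDnResolver builds "uid=<login>,ou=Developer,..." and the handler binds with it
        return new Authenticator(new FormatDnResolver(DN_FORMAT), new BindAuthenticationHandler(cf));
    }

    /** Returns true only when the directory accepted a bind for the resolved DN. */
    static boolean authenticate(Authenticator auth, String uid, String password) throws LdapException {
        // A simple bind with an empty password is an unauthenticated (anonymous) bind on
        // many directories and "succeeds", so it must never count as a valid login.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        System.out.println("resolved DN: " + auth.resolveDn(uid));
        // Ask for the same attributes the principalAttributeMap in the XML maps into CAS.
        AuthenticationRequest req =
            new AuthenticationRequest(uid, new Credential(password), "uid", "mail", "member");
        AuthenticationResponse resp = auth.authenticate(req);
        if (!resp.getResult()) {
            System.out.println("bind rejected, result code: " + resp.getResultCode());
        }
        return resp.getResult();
    }

    public static void main(String[] args) throws LdapException {
        // placeholder account; replace with an entry that exists under ou=Developer
        boolean ok = authenticate(buildAuthenticator(), "testuser", "testpassword");
        System.out.println(ok ? "LDAP bind OK" : "LDAP bind FAILED");
    }
}
```

Run it with ldaptive-1.0.5.jar on the classpath; a rejected bind with a correct password usually means the DN format, not the CAS configuration, is wrong.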