Overview
The official documentation is being migrated and is currently spread over the following locations:
- 老的文档 -> https://wiki.jasig.org/display/CASUM/Home
- github.io -> http://jasig.github.io/cas/4.0.x/index.html
- wiki -> https://github.com/Jasig/cas/wiki/Installation-Guide
- specification -> http://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html
Security Terminology
- Security principal: an entity that can be authenticated by a computer system or network. Principals can be individual people, computers, services, computational entities such as processes and threads, or any group of such things. They must be identified and authenticated before they can be assigned rights and privileges over resources in the network.
- Security credentials: a piece of evidence that a communicating party possesses that can be used to create or obtain a security token. Credentials are therefore typically longer-lived than security tokens, and a security token can be viewed as the runtime manifestation of the security credentials. Examples of credentials include a machine certificate (which can be converted into an X.509 security token at runtime) or a username/password pair for a domain (which can be used to obtain a Kerberos security token).
- Security policy: a definition of what it means to be secure for a system, organization or other entity.
- principal -> identity + role
- certification authority: self-certified, or a trusted third party like Verisign
- SSL: digital signatures certifying servers and clients; data confidentiality through encryption; data integrity through message authentication codes
Reference:
CAS Architecture and Design
System components
- CAS server
- CAS clients
CAS server includes three layered subsystems:
- Web(Spring MVC/Spring Webflow)
- Ticketing
- Authentication
Authentication components (deployerConfigContext.xml):
- AuthenticationManager: CAS ships with a single yet flexible authentication manager, PolicyBasedAuthenticationManager
- AuthenticationHandler
- PrincipalResolver
- PrincipalResolver Versus AuthenticationHandler: The principal resolution machinery provided by AuthenticationHandler components should be used in preference to PrincipalResolver in any situation where the former provides adequate functionality.
- AuthenticationMetaDataPopulator
Ticketing components:
- TicketRegistry(ticketRegistry.xml): Provides for durable ticket storage.
- ExpirationPolicy(ticketExpirationPolicies.xml): Provides a policy framework for ticket expiration semantics.
Logout and Single Logout (SLO):
- Application logout: ends a single application session
- CAS logout: ends the CAS SSO session
Service Management:
- The service management console is a Web application (cas-management-webapp) that may be deployed alongside CAS and provides a GUI to manage service registry data.
Reference
- http://jasig.github.io/cas/4.0.x/planning/Architecture.html
- Best entry point and source code
- Official documentation
- The main configuration is documented on the wiki (https://github.com/Jasig/cas/wiki/Installation-Guide)
CAS Protocol
The current CAS protocol is version 3.0, implemented by CAS server 4.0.
References:
CAS SSO Server Configuration
Non-secure Connection
You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.
References:
CAS SSO Client Configuration
Reference:
Design and Extension
Build using Maven War Overlay method
It is recommended to build and deploy CAS locally using the Maven War Overlay method. This approach does not require the adopter to explicitly download any version of CAS, but rather utilizes Maven’s overlay mechanism to combine CAS original artifacts and local customizations to further ease future upgrades and maintenance.
Design Tips
- You will need to ensure that any roles, privileges etc. are handled within the client application; mixing authentication and authorization is a bad idea.
Key and Certificate Management
keytool
reference:
CSR
Convert JKS file to pem/key for nginx
Create the certificate files used by the load balancer. Obtain from the responsible team the keystore file (my.jks), the keystore password (mypass) and the alias of the certificate, usually the IP address or domain name (myalias). The JKS file usually contains the server private key (server.key), the server certificate (server.crt) and the root certificate (ca.crt).
(1) Export to a PKCS12 file (my.p12) with Java's keytool. The following command is executed on a single line.
keytool -importkeystore -srckeystore my.jks -destkeystore my.p12 -srcstoretype JKS -deststoretype PKCS12 \
-srcstorepass mypass -deststorepass mypass -srcalias myalias -destalias myalias -srckeypass mypass -destkeypass mypass -noprompt
(2) Use openssl to convert the PKCS12 file (my.p12) into the pem file we need (my.pem)
openssl pkcs12 -in my.p12 -out my.pem -passin pass:mypass -passout pass:mypass
(3) Split my.pem and export the files the server configuration needs
my.pem actually contains everything the server needs for mutual (two-way) SSL certificate authentication; open my.pem to see all the keys and certificates. The commands to obtain the server.crt, server.key and ca.crt files used by the server configuration are, respectively:
openssl pkcs12 -in my.p12 -nodes -nocerts -out server.key
openssl pkcs12 -in my.p12 -nodes -nokeys -clcerts -out server.crt
openssl pkcs12 -in my.p12 -nodes -nokeys -cacerts -out ca.crt
(4) Configure NGINX
ssl on;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
# this line makes the certificate/protocol information available to the Java side
proxy_set_header X-Forwarded-Proto https;
(5) With the configuration above, every server restart prompts for the private key passphrase. To avoid this, strip the passphrase:
openssl rsa -in server.key -out server.key.unsecure
and change the NGINX configuration:
ssl_certificate_key /path/to/server.key.unsecure;
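The same procedure as a script, added here as an example (it is not taken from the notes above or from the CAS project): steps (1) to (5) become functions (keytool is only needed when you start from a JKS), a throwaway PKCS12 is built with openssl so the script can run without the real my.jks, and it ends with the two checks worth doing before pointing nginx at the files: the key matches the certificate, and the certificate chains to the extracted ca.crt. The file names, the host cas.example.test and the password mypass are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: automates steps (1)-(5) for a
# PKCS12 bundle and checks that what comes out is usable by nginx.
# Assumes openssl on PATH; keytool (a JDK) only for jks_to_p12. Names are examples.
set -e

# Step (1): JKS -> PKCS12 with keytool. Args: my.jks storepass alias my.p12
jks_to_p12() {
  keytool -importkeystore -srckeystore "$1" -destkeystore "$4" \
    -srcstoretype JKS -deststoretype PKCS12 \
    -srcstorepass "$2" -deststorepass "$2" -srckeypass "$2" -destkeypass "$2" \
    -srcalias "$3" -destalias "$3" -noprompt
}

# Steps (3) and (5): split the PKCS12 into server.key / server.crt / ca.crt and
# write a passphrase-free copy of the key. Args: my.p12 pass outdir
p12_to_pem() {
  p12=$1; pass=$2; out=$3
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nocerts -out "$out/server.key"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nokeys -clcerts -out "$out/server.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nokeys -cacerts -out "$out/ca.crt"
  # -nodes already wrote the key unencrypted; openssl rsa rewrites it as a plain
  # key without the Bag Attributes header, which is what server.key.unsecure is.
  openssl rsa -in "$out/server.key" -out "$out/server.key.unsecure" 2>/dev/null
  chmod 600 "$out/server.key" "$out/server.key.unsecure"   # only nginx (as root) needs it
}

# Check 1: the public key in server.crt must equal the one derived from the key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the cert nginx presents must chain to the ca.crt that was extracted.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# Constructed demo input (stands in for the my.jks/my.p12 from the PKI team):
# a throwaway CA, a server key + CSR signed by it, bundled into my.p12.
make_demo_p12() {
  d=$1; pass=$2
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
    -subj "/CN=cas.example.test" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/srv.crt" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.crt" -certfile "$d/ca.crt" \
    -name myalias -out "$d/my.p12" -passout "pass:$pass"
}

# Whole pipeline on the demo bundle; non-zero exit if any step or check fails.
run_demo() {
  work=$1
  make_demo_p12 "$work" mypass &&
  p12_to_pem "$work/my.p12" mypass "$work/out" &&
  key_matches_cert "$work/out/server.key.unsecure" "$work/out/server.crt" &&
  cert_chains_to_ca "$work/out/server.crt" "$work/out/ca.crt" &&
  ! grep -q ENCRYPTED "$work/out/server.key.unsecure"
}

run_demo "$(mktemp -d)" && echo "key, certificate and CA chain are consistent"
```

With a real bundle, run jks_to_p12 once and then p12_to_pem on its output; the two checks are the ones that catch the usual mistakes (wrong alias exported, CA certificate missing from the keystore) before nginx refuses to start or clients fail the handshake.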
References:
About “Remember Me”
Automatic login
References:
Single Sign Out
The URL is /logout?service=xxx; after logout, the browser is redirected to the address given by service.
If a service parameter is specified, the browser might be automatically redirected to the URL specified by service after the logout was performed by the CAS server. Whether redirection by the CAS server is actually performed depends on the server configuration. As an HTTP request parameter, the service value MUST be URL-encoded.
Change the CAS server configuration (cas.properties); by default it does not redirect:
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false
cas.logout.followServiceRedirects=true
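A small helper, added here as an example (not from the notes or the CAS project), for the two practical points above: the service value must be URL-encoded, and whether CAS redirects depends on cas.logout.followServiceRedirects. It percent-encodes the service URL in plain POSIX sh, builds the /logout URL, and pulls the Location header out of a response so you can tell which behaviour the server is configured for. The host names are placeholders and the sample responses are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the original notes. Host names are placeholders.
set -e

# Percent-encode every byte outside RFC 3986's unreserved set, in plain POSIX sh.
urlencode() {
  out=""
  for hex in $(printf '%s' "$1" | od -An -v -tx1); do
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)   # 0-9 A-Z a-z - . _ ~
        out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")" ;;
      *) out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
    esac
  done
  printf '%s' "$out"
}

# CAS 3.0 logout URL: <cas base>/logout?service=<encoded>. Args: CAS base URL, service URL
logout_url() {
  printf '%s/logout?service=%s' "$1" "$(urlencode "$2")"
}

# Read the redirect target from captured response headers on stdin, e.g. from
#   curl -sI "$(logout_url https://cas.example.test/cas https://app.example.test/)"
# Empty output means CAS stayed on its own logout page (followServiceRedirects=false).
redirect_target() {
  sed -n 's/^[Ll]ocation: *//p' | tr -d '\r'
}

# Constructed sample responses for the two settings (not captured from a real server).
FOLLOWED='HTTP/1.1 302 Found
Location: https://app.example.test/home?x=1&y=2
Content-Length: 0'
NOT_FOLLOWED='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

logout_url https://cas.example.test/cas 'https://app.example.test/home?x=1&y=2'; echo
printf 'followServiceRedirects=true  -> %s\n' "$(printf '%s\n' "$FOLLOWED" | redirect_target)"
printf 'followServiceRedirects=false -> %s\n' "$(printf '%s\n' "$NOT_FOLLOWED" | redirect_target)"
```

Encoding the whole service value matters because a service URL with its own query string (the ? x=1&y=2 above) would otherwise be split by CAS into separate request parameters and the redirect target would be truncated.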