I am currently configuring my CAS Server v5.0.2 to use Database Authentication, particularly using the Encode method, using the CAS properties file. Below are the relevant property configurations from the properties file:
cas.authn.jdbc.encode[0].sql=SELECT * FROM public.vt_user WHERE email=?
cas.authn.jdbc.encode[0].driverClass=org.postgresql.Driver
cas.authn.jdbc.encode[0].url=jdbc:postgresql://localhost:5432/tracking
cas.authn.jdbc.encode[0].user=postgres
cas.authn.jdbc.encode[0].password=postgres
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].passwordFieldName=password
cas.authn.jdbc.encode[0].healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.TABLES
cas.authn.jdbc.encode[0].numberOfIterations=1
cas.authn.jdbc.encode[0].numberOfIterationsFieldName=
cas.authn.jdbc.encode[0].staticSalt=
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].dialect=org.hibernate.dialect.PostgreSQLDialect
cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-1
The database I am connecting with is a PostgreSQL DB. The passwords were previously encoded using Spring Security's 3.2.5 ShaPasswordEncoder with the default strength which is SHA-1 plus a salt value. I have tested the CAS DB Authentication configuration by entering valid credentials in the CAS Server's default login page, but authentication always fail and return "Invalid credentials." Additionally, I am already aware that the 3.2.5 ShaPasswordEncoder is deprecated, but I am not planning to change it's implementation. The logs show that the username can be successfully queried from the user table, but the passwords from the table and the input don't match.
Right now I am looking for any approach on resolving this issue. I am still relatively new to CAS, and I really appreciate the much needed help. Thanks!
解决方案
I resolved this issue by modifying the QueryAndEncodeDatabaseAuthenticationHandler.java file from the cas-server-upport-jdbc dependency (of the same CAS version) to use Spring Security's ShaPasswordEncoder instead of the one used by CAS which is Apache Shiro's default hash service.
Specifically, what I did was to add the modified java file (plus the AbstractJdbcUsernamePasswordAuthenticationHandler.java) inside the CAS maven overlay that I'm using inside the src/main/java/org/apereo/cas/adaptors/jdbc directory. The relevant function that I modified inside the java file is named digestEncodedPassword. I commented out the original lines of code and replaced it with my implementation of the ShaPasswordEncoder. The custom source code should be compiled alongside when building CAS.
258
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
