JEESZ distributed framework single sign-on integration solution

Section 1: Introduction to single sign-on

Step 1: Understand single sign-on

SSO has two main characteristics: the participating applications communicate over standard Web protocols (such as HTTPS), and there is only one login portal.

There are three roles in an SSO system:

1) Users (multiple)

2) Web applications (multiple)

3) SSO authentication center (one)

An SSO implementation rests on the following three principles:

1) All logins are performed at the SSO authentication center.

2) The SSO authentication center has some way of telling each Web application whether the user currently accessing it has been authenticated.

3) A trust relationship is established between the SSO authentication center and every Web application.

The Central Authentication Service (CAS) is a Java open source project initiated by Yale University to build Web SSO.

1. CAS terms:

SSO - Single Sign-On

TGT - Ticket Granting Ticket: the ticket that represents the user's authenticated identity

ST - Service Ticket: the ticket that grants the user access to one service

TGC - Ticket Granting Cookie: the browser cookie that stores the user's identity authentication credential (the TGT)

Step 2: Understand the single sign-on architecture

1) The CAS Server authenticates user information. When deployed independently, the CAS Server is the component that processes credentials such as user names and passwords.

2) The CAS Client is deployed with each client Web application. When a request for a protected resource of the local Web application needs authentication, the client redirects the request to the CAS Server for authentication.

Step 3: Single sign-on environment preparation

1) cas-server-3.5.0-release.zip (CAS server)

2) cas-client-3.3.3-release.zip (CAS client)

3) apache-tomcat-7.0.40

4) cas-client-core-3.2.1.jar

5) cas-server-core-3.5.0.jar

6) cas-server-support-jdbc-3.5.0.jar

Section 2: Single sign-on environment setup and deployment

Step 1: Environment deployment

1. Generate a certificate with the Java JDK (three steps)

The certificate is essential to this single sign-on setup: it is what secures communication between the server and the client. This tutorial is only a demonstration, so it uses the JDK's certificate generation tool, keytool, throughout.

In a real project you can of course buy a certificate from a commercial certificate authority instead.

Chinese official website: www.verisign.com/cn/

Use the keytool shipped with the JDK to generate the certificate.

Step 1 Generate the certificate:

keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard

Note: Enter the requested information to generate the certificate. For "first and last name" it is best to enter your domain name; for a local test you can map a virtual domain name in C:\Windows\System32\drivers\etc\hosts.

Do not enter an IP address.

Step 2 Export the certificate:

keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard

Step 3 Import the certificate into the trust store of the JDK installation directory:

keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts

2. Decompress the cas-server-3.5.0-release.zip file.

Take cas-server-3.5.0-release\cas-server-3.5.0\modules\cas-server-webapp-3.5.0.war, rename it cas.war and copy it to the webapps directory under the Tomcat root directory.

The diagram below:

3. Add the following entry to the hosts file (C:\Windows\System32\drivers\etc):

127.0.0.1 jeesz.cn (configure your own domain name)

Note: if you want to simulate this single sign-on on one PC, you must use domain-name redirection like this. If you simulate it on multiple PCs, you can skip this configuration.

4. Modify server.xml in the Tomcat conf directory (apache-tomcat-7.0.40\conf\server.xml) as follows.

In server.xml, find the HTTPS connector (it is commented out by default):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

Change it to the following (keystoreFile points at the keystore created above and keystorePass is the password you gave keytool):

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="C:/common/keys/keycard"
           keystorePass="xxxxxx"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

5. Start the Tomcat service and watch the console output (if an error occurs, locate it from the messages). Open a browser and enter jeesz.cn:8080/cas.

Note: this is the simplest CAS service: as long as the user name and password you enter are identical, you can log in. In real development the authentication is checked against the database, so next we configure database verification.

Step 2: Configure database authentication

1. In the apache-tomcat-7.0.2\webapps\cas\WEB-INF directory, open deployerConfigContext.xml and find the following code:

Add the following code:

2. Add the dataSource bean in deployerConfigContext.xml (the same file as above). Add the following code below it; the connection properties are:

driverClassName: com.mysql.jdbc.Driver

url: jdbc:mysql://127.0.0.1:3306/sso

username: root

3. In MySQL, create the user table: create table t_user

4. Add the JAR packages cas-server-core-3.5.0.jar and cas-server-support-jdbc-3.5.0.jar to the apache-tomcat-7.0.2\webapps\cas\WEB-INF\lib directory.

5. Restart Tomcat, open the browser, enter jeesz.cn:8080/ and log in with a user name and password from the database. If the following dialog box is displayed, the configuration is successful.

Now that our CAS server is configured, let’s configure the client

Section 3: Configuring your Own Web Project (Client)

1. Add the following entries to the hosts file:

127.0.0.1 www.sso1.com

127.0.0.1 www.sso2.com

Note: it is best not to use a domain name that already exists on the Internet, otherwise you will no longer be able to reach the real address.

If you want to simulate single sign-on (SSO) on one PC, you must use domain-name redirection. If you simulate SSO on multiple PCs, you do not need it: you can use the IP addresses of the corresponding PCs instead.

2. Create the directories sso1 and sso2 in the Tomcat root directory, for example:

Create two Web projects in Eclipse, named sso1 and sso2.

3. Add cas-client-core.jar and commons-logging-1.1.jar to the lib directory of the sso1 and sso2 projects respectively (unzip cas-client-3.2.0-release.zip and find the JAR packages under cas-client-3.2.0-release\cas-client-3.2.0\modules).

4. Modify web.xml in sso1. Add the following code:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.core.busi.other.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

5. Modify web.xml in sso2. Add the following code:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

6. Edit the index.jsp pages of sso1 and sso2 and paste in the following code:

sso1 index.jsp:

This is www.sso1.com

Hello, I am SSO1 page:

<%= request.getRemoteUser() == null ? "null" : request.getRemoteUser() %>

sso2 index.jsp:

This is www.sso2.com

Hello, I am SSO2 page:

<%= request.getRemoteUser() == null ? "null" : request.getRemoteUser() %>
7. Publish the projects to the Tomcat server through Eclipse. Under Tomcat's webapps directory, find the sso1 and sso2 folders and copy all the files under each; then, under the sso1 and sso2 directories in the Tomcat root, create a ROOT directory in each and paste the copied files into it.

Add the following code to the server.xml file in Tomcat:

8. Restart Tomcat, open the browser, enter www.sso1.com:8080 and enter the user name and password.

When you type www.sso1.com:8080 into the browser you will find it jumps back to the login page. Don't worry: open ticketGrantingTicketCookieGenerator.xml under apache-tomcat-7.0.40/cas/ROOT/WEB-INF/spring-configuration, find p:cookieSecure="true" and change it to p:cookieSecure="false", then restart Tomcat and test again. This setting controls the Secure flag on the TGC: with it set, the browser only sends the ticket-granting cookie over HTTPS and never presents it to CAS over plain HTTP. Clearing it is acceptable for a demo like this one; a real deployment keeps cookieSecure="true" and serves CAS over HTTPS only.

Note: in the previous steps only the user name was returned; that is what the CAS server returns by default.
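The two messages behind the CASValidationFilter settings above (casServerUrlPrefix and serverName), as an added example that is not code from the page or the JEESZ project: the /serviceValidate request the client builds once the browser comes back with ?ticket=ST-..., and the reply it has to interpret. The two sample replies are constructed, and build_validate_url and parse_service_validate are names chosen here.

```python
# Added example (not code from the page or the JEESZ project): the request the
# CASValidationFilter sends and the /serviceValidate reply it parses. The two
# sample replies are constructed; the function names are chosen here.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed /serviceValidate replies: a valid ST, and a ticket that was
# already consumed or has expired (the INVALID_TICKET failure code).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(cas_server_url_prefix, server_name, path, ticket):
    """The service value is rebuilt from serverName plus the request path
    (without the ticket), so serverName must match the URL the CAS server
    saw at login or validation fails with INVALID_SERVICE."""
    service = server_name.rstrip("/") + path
    query = urlencode({"service": service, "ticket": ticket})
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + query


def parse_service_validate(body):
    """Return {"ok": True, "user": name} or {"ok": False, "code": ..., "message": ...}.
    Anything unexpected counts as failure, the safe default for an auth decision."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "code": "PARSE_ERROR", "message": str(exc)}
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        return {"ok": False, "code": "NOT_CAS", "message": root.tag}
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        user = (success.findtext("{%s}user" % CAS_NS) or "").strip()
        if user:
            return {"ok": True, "user": user}
        return {"ok": False, "code": "NO_USER", "message": "no cas:user element"}
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "UNKNOWN", "message": "no result element"}
```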

Section 4: Modify the single sign-on default interface

Step 1: Locate the default pages

Open the CAS project and go to G:\SoftWare\tomcat\apache-tomcat-7.0.2\apache-tomcat-7.0.2\webapps\cas\WEB-INF\view\jsp\default. Make a copy of it in G:\SoftWare\tomcat\apache-tomcat-7.0.2\apache-tomcat-7.0.2\webapps\cas\WEB-INF\view\jsp\ and rename the copy.

Step 2: Modify the default login page

Name the copy mydefault, as shown below:

Then go to apache-tomcat-7.0.2\webapps\cas\WEB-INF\classes.

Make a copy of default_views.properties and rename it mydefault_views.properties. Edit its contents, changing every default in the paths to mydefault. Then edit cas.properties under WEB-INF and change the value of cas.viewResolver.basename to mydefault_views:

cas.viewResolver.basename=mydefault_views

To modify the login interface, simply modify casLoginView.jsp.

Section 5: Single sign-off configuration

Step 1: Configure single sign-on listeners and filters

In the sso1 and sso2 projects under Tomcat, add the following code to web.xml:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note: this code must be placed above the other filters in web.xml, so that the single sign-out filter runs first.

Add the following logout link to the index.jsp page of sso1 and sso2:

<a href="http://jeesz.cn:8080/logout">Single sign-out</a>

3. Restart Tomcat, visit jeesz.cn:8080/ and click the single sign-out link. If it succeeds…

Usually a logout should return to the login page of the project it started from, so CAS needs the following extra configuration:

1. Modify the cas-servlet.xml configuration (apache-tomcat-7.0.40\cas\ROOT\WEB-INF) on the server, find the bean definition and add the attribute p:followServiceRedirects="true" to it.

sso1, sso2 index.jsp:

sso1: jeesz.cn:8080/logout?serv…

sso2: jeesz.cn:8080/logout?serv…

Restart Tomcat. The test is normal.
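The single sign-out exchange configured above, as an added example (not code from the page or the JEESZ project): when the user clicks the logout link, the CAS server POSTs a logoutRequest parameter to every service that received a service ticket, and the client must map the ST named in it back to the local session it created. SessionRegistry is a name chosen here for that ticket-to-session map, and the LogoutRequest body is constructed.

```python
# Added example (not code from the page or the JEESZ project) modelling the
# single sign-out callback. SessionRegistry is a name chosen here; the
# LogoutRequest below is constructed in the CAS 3.x format.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed: value of the logoutRequest form parameter the CAS server POSTs
# to each service when the user clicks the single sign-out link.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-example" Version="2.0" IssueInstant="2015-10-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionRegistry:
    """Remembers which service ticket (ST) created each local session. This is
    why SingleSignOutFilter must be first in web.xml: it has to see the
    ?ticket= request that creates the session to be able to map the ST later."""

    def __init__(self):
        self.by_ticket = {}   # ST -> session id
        self.sessions = {}    # session id -> attributes

    def record_login(self, ticket, session_id, user):
        self.by_ticket[ticket] = session_id
        self.sessions[session_id] = {"user": user}

    def is_logged_in(self, session_id):
        return session_id in self.sessions

    def handle_logout_request(self, logout_request_xml):
        """Invalidate the session bound to SessionIndex; returns its id, or None
        for an unknown or already-used ticket (a replayed request is harmless)."""
        try:
            root = ET.fromstring(logout_request_xml)
        except ET.ParseError:
            return None
        if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
            return None
        ticket = (root.findtext("{%s}SessionIndex" % SAMLP_NS) or "").strip()
        session_id = self.by_ticket.pop(ticket, None)
        if session_id is None:
            return None
        self.sessions.pop(session_id, None)
        return session_id


def demo():
    """Login on sso1 with ST-1-abc, then the CAS server's logout callback for it."""
    reg = SessionRegistry()
    reg.record_login("ST-1-abc", "JSESSIONID-sso1", "alice")
    removed = reg.handle_logout_request(LOGOUT_REQUEST)
    replay = reg.handle_logout_request(LOGOUT_REQUEST)
    return removed, replay, reg.is_logged_in("JSESSIONID-sso1")
```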

Section 6: Multi-project integration single sign-on configuration

Step 1: Single sign-on system integration with other projects

Add the following configuration to web.xml in the WEB-INF directory of your Web project.

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso3.com:6060</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso3.com:6060</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

After SSO authentication completes, if the client system needs to receive the result returned by the SSO system, define a filter that obtains and processes that result.

Note: if no processing is required, this filter can be omitted.

package com.common.web.filter;

import java.io.IOException;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import com.common.base.pbi.CommonConstants;
import com.common.base.util.DateUtil;
import com.common.base.util.IDUtil;
import com.common.base.util.IPUtil;
import com.common.base.util.UserUtil;
import com.common.core.busi.historylogin.manager.HistoryLoginManager;
import com.common.core.busi.login.manager.LoginManager;
import com.common.entity.common.AbstractEntity;
import com.common.entity.historylogin.HistoryLoginEntity;
import com.common.entity.user.UserEntity;

/**
 * After a successful login at the SSO system, the CAS client filters expose the
 * login user ID; this filter loads that user and establishes the session for it.
 *
 * @ClassName: SSO4InvokeContextFilter
 * @author jeesz
 * @date 2015-10-01
 */
public class SSO4InvokeContextFilter implements Filter {

    private static final Log log = LogFactory.getLog(SSO4InvokeContextFilter.class);

    private WebApplicationContext applicationContext;

    public SSO4InvokeContextFilter() {
        super();
    }

    /**
     * Called when the filter is taken out of service.
     */
    public void destroy() {
        // Nothing to clean up for the time being.
    }

    /**
     * Look up the user by the user name asserted by CAS, put the user information
     * into the session and record the login, then continue the filter chain.
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();

        // Get the login user from the session.
        Object userObject = session.getAttribute(CommonConstants.USER_INFO_SESSION);
        if (userObject == null) {
            // The CAS filters mapped before this one store the assertion; without it
            // the request is not authenticated, so no session is built for it.
            Assertion assertion = AssertionHolder.getAssertion();
            if (assertion == null) {
                chain.doFilter(request, response);
                return;
            }
            // Get the user name returned by the CAS server.
            String userName = assertion.getPrincipal().getName();
            // Query the user information by user name and add it to the session.
            LoginManager loginManager = applicationContext.getBean(LoginManager.class);
            UserEntity userEntity = loginManager.loginByUserName(userName);
            if (userEntity == null) {
                log.warn("UserName:[" + userName + "] was authenticated by CAS but does not exist in this system.");
                chain.doFilter(request, response);
                return;
            }
            session.setAttribute(CommonConstants.USER_INFO_SESSION, userEntity);
            session.setAttribute(CommonConstants.IS_SYSTEM_ADMIN, userEntity.getUserType() == 1);
            UserUtil.setLoginUserInfo(userEntity);
            log.info("UserName:[" + userName + "] login succeeds. The client IP address is ["
                    + IPUtil.getIpAddr(request) + "]. [" + DateUtil.dateToString(new Date()) + "]");

            // Add a login history record.
            HistoryLoginEntity historyLoginEntity = new HistoryLoginEntity();
            historyLoginEntity.setUserId(userName);
            historyLoginEntity.setHid(IDUtil.generateId());
            historyLoginEntity.setLoginCount("1");
            setCommonValue(request, historyLoginEntity);
            boolean hlBol = applicationContext.getBean(HistoryLoginManager.class).addLoginRecord(historyLoginEntity);
            log.debug("Login history [" + (hlBol ? "success" : "failure") + "].");
        }
        chain.doFilter(request, response);
    }

    /**
     * Set the common audit properties (creator, modifier and their timestamps)
     * from the user currently held in the session.
     */
    private void setCommonValue(HttpServletRequest request, AbstractEntity entity) {
        if (request != null && entity != null) {
            // Get the current user.
            UserEntity userEntity = (UserEntity) request.getSession().getAttribute(CommonConstants.USER_INFO_SESSION);
            if (userEntity != null) {
                String currUser = userEntity.getUserId();
                // Set the creator, creation date, modifier and modification time.
                entity.setCreatedBy(currUser);
                entity.setModifiedBy(currUser);
                entity.setCreationDate(DateUtil.getNowDate());
                entity.setModifiedDate(DateUtil.getNowDate());
            }
        }
    }

    /**
     * Initialize the Spring context.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.applicationContext = WebApplicationContextUtils.getWebApplicationContext(filterConfig.getServletContext());
    }
}

For more detailed source code, friends who want to understand the framework's technology or source code can contact: 2042849237