JEESZ distributed framework single sign-on integration solution

Section 1: Introduction to single sign-on

Step 1: Understand single sign-on

The main features of SSO are as follows: SSO applications use Web protocols (such as HTTPS), and there is only one login entry point.

There are three roles in the SSO system:

  1. The User (multiple)

  2. Web applications (multiple)

  3. SSO authentication center (one)

An SSO implementation contains the following three principles:

  1. All logins are performed at the SSO authentication center.

  2. The SSO authentication center has several ways to tell a Web application whether the user currently accessing it is an authenticated user.

  3. The SSO authentication center establishes a trust relationship with all Web applications.

The Central Authentication Service (CAS) is an open-source Java project initiated by Yale University for building Web SSO.

1. CAS terms:

SSO (Single Sign-On): single sign-on.

TGT (Ticket Granting Ticket): the ticket that represents a user's authenticated identity on the CAS server.

ST (Service Ticket): the ticket that licenses access to one service.

TGC (Ticket Granting Cookie): the cookie in which the user's identity authentication credential is stored.

Step 2: Understand the single sign-on architecture

  1. The CAS Server authenticates user information. It is deployed independently and processes credentials such as user names and passwords.

  2. The CAS Client is deployed with each client application. When a request for a protected resource of the local Web application needs to be authenticated, the request is redirected to the CAS Server for authentication.
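As an added example (not code from this page or from the JEESZ or CAS projects), the following Python model shows the CAS 2.0 exchange that the architecture above and the CASValidationFilter configured later rely on: the CAS server issues a service ticket (ST) only when the browser presents a valid TGC, the ST is bound to one service, expires and is consumed on first use, and the client application accepts a user only from a successful serviceValidate reply. Class and function names (CasServer, issue_st, service_validate, parse_service_response) are my own, and the HTTP redirects and transport are left out.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

class CasServer:
    """Toy CAS server: TGT behind the TGC cookie; STs are short-lived, single-use and service-bound."""
    def __init__(self, st_ttl=10.0):
        self.tgts = {}     # TGC cookie value -> username (the SSO session / TGT)
        self.tickets = {}  # ST -> (username, service, issued_at)
        self.st_ttl = st_ttl

    def login(self, username):
        """Credential check succeeded at /cas/login: create a TGT and return the TGC cookie value."""
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgts[tgc] = username
        return tgc

    def issue_st(self, tgc, service, now=None):
        """Browser hits /cas/login?service=... with its TGC: returns the ST the browser is
        redirected back with (service?ticket=ST), or None when there is no SSO session."""
        user = self.tgts.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.time() if now is None else now)
        return st

    def service_validate(self, service, ticket, now=None):
        """/cas/serviceValidate?service=...&ticket=...: consumes the ST and answers with CAS 2.0 XML."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)  # pop: a replayed ST is no longer known
        if entry is None or now - entry[2] > self.st_ttl:
            return _failure("INVALID_TICKET", "ticket %s not recognized" % escape(ticket))
        user, bound_service, _ = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued for another service")
        return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationSuccess>'
                '<cas:user>%s</cas:user></cas:authenticationSuccess></cas:serviceResponse>' % (CAS_NS, escape(user)))

def _failure(code, message):
    return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationFailure code="%s">%s'
            '</cas:authenticationFailure></cas:serviceResponse>' % (CAS_NS, code, escape(message)))

def parse_service_response(xml_text):
    """Client side, as Cas20ProxyReceivingTicketValidationFilter does: returns (user, failure_code)."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    if user is not None:
        return user.text, None
    failure = root.find("cas:authenticationFailure", NS)
    return None, (failure.get("code") if failure is not None else "UNPARSEABLE")
```

The client must treat anything other than an authenticationSuccess element as "not logged in"; with exceptionOnValidationFailure=false, as configured below, the real filter does exactly that and lets the AuthenticationFilter redirect to the login page again.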

Step 3: Single sign-on environment preparation

  1. cas-server-3.5.0-release.zip (CAS server)

  2. cas-client-3.3.3-release.zip (CAS client)

  3. Apache Tomcat 7.0.40

  4. cas-client-core-3.2.1.jar

  5. cas-server-core-3.5.0.jar

  6. cas-server-support-jdbc-3.5.0.jar

Section 2: Single sign-on environment setup and deployment

Step 1: Environment deployment

  1. Generate certificate trilogy using Java JDK

The certificate is essential for this single sign-on setup: it is what secures the communication between the server and the client. Because this tutorial is only a demonstration, it uses the JDK's certificate generation tool, keytool, throughout.

In a real project you would instead buy a certificate from a certificate authority.

Chinese official website: http://www.verisign.com/cn/

Use the keytool delivered with the JDK to generate the certificate.

Step 1 Generate the certificate:

keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard

Note: Enter the requested information to generate the certificate. For the first and last name, enter your domain name, because the CAS client checks the certificate name against the host name in the CAS server URL. For testing you can map a virtual domain name in C:\Windows\System32\drivers\etc\hosts.

Do not enter an IP address.

Step 2 Export the certificate:

keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard

Step 3 Import the certificate into the JDK installation directory:

keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts

  2. Unzip cas-server-3.5.0-release.zip

In cas-server-3.5.0-release\modules, find cas-server-webapp-3.5.0.war, rename it cas.war, and copy it to the webapps directory under the Tomcat root directory.

  3. Add the following entry to the hosts file (C:\Windows\System32\drivers\etc\hosts):

127.0.0.1 jeesz.cn (configure your own domain name)

Note: If you want to simulate this single sign-on on one PC, you must use this domain name mapping. If you simulate it on multiple PCs, you can skip this configuration.

  4. Add the following to server.xml (apache-tomcat-7.0.40\conf\server.xml) in Tomcat:

In server.xml, find the HTTPS Connector element, whose definition ends with:

    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

Change it to the following:

<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="C:/common/keys/keycard"
    keystorePass="xxxxxx"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
/>

keystorePass is the password you chose when generating the keystore with keytool.

  5. Start the Tomcat service and check the output (if an error occurs, locate it from the log). Open the browser and enter http://jeesz.cn:8080/cas.

Note: This is the simplest CAS service: as long as the user name and password are the same, the login succeeds. In real development the credentials are checked against the database, so next we configure database authentication.

Step 2: Configure database authentication

1. In apache-tomcat-7.0.2\webapps\cas\WEB-INF, open deployerConfigContext.xml and find the following code:

Add the following code:

2. Add a dataSource to deployerConfigContext.xml (the same file as above).

Add the following code below it, with these values:

driver class: com.mysql.jdbc.Driver

URL: jdbc:mysql://127.0.0.1:3306/sso

user name: root

3. In MySQL, create the table t_user.

4. Add the jar packages (cas-server-core-3.5.0.jar, cas-server-support-jdbc-3.5.0.jar) to the apache-tomcat-7.0.2\webapps\cas\WEB-INF\lib directory.

5. Restart Tomcat, open the browser, enter http://jeesz.cn:8080/ and log in with a user name and password from the database. If the following page is displayed, the configuration is successful.

Now that our CAS server is configured, let’s configure the client

Section 3: Configuring your Own Web Project (Client)

1. Add the following code to the host file:

127.0.0.1 www.sso1.com

127.0.0.1 www.sso2.com

Note: It is best not to use a domain name that exists on the Internet, otherwise you will not be able to reach the address.

If you want to simulate single sign-on (SSO) on one PC, you must use this domain name mapping. If you simulate SSO on multiple PCs, you do not need the mapping and can use the IP addresses of the corresponding PCs instead.

2. Create the directories sso1 and sso2 in the Tomcat root directory, for example:

3. Add cas-client-core.jar and commons-logging-1.1.jar (unzip cas-client-3.2.0-release.zip and find the jar packages in cas-client-3.2.0-release\modules) to the lib directories of the sso1 and sso2 projects respectively.

4. Modify web.xml in sso1 and add the following code:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.core.busi.other.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

5. Modify web.xml in sso2 and add the following code (the same as for sso1, with serverName changed to www.sso2.com):

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

6. Edit the index.jsp pages of sso1 and sso2 and add the following code:

sso1 index.jsp:

This is www.sso1.com

Hello, I am the SSO1 page:

<%= request.getRemoteUser() == null ? "null" : request.getRemoteUser() %>

sso2 index.jsp:

This is www.sso2.com

Hello, I am the SSO2 page:

<%= request.getRemoteUser() == null ? "null" : request.getRemoteUser() %>

7. Publish to the Tomcat server through Eclipse. Under Tomcat\webapps, find the sso1 and sso2 folders and copy all of their files. Then, under the Tomcat root directory, find the sso1 and sso2 directories created in step 2, create a ROOT directory under each, and paste the copied files there.

Add the following code to the server.xml file in Tomcat:

8. Restart Tomcat, open the browser, enter www.sso1.com:8080, and enter the user name and password.

When you type www.sso1.com:8080 into the browser, you will find that it jumps back to the login page. Don't worry: open apache-tomcat-7.0.40\cas\ROOT\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml, find p:cookieSecure="true", change it to p:cookieSecure="false", restart Tomcat and test again. (With cookieSecure="true" the browser sends the TGC only over HTTPS, so the CAS server never receives it on the plain-HTTP port 8080. Setting it to false is only suitable for this local demo, because the TGC is the user's SSO credential and would then travel over unencrypted HTTP.)

Note: In the steps above only the user name was returned; that is what the CAS server returns by default.

Section 4: Modify the single sign-on default interface

Step 1: Locate the page

Open the CAS project, go to G:\SoftWare\tomcat\apache-tomcat-7.0.2\apache-tomcat-7.0.2\webapps\cas\WEB-INF\view\jsp\default, make a copy of that directory and rename the copy inside G:\SoftWare\tomcat\apache-tomcat-7.0.2\apache-tomcat-7.0.2\webapps\cas\WEB-INF\view\jsp\.

Step 2: Modify the default login page

Name the copy mydefault, as shown below:

Then, in apache-tomcat-7.0.2\webapps\cas\WEB-INF\classes, make a copy of default_views.properties and rename it mydefault_views.properties. Edit its contents, changing every "default" in the view paths to "mydefault". Then open cas.properties under the WEB-INF directory of cas and change the value of cas.viewResolver.basename to mydefault_views:

cas.viewResolver.basename=mydefault_views

To modify the login page, simply edit casLoginView.jsp in the new directory.

Section 5: Single sign-off configuration

Step 1: Configure single sign-on listeners and filters

1. In the sso1 and sso2 projects under Tomcat, add the following code to web.xml:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note: This code should be placed at the top of the other filters in the web.xml file.

2. Add the following link to the index.jsp pages of sso1 and sso2:

<a href="http://jeesz.cn:8080/logout" target="_blank">single sign-out</a>

3. Restart Tomcat, visit http://jeesz.cn:8080/ and click the single sign-out link. If it succeeds, the following page appears:

Generally, logging out should return the user to the login page of the original project, so CAS needs the following configuration:

  1. Modify the server's cas-servlet.xml (apache-tomcat-7.0.40\cas\ROOT\WEB-INF) and find

Add the attribute p:followServiceRedirects="true".

  2. Change the logout link in the index.jsp of sso1 and sso2 to pass the service to return to:

sso1: http://jeesz.cn:8080/logout?service=http://www.sso1.com:8080

sso2: http://jeesz.cn:8080/logout?service=http://www.sso2.com:8080

Restart Tomcat and test; logout now returns to the project's login page.

Section 6: Multi-project integration single sign-on configuration

Step 1: Single sign-on system integration with other projects

In the web.xml file in the WEB-INF directory of your Web project, add the following configuration (here the project is reached as www.sso3.com:6060):

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso3.com:6060</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso3.com:6060</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

When SSO authentication is complete and the client system needs to receive the result returned by the SSO system, define a filter that obtains and processes the returned result. It runs after AssertionThreadLocalFilter, which is what makes the CAS assertion available through AssertionHolder.

Note: If no processing is required, this filter can be omitted.

package com.common.web.filter;

import java.io.IOException;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.util.AssertionHolder;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import com.common.base.pbi.CommonConstants;
import com.common.base.util.DateUtil;
import com.common.base.util.IDUtil;
import com.common.base.util.IPUtil;
import com.common.base.util.UserUtil;
import com.common.core.busi.historylogin.manager.HistoryLoginManager;
import com.common.core.busi.login.manager.LoginManager;
import com.common.entity.common.AbstractEntity;
import com.common.entity.historylogin.HistoryLoginEntity;
import com.common.entity.user.UserEntity;

/**
 * When the SSO system has logged the user in, the system receives the login userID
 * and establishes a session based on that userID.
 *
 * @ClassName: SessionFilter
 * @description: TODO(one-sentence description of what this class does)
 * @author jeesz
 * @date 2015-10-01
 */
public class SSO4InvokeContextFilter implements Filter {

    private static final Log log = LogFactory.getLog(SSO4InvokeContextFilter.class);

    private WebApplicationContext applicationContext;

    public SSO4InvokeContextFilter() {
        super();
    }

    /**
     * Triggered when the filter is taken out of service.
     */
    @Override
    public void destroy() {
        // Do nothing for the time being.
    }

    /**
     * Obtain user information based on the user ID and put it into the HTTP session.
     *
     * @Title: doFilter
     * @description: TODO(one-sentence description of what this method does)
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();

        // Get the login user from the session; only the first request after CAS login does the lookup.
        Object userObject = session.getAttribute(CommonConstants.USER_INFO_SESSION);
        if (userObject == null) {
            // Get the user name asserted by CAS (AssertionThreadLocalFilter must run before this filter).
            String userName = AssertionHolder.getAssertion().getPrincipal().getName();

            // Query user information by user name and add it to the session.
            LoginManager loginManager = applicationContext.getBean(LoginManager.class);
            UserEntity userEntity = loginManager.loginByUserName(userName);
            if (userEntity == null) {
                // Defensive check: the CAS principal has no matching local user, so do not build a session for it.
                log.warn("UserName:[" + userName + "] authenticated by CAS but not found in the local user table.");
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            session.setAttribute(CommonConstants.USER_INFO_SESSION, userEntity);
            session.setAttribute(CommonConstants.IS_SYSTEM_ADMIN, userEntity.getUserType() == 1);
            UserUtil.setLoginUserInfo(userEntity);
            log.info("UserName:[" + userName + "] login succeeds. The client IP address is ["
                    + IPUtil.getIpAddr(request) + "]. [" + DateUtil.dateToString(new Date()) + "]");

            // Add a login history record.
            HistoryLoginEntity historyLoginEntity = new HistoryLoginEntity();
            historyLoginEntity.setUserId(userName);
            historyLoginEntity.setHid(IDUtil.generateId());
            historyLoginEntity.setLoginCount("1");
            setCommonValue(request, historyLoginEntity);
            boolean hlBol = applicationContext.getBean(HistoryLoginManager.class).addLoginRecord(historyLoginEntity);
            log.debug("Login history [" + (hlBol ? "success" : "failure") + "].");
        }
        chain.doFilter(request, response);
    }

    /**
     * Set the common audit properties (creator, modifier, creation and modification dates).
     *
     * @Title: setCommonValue
     * @description: TODO(one-sentence description of what this method does)
     */
    private void setCommonValue(HttpServletRequest request, AbstractEntity entity) {
        if (request != null) {
            // Get the current user from the session (set in doFilter above).
            UserEntity userEntity = (UserEntity) request.getSession().getAttribute(CommonConstants.USER_INFO_SESSION);
            if (entity != null && userEntity != null) {
                String currUser = userEntity.getUserId();
                // Set the creator, creation date, modifier, and modification time.
                entity.setCreatedBy(currUser);
                entity.setModifiedBy(currUser);
                entity.setCreationDate(DateUtil.getNowDate());
                entity.setModifiedDate(DateUtil.getNowDate());
            }
        }
    }

    /**
     * Initialize the Spring context.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.applicationContext = WebApplicationContextUtils.getWebApplicationContext(filterConfig.getServletContext());
    }
}
