Note: this document is only a basic reference; readers who want to learn more about the topic are welcome to consult it at any time.

Section 1: Introduction to single sign-on

Step 1: Understand single sign-on

The main features of SSO are as follows: SSO applications communicate over Web protocols (such as HTTPS), and there is only one login portal for all of them.

There are three roles in an SSO system:

  1. Users (multiple)

  2. Web applications (multiple)

  3. SSO authentication center (one)

An SSO implementation follows three principles:

  1. All logins are performed at the SSO authentication center.

  2. The SSO authentication center has several ways to tell a Web application whether the user currently accessing it is an authenticated user.

  3. The SSO authentication center establishes a trust relationship with every Web application.

The Central Authentication Service (CAS) is a Java open source project initiated by Yale University to build Web SSO.

1. CAS terms:

SSO - Single Sign On

TGT - Ticket Granting Ticket: the ticket that represents the user's authenticated identity

ST - Service Ticket: the ticket that grants access to one service

TGC - Ticket Granting Cookie: the cookie in which the browser stores the user's identity credential (the TGT)

Step 2: Understand the single sign-on architecture

1) The CAS Server authenticates user information. Deployed independently, it is the only component that handles the user's credentials, such as user name and password.

2) The CAS Client is deployed with each Web application (the client side). When a request for a protected resource of the local Web application needs authentication, the request is redirected to the CAS Server, which performs the authentication.
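As an added illustration of the three roles and the ticket vocabulary above (this is not code from the original tutorial or from the CAS project), the following Python model walks one browser through two Web applications and one CAS server. The host name jeesz.cn, the cookie name CASTGC, the /cas/login URL and the account alice/s3cret are assumptions made for the example. The three rules it enforces are the ones the CAS design relies on: only the authentication center ever sees the password, a service ticket is bound to the service it was issued for, and a service ticket can be validated only once.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
CAS_HOST = "jeesz.cn"   # host the tutorial maps in the hosts file (assumed CAS server host)
TGC_NAME = "CASTGC"     # cookie name assumed for the Ticket Granting Cookie

class CasServer:
    """Stand-in for the CAS Server: owns the credentials, the TGTs and the STs."""
    def __init__(self, credentials):
        self._credentials = credentials   # username -> password, constructed test data
        self._tgts = {}                   # TGT -> username
        self._sts = {}                    # ST  -> (username, service URL it was issued for)

    def login(self, username, password):  # primary authentication at the SSO center
        if self._credentials.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = username        # the TGT is what the TGC cookie carries
        return tgt

    def issue_service_ticket(self, tgt, service):  # valid TGT -> one-time ST for one service
        if tgt not in self._tgts:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (self._tgts[tgt], service)
        return st

    def service_validate(self, st, service):  # back-channel check by the CAS client
        entry = self._sts.pop(st, None)   # pop: an ST validates at most once
        if entry is None or entry[1] != service:
            return None
        return entry[0]

class Browser:
    """Cookie jar keyed by host: the TGC is only ever presented to CAS_HOST."""
    def __init__(self):
        self.cookies = {}

    def get(self, host, name):
        return self.cookies.get(host, {}).get(name)

    def put(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

class WebApp:
    """Stand-in for one Web application fronted by the CAS client filter."""
    def __init__(self, host, cas):
        self.host, self.cas = host, cas
        self.service = f"http://{host}/"
        self._sessions = {}               # local session id -> username

    def request(self, browser, ticket=None):
        """Return ('ok', user), ('redirect', cas_login_url) or ('forbidden', None)."""
        user = self._sessions.get(browser.get(self.host, "JSESSIONID"))
        if user:
            return "ok", user
        if ticket is None:                # no local session: send to CAS with ?service=
            return "redirect", f"https://{CAS_HOST}:8443/cas/login?" + urlencode({"service": self.service})
        user = self.cas.service_validate(ticket, self.service)
        if user is None:
            return "forbidden", None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        browser.put(self.host, "JSESSIONID", sid)
        return "ok", user

def visit(browser, app, cas, credentials=None):
    """Walk one access to a protected page; return the logged-in user or None."""
    status, payload = app.request(browser)
    if status == "ok":
        return payload
    service = parse_qs(urlparse(payload).query)["service"][0]
    tgt = browser.get(CAS_HOST, TGC_NAME)
    if tgt is None:                       # no TGC yet: CAS shows its login form
        if credentials is None:
            return None
        tgt = cas.login(*credentials)
        if tgt is None:
            return None
        browser.put(CAS_HOST, TGC_NAME, tgt)
    st = cas.issue_service_ticket(tgt, service)
    status, payload = app.request(browser, ticket=st)
    return payload if status == "ok" else None

def demo():
    """Two apps, one CAS server: log in once, reuse the TGC, then probe the ST rules."""
    cas = CasServer({"alice": "s3cret"})  # constructed test account
    sso1, sso2, browser = WebApp("www.sso1.com", cas), WebApp("www.sso2.com", cas), Browser()
    out = {"anonymous": visit(browser, sso1, cas),
           "bad_password": visit(browser, sso1, cas, ("alice", "wrong")),
           "sso1_login": visit(browser, sso1, cas, ("alice", "s3cret")),
           "sso2_no_prompt": visit(browser, sso2, cas)}   # TGC present: no password asked
    tgt = browser.get(CAS_HOST, TGC_NAME)
    st = cas.issue_service_ticket(tgt, sso1.service)
    out["st_wrong_service"] = cas.service_validate(st, sso2.service)
    st = cas.issue_service_ticket(tgt, sso1.service)
    out["st_first_use"] = cas.service_validate(st, sso1.service)
    out["st_replay"] = cas.service_validate(st, sso1.service)
    return out
```

Calling demo() returns a dictionary: the first anonymous visit is refused, the login at www.sso1.com succeeds, the visit to www.sso2.com succeeds without a password prompt because the browser presents the TGC to the CAS host and gets a fresh ST, and the two misuse checks (an ST presented to a different service, and an ST validated a second time) both come back None.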

Step 3: Single sign-on environment preparation

1) cas-server-3.5.0-release.zip (CAS server)

2) cas-client-3.3.3-release.zip (CAS client)

3) apache-tomcat-7.0.40

4) cas-client-core-3.2.1.jar

5) cas-server-core-3.5.0.jar

6) cas-server-support-jdbc-3.5.0.jar

Section 2: Single sign-on environment setup and deployment

Step 1: Environment deployment

1. Generate a certificate with the Java JDK (three steps)

The certificate is essential for this single sign-on setup: it is what secures the communication between the server and the client. Because this tutorial is only a demonstration, every certificate is generated with the JDK's own certificate tool, keytool.

In a real project you would instead buy a certificate from a certificate authority (CA).

Use the keytool shipped with the JDK to generate the certificate.

Step 1 Generate the key pair and self-signed certificate:

keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard

Note: enter the requested information to generate the certificate. For the "first and last name" field it is best to enter your domain name; for a local test you can map a virtual domain name in C:\Windows\System32\drivers\etc\hosts. Do not enter an IP address.

Step 2 Export the certificate:

keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard

Step 3 Import the certificate into the JDK's trust store (cacerts), so that the JVM running the CAS client trusts the CAS server's certificate:

keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts

keytool prompts for the trust-store password; the default password of the JDK's cacerts file is changeit.

2. Unzip cas-server-3.5.0-release.zip. In cas-server-3.5.0-release\cas-server-3.5.0\modules, find cas-server-webapp-3.5.0.war, rename it to cas.war, and copy it to the webapps directory under the Tomcat root directory.

The diagram below:

3. Add the following entry to the hosts file (C:\Windows\System32\drivers\etc\hosts):

127.0.0.1 jeesz.cn (use your own domain name)

Note: to simulate single sign-on on a single PC you must use this domain-name mapping. To simulate it across multiple PCs the entry is not needed. The same mapping works for fast-web.cn.

4. Modify server.xml in the Tomcat installation (apache-tomcat-7.0.40\conf\server.xml). Find the (commented-out) SSL connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

Change it to the following, uncommenting it and pointing keystoreFile and keystorePass at the keystore generated in step 1:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="C:/common/keys/keycard"
           keystorePass="xxxxxx"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
/>

5. Start the Tomcat service and check the startup output (if an error occurs, use it to locate the problem). Open a browser and go to http://jeesz.cn:8080/cas.

Note: this is the simplest possible CAS service. With the default configuration, any login whose user name and password are identical succeeds. In real development the credentials are checked against a database, so database verification is configured next.

Step 2: Configure database authentication

1. In apache-tomcat-7.0.2\webapps\cas\WEB-INF, open deployerConfigContext.xml, find the authentication handler configuration, and add the JDBC query handler configuration there. Its query reads from the user table:

SQL> select * from user;

2. Add the dataSource bean in the same deployerConfigContext.xml, below the code added above, with these values:

driverClassName: com.mysql.jdbc.Driver

url: jdbc:mysql://127.0.0.1:3306/sso (change to your own database URL)

username: root (change to your own database user name)

password: (your own database password)

3. In MySQL, create the user table t_user.

4. Copy the JDBC driver jar, cas-server-core-3.5.0.jar and cas-server-support-jdbc-3.5.0.jar to apache-tomcat-7.0.2\webapps\cas\WEB-INF\lib.

5. Restart Tomcat, open the browser, go to http://jeesz.cn:8080/ and log in with a database user name and password. If the following page is displayed, the configuration succeeded.
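The note after step 5 of the environment deployment (any login whose password equals the user name succeeds) and the database handler configured here differ only in how the credential is checked. The following Python code, added here and not taken from the tutorial or from CAS, puts the two checks side by side. It uses an in-memory SQLite table named t_user as a stand-in for the MySQL sso database; the SHA-256 password encoder, the column names and the accounts alice/s3cret and bob/bob are assumptions made for the example.

```python
import hashlib
import hmac
import sqlite3


def simple_test_handler(username, password):
    """The out-of-the-box CAS 3.x check: accept any login whose password equals
    the user name. Fine for a smoke test, fatal if left in a real deployment."""
    return username == password


def encode_password(plain):
    """Password encoder applied both when a user is stored and when a login is
    checked. SHA-256 hex is an assumption here; a real deployment uses whatever
    encoder it configures, and new systems should prefer a salted, slow KDF."""
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


def make_user_db():
    """Constructed in-memory stand-in for the tutorial's MySQL `sso` database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (username text primary key, password text)")
    conn.executemany(
        "insert into t_user (username, password) values (?, ?)",
        [("alice", encode_password("s3cret")), ("bob", encode_password("bob"))],
    )
    conn.commit()
    return conn


def query_database_handler(conn, username, password):
    """What a JDBC query handler does: one parameterised SELECT for the stored
    (encoded) password, then a constant-time comparison with the encoded input."""
    row = conn.execute(
        "select password from t_user where username = ?", (username,)
    ).fetchone()
    if row is None:
        return False                      # unknown user: same answer as a bad password
    return hmac.compare_digest(row[0], encode_password(password))
```

With the test handler, carol/carol is accepted although no such account exists anywhere; with the database handler only the rows in t_user decide, and bob/bob succeeds only because that is the password actually stored for bob, not because the two strings match.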

Now that our CAS server is configured, let’s configure the client

Section 3: Configuring your own Web project (client)

1. Add the following entries to the hosts file:

127.0.0.1 www.sso1.com

127.0.0.1 www.sso2.com

Note: it is best not to use a domain name that already exists on the Internet, otherwise you will no longer be able to reach the real address.

To simulate single sign-on (SSO) on a single PC you must use this domain-name mapping. To simulate SSO across multiple PCs the mapping is not needed; you can use the IP addresses of the respective PCs instead.

1. Create the sso1 and sso2 directories in the Tomcat root directory, for example:

2. Create two Web projects in Eclipse, named sso1 and sso2.

3. Add cas-client-core.jar and commons-logging-1.1.jar to the lib directory of the sso1 and sso2 projects respectively. (Unzip cas-client-3.2.0-release.zip; the JAR packages are in cas-client-3.2.0-release\cas-client-3.2.0\modules.)


The complete project source code is available for those who want to study the related technology together; to obtain the source, please add: 2670716182