How to analyze the solution of JEESZ-SSO

2025-02-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many people with little experience are at a loss when asked to analyze the JEESZ-SSO solution. This article therefore walks through the single sign-on design behind it and the steps needed to set it up, so that you can solve the problem yourself.

Section 1: introduction to single sign-on

Step 1: learn about single sign-on

The main features of SSO are: a Web protocol (such as HTTPS) is used between the SSO applications, and there is only one login entry.

There are three roles in the SSO system:

1) User (multiple)

2) Web applications (multiple)

3) SSO Certification Authority (one)

The SSO implementation includes the following three principles:

1) All logins are carried out at the SSO Certification Authority.

2) The SSO Certification Authority uses some mechanism to tell each Web application whether the user currently visiting is an authenticated user or not.

3) A trust relationship is established between the SSO Certification Authority and all Web applications.

The basic principle of CAS

CAS (Central Authentication Service) is an open source Java project launched by Yale University to build Web SSO.

1. CAS terminology:

SSO - Single Sign On

TGT - Ticket Granting Ticket, the user's authentication credential ticket

ST - Service Ticket, the service authorization ticket

TGC - Ticket Granting Cookie, the cookie that stores the user's authentication credential

Step 2: understand the single sign-on architecture

1) CAS Server is responsible for authenticating user information and must be deployed separately. CAS Server handles the user name / password and other credentials (Credentials).

2) CAS Client is deployed on the client. When there is a request for access to the protected resources of the local Web application, and the requester needs to be authenticated, redirect to CAS Server for authentication.

Step 3: prepare for the single sign-on environment

1) cas-server-3.5.0-release.zip (CAS server)

2) cas-client-3.3.3-release.zip (CAS client)

3) apache-tomcat-7.0.40

4) cas-client-core-3.2.1.jar

5) cas-server-core-3.5.0.jar

6) cas-server-support-jdbc-3.5.0.jar

Section 2: construction and deployment of single sign-on environment

Step 1: environment deployment

1. Generate the certificate in three steps with the Java JDK

The certificate is essential to this single sign-on setup: it is what secures communication between the server and the clients. This tutorial is only a demonstration, so it uses the keytool certificate generation tool that ships with the JDK throughout.

In a real project you can, of course, buy a certificate from a dedicated certificate authority.

Generate a certificate with the keytool that comes with the JDK

First step, generate the certificate:

    keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard

Note: enter the requested information to generate the certificate. For "first and last name" (the CN) it is best to enter your domain name. If you only want to test locally, you can map a virtual domain name in the C:\Windows\System32\drivers\etc\hosts file.

Do not enter an IP address here.

Second step, export the certificate:

    keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard

Third step, import it into the JDK's trust store (the cacerts file under the JDK installation directory; its default password is changeit):

    keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts

2. Extract the cas-server-3.5.0-release.zip file

Locate the cas-server-webapp-3.5.0.war file in the cas-server-3.5.0-release\ cas-server-3.5.0\ modules directory, rename it cas.war, and copy it to the webapps directory under the Tomcat root directory.


3. Modify the hosts file (C:\Windows\System32\drivers\etc\hosts) by adding the following line:

127.0.0.1 jeesz.cn (configure your own domain name)

Note: if you want to simulate this single sign-on on a single PC, you must map the domain name this way. If you have more than one PC, this item is not required: wherever the rest of this article uses the domain name fast-web.cn, it can be replaced by the IP address of the corresponding PC.

4. Modify server.xml under the Tomcat directory (apache-tomcat-7.0.40\ conf\ server.xml) as follows.

In server.xml, find the commented-out HTTPS connector:

    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Modify it as follows (attribute names are case-sensitive in Tomcat):

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="C:/common/keys/keycard"
               keystorePass="xxxxxx"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

keystorePass is the password you chose when generating the keystore in step 1. Note that the TLS_RSA_* suites in this list offer no forward secrecy; keep them only for clients that cannot negotiate the ECDHE suites.

5. Start the Tomcat service and watch the log output (if an error is reported, use it to locate the problem). Then open a browser and enter jeesz.cn:8080/cas. If the CAS login page appears, the CAS server has been configured successfully.

Note: this is the simplest possible CAS service: as long as the user name entered is the same as the password, you can log in. In real development the credentials are checked against a database, so next we configure database validation.

Step 2: configure database validation

1. Find the deployerConfigContext.xml file in the apache-tomcat-7.0.2\ webapps\ cas\ WEB-INF directory and configure the JDBC authentication handler there; its sql attribute looks up the password in the user table by the CAS login name.

2. Add the data source dataSource

In deployerConfigContext.xml (the same file as above), add a dataSource bean below the handler with the following values:

Driver class: com.mysql.jdbc.Driver

Database URL: jdbc:mysql://127.0.0.1:3306/sso (use your own database URL)

User name: root (use your own database user name)

Password: (use your own database password)
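The two edits above written out as Spring beans. This is an added reconstruction using the standard CAS 3.5 bean classes (the JDBC handler comes from cas-server-support-jdbc-3.5.0.jar), not the article's own file; the t_user column names (username, password) and the passwordEncoder bean are assumptions.

```xml
<!-- deployerConfigContext.xml, inside the existing authenticationManager bean:
     replace SimpleTestUsernamePasswordAuthenticationHandler (the "user name
     equals password" test handler) in the authenticationHandlers list with
     the JDBC handler from cas-server-support-jdbc-3.5.0.jar. -->
<property name="authenticationHandlers">
  <list>
    <!-- keep the existing handler for proxy/callback authentication -->
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
      <property name="httpClient" ref="httpClient" />
    </bean>
    <!-- the sql property looks up the password for the CAS login name in the user table;
         the column names username/password of t_user are assumptions -->
    <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
      <property name="dataSource" ref="dataSource" />
      <property name="sql" value="select password from t_user where username = ?" />
      <!-- assumption, not in the article: hash the submitted password before
           comparing, so t_user holds SHA-256 hex digests instead of plain text -->
      <property name="passwordEncoder">
        <bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
          <constructor-arg value="SHA-256" />
        </bean>
      </property>
    </bean>
  </list>
</property>

<!-- data source referenced above; the values are the ones the article gives -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <!-- use your own database URL -->
  <property name="url" value="jdbc:mysql://127.0.0.1:3306/sso" />
  <!-- use your own database user name -->
  <property name="username" value="root" />
  <!-- use your own database password -->
  <property name="password" value="" />
</bean>
```

Without the passwordEncoder property the handler compares the submitted password directly with the stored column value, which is what the article's plain-text setup does.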

3. Add the user table and data to the database (mysql is used here), for example a t_user table in the mysql database.

4. Add the jar packages: copy cas-client-core-3.2.1.jar, cas-server-core-3.5.0.jar and cas-server-support-jdbc-3.5.0.jar to the apache-tomcat-7.0.2\ webapps\ cas\ WEB-INF\ lib directory.

5. Restart Tomcat, open the browser, enter jeesz.cn:8080/, and log in with a user name and password from the database. If the login succeeds, the configuration is successful.

Now that our CAS server is configured, let's configure the client.

Section 2: configure your own Web project (client)

1. Add the following lines to the hosts file:

127.0.0.1 www.sso1.com

127.0.0.1 www.sso2.com

Note: these host names had better not be domain names that already exist on the Internet, otherwise you will no longer be able to reach the real address.

If you want to simulate this single sign-on on a single PC, you must map the domain names this way. If you have more than one PC, this item is not required: wherever the rest of this article uses www.sso1.com and www.sso2.com, they can be replaced by the IP address of the corresponding PC.

2. Create sso1 and sso2 directories under the Tomcat root.

3. Build two new web projects in eclipse, named sso1 and sso2.

4. Add cas-client-core.jar and commons-logging-1.1.jar to your Web projects (extract cas-client-3.2.0-release.zip and find the JAR packages in cas-client-3.2.0-release\ cas-client-3.2.0\ modules), adding them to the lib directory of the sso1 and sso2 projects respectively.

After reading the above, you should now know how to analyze the JEESZ-SSO solution. Thank you for reading!
