
JEESZ distributed Framework-- single sign-on Integration Scheme

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--


Section 1: introduction to single sign-on

Step 1: learn about single sign-on

The main features of SSO are that the participating applications talk to the SSO authority over a Web protocol (such as HTTPS), and that there is only one login entry point.

There are three roles in the SSO system:

1) User (multiple)

2) Web applications (multiple)

3) SSO Certification Authority (one)

The SSO implementation includes the following three principles:

1) All logins are carried out at the SSO certification authority.

2) The SSO certification authority uses some mechanism to tell each Web application whether the current visitor is an authenticated user or not.

3) A trust relationship is established between the SSO certification authority and all Web applications.

The basic principle of CAS

CAS (Central Authentication Service) is an open source Java project launched by Yale University to build Web SSO.

1. CAS terminology:

SSO - Single Sign On

TGT - Ticket Granting Ticket: the user's authentication credential

ST - Service Ticket: the credential that grants access to one service

TGC - Ticket Granting Cookie: the cookie that stores the user's authentication credential (the TGT)

Step 2: understand the single sign-on architecture

1) CAS Server is responsible for authenticating user information and must be deployed separately. CAS Server handles the user name / password and other credentials (Credentials).

2) CAS Client is deployed with each Web application. When a request for a protected resource of the local Web application arrives and the requester has not been authenticated, the client redirects the request to CAS Server for authentication.
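As an added illustration (not code from this page, from JEESZ or from the CAS project), the following Python model shows the three roles and the ticket types defined above working together: the CAS authority performs the only login (principle 1), hands the browser a TGT (the value carried in the TGC cookie), issues a short-lived, single-use Service Ticket bound to one registered Web application, and answers the application's validation query (principle 2) only for applications on its trust list (principle 3). The user table, the service list and the TTL values are constructed for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed credential table for the demo; the page's bare CAS server
# instead accepts any login whose user name equals the password.
USERS: Dict[str, str] = {"alice": "alice-secret", "bob": "bob-secret"}


@dataclass
class Ticket:
    user: str
    issued_at: float
    service: Optional[str] = None  # only Service Tickets are bound to a service


class CasServer:
    """Model of the SSO certification authority (CAS Server).

    TGT: proves the user logged in here; its id travels in the TGC cookie.
    ST:  one-time credential for a single Web application (service).
    """

    TGT_TTL = 8 * 3600  # seconds; CAS 3.x defaults to an 8-hour TGT
    ST_TTL = 10         # seconds; CAS 3.x defaults to a 10-second ST

    def __init__(self, trusted_services: Iterable[str],
                 clock: Callable[[], float] = time.time) -> None:
        # Principle 3: only registered applications are trusted.
        self.trusted_services = set(trusted_services)
        self.clock = clock
        self.tgts: Dict[str, Ticket] = {}
        self.sts: Dict[str, Ticket] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Principle 1: every login happens at the authority. Returns the TGT id
        (the TGC cookie value) or None when the credentials are wrong."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = Ticket(user=username, issued_at=self.clock())
        return tgt

    def grant_service_ticket(self, tgt: str, service: str) -> Optional[str]:
        """The browser presents its TGC while being redirected to CAS for `service`;
        CAS answers with an ST appended to the redirect back to that service."""
        rec = self.tgts.get(tgt)
        if rec is None or self.clock() - rec.issued_at > self.TGT_TTL:
            self.tgts.pop(tgt, None)  # expired TGTs are discarded
            return None
        if service not in self.trusted_services:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = Ticket(user=rec.user, issued_at=self.clock(), service=service)
        return st

    def service_validate(self, st: str, service: str) -> Optional[str]:
        """Principle 2: the Web application asks CAS whether `st` is good for it.
        The ST is consumed on the first attempt, must not be expired, and must
        have been issued for exactly this service."""
        rec = self.sts.pop(st, None)
        if rec is None or rec.service != service:
            return None
        if self.clock() - rec.issued_at > self.ST_TTL:
            return None
        return rec.user


def demo() -> Dict[str, Optional[str]]:
    """Walk through one login and each check the authority enforces."""
    now = [1_000.0]  # controllable clock so the expiry path is reproducible
    cas = CasServer(["http://www.sso1.com", "http://www.sso2.com"], clock=lambda: now[0])
    out: Dict[str, Optional[str]] = {}
    out["bad_password"] = cas.login("alice", "wrong")
    tgt = cas.login("alice", "alice-secret")
    st = cas.grant_service_ticket(tgt, "http://www.sso1.com")
    out["first_validation"] = cas.service_validate(st, "http://www.sso1.com")
    out["replayed_ticket"] = cas.service_validate(st, "http://www.sso1.com")
    st2 = cas.grant_service_ticket(tgt, "http://www.sso1.com")
    out["wrong_service"] = cas.service_validate(st2, "http://www.sso2.com")
    out["unregistered_service"] = cas.grant_service_ticket(tgt, "http://unregistered.example")
    st3 = cas.grant_service_ticket(tgt, "http://www.sso2.com")
    now[0] += CasServer.ST_TTL + 1
    out["expired_ticket"] = cas.service_validate(st3, "http://www.sso2.com")
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} -> {result}")
```

The service check is what stops a ticket issued for www.sso1.com from being presented to www.sso2.com, and consuming the ticket on its first validation is why an ST that leaks from a URL or a log is worthless once the legitimate client has validated it; only the TGC cookie is long-lived, which is why it needs the Secure and HttpOnly flags in a real deployment.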

Step 3: prepare for the single sign-on environment

1) cas-server-3.5.0-release.zip (CAS server)

2) cas-client-3.3.3-release.zip (CAS client)

3) apache-tomcat-7.0.40

4) cas-client-core-3.2.1.jar

5) cas-server-core-3.5.0.jar

6) cas-server-support-jdbc-3.5.0.jar

Section 2: construction and deployment of single sign-on environment

Step 1: environment deployment

1. Generate the certificate in three steps with the Java JDK

The certificate is essential to this single sign-on setup: it is the credential for secure communication between the server and the clients. This tutorial is only a demonstration, so it uses the keytool certificate generation tool that ships with the JDK throughout.

In an actual project you can of course buy a certificate from a dedicated certificate authority.

Official Chinese website: http://www.verisign.com/cn/

Generate a certificate using the keytool that comes with the JDK

Step 1: generate the certificate:

keytool -genkey -alias mycacerts -keyalg RSA -keystore C:/common/keys/keycard

Note: enter the requested information to generate the certificate. For "first and last name" (the certificate's CN) it is best to enter your domain name. If you only want to test, you can map a virtual domain name in the C:\Windows\System32\drivers\etc\hosts file.

Be careful not to enter an IP address.

Step 2: export the certificate:

keytool -export -file C:/common/keys/keycard.crt -alias mycacerts -keystore C:/common/keys/keycard

Step 3: import the certificate into the JDK installation directory's trust store:

keytool -import -keystore "C:/Program Files/Java/jdk1.6.0_32/jre/lib/security/cacerts" -file C:/common/keys/keycard.crt -alias mycacerts

2. Extract the cas-server-3.5.0-release.zip file

Locate the cas-server-webapp-3.5.0.war file in the cas-server-3.5.0-release\cas-server-3.5.0\modules directory, rename it cas.war, and copy it to the webapps directory under the Tomcat root directory.

As shown below:

3. Modify the hosts file (C:\Windows\System32\drivers\etc\hosts) and add the following line:

127.0.0.1 jeesz.cn (configure your own domain name)

Note: if you want to simulate this single sign-on on one PC, you must redirect the domain name. If you have more than one PC, you need not configure this item; wherever the following article uses jeesz.cn, it can be replaced by the IP of the corresponding PC.

4. Modify server.xml under the Tomcat directory (apache-tomcat-7.0.40\conf\server.xml) by adding the following:

In the server.xml file, modify the HTTPS connector so that its ciphers attribute reads as follows:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

/>

5. Start the Tomcat service and check its output (if an error is reported, use the message to locate it). Open a browser and enter http://jeesz.cn:8080/cas. If the following interface appears, the CAS server is configured correctly.

Note: this is the simplest CAS service: as long as the user name entered equals the password, the login succeeds. In real development this check is made against a database, so next we configure database validation.

Step 2: configure database validation

1. Locate the deployerConfigContext.xml file in the apache-tomcat-7.0.2\webapps\cas\WEB-INF directory and find the following code:

Add the following code:

2. Add the data source dataSource

Find it in deployerConfigContext.xml (the same file as above)

Add the following code below it, with these data source values:

driver class: com.mysql.jdbc.Driver

URL: jdbc:mysql://127.0.0.1:3306/sso

user name: root

3. Add the user table and its data to the database (MySQL is used here), for example the t_user table in the MySQL database.

4. Add the jar packages: copy cas-client-core-3.2.1.jar, cas-server-core-3.5.0.jar and cas-server-support-jdbc-3.5.0.jar to the apache-tomcat-7.0.2\webapps\cas\WEB-INF\lib directory.

5. Restart Tomcat, open the browser, enter http://jeesz.cn:8080/, and enter a user name and password from the database. If the following interface appears, the configuration is successful.
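To show what the database validation configured above actually does, here is an added Python model of a query-database authentication handler (example code, not CAS's own JDBC handler and not part of this page). It assumes a t_user table with username and password columns and an in-memory SQLite database standing in for the MySQL sso database; the column names, the stored-digest format and the sample users are constructed for the demo. Two points matter for a practitioner: the user name is bound as a query parameter rather than pasted into the SQL, and the table holds a salted PBKDF2 digest, so the handler recomputes the digest and compares it in constant time instead of comparing plaintext.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a salted PBKDF2-SHA256 digest to store instead of the plaintext."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Digest of a throwaway value, used only to keep timing equal for unknown users.
DUMMY_HASH = hash_password("not-a-real-password")


class QueryDatabaseAuthenticationHandler:
    """Model of a query-database handler: look the user up, then verify.

    The user name is bound as a query parameter, never concatenated into the
    SQL, so whatever is typed at the login form cannot change the lookup.
    """

    SQL = "SELECT password FROM t_user WHERE username = ?"

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def authenticate(self, username: str, password: str) -> bool:
        row = self.conn.execute(self.SQL, (username,)).fetchone()
        if row is None:
            verify_password(password, DUMMY_HASH)  # same cost as a real miss
            return False
        return verify_password(password, row[0])


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory t_user table standing in for the MySQL sso database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_user ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT UNIQUE NOT NULL,"
        " password TEXT NOT NULL)"
    )
    for name, pw in (("admin", "admin123"), ("jeesz", "jeesz-pass")):
        conn.execute("INSERT INTO t_user (username, password) VALUES (?, ?)",
                     (name, hash_password(pw)))
    conn.commit()
    return conn


def run_checks() -> Dict[str, bool]:
    """Exercise the handler on the outcomes a login form can produce."""
    handler = QueryDatabaseAuthenticationHandler(build_demo_db())
    return {
        "correct": handler.authenticate("admin", "admin123"),
        "wrong_password": handler.authenticate("admin", "admin124"),
        "unknown_user": handler.authenticate("nobody", "admin123"),
        # A user name containing SQL syntax is just a string that matches no row.
        "sql_in_username": handler.authenticate("admin' OR '1'='1", "x"),
    }


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{check:16s} -> {ok}")
```

If the existing t_user rows hold plaintext passwords, the migration path is to hash each row once with hash_password and switch the handler to verify_password; the SQL itself does not change.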

Now that our CAS server is configured, let's configure the client.

Section 3: configure your own Web project (client)

1. In the hosts file, add the following lines:

127.0.0.1 www.sso1.com

127.0.0.1 www.sso2.com

Note: these URLs had better not be domain names that already exist on the Internet, otherwise you will not be able to reach those real addresses.

If you want to simulate this single sign-on on one PC, you must redirect the domain names. If you have more than one PC, you need not configure this item; wherever the following article uses www.sso1.com and www.sso2.com, they can be replaced by the IP of the corresponding PC.

2. Create sso1 and sso2 directories under the Tomcat root, as follows:

(2) Two new web projects, sso1 and sso2, are created in Eclipse.

3. Add cas-client-core.jar and commons-logging-1.1.jar to your Web projects (extract cas-client-3.2.0-release.zip and find the JAR packages in cas-client-3.2.0-release\cas-client-3.2.0\modules).

Add them to the lib directory of the sso1 and sso2 projects respectively.

4. Modify the web.xml under sso1. Add the following code:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso1.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.core.busi.other.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

5. Modify the web.xml under sso2. Add the following code:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://jeesz.cn:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://jeesz.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.sso2.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
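What the CASValidationFilter, CASFilter and CASHttpServletRequestWrapperFilter entries above do at request time is easier to see in a small model, so here is an added Python version of that filter chain (example code, not the Jasig client library and not part of this page). It uses the sso1 values from the web.xml (casServerLoginUrl, serverName) and honours useSession, redirectAfterValidation and exceptionOnValidationFailure as configured; the CAS validation call is replaced by a constructed lookup table, and the Request/Response types and sample ticket are assumptions for the demo. The session attribute name mirrors the one the Jasig client stores its assertion under.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

# Values from the sso1 web.xml above; serverName is different for sso2.
CAS_SERVER_LOGIN_URL = "https://jeesz.cn:8443/cas/login"
SERVER_NAME = "http://www.sso1.com"
# Session attribute the Jasig client uses for the validated assertion.
CAS_ASSERTION = "_const_cas_assertion_"

Validator = Callable[[str, str], Optional[str]]  # (ticket, service) -> user


@dataclass
class Request:
    path: str
    query: Dict[str, str]
    session: Dict[str, str]             # shared by requests from one browser
    remote_user: Optional[str] = None   # filled in by the wrapper filter


@dataclass
class Response:
    status: int = 200
    redirect: Optional[str] = None
    body: str = ""


def service_url(req: Request) -> str:
    """serverName + request URI with the ticket parameter removed. The same
    value is sent to CAS at login and at validation, so the two must match."""
    rest = {k: v for k, v in req.query.items() if k != "ticket"}
    return SERVER_NAME + req.path + ("?" + urlencode(rest) if rest else "")


def validation_filter(req: Request, validate: Validator) -> Optional[Response]:
    """Cas20ProxyReceivingTicketValidationFilter: when a ticket arrives, ask CAS
    about it, keep the assertion in the session (useSession=true) and redirect
    to the ticket-free URL (redirectAfterValidation=true)."""
    ticket = req.query.get("ticket")
    if ticket is None:
        return None
    user = validate(ticket, service_url(req))
    if user is None:
        # exceptionOnValidationFailure=false: deny the request without raising
        return Response(status=403, body="ticket validation failed")
    req.session[CAS_ASSERTION] = user
    return Response(status=302, redirect=service_url(req))


def authentication_filter(req: Request) -> Optional[Response]:
    """AuthenticationFilter: with no assertion in the session the visitor is
    sent to casServerLoginUrl, carrying the service to come back to."""
    if CAS_ASSERTION in req.session:
        return None
    query = urlencode({"service": service_url(req)})
    return Response(status=302, redirect=f"{CAS_SERVER_LOGIN_URL}?{query}")


def request_wrapper_filter(req: Request) -> Optional[Response]:
    """HttpServletRequestWrapperFilter: expose the asserted user as the remote user."""
    req.remote_user = req.session.get(CAS_ASSERTION)
    return None


def handle(req: Request, validate: Validator,
           app: Callable[[Request], Response]) -> Response:
    """Run the filters in the mapping order of the web.xml above, then the page."""
    chain = (lambda r: validation_filter(r, validate),
             authentication_filter,
             request_wrapper_filter)
    for flt in chain:
        resp = flt(req)
        if resp is not None:
            return resp
    return app(req)


# Constructed stand-in for the CAS /serviceValidate call: ticket -> (service, user).
ISSUED_TICKETS = {"ST-demo-1": ("http://www.sso1.com/index.jsp", "admin")}


def stub_validate(ticket: str, service: str) -> Optional[str]:
    issued = ISSUED_TICKETS.get(ticket)
    return issued[1] if issued and issued[0] == service else None


def index_jsp(req: Request) -> Response:
    return Response(body=f"Hello, I am the sso1 page: {req.remote_user}")


def browse() -> List[Response]:
    """Three requests from one browser: first visit, return with ticket, revisit."""
    session: Dict[str, str] = {}
    steps = [Request("/index.jsp", {}, session),
             Request("/index.jsp", {"ticket": "ST-demo-1"}, session),
             Request("/index.jsp", {}, session)]
    return [handle(r, stub_validate, index_jsp) for r in steps]
```

The first request is bounced to CAS with service=http://www.sso1.com/index.jsp, the second (carrying the ST that CAS appended) is validated and redirected to the clean URL, and the third is served with the remote user filled in; a ticket presented for a different path fails validation because the service string no longer matches the one it was issued for.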

6. Edit the index.jsp page of sso1 and sso2 and copy in the following code:

Sso1 index.jsp:

This is www.sso1.com.

Hello, I am the sso1 page:

Sso2 index.jsp:

This is www.sso2.com.

Hello, I am the sso2 page:

7. Publish to the Tomcat server through Eclipse. Find the sso1 and sso2 folders under Tomcat\webapps and copy all the files under them. Then find the sso1 and sso2 directories under the Tomcat root (the directories created in the previous step), create a new ROOT directory under each, and paste the copied files there.

Configure the server.xml file under Tomcat and add the following code:

8. Restart Tomcat, open the browser, enter the URL www.sso1.com:8080, and enter the user name and password. If the following information appears, it succeeded.

If typing www.sso1.com:8080 into the browser just sends you back to the login page, don't worry. Open ticketGrantingTicketCookieGenerator.xml under apache-tomcat-7.0.40\cas\ROOT\WEB-INF\spring-configuration, find cookieSecure="true", change it to "false", restart Tomcat and test again. (cookieSecure controls the Secure flag on the TGC cookie; with it set to false the browser also sends that cookie over plain HTTP, which is what this http://...:8080 test relies on, so it is a test-only setting.)

Note: in the previous step only a user name was returned; that is what the CAS server returns by default.

Friends who are willing to understand the framework technology or source code directly ask (Penguin): 2042849237

For more details, source code reference: http:// × × / technology
