Preface
In our work we come into contact with more and more projects, written in different development languages and deployed on different systems, and every one of them has to maintain its own user authentication. Is there a good way to solve this pain point? There definitely is: the well-known SSO (single sign-on) system. You may have heard the term without knowing what it means, so rather than talk about it, we will build a CAS single sign-on system in practice. Let's begin.
Environment preparation
- jdk1.8
- maven3.x
- centos7.x
- tomcat8.0
HTTPS Certificate
- Generate the keystore (tomcat.keystore). Parameters: -alias: certificate alias (tomcat); -keyalg: key algorithm (RSA); -keystore: target path and file name of the generated keystore; -keypass: private key protection password; -storepass: keystore password
keytool -genkey -alias tomcat -keyalg RSA -keypass 123456 -storepass 123456 -keystore tomcat.keystore -validity 3600
- Export the server.cer certificate
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore tomcat.keystore -storepass 123456
- Import the certificate into the JDK's cacerts truststore. The -storepass value changeit is the default password of cacerts and is unrelated to the password chosen above
keytool -import -trustcacerts -alias tomcat -keystore "/home/jdk1.8.0_171/jre/lib/security/cacerts" -file "/root/software/server.cer" -storepass changeit
- Delete the certificate (if required)
keytool -delete -alias tomcat -keystore "/home/jdk1.8.0_171/jre/lib/security/cacerts" -storepass changeit
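The keytool steps above, run one by one, are easy to get subtly wrong (the interactive prompt for "first and last name" must be answered with the server hostname, and importing into the JDK's global cacerts changes trust for every Java program on the machine). The following script is an added example, not part of the original article: it runs the same four steps non-interactively, writes the trusted certificate into a private truststore instead of cacerts, and verifies the result with keytool -list. It assumes keytool from the JDK is on PATH; the hostname, organisation and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): the keystore workflow as one
# non-interactive script with a verification step at the end.
# Assumptions: keytool (from the JDK) is on PATH; host/organisation/passwords
# below are placeholders. The trust step writes a private truststore in the
# work directory rather than modifying the JDK's global cacerts file.

make_tomcat_keystore() {
  workdir="$1"            # receives tomcat.keystore, server.cer, truststore.jks
  alias="$2"              # certificate alias, "tomcat" in the article
  storepass="$3"          # keystore password (the article uses 123456; use a strong one)
  host="${4:-localhost}"  # CN must match the name users type into the browser

  # 1. Generate the key pair and self-signed certificate. -dname answers the
  #    prompts keytool would otherwise ask interactively.
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
    -keypass "$storepass" -storepass "$storepass" \
    -keystore "$workdir/tomcat.keystore" -validity 3600 \
    -dname "CN=$host, OU=cas, O=example, C=CN" || return 1

  # 2. Export the certificate so clients can be told to trust it.
  keytool -exportcert -alias "$alias" -file "$workdir/server.cer" \
    -keystore "$workdir/tomcat.keystore" -storepass "$storepass" || return 1

  # 3. Import it into a truststore. The JDK's own cacerts uses the default
  #    password changeit; here a private truststore.jks is created instead.
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$workdir/truststore.jks" -file "$workdir/server.cer" \
    -storepass changeit || return 1

  # 4. Verify: the alias must now be listed as an entry of the truststore
  #    (keytool -list prints "alias, date, trustedCertEntry, ...").
  keytool -list -keystore "$workdir/truststore.jks" -storepass changeit \
    | grep -q "^$alias,"
}

# Stand-alone run: build everything in a temporary directory.
if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d)
  make_tomcat_keystore "$dir" tomcat 'ChangeMe-Strong-Password' "$(hostname)" \
    && echo "keystore, certificate and truststore written to $dir"
fi
```

Run it as `sh make-keystore.sh run`. If Tomcat must trust the certificate through the JDK (for example because the CAS client runs in the same JVM), point the JVM at the private truststore with -Djavax.net.ssl.trustStore instead of editing cacerts, so the change stays scoped to that service.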
Tomcat HTTPS configuration
- Edit server.xml with vi /root/software/apache-tomcat-8.5.37/conf/server.xml and add the following Connector configuration item:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="tomcat.keystore" keystorePass="123456" />
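The Connector above works, but it leaves two things at their defaults that are worth checking before the server faces real users: sslProtocol="TLS" on its own lets the JDK decide which TLS versions to offer (older JDK 8 builds include TLSv1.0 and TLSv1.1), and the keystore password sits as a literal in server.xml. The script below is an added example, not part of the original article: it writes the article's connector and a hardened variant as constructed sample files, then runs a small audit over each. The hardened variant is an assumption about a tightened connector; it uses Tomcat's sslEnabledProtocols attribute and its ${property} substitution in server.xml, and the property name tomcat.keystore.pass is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): audit the HTTPS Connector
# in a server.xml. Sample files are constructed here; the hardened one is an
# assumption about what a tightened connector looks like.

# Write two constructed server.xml samples into the given directory.
write_samples() {
  dir="$1"
  # The article's connector, unchanged.
  cat > "$dir/weak.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="tomcat.keystore" keystorePass="123456" />
  </Service>
</Server>
EOF
  # Hardened variant: explicit protocol list, and the password supplied through
  # a system property (set in catalina.properties or JAVA_OPTS) instead of inline.
  cat > "$dir/hardened.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
               keystoreFile="${catalina.base}/conf/tomcat.keystore" keystorePass="${tomcat.keystore.pass}" />
  </Service>
</Server>
EOF
}

# Return 0 if the SSLEnabled connector in $1 passes every check, 1 if any
# check fails, 2 if the file has no HTTPS connector at all.
check_https_connector() {
  file="$1"
  # Flatten the file so a multi-line <Connector .../> becomes one string.
  connector=$(tr '\n' ' ' < "$file" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*/>' || true)
  if [ -z "$connector" ]; then
    echo "no SSLEnabled connector found in $file"; return 2
  fi
  rc=0

  # Check 1: an explicit protocol list without SSLv3 / TLSv1.0 / TLSv1.1.
  protos=$(printf '%s' "$connector" | sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p')
  if [ -z "$protos" ]; then
    echo "FAIL: sslEnabledProtocols not set; sslProtocol=\"TLS\" alone leaves the version choice to JDK defaults"
    rc=1
  else
    case ",$protos," in
      *,SSLv3,*|*,TLSv1,*|*,TLSv1.1,*) echo "FAIL: legacy protocol enabled: $protos"; rc=1 ;;
      *) echo "OK: protocols $protos" ;;
    esac
  fi

  # Check 2: keystorePass should come from a ${property}, not a literal.
  pass=$(printf '%s' "$connector" | sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p')
  case "$pass" in
    '${'*'}') echo "OK: keystorePass read from property $pass" ;;
    *) echo "FAIL: keystorePass is an inline literal in server.xml"; rc=1 ;;
  esac
  return $rc
}

# Stand-alone run: audit both samples and show the exit codes.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d); write_samples "$d"
  check_https_connector "$d/weak.xml"; echo "weak.xml exit: $?"
  check_https_connector "$d/hardened.xml"; echo "hardened.xml exit: $?"
fi
```

Point check_https_connector at your real conf/server.xml after editing it; the weak sample should report both FAIL lines and the hardened one should pass. Restricting the protocol list does not affect the CAS login flow itself, since modern browsers negotiate TLSv1.2 or TLSv1.3 anyway.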
- Start Tomcat and test port 8443
./bin/startup.sh
Enter https://IP:8443 in your browser to test the port
Downloading the CAS System
Address: github.com/apereo/cas-… From version 6.0 the project is built with Gradle. I am more familiar with Maven, so I chose version 5.3. In addition, the JARs that the Gradle build depends on cannot be downloaded without a proxy to reach the Internet.
Download and unpack
wget https://github.com/apereo/cas-overlay-template/archive/5.3.zip
unzip 5.3.zip
If the unzip command is not installed, run the following command to install it
yum install -y unzip zip
Enter the unpacked directory, package it with Maven and wait for packaging to complete
mvn package
When packaging is complete, cas.war is in the target directory.
Start the CAS project
Copy the compiled WAR package into Tomcat's webapps directory and start Tomcat
cd /root/software/cas-overlay-template-5.3/target
cp cas.war /root/software/apache-tomcat-8.0.53/webapps/
cd /root/software/apache-tomcat-8.0.53
./bin/startup.sh
Login successful
In addition, CAS can be accessed over plain HTTP at http://IP:8080/cas
Principle:
When we access the system for the first time, there is no TGC Cookie in the memory of the client browser process, so the CAS Server considers the user not logged in and forwards the request to the login page. When we access the login endpoint again after logging in, the CAS Server finds the TGC and the request is forwarded directly.
The CAS Server determines whether a user has logged in from the Cookie (whether the TGC matches a TGT). By default the TGC Cookie is stored in the memory of the browser process, so the Cookie (and with it the TGC) becomes invalid when the browser is closed, and you need to log in on the CAS login page again.
After a user logs in, the CAS Server maintains the mapping between the TGT and the user's identity information, and every CAS client can obtain the current user's identity information from the CAS Server.
If you access the logout address while logged in, a message is displayed indicating that logout succeeded. The procedure is as follows:
1. Clear the TGC Cookie saved in the client browser (set it to null).
2. Clear the TGT stored on the server.
3. Destroy all Session objects of the CAS Clients.
After logging out, you need to log in on the login page again.
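The description above makes the TGC's lifecycle concrete: it lives only in browser memory, so it must be a session cookie (no Expires or Max-Age), and since the server is reached over HTTPS it should also be marked Secure and HttpOnly. The function below is an added example, not part of the original article: it audits a Set-Cookie header for exactly those properties. The two header lines are constructed samples, and the ticket values in them are fake.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Set-Cookie header for
# the CAS TGC. Per the article, the TGC lives only in browser memory, so it must
# be a session cookie (no Expires/Max-Age); it should also carry Secure and
# HttpOnly. Both header lines are constructed samples with fake ticket values.

GOOD_TGC='Set-Cookie: TGC=TGT-1-constructed-example; Path=/cas/; Secure; HttpOnly'
WEAK_TGC='Set-Cookie: TGC=TGT-2-constructed-example; Path=/cas/; Max-Age=86400'

# Return 0 when the header is a session-only, Secure, HttpOnly TGC;
# 1 when any check fails; 2 when the header is not a TGC cookie at all.
audit_tgc_cookie() {
  header="$1"
  value=${header#Set-Cookie: }
  case "$value" in
    TGC=*) ;;
    *) echo "not a TGC cookie: $value"; return 2 ;;
  esac
  # Attribute names are case-insensitive: lower-case everything, drop the
  # blanks after ';' and add a trailing ';' so each attribute is ';name;'-delimited.
  attrs=$(printf '%s;' "$value" | tr 'A-Z' 'a-z' | sed 's/; */;/g')
  rc=0
  case "$attrs" in *';secure;'*) ;; *) echo "FAIL: Secure flag missing"; rc=1 ;; esac
  case "$attrs" in *';httponly;'*) ;; *) echo "FAIL: HttpOnly flag missing"; rc=1 ;; esac
  case "$attrs" in
    *';expires='*|*';max-age='*) echo "FAIL: persistent cookie; the TGC should expire with the browser session"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: session-only TGC with Secure and HttpOnly"
  return $rc
}

# Stand-alone run: audit both constructed samples.
if [ "${1:-}" = "run" ]; then
  audit_tgc_cookie "$GOOD_TGC"
  audit_tgc_cookie "$WEAK_TGC"
fi
```

Feed it the Set-Cookie line captured in the browser's developer tools right after a successful login. In CAS 5.x the corresponding settings are the cas.tgc.* properties (for example cas.tgc.secure and cas.tgc.httpOnly), so a failing audit points directly at the property to change.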
Conclusion
We have built a basic CAS authentication service and understood the authentication principle, but how do we integrate it with our business systems? In the next article we will put this system into practice.