
CAS Single Sign-On, Part 9: Server-Side RememberMe

2019-11-08 20:18:07
Source: reposted
Contributed by: a site user

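Some CAS configuration options

The following describes some of the configuration options in cas.properties on the CAS 4.0.3 server.

1. cas.securityContext.status.allowedSubnet=127.0.0.1

  Server statistics page that can be accessed: http://sso.jadyer.com:8080/cas-server-web/status

  Server statistics page that can be accessed: http://sso.jadyer.com:8080/cas-server-web/statistics

2. host.name=S3

  The various UniqueTicketIdGenerator beans in uniqueIdGenerators.xml use host.name as the ticket suffix when generating TGT, ST and other tickets

  host.name is normally used in a clustered environment, where its value must be unique for each node so that every ticket generated across the cluster is unique as well

  In a single-node environment there is no need to change it

3. slo.callbacks.disabled=false: whether single logout is disabled

4. cas.logout.followServiceRedirects=true: whether the client may be redirected, after logout, to the resource named by the service parameter

5. tgt.maxTimeToLiveInSeconds=28800: the maximum lifetime of the session, i.e. it times out once this much time has passed since it was created; the default is 28800 s, i.e. 8 hours

6. tgt.timeToKillInSeconds=7200

  The user idle timeout, i.e. how long the user may be inactive before the session times out; the default is 7200 s, i.e. 2 hours

  From my own testing: when testing tgt.timeToKillInSeconds, also pay attention to the timeout configured in the client's web.xml

  That is, the effect of the server-side setting is only visible when the timeout configured on the client is not greater than tgt.timeToKillInSeconds

7. st.timeToKillInSeconds=10

  The validity period of a ServiceTicket; the default is 10 s

  This is also why stepping through the CAS authentication flow in a debugger often fails: by the time you step through it, the ServiceTicket's 10-second validity period has already passed

How RememberMe works

RememberMe, i.e. "remember my password", lets a user who has logged in successfully close the browser, reopen it, and access the application again without logging in a second time

For the implementation, see the official documentation at the URLs below (both describe the same thing; the second one also covers other topics)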

http://jasig.github.io/cas/development/installation/Configuring-LongTerm-Authentication.html

http://jasig.github.io/cas/4.0.x/installation/Configuring-Authentication-Components.html#long-term-authentication

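The specific changes are as follows

1. Add the setting rememberMeDuration=1209600 to cas.properties

2. Add the RememberMe expiration policy configuration to ticketExpirationPolicies.xml

3. Add the attribute p:rememberMeMaxAge="${rememberMeDuration:1209600}" in ticketGrantingTicketCookieGenerator.xml

4. deployerConfigContext.xml

5. Add the rememberMe field to the form in casLoginView.jsp

6. Add the configuration that receives the form's rememberMe field to login-webflow.xml

7. Make UsernamePasswordCaptchaCredential.java extend RememberMeUsernamePasswordCredential so that it can receive the form's rememberMe field

Code

Source code download for this article (the files at the two addresses below have identical content and include all the code from this series):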

http://oirr30q6q.bkt.clouddn.com/jadyer/code/sso-cas-remember-me.rar

http://download.csdn.net/detail/jadyer/8940967

Below is the modified ticketExpirationPolicies.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">
    <description>
        Assignment of expiration policies for the different tickets generated by CAS including ticket granting ticket
        (TGT), service ticket (ST), proxy granting ticket (PGT), and proxy ticket (PT).
        These expiration policies determine how long the ticket they are assigned to can be used and even how often they
        can be used before becoming expired / invalid.
    </description>

    <!-- Expiration policies -->
    <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/>
    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>

    <!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 -->
    <!-- Provides both idle and hard timeouts, for instance 2 hour sliding window with an 8 hour max lifetime -->
    <!--
    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
          p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
     -->

    <!-- The configuration below is what RememberMe requires -->
    <!-- First comment out the original <bean id="grantingTicketExpirationPolicy">, as shown above -->
    <!-- It is commented out because line 117 of applicationContext.xml uses <bean id="grantingTicketExpirationPolicy"> -->
    <!-- and RememberMe needs RememberMeDelegatingExpirationPolicy rather than the default TicketGrantingTicketExpirationPolicy -->
    <!-- The configuration below makes this clear -->
    <!--
        | The following policy applies to standard CAS SSO sessions.
        | Default 2h (7200s) sliding expiration with default 8h (28800s) maximum lifetime.
    -->
    <bean id="standardSessionTGTExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
          p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
    <!--
        | The following policy applies to long term CAS SSO sessions.
        | Default duration is two weeks (1209600s).
    -->
    <bean id="longTermSessionTGTExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy"
          c:timeToKillInMilliSeconds="#{ ${rememberMeDuration:1209600} * 1000 }"/>
    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy"
          p:sessionExpirationPolicy-ref="standardSessionTGTExpirationPolicy"
          p:rememberMeExpirationPolicy-ref="longTermSessionTGTExpirationPolicy"/>
</beans>
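
As an added illustration (not code from the original post or from CAS), the following Python model shows how the policies wired above decide expiry, including why a ServiceTicket held at a breakpoint for more than 10 seconds no longer validates. It assumes the long-term timeout is measured from the ticket's last use; TicketState and the function names are made up for the model.

```python
# Added illustration: a Python model of the expiration policies wired in
# ticketExpirationPolicies.xml. Not CAS code; all times are in seconds.
from dataclasses import dataclass

TGT_MAX_TTL = 28800        # tgt.maxTimeToLiveInSeconds
TGT_IDLE_TTL = 7200        # tgt.timeToKillInSeconds
ST_TTL = 10                # st.timeToKillInSeconds
REMEMBER_ME_TTL = 1209600  # rememberMeDuration


@dataclass
class TicketState:          # hypothetical stand-in for a ticket's bookkeeping
    created: int            # creation time
    last_used: int          # time of the most recent use
    uses: int = 0           # how many times the ticket has been used
    remember_me: bool = False


def standard_tgt_expired(t, now):
    """standardSessionTGTExpirationPolicy: hard lifetime plus sliding idle window."""
    return now - t.created >= TGT_MAX_TTL or now - t.last_used >= TGT_IDLE_TTL


def long_term_tgt_expired(t, now):
    """longTermSessionTGTExpirationPolicy: one timeout, assumed measured from last use."""
    return now - t.last_used >= REMEMBER_ME_TTL


def tgt_expired(t, now):
    """grantingTicketExpirationPolicy: pick the delegate from the rememberMe flag."""
    return long_term_tgt_expired(t, now) if t.remember_me else standard_tgt_expired(t, now)


def st_expired(t, now):
    """serviceTicketExpirationPolicy: one use or 10 s, whichever comes first."""
    return t.uses >= 1 or now - t.last_used >= ST_TTL


if __name__ == "__main__":
    hour = 3600
    cases = [
        ("standard TGT, idle 3 h", TicketState(0, 0), 3 * hour),
        ("standard TGT, active, age 9 h", TicketState(0, 9 * hour - 60), 9 * hour),
        ("rememberMe TGT, idle 3 days", TicketState(0, 0, remember_me=True), 72 * hour),
        ("rememberMe TGT, idle 15 days", TicketState(0, 0, remember_me=True), 360 * hour),
    ]
    for label, state, now in cases:
        print(f"{label}: expired={tgt_expired(state, now)}")
    print("ST paused 30 s in a debugger: expired =", st_expired(TicketState(0, 0), 30))
```

In this model a standard session always ends within 8 hours, while a rememberMe session has no hard maximum and ends only after two weeks without use.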

Below is the rememberMeDuration setting added to cas.properties

# Long term authentication session length in seconds
# Server-side RememberMe validity period; the default is 1209600 s, i.e. two weeks
rememberMeDuration=1209600

Below is the modified ticketGrantingTicketCookieGenerator.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <description>
        Defines the cookie that stores the TicketGrantingTicket.  You most likely should never modify these (especially the "secure" property).
        You can change the name if you want to make it harder for people to guess.
    </description>

    <!-- RememberMe requires adding the p:rememberMeMaxAge attribute -->
    <!-- With p:cookieSecure="false" the browser may send CASTGC over plain HTTP, and with rememberMeMaxAge the cookie persists for two weeks; set it to "true" when CAS is served over HTTPS -->
    <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false"
        p:cookieMaxAge="-1"
        p:rememberMeMaxAge="${rememberMeDuration:1209600}"
        p:cookieName="CASTGC"
        p:cookiePath="/cas" />
</beans>
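
An added check, not part of the original post or of CAS: this Python script resolves the ${rememberMeDuration:1209600} placeholder against cas.properties and reports a persistent CASTGC cookie that is issued without the Secure flag. The embedded XML and properties are constructed samples mirroring the files above; load_props, resolve, audit and the 14-day threshold are assumptions of the example.

```python
# Added example: audit the TGT cookie bean for RememberMe exposure.
# SAMPLE_XML / SAMPLE_PROPS are constructed samples mirroring this page.
import re
import xml.etree.ElementTree as ET

BEAN = "{http://www.springframework.org/schema/beans}bean"
P_NS = "{http://www.springframework.org/schema/p}"

SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1"
        p:rememberMeMaxAge="${rememberMeDuration:1209600}"
        p:cookieName="CASTGC" p:cookiePath="/cas"/>
</beans>"""
SAMPLE_PROPS = "# constructed sample\nrememberMeDuration=1209600\n"


def load_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    rows = (ln.strip() for ln in text.splitlines())
    return dict(r.split("=", 1) for r in rows if "=" in r and not r.startswith("#"))


def resolve(value, props):
    """Expand Spring-style ${key:default} placeholders from props."""
    return re.sub(r"\$\{([^:}]+)(?::([^}]*))?\}",
                  lambda m: props.get(m.group(1), m.group(2) or ""), value)


def audit(xml_text, props_text, max_days=14):
    """Return findings for the ticketGrantingTicketCookieGenerator bean."""
    props, findings = load_props(props_text), []
    for bean in ET.fromstring(xml_text).iter(BEAN):
        if bean.get("id") != "ticketGrantingTicketCookieGenerator":
            continue
        # A missing attribute is treated here as false / 0 (example assumption).
        secure = resolve(bean.get(P_NS + "cookieSecure", "false"), props) == "true"
        remember = int(resolve(bean.get(P_NS + "rememberMeMaxAge", "0"), props))
        if not secure and remember > 0:
            findings.append(f"CASTGC persists {remember}s without the Secure flag")
        elif not secure:
            findings.append("CASTGC is issued without the Secure flag")
        if remember > max_days * 86400:
            findings.append(f"rememberMeMaxAge {remember}s exceeds {max_days} days")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, SAMPLE_PROPS):
        print("FINDING:", finding)
```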

Below is the modified part of deployerConfigContext.xml

<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
            <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
        </map>
    </constructor-arg>
    <property name="authenticationPolicy">
        <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
    </property>
    <!-- Property added for RememberMe -->
    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="org.jasig.cas.authentication.SuccessfulHandlerMetaDataPopulator"/>
            <bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator"/>
        </list>
    </property>
</bean>

Below is the modified part of login-webflow.xml

<view-state id="viewLoginForm" view="casLoginView" model="credential">
    <binder>
        <binding property="username"/>
        <binding property="password"/>
        <!-- captcha field added to the login form -->
        <binding property="captcha"/>
        <!-- RememberMe field added to the login form -->
        <binding property="rememberMe"/>
    </binder>
    <on-entry>
        <set name="viewScope.commandName" value="'credential'" />
    </on-entry>
    <transition on="submit" bind="true" validate="true" to="validateCaptcha">
        <evaluate expression="authenticationViaCaptchaFormAction.doBind(flowRequestContext, flowScope.credential)" />
    </transition>
</view-state>

Below is UsernamePasswordCaptchaCredential.java

package com.jadyer.sso.model;

import org.jasig.cas.authentication.RememberMeUsernamePasswordCredential;

/**
 * Custom credential class that also receives the login captcha
 * Created by 玄玉<https://jadyer.github.io/> on 2015/07/14 16:28.
 */
//public class UsernamePasswordCaptchaCredential extends UsernamePasswordCredential {
// Extending RememberMeUsernamePasswordCredential lets the form's rememberMe field be bound
public class UsernamePasswordCaptchaCredential extends RememberMeUsernamePasswordCredential {
    private static final long serialVersionUID = 8317889802836113837L;
    private String captcha;

    public String getCaptcha() {
        return captcha;
    }

    public void setCaptcha(String captcha) {
        this.captcha = captcha;
    }
}

Finally, /WEB-INF/view/jsp/jadyer/ui/casLoginView.jsp

<%@ page pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<c:set var="ctx" value="${pageContext.request.contextPath}" scope="session"/>
<!DOCTYPE HTML>
<html>
<head>
    <meta charset="UTF-8"/>
    <title>CAS單點登錄系統</title>
    <link rel="icon" type="image/x-icon" href="${ctx}/favicon.ico"/>
    <script type="text/javascript" src="${ctx}/js/jquery-1.10.2.min.js"></script>
    <script type="text/javascript" src="${ctx}/js/jquery-ui-1.10.2.min.js"></script>
    <script type="text/javascript" src="${ctx}/js/cas.js"></script>
    <!--[if lt IE 9]>
        <script src="${ctx}/js/html5shiv-3.7.2.min.js" type="text/javascript"></script>
    <![endif]-->
</head>
<style>
body {background-color: #CBE0C9;}
#msg {padding:20px; margin-bottom:10px;}
#msg.errors {border:1px dotted #BB0000; color:#BB0000; padding-left:100px; background:url(${ctx}/images/error.gif) no-repeat 20px center;}
</style>
<body>
<c:if test="${not pageContext.request.secure}">
    <div id="msg" class="errors">
        <h2>Non-secure Connection</h2>
        <p>You are currently accessing CAS over a non-secure connection.  Single Sign On WILL NOT WORK.  In order to have single sign on work, you MUST log in over HTTPS.</p>
    </div>
</c:if>
<form:form method="post" commandName="${commandName}" htmlEscape="true">
    <!--
    cssClass sets the CSS class name of the form element, equivalent to the HTML class attribute
    cssStyle sets the inline style of the form element, equivalent to the HTML style attribute
    cssErrorClass sets the style applied when the form element has an error
    path binds the element to a property of the form object; nested properties are supported, e.g. path="user.userName" calls getUser().getUserName() on the form object
     -->
    <form:errors path="*" id="msg" cssClass="errors" element="div" htmlEscape="false"/>
    <input type="hidden" name="lt" value="${loginTicket}"/>
    <input type="hidden" name="execution" value="${flowExecutionKey}"/>
    <input type="hidden" name="_eventId" value="submit"/>
    <table border="9">
        <tr>
            <td>
                <c:if test="${not empty sessionScope.openIdLocalId}">
                    <strong>${sessionScope.openIdLocalId}</strong>
                    <input type="hidden" name="username" value="${sessionScope.openIdLocalId}"/>
                </c:if>
                <c:if test="${empty sessionScope.openIdLocalId}">
                    <form:input tabindex="1" path="username" placeholder="帳號" htmlEscape="true" maxlength="16" size="25"/>
                </c:if>
            </td>
        </tr>
        <tr>
            <td>
                <form:password tabindex="2" path="password" placeholder="密碼" htmlEscape="true" maxlength="16" size="25"/>
            </td>
        </tr>
        <tr>
            <td>
                <form:input tabindex="3" path="captcha" placeholder="驗證碼" htmlEscape="true" maxlength="4" size="15"/>
                <img style="cursor:pointer; vertical-align:middle;" src="captcha.jsp" onClick="this.src='captcha.jsp?time'+Math.random();">
            </td>
        </tr>
        <tr>
            <td>
                <!-- id added so that the label below is associated with this checkbox -->
                <input type="checkbox" tabindex="4" id="rememberMe" name="rememberMe" value="true"/>
                <label for="rememberMe">RememberMe</label>
            </td>
        </tr>
        <!--
        <tr>
            <td>
                <input type="checkbox" tabindex="3" name="warn" value="true"/>
                <label for="warn">轉向其他站點前提示我</label>
            </td>
        </tr>
        -->
        <tr>
            <td>
                <input type="submit" tabindex="5" value="登錄"/>
            </td>
        </tr>
    </table>
</form:form>
</body>
</html>