apereo/java-cas-client: Apereo Java CAS Client


Project name: apereo/java-cas-client

Project URL: https://github.com/apereo/java-cas-client

Language: Java 99.8%

Project description:

Java Apereo CAS Client

Intro

This is the official home of the Java Apereo CAS client. The client consists of a collection of Servlet filters that are suitable for most Java-based web applications. It also serves as an API platform to interact with the CAS server programmatically to make authentication requests, validate tickets and consume principal attributes.

All client artifacts are published to Maven Central. Depending on the functionality required, applications will need to include one or more of the dependencies listed below in their configuration.

Build

git clone git@github.com:apereo/java-cas-client.git
cd java-cas-client
mvn clean package

Please note that, to be deployable to Maven Central, we mark a number of JARs as provided (related to the JBoss and Memcache clients). In order to build those clients, you must enable the commented-out repositories in the appropriate pom.xml files of the modules (cas-client-integration-jboss and cas-client-support-distributed-memcached) or follow the instructions on how to install the file manually.

Components

  • Core functionality, which includes the CAS authentication/validation filters, is provided by this dependency:
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>${java.cas.client.version}</version>
</dependency>
  • Support for SAML functionality is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-support-saml</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Distributed proxy ticket caching with Ehcache is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-support-distributed-ehcache</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Distributed proxy ticket caching with Memcached is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-support-distributed-memcached</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Atlassian integration (Deprecated) is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-atlassian</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • JBoss integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-jboss</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Tomcat 6 integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-tomcat-v6</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Tomcat 7 integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-tomcat-v7</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Tomcat 8.0.x integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-tomcat-v8</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Tomcat 8.5.x integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-tomcat-v85</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Tomcat 9.0.x integration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-integration-tomcat-v90</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>
  • Spring Boot AutoConfiguration is provided by this dependency:
<dependency>
   <groupId>org.jasig.cas.client</groupId>
   <artifactId>cas-client-support-springboot</artifactId>
   <version>${java.cas.client.version}</version>
</dependency>

Configuration

Strategies

The client provides multiple strategies for the deployer to provide client settings. The following strategies are supported:

  • JNDI (JNDI)
  • Properties File (PROPERTY_FILE). The configuration is provided via an external properties file. The path may be specified in the web context as such:
<context-param>
    <param-name>configFileLocation</param-name>
    <param-value>/etc/cas/file.properties</param-value>
</context-param>

If no location is specified, by default /etc/java-cas-client.properties will be used.

  • System Properties (SYSTEM_PROPERTIES)
  • Web Context (WEB_XML)
  • Default (DEFAULT)

In order to instruct the client to pick a strategy, the strategy name must be specified in the web application's context:

<context-param>
    <param-name>configurationStrategy</param-name>
    <param-value>DEFAULT</param-value>
</context-param>

If no configurationStrategy is defined, DEFAULT is used, which is a combination of WEB_XML and JNDI.

Client Configuration Using web.xml

The client can be configured in web.xml via a series of context-params and filter init-params. Each filter for the client has a required (and an optional) set of properties. The filters look for these properties in the following way:

  • Check the filter's local init-params for a parameter matching the required property name.
  • Check the context-params for a parameter matching the required property name.
  • If two properties are found with the same name in the init-params and the context-params, the init-param takes precedence.

Note: If you're using the serverName property, you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.

An example application that is protected by the client is available here.

org.jasig.cas.client.authentication.AuthenticationFilter

The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Properties:

casServerUrlPrefix (required unless casServerLoginUrl is set): The start of the CAS server URL, e.g. https://localhost:8443/cas
casServerLoginUrl (required unless casServerUrlPrefix is set): Defines the location of the CAS server login URL, e.g. https://localhost:8443/cas/login. This overrides casServerUrlPrefix, if set.
serverName (required): The name of the server this application is hosted on. The service URL will be dynamically constructed using this, e.g. https://localhost:8443 (you must include the protocol, but the port is optional if it is a standard port).
service (optional): The service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
renew (optional): Specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as a local init-param setting.
gateway (optional): Specifies whether gateway=true should be sent to the CAS server. Valid values are either true/false (or no value at all).
artifactParameterName (optional): Specifies the name of the request parameter in which to find the artifact (i.e. ticket).
serviceParameterName (optional): Specifies the name of the request parameter in which to find the service (i.e. service).
encodeServiceUrl (optional): Whether the client should auto-encode the service URL. Defaults to true.
ignorePattern (optional): Defines the URL pattern to ignore when intercepting authentication requests.
ignoreUrlPatternType (optional): Defines the type of the pattern specified. Defaults to REGEX. Other types are CONTAINS, EXACT and FULL_REGEX. Can also accept a fully-qualified class name that implements UrlPatternMatcherStrategy.
gatewayStorageClass (optional): The storage class used to record gateway requests.
authenticationRedirectStrategyClass (optional): The class name of the component that decides how to handle authentication redirects to CAS.
method (optional): The method used by the CAS server to send the user back to the application. Defaults to null.

Ignore Patterns

The following types are supported:

REGEX: Matches the URL against the ignorePattern using Matcher#find(). The match succeeds if any substring of the URL matches the regex, so the pattern does not have to cover the whole URL.
CONTAINS: Uses the String#contains() operation to determine if the URL contains the specified pattern. Behavior is case-sensitive.
EXACT: Uses the String#equals() operation to determine if the URL exactly equals the specified pattern. Behavior is case-sensitive.
FULL_REGEX: Matches the URL against the ignorePattern using Matcher#matches(). It matches the expression against the entire string, as it implicitly adds a ^ at the start and a $ at the end of the pattern, so it will not match a substring or part of the string. ^ and $ are metacharacters that represent the start and the end of the string respectively.
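As an added illustration (not code from the java-cas-client project), the following class re-implements the four ignoreUrlPatternType semantics above with the same String and java.util.regex calls the table names, and runs a loose and an anchored ignorePattern over constructed request URLs so a deployer can see which requests each setting would exempt from authentication. It assumes the filter matches the full request URL including any query string; the class name, URLs and patterns are invented for the example.

```java
import java.util.regex.Pattern;

// Added example, not code from java-cas-client: re-implements the four
// ignoreUrlPatternType semantics with the same String/Matcher calls the
// table names, so a deployer can check which URLs a candidate ignorePattern
// would exempt from CAS authentication before shipping it in web.xml.
public class IgnorePatternCheck {

    enum Type { REGEX, CONTAINS, EXACT, FULL_REGEX }

    // Returns true when the filter would skip authentication for this URL.
    static boolean isIgnored(Type type, String pattern, String url) {
        switch (type) {
            case CONTAINS:
                return url.contains(pattern);                           // String#contains
            case EXACT:
                return url.equals(pattern);                             // String#equals
            case REGEX:
                return Pattern.compile(pattern).matcher(url).find();    // Matcher#find: substring
            case FULL_REGEX:
                return Pattern.compile(pattern).matcher(url).matches(); // Matcher#matches: whole string
            default:
                throw new IllegalArgumentException("unknown type " + type);
        }
    }

    public static void main(String[] args) {
        // Constructed sample request URLs for a client whose serverName is
        // https://www.acme-client.com. Assumption: the filter matches the full
        // request URL including the query string, so the third URL only carries
        // the "public" path inside a query parameter.
        String[] urls = {
            "https://www.acme-client.com/public/index.html",
            "https://www.acme-client.com/admin/public-reports",
            "https://www.acme-client.com/admin/home?next=/public"
        };
        // Intent in both cases: only pages below /public/ are open without login.
        String loose  = "/public";                                      // for REGEX / CONTAINS
        String strict = "^https://www\\.acme-client\\.com/public/.*$";  // for FULL_REGEX, anchored

        for (String url : urls) {
            System.out.printf("%-55s REGEX=%-5b CONTAINS=%-5b FULL_REGEX=%b%n", url,
                    isIgnored(Type.REGEX, loose, url),
                    isIgnored(Type.CONTAINS, loose, url),
                    isIgnored(Type.FULL_REGEX, strict, url));
        }
    }
}
```

Run as written, the loose pattern under REGEX or CONTAINS exempts all three URLs, including both admin pages, while the anchored FULL_REGEX pattern exempts only the first; the check worth making before deploying an ignorePattern is exactly this one, run over the application's real URL space.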

org.jasig.cas.client.authentication.Saml11AuthenticationFilter

The SAML 1.1 AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://somewhere.cas.edu:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.the-client.com</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Properties:

casServerUrlPrefix (required unless casServerLoginUrl is set): The start of the CAS server URL, e.g. https://localhost:8443/cas
casServerLoginUrl (required unless casServerUrlPrefix is set): Defines the location of the CAS server login URL, e.g. https://localhost:8443/cas/login. This overrides casServerUrlPrefix, if set.
serverName (required): The name of the server this application is hosted on. The service URL will be dynamically constructed using this, e.g. https://localhost:8443 (you must include the protocol, but the port is optional if it is a standard port).
service (optional): The service URL to send to the CAS server, e.g. https://localhost:8443/yourwebapp/index.html
renew (optional): Specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as a local init-param setting.
gateway (optional): Specifies whether gateway=true should be sent to the CAS server. Valid values are either true/false (or no value at all).
artifactParameterName (optional): Specifies the name of the request parameter in which to find the artifact (i.e. SAMLart).
serviceParameterName (optional): Specifies the name of the request parameter in which to find the service (i.e. TARGET).
encodeServiceUrl (optional): Whether the client should auto-encode the service URL. Defaults to true.
method (optional): The method used by the CAS server to send the user back to the application. Defaults to null.

org.jasig.cas.client.validation.Cas10TicketValidationFilter

Validates tickets using the CAS 1.0 Protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://somewhere.cas.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.the-client.com</param-value>
  </init-param>    
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Properties:

casServerUrlPrefix (required): The start of the CAS server URL, e.g. https://localhost:8443/cas
serverName (required): The name of the server this application is hosted on. The service URL will be dynamically constructed using this, e.g. https://localhost:8443 (you must include the protocol, but the port is optional if it is a standard port).
renew (optional): Specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as a local init-param setting.
redirectAfterValidation (optional): Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to true.
useSession (optional): Whether to store the Assertion in the session or not. If sessions are not used, tickets will be required for each request. Defaults to true.
exceptionOnValidationFailure (optional): Whether to throw an exception or not on ticket validation failure. Defaults to true.
sslConfigFile (optional): A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for protocol (defaults to SSL), keyStoreType, keyStorePath, keyStorePass, keyManagerType (defaults to SunX509) and certificatePassword.
encoding (optional): Specifies the encoding charset the client should use.
hostnameVerifier (optional): Hostname verifier class name, used when making back-channel calls.

org.jasig.cas.client.validation.Saml11TicketValidationFilter

Validates tickets using the SAML 1.1 protocol.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Properties:

casServerUrlPrefix (required): The start of the CAS server URL, e.g. https://localhost:8443/cas
serverName (required): The name of the server this application is hosted on. The service URL will be dynamically constructed using this, e.g. https://localhost:8443 (you must include the protocol, but the port is optional if it is a standard port).
renew (optional): Specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as a local init-param setting.
redirectAfterValidation (optional): Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to true.
useSession (optional): Whether to store the Assertion in the session or not. If sessions are not used, tickets will be required for each request. Defaults to true.
exceptionOnValidationFailure (optional): Whether to throw an exception or not on ticket validation failure. Defaults to true.
tolerance (optional): The tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization. Defaults to 1000 msec.
sslConfigFile (optional): A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for protocol (defaults to SSL), keyStoreType, keyStorePath, keyStorePass, keyManagerType (defaults to SunX509) and certificatePassword.
encoding (optional): Specifies the encoding charset the client should use.
hostnameVerifier (optional): Hostname verifier class name, used when making back-channel calls.

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 2.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas20ProxyTicketValidator will be constructed. Otherwise a general Cas20ServiceTicketValidator will be constructed that does not accept proxy tickets.

Note: If you are using proxy validation, you should place the filter-mapping of the validation filter before the authentication filter.

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://www.acme-client.com</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Properties:

casServerUrlPrefix (required): The start of the CAS server URL, e.g. https://localhost:8443/cas
serverName (required): The name of the server this application is hosted on. The service URL will be dynamically constructed using this, e.g. https://localhost:8443 (you must include the protocol, but the port is optional if it is a standard port).
renew (optional): Specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as a local init-param setting.
redirectAfterValidation (optional): Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to true.
useSession (optional): Whether to store the Assertion in the session or not. If sessions are not used, tickets will be required for each request. Defaults to true.
exceptionOnValidationFailure (optional): Whether to throw an exception or not on ticket validation failure. Defaults to true.
proxyReceptorUrl (optional): The URL to watch for PGTIOU/PGT responses from the CAS server. Should be defined relative to the root of the context. For example, if your application is deployed in /cas-client-app and you want the proxy receptor URL to be /cas-client-app/my/receptor, you need to configure proxyReceptorUrl to be /my/receptor.
acceptAnyProxy (optional): Specifies whether any proxy is OK. Defaults to false.
allowedProxyChains (optional): Specifies the acceptable proxy chains. Each acceptable proxy chain is a space-separated list of URLs (for exact match) or regular expressions of URLs (starting with the ^ character). Each acceptable proxy chain should appear on its own line.
proxyCallbackUrl (optional): The callback URL to provide to the CAS server to accept Proxy Granting Tickets.
proxyGrantingTicketStorageClass (optional): Specifies an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.
sslConfigFile (optional): A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for protocol (defaults to SSL), keyStoreType, keyStorePath, keyStorePass, keyManagerType (defaults to SunX509) and certificatePassword.
encoding (optional): Specifies the encoding charset the client should use.
secretKey (optional): The secret key used by the proxyGrantingTicketStorageClass if it supports encryption.
cipherAlgorithm (optional): The algorithm used by the proxyGrantingTicketStorageClass if it supports encryption. Defaults to DESede.
millisBetweenCleanUps (optional): Startup delay for the cleanup task that removes expired tickets from the storage. Defaults to 60000 msec.
ticketValidatorClass (optional): Ticket validator class to use/create.
hostnameVerifier (optional): Hostname verifier class name, used when making back-channel calls.
privateKeyPath (optional): The path to a private key used to decrypt PGTs that are sent directly, encrypted, as an attribute.
privateKeyAlgorithm (optional): The algorithm of the private key. Defaults to RSA.
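The allowedProxyChains rules above (one chain per line, elements separated by spaces, an element starting with ^ treated as a regular expression and anything else compared exactly) are applied by the following added example to the proxy chain reported in a validation response. This is illustrative code written for this page, not the client's own proxy-list implementation; the class name, the configuration value and the sample chains are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not java-cas-client's own code): applies the documented
// allowedProxyChains rules to a proxy chain taken from a CAS 2.0 validation
// response. A reported chain is accepted only if some configured chain has
// the same length and every element matches position by position.
public class AllowedProxyChains {

    private final List<String[]> chains = new ArrayList<>();

    // Parses the init-param value: one acceptable chain per line,
    // elements separated by whitespace, blank lines ignored.
    AllowedProxyChains(String configValue) {
        for (String line : configValue.split("\\r?\\n")) {
            line = line.trim();
            if (!line.isEmpty()) {
                chains.add(line.split("\\s+"));
            }
        }
    }

    // An element starting with '^' is a regular expression that must match the
    // whole proxy URL; any other element must be equal to it character for character.
    private static boolean elementMatches(String allowed, String actual) {
        if (allowed.startsWith("^")) {
            return Pattern.matches(allowed, actual);
        }
        return allowed.equals(actual);
    }

    // Chains of a different length never match, so an extra or missing hop is rejected.
    boolean isAllowed(String[] reportedChain) {
        for (String[] chain : chains) {
            if (chain.length != reportedChain.length) {
                continue;
            }
            boolean all = true;
            for (int i = 0; i < chain.length && all; i++) {
                all = elementMatches(chain[i], reportedChain[i]);
            }
            if (all) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed configuration: a one-hop exact chain and a two-hop chain whose
        // first hop is a regex over the organisation's own hosts.
        AllowedProxyChains allowed = new AllowedProxyChains(
                "https://portal.acme-client.com/proxyCallback\n"
              + "^https://.*\\.acme-client\\.com/proxyCallback$ https://portal.acme-client.com/proxyCallback\n");

        // Constructed proxy chains as they would be reported by the CAS server.
        String[] direct  = { "https://portal.acme-client.com/proxyCallback" };
        String[] twoHop  = { "https://reports.acme-client.com/proxyCallback",
                             "https://portal.acme-client.com/proxyCallback" };
        String[] unknown = { "https://other.example.org/proxyCallback" }; // host outside the configured chains

        System.out.println("direct  allowed: " + allowed.isAllowed(direct));
        System.out.println("twoHop  allowed: " + allowed.isAllowed(twoHop));
        System.out.println("unknown allowed: " + allowed.isAllowed(unknown));
    }
}
```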

org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter

Validates the tickets using the CAS 3.0 protocol. If you provide either the acceptAnyProxy or the allowedProxyChains parameters, a Cas30ProxyTicketValidator will be constructed. Otherwise a general Cas30ServiceTicketValidator will be constructed that does not accept proxy tickets. Supports all configurations that are available for Cas20ProxyReceivingTicketValidationFilter.

org.jasig.cas.client.validation.json.Cas30JsonProxyReceivingTicketValidationFilter

Identical to Cas30ProxyReceivingTicketValidationFilter, except that the filter is able to accept validation responses from CAS that are formatted as JSON per the guidelines laid out by the CAS protocol. See the protocol documentation for more info.

Proxy Authentication vs. Distributed Caching

The client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the proxyGrantingTicketStorageClass parameter needs to be defined for the validation filter as shown below.

Ehcache

Configure the client:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

The setting provides an implementation of proxy storage using Ehcache, taking advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless of which node is selected as the result of the load balancer's routing.

Configuration of this parameter alone is not enough. The Ehcache configuration needs to enable the replication mechanism through one of its supported ways. A sample of that configuration based on RMI replication can be found here. Please note that while the sample is written for a distributed ticket registry implementation, the basic idea and configuration should transfer easily.

When loading from the web.xml, the Jasig CAS Client relies on a series of default values, one of which is that the cache must be configured in the default location (i.e. classpath:ehcache.xml).

<cacheManagerPeerProviderFactory class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
   properties="peerDiscovery=automatic,
   multicastGroupAddress=230.0.0.1, multicastGroupPort=4446"/>
 
<cacheManagerPeerListenerFactory class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"/>
 
<cache
   name="org.jasig.cas.client.proxy.EhcacheBackedProxyGrantingTicketStorageImpl.cache"
   maxElementsInMemory="100"
   eternal="false"
   timeToIdleSeconds="100"
   timeToLiveSeconds="100"
   overflowToDisk="false">
   <cacheEventListenerFactory class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"/>
</cache>

Memcached

A similar implementation based on Memcached is also available.

Configure the client:

<init-param>
  <param-name>proxyGrantingTicketStorageClass</param-name>
  <param-value>org.jasig.cas.client.proxy.MemcachedBackedProxyGrantingTicketStorageImpl</param-value>
</init-param>

When loading from the web.xml, the client relies on a series of default values, one of which is that the list of memcached servers must be defined in /cas/casclient_memcached_hosts.txt on the classpath. The file is a simple list of <hostname>:<ports> on separat

