CAS & AD Configuration
Here we connect CAS to Active Directory over the LDAP protocol.
1. Switch to the cas-server source directory and add LDAP support to cas-server-webapp\pom.xml:
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${project.version}</version>
</dependency>
2. From the command line run mvn package install; cas.war is generated under cas-server-webapp\target. Copy cas.war into Tomcat's webapps directory.
3. Edit the CAS server's deployerConfigContext.xml.
Locate the following node:
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"></bean>
Inside its <property name="authenticationHandlers"> list, comment out the SimpleTestUsernamePasswordAuthenticationHandler (it accepts any login whose password equals the username, so it must never reach production) and add a BindLdapAuthenticationHandler. After the change it looks like this:
<property name="authenticationHandlers">
    <list>
        <!--
        | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
        | a server side SSL certificate.
        +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
        <!--
        | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
        | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
        | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
        | local authentication strategy. You might accomplish this by coding a new such handler and declaring
        | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.

        <bean
            class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
        +-->

        <!-- Search-then-bind: bind with the manager account from contextSource, search for the user under
             searchBase (%u is replaced with the username typed on the login form), then bind as the DN that
             was found using the submitted password. ignorePartialResultException is needed because AD
             answers subtree searches with referrals, which JNDI otherwise reports as a PartialResultException. -->
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="sAMAccountName=%u"
            p:searchBase="ou=yourOU,dc=microsoft,dc=com"
            p:contextSource-ref="contextSource"
            p:ignorePartialResultException="true" />
    </list>
</property>
Then, below <bean id="authenticationManager">, add the contextSource bean:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
    <property name="pooled" value="false"/>

    <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
    -->
    <!-- Use the lowercase ldap:// scheme. With java.naming.security.authentication=simple (below) the
         user's password travels in clear text, so in production point this at
         ldaps://ADServer.microsoft.com:636 and import the domain controller's certificate (or its
         issuing CA) into the JVM truststore. -->
    <property name="url" value="ldap://ADServer.microsoft.com" />

    <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
    -->
    <!-- AD accepts user@domain or DOMAIN\user for a simple bind. Use a dedicated read-only service
         account: this password is stored in plain text in deployerConfigContext.xml. -->
    <property name="userDn" value="yourADUser"/>
    <property name="password" value="yourpassword"/>

    <!-- Place JNDI environment properties here. -->
    <property name="baseEnvironmentProperties">
        <map>
            <!-- Three seconds is an eternity to users. -->
            <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
            <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />

            <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
            <entry key="java.naming.security.authentication" value="simple" />
        </map>
    </property>
</bean>
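The handler and contextSource above together implement a search-then-bind login: bind as the manager account, find the user's DN under searchBase with the %u filter, then bind as that DN with the password from the login form. The following Python is an added illustration of that flow, not code from CAS or from this page. It runs against a constructed in-memory stand-in for AD (the example.com domain, the cas-svc service account, the users alice and bob and all passwords are made up), and it escapes the username per RFC 4515 before substituting it into the filter template so the filter stays a single equality test; whether the CAS handler itself performs that escaping is not shown on this page.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute %u in a CAS-style template such as "sAMAccountName=%u"."""
    filt = template.replace("%u", escape_filter_value(username))
    return filt if filt.startswith("(") else f"({filt})"


def _unescape(raw: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


class FakeDirectory:
    """Constructed stand-in for AD: dn -> (attributes, password). Not a real LDAP server."""

    def __init__(self, entries):
        # DNs and attribute names are case-insensitive in LDAP; normalise them once.
        self.entries = {
            dn.lower(): ({k.lower(): v for k, v in attrs.items()}, pw)
            for dn, (attrs, pw) in entries.items()
        }

    def bind(self, dn: str, password: str) -> bool:
        # AD treats a simple bind with an empty password as an anonymous bind and
        # reports success, so an authenticator must refuse empty passwords itself.
        if not password:
            return False
        entry = self.entries.get(dn.lower())
        return entry is not None and entry[1] == password

    def search(self, base: str, filt: str):
        """Evaluate a single equality filter under base; an unescaped '*' is a wildcard."""
        m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filt)
        if not m:
            raise ValueError(f"unsupported filter: {filt}")
        attr, raw = m.group(1).lower(), m.group(2)
        pattern = ".*".join(re.escape(_unescape(part)) for part in raw.split("*"))
        return [
            dn for dn, (attrs, _) in self.entries.items()
            if dn.endswith(base.lower())
            and re.fullmatch(pattern, attrs.get(attr, ""), re.IGNORECASE)
        ]


def authenticate(directory, template, search_base, manager_dn, manager_pw, username, password):
    """Search-then-bind: manager bind, locate exactly one DN, then bind as that DN."""
    if not directory.bind(manager_dn, manager_pw):
        raise RuntimeError("manager bind failed; check userDn/password in contextSource")
    matches = directory.search(search_base, build_filter(template, username))
    if len(matches) != 1:  # zero or ambiguous hits: fail closed
        return None
    user_dn = matches[0]
    return user_dn if directory.bind(user_dn, password) else None


# Constructed sample directory; names, OUs and passwords are invented for this example.
SEARCH_BASE = "ou=yourOU,dc=example,dc=com"
MANAGER_DN = "cn=cas-svc,ou=Service Accounts,dc=example,dc=com"
MANAGER_PW = "svc-secret"
DIRECTORY = FakeDirectory({
    MANAGER_DN: ({"sAMAccountName": "cas-svc"}, MANAGER_PW),
    "cn=alice,ou=yourOU,dc=example,dc=com": ({"sAMAccountName": "alice"}, "correct horse"),
    "cn=bob,ou=yourOU,dc=example,dc=com": ({"sAMAccountName": "bob"}, "hunter2"),
})


def login(username: str, password: str):
    """What the CAS login form would trigger with the configuration shown above."""
    return authenticate(DIRECTORY, "sAMAccountName=%u", SEARCH_BASE,
                        MANAGER_DN, MANAGER_PW, username, password)


if __name__ == "__main__":
    print(login("alice", "correct horse"))   # the user's DN
    print(login("alice", "wrong"))           # None
    print(build_filter("sAMAccountName=%u", "*)(cn=*"))  # injected characters are escaped
```

The wildcard branch in search exists only to show the contrast: `DIRECTORY.search(SEARCH_BASE, "(sAMAccountName=*)")` matches every user under the OU, whereas a username of `*` passed through build_filter becomes `\2a` and matches nobody, which is why the result count is checked before the second bind.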