Brother song teaches you how to get started with spring boot + CAS single sign on

Time: 2021-10-7

In microservices and distributed systems, single sign-on is becoming more and more common. SongGe has already introduced single sign-on schemes in two previous articles:

  • OAuth2 + JWT scheme
  • @EnableOAuth2Sso annotation scheme

Of these two schemes, JWT has a logout problem that takes some effort to solve; the @EnableOAuth2Sso annotation scheme does not have the logout problem, but it is not as flexible as JWT.

No silver bullets!

In an actual project, we can only judge which scheme suits our needs better and then adapt it from there!

Using OAuth2 + JWT or the @EnableOAuth2Sso annotation in Spring Cloud Security is now much more convenient than it used to be. SongGe only recently switched the project to the Spring Cloud Security stack; before that, CAS was used for single sign-on. I believe many readers may still be using CAS single sign-on at their companies, so today SongGe will spend some time talking about how CAS + Spring Security implements single sign-on and how this scheme is played.

It may take several articles to cover CAS single sign-on. This one first covers the theory and the login process. Also, because CAS and Spring Cloud OAuth2 are similar in some respects, it is strongly recommended that you first take a look at Brother Song's OAuth2 series; this article will then be much easier to read (reply "OAuth2" in the official account for the related tutorials).

This article is the 23rd in the spring security series. Reading the previous articles in this series will help you better understand this article:

  1. Dig a big hole, spring security!
  2. Brother song takes you to spring security. Don’t ask how to decrypt the password
  3. Teach you how to customize the form login in spring security
  4. Spring security separates the front end from the back end. Let’s not jump the page! All JSON interactions
  5. The authorization operation in spring security is as simple as before
  6. How does spring security store user data into the database?
  7. Spring Security + spring data JPA work together to make security management simpler!
  8. Spring boot + spring security realize automatic login function
  9. How to control security risks when spring boot automatically logs in?
  10. In the microservice project, where is spring security better than Shiro?
  11. Two ways for spring security to customize authentication logic (advanced play)
  12. How to quickly view the login user’s IP address and other information in spring security?
  13. Spring security automatically kicks out the previous login user and completes the configuration!
  14. Spring boot + Vue front and back end separation project, how to kick off logged in users?
  15. Spring security comes with its own firewall! You don’t even know how secure your system is!
  16. What is session fixation attack? How to defend against session fixation attacks in spring boot?
  17. How does spring security handle session sharing for clustered deployment?
  18. Brother song teaches you how to defend against CSRF attacks in springboot! so easy!
  19. Learn thoroughly if you want to learn! Analysis of CSRF defense source code in spring security
  20. Two postures of password encryption in spring boot!
  21. How to learn spring security? Why must we study systematically?
  22. Spring security has two resource release strategies. Don’t use them wrong!

1. What is CAS

The full name of CAS is Central Authentication Service.

It is an open source project initiated by Yale University, whose purpose is to help web applications build a reliable single sign-on solution. Judging from current enterprise projects, CAS is still a very popular single sign-on solution.

1.1 CAS architecture

CAS is divided into two parts:

  • One is the CAS server, a central authentication service whose role is similar to the authorization server in our OAuth2 + JWT scheme: it verifies user names / passwords and is generally deployed independently.
  • The other is the CAS client, which corresponds to one (micro)service.

Let’s look at an architecture diagram officially given by CAS:

[Figure: official CAS architecture diagram]

As the diagram shows, users access CAS clients; the communication between CAS clients and the CAS server supports a variety of protocols; the CAS server handles the actual authentication, and it supports a wide range of data sources.

CAS client supports the following platforms:

  • Apache httpd Server (mod_auth_cas module)
  • Java (Java CAS Client)
  • .NET (.NET CAS Client)
  • PHP (phpCAS)
  • Perl (PerlCAS)
  • Python (pycas)
  • Ruby (rubycas-client)

CAS supports the following communication protocols:

  • CAS (versions 1, 2, and 3)
  • SAML 1.1 and 2
  • OpenID Connect
  • OpenID
  • OAuth 2.0
  • WS Federation

It can also be seen from the figure that CAS supports many different authentication mechanisms, including:

  • JAAS
  • LDAP
  • RDBMS
  • SPNEGO

1.2 three concepts

There are three important concepts in the CAS login process. Let me go over them first.

  1. TGT: the full name is Ticket Granting Ticket. It plays a role equivalent to the HttpSession we usually see: after the user logs in successfully, the user's basic information, such as the user name and the login validity period, is stored here.
  2. TGC: the full name is Ticket Granting Cookie. The TGC is saved in the browser as a cookie; with the TGC, the CAS server can find the corresponding TGT, so the TGC is somewhat like a session ID.
  3. ST: the full name is Service Ticket, a ticket the CAS server issues to the user based on the TGT. When the user accesses another service and that service finds neither a session cookie nor an ST, it returns a 302 that sends the user to the CAS server to obtain an ST; the CAS server then 302s the user back with the ST, and the CAS client takes the ST to the CAS server to obtain the user's login status.
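The last step of the ST description, the CAS client taking the ST to the CAS server, is a back-channel request to the server's serviceValidate endpoint, which answers with XML. The parser below is an added example, not Apereo CAS client code; the two response documents are constructed samples in the documented CAS 2.0 response shape, and the service URL, ticket value and attribute names in them are made up for the example.

```python
"""Parse the XML a CAS server returns from /serviceValidate (CAS protocol 2.0).

Added example, not Apereo CAS client code. SUCCESS_XML and FAILURE_XML are
constructed samples; their service, ticket and attribute values are invented."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS responses

SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:email>casuser@example.test</cas:email>
      <cas:role>admin</cas:role>
      <cas:role>staff</cas:role>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-EXAMPLE-0001' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(cas_base, service, ticket):
    """Validation request: the client sends the ST together with the *same*
    service URL it redirected the browser with; the server rejects a mismatch."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_service_validate(xml_text):
    """Return {"ok": True, "user": ..., "attributes": {...}} on success, or
    {"ok": False, "code": ..., "message": ...} for an authenticationFailure."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a CAS serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        attributes = {}
        attr_block = success.find("cas:attributes", CAS_NS)
        if attr_block is not None:
            for child in attr_block:  # multi-valued attributes become lists
                name = child.tag.split("}", 1)[-1]
                attributes.setdefault(name, []).append((child.text or "").strip())
        return {"ok": True, "user": user, "attributes": attributes}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": " ".join((failure.text or "").split())}
    raise ValueError("serviceResponse carries neither success nor failure")
```

The client should treat anything other than a well-formed authenticationSuccess with a non-empty cas:user as "not logged in"; the failure code (INVALID_TICKET here) is worth logging, since a burst of them from one client is a useful signal that tickets are being replayed or sent to the wrong service.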

2. CAS login process

Next, let's see what the CAS login process looks like, using an official flow chart!

[Figure: official CAS login flow chart]

The picture is actually quite clear; I'll explain it in words:

Terms: application 1 and application 2 respectively represent protected applications.

  1. The user accesses application 1 through the browser. Application 1 finds that the user has not logged in, so it returns a 302 carrying its own address as the service parameter, sending the user to the CAS server to log in.
  2. The browser automatically redirects to the CAS server. The CAS server reads the TGC carried in the user's cookie to check whether the user has logged in. If so, identity verification is complete (the CAS server can find the TGT from the user's TGC and obtain the user's information); if not, the user is redirected to the CAS server's login page. After the user enters the user name / password, the CAS server generates a TGT, issues an ST based on that TGT, and puts the TGC in the user's cookie, completing identity verification.
  3. After identity verification, the CAS server appends the ST to the service URL and returns a 302. The browser first stores the TGC in its cookie and then, following the 302, redirects to application 1 with the ST.
  4. After receiving the ST from the browser, application 1 takes it to the CAS server for verification to determine the user's login status. If the login is valid, the CAS server returns the user information to application 1.
  5. The browser then accesses application 2. Application 2 finds that the user is not logged in and redirects to the CAS server.
  6. The CAS server finds that the user has in fact already logged in, so it redirects back to application 2 carrying an ST.
  7. Application 2 takes the ST to the CAS server for verification and obtains the user's login information.

During the whole login process, the browser establishes sessions with the CAS server, application 1 and application 2 respectively. The session with the CAS server is called the global session, and the sessions with application 1 and application 2 are called local sessions. Once a local session is established, later accesses to application 1 and application 2 no longer go through the CAS server.
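To make the seven steps and the three ticket types concrete, here is a small simulation of the flow with a CAS server, two client applications and a browser. It is an added example, not Apereo CAS code: the ticket formats, the ST lifetime, the service URLs and the in-memory stores are assumptions made for the example, and the point it shows beyond the flow chart is the checks the CAS server must make when a client presents an ST (single use, bound to the requesting service, short-lived).

```python
"""Toy model of the TGT / TGC / ST flow from the seven steps above.
Constructed illustration, not Apereo CAS code: ticket formats, the ST
lifetime and the service URLs are assumptions made for this example."""
import secrets
import time

ST_TTL_SECONDS = 10  # assumed; real CAS keeps service tickets very short-lived

class CasServer:
    """Simulated CAS server: owns the TGTs, issues and validates STs."""

    def __init__(self, users):
        self.users = users  # {username: password}, constructed test accounts
        self.tgts = {}      # TGC cookie value -> username (the TGT contents)
        self.sts = {}       # ST -> {"service": ..., "tgc": ..., "issued": ...}

    def login(self, username, password):
        """Step 2: check the password; on success create a TGT and return its TGC."""
        if self.users.get(username) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgts[tgc] = username
        return tgc

    def issue_st(self, tgc, service):
        """Steps 2 and 6: a TGC that maps to a TGT yields an ST bound to `service`."""
        if tgc not in self.tgts:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = {"service": service, "tgc": tgc, "issued": time.time()}
        return st

    def validate_st(self, st, service, now=None):
        """Steps 4 and 7: the back-channel check made by a CAS client. The ST is
        consumed on first use, must come from the service it was issued for,
        and must still be within its lifetime."""
        now = time.time() if now is None else now
        record = self.sts.pop(st, None)  # pop: a replayed ST is no longer known
        if record is None or record["service"] != service:
            return None
        if now - record["issued"] > ST_TTL_SECONDS:
            return None
        return self.tgts.get(record["tgc"])

class Browser:
    def __init__(self, credentials):
        self.id = secrets.token_hex(4)
        self.cookies = {}  # where the TGC lives
        self.credentials = credentials

class CasClientApp:
    """Simulated protected application (application 1 / application 2)."""

    def __init__(self, service_url, server):
        self.service = service_url
        self.server = server
        self.local_sessions = {}  # browser id -> username: the "local session"

    def access(self, browser):
        if browser.id in self.local_sessions:  # local session: no CAS round trip
            return self.local_sessions[browser.id]
        tgc = browser.cookies.get("TGC")       # steps 1-2: redirect to CAS with service=
        if tgc is None:                        # no global session yet: login form
            tgc = self.server.login(*browser.credentials)
            if tgc is None:
                return None
            browser.cookies["TGC"] = tgc       # step 3: TGC stored in the browser
        st = self.server.issue_st(tgc, self.service)
        user = self.server.validate_st(st, self.service)  # step 4: validate the ST
        if user is not None:
            self.local_sessions[browser.id] = user
        return user

def run_single_sign_on():
    """Application 1 then application 2; only the first visit asks for a password."""
    server = CasServer({"casuser": "Mellon"})  # the default account from section 3.4
    app1 = CasClientApp("https://app1.example.test/", server)
    app2 = CasClientApp("https://app2.example.test/", server)
    browser = Browser(("casuser", "Mellon"))
    return {
        "app1": app1.access(browser),        # steps 1-4
        "app2": app2.access(browser),        # steps 5-7: TGC reused, no password
        "tgc_set": "TGC" in browser.cookies,
        "outstanding_sts": len(server.sts),  # 0: every ST was consumed exactly once
    }

def ticket_misuse_is_rejected():
    """Replay, cross-service use and an expired ST all fail validation."""
    server = CasServer({"casuser": "Mellon"})
    tgc = server.login("casuser", "Mellon")
    app1, app2 = "https://app1.example.test/", "https://app2.example.test/"
    st1 = server.issue_st(tgc, app1)
    first = server.validate_st(st1, app1)   # "casuser"
    replay = server.validate_st(st1, app1)  # None: already consumed
    cross = server.validate_st(server.issue_st(tgc, app1), app2)  # None: wrong service
    stale = server.validate_st(server.issue_st(tgc, app1), app1,
                               now=time.time() + ST_TTL_SECONDS + 1)  # None: expired
    return first, replay, cross, stale
```

Calling `run_single_sign_on()` returns `casuser` for both applications with the TGC set and no outstanding STs, which is the "global session plus two local sessions" picture from the paragraph above; `ticket_misuse_is_rejected()` shows why a real CAS server ties each ST to one service and one use.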

3. CAS server setup

Enough theory; let's get practical.

Since the whole CAS single sign-on setup is fairly involved, let's take it step by step. Today, I'll show you how to build the CAS server.

3.1 version selection

At present, the latest CAS server is 6.x, which is built with Gradle. Considering that many readers may not be familiar with Gradle, I chose version 5.3, which is built with the more familiar Maven.

The project officially provides a template for building the CAS server at: https://github.com/apereo/cas…

Select the 5.3 branch and download it:

[Figure: selecting the 5.3 branch on GitHub]

Or clone the repository directly and switch to the 5.3 branch. I don't need to teach you this; I believe everyone can do it themselves.

3.2 HTTPS certificate

Starting from version 4, the CAS server uses HTTPS, so we have to prepare an HTTPS certificate in advance. For company projects, you need to buy an HTTPS certificate; if you are just experimenting, you can also apply for a free HTTPS certificate from a cloud service provider.

Since we are testing locally here, we can simply use the keytool utility that ships with the JDK to generate an HTTPS certificate ourselves.

The generation command is as follows:

keytool -genkey -alias casserver -keyalg RSA -keystore ./keystore

  • -alias specifies the alias of the generated certificate
  • -keyalg specifies the algorithm used to generate the key
  • -keystore specifies where the generated keystore is stored

When the command runs, it asks for a keystore password. Any value will do, but remember what you entered. In addition, for the prompt "What is your first and last name?" you need to fill in the domain name of the CAS server. Remember this too:

[Figure: keytool prompts when generating the keystore]

After that, we have our HTTPS certificate. Although this certificate is not trusted by any public certificate authority, it is enough for practising on our own.

3.3 configure and start

Next, the configuration.

In the downloaded CAS overlay template project, create a new src/main/resources directory, and copy into it the overlays/org.apereo.cas.cas-server-webapp-tomcat-5.3.14/WEB-INF/classes/application.properties file and the keystore file just generated:

[Figure: src/main/resources containing application.properties and keystore]

Then modify application.properties to configure the keystore location and passwords as follows:

server.ssl.key-store=classpath:keystore
server.ssl.key-store-password=111111
server.ssl.key-password=111111

After configuration, execute the following command under the project root directory to start the project:

./build.sh bootrun

Depending on your network speed, the first startup may take a long time; just wait patiently.

Errors may be reported during startup, but don't worry. If you see the READY banner, the startup succeeded:

[Figure: CAS server console showing the READY banner]

3.4 testing

After a successful startup, open https://cas.javaboy.org:8443/cas/login in the browser to reach the login page (note that it is HTTPS):

[Figure: CAS server login page]

The default user name is casuser and the password is Mellon. Enter them to log in:

[Figure: CAS server page after a successful login]

The default user name / password can also be changed in the application.properties file, on its last line:

cas.authn.accept.users=casuser::Mellon

After changing it, restart the project for the change to take effect.

4. Summary

Today, I mainly talked about the basic concepts of CAS and then built a CAS server. Interested readers can give it a try. In the next article, we'll see how to develop a CAS client with Spring Boot.

Well, if you feel you gained something, remember to hit "watching" to encourage Brother Song.