CAS client certificate authentication login

Front-end time required to achieve certification within the company network automatically login CAS.

Because of the underlying CAS is not so special about the next study, read the next source.

Here I explain the top-down implementation process.

1.Web Flow

We all know that CAS now using Spring Web Flow,

In the CAS in Spring Web Flow configuration file for the login-webflow.xml

The main configuration inside the login process. The graph to indicate if the use of the words that should be a state diagram,

Some nodes have some check and then have different branches.

Here an increase startX509Authenticate this node, the time when the need to log into the node to verify first, if unsuccessful, then there will verify the login screen to enter general. Is directly responsible for a successful login, or logon failures.

The modified profile is as follows:

<?xml version="1.0" encoding="UTF-8"?>
    <flow xmlns=""

        <start-state idref="initialFlowSetup"/>

                <action bean="initialFlowSetupAction" />
                <transition on="success" to="ticketGrantingTicketExistsCheck" />

                <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />

                <if test="${externalContext.requestParameterMap['gateway'] != '' &amp;&amp; externalContext.requestParameterMap['gateway'] != null &amp;&amp; flowScope.service != null}" then="redirect" else="startX509Authenticate" />

                <if test="${flowScope.service != null}" then="renewRequestCheck" else="viewGenericLoginSuccess" />

                <if test="${externalContext.requestParameterMap['renew'] != '' &amp;&amp; externalContext.requestParameterMap['renew'] != null}" then="startX509Authenticate" else="generateServiceTicket" />

                <if test="${flowScope.warnCookieValue}" then="showWarningView" else="redirect" />

                <action bean="x509Check" />
                <transition on="success" to="sendTicketGrantingTicket" />
                <transition on="error" to="viewLoginForm" />

        <view-state view="casLoginView">
                        <action bean="authenticationViaFormAction" method="setupForm"/>
                        <action bean="authenticationViaFormAction" method="referenceData"/>
                <transition on="submit" to="bindAndValidate" />

                <action bean="authenticationViaFormAction" />
                <transition on="success" to="submit" />
                <transition on="error" to="viewLoginForm" />

                <action bean="authenticationViaFormAction" method="submit" />
                <transition on="warn" to="warn" />
                <transition on="success" to="sendTicketGrantingTicket" />
                <transition on="error" to="viewLoginForm" />

                <action bean="sendTicketGrantingTicketAction" />
                <transition on="success" to="serviceCheck" />

                <if test="${flowScope.service != null}" then="generateServiceTicket" else="viewGenericLoginSuccess" />

                <action bean="generateServiceTicketAction" />
                <transition on="success" to ="warn" />
                <transition on="error" to="viewLoginForm" />
                <transition on="gateway" to="redirect" />

        <end-state view="casLoginGenericSuccessView" />
        <end-state view="casLoginConfirmView" />
        <end-state view="bean:alibabaDynamicRedirectViewSelector" />
        <end-state view="viewServiceErrorView" />
        <end-state view="viewServiceSsoErrorView" />

                <transition to="viewServiceErrorView" on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" />
        <transition to="viewServiceSsoErrorView" on-exception="" />
                <transition to="viewServiceErrorView" on-exception="" />

2. Proceed from X509Check

From the above we can see startX509Authenticate configuration file corresponding to this node is x509Check Bean

Then we need to increase such a Bean

We are in the cas-servlet.xml this configuration file to add the class configuration, because the CAS comes with a Certificate of Action


Here is what had inserted in the implementation of the time how is the mechanism.

When a request came after, web flow Action node arrangements should be handled

Action will be carried out through its centralAuthenticationService createTicketGrantingTicket, passing the parameter is the credentials.

centralAuthenticationService, which org.jasig.cas.CentralAuthenticationServiceImpl this class.

Before the issuance of TGT to verify through their own authenticationManager pass over the credentials current legality.

To authenticationManager home, use any credentials to verify it, on a variety of authenticationHandlers the play, and these authenticationHandlers have also been a time when the configuration authenticationManager xml configuration into the. Here would be able to choose a credential of authenticationHandler to address the current validation work (authenticationHandler.supports (credentials)). that is, these processors need to realize supports this approach.

If the verification is successful, we need some of the label information into the cas of the client-side A, there need this information.

So, after verification, credentialsToPrincipalResolvers they play, they could well bring out the need to return to cas client information.

Through the above analysis, we need our own Handler and credentialsToPrincipalResolvers to authenticationManager configuration

                <property name="credentialsToPrincipalResolvers">
                                <bean />
                                <bean />
                <property name="authenticationHandlers">
                                        p:httpClient-ref="httpClient" />
                                <ref bean="dynamicAuthenticationHandler" />
                                <ref bean="x509CredentialsAuthenticationHandler"/>

x509CredentialsAuthenticationHandler the CAS own, but we need to return to the CAS Client for certificate-mail, but CAS did not provide such a Resolver, so I wrote out a certificate obtained from the X509CertificateCredentialsToDNEmailPrincipalResolver email

Reference to the class here, of course, also need to be configured in the Spring of

   <bean >
        <property name="trustedIssuerDnPattern" value="CN=intranet.+"/>

That will be.

3.Tomcat configuration

Next, we need to CA's certificate to in servlet container TrustStore. And open the client.

   <Connector port="8447" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/ssl/keystore.jks" keystorePass="changeit"
                           truststoreFile="conf/ssl/keystore.jks" truststorePass="changeit"

clientAuth = "want" does not insist configured want that, if used, configured to true, then it must pass the certificate, or directly back to 404

We here can also be used to go without regular login page, so take the want of this parameter.

Start the CAS, all OK.

-------------------------------------------------- -------------------------------------------

PS: Get Email from the certificate attached to the code

package org.jasig.cas.adaptors.x509.authentication.principal;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.x509.X509NameTokenizer;

public class X509CertificateCredentialsToDNEmailPrincipalResolver extends AbstractX509CertificateCredentialsToPrincipalResolver {

    public static final String EMAIL = "rfc822name";
    public static final String EMAIL1 = "email";
    public static final String EMAIL2 = "EmailAddress";
    public static final String EMAIL3 = "E";
    private static final String[] EMAILIDS = { EMAIL, EMAIL1, EMAIL2, EMAIL3 };
    protected final Log log = LogFactory.getLog(this.getClass());

        protected String resolvePrincipalInternal(X509Certificate certificate) {
                String email =  getEmailFromDN(certificate.getSubjectDN().getName());
                        return email;
                return null;

     * Convenience method for getting an email address from a DN.
     * @param dn the DN
     * @return the found email address, or <code>null</code> if none is found
    public  String getEmailFromDN(String dn) {">getEmailFromDN(" + dn + ")");
        String email = null;
        for (int i = 0; (i < EMAILIDS.length) && (email == null); i++) {
            email = getPartFromDN(dn, EMAILIDS[i]);

        log.error("<getEmailFromDN(" + dn + "): " + email);

        return email;

     * Gets a specified part of a DN. Specifically the first occurrence it the DN contains several
     * instances of a part (i.e. cn=x, cn=y returns x).
     * @param dn String containing DN, The DN string has the format "C=SE, O=xx, OU=yy, CN=zz".
     * @param dnpart String specifying which part of the DN to get, should be "CN" or "OU" etc.
     * @return String containing dnpart or null if dnpart is not present
    public  String getPartFromDN(String dn, String dnpart) {
        log.debug(">getPartFromDN: dn:'" + dn + "', dnpart=" + dnpart);

        String part = null;

        if ((dn != null) && (dnpart != null)) {
            String o;
            dnpart += "="; // we search for 'CN=' etc.

            X509NameTokenizer xt = new X509NameTokenizer(dn);

            while (xt.hasMoreTokens()) {
                o = xt.nextToken();

                //log.debug("checking: "+o.substring(0,dnpart.length()));
                if ((o.length() > dnpart.length()) &&
                    o.substring(0, dnpart.length()).equalsIgnoreCase(dnpart)) {
                    part = o.substring(dnpart.length());


        log.debug("<getpartFromDN: resulting DN part=" + part);

        return part;
    } //getPartFromDN

分类:Java 时间:2010-04-18 人气:523
blog comments powered by Disqus


  • [Reserved] XML document with Schema specification 2010-12-02

    [Reserved] XML document with Schema specification XML Schema is a XML-based alternative to DTD. XML Schema is also known as XML framework or XML model. And norms can be described by XML Schema document's data model and organizational structure, provi

  • Struts2.0 configuration file (web.xml) 2010-04-19

    web.xml is the web application loads the important information about servlet configuration file, play initialization servlet, filter, etc. The role of web programs. In general, all of the MVC framework for Web applications need to load a core control

  • maven2 configuration file pom.xml setting.xml 2010-02-04

    This article is mainly about maven2 core set of two documents with the understanding: pom.xml and setting.xml. pom.xml in folder to create the project, setting.xml maven package in the conf folder after extracting. Start with settings.xml, settings.x

  • Persistence.xml JPA configuration file 2010-04-19

    JPA specification requirements in the class path META-INF directory to place persistence.xml, the file name is fixed, configuration templates are as follows: Xml Code <? Xml version = "1.0"?> <Persistence xmlns = "http://java.sun.c

  • Tomcat web.xml configuration file Xiangjie 2010-06-03

    Each station has a WEB-INF web.xml settings under the file, it provides our site's configuration settings. web.xml definition: . The site name and description . For the environmental parameters (Context) to do the initial work . Servlet name and mapp

  • [Zhang Bing Struts2 study notes] 0502.struts.xml Detailed configuration of the five Action Configuration 2 2010-11-26

    Detailed configuration of the five Action struts.xml Configuration 2 1. Action configuration 1.1, method attributes and dynamic method calls attention to points 1, method attribute can automatically match doXXX () methods, such as doAdd (), visited t

  • sruts2.0 web.xml configuration file 2011-05-04

    Any MVC framework and Web application integration needs, which had to resort to web.xml file, only the configuration in the web.xml file in the Servlet will be applied load. Usually, all the MVC framework for Web application needs to load a core cont

  • Hibernate.cfg.xml configuration file (including the primary key generation strategy Introduction) 2009-02-27

    Hibernate.cfg.xml configuration file: <? xml version = "1.0" encoding = "utf-8"?> <! DOCTYPE hibernate-configuration PUBLIC "- / / Hibernate / Hibernate Configuration DTD / / EN" "hibernate-configuration-2.0.dtd

  • DWR.xml configuration file specification 2009-05-24

    1, set up configuration files dwr.xml Dwr.xml any of the required documents are included in the statement DWR DOCTYPE line in the following format: <! DOCTYPE dwr PUBLIC "- / / GetAhead Limited / / DTD Direct Web Remoting 1.0 / / EN" "ht

  • dwr configuration file dwr.xml 2009-06-26

    I dwr Chinese document on a collation do dwr.xml purely jobs they take, there are useful do not forget to top friend you, leave a contact with the exchange of learning! Welcome to my site to exchange technical dwr.xml is the DWR confi

iOS 开发

Android 开发

Python 开发



PHP 开发

Ruby 开发






Javascript 开发

.NET 开发



Copyright (C), All Rights Reserved. 版权所有 黔ICP备15002463号-1

processed in 0.486 (s). 10 q(s)