CAS 6

ref

Context

Example deployment of a CAS 6.x server on CentOS 8 using the distribution's native packages ⇒ OpenJDK 11 JVM

[root@ssocas6 ~]# cat /etc/redhat-release 
CentOS Linux release 8.3.2011

java 11 jdk

[root@ssocas6 ~]# yum install java-11-openjdk-devel.x86_64

Installer  27 Paquets

Taille totale des téléchargements : 64 M
Taille des paquets installés : 246 M


Installé:
  java-11-openjdk-devel-1:11.0.7.10-1.el8_1.x86_64 abattis-cantarell-fonts-0.0.25-4.el8.noarch   dconf-0.28.0-3.el8.x86_64                  gtk3-3.22.30-5.el8.x86_64                          
  adwaita-cursor-theme-3.28.0-2.el8.noarch         adwaita-icon-theme-3.28.0-2.el8.noarch        at-spi2-atk-2.26.2-1.el8.x86_64            at-spi2-core-2.28.0-1.el8.x86_64                   
  cairo-gobject-1.15.12-3.el8.x86_64               colord-libs-1.4.2-1.el8.x86_64                java-11-openjdk-1:11.0.7.10-1.el8_1.x86_64 java-11-openjdk-headless-1:11.0.7.10-1.el8_1.x86_64
  lcms2-2.9-2.el8.x86_64                           libepoxy-1.5.3-1.el8.x86_64                   libwayland-client-1.17.0-1.el8.x86_64      libwayland-cursor-1.17.0-1.el8.x86_64              
  libwayland-egl-1.17.0-1.el8.x86_64               libxkbcommon-0.9.1-1.el8.x86_64               rest-0.8.1-2.el8.x86_64                    xkeyboard-config-2.28-1.el8.noarch                 
  glib-networking-2.56.1-1.1.el8.x86_64            gsettings-desktop-schemas-3.32.0-4.el8.x86_64 json-glib-1.4.4-1.el8.x86_64               libgusb-0.3.0-1.el8.x86_64                         
  libmodman-2.0.1-17.el8.x86_64                    libproxy-0.4.15-5.2.el8.x86_64                libsoup-2.62.3-1.el8.x86_64               

alternatives java-11

Switch the default to java-11 with alternatives if 1.8 is also present

[root@ssocas6 ~]# alternatives --config java

Il existe 2 programmes qui fournissent « java ».

  Sélection    Commande
-----------------------------------------------
*+ 1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
   2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)
   

[root@ssocas6 ~]# alternatives --config java

Il existe 2 programmes qui fournissent « java ».

  Sélection    Commande
-----------------------------------------------
*  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
 + 2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)

test the java version

[root@ssocas6 ~]#  java -version
openjdk version "11.0.9.1" 2020-11-04 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.9.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9.1+1-LTS, mixed mode, sharing)

tomcat

Red Hat, and therefore CentOS, no longer ship a tomcat package (they push JBoss instead), so we install Tomcat 9 from the tar.gz:

tomcat user

[root@ssocas6 ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat

tomcat package tgz

[root@ssocas6 ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.45/bin/apache-tomcat-9.0.45.tar.gz



[root@ssocas6 ~]# cd /opt
[root@ssocas6 opt]# tar xvfz /root/apache-tomcat-9.0.45.tar.gz

[root@ssocas6 opt]# ln -s apache-tomcat-9.0.45 tomcat 
[root@ssocas6 opt]# ls -ld tomcat 
lrwxrwxrwx 1 root root 20 10 mai   19:49 tomcat -> apache-tomcat-9.0.45

set the access rights for the tomcat account

[root@ssocas6 opt]# chown -R tomcat:tomcat /opt/tomcat/

# ls -l tomcat/
total 148
drwxr-x--- 2 tomcat tomcat  4096 10 mai   16:09 bin
-rw-r----- 1 tomcat tomcat 18984 30 mars  12:29 BUILDING.txt
drwx------ 2 tomcat tomcat  4096 30 mars  12:29 conf
-rw-r----- 1 tomcat tomcat  5587 30 mars  12:29 CONTRIBUTING.md
drwxr-x--- 2 tomcat tomcat  4096 10 mai   16:09 lib
-rw-r----- 1 tomcat tomcat 57092 30 mars  12:29 LICENSE
drwxr-x--- 2 tomcat tomcat  4096 30 mars  12:29 logs
-rw-r----- 1 tomcat tomcat  2333 30 mars  12:29 NOTICE
-rw-r----- 1 tomcat tomcat  3257 30 mars  12:29 README.md
-rw-r----- 1 tomcat tomcat  6898 30 mars  12:29 RELEASE-NOTES
-rw-r----- 1 tomcat tomcat 16507 30 mars  12:29 RUNNING.txt
drwxr-x--- 2 tomcat tomcat  4096 10 mai   16:09 temp
drwxr-x--- 7 tomcat tomcat  4096 30 mars  12:29 webapps
drwxr-x--- 2 tomcat tomcat  4096 30 mars  12:29 work

tomcat configuration

access to the manager webapp: allow our IP address in webapps/manager/META-INF/context.xml

[root@ssocas6 opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
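Review bot: the new allow entry `157.19.19.13` on line 20 is part of a regular expression, like `127\.\d+\.\d+\.\d+` next to it, so its dots should be escaped as `157\.19\.19\.13`; unescaped, each `.` matches any character and the rule admits more than the single address intended.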

admin account for accessing the manager/html application (http://ssocas6.domain.fr:8080/manager/html; the :8080 will disappear later, once an Apache AJP proxy is placed in front of Tomcat)

[root@ssocas6 opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
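Review bot: the added `<user username="dsi" password="secret" .../>` line keeps the manager password in clear text in tomcat-users.xml, so replace `secret` with a strong value and keep the file readable by the tomcat account only (conf/ is already mode 700 in the listing above). Granting both `manager-gui` and `admin-gui` is more than the /manager/html access described needs; `admin-gui` is the host-manager role and can be left out if that application is not used.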

activation via systemd

[root@ssocas6 opt]# vim /etc/systemd/system/tomcat.service
[root@ssocas6 opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

start

[root@ssocas6 ~]# systemctl daemon-reload
[root@ssocas6 ~]# systemctl enable tomcat.service
[root@ssocas6 ~]# systemctl start tomcat.service

firewall

[root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@ssocas6 opt]# firewall-cmd --reload
success

[root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@ssocas6 opt]# firewall-cmd --reload
success

or, more generally

firewall-cmd --zone=public --permanent --add-port=8080/tcp

tomcat access

The server is now reachable, for example at

http://ssocas6.tem-tsp.eu:8080/manager/html (login/password defined above)

firewalld service-based option

We can also copy the ssh service definition to a tomcat service, so as to open our Tomcat port 8080 through a firewalld service.

[root@ssocasd6 ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/tomcat.xml
[root@ssocasd6 ~]# vim /etc/firewalld/services/tomcat.xml
[root@ssocasd6 ~]# cat /etc/firewalld/services/tomcat.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tomcat</short>
  <description>tomcat is a java servlet container/server</description>
  <port protocol="tcp" port="8080"/>
</service>

With this service-based option we add the tomcat service permanently (available at the next boots)

[root@ssocasd6 ~]# firewall-cmd --zone=public --add-service=tomcat
success

Even so, to make this opening stable, the service must be added to the active zone (here public)

[root@ssocasd6 ~]# grep tomcat /etc/firewalld/zones/public.xml
  <service name="tomcat"/>
  
[root@ssocasd6 ~]# systemctl restart firewalld.service 

other dependencies

git maven

Maven and git, among others, will be needed; install the packages

[root@ssocas6 ~]# yum install git maven

CAS6 template overlay

We start by fetching the CAS overlay template

See https://apereo.github.io/cas/6.3.x/installation/WAR-Overlay-Installation.html for an explanation of overlays

[root@ssocas6 ~]# cd /opt/
[root@ssocas6 opt]# git clone https://github.com/apereo/cas-overlay-template
Clonage dans 'cas-overlay-template'...
remote: Enumerating objects: 1894, done.
remote: Counting objects: 100% (53/53), done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 1894 (delta 24), reused 29 (delta 11), pack-reused 1841
Réception d'objets: 100% (1894/1894), 10.61 Mio | 18.83 Mio/s, fait.
Résolution des deltas: 100% (1050/1050), fait.

We end up with this layout

[root@ssocas6 opt]# cd cas-overlay-template
[root@ssocas6 cas-overlay-template]# 
[root@ssocas6 cas-overlay-template]# ls
build.gradle     docker-compose.yml  docker-push.sh  etc     gradle.properties  gradlew.bat  lombok.config  settings.gradle
docker-build.sh  Dockerfile          docker-run.sh   gradle  gradlew            LICENSE.txt  README.md      src

LDAP support

Edit the build.gradle file to add two dependencies, for support-ldap and support-json; see the (+) lines below:

[root@ssocas6 cas-overlay-template]# diff -ur build.gradle.dist build.gradle
--- build.gradle.dist	2021-05-21 15:29:39.722743124 +0200
+++ build.gradle	2021-05-21 15:32:01.066846707 +0200
@@ -82,6 +82,9 @@
     }
     // CAS dependencies/modules may be listed here statically...
     implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
+    // ADD support-ldap json DISI 
+    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
 }
 
 tasks.findByName("jibDockerBuild")
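Review bot: the two added `implementation` lines resolve the CAS version differently: support-ldap uses `${project.'cas.version'}` while support-json-service-registry and the existing webapp-init line use `${casServerVersion}`. Use `${casServerVersion}` on both so the modules cannot drift to different versions.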

configure LDAP

We edit etc/cas/config/cas.properties and define the access parameters for our LDAP server

[root@ssocas6 cas-overlay-template]# diff -ur /opt/cas-overlay-template/etc/cas/config/cas.properties.dist /opt/cas-overlay-template/etc/cas/config/cas.properties
--- /opt/cas-overlay-template/etc/cas/config/cas.properties.dist	2021-05-21 15:35:20.596460271 +0200
+++ /opt/cas-overlay-template/etc/cas/config/cas.properties	2021-05-21 15:43:55.912705247 +0200
@@ -1,6 +1,19 @@
-cas.server.name=https://cas.example.org:8443
+cas.server.name=https://ssocas6.domain.fr:443
 cas.server.prefix=${cas.server.name}/cas
 
 logging.config=file:/etc/cas/config/log4j2.xml
 
-# cas.authn.accept.users=
+cas.authn.accept.users=
+### Connexion LDAP
+cas.authn.ldap\[0\].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
+cas.authn.ldap\[0\].type=AUTHENTICATED
+cas.authn.ldap\[0\].useSsl=true
+cas.authn.ldap\[0\].ldapUrl=ldaps://ldap.domain.fr
+cas.authn.ldap\[0\].baseDn= dc=int,dc=fr
+cas.authn.ldap\[0\].subtreeSearch=true
+cas.authn.ldap\[0\].searchFilter=uid=\{user\}
+cas.authn.ldap\[0\].principalAttributeList=cn,givenName,mail,uid
+ 
+### Credential to connect to LDAP
+cas.authn.ldap\[0\].bindDn=CN=dsi,ou=dsa,dc=int,dc=fr
+cas.authn.ldap\[0\].bindCredential=S3cr3T
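Review bot: `cas.authn.ldap\[0\].bindCredential=S3cr3T` stores the LDAP bind password in clear text, and copyCasConfiguration later copies this file to /etc/cas/config, so that copy must be readable by the tomcat user only. `cas.authn.accept.users=` is uncommented with an empty value, which is what disables the built-in static account; keep it empty rather than deleting the line. The leading space in `baseDn= dc=int,dc=fr` is harmless, Java properties trim it.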

Log directory for CAS

[root@ssocas6 cas-overlay-template]# mkdir /var/log/cas
[root@ssocas6 cas-overlay-template]# chown -R tomcat /var/log/cas

Edit the log4j2.xml file in the /opt/cas-overlay-template-master/etc/cas/config directory

[root@ssocas6 config]# diff -ur log4j2.xml.dist log4j2.xml
--- log4j2.xml.dist	2021-05-21 15:50:39.775585744 +0200
+++ log4j2.xml	2021-05-21 15:50:51.429605606 +0200
@@ -2,7 +2,7 @@
 <!-- Specify the refresh internal in seconds. -->
 <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
     <Properties>
-        <Property name="baseDir">/var/log</Property>
+	    <Property name="baseDir">/var/log/cas</Property>
 
         <Property name="cas.log.level">info</Property>
         <Property name="spring.webflow.log.level">warn</Property>
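Review bot: the replacement `<Property name="baseDir">` line is indented with a tab while the rest of the file uses spaces; match the surrounding indentation. Pointing baseDir at /var/log/cas is consistent with the directory created and chowned to tomcat above.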

GradleW

The sources include a Gradle Wrapper (gradlew), so there is no need to install Gradle separately: the wrapper fetches Gradle itself.

The actions and settings are defined in build.gradle and gradle.properties.

Build

gradlew lets us run Gradle goals/commands (tasks); let's start with the clean command, which first fetches Gradle and the other dependencies of our project.

clean

[root@ssocas6 cas-overlay-template]# ./gradlew clean
Downloading https://services.gradle.org/distributions/gradle-7.0-bin.zip
..........10%...........20%...........30%..........40%...........50%...........60%...........70%..........80%...........90%...........100%

Welcome to Gradle 7.0!

Here are the highlights of this release:
 - File system watching enabled by default
 - Support for running with and building Java 16 projects
 - Native support for Apple Silicon processors
 - Dependency catalog feature preview

For more details see https://docs.gradle.org/7.0/release-notes.html

Starting a Gradle Daemon (subsequent builds will be faster)
<-------------> 0% CONFIGURING [33s]
> root project > Resolve dependencies of classpath > maven-metadata.xml
> IDLE
> IDLE
> root project > Resolve dependencies of classpath > pac4j-http-5.0.1.pom
> root project > Resolve dependencies of classpath > spring-webmvc-pac4j-5.0.0.pom
> root project > Resolve dependencies of classpath > maven-metadata.xml
> root project > Resolve dependencies of classpath > maven-metadata.xml
> IDLE
> root project > Resolve dependencies of classpath > oauth2-oidc-sdk-9.5.1.pom
> IDLE
> root project > Resolve dependencies of classpath > maven-metadata.xml
> IDLE

...

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/7.0/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 1m 29s
2 actionable tasks: 2 executed

build

[root@ssocas6 cas-overlay-template]# ./gradlew clean copyCasConfiguration build
<-------------> 5% EXECUTING [2s]
> :extractCasBootWarOverlay
...
BUILD SUCCESSFUL in 25s
7 actionable tasks: 7 executed

[root@ssocas6 cas-overlay-template]# ls -l build/libs/cas.war
-rw-r--r-- 1 root root 124196573 22 mai   10:06 build/libs/cas.war

Deploy into tomcat

A simple copy of cas.war into Tomcat's webapps tree is enough: auto-deploy will deploy the service.

[root@ssocas6 cas-overlay-template]# cp /opt/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/
[root@ssocas6 cas-overlay-template]# ls -l /opt/tomcat/webapps/
total 121316
drwxr-x---  5 tomcat tomcat      4096 22 mai   11:21 cas
-rw-r--r--  1 root   root   124196573 22 mai   11:21 cas.war
drwxr-x--- 16 tomcat tomcat      4096  4 juin   2020 docs
drwxr-x---  6 tomcat tomcat      4096  4 juin   2020 examples
drwxr-x---  5 tomcat tomcat      4096  4 juin   2020 host-manager
drwxr-x---  5 tomcat tomcat      4096  4 juin   2020 manager
drwxr-x---  3 tomcat tomcat      4096  4 juin   2020 ROOT

tomcat log CAS war

The deployment and startup of CAS by Tomcat can be followed in detail in the catalina.out log

22-May-2021 10:27:29.240 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of deployment descriptor [/opt/tomcat/conf/Catalina/localhost/manager.xml] has finished in [349] ms
22-May-2021 10:27:29.242 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/cas.war]

22-May-2021 10:27:38.056 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2021-05-22 10:27:42,024 WARN [org.springframework.http.converter.json.Jackson2ObjectMapperBuilder] - <For Jackson Kotlin classes support please add "com.fasterxml.jackson.module:jackson-module-kotlin" to the classpath>

     _    ____  _____ ____  _____ ___     ____    _    ____  
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___| 
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \ 
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/ 
                                                             

CAS Version: 6.4.0-SNAPSHOT
CAS Branch: master
CAS Commit Id: a03f3bf03f7f1b422794c026481cd2efdf8ae847
CAS Build Date/Time: 2021-05-22T08:02:28Z
Spring Boot Version: 2.4.5
Spring Version: 5.3.7
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64
Java Vendor: Red Hat, Inc.
Java Version: 11.0.9.1
JVM Free Memory: 328 MB
JVM Maximum Memory: 910 MB
JVM Total Memory: 629 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 4.18.0
OS Date/Time: 2021-05-22T10:27:44.189611
OS Temp Directory: /opt/tomcat/temp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.35
------------------------------------------------------------

2021-05-22 10:27:44,260 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2021-05-22 10:27:44,407 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>
2021-05-22 10:27:51,366 WARN [org.hibernate.validator.internal.properties.javabean.JavaBeanExecutable] - <HV000254: Missing parameter metadata for (int, MeterFilter, String, String), which declares implicit or synthetic parameters. Automatic resolution of generic type information for method parameters may yield incorrect results if multiple parameters have the same erasure. To solve this, compile your code with the '-parameters' flag.>
2021-05-22 10:27:55,997 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2021-05-22 10:27:56,380 INFO [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/opt/tomcat/temp/services]>
2021-05-22 10:27:56,388 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory path at [/opt/tomcat/temp/services]>
2021-05-22 10:27:58,020 INFO [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] - <

Using generated security password: 18fSECRETdb14
>
2021-05-22 10:27:58,190 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/login/**'] with []>
2021-05-22 10:27:58,190 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/logout/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/validate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/serviceValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/p3/serviceValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/proxyValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/p3/proxyValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/proxy/**'] with []>
2021-05-22 10:27:58,263 INFO [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Validated configuration attributes>
2021-05-22 10:27:58,291 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure any request with [org.springframework.security.web.access.channel.ChannelProcessingFilter@eab31b4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@68a8bdb1, org.springframework.security.web.context.SecurityContextPersistenceFilter@1cd7f4a2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@560e50d4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@6c15605e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58b7eb53, org.springframework.security.web.session.SessionManagementFilter@37d269d5, org.springframework.security.web.access.ExceptionTranslationFilter@20d87607, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@48056bdc]>
2021-05-22 10:27:59,626 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2021-05-22 10:27:59,895 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
2021-05-22 10:27:59,899 INFO [org.apereo.cas.util.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
2021-05-22 10:28:00,197 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2021-05-22 10:28:00,226 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [szXKgSECRETFCQ] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2021-05-22 10:28:00,229 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2021-05-22 10:28:00,229 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [68DkrB3Sr-mSECRETrqSYA] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2021-05-22 10:28:00,408 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2021-05-22 10:28:00,409 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [oDrASECRETqCiyP-3RQxi2VGGwHiw3G7h3pHHPOprtIjSisWhnDx2Q] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2021-05-22 10:28:00,409 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2021-05-22 10:28:00,411 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [rcagcSECRETScsw] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
2021-05-22 10:28:00,650 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <Started CasWebApplicationServletInitializer in 20.636 seconds (JVM running for 33.242)>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <
  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V / 
 |  _ <| |___ / ___ \| |_| || |  
 |_| \_\_____/_/   \_\____/ |_|  
                                 
>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to process requests @ [2021-05-22T09:28:00.670Z]>
22-May-2021 10:28:00.696 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/tomcat/webapps/cas.war] has finished in [31,454] ms
22-May-2021 10:28:00.697 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/examples]
2021-05-22 10:28:01,033 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
22-May-2021 10:28:01.049 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/examples] has finished in [352] ms
22-May-2021 10:28:01.050 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/docs]
22-May-2021 10:28:01.071 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/docs] has finished in [21] ms
22-May-2021 10:28:01.071 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/ROOT]
22-May-2021 10:28:01.088 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/ROOT] has finished in [17] ms
22-May-2021 10:28:01.088 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/idp]
22-May-2021 10:28:05.363 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Warning: Nashorn engine is planned to be removed from a future JDK release
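The WARN lines near the end of this log (auto-generated ticket-granting cookie and webflow keys, in-memory ticket registry) are the points to settle before production. The script below is an added example, not code from the page or from CAS: it reads a cas.properties written in the escaped form used above and lists what is still to fix; the sample file and its secret values are constructed placeholders.

```python
"""Audit a CAS cas.properties for the items the startup log above warns about.

Added example, not part of the page or of CAS. It parses the Java .properties
syntax used in the diff above (backslash-escaped brackets such as
cas.authn.ldap\\[0\\].type) and reports: crypto keys that CAS would otherwise
regenerate at every restart (invalidating every TGC cookie and webflow state),
a static cas.authn.accept.users account, LDAP handlers not using ldaps://, and
bind passwords stored in clear text. SAMPLE is a constructed file with
placeholder secrets.
"""
import re
import sys

# Keys the log says "MUST be added to CAS settings" after the first start-up.
REQUIRED_CRYPTO_KEYS = (
    "cas.tgc.crypto.encryption.key",
    "cas.tgc.crypto.signing.key",
    "cas.webflow.crypto.encryption.key",
    "cas.webflow.crypto.signing.key",
)

# key = anything up to the first unescaped '=' / ':' / whitespace; escaped pairs (\[) are kept together
_LINE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash escapes removed from keys and values (\\[0\\] -> [0], \\{user\\} -> {user})."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            key = re.sub(r"\\(.)", r"\1", m.group(1))
            props[key] = re.sub(r"\\(.)", r"\1", m.group(2).strip())
    return props


def audit_cas_properties(text):
    """Return the list of findings for the given cas.properties content (empty = nothing to fix)."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_CRYPTO_KEYS:
        if not props.get(key):
            findings.append(f"missing {key}: CAS auto-generates a new key at every restart")
    if props.get("cas.authn.accept.users"):
        findings.append("cas.authn.accept.users defines a static account; leave it empty in production")
    for key, value in props.items():
        m = re.fullmatch(r"cas\.authn\.ldap\[(\d+)\]\.ldapUrl", key)
        if m and not value.lower().startswith("ldaps://"):
            findings.append(f"LDAP handler {m.group(1)} does not use ldaps://: {value}")
        if key.endswith(".bindCredential") and value:
            findings.append(f"{key} is stored in clear text; keep the file readable by tomcat only")
    return findings


# Constructed sample in the escaped form shown in the diff above; secrets are placeholders.
SAMPLE = r"""
cas.server.name=https://ssocas6.domain.fr:443
cas.server.prefix=${cas.server.name}/cas
cas.authn.accept.users=
### LDAP connection
cas.authn.ldap\[0\].type=AUTHENTICATED
cas.authn.ldap\[0\].useSsl=true
cas.authn.ldap\[0\].ldapUrl=ldaps://ldap.domain.fr
cas.authn.ldap\[0\].baseDn= dc=int,dc=fr
cas.authn.ldap\[0\].searchFilter=uid=\{user\}
cas.authn.ldap\[0\].bindDn=CN=dsi,ou=dsa,dc=int,dc=fr
cas.authn.ldap\[0\].bindCredential=PLACEHOLDER_BIND_PASSWORD
cas.serviceRegistry.json.location: file:/etc/cas/services
"""

# Same file once the keys printed at first start-up have been pasted in (placeholder values).
HARDENED = SAMPLE + "".join(f"{k}=PLACEHOLDER_KEY_FROM_FIRST_STARTUP\n" for k in REQUIRED_CRYPTO_KEYS)


if __name__ == "__main__":
    # usage: python audit_cas_properties.py /etc/cas/config/cas.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_cas_properties(text) or ["nothing to fix"]:
        print(finding)
```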

web access

Now that everything is deployed, we use Apache's AJP proxy to forward the HTTPS requests served by Apache to the appropriate Tomcat context: here /cas is forwarded to the AJP port 8009 on localhost where Tomcat listens, and likewise for our Tomcat application /manager.

[root@cas6 ~]# cat /etc/httpd/conf.d/cas.conf
ProxyRequests off
ProxyPass /cas ajp://127.0.0.1:8009/idp retry=0
ProxyPassReverse /cas ajp://127.0.0.1:8009/idp
ProxyPass /manager ajp://127.0.0.1:8009/manager
ProxyPassReverse /manager ajp://127.0.0.1:8009/manager

first login test

Without a specific target (client application), let's do a first CAS login test to validate the authentication service and attribute retrieval.

From a browser, access our CAS service: https://ssocas6.domain.fr/cas/login

Once the login/password is entered, we land on a page displaying the attributes, which validates the authentication process and the retrieval of information from our LDAP directory.

This access shows up in catalina.out and in /var/log/cas/cas/log.

2021-05-22 10:38:58,242 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Sat May 22 10:38:58 GMT+01:00 2021}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat May 22 10:38:58 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:39:20,687 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-05-22 10:40:20,690 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>



2021-05-22 10:40:30,750 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2021-05-22 10:40:31,502 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authenticated principal [test] with attributes [{cn=[STUDENT Test], givenName=[Test], mail=[test@telecom.fr], uid=[test]}] via credentials [[UsernamePasswordCredential(username=test, source=null, customFields={})]].>
2021-05-22 10:40:31,504 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: [UsernamePasswordCredential(username=teststud, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:40:31,554 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: teststud
WHAT: TGT-1-*****oXABZDg6kM-cas6
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================
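The audit records above have a fixed multi-line shape that is easy to turn into events. The following script is an added example, not part of the page or of CAS: it parses those records and flags a client outside the networks admitted by the firewall rules above, or a ticket-granting ticket created for a principal that never authenticated in the same log; the sample records are constructed in the page's format with placeholder values.

```python
"""Parse the inspektr "Audit trail record" blocks CAS writes to cas.log (the format
shown above) and flag two things a SOC would look for: a client address outside the
networks the firewall rules admit, and a TICKET_GRANTING_TICKET_CREATED record for a
principal with no AUTHENTICATION_SUCCESS earlier in the same log.

Added example, not part of the page or of CAS; SAMPLE_LOG is constructed in the
page's record format with placeholder principals and addresses.
"""
import ipaddress
import re

_FIELD = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): (.*)$")


def parse_audit_records(text):
    """Return one dict per 'Audit trail record BEGIN' block, keyed by its field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Audit trail record BEGIN"):
            current = {}
            records.append(current)
        elif current is not None:
            m = _FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
            elif line == ">":          # closing bracket of the log4j message
                current = None
    return records


def flag_anomalies(records, allowed_networks):
    """Return findings for records whose client is outside allowed_networks (CIDR strings)
    or whose TGT was created for a principal that never authenticated in this log."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    authenticated, findings = set(), []
    for r in records:
        who, action, client = r.get("WHO", "?"), r.get("ACTION", "?"), r.get("CLIENT IP ADDRESS")
        if client and not any(ipaddress.ip_address(client) in n for n in nets):
            findings.append(f"{action} for {who} from {client}, outside allowed networks")
        if action == "AUTHENTICATION_SUCCESS":
            authenticated.add(who)
        elif action == "TICKET_GRANTING_TICKET_CREATED" and who not in authenticated:
            findings.append(f"TGT created for {who} without a prior AUTHENTICATION_SUCCESS")
    return findings


# Constructed sample in the format of the records above (placeholder principals and addresses).
SAMPLE_LOG = """\
2021-05-22 10:40:31,504 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: [UsernamePasswordCredential(username=test, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:40:31,554 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: TGT-1-*****PLACEHOLDER-cas6
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:41:02,118 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: someone
WHAT: TGT-2-*****PLACEHOLDER-cas6
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat May 22 10:41:02 GMT+01:00 2021
CLIENT IP ADDRESS: 203.0.113.7
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
"""


if __name__ == "__main__":
    for finding in flag_anomalies(parse_audit_records(SAMPLE_LOG), ["157.19.19.0/24"]):
        print(finding)
```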

Note also that the connection to the LDAP server was established when Tomcat started the CAS application, and that it does use TLS on port 636 with the bindDn defined in cas.properties

[root@ldap log]# tail -500 ldap.log


May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 ACCEPT from IP=157.19.19.10:35994 (IP=0.0.0.0:636)
May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256
May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text=
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text=

Registering Applications

Client applications that are to use our CAS server must be declared beforehand. This can be done with a simple JSON file.

In cas.properties we declare the path where these JSON files are located

[root@ssocas6 cas-overlay-template]# tail -2 etc/cas/config/cas.properties
### Registering Applications 
cas.serviceRegistry.json.location: file:/etc/cas/services

It is recommended to name new JSON files as follows: “serviceName-serviceNumericId.json”

To create the ID we use the command date +%s

[root@ssocas6 cas-overlay-template]# mkdir /etc/cas/services
[root@ssocas6 cas-overlay-template]# cd /etc/cas/services
[root@ssocas6 services]# touch disi_wikis-`date +%s`.json          
[root@ssocas6 services]# vim disi_wikis-1621678622.json 

Other services can then be added (here a third one, see CAS logs [1]); the CAS server regularly reads the /etc/cas/services directory and loads them dynamically, with no need to restart tomcat/cas.

[root@ssocas6 services]# touch dsi_ws_domain1-fr-`date +%s`.json
[root@ssocas6 services]# cat dsi_ws_domain1-fr-1622207781.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.*.domain1.fr/.*",
  "name" : "Dsi_ws-tem-tsp-eu",
  "id" : 1622207781,
  "evaluationOrder" : 99997
}
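The serviceId above is a regular expression that CAS matches against the full service URL, so what it accepts deserves a check before the file is dropped into /etc/cas/services. The script below is an added example, not the page's or CAS's own code: it verifies the file-name convention and tests the pattern against URLs that must and must not be accepted, comparing the pattern as written in the file above (unescaped dots), an escaped variant and a host-restricted one; the definition and test URLs are constructed, and the Java find() semantics of CAS are assumed to be approximated by re.search.

```python
"""Check CAS JSON service definitions before dropping them into /etc/cas/services.

Added example, not code from the page or from CAS. It verifies the file-name
convention given above (serviceName-serviceNumericId.json, with "id" equal to the
numeric part) and, since "serviceId" is a regular expression CAS matches against
the whole service URL, tests the pattern against URLs that must and must not be
accepted. Assumption: CAS applies the pattern with Java's find(), approximated
here with re.search.
"""
import json
import re

# Constructed sample, modelled on the dsi_ws_domain1-fr-1622207781.json file above.
BASE = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.*.domain1.fr/.*",
  "name" : "Dsi_ws-tem-tsp-eu",
  "id" : 1622207781,
  "evaluationOrder" : 99997
}"""

# Three candidate serviceId patterns for the same service.
PATTERNS = {
    "page":     r"^https://.*.domain1.fr/.*",        # as in the file above: '.' matches any character
    "escaped":  r"^https://.*\.domain1\.fr/.*",      # dots escaped, but '.*' may swallow the real host
    "hostonly": r"^https://[^/]+\.domain1\.fr/.*",   # everything before .domain1.fr/ is the host itself
}

# URLs a registered domain1.fr application legitimately sends as 'service'.
MUST_MATCH = ["https://wiki.domain1.fr/login", "https://ws.domain1.fr/"]
# URLs that must be rejected: a look-alike host, and a foreign host carrying domain1.fr in its query.
MUST_NOT_MATCH = ["https://evil-domain1xfr/cas", "https://evil.example/?u=https://x.domain1.fr/"]


def check_service_file(filename, content, must_match=MUST_MATCH, must_not_match=MUST_NOT_MATCH):
    """Return the list of problems found in one service definition (empty list = OK)."""
    problems = []
    svc = json.loads(content)
    m = re.fullmatch(r"(.+)-(\d+)\.json", filename)
    if not m:
        problems.append(f"{filename}: name should be serviceName-serviceNumericId.json")
    elif int(m.group(2)) != svc.get("id"):
        problems.append(f"{filename}: id {svc.get('id')} differs from the id in the file name")
    pattern = svc.get("serviceId", "")
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return problems + [f"{filename}: serviceId is not a valid regex ({exc})"]
    if not pattern.startswith("^"):
        problems.append(f"{filename}: serviceId is not anchored with ^")
    for url in must_match:
        if not rx.search(url):
            problems.append(f"{filename}: serviceId rejects legitimate {url}")
    for url in must_not_match:
        if rx.search(url):
            problems.append(f"{filename}: serviceId also accepts {url}")
    return problems


def with_service_id(service_id):
    """Return the constructed definition with its serviceId replaced (json.dumps escapes backslashes)."""
    svc = json.loads(BASE)
    svc["serviceId"] = service_id
    return json.dumps(svc, indent=2)


def compare_patterns():
    """Problems reported for each candidate pattern, keyed by pattern name."""
    return {name: check_service_file("dsi_ws_domain1-fr-1622207781.json", with_service_id(p))
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, problems in compare_patterns().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```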

associated CAS logs

[1]

2021-05-28 14:18:03,506 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistry].>

available tasks

./gradlew tasks lists the available tasks:

[root@ssocas6 cas-overlay-template]# ./gradlew tasks
Starting a Gradle Daemon (subsequent builds will be faster)

> Task :tasks

------------------------------------------------------------
Tasks runnable from root project 'cas'
------------------------------------------------------------

Application tasks
-----------------
bootRun - Runs this project as a Spring Boot application.

Build tasks
-----------
allDependencies - Display a graph of all project dependencies
allDependenciesInsight - Produce insight information for all dependencies
assemble - Assembles the outputs of this project.
bootBuildImage - Builds an OCI image of the application using the output of the bootJar task
bootBuildInfo - Generates a META-INF/build-info.properties file.
bootJar - Assembles an executable jar archive containing the main classes and their dependencies.
bootJarMainClassName - Resolves the name of the application's main class for the bootJar task.
bootRunMainClassName - Resolves the name of the application's main class for the bootRun task.
bootRunSourcesClasses - Assembles boot run sources classes.
bootWar - Assembles an executable war archive containing webapp content, and the main classes and their dependencies.
bootWarMainClassName - Resolves the name of the application's main class for the bootWar task.
build - Assembles and tests this project.
buildDependents - Assembles and tests this project and all projects that depend on it.
buildNeeded - Assembles and tests this project and all projects it depends on.
...
Build Setup tasks
-----------------
init - Initializes a new Gradle build.
wrapper - Generates Gradle wrapper files.

CAS tasks
---------
casVersion - Display the current CAS version
copyCasConfiguration - Copy the CAS configuration from this project to /etc/cas/config
createKeystore - Create CAS keystore
debug - Debug the CAS web application in embedded mode on port 5005
...

view customisation

To customise pages, they must first be extracted from the distributed overlay into our local customisation tree.

To do so we use the gradle task listTemplateViews to list all the files (css, html, png ...) that make up the form's view:

[root@ssocas6 cas-overlay-template]# ./gradlew listTemplateViews | more
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :bootBuildInfo
> Task :generateLombokConfig UP-TO-DATE
> Task :compileJava NO-SOURCE
> Task :processResources UP-TO-DATE
> Task :classes
> Task :extractCasBootWarOverlay UP-TO-DATE
> Task :bootWar
> Task :war SKIPPED
> Task :assemble
> Task :compileTestJava NO-SOURCE
> Task :processTestResources NO-SOURCE
> Task :testClasses UP-TO-DATE
> Task :test NO-SOURCE
> Task :check UP-TO-DATE
> Task :build

> Task :explodeWarOnly
Exploded WAR into /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas

> Task :explodeWar
Exploded WAR resources into /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources

> Task :listTemplateViews
/templates/casAcceptableUsagePolicyView.html
/templates/casAccepttoRegistrationView.html
/templates/casAccountDisabledView.html
/templates/casAccountLockedView.html
/templates/casAdminLoginView.html
/templates/casAuthenticationBlockedView.html
/templates/casAuthyLoginView.html
/templates/casBadHoursView.html
/templates/casBadWorkstationView.html
/templates/casCompositeMfaProviderSelectionView.html
/templates/casConfirmLogoutView.html
/templates/casConfirmView.html
/templates/casConsentView.html
/templates/casDelegatedAuthnErrorView.html
/templates/casDuoLoginView.html
/templates/casExpiredPassView.html
/templates/casForgotUsernameSendInfoView.html
/templates/casForgotUsernameSentInfoView.html
/templates/casGenericSuccessView.html
/templates/casGoogleAuthenticatorConfirmRegistrationView.html
/templates/casGoogleAuthenticatorLoginView.html
/templates/casGoogleAuthenticatorRegistrationView.html
/templates/casGuaDisplayUserGraphicsView.html
/templates/casGuaGetUserIdView.html
/templates/casInterruptView.html
/templates/casLoginMessageView.html
/templates/casLoginView.html
/templates/casLogoutView.html
/templates/casMfaDeniedView.html
/templates/casMfaRegisterDeviceView.html
/templates/casMfaUnavailableView.html
/templates/casMustChangePassView.html
/templates/casPac4jStopWebflow.html
/templates/casPasswordUpdateSuccessView.html
/templates/casPasswordlessDisplayView.html
/templates/casPasswordlessGetUserIdView.html
/templates/casPropagateLogoutView.html
/templates/casRadiusLoginView.html
/templates/casResetPasswordErrorView.html
/templates/casResetPasswordSendInstructionsView.html
/templates/casResetPasswordSentInstructionsView.html
/templates/casResetPasswordVerifyQuestionsView.html
/templates/casRiskAuthenticationBlockedView.html
/templates/casSamlIdPDiscoveryView.html
/templates/casServiceErrorView.html
/templates/casSimpleMfaLoginView.html
/templates/casSurrogateAuthnListView.html
/templates/casSwivelLoginView.html
/templates/casU2fLoginView.html
/templates/casU2fRegistrationView.html
/templates/casWebAuthnLoginView.html
/templates/casWebAuthnRegistrationView.html
/templates/casWsFedStopWebflow.html
/templates/casYubiKeyLoginView.html
/templates/casYubiKeyRegistrationView.html
/templates/error.html
/templates/error/401.html
/templates/error/403.html
/templates/error/404.html
/templates/error/405.html
/templates/error/423.html
/templates/fragments/accepttoQRCode.html
/templates/fragments/footer.html
/templates/fragments/header.html
/templates/fragments/loginProviders.html
/templates/fragments/loginform.html
/templates/fragments/loginsidebar.html
/templates/fragments/pmlinks.html
/templates/fragments/pwdupdateform.html
/templates/fragments/qrAuthentication.html
/templates/fragments/recaptcha.html
/templates/fragments/scripts.html
/templates/fragments/serviceui.html
/templates/fragments/submitbutton.html
/templates/fragments/webAuthnLogin.html
/templates/layout.html
/templates/protocol/2.0/casProxyFailureView.html
/templates/protocol/2.0/casProxySuccessView.html
/templates/protocol/2.0/casServiceValidationFailure.html
/templates/protocol/2.0/casServiceValidationSuccess.html
/templates/protocol/3.0/casServiceValidationFailure.html
/templates/protocol/3.0/casServiceValidationSuccess.html
/templates/protocol/casPostResponseView.html
/templates/protocol/oauth/confirm.html
/templates/protocol/oauth/deviceCodeApproval.html
/templates/protocol/oauth/deviceCodeApproved.html
/templates/protocol/oauth/sessionStaleMismatchError.html
/templates/protocol/oidc/confirm.html
/templates/protocol/openid/casOpenIdAssociationSuccessView.html
/templates/protocol/openid/casOpenIdServiceFailureView.html
/templates/protocol/openid/casOpenIdServiceSuccessView.html
/templates/protocol/openid/user.html

The file casLoginView.html is the entry point; we extract it with the getResource task:

[root@ssocas6 cas-overlay-template]#  ./gradlew getResource -PresourceName=casLoginView.html

> Task :getResource
Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/templates/casLoginView.html to src/main/resources/templates/casLoginView.html

We also take header.html (extracted to src/main/resources/templates/fragments/header.html) to change the logo:

[root@ssocas6 cas-overlay-template]# grep logo src/main/resources/templates/fragments/header.html
                        <img class="cas-logo"
                             th:src="@{${#strings.defaultString(#themes.code('cas.logo.file'), '/images/our-logo.png')}}" />

We can also extract cas.logo.png so that the local images directory tree exists, then copy our own image/logo file into it:

[root@ssocas6 cas-overlay-template]# cp /root/our-logo.png src/main/resources/static/images/

Finally we redeploy everything (./gradlew bootRun can be used to change views on the fly):

[root@ssocas6 cas-overlay-template]#./gradlew clean copyCasConfiguration build
[root@ssocas6 cas-overlay-template]#cp /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/
[root@ssocas6 cas-overlay-template]#chown tomcat /opt/tomcat/webapps/cas.war

Cas4 UniconLabs/simple-cas4-overlay-template

Following the official documentation (http://jasig.github.io/cas/4.0.x/installation/Maven-Overlay-Installation.html) we start from the Maven WAR overlay provided by UniconLabs.

git clone

We fetch the sources from github:

[disi@cas4 UniconLabs]$ git clone https://github.com/UniconLabs/simple-cas4-overlay-template
Cloning into 'simple-cas4-overlay-template'...
remote: Counting objects: 95, done.
remote: Total 95 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (95/95), done.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src

cas.properties settings

The location of the "cas.properties" settings file is defined in:

[disi@cas4 simple-cas4-overlay-template]$ grep cas.properties ./src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml
	<context:property-placeholder location="file:/etc/cas/cas.properties"/>

For now we only do a minimal initial setup (server.name, host.name) for the first test, using the test login/password (casuser / M..n), cf. deployerConfigContext.xml where this login is hard-coded in the "primaryAuthenticationHandler" bean. This hard-coded account is only meant for the smoke test and must be removed from deployerConfigContext.xml before the server is exposed to users.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src
[disi@cas4 simple-cas4-overlay-template]$ cd etc/
[disi@cas4 etc]$ ls
cas.properties  log4j.xml
[disi@cas4 etc]$ vim cas.properties 

A small git backup/versioning for good measure (check that the file holds no bind password or other secret before committing it):

[disi@cas4 etc]$ git commit -a -m "custom cas.properties" 
[master cd5dbb4] custom cas.properties
 1 file changed, 3 insertions(+), 3 deletions(-)

/etc/cas directory

[root@cas4 etc]# mkdir cas
[root@cas4 etc]# chgrp disi /etc/cas/
[root@cas4 etc]# chmod 775 /etc/cas/

[disi@cas4 etc]$ cp cas.properties log4j.xml /etc/cas/

build

We launch the first build:

[disi@cas4 simple-cas4-overlay-template]$ mvn clean package
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building cas4-overlay 1.0
[INFO] ------------------------------------------------------------------------
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.1/maven-compiler-plugin-3.1.pom

...
Downloaded: http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-webapp/4.0.0/cas-server-webapp-4.0.0.war (24474 KB at 3628.4 KB/sec)
[INFO] 
[INFO] --- maven-clean-plugin:2.4.1:clean (default-clean) @ cas4-overlay ---
[INFO] 
[INFO] --- maven-resources-plugin:2.5:resources (default-resources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ cas4-overlay ---
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.5.1/plexus-utils-1.5.1.pom

...
Downloaded: http://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 3208.2 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar (625 KB at 3528.8 KB/sec)
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-resources-plugin:2.5:testResources (default-testResources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ cas4-overlay ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ cas4-overlay ---
[INFO] No tests to run.
[INFO] Surefire report directory: /home/disi/UniconLabs/simple-cas4-overlay-template/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

...
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.8/plexus-utils-3.0.8.jar (227 KB at 3059.3 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/1.4.3/xstream-1.4.3.jar (471 KB at 2996.7 KB/sec)
[INFO] Packaging webapp
[INFO] Assembling webapp [cas4-overlay] in [/home/disi/UniconLabs/simple-cas4-overlay-template/target/cas]
[INFO] Processing war project
[INFO] Copying webapp resources [/home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp]
[INFO] Processing overlay [ id org.jasig.cas:cas-server-webapp]
[INFO] Webapp assembled in [1023 msecs]
[INFO] Building war: /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 21.857s
[INFO] Finished at: Tue Dec 23 16:00:14 CET 2014
[INFO] Final Memory: 10M/25M
[INFO] ------------------------------------------------------------------------

deploy

We then copy the freshly built cas.war into tomcat's webapps directory, which deploys the application automatically:

[disi@cas4 ~]$ cp /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war /var/lib/tomcat/webapps/
[disi@cas4 ~]$ ls -al /var/lib/tomcat/webapps/
total 24484
drwxrwxr-x. 6 root   tomcat     4096  6 janv. 11:46 .
drwxr-xr-x. 3 root   tomcat       20 20 nov.  10:44 ..
drwxr-xr-x  7 tomcat tomcat      101  6 janv. 11:46 cas
-rw-rw-r--  1 disi   disi   25057390  6 janv. 11:46 cas.war

catalina deployment log

janv. 06, 2015 11:46:17 AM org.apache.catalina.startup.HostConfig deployWAR
INFOS: Déploiement de l'archive /var/lib/tomcat/webapps/cas.war de l'application web
log4j:WARN No appenders could be found for logger (org.springframework.web.context.ContextLoader).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: /var/log/cas/cas.log (Aucun fichier ou dossier de ce type)

fixing the cas.log problem

[root@cas4 log]# mkdir cas
[root@cas4 log]# chown root:tomcat cas
[root@cas4 log]# chmod 775 cas

FR CAS4 cas-overlay-demo

Another overlay source example (French), to be continued ...

[disi@cas4 ~]$ mkdir leleuj
[disi@cas4 ~]$ cd leleuj/
[disi@cas4 leleuj]$ git clone https://github.com/leleuj/cas-overlay-demo
Cloning into 'cas-overlay-demo'...
remote: Counting objects: 307, done.
remote: Total 307 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (307/307), 60.10 KiB | 0 bytes/s, done.
Resolving deltas: 100% (104/104), done.

httpd and ajp proxy

The server must answer over https; putting an apache in front of tomcat to forward the https requests to tomcat is convenient.

enabling the apache service

[root@cas4 log]# systemctl enable httpd.service 
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

firewall for https (http://www.certdepot.net/rhel7-get-started-firewalld/)

[root@cas4 certs]# firewall-cmd --permanent --add-service=https
success
[root@cas4 certs]# firewall-cmd --reload
success
[root@cas4 certs]# firewall-cmd --list-services
dhcpv6-client https ssh tomcat

ajp link

[root@cas4 certs]# cat /etc/httpd/conf.d/proxy-ajp.conf
ProxyPass /cas ajp://localhost:8009/cas retry=3 min=0 max=100 smax=50 ttl=10 timeout=60
ProxyPass /manager ajp://localhost:8009/manager retry=3 min=0 max=100 smax=50 ttl=10 timeout=60

Note that the second ProxyPass publishes the Tomcat manager application on the public https front. Leave that line out unless the manager is really needed and, if it is, restrict access to it (for example with a Require ip directive) on top of the manager's own authentication. The AJP connector itself should stay bound to localhost, as it is here.

Reload this apache configuration:

[root@cas4 certs]# systemctl reload httpd.service 

CAS login URL

First usage test:

https://cas4.exemple.fr/cas/login

We enter the casuser login and its password; the matching log on the tomcat server:

2015-01-07 11:36:24,185 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler successfully authenticated casuser+password>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Creating SimplePrincipal for [casuser]>
2015-01-07 11:36:24,186 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@3e8d4630 resolved casuser from casuser+password>
2015-01-07 11:36:24,189 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated casuser with credentials [casuser+password].>
2015-01-07 11:36:24,189 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for casuser: {uid=uid, eduPersonAffiliation=eduPersonAffiliation, groupMembership=groupMembership}>
2015-01-07 11:36:24,189 INFO [org.perf4j.TimingLogger] - <start[1420626984170] time[19] tag[AUTHENTICATE]>
2015-01-07 11:36:24,190 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [casuser+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 11:36:24 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

It works fine with a hard-coded account!

Ldap authentication Handler

reference: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html

There are 3 steps / files to modify:

pom.xml

Tell the project definition file that we want to use the support-ldap module:

[disi@cas4 simple-cas4-overlay-template]$ diff pom.xml.orig pom.xml
53a54,59
> 	<dependency>
>          	<groupId>org.jasig.cas</groupId>
>          	<artifactId>cas-server-support-ldap</artifactId>
>          	<version>${cas.version}</version>
>     	</dependency>
> 

deployerConfigContext.xml

The UniconLabs overlay sources do not override deployerConfigContext.xml by default, so a copy must be placed under src so that our changes are taken into account at deployment time:

[disi@cas4 simple-cas4-overlay-template]$ cp ./target/cas/WEB-INF/deployerConfigContext.xml  src/main/webapp/WEB-INF/deployerConfigContext.xml

All the directives presented at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html must be added, but the ldap authentication handler must also be wired in (which, at first sight, is not stated in that documentation; information taken from https://lists.wisc.edu/read/messages?id=37789779),

notably in the bean id="authenticationManager":

 <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />

and the referenced usernamePasswordCredentialsResolver bean must be added too:

<bean id="usernamePasswordCredentialsResolver"
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

I also set principalIdAttribute="uid" instead of ="mail" (we use the uid here), and in the attribute map replaced member with uid.

In the end, here is everything that changed in deployerConfigContext.xml:

[disi@cas4 disi]$  diff ./simple-cas4-overlay-template/target/cas/WEB-INF/deployerConfigContext.xml /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp/WEB-INF/deployerConfigContext.xml  
64a65
> 		<entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />	
127a129,214
> 
> 	<bean id="usernamePasswordCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />	
> 
> <!-- http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html LDAP Supporting Direct Bind -->
> <bean id="ldapAuthenticationHandler"
>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>       p:principalIdAttribute="uid"
>       c:authenticator-ref="authenticator">
>     <property name="principalAttributeMap">
>         <map>
>             <!--
>                                 | This map provides a simple attribute resolution mechanism.
>                | Keys are LDAP attribute names, values are CAS attribute names.
>                | Use this facility instead of a PrincipalResolver if LDAP is
>                | the only attribute source.
>                -->
>             <entry key="uid" value="uid" />
>             <entry key="mail" value="mail" />
>             <entry key="displayName" value="displayName" />
>         </map>
>     </property>
> </bean>
> 
> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>       c:resolver-ref="dnResolver"
>       c:handler-ref="authHandler" />
> 
> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
>       p:baseDn="${ldap.baseDn}"
>       p:allowMultipleDns="false"
>       p:connectionFactory-ref="searchPooledLdapConnectionFactory"
>       p:userFilter="${ldap.authn.searchFilter}" />
> 
> <bean id="searchPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="searchConnectionPool" />
> 
> <bean id="searchConnectionPool" parent="abstractConnectionPool" />
> 
> <bean id="abstractConnectionPool" abstract="true"
>       class="org.ldaptive.pool.BlockingConnectionPool"
>       init-method="initialize"
>       p:poolConfig-ref="ldapPoolConfig"
>       p:blockWaitTime="${ldap.pool.blockWaitTime}"
>       p:validator-ref="searchValidator"
>       p:pruneStrategy-ref="pruneStrategy"
>       p:connectionFactory-ref="connectionFactory" />
> 
> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>       p:minPoolSize="${ldap.pool.minSize}"
>       p:maxPoolSize="${ldap.pool.maxSize}"
>       p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>       p:validatePeriodically="${ldap.pool.validatePeriodically}"
>       p:validatePeriod="${ldap.pool.validatePeriod}" />
> 
> <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
>       p:connectionConfig-ref="connectionConfig" />
> 
> <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
>       p:ldapUrl="${ldap.url}"
>       p:connectTimeout="${ldap.connectTimeout}"
>       p:useStartTLS="${ldap.useStartTLS}"
>       p:sslConfig-ref="sslConfig" />
> 
> <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>     <property name="credentialConfig">
>         <bean class="org.ldaptive.ssl.X509CredentialConfig"
>               p:trustCertificates="${ldap.trustedCert}" />
>     </property>
> </bean>
> 
> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>       p:prunePeriod="${ldap.pool.prunePeriod}"
>       p:idleTime="${ldap.pool.idleTime}" />
> 
> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
> 
> <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>       p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
> 
> <bean id="bindPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="bindConnectionPool" />
> 
> <bean id="bindConnectionPool" parent="abstractConnectionPool" />

Here is the complete file:

deployerconfigcontext.xml

cas.properties

Finally, to feed the variables defined in the deployerConfigContext.xml above, here is the matching cas.properties; likewise I had to add:

ldap.baseDn=ou=people,dc=exemple,dc=fr
ldap.trustedCert=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem

which are variables referenced in deployerConfigContext.xml but not defined in the sample cas.properties.

(cf http://comments.gmane.org/gmane.comp.java.jasig.cas.user/27717 )

Here is the complete sample file:

cas.properties

CAS4 + ldap authentication now works.

debug info

Once this configuration is in place (mvn clean package and tomcat restart, plus manual deletion of cas.war and of the cas directory in tomcat's webapps, because the new deployerConfigContext.xml was not redeployed automatically!), authentication through ldap finally works.

tomcat log:

2015-01-07 16:18:36,027 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - <test was not found in the map.>
2015-01-07 16:18:36,028 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating test+password>
2015-01-07 16:18:36,028 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for test+password>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=test>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2015-01-07 16:18:36,053 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1830579154::baseDn=ou=people,dc=exemple,dc=fr, searchFilter=[org.ldaptive.SearchFilter@929747261::filter=(uid={user}), parameters={user=test}], returnAttributes=[1.1], searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false
....
....
[displayName[Test TEST]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uid[test]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [mail[test@exemple.fr]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [displayName[Test TEST]]>
2015-01-07 16:18:36,388 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated test+password>
2015-01-07 16:18:36,388 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.BasicPrincipalResolver@303cfcca resolved test from test+password>
2015-01-07 16:18:36,391 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated test with credentials [test+password].>
2015-01-07 16:18:36,391 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for test: {}>
2015-01-07 16:18:36,392 INFO [org.perf4j.TimingLogger] - <start[1420643916024] time[367] tag[AUTHENTICATE]>
2015-01-07 16:18:36,410 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [test+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

>
2015-01-07 16:18:36,413 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr] to registry.>
2015-01-07 16:18:36,414 INFO [org.perf4j.TimingLogger] - <start[1420643916022] time[391] tag[CREATE_TICKET_GRANTING_TICKET]>
2015-01-07 16:18:36,414 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

Matching requests in ldap.log on the ldap server side (first the DN search by the pooled search connection, then the bind as the resolved user on another connection). The ssf reported on a mech=SIMPLE BIND line is the SASL security strength, not the TLS one; whether the connection is actually protected is shown by a "TLS established tls_ssf=... ssf=..." line for the same conn= earlier in the log, which is the check to make when ldap.useStartTLS (or an ldaps:// URL) is expected to be in effect:

Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=test)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH attr=1.1
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=People,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SRCH base="uid=test,ou=people,dc=exemple,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
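Reading these slapd lines by hand works for one login; for a test campaign it helps to correlate them per connection. The script below is an added example, not part of the page, of CAS or of OpenLDAP: it parses stats-level slapd lines in the format shown above (the sample lines are constructed, modelled on the excerpt, and include an unknown user and a failed bind on a StartTLS connection that the page does not show), groups them per conn=/op=, and flags what matters for the search-then-bind setup configured above: a SIMPLE bind on a connection with no "TLS established" line (password sent in clear), a bind that fails with err=49 (invalidCredentials), and a DN-resolution search returning zero or several entries (allowMultipleDns="false" needs exactly one). The checks and their names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in slapd "stats" loglevel format (modelled on the
# page's excerpt, not copied from a real server): a DN search, the user's bind,
# an unknown user, and a failed bind on a StartTLS-protected connection.
SAMPLE_LOG = """\
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=test)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH attr=1.1
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32070 op=0 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=nobody)"
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32070 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan  7 17:03:41 ldap4 slapd[1236]: conn=32071 fd=12 TLS established tls_ssf=256 ssf=256
Jan  7 17:03:41 ldap4 slapd[1236]: conn=32071 op=1 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 17:03:41 ldap4 slapd[1236]: conn=32071 op=1 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"op=(?P<op>\d+) (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_slapd_log(text):
    """Group stats lines per connection: whether TLS was established, and each op's kind/result."""
    conns = defaultdict(lambda: {"tls": False, "ops": {}})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if "TLS established" in rest:
            conns[conn]["tls"] = True
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        op = conns[conn]["ops"].setdefault(om.group("op"), {})
        body = om.group("body")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if body.startswith("BIND "):
            op["kind"] = "BIND"
            op["dn"] = kv.get("dn", op.get("dn", ""))
            if "mech" in kv:
                op["mech"] = kv["mech"]
        elif body.startswith("SRCH "):
            op["kind"] = "SRCH"
            op.update({k: kv[k] for k in ("base", "scope", "filter") if k in kv})
        elif "RESULT" in body:
            op["err"] = int(kv.get("err", "-1"))
            if "nentries" in kv:
                op["nentries"] = int(kv["nentries"])
    return conns


def audit(conns):
    """Checks added here for a CAS search-then-bind setup (not CAS's or OpenLDAP's own logic)."""
    findings = []
    for conn, info in sorted(conns.items(), key=lambda item: int(item[0])):
        for _op_id, op in sorted(info["ops"].items(), key=lambda item: int(item[0])):
            if op.get("kind") == "BIND":
                # ssf on a SIMPLE bind is the SASL layer; the connection's
                # "TLS established" line is what proves the password was protected.
                if op.get("mech") == "SIMPLE" and not info["tls"]:
                    findings.append(("CLEARTEXT_BIND", conn, op.get("dn", "")))
                if op.get("err") == 49:  # LDAP invalidCredentials
                    findings.append(("BIND_FAILED", conn, op.get("dn", "")))
            elif op.get("kind") == "SRCH" and op.get("scope", "0") != "0" and "nentries" in op:
                # the DN resolver (allowMultipleDns="false") needs exactly one entry
                if op["nentries"] == 0:
                    findings.append(("NO_DN_FOUND", conn, op.get("filter", "")))
                elif op["nentries"] > 1:
                    findings.append(("AMBIGUOUS_DN", conn, op.get("filter", "")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_slapd_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample, conn=32059 is reported as a cleartext bind (no TLS line before it), conn=32070 as a search that found no DN, and conn=32071 as a failed bind; the base-scope `(objectClass=*)` search CAS performs after the bind is deliberately ignored. Feed the real /var/log/ldap.log (or journal output) to `parse_slapd_log` to run the same checks on a test session.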

CAS redeployment

We rebuild CAS again:

[disi@cas4 simple-cas4-overlay-template]$  mvn -Dmaven.test.skip\=true package

then we wipe the war from the tomcat tree and restart:

[root@cas4 cas-server-webapp]# systemctl stop tomcat.service 
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas.war 
[root@cas4 cas-server-webapp]# systemctl start tomcat.service ; tail -f /var/log/cas/cas.log

Gradle

If a gradle installation independent of the CAS project is needed (check the downloaded zip against the SHA-256 published at https://gradle.org/release-checksums/ before unpacking it):

https://tecadmin.net/install-gradle-centos-8/

[root@ssocas6 ~]# wget https://downloads.gradle-dn.com/distributions/gradle-6.3-bin.zip
[root@ssocas6 ~]# cd /opt/
[root@ssocas6 opt]# unzip /root/gradle-6.3-bin.zip 
[root@ssocas6 opt]# ln -s gradle-6.3 gradle
[root@ssocas6 opt]# ls -l gradle
lrwxrwxrwx 1 root root 10 22 mai   09:11 gradle -> gradle-6.3

Add the gradle binary to the PATH variable:

[root@ssocas6 opt]# vim /etc/profile.d/gradle.sh
[root@ssocas6 opt]# cat /etc/profile.d/gradle.sh
export PATH=/opt/gradle/bin:$PATH

[root@cas6 opt]# source /etc/profile.d/gradle.sh
[root@cas6 opt]# gradle -v 

Welcome to Gradle 6.3!

docpublic/systemes/ssocas/cas6install.1622467925.txt.gz · Last modified: 2021/05/31 13:32 by adminjp
CC Attribution-Noncommercial-Share Alike 4.0 International