[[CAS 6]]
This is an old revision of the document!
CAS 6
ref
autres
contexte
Exemple de deploiement d'un serveur CAS 6.x sur une centos8 avec les produits natifs de cette distribution ⇒ JVM openjdk 11
[root@ssocas6 ~]# cat /etc/redhat-release CentOS Linux release 8.3.2011
java 11 jdk
[root@ssocas6 ~]# yum install java-11-openjdk-devel.x86_64 Installer 27 Paquets Taille totale des téléchargements : 64 M Taille des paquets installés : 246 M Installé: java-11-openjdk-devel-1:11.0.7.10-1.el8_1.x86_64 abattis-cantarell-fonts-0.0.25-4.el8.noarch dconf-0.28.0-3.el8.x86_64 gtk3-3.22.30-5.el8.x86_64 adwaita-cursor-theme-3.28.0-2.el8.noarch adwaita-icon-theme-3.28.0-2.el8.noarch at-spi2-atk-2.26.2-1.el8.x86_64 at-spi2-core-2.28.0-1.el8.x86_64 cairo-gobject-1.15.12-3.el8.x86_64 colord-libs-1.4.2-1.el8.x86_64 java-11-openjdk-1:11.0.7.10-1.el8_1.x86_64 java-11-openjdk-headless-1:11.0.7.10-1.el8_1.x86_64 lcms2-2.9-2.el8.x86_64 libepoxy-1.5.3-1.el8.x86_64 libwayland-client-1.17.0-1.el8.x86_64 libwayland-cursor-1.17.0-1.el8.x86_64 libwayland-egl-1.17.0-1.el8.x86_64 libxkbcommon-0.9.1-1.el8.x86_64 rest-0.8.1-2.el8.x86_64 xkeyboard-config-2.28-1.el8.noarch glib-networking-2.56.1-1.1.el8.x86_64 gsettings-desktop-schemas-3.32.0-4.el8.x86_64 json-glib-1.4.4-1.el8.x86_64 libgusb-0.3.0-1.el8.x86_64 libmodman-2.0.1-17.el8.x86_64 libproxy-0.4.15-5.2.el8.x86_64 libsoup-2.62.3-1.el8.x86_64
alternatives java-11
Passer par defaut sur java-11 si presence aussi du 1.8 avec alternatives
[root@ssocas6 ~]# alternatives --config java Il existe 2 programmes qui fournissent « java ». Sélection Commande ----------------------------------------------- *+ 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java) 2 java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)
Il existe 2 programmes qui fournissent « java ».
[root@ssocas6 ~]# alternatives --config java Sélection Commande ----------------------------------------------- * 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java) + 2 java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)
test java version
[root@ssocas6 ~]# java -version openjdk version "11.0.9.1" 2020-11-04 LTS OpenJDK Runtime Environment 18.9 (build 11.0.9.1+1-LTS) OpenJDK 64-Bit Server VM 18.9 (build 11.0.9.1+1-LTS, mixed mode, sharing)
tomcat
redhat et donc centos n'offre plus de package tomcat (ils mettent en avant JBoss) , donc on va installer un tomcat 9 en tar.gz :
tomcat user
[root@ssocas6 ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat
tomcat package tgz
[root@ssocas6 ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.45/bin/apache-tomcat-9.0.45.tar.gz [root@ssocas6 ~]# cd /opt [root@ssocas6 opt]# tar xvfz /root/apache-tomcat-9.0.45.tar.gz [root@ssocas6 opt]# ln -s apache-tomcat-9.0.45 tomcat [root@ssocas6 opt]# ls -ld tomcat lrwxrwxrwx 1 root root 20 10 mai 19:49 tomcat -> apache-tomcat-9.0.45
positionnement des droits d'acces au comte tomcat
[root@ssocas6 opt]# chown -R tomcat:tomcat /opt/tomcat/ # ls -l tomcat/ total 148 drwxr-x--- 2 tomcat tomcat 4096 10 mai 16:09 bin -rw-r----- 1 tomcat tomcat 18984 30 mars 12:29 BUILDING.txt drwx------ 2 tomcat tomcat 4096 30 mars 12:29 conf -rw-r----- 1 tomcat tomcat 5587 30 mars 12:29 CONTRIBUTING.md drwxr-x--- 2 tomcat tomcat 4096 10 mai 16:09 lib -rw-r----- 1 tomcat tomcat 57092 30 mars 12:29 LICENSE drwxr-x--- 2 tomcat tomcat 4096 30 mars 12:29 logs -rw-r----- 1 tomcat tomcat 2333 30 mars 12:29 NOTICE -rw-r----- 1 tomcat tomcat 3257 30 mars 12:29 README.md -rw-r----- 1 tomcat tomcat 6898 30 mars 12:29 RELEASE-NOTES -rw-r----- 1 tomcat tomcat 16507 30 mars 12:29 RUNNING.txt drwxr-x--- 2 tomcat tomcat 4096 10 mai 16:09 temp drwxr-x--- 7 tomcat tomcat 4096 30 mars 12:29 webapps drwxr-x--- 2 tomcat tomcat 4096 30 mars 12:29 work
parametrage tomcat
acces à la webapps manager, autoriser notre @IP dans webapps/manager/META-INF/context.xml
[root@ssocas6 opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig 20c20 < allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" /> --- > allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
compte admin d'acces au l'appli manager/html (http://ssocas6.domain.fr:8080/manager/html , le :8080 sera effacer par la suite en mettant en place d'un proxy-ajp apache en frontal de tomcat)
[root@ssocas6 opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig 44,46d43 < <role rolename="manager-gui"/> < <role rolename="admin-gui"/> < <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
activation par systemd
[root@ssocas6 opt]# vim /etc/systemd/system/tomcat.service [root@ssocas6 opt]# cat /etc/systemd/system/tomcat.service [Unit] Description=Tomcat 9 After=network.target [Service] Type=forking User=tomcat Group=tomcat Environment="JAVA_HOME=/usr/lib/jvm/jre" Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom" Environment="CATALINA_BASE=/opt/tomcat" Environment="CATALINA_HOME=/opt/tomcat" Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid" Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC" ExecStart=/opt/tomcat/bin/startup.sh ExecStop=/opt/tomcat/bin/shutdown.sh [Install] WantedBy=multi-user.target
start
[root@ssocas6 ~]# systemctl daemon-reload [root@ssocas6 ~]# systemctl enable tomcat.service [root@ssocas6 ~]# systemctl start tomcat.service
firewall
[root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept' success [root@ssocas6 opt]# firewall-cmd --reload success [root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept' success [root@ssocas6 opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept' success [root@ssocas6 opt]# firewall-cmd --reload success
ou plus generalement
firewall-cmd –zone=public –permanent –add-port=8080/tcp
acces tomcat
le serveur est maintenant accessible , exemple
http://ssocas6.tem-tsp.eu:8080/manager/html (login/pass definit plus haut)
firewalld option a base de service
on peux aussi recopier la definition du service ssh vers un service tomcat afin d'ouvrir via un service firewalld notre port tomcat 8080 .
[root@ssocasd6 ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/tomcat.xml [root@ssocasd6 ~]# vim /etc/firewalld/services/tomcat.xml [root@ssocasd6 ~]# cat /etc/firewalld/services/tomcat.xml <?xml version="1.0" encoding="utf-8"?> <service> <short>tomcat</short> <description>tomcat is a java servlet container/server</description> <port protocol="tcp" port="8080"/> </service>
dans cette option a base de service on ajoute de maniere permanente (disponible aux prochains boot) le service tomcat
[root@ssocasd6 ~]# firewall-cmd --zone=public --add-service=tomcat success
malgres tout, pour obtenir cette ouverture de maniere stable, un ajout du service dans la zone active (ici public) est necessaire
[root@ssocasd6 ~]# grep tomcat /etc/firewalld/zones/public.xml <service name="tomcat"/> [root@ssocasd6 ~]# systemctl restart firewalld.service
autres dependances
git maven
il sera necessaire d'avoir maven et git entre autre, installation des packages
[root@ssocas6 ~]# yum install git maven
CAS6 template overlay
on commence par recuperer le template overlay de CAS
cf https://apereo.github.io/cas/6.3.x/installation/WAR-Overlay-Installation.html pour des explication sur les Overlays
[root@ssocas6 ~]# cd /opt/ [root@ssocas6 opt]# git clone https://github.com/apereo/cas-overlay-template Clonage dans 'cas-overlay-template'... remote: Enumerating objects: 1894, done. remote: Counting objects: 100% (53/53), done. remote: Compressing objects: 100% (38/38), done. remote: Total 1894 (delta 24), reused 29 (delta 11), pack-reused 1841 Réception d'objets: 100% (1894/1894), 10.61 Mio | 18.83 Mio/s, fait. Résolution des deltas: 100% (1050/1050), fait.
on se retrouve avec cette distribution
[root@ssocas6 opt]# cd cas-overlay-template [root@ssocas6 cas-overlay-template]# [root@ssocas6 cas-overlay-template]# ls build.gradle docker-compose.yml docker-push.sh etc gradle.properties gradlew.bat lombok.config settings.gradle docker-build.sh Dockerfile docker-run.sh gradle gradlew LICENSE.txt README.md src
support LDAP
editer le fichier build.gradle pour y ajouter deux dependances pour le support-ldap et support-json, cf ci-dessous(+) :
[root@ssocas6 cas-overlay-template]# diff -ur build.gradle.dist build.gradle
--- build.gradle.dist 2021-05-21 15:29:39.722743124 +0200
+++ build.gradle 2021-05-21 15:32:01.066846707 +0200
@@ -82,6 +82,9 @@
}
// CAS dependencies/modules may be listed here statically...
implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
+ // ADD support-ldap json DISI
+ implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
+ implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
}
tasks.findByName("jibDockerBuild")
configurer LDAP
nous allons editer le fichier etc/cas/config/cas.properties et y definir les parametre d'acces a notre LDAP serveur
[root@ssocas6 cas-overlay-template]# diff -ur /opt/cas-overlay-template/etc/cas/config/cas.properties.dist /opt/cas-overlay-template/etc/cas/config/cas.properties
--- /opt/cas-overlay-template/etc/cas/config/cas.properties.dist 2021-05-21 15:35:20.596460271 +0200
+++ /opt/cas-overlay-template/etc/cas/config/cas.properties 2021-05-21 15:43:55.912705247 +0200
@@ -1,6 +1,19 @@
-cas.server.name=https://cas.example.org:8443
+cas.server.name=https://ssocas6.domain.fr:443
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/cas/config/log4j2.xml
-# cas.authn.accept.users=
+cas.authn.accept.users=
+### Connexion LDAP
+cas.authn.ldap\[0\].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
+cas.authn.ldap\[0\].type=AUTHENTICATED
+cas.authn.ldap\[0\].useSsl=true
+cas.authn.ldap\[0\].ldapUrl=ldaps://ldap.domain.fr
+cas.authn.ldap\[0\].baseDn= dc=int,dc=fr
+cas.authn.ldap\[0\].subtreeSearch=true
+cas.authn.ldap\[0\].searchFilter=uid=\{user\}
+cas.authn.ldap\[0\].principalAttributeList=cn,givenName,mail,uid
+
+### Credential to connect to LDAP
+cas.authn.ldap\[0\].bindDn=CN=dsi,ou=dsa,dc=int,dc=fr
+cas.authn.ldap\[0\].bindCredential=S3cr3T
Dossier Logs pour CAS
[root@ssocas6 cas-overlay-template]# mkdir /var/log/cas [root@ssocas6 cas-overlay-template]# chown -R tomcat /var/log/cas
Modifier le fichier log4j2.xml dans le dossier /opt/cas-overlay-template-master/etc/cas/config
[root@ssocas6 config]# diff -ur log4j2.xml.dist log4j2.xml
--- log4j2.xml.dist 2021-05-21 15:50:39.775585744 +0200
+++ log4j2.xml 2021-05-21 15:50:51.429605606 +0200
@@ -2,7 +2,7 @@
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
<Properties>
- <Property name="baseDir">/var/log</Property>
+ <Property name="baseDir">/var/log/cas</Property>
<Property name="cas.log.level">info</Property>
<Property name="spring.webflow.log.level">warn</Property>
GradleW
les sources incorporent une version de gradle Wrapper (gradlew), il n'est dont pas necessaire d'installer gradle par ailleurs, le wrapper va aller chercher lui meme gradle
la definition des actions et parametrages se trouvent dans les build.gradle et gradle.properties
Build
Gradle build permet d'executer certains goals/commands de Gradle (aka gradlew) , commençons par la command clean qui va dans un premier temps recuperer gradle et autres dependances pour notre projet .
clean
[root@ssocas6 cas-overlay-template]# ./gradlew clean Downloading https://services.gradle.org/distributions/gradle-7.0-bin.zip ..........10%...........20%...........30%..........40%...........50%...........60%...........70%..........80%...........90%...........100% Welcome to Gradle 7.0! Here are the highlights of this release: - File system watching enabled by default - Support for running with and building Java 16 projects - Native support for Apple Silicon processors - Dependency catalog feature preview For more details see https://docs.gradle.org/7.0/release-notes.html Starting a Gradle Daemon (subsequent builds will be faster) <-------------> 0% CONFIGURING [33s] > root project > Resolve dependencies of classpath > maven-metadata.xml > IDLE > IDLE > root project > Resolve dependencies of classpath > pac4j-http-5.0.1.pom > root project > Resolve dependencies of classpath > spring-webmvc-pac4j-5.0.0.pom > root project > Resolve dependencies of classpath > maven-metadata.xml > root project > Resolve dependencies of classpath > maven-metadata.xml > IDLE > root project > Resolve dependencies of classpath > oauth2-oidc-sdk-9.5.1.pom > IDLE > root project > Resolve dependencies of classpath > maven-metadata.xml > IDLE ... Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0. Use '--warning-mode all' to show the individual deprecation warnings. See https://docs.gradle.org/7.0/userguide/command_line_interface.html#sec:command_line_warnings BUILD SUCCESSFUL in 1m 29s 2 actionable tasks: 2 executed
build
[root@ssocas6 cas-overlay-template]# ./gradlew clean copyCasConfiguration build <-------------> 5% EXECUTING [2s] > :extractCasBootWarOverlay ... BUILD SUCCESSFUL in 25s 7 actionable tasks: 7 executed [root@ssocas6 cas-overlay-template]# ls -l build/libs/cas.war -rw-r--r-- 1 root root 124196573 22 mai 10:06 build/libs/cas.war
Deployer dans tomcat
avec une simple copie du cas.war dans l'arborescence webapps de tomcat , l'auto-deploy va deployer le service
[root@ssocas6 cas-overlay-template]# cp /opt/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/ [root@ssocas6 cas-overlay-template]# ls -l /opt/tomcat/webapps/ total 121316 drwxr-x--- 5 tomcat tomcat 4096 22 mai 11:21 cas -rw-r--r-- 1 root root 124196573 22 mai 11:21 cas.war drwxr-x--- 16 tomcat tomcat 4096 4 juin 2020 docs drwxr-x--- 6 tomcat tomcat 4096 4 juin 2020 examples drwxr-x--- 5 tomcat tomcat 4096 4 juin 2020 host-manager drwxr-x--- 5 tomcat tomcat 4096 4 juin 2020 manager drwxr-x--- 3 tomcat tomcat 4096 4 juin 2020 ROOT
tomcat log CAS war
on peux voir en detail le deploiement et lancement de CAS par tomcat dans les logs catalina.out
22-May-2021 10:27:29.240 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of deployment descriptor [/opt/tomcat/conf/Catalina/localhost/manager.xml] has finished in [349] ms
22-May-2021 10:27:29.242 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/cas.war]
22-May-2021 10:27:38.056 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2021-05-22 10:27:42,024 WARN [org.springframework.http.converter.json.Jackson2ObjectMapperBuilder] - <For Jackson Kotlin classes support please add "com.fasterxml.jackson.module:jackson-module-kotlin" to the classpath>
_ ____ _____ ____ _____ ___ ____ _ ____
/ \ | _ \| ____| _ \| ____/ _ \ / ___| / \ / ___|
/ _ \ | |_) | _| | |_) | _|| | | | | | / _ \ \___ \
/ ___ \| __/| |___| _ <| |__| |_| | | |___ / ___ \ ___) |
/_/ \_\_| |_____|_| \_\_____\___/ \____/_/ \_\____/
CAS Version: 6.4.0-SNAPSHOT
CAS Branch: master
CAS Commit Id: a03f3bf03f7f1b422794c026481cd2efdf8ae847
CAS Build Date/Time: 2021-05-22T08:02:28Z
Spring Boot Version: 2.4.5
Spring Version: 5.3.7
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64
Java Vendor: Red Hat, Inc.
Java Version: 11.0.9.1
JVM Free Memory: 328 MB
JVM Maximum Memory: 910 MB
JVM Total Memory: 629 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 4.18.0
OS Date/Time: 2021-05-22T10:27:44.189611
OS Temp Directory: /opt/tomcat/temp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.35
------------------------------------------------------------
2021-05-22 10:27:44,260 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2021-05-22 10:27:44,407 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>
2021-05-22 10:27:51,366 WARN [org.hibernate.validator.internal.properties.javabean.JavaBeanExecutable] - <HV000254: Missing parameter metadata for (int, MeterFilter, String, String), which declares implicit or synthetic parameters. Automatic resolution of generic type information for method parameters may yield incorrect results if multiple parameters have the same erasure. To solve this, compile your code with the '-parameters' flag.>
2021-05-22 10:27:55,997 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2021-05-22 10:27:56,380 INFO [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/opt/tomcat/temp/services]>
2021-05-22 10:27:56,388 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory path at [/opt/tomcat/temp/services]>
2021-05-22 10:27:58,020 INFO [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] - <
Using generated security password: 18fSECRETdb14
>
2021-05-22 10:27:58,190 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/login/**'] with []>
2021-05-22 10:27:58,190 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/logout/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/validate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/serviceValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/p3/serviceValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/proxyValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/p3/proxyValidate/**'] with []>
2021-05-22 10:27:58,191 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure Ant [pattern='/proxy/**'] with []>
2021-05-22 10:27:58,263 INFO [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Validated configuration attributes>
2021-05-22 10:27:58,291 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will secure any request with [org.springframework.security.web.access.channel.ChannelProcessingFilter@eab31b4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@68a8bdb1, org.springframework.security.web.context.SecurityContextPersistenceFilter@1cd7f4a2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@560e50d4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@6c15605e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58b7eb53, org.springframework.security.web.session.SessionManagementFilter@37d269d5, org.springframework.security.web.access.ExceptionTranslationFilter@20d87607, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@48056bdc]>
2021-05-22 10:27:59,626 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2021-05-22 10:27:59,895 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
2021-05-22 10:27:59,899 INFO [org.apereo.cas.util.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
2021-05-22 10:28:00,197 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2021-05-22 10:28:00,226 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [szXKgSECRETFCQ] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2021-05-22 10:28:00,229 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2021-05-22 10:28:00,229 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [68DkrB3Sr-mSECRETrqSYA] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2021-05-22 10:28:00,408 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2021-05-22 10:28:00,409 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [oDrASECRETqCiyP-3RQxi2VGGwHiw3G7h3pHHPOprtIjSisWhnDx2Q] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2021-05-22 10:28:00,409 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2021-05-22 10:28:00,411 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [rcagcSECRETScsw] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
2021-05-22 10:28:00,650 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <Started CasWebApplicationServletInitializer in 20.636 seconds (JVM running for 33.242)>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <
____ _____ _ ______ __
| _ \| ____| / \ | _ \ \ / /
| |_) | _| / _ \ | | | \ V /
| _ <| |___ / ___ \| |_| || |
|_| \_\_____/_/ \_\____/ |_|
>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-05-22 10:28:00,671 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to process requests @ [2021-05-22T09:28:00.670Z]>
22-May-2021 10:28:00.696 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/tomcat/webapps/cas.war] has finished in [31,454] ms
22-May-2021 10:28:00.697 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/examples]
2021-05-22 10:28:01,033 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
22-May-2021 10:28:01.049 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/examples] has finished in [352] ms
22-May-2021 10:28:01.050 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/docs]
22-May-2021 10:28:01.071 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/docs] has finished in [21] ms
22-May-2021 10:28:01.071 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/ROOT]
22-May-2021 10:28:01.088 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/tomcat/webapps/ROOT] has finished in [17] ms
22-May-2021 10:28:01.088 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/tomcat/webapps/idp]
22-May-2021 10:28:05.363 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Warning: Nashorn engine is planned to be removed from a future JDK release
acces web
maintenant que tout est deployé, nous allons profiter du proxy-ajp d'apache pour renvoyer les requetes https servient par apache vers le context tomcat approrié , ici /cas est renvoyé vers le port ajp en localhost 8009 où tomcat ecoute, idem pour notre applaication tomcat /manager .
[root@cas6 ~]# cat /etc/httpd/conf.d/cas.conf ProxyRequests off ProxyPass /cas ajp://127.0.0.1:8009/idp retry=0 ProxyPassReverse /cas ajp://127.0.0.1:8009/idp ProxyPass /manager ajp://127.0.0.1:8009/manager ProxyPassReverse /manager ajp://127.0.0.1:8009/manager
1er login test
sans target (application cliente) specifique , faisons un premier test de connexion CAS afin de valider le service d'authN et la recuperation d'attributs
depuis un navigateur accedons a notre service CAS : https://ssocas6.domain.fr/cas/login
une fois le login/password saisie, on aboutit sur une page d'affichage des attributs, ce qui valide le process d'authentifcation et de recuperation d'information depuis notre annuaire ldap.
on retrouve bien dans catalina.out et dans /var/log/cas/cas/log cet acces .
2021-05-22 10:38:58,242 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Sat May 22 10:38:58 GMT+01:00 2021}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat May 22 10:38:58 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================
>
2021-05-22 10:39:20,687 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-05-22 10:40:20,690 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-05-22 10:40:30,750 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2021-05-22 10:40:31,502 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authenticated principal [test] with attributes [{cn=[STUDENT Test], givenName=[Test], mail=[test@telecom.fr], uid=[test]}] via credentials [[UsernamePasswordCredential(username=test, source=null, customFields={})]].>
2021-05-22 10:40:31,504 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: [UsernamePasswordCredential(username=teststud, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================
>
2021-05-22 10:40:31,554 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: teststud
WHAT: TGT-1-*****oXABZDg6kM-cas6
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================
on notera aussi que l'acces au serveur LDAP a été établit au demarrage de l'apllication CAS par tomcat et qu'il se fait bien en TLS/636 avec le binddn definit dans cas.properties
[root@ldap log]# tail -500 ldap.log May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 ACCEPT from IP=157.19.19.10:35994 (IP=0.0.0.0:636) May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256 May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256 May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128 May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0 May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128 May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text= May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0 May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text=
Registering Applications
les appplications clientes qui doivent utiliser notre serveur CAS doivent etre declarée a priori . cela peut se faire au travers d'uj simple fichier de type json .
nous délarons dans cas.prpoerties le chemin d'acces a ce fichier json
[root@ssocas6 cas-overlay-template]# tail -2 etc/cas/config/cas.properties ### Registering Applications cas.serviceRegistry.json.location: file:/etc/cas/services
Il est recommandé de nommer les nouveaux fichiers JSON comme ceci: “serviceName-serviceNumericId.json”
Pour créer l'ID nous utilisons la commande date +%s
[root@ssocas6 cas-overlay-template]# mkdir /etc/cas/services [root@ssocas6 cas-overlay-template]# cd /etc/cas/services [root@ssocas6 services]# touch disi_wikis-`date +%s`.json [root@ssocas6 services]# vim disi_wikis-1621678622.json
on peux ensuite ajouter d'autres services (ici un 3eme cf logs CAS [1]) , le serveur CAS lit regulierement le directory /etc/cas/services pour les charger dynamiquement sans necessité de restart de tomcat/cas .
[root@ssocas6 services]# touch dsi_ws_domain1-fr-`date +%s`.json
[root@ssocas6 services]#cat dsi_ws_domain1-fr-1622207781.json
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://.*.domain1.fr/.*",
"name" : "Dsi_ws-tem-tsp-eu",
"id" : 1622207781,
"evaluationOrder" : 99997
}
logs CAS associés
[1]
2021-05-28 14:18:03,506 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistry].>
taches disponibles
./gradlew tasks va nous donner la liste des taches disponibles
[root@ssocas6 cas-overlay-template]# ./gradlew tasks Starting a Gradle Daemon (subsequent builds will be faster) > Task :tasks ------------------------------------------------------------ Tasks runnable from root project 'cas' ------------------------------------------------------------ Application tasks ----------------- bootRun - Runs this project as a Spring Boot application. Build tasks ----------- allDependencies - Display a graph of all project dependencies allDependenciesInsight - Produce insight information for all dependencies assemble - Assembles the outputs of this project. bootBuildImage - Builds an OCI image of the application using the output of the bootJar task bootBuildInfo - Generates a META-INF/build-info.properties file. bootJar - Assembles an executable jar archive containing the main classes and their dependencies. bootJarMainClassName - Resolves the name of the application's main class for the bootJar task. bootRunMainClassName - Resolves the name of the application's main class for the bootRun task. bootRunSourcesClasses - Assembles boot run sources classes. bootWar - Assembles an executable war archive containing webapp content, and the main classes and their dependencies. bootWarMainClassName - Resolves the name of the application's main class for the bootWar task. build - Assembles and tests this project. buildDependents - Assembles and tests this project and all projects that depend on it. buildNeeded - Assembles and tests this project and all projects it depends on. ... Build Setup tasks ----------------- init - Initializes a new Gradle build. wrapper - Generates Gradle wrapper files. CAS tasks --------- casVersion - Display the current CAS version copyCasConfiguration - Copy the CAS configuration from this project to /etc/cas/config createKeystore - Create CAS keystore debug - Debug the CAS web application in embedded mode on port 5005 ...
personalisation des views
pour personaliser des pages, il faut d'abord les extraires de l'overlay distribué afin de les mettres dans notre environement de personalisations locales
pour ce faire nous allons utiliser la tache gradle listTemplateViews afin de lister l'ensembles des fichiers (css, html, png ..) qui compose la view du formulaire :
[root@ssocas6 cas-overlay-template]# ./gradlew listTemplateViews | more Starting a Gradle Daemon (subsequent builds will be faster) > Task :bootBuildInfo > Task :generateLombokConfig UP-TO-DATE > Task :compileJava NO-SOURCE > Task :processResources UP-TO-DATE > Task :classes > Task :extractCasBootWarOverlay UP-TO-DATE > Task :bootWar > Task :war SKIPPED > Task :assemble > Task :compileTestJava NO-SOURCE > Task :processTestResources NO-SOURCE > Task :testClasses UP-TO-DATE > Task :test NO-SOURCE > Task :check UP-TO-DATE > Task :build > Task :explodeWarOnly Exploded WAR into /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas > Task :explodeWar Exploded WAR resources into /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources > Task :listTemplateViews /templates/casAcceptableUsagePolicyView.html /templates/casAccepttoRegistrationView.html /templates/casAccountDisabledView.html /templates/casAccountLockedView.html /templates/casAdminLoginView.html /templates/casAuthenticationBlockedView.html /templates/casAuthyLoginView.html /templates/casBadHoursView.html /templates/casBadWorkstationView.html /templates/casCompositeMfaProviderSelectionView.html /templates/casConfirmLogoutView.html /templates/casConfirmView.html /templates/casConsentView.html /templates/casDelegatedAuthnErrorView.html /templates/casDuoLoginView.html /templates/casExpiredPassView.html /templates/casForgotUsernameSendInfoView.html /templates/casForgotUsernameSentInfoView.html /templates/casGenericSuccessView.html /templates/casGoogleAuthenticatorConfirmRegistrationView.html /templates/casGoogleAuthenticatorLoginView.html /templates/casGoogleAuthenticatorRegistrationView.html /templates/casGuaDisplayUserGraphicsView.html /templates/casGuaGetUserIdView.html /templates/casInterruptView.html /templates/casLoginMessageView.html /templates/casLoginView.html /templates/casLogoutView.html /templates/casMfaDeniedView.html /templates/casMfaRegisterDeviceView.html /templates/casMfaUnavailableView.html /templates/casMustChangePassView.html /templates/casPac4jStopWebflow.html /templates/casPasswordUpdateSuccessView.html /templates/casPasswordlessDisplayView.html /templates/casPasswordlessGetUserIdView.html /templates/casPropagateLogoutView.html /templates/casRadiusLoginView.html /templates/casResetPasswordErrorView.html /templates/casResetPasswordSendInstructionsView.html /templates/casResetPasswordSentInstructionsView.html /templates/casResetPasswordVerifyQuestionsView.html /templates/casRiskAuthenticationBlockedView.html /templates/casSamlIdPDiscoveryView.html /templates/casServiceErrorView.html /templates/casSimpleMfaLoginView.html /templates/casSurrogateAuthnListView.html /templates/casSwivelLoginView.html /templates/casU2fLoginView.html /templates/casU2fRegistrationView.html /templates/casWebAuthnLoginView.html /templates/casWebAuthnRegistrationView.html /templates/casWsFedStopWebflow.html /templates/casYubiKeyLoginView.html /templates/casYubiKeyRegistrationView.html /templates/error.html /templates/error/401.html /templates/error/403.html /templates/error/404.html /templates/error/405.html /templates/error/423.html /templates/fragments/accepttoQRCode.html /templates/fragments/footer.html /templates/fragments/header.html /templates/fragments/loginProviders.html /templates/fragments/loginform.html /templates/fragments/loginsidebar.html /templates/fragments/pmlinks.html /templates/fragments/pwdupdateform.html /templates/fragments/qrAuthentication.html /templates/fragments/recaptcha.html /templates/fragments/scripts.html /templates/fragments/serviceui.html /templates/fragments/submitbutton.html /templates/fragments/webAuthnLogin.html /templates/layout.html /templates/protocol/2.0/casProxyFailureView.html /templates/protocol/2.0/casProxySuccessView.html /templates/protocol/2.0/casServiceValidationFailure.html /templates/protocol/2.0/casServiceValidationSuccess.html /templates/protocol/3.0/casServiceValidationFailure.html /templates/protocol/3.0/casServiceValidationSuccess.html /templates/protocol/casPostResponseView.html /templates/protocol/oauth/confirm.html /templates/protocol/oauth/deviceCodeApproval.html /templates/protocol/oauth/deviceCodeApproved.html /templates/protocol/oauth/sessionStaleMismatchError.html /templates/protocol/oidc/confirm.html /templates/protocol/openid/casOpenIdAssociationSuccessView.html /templates/protocol/openid/casOpenIdServiceFailureView.html /templates/protocol/openid/casOpenIdServiceSuccessView.html /templates/protocol/openid/user.html
le fichier casLoginView.html est le point d'entré, on l'extrait avec la tache getResource
[root@ssocas6 cas-overlay-template]# ./gradlew getResource -PresourceName=casLoginView.html > Task :getResource Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/templates/casLoginView.html to src/main/resources/templates/casLoginView.html
on va egalement prendre header.html (extrait vers src/main/resources/templates/fragments/header.html) pour y changer le logo
[root@ssocas6 cas-overlay-template]# grep logo src/main/resources/templates/fragments/header.html
<img class="cas-logo"
th:src="@{${#strings.defaultString(#themes.code('cas.logo.file'), '/images/our-logo.png')}}" />
on peux aussi extraire le cas.logo.png afin de disposer de l'arborescence locale depo des images et y copier notre fichier image / logo
[root@ssocas6 cas-overlay-template]# cp /root/our-logo.png src/main/resources/static/images/
enfin on redeploie le tout (il est possible de faire usage ./gradlew bootRun pour changer les views a chaud)
[root@ssocas6 cas-overlay-template]#./gradlew clean copyCasConfiguration build [root@ssocas6 cas-overlay-template]#cp /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/ [root@ssocas6 cas-overlay-template]#chown tomcat /opt/tomcat/webapps/cas.war
Pour le text qui apparait dans la page , il s'agit de reference vers le systeme d'internationalisation des messages qu'on retrouve dans messages.properties et messages_fr.properties (_de, _it etc pour les autres langues)
on extrait le fr
[root@ssocas6 cas-overlay-template]# ls /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/ Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/messages_fr.properties to src/main/resources/messages_fr.properties
health monitor
si besoin d'avoir des info sur la status du service, on peux activer le module visoible sous le endpoint : /actuator
/status est deprecated au profit de /actuator/health
https://apereo.github.io/cas/6.3.x/monitoring/Monitoring-Statistics.html
Gradle
si besoin d'une installation gradle independante du projet CAS (non indispensable du fait de l'integration de gradlew dans l'overlay ) :
https://tecadmin.net/install-gradle-centos-8/
[root@ssocas6 ~]# wget https://downloads.gradle-dn.com/distributions/gradle-6.3-bin.zip [root@ssocas6 ~]# cd /opt/ [root@ssocas6 opt]# unzip /root/gradle-6.3-bin.zip [root@ssocas6 opt]# ln -s gradle-6.3 gradle [root@ssocas6 opt]# ls -l gradle lrwxrwxrwx 1 root root 10 22 mai 09:11 gradle -> gradle-6.3
definir dans la variable PATH l'acces au binaire gradle
[root@ssocas6 opt]# vim /etc/profile.d/gradle.sh [root@ssocas6 opt]# cat /etc/profile.d/gradle.sh export PATH=/opt/gradle/bin:$PATH [root@cas6 opt]# source /etc/profile.d/gradle.sh [root@cas6 opt]# gradle -v Welcome to Gradle 6.3!
