Configuring Ticketing Components
There are two core configurable ticketing components:
- TicketRegistry - Provides ticket persistence.
- ExpirationPolicy - Provides a policy framework for ticket expiration semantics.
Ticket Registry
The deployment environment and technology expertise generally determine the particular TicketRegistry component. A cache-backed implementation is recommended for HA deployments, while the default DefaultTicketRegistry in-memory component may be suitable for small deployments.
Default (In-Memory) Ticket Registry
DefaultTicketRegistry uses a ConcurrentHashMap for memory-backed ticket storage and retrieval. This component does not preserve ticket state across restarts. There are a few configuration knobs available:
- initialCapacity - ConcurrentHashMap initial capacity.
- loadFactor - ConcurrentHashMap load factor.
- concurrencyLevel - Allows tuning the ConcurrentHashMap for concurrent write support.
All three arguments map to those of the ConcurrentHashMap constructor.
<bean id="ticketRegistry"
      class="org.jasig.cas.ticket.registry.DefaultTicketRegistry"
      c:initialCapacity="10000"
      c:loadFactor="1"
      c:concurrencyLevel="20" />
Cache-Based Ticket Registries
Cache-based ticket registries provide a high-performance solution for ticket storage in high availability deployments. Components for the following caching technologies are provided:
RDBMS Ticket Registries
RDBMS-based ticket registries provide a distributed ticket store across multiple CAS nodes. Components for the following caching technologies are provided:
Ticket Generators
CAS presents a pluggable architecture for generating unique ticket ids for each ticket type. The configuration of each generator is defined at src\main\webapp\WEB-INF\spring-configuration\uniqueIdGenerators.xml. Here’s a brief sample:
<bean id="ticketGrantingTicketUniqueIdGenerator"
      class="org.jasig.cas.util.DefaultUniqueTicketIdGenerator"
      c:maxLength="50"
      c:suffix="${host.name}" />

<bean id="serviceTicketUniqueIdGenerator"
      class="org.jasig.cas.util.DefaultUniqueTicketIdGenerator"
      c:maxLength="20"
      c:suffix="${host.name}" />

<bean id="loginTicketUniqueIdGenerator"
      class="org.jasig.cas.util.DefaultUniqueTicketIdGenerator"
      c:maxLength="30"
      c:suffix="${host.name}" />

<bean id="proxy20TicketUniqueIdGenerator"
      class="org.jasig.cas.util.DefaultUniqueTicketIdGenerator"
      c:maxLength="20"
      c:suffix="${host.name}" />

<util:map id="uniqueIdGeneratorsMap">
    <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
           value-ref="serviceTicketUniqueIdGenerator" />
</util:map>
Components
UniqueTicketIdGenerator
Strategy parent interface that describes operations needed to generate a unique id for a ticket.
DefaultUniqueTicketIdGenerator
Uses numeric and random string generators to create a unique id, while supporting prefixes for each ticket type, as is outlined by the CAS protocol, as well as a suffix that typically is mapped to the CAS server node identifier in order to indicate which node is the author of this ticket. The latter configuration point helps with troubleshooting and diagnostics in a clustered CAS environment.
HostNameBasedUniqueTicketIdGenerator
An extension of DefaultUniqueTicketIdGenerator that is able to auto-configure the suffix based on the underlying host name. To assist with multi-node deployments where the CAS configuration, and especially the cas.properties file, is externalized, it would be ideal to have one set of configuration files for all nodes, for instance a single cas.properties file. This would remove the need to copy or sync configuration files across nodes.
The drawback is that by keeping only one cas.properties file, we’d lose the ability to define unique host.name property values for each node as the suffix, which would assist with troubleshooting and diagnostics. As a remedy, this ticket generator retrieves the host.name value directly from the actual node name, rather than relying on the configuration, but only if one isn’t specified in the cas.properties file.
SamlCompliantUniqueTicketIdGenerator
Unique Ticket Id Generator compliant with the SAML 1.1 specification for artifacts, that is also compliant with the SAML v2 specification.
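The id layout and host-name fallback described for DefaultUniqueTicketIdGenerator and HostNameBasedUniqueTicketIdGenerator can be sketched in Java as follows. This is an added example, not CAS source code: the class TicketIdSketch, its methods, the randomLength parameter, the counter and the sample suffix cas01 are all assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.SecureRandom;

/** Added illustration; every name here is hypothetical, not taken from CAS. */
public class TicketIdSketch {
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    private final SecureRandom random = new SecureRandom();
    private final int randomLength;
    private final String suffix;
    private long counter;

    public TicketIdSketch(int randomLength, String configuredSuffix) {
        this.randomLength = randomLength;
        this.suffix = resolveSuffix(configuredSuffix);
    }

    /** A configured host.name wins; a blank value falls back to the node's own host name. */
    static String resolveSuffix(String configured) {
        if (configured != null && !configured.trim().isEmpty()) {
            return configured.trim();
        }
        try {
            return InetAddress.getLocalHost().getHostName();
        } catch (UnknownHostException e) {
            return "unknown-node"; // assumed placeholder when the name cannot be resolved
        }
    }

    /** Layout: PREFIX-counter-random-suffix. Only the random part makes the id unguessable. */
    public synchronized String newTicketId(String prefix) {
        StringBuilder sb = new StringBuilder(prefix).append('-').append(++counter).append('-');
        for (int i = 0; i < randomLength; i++) {
            sb.append(ALPHABET[random.nextInt(ALPHABET.length)]);
        }
        return sb.append('-').append(suffix).toString();
    }

    public static void main(String[] args) {
        TicketIdSketch st = new TicketIdSketch(20, "");       // blank suffix: host-name fallback
        TicketIdSketch tgt = new TicketIdSketch(50, "cas01"); // constructed node name
        System.out.println(st.newTicketId("ST"));
        System.out.println(tgt.newTicketId("TGT"));
    }
}
```

The suffix is a diagnostic label that travels with every ticket id, so it should be treated as visible to clients rather than as part of the id's secrecy.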
Ticket Registry Cleaner
The ticket registry cleaner should be used for ticket registries that cannot manage their own state. That would include the default in-memory registry and the JPA ticket registry. Cache-based ticket registry implementations such as Memcached, Hazelcast or Ehcache do not require a registry cleaner. The ticket registry cleaner configuration is specified in the spring-configuration/ticketRegistry.xml file.
Components
RegistryCleaner
Strategy interface to denote the start of cleaning the registry.
DefaultTicketRegistryCleaner
The default ticket registry cleaner scans the entire CAS ticket registry for expired tickets and removes them. This process is only required so that the size of the ticket registry will not grow beyond a reasonable size. The functionality of CAS is not dependent on a ticket being removed as soon as it is expired. Locking strategies may be used to support high availability environments. In a clustered CAS environment with several CAS nodes executing ticket cleanup, it is desirable to execute cleanup from only one CAS node at a time.
LockingStrategy
Strategy pattern for defining a locking strategy in support of exclusive execution of some process.
NoOpLockingStrategy
No-Op locking strategy that allows the use of DefaultTicketRegistryCleaner in environments where exclusive access to the registry for cleaning is either unnecessary or not possible.
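The two properties described above, that ticket validity does not depend on prompt removal and that cleanup should run on only one node at a time, are shown in the following Java sketch. It is an added example, not CAS source code: RegistryCleanerSketch, Lock, LocalLock and the ticket ids are hypothetical, and LocalLock only models exclusivity inside one JVM, where a cluster would need a lock held in a shared store.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

/** Added illustration; every name here is hypothetical, not taken from CAS. */
public class RegistryCleanerSketch {
    interface Lock { boolean acquire(); void release(); }

    /** Single-JVM stand-in for a cluster-wide lock (assumption of this sketch). */
    static final class LocalLock implements Lock {
        private final AtomicBoolean held = new AtomicBoolean();
        public boolean acquire() { return held.compareAndSet(false, true); }
        public void release() { held.set(false); }
    }

    private final Map<String, Long> expiresAt = new ConcurrentHashMap<>(); // id -> expiry (ms)
    private final Lock lock;

    RegistryCleanerSketch(Lock lock) { this.lock = lock; }
    void add(String id, long expiryMillis) { expiresAt.put(id, expiryMillis); }

    /** Expiry is enforced at lookup, so an entry the cleaner has not reached is still rejected. */
    boolean isValid(String id, long now) {
        Long exp = expiresAt.get(id);
        return exp != null && now < exp;
    }

    /** Removes expired entries; returns the number removed, or -1 if the lock is held elsewhere. */
    int clean(long now) {
        if (!lock.acquire()) return -1;
        try {
            int removed = 0;
            for (Iterator<Long> it = expiresAt.values().iterator(); it.hasNext();) {
                if (it.next() <= now) { it.remove(); removed++; }
            }
            return removed;
        } finally {
            lock.release(); // always release so a failed run does not block later cleanups
        }
    }

    public static void main(String[] args) {
        RegistryCleanerSketch r = new RegistryCleanerSketch(new LocalLock());
        r.add("ST-1-constructed", 1_000L);  // constructed sample tickets
        r.add("TGT-1-constructed", 9_000L);
        System.out.println("valid before clean: " + r.isValid("ST-1-constructed", 5_000L));
        System.out.println("removed: " + r.clean(5_000L));
    }
}
```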
Configuration
If you’re using the default ticket registry configuration, your /cas-server-webapp/WEB-INF/spring-configuration/ticketRegistry.xml probably looks like this:
<!-- TICKET REGISTRY CLEANER -->
<bean id="ticketRegistryCleaner"
      class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
      c:centralAuthenticationService-ref="centralAuthenticationService"
      c:ticketRegistry-ref="ticketRegistry" />

<bean id="jobDetailTicketRegistryCleaner"
      class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"
      p:targetObject-ref="ticketRegistryCleaner"
      p:targetMethod="clean" />

<bean id="triggerJobDetailTicketRegistryCleaner"
      class="org.springframework.scheduling.quartz.SimpleTriggerFactoryBean"
      p:jobDetail-ref="jobDetailTicketRegistryCleaner"
      p:startDelay="20000"
      p:repeatInterval="5000000" />
Ticket Expiration Policies
CAS supports a pluggable and extensible policy framework to control the expiration policy of ticket-granting tickets (TGT) and service tickets (ST). See this guide for details on how to configure the expiration policies.