cas 單點登陸實戰-sso-config篇(二)
阿新 • • 發佈:2018-11-02
回顧:上章我們簡單介紹了服務端的目錄結構。現在來介紹目錄結構的第一部分 sso-config
一.看一下目錄結構
1.這裡面先重點關注兩個檔案 cas-management-dev.properties和sso-dev.properties
我分別貼一下兩個檔案的程式碼
cas-management-dev.properties:
#
# Copyright (c) 2008-2017. 卡爾科技工作室
#
# cas-management-dev.properties — "dev" profile of the CAS Management webapp.
# Everything in this file is a development default; the lines marked "dev only"
# must be revisited before this profile is reachable by anyone but its author.
##
# CAS Thymeleaf Views
#
spring.thymeleaf.cache=false
spring.thymeleaf.mode=HTML
##
# Embedded CAS Tomcat Container
#
server.context-path=/cas-management
server.port=8081
#
# CAS dynamic service management — begin
#
# The CAS server this management UI authenticates against.
cas.server.name=https://passport.sso.com:8443/cas
cas.server.prefix=${cas.server.name}
# NOTE(review): the management app is addressed over plain http while CAS itself is
# https. The session cookie configured below is http-only but cannot be marked secure
# on an http origin, so on this hostname it travels in clear text — acceptable on a
# single dev machine, not beyond it.
cas.mgmt.serverName=http://passport.sso.com:8081
# Static management authorization — begin
# A user who has signed in through SSO must also be listed in this file, otherwise the
# management UI refuses access; these users can instead be managed dynamically via LDAP.
cas.mgmt.userPropertiesFile=classpath:/user-details.properties
cas.mgmt.defaultLocale=zh_CN
# Static management authorization — end
##
# CAS Web Application Config
#
# Management web-session lifetime, in seconds.
server.session.timeout=1800
server.session.cookie.http-only=true
server.session.tracking-modes=COOKIE
##
# CAS Cloud Bus Configuration
# Please leave spring.cloud.bus.enabled set to false
#
spring.cloud.bus.enabled=false
##
# Actuator Endpoint Security Defaults
#
endpoints.enabled=true
endpoints.actuator.enabled=true
#cas.serviceRegistry.jpa.healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.SYSTEM_USERS
#cas.serviceRegistry.jpa.isolateInternalQueries=false
# JPA service registry. Same MySQL schema (sso) and the same root/root login as the CAS
# server's sso-dev.properties. Dev only: give the registry its own least-privilege DB
# account and keep the password out of the config repository.
cas.serviceRegistry.jpa.url=jdbc:mysql://127.0.0.1:3306/sso
cas.serviceRegistry.jpa.failFast=true
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
cas.serviceRegistry.jpa.leakThreshold=10
cas.serviceRegistry.jpa.batchSize=1
cas.serviceRegistry.jpa.defaultCatalog=
cas.serviceRegistry.jpa.defaultSchema=
cas.serviceRegistry.jpa.user=root
# Hibernate create-drop recreates the registry tables at start-up and drops them at
# shutdown. The CAS server points at the same schema with the same setting, so stopping
# either application removes the services the other one registered; switch to update
# (or none once the schema exists) as soon as the data should survive a restart.
cas.serviceRegistry.jpa.ddlAuto=create-drop
cas.serviceRegistry.jpa.password=root
cas.serviceRegistry.jpa.autocommit=true
cas.serviceRegistry.jpa.driverClass=com.mysql.jdbc.Driver
# Connection-pool tuning.
cas.serviceRegistry.jpa.idleTimeout=5000
cas.serviceRegistry.jpa.pool.suspension=false
cas.serviceRegistry.jpa.pool.minSize=6
cas.serviceRegistry.jpa.pool.maxSize=18
cas.serviceRegistry.jpa.pool.maxIdleTime=1000
cas.serviceRegistry.jpa.pool.maxWait=2000
# Dev only: removes authentication from every actuator endpoint enabled above.
management.security.enabled=false
# Tomcat settings
server.max-http-header-size=2097152
# Honour the X-Forwarded-* headers named by the server.tomcat.*-header keys below.
# NOTE(review): which upstream addresses may set these headers is controlled by
# server.tomcat.internal-proxies, which is not set here, so the Spring Boot default
# applies; confirm that only your reverse proxy can reach Tomcat with them, because the
# client address they yield is what the access log records.
server.use-forward-headers=true
server.connection-timeout=20000
# Dev only: full stack traces in error responses disclose class names, library versions
# and file paths to the client. The CAS server profile uses NEVER; do the same here
# outside development.
server.error.include-stacktrace=ALWAYS
server.tomcat.max-http-post-size=2097152
server.tomcat.basedir=build/tomcat
# Access log: timestamp, client address, request line, status, duration in ms.
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=10
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true
sso-dev.properties
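#
# Copyright (c) 2008-2017. 卡爾科技工作室
#
# sso-dev.properties — "dev" profile of the CAS server. Development defaults
# throughout; the review notes below mark the settings that must change before this
# profile is exposed to anyone but its author. Two corrections relative to the
# published listing: the mail credential is replaced by a placeholder, and
# cas.authn.jdbc.query[0].passwordEncoder.secret is declared so the ${...} reference
# to it in the password-management section resolves.
##
# CAS Server Context Configuration
#
server.context-path=/cas
server.port=8443
# SSL configuration — begin
server.ssl.enabled=true
server.ssl.key-store=classpath:tomcat.keystore
# Dev only: a trivial password for a keystore shipped inside the build artifact. Use a
# per-environment keystore and inject its password at deploy time.
server.ssl.key-store-password=123456
server.ssl.keyAlias=passport.sso.com
# SSL configuration — end
server.max-http-header-size=2097152
# Honour the X-Forwarded-* headers named by the server.tomcat.*-header keys below.
# NOTE(review): server.tomcat.internal-proxies is not set, so Spring Boot's default
# trusted-proxy list applies; confirm only your reverse proxy can reach Tomcat with these
# headers, because the client address they yield feeds the access log and any IP-based
# rule such as cas.adminPagesSecurity.ip further down.
server.use-forward-headers=true
server.connection-timeout=20000
# Stack traces are kept out of error responses (unlike the management profile).
server.error.include-stacktrace=NEVER
server.tomcat.max-http-post-size=2097152
server.tomcat.basedir=build/tomcat
# Access log: timestamp, client address, request line, status, duration in ms.
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=10
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true
# Public URL of this CAS server, derived from the port and context path above.
cas.server.name=https://passport.sso.com:${server.port}${server.context-path}
cas.server.prefix=${cas.server.name}
##
# CAS Cloud Bus Configuration
#
spring.cloud.bus.enabled=false
##
# CAS Web Application Session Configuration
#
# Web-session lifetime in seconds (login webflow state; not the SSO ticket lifetime).
server.session.timeout=300
server.session.cookie.http-only=true
server.session.tracking-modes=COOKIE
##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=true
spring.thymeleaf.mode=HTML
##
# CAS Log4j Configuration
#
# logging.config=file:/etc/cas/log4j2.xml
server.context-parameters.isLog4jAutoInitializationDisabled=true
##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true
##
# CAS Authentication Credentials
#
# The built-in static casuser/Mellon account stays commented out.
#cas.authn.accept.users=casuser::Mellon
# No static users.
# NOTE(review): staticAuthentication is not a standard cas.* key and nothing else on
# this page reads it; presumably consumed by project code — confirm, otherwise drop it.
staticAuthentication=false
# Load registered services from the bundled JSON definitions at start-up.
cas.serviceRegistry.initFromJson=true
# Query Database Authentication — begin
# Lookup used to authenticate; parameterised (?) and must return the password column.
cas.authn.jdbc.query[0].sql=select * from sys_user where username=?
# Column holding the stored password hash (required).
cas.authn.jdbc.query[0].fieldPassword=password
# Column flagging an expired account: 1 = expired, login refused.
cas.authn.jdbc.query[0].fieldExpired=expired
# Column flagging a disabled account: 1 = disabled, a password change is required.
cas.authn.jdbc.query[0].fieldDisabled=disabled
# Hibernate dialect.
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
# JDBC driver.
cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
# Database connection.
cas.authn.jdbc.query[0].url=jdbc:mysql://127.0.0.1:3306/sso
# Dev only: root/root is reused by every ${cas.authn.jdbc.query[0].*} reference in this
# file, so a single least-privilege account (read on sys_user*, update on
# sys_user.password) injected at deploy time would replace all of them at once.
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].password=root
# Password encoder: DEFAULT hashes the submitted password with encodingAlgorithm before
# comparing it with fieldPassword; NONE would compare plaintext.
# Dev only: unsalted MD5 is not an acceptable credential hash — move to an adaptive
# hash (e.g. the BCRYPT encoder type) and re-hash stored passwords before real use.
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
#cas.authn.jdbc.query[0].passwordEncoder.type=org.springframework.security.authentication.encoding.Md5PasswordEncoder
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
# Encoder secret; nothing in this configuration uses it, so it stays empty. Declared so
# that the ${cas.authn.jdbc.query[0].passwordEncoder.secret} reference in the
# password-management section resolves instead of being left unresolved.
cas.authn.jdbc.query[0].passwordEncoder.secret=
# Query Database Authentication — end
# Encode Database Authentication — begin
# Number of hash iterations.
cas.authn.jdbc.encode[0].numberOfIterations=2
# Optional column whose value overrides numberOfIterations; if set, stored hashes must
# have been produced with that per-row count.
cas.authn.jdbc.encode[0].numberOfIterationsFieldName=
# Column supplying the per-user salt.
cas.authn.jdbc.encode[0].saltFieldName=username
# Static salt applied to every hash.
cas.authn.jdbc.encode[0].staticSalt=.
cas.authn.jdbc.encode[0].sql=select * from sys_user_encode where username=?
# Digest applied after salting. Same caveat as above: MD5 with two iterations and the
# username as salt is a demo setting, not a credential-storage scheme.
cas.authn.jdbc.encode[0].algorithmName=MD5
cas.authn.jdbc.encode[0].passwordFieldName=${cas.authn.jdbc.query[0].fieldPassword}
cas.authn.jdbc.encode[0].expiredFieldName=${cas.authn.jdbc.query[0].fieldExpired}
cas.authn.jdbc.encode[0].disabledFieldName=${cas.authn.jdbc.query[0].fieldDisabled}
cas.authn.jdbc.encode[0].url=${cas.authn.jdbc.query[0].url}
cas.authn.jdbc.encode[0].dialect=${cas.authn.jdbc.query[0].dialect}
cas.authn.jdbc.encode[0].user=${cas.authn.jdbc.query[0].user}
cas.authn.jdbc.encode[0].password=${cas.authn.jdbc.query[0].password}
cas.authn.jdbc.encode[0].driverClass=${cas.authn.jdbc.query[0].driverClass}
# Encode Database Authentication — end
# Password management — begin
# Enable the built-in password-management flow.
cas.authn.pm.enabled=true
# Reset mail; see https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#password-management
cas.authn.pm.reset.from=${spring.mail.username}
# Mail subject.
cas.authn.pm.reset.subject=SSO DEMO 重置密碼
# Mail body. It must contain %s: CAS substitutes the reset link there (built from
# cas.server.prefix and carrying a one-time token); without it the link is never sent.
# NOTE(review): java.util.Properties decodes .properties files as ISO-8859-1; if the
# delivered text is garbled, escape the non-ASCII characters as \uXXXX or confirm the
# config server loads this file as UTF-8.
cas.authn.pm.reset.text=開啟以下連結重置您的密碼(SSO-DEMO): %s
# Reset-token lifetime in minutes.
cas.authn.pm.reset.expirationMinutes=10
# Principal attribute holding the address the reset link is mailed to.
# NOTE(review): no attribute named mail is mapped by the attribute repositories below
# (the column is released as email); with the JDBC password manager the address comes
# from sqlFindEmail, so this likely matters only for other backends — confirm.
cas.authn.pm.reset.emailAttribute=mail
# Require security-question answers before a reset.
cas.authn.pm.reset.securityQuestionsEnabled=true
# Regex every new password must match (properties escaping: \\d is the regex \d).
# Dev only: 3–10 digits is a trivially guessable policy; require length and mixed
# character classes before real use.
cas.authn.pm.policyPattern=\\d{3,10}
# Outgoing mail (SMTP over SSL).
spring.mail.host=smtp.qq.com
spring.mail.port=465
# Mailbox account. The value was lost when this page was extracted; supply your own.
spring.mail.username=<REPLACE_WITH_MAIL_USERNAME>
# Mailbox authorization code. The published listing contained a live code here; it is
# replaced by a placeholder — inject it from an environment variable or a secret store
# instead of committing it to the config repository, and revoke any code that has
# already been published.
spring.mail.password=<REPLACE_WITH_MAIL_AUTH_CODE>
spring.mail.testConnection=false
spring.mail.properties.mail.smtp.auth=true
# SSL is mandatory for this SMTP host.
spring.mail.properties.mail.smtp.ssl.enable=true
# Password-management queries (all parameterised with ?).
# Security questions for a user.
cas.authn.pm.jdbc.sqlSecurityQuestions=select question, answer from sys_user_question where username=?
# E-mail address for a user.
cas.authn.pm.jdbc.sqlFindEmail=select email from sys_user where username=?
# Store the new password hash.
cas.authn.pm.jdbc.sqlChangePassword=update sys_user set password=? where username=?
cas.authn.pm.jdbc.url=${cas.authn.jdbc.query[0].url}
cas.authn.pm.jdbc.user=${cas.authn.jdbc.query[0].user}
cas.authn.pm.jdbc.password=${cas.authn.jdbc.query[0].password}
cas.authn.pm.jdbc.dialect=${cas.authn.jdbc.query[0].dialect}
cas.authn.pm.jdbc.driverClass=${cas.authn.jdbc.query[0].driverClass}
# The encoder used to store a changed password must match the one used at login;
# referencing the query[0] values keeps the two in step.
cas.authn.pm.jdbc.passwordEncoder.type=${cas.authn.jdbc.query[0].passwordEncoder.type}
cas.authn.pm.jdbc.passwordEncoder.characterEncoding=${cas.authn.jdbc.query[0].passwordEncoder.characterEncoding}
cas.authn.pm.jdbc.passwordEncoder.encodingAlgorithm=${cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm}
cas.authn.pm.jdbc.passwordEncoder.secret=${cas.authn.jdbc.query[0].passwordEncoder.secret}
# Defaults to false, in which case the update statement is never committed.
cas.authn.pm.jdbc.autocommit=true
# Password management — end
# Service registry persistence — begin
# (The original heading says MongoDB, but these are the JPA registry keys; the values
# duplicate cas-management-dev.properties.)
# cas.serviceRegistry.jpa.healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.SYSTEM_USERS
# cas.serviceRegistry.jpa.isolateInternalQueries=false
cas.serviceRegistry.jpa.url=jdbc:mysql://127.0.0.1:3306/sso
cas.serviceRegistry.jpa.failFast=true
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5Dialect
cas.serviceRegistry.jpa.leakThreshold=10
cas.serviceRegistry.jpa.batchSize=1
cas.serviceRegistry.jpa.defaultCatalog=
cas.serviceRegistry.jpa.defaultSchema=
cas.serviceRegistry.jpa.user=root
# Hibernate create-drop recreates the registry tables at start-up and drops them at
# shutdown; with initFromJson=true the services are reloaded every time. The management
# app uses the same schema and setting, so stopping either application wipes the
# registry for the other — use update (or none) once data should survive a restart.
cas.serviceRegistry.jpa.ddlAuto=create-drop
cas.serviceRegistry.jpa.password=root
cas.serviceRegistry.jpa.autocommit=true
cas.serviceRegistry.jpa.driverClass=com.mysql.jdbc.Driver
cas.serviceRegistry.jpa.idleTimeout=5000
cas.serviceRegistry.jpa.pool.suspension=false
cas.serviceRegistry.jpa.pool.minSize=6
cas.serviceRegistry.jpa.pool.maxSize=18
cas.serviceRegistry.jpa.pool.maxIdleTime=1000
cas.serviceRegistry.jpa.pool.maxWait=2000
# Service registry persistence — end
# CAS built-in monitoring — begin
# Dev only. Taken together, the block below publishes every actuator and CAS endpoint
# under /status to any unauthenticated client: basic auth is off, every endpoint is
# enabled and marked non-sensitive, and the admin-page IP pattern .* matches every
# address. That includes remote shutdown and restart, /env and /configprops (which
# expose this configuration) and heapdump (a JVM heap dump contains whatever is live
# in memory, tickets and sessions included). Before this profile is reachable from
# anywhere else: restrict cas.adminPagesSecurity.ip to an admin network, set
# endpoints.sensitive=true (or turn basic auth back on), and disable shutdown, restart,
# heapdump, env and configprops.
management.security.enabled=false
management.context-path=/status
management.add-application-context-header=false
security.basic.authorize-mode=role
security.basic.enabled=false
cas.adminPagesSecurity.ip=.*
endpoints.sensitive=false
endpoints.enabled=true
endpoints.restart.enabled=true
endpoints.shutdown.enabled=true
endpoints.autoconfig.enabled=true
endpoints.beans.enabled=true
endpoints.bus.enabled=true
endpoints.configprops.enabled=true
endpoints.dump.enabled=true
endpoints.env.enabled=true
endpoints.health.enabled=true
endpoints.features.enabled=true
endpoints.info.enabled=true
endpoints.loggers.enabled=true
endpoints.logfile.enabled=true
endpoints.trace.enabled=true
endpoints.docs.enabled=true
endpoints.heapdump.enabled=true
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.monitor.endpoints.dashboard.enabled=true
cas.monitor.endpoints.dashboard.sensitive=false
cas.monitor.endpoints.auditEvents.enabled=true
cas.monitor.endpoints.auditEvents.sensitive=false
cas.monitor.endpoints.authenticationEvents.enabled=true
cas.monitor.endpoints.authenticationEvents.sensitive=false
cas.monitor.endpoints.configurationState.enabled=true
cas.monitor.endpoints.configurationState.sensitive=false
cas.monitor.endpoints.healthCheck.enabled=true
cas.monitor.endpoints.healthCheck.sensitive=false
cas.monitor.endpoints.loggingConfig.enabled=true
cas.monitor.endpoints.loggingConfig.sensitive=false
cas.monitor.endpoints.metrics.enabled=true
cas.monitor.endpoints.metrics.sensitive=false
cas.monitor.endpoints.attributeResolution.enabled=true
cas.monitor.endpoints.attributeResolution.sensitive=false
cas.monitor.endpoints.singleSignOnReport.enabled=true
cas.monitor.endpoints.singleSignOnReport.sensitive=false
cas.monitor.endpoints.statistics.enabled=true
cas.monitor.endpoints.statistics.sensitive=false
cas.monitor.endpoints.trustedDevices.enabled=true
cas.monitor.endpoints.trustedDevices.sensitive=false
cas.monitor.endpoints.status.enabled=true
cas.monitor.endpoints.status.sensitive=false
cas.monitor.endpoints.singleSignOnStatus.enabled=true
cas.monitor.endpoints.singleSignOnStatus.sensitive=false
cas.monitor.endpoints.springWebflowReport.enabled=true
cas.monitor.endpoints.springWebflowReport.sensitive=false
# CAS built-in monitoring — end
## Multi-attribute release — begin
### Single-row repository: one row per user, each column mapped to a principal attribute.
cas.authn.attributeRepository.jdbc[0].attributes.id=id
cas.authn.attributeRepository.jdbc[0].attributes.username=username
# WARNING(review): this maps the stored password hash as a releasable principal
# attribute. Any registered service whose attribute release policy includes it (or
# releases all attributes) receives the hash in its validation response. Remove the
# line unless a specific service genuinely needs it.
cas.authn.attributeRepository.jdbc[0].attributes.password=password
cas.authn.attributeRepository.jdbc[0].attributes.intime=intime
cas.authn.attributeRepository.jdbc[0].attributes.attemptstime=attemptstime
cas.authn.attributeRepository.jdbc[0].attributes.email=email
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].order=0
cas.authn.attributeRepository.jdbc[0].url=${cas.authn.jdbc.query[0].url}
# Columns that build the WHERE clause substituted for {0} in sql; comma-separated when
# several, e.g. username,email yields "select * from sys_user where username=? OR email=?"
# with the columns joined by queryType.
cas.authn.attributeRepository.jdbc[0].username=username
cas.authn.attributeRepository.jdbc[0].queryType=OR
cas.authn.attributeRepository.jdbc[0].user=${cas.authn.jdbc.query[0].user}
cas.authn.attributeRepository.jdbc[0].password=${cas.authn.jdbc.query[0].password}
cas.authn.attributeRepository.jdbc[0].sql=select * from sys_user where {0}
cas.authn.attributeRepository.jdbc[0].dialect=${cas.authn.jdbc.query[0].dialect}
cas.authn.attributeRepository.jdbc[0].ddlAuto=none
cas.authn.attributeRepository.jdbc[0].driverClass=${cas.authn.jdbc.query[0].driverClass}
cas.authn.attributeRepository.jdbc[0].leakThreshold=10
cas.authn.attributeRepository.jdbc[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc[0].batchSize=1
cas.authn.attributeRepository.jdbc[0].failFast=true
# Multi-row repository: several rows per user, each a key/value pair.
cas.authn.attributeRepository.jdbc[1].attributes.group=group_multi
cas.authn.attributeRepository.jdbc[1].attributes.school=school_multi
# Key column / value column.
cas.authn.attributeRepository.jdbc[1].columnMappings.ATTR_KEY=ATTR_VAL
cas.authn.attributeRepository.jdbc[1].singleRow=false
cas.authn.attributeRepository.jdbc[1].order=1
cas.authn.attributeRepository.jdbc[1].url=${cas.authn.jdbc.query[0].url}
cas.authn.attributeRepository.jdbc[1].username=username
cas.authn.attributeRepository.jdbc[1].user=${cas.authn.jdbc.query[0].user}
cas.authn.attributeRepository.jdbc[1].password=${cas.authn.jdbc.query[0].password}
cas.authn.attributeRepository.jdbc[1].sql=select * from sys_attrs where {0}
cas.authn.attributeRepository.jdbc[1].dialect=${cas.authn.jdbc.query[0].dialect}
cas.authn.attributeRepository.jdbc[1].ddlAuto=none
cas.authn.attributeRepository.jdbc[1].driverClass=${cas.authn.jdbc.query[0].driverClass}
cas.authn.attributeRepository.jdbc[1].leakThreshold=10
cas.authn.attributeRepository.jdbc[1].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc[1].batchSize=1
cas.authn.attributeRepository.jdbc[1].failFast=true
## Multi-attribute release — end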
未完待續。。。。