CAS Single Sign-on

  • Last update:  2020-12-24
  • Overview

    This article introduces how to combine FineReport with CAS Single Sign-On (SSO).

    You will learn
    • Configure SSL certificates to enable HTTPS access

      • Overview

      • Steps

        • Create a certificate

        • Export the certificate

        • Export the certificate to JDK certificate trust store

        • Move the certificate to the Tomcat installation directory

        • Apply the certificate to Web server

      • Notes

    • Install and Configure

      • Overview

      • Steps

        • Download CAS

        • Install CAS

        • Test CAS

    • Enable database-based authentication

      • Overview

      • Steps

        • Add a dependency

        • Create a database and a table

        • Configure CAS to enable database-based authentication

      • View the effect

        • Test database-based authentication

    • Configure FineReport as CAS client

      • Overview

      • Steps

        • Copy JAR packages

        • Add web.xml

      • View the effect

    Configure SSL certificates to enable HTTPS access

    I. Overview

    Configuring certificates is an important part of the SSO authentication system, because the security of the interactions between clients and servers hinges on them. For demonstration purposes, this tutorial generates a certificate with keytool, the tool built into the Java Development Kit. In a real production environment you have to purchase certificates from a certificate provider and have them issued by an internationally recognized CA such as VeriSign or GlobalSign.

    The following describes how to generate an SSL certificate with the JDK's built-in keytool on Windows and configure it in the Tomcat server.

    II. Steps

    1. Create a certificate

    1) Install the JRE first. Right-click cmd or Windows PowerShell, choose Run as administrator and click OK to open the command prompt window. Type cd D:\java\jdk1.8.0_271\jre\bin to enter the bin directory under the JRE.

    Note: this JRE must be the one that Tomcat is configured to run on.

    Execute the following command:

    keytool -genkey -alias tomcat-servers -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

    2) To migrate to PKCS12 which is an industry standard format, execute the following command:

    keytool -importkeystore -srckeystore server.keystore -destkeystore server.keystore -deststoretype pkcs12

    Enter the keystore password: changeit, as shown below:

    Note: when typing your first and last name, please type a domain name instead of an IP address.

    Note: in this instance, we type alex as the first and last name, but this domain name does not actually exist. It is a virtual domain name used here for demonstration purposes, so we have to map it in the hosts file, which is set as follows:

    In this way, when we access alex, we actually access 127.0.0.1, or the local host.


    2. Export the certificate

    Execute the following command:

    keytool -export -alias tomcat-servers -storepass changeit -file server.cer -keystore server.keystore

    Export the certificate, as shown below:


    3. Export the certificate to JDK certificate trust store

    Execute the following command:

    keytool -import -trustcacerts -alias servers -file server.cer -keystore cacerts -storepass changeit

    When the system asks whether to trust this certificate, please type y, as shown below:


    4. Move the certificate to the Tomcat installation directory

    1) Navigate to the directory %JRE_HOME%\bin and copy the newly generated server.keystore, server.cer and cacerts to the Tomcat installation directory %TOMCAT_HOME%, as shown below:

    2) Copy the file cacerts from the directory %JRE_HOME%\bin to the JRE security directory %JRE_HOME%\lib\security, overwriting the existing cacerts there, as shown below:


    5. Apply the certificate to Web server

    1) Configure the file server.xml: run the text editor as an administrator and open %TOMCAT_HOME%\conf\server.xml. Locate the SSL connector configuration and add the certificate path keystoreFile and the keystore password keystorePass, as shown below:

    Note: the path can be an absolute path or a path relative to the Tomcat directory.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="D:\apache-tomcat-8.5.57\server.keystore" keystorePass="changeit"/>

    2) Restart Tomcat server and visit https://alex:8443/, as shown below:

    If the interface above appears, you have successfully completed Tomcat SSL configuration.

    III. Notes

    1) If the Tomcat service does not start after the configuration above is completed, the step that applies the certificate to the web server has failed. Check that you have completed every step above.

    2) If the browser reports that “There is a problem with this website’s security certificate”, this is because the certificate generated with keytool is self-signed, so the browser does not trust it and warns that the certificate is at risk. In this case, you can apply for a free certificate from Alibaba Cloud.

    Install and Configure CAS

    I. Overview

    CAS SSO also entails installing and configuring CAS. The following describes how to install and configure CAS.

    II. Steps

    1. Download CAS

    Click to download CAS: CAS.


    2. Install CAS

    1) Decompress the downloaded cas-server-3.5.2-release.zip, locate cas-server-webapp-3.5.2.war in the folder %CAS%\modules and rename it as cas.war, as shown below:

    2) Copy cas.war to the folder %TOMCAT_HOME%\webapps, start Tomcat and you will see that Tomcat automatically decompresses cas.war to the folder cas, as shown below:



    3. Test CAS

    By default, CAS deems that as long as the username equals the password, login is successful.

    Note: database-based authentication can be enabled by modifying configuration; CAS is tested with default configuration here.

    1) Enter the URL https://localhost:8443/cas/login in the web browser or use the virtual domain name https://alex:8443/cas/login set through the document Configure SSL Certificates to Enable HTTPS Access. If IE displays a certificate warning message, directly click Continue to browse this website (not recommended), as shown below:

    2) Here, enter any username and password. If the username equals the password, the system indicates successful login, as shown below:

    3) You may enter the URL https://localhost:8443/cas/logout in the web browser or use the virtual domain name set in the previous section: https://alex:8443/cas/logout, then the system automatically logs out, as shown below:

    At this point, the server-side configuration has been completed.

    Enable database-based authentication

    I. Overview

    Database-based authentication allows different users, each with their own account stored in a database table, to log in.

    This article takes MySQL databases for example.

    Note: if MySQL 8.0 is used, you have to download mysql-connector-java-5.1.46.jar (Feb. 2018 version).

    II. Steps

    1. Add a dependency

    Copy JAR packages cas-server-support-jdbc-3.5.2.jar and mysql-connector-java-5.1.6-bin.jar to the directory %TOMCAT_HOME%\webapps\cas\WEB-INF\lib, as shown below:

    Note: if another database is used, put the corresponding JDBC driver package into the directory.


    2. Create a database and a table

    Create a table named userinfo, with the username column named username and the password column named userpass, as below:


    3. Configure CAS to enable database-based authentication

    1) Add database configuration information

    Start the text editing tool as an administrator, open %TOMCAT_HOME%\webapps\cas\WEB-INF\deployerConfigContext.xml and locate the code below:

    <bean id="authenticationManager"  class="org.jasig.cas.authentication.AuthenticationManagerImpl">

    Insert the MySQL JDBC data source bean in front of that line, as shown below:

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName"><value>driver</value></property>
        <property name="url"><value>url</value></property>
        <property name="username"><value>database username</value></property>
        <property name="password"><value>database password</value></property>
    </bean>

    See the following figure:

    Note: the driver is replaced with the corresponding database driver. If a MySQL database is used, then the driver is com.mysql.jdbc.Driver, the URL is jdbc:mysql://ip:port/databaseName and the database username and password are replaced with the actual username and password.

    If another database is used, please refer to JDBC connection database for driver and URL.

    2) Add user authentication information

    Start the text editing tool as an administrator, open %TOMCAT_HOME%\webapps\cas\WEB-INF\deployerConfigContext.xml and locate the following code:

    <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />

    Note: this configuration uses SimpleTestUsernamePasswordAuthenticationHandler for user authentication, which means login succeeds whenever the username equals the password and fails otherwise. We need to replace it with the database-based authentication configuration.

    Comment out the code, as shown below:

    Insert below it the following code:

    <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
        <property name="dataSource" ref="dataSource" />
        <property name="sql" value="select userpass from userinfo where username=?" />
    </bean>

    The parameters in the inserted configuration are described below:

    Parameter: QueryDatabaseAuthenticationHandler
    Description: One of the query interfaces offered by cas-server-support-jdbc. It looks up the stored password with the configured SQL statement and matches it against the password given at login.

    Parameter: dataSource
    Description: The data source used for the JDBC query.

    Parameter: sql
    Description: The statement that decides which table is queried. In this instance it queries the password by the field username in the table userinfo; CAS matches the result with the password the user enters, and login succeeds if they match.

    3) Save the modification

    Save the modification to %TOMCAT_HOME%\webapps\cas\WEB-INF\deployerConfigContext.xml.

    4) Restart

    Restart Tomcat service.
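    The following Python script is an added example, not part of this document or of CAS, illustrating what the handler configured above does with the userinfo table: it runs the page's SQL statement with the username as a bound parameter and compares the stored userpass with the submitted password. An in-memory SQLite table with constructed users (alice, bob) stands in for the MySQL table so the script runs offline. As configured on the page, userpass holds the password in clear text; the second half of the script shows the same lookup against a salted PBKDF2 hash, which is how the column should be stored in production (CAS would then need a matching password encoder, which this page does not cover).

```python
import hashlib
import hmac
import os
import sqlite3

# The SQL statement from the page's handler configuration. The "?" is a bound
# parameter: the submitted username is handed to the driver separately and is
# never spliced into the statement text, so it cannot alter the query.
SQL = "select userpass from userinfo where username=?"


def make_db():
    """Constructed stand-in for the page's MySQL table userinfo(username, userpass).
    SQLite in memory is used so the example runs offline; the schema is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text primary key, userpass text not null)")
    conn.executemany("insert into userinfo values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed users
    return conn


def plaintext_authenticate(conn, username, password):
    """What the page's QueryDatabaseAuthenticationHandler configuration does:
    run SQL with the username bound, then compare the stored userpass with the
    submitted password. An unknown user yields no row and fails closed."""
    row = conn.execute(SQL, (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-SHA256 record in the form algorithm$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def make_hashed_db():
    """Same table, but userpass holds a salted hash instead of the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text primary key, userpass text not null)")
    conn.executemany("insert into userinfo values (?, ?)",
                     [(u, hash_password(p)) for u, p in [("alice", "s3cret"), ("bob", "hunter2")]])
    return conn


def hashed_authenticate(conn, username, password):
    """Same lookup by bound username; only the comparison step changes."""
    row = conn.execute(SQL, (username,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db = make_db()
    print(plaintext_authenticate(db, "alice", "s3cret"))           # True
    print(plaintext_authenticate(db, "' or 1=1 --", "s3cret"))     # False: bound, not injected
    print(hashed_authenticate(make_hashed_db(), "bob", "hunter2"))  # True
```

    The odd-looking username in the last lines is handled as an ordinary string value because the statement uses a bound parameter; that is the property to preserve if the sql value is ever edited. Both variants fail closed when the username is unknown, and neither reveals whether the username or the password was wrong.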

    III. View the effect

    1. Test database-based authentication

    1) Enter the URL https://alex:8443/cas/login in the web browser. If IE displays a certificate warning message, click “Continue to browse this website (not recommended)”, as shown below:

    2) CAS matches the username and password the user enters with those in the table userinfo. If they match, the system displays successful login, as shown below:

    Configure FineReport as CAS client

    I. Overview

    The following describes how to combine FineReport with CAS SSO.

    II. Steps

    1. Copy JAR packages

    Copy JAR packages of CAS, namely casclient.jar and cas-client-core-3.2.1.jar, and %Java_HOME%\jdk\lib\tools.jar to %TOMCAT_HOME%\webapps\webroot\WEB-INF\lib, as shown below:


    2. Add web.xml

    1) Create a new file web.xml under the directory %TOMCAT_HOME%\webapps\webroot\WEB-INF, and insert the following code:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app
       xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
       version="2.4">
      <display-name>Template WebApp</display-name>
      <mime-mapping>
        <extension>msi</extension>
        <mime-type>application/x-msi</mime-type>
      </mime-mapping>
      <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
          <param-value>https://alex:8443/cas/login</param-value>
          <!-- URL of the CAS login page -->
        </init-param>
        <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
          <param-value>https://alex:8443/cas/proxyValidate</param-value>
          <!-- URL of the CAS service ticket / proxy ticket validation service -->
        </init-param>
        <init-param>
          <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
          <param-value>alex:8443</param-value>
          <!-- domain name and port of the client application -->
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/decision/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>FrFilter</filter-name>
        <filter-class>com.fr.FrFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>FrFilter</filter-name>
        <url-pattern>/decision/*</url-pattern>
      </filter-mapping>
    </web-app>


    In the code, alex is a configured virtual domain name, which should be modified as the case may be, as shown below:

    2) Add filter information; for the Java code, see the link: FrFilter.java

    Compile FrFilter.java into a class file: FrFilter.class and put it into the directory %TOMCAT_HOME%\webroot\WEB-INF\classes\com\fr, as shown below:
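    The three init-params in the web.xml above (loginUrl, validateUrl, serverName) drive the exchange the CASFilter performs in front of /decision/*. The Python script below is an added example that walks through that exchange; it is not FineReport's FrFilter code nor the CAS client library. It uses the page's URL values, stands in a constructed fake_cas function for the CAS server so it runs offline, and assumes the CAS 2.0 XML response format (cas:authenticationSuccess with cas:user, or cas:authenticationFailure) that the /proxyValidate endpoint returns.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"

# The three init-params from the page's web.xml (alex is its virtual domain name).
LOGIN_URL = "https://alex:8443/cas/login"
VALIDATE_URL = "https://alex:8443/cas/proxyValidate"
SERVER_NAME = "alex:8443"


def service_url(request_path):
    """The 'service' the client identifies itself with: the protected URL the
    user requested, rebuilt on serverName with any ticket parameter removed, so
    the value sent at validation equals the one sent at login."""
    parts = urlsplit(request_path)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop("ticket", None)
    return urlunsplit(("https", SERVER_NAME, parts.path, urlencode(query, doseq=True), ""))


def login_redirect(request_path):
    """Step 1: an unauthenticated request is redirected to loginUrl with the service attached."""
    return LOGIN_URL + "?" + urlencode({"service": service_url(request_path)})


def validation_request(request_path, ticket):
    """Step 2: after CAS sends the browser back with ?ticket=ST-..., the client
    itself calls validateUrl over HTTPS with the same service and the ticket."""
    return VALIDATE_URL + "?" + urlencode({"service": service_url(request_path), "ticket": ticket})


def parse_validation_response(xml_text):
    """Step 3: parse the CAS 2.0 XML reply. Returns the username on
    cas:authenticationSuccess, None on cas:authenticationFailure or on anything
    that is not a well-formed CAS response (fail closed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != CAS_NS + "serviceResponse":
        return None
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None
    user = success.findtext(CAS_NS + "user")
    return user.strip() if user and user.strip() else None


def handle_request(request_path, fetch):
    """One pass of the filter: no ticket -> redirect to login; ticket present ->
    validate it through fetch(url) and either accept the user or send back to login.
    The ticket parameter on its own is never trusted; only the validation reply decides."""
    ticket = parse_qs(urlsplit(request_path).query).get("ticket", [""])[0]
    if not ticket:
        return ("redirect", login_redirect(request_path))
    user = parse_validation_response(fetch(validation_request(request_path, ticket)))
    if user is None:
        return ("redirect", login_redirect(request_path))
    return ("user", user)


# Constructed CAS replies standing in for the real server, so this runs offline.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_cas(url):
    """Constructed validator: a single ticket value is accepted, and only when it
    is presented together with the service it was issued for."""
    q = parse_qs(urlsplit(url).query)
    ok = (q.get("ticket") == ["ST-1-constructed"]
          and q.get("service") == ["https://alex:8443/webroot/decision"])
    return SUCCESS_XML if ok else FAILURE_XML


if __name__ == "__main__":
    print(handle_request("/webroot/decision", fake_cas))
    print(handle_request("/webroot/decision?ticket=ST-1-constructed", fake_cas))
    print(handle_request("/webroot/decision?ticket=ST-forged", fake_cas))
```

    Two points of this flow matter for the setup on this page. The validation call in step 2 is a server-to-server HTTPS request from the Tomcat JVM to validateUrl, which is why the earlier step of importing the certificate into the JRE's cacerts is required: if that JVM does not trust the CAS server's certificate, ticket validation fails and every login loops back to the CAS page. And the service value must be identical at login and at validation, which is what the serverName parameter fixes; a ticket presented with a different service is rejected, as the last call in the script shows.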


    III. View the effect

    Start the Tomcat server and enter https://localhost:8443/webroot/decision in the browser to reach the CAS login interface. Enter the username and password, and you are redirected to the corresponding user interface on the decision-making platform, as shown below:




    Theme: Deployment and Integration