
Single Sign-On with CAS: Authenticating DB Users with the ESUP Plugin

August 3, 2013

In SSO implementations, authenticating users against a relational database is by far the most common case. The ESUP plugin makes it easy to have CAS authenticate users against a DB, and this article describes how to configure ESUP. ESUP offers three authentication modes: bind mode (the database's own users can authenticate through CAS), search mode (users stored in a given table of the DB can authenticate through CAS), and query mode (authentication succeeds when the result of an SQL query matches the information supplied by the user).

This method is essentially used by organizations in which some users, for technical or political reasons, are not registered in the LDAP directory but in a separate database.

As for LDAP authentication, fault tolerance is ensured by the redundancy of database servers, and three access modes are provided (bind, search and query).

Bind mode

In this mode, users must be declared in the database, i.e. they are database users; authentication is successful when the information given by the user allows CAS to connect to the database.

One may use:

<authentication debug="off">
  <handler>
    <!-- bind mode: the user's own credentials are used to open the JDBC connection -->
    <classname>org.esupportail.cas.server.handlers.database.BindDatabaseHandler</classname>
    <config>
      <server>
        <jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
        <jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
      </server>
    </config>
  </handler>
</authentication>

Search mode

This mode uses a privileged connection to the database. The authentication information (login and password) is stored in a table; authentication is successful when the information provided by the user is found in the database.

One may use:

<authentication debug="off">
  <handler>
    <classname>org.esupportail.cas.server.handlers.database.SearchDatabaseHandler</classname>
    <config>
      <table>user</table>
      <login_column>login</login_column>
      <password_column>password</password_column>
      <bind_username>admin</bind_username>
      <bind_password>secret</bind_password>
      <server>
        <jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
        <jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
      </server>
    </config>
  </handler>
</authentication>

When using this mode, the administrator should specify:

  • the database table the users are stored in;
  • the columns storing the users' ids and passwords;
  • the encryption used to store the password (optional);
  • the credentials used to connect to the database (optional).

Query mode

This mode also uses a privileged connection to the database. The authentication information may be stored anywhere in the database, and authentication is successful when the information provided by the user matches the information returned by the query.

One may use:

<authentication debug="off">
  <handler>
    <classname>org.esupportail.cas.server.handlers.database.QueryDatabaseHandler</classname>
    <config>
      <sql_query>SELECT md5_password FROM user WHERE login = '%u' AND NOT locked</sql_query>
      <encryption>md5</encryption>
      <bind_username>admin</bind_username>
      <bind_password>secret</bind_password>
      <server>
        <jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
        <jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
      </server>
    </config>
  </handler>
</authentication>

When using this mode, the administrator should specify:

  • the SQL query used to query the database. This query can contain the special "%u" token, which is replaced by the user's netId at runtime;
  • the encryption used to store the password (plain, des, md5 and pammd5 are allowed, md5 by default);
  • the credentials used to connect to the database (optional).

Note: internally, a SearchDatabaseHandler is a QueryDatabaseHandler using the following SQL query:

SELECT <password_column> FROM <table> WHERE <login_column> = '%u'
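To make the search/query relationship concrete, here is an added model (not ESUP code) of what the two handlers verify: the search-mode template is built from table and column names exactly as in the note above, the query is run for the netId, and the returned value is compared with the supplied password encoded under the configured encryption. It assumes an in-memory SQLite "user" table with constructed rows, supports only the plain and md5 encryptions, and, as this model's own choice rather than a statement about ESUP's implementation, turns the '%u' token into a bound parameter so the netId is passed as data, not SQL text.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for the "user" table of the page's examples.
SAMPLE_USERS = [
    ("alice", hashlib.md5(b"alice-pass").hexdigest(), 0),
    ("bob", hashlib.md5(b"bob-pass").hexdigest(), 1),        # locked account
    ("o'brien", hashlib.md5(b"ob-pass").hexdigest(), 0),     # login containing a quote
]


def make_db():
    """In-memory SQLite stand-in for the MySQL server of the page's config."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT, md5_password TEXT, locked INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_mode_query(table, login_column, password_column):
    """The query a SearchDatabaseHandler uses internally, per the note above."""
    return f"SELECT {password_column} FROM {table} WHERE {login_column} = '%u'"


def encode(password, encryption):
    """Encode the supplied password the way the stored column is encoded."""
    if encryption == "plain":
        return password
    if encryption == "md5":
        return hashlib.md5(password.encode()).hexdigest()
    raise ValueError(f"unsupported encryption in this model: {encryption}")


def query_mode_authenticate(conn, sql_query, net_id, password, encryption="md5"):
    """Model of QueryDatabaseHandler: run the query for net_id, compare the result."""
    # Assumption of this model: '%u' becomes a bound parameter (hypothetical, not ESUP's code).
    if sql_query.count("'%u'") != 1:
        raise ValueError("query must contain exactly one '%u' token")
    rows = conn.execute(sql_query.replace("'%u'", "?"), (net_id,)).fetchall()
    if len(rows) != 1:
        return False  # unknown, locked-out or ambiguous user: fail closed
    stored = str(rows[0][0]).encode()
    return hmac.compare_digest(stored, encode(password, encryption).encode())
```

Running the page's query-mode SQL against this table rejects the locked user "bob", while the search-mode template for the same columns accepts him, because it carries no locked check.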

Database servers

The database servers are defined by:

  • the JDBC URL of the database;
  • the JDBC driver that should be used to access the database.

When several servers are specified, they are all treated as replicas: if authentication fails on one database, the whole database authentication fails, because the databases are expected to hold the same data; the next (redundant) server is tried only when the first one does not respond.

JDBC drivers

CAS GH developers usually place the JARs implementing the JDBC drivers they use into the ${tomcat.home}/webapps/cas/WEB-INF/lib directory (classes are placed into ${tomcat.home}/webapps/cas/WEB-INF/classes), or, when using one of the esup-cas-server and esup-cas-quick-start packages, directly into the custom/cas-server-patch/web/WEB-INF folder (so the files get deployed with ant).

No JDBC driver is provided with CAS GH, but the following links may help to find the JDBC driver corresponding to your database:
