Jenkins node name is case-sensitive.
tinyLog
為一拓荒者
星期二, 11月 05, 2024
星期二, 3月 28, 2023
Spring HTTP Strict Transport Security Guide
1. demo site
1.
2. generate, download, unzip, cd
3. docker run -it --rm --name my-maven-project -v "$(pwd)":/usr/src/mymaven -w /usr/src/mymaven maven:3.9.0-eclipse-temurin-17 mvn clean install
4. java -jar target/demo-0.0.1-SNAPSHOT.jar
5. get generated security password
6. visit http://localhost:8080 with username user and generated password
7.
2. index page
1. create src/main/java/com/example/demo/controller/WebController.java
package com.example.demo.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class WebController {
@RequestMapping(value = "/index")
public String index() {
return "index";
}
}
2. create src/main/resources/templates/index.html
<!DOCTYPE html>
<html>
<head>
<meta charset = "ISO-8859-1" />
<title>Spring Boot Application</title>
</head>
<body>
<h4>Welcome to Thymeleaf Spring Boot web application</h4>
</body>
</html>
3. repeat 1.3 ~ 1.6
4.
3. https
1. create self-signed keystore: demo.keystore
keytool -genkeypair -alias demo -keyalg RSA -keystore demo.keystore -storetype JKS -dname "CN=localhost" -keypass keyPass -storepass storePass
2. create spring config: demo.yml
server:
port: 8443
ssl:
enabled: true
key-alias: demo
key-store: "/your/path/to/demo.keystore"
key-store-type: jks
key-store-password: storePass
key-password: keyPass
3. java -jar demo-0.0.1-SNAPSHOT.jar --spring.config.location=demo.yml
4. repeat 1.5
5. visit https://localhost:8443 with username user and generated password, ignore self-signed certificate warning.
6.
星期六, 1月 07, 2023
Docker CAS 6.6.x with AD (just like LDAP)
- cas.authn.ldap[0].ldap-url=ldaps://azuread.abc.com.tw
- cas.authn.ldap[0].base-dn=ou=AADDC\ Users,dc=abc,dc=com,dc=tw
- cas.authn.ldap[0].type=AUTHENTICATED
- cas.authn.ldap[0].bind-dn=your_account@abc.com.tw
- cas.authn.ldap[0].bind-credential=yourPassword
- cas.authn.ldap[0].search-filter=(&(objectClass=user)(sAMAccountName={user}))
- cas.authn.ldap[0].principal-attribute-list=cn,displayName,sAMAccountName
Docker CAS 6.6.x with LDAP, not Anonymous
change
- cas.authn.ldap[0].type=ANONYMOUS
to
- cas.authn.ldap[0].type=AUTHENTICATED
- cas.authn.ldap[0].bind-dn=CN=user01,ou=users,dc=example,dc=org
- cas.authn.ldap[0].bind-credential=bitnami1
Docker CAS 6.6.x with LDAP
之前我們已確認了 Docker CAS 可以運作,預設帳密是 casuser / Mellon 這組,姑且稱之為「靜態帳密表」。接著利用這篇所述(注意版本,行文時已升到 2.6.3),來試試 CAS 如何與後端 LDAP 合作。首先開好 LDAP 與之前的 CAS,並進去確認連往 LDAP 的網路通暢:
- docker run -d --name cas -p 8080:8080 -v ./cas.properties:/etc/cas/config/cas.properties apereo/cas:6.6.4
- docker exec -it cas /bin/bash
- echo < /dev/tcp/172.18.8.166/1389 && echo on || echo off
- on
接著在 cas.properties 加入以下幾行:
- cas.authn.ldap[0].ldap-url=ldap://172.18.8.166:1389
- cas.authn.ldap[0].base-dn=ou=users,dc=example,dc=org
- cas.authn.ldap[0].type=ANONYMOUS
- cas.authn.ldap[0].search-filter=(&(objectClass=posixAccount)(cn={user}))
重啟帶有新設定的 CAS 雖然順利,但仍僅能驗證 casuser / Mellon 而不能驗證 LDAP user01 / bitnami1 這組帳密。注意看,log 裡面有這段:
- user01 not found in backing map.
意思是 CAS 把輸入的 user01 / bitnami1 這組帳密交給「靜態帳密表」了。為防止混淆,可以關掉它。在 cas.properties 加入一行:
- cas.authn.accept.users=
重啟之後情況不變?這時得把 log4j2.xml 抓出來改設定,看看發生了什麼問題?
- docker cp cas:/etc/cas/config/log4j2.xml .
- vi log4j2.xml
- <Property name="cas.log.level">debug</Property>
- vi cas.properties
- logging.config=file:/etc/cas/config/log4j2.xml
- docker stop cas
- docker rm cas
- lsof -i :8080
- <PID>
- kill <PID>
- docker run -d --name cas -p 8080:8080 -v ./cas.properties:/etc/cas/config/cas.properties -v ./log4j2.xml:/etc/cas/config/log4j2.xml apereo/cas:6.6.4
在海一般的訊息之中,唯一有幫助的是這條:
- <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=user01, source=null, customFields={})].>
這意思很難懂?沒錯,它其實要表達的是「現在這個 Docker CAS 並不支援 LDAP」。我們得學習這篇的做法,在這裡挑 6.6 或你想要的分支下載,在 build.gradle 檔案中找到 dependencies 段落,在其中新增一行:
- implementation "org.apereo.cas:cas-server-support-ldap"
這裡千萬要注意拼字是否正確?原文把 implementation 拼錯,複製貼上並不管用,也不會有錯誤訊息,我就這樣又去多走彎路了。然後在同目錄執行指令:
- gradlew clean build
幾分鐘後,可以看到一個新的 cas.war 在 build/libs 目錄下,大小應該會比 Docker Image 裡面那個要大一些,我們要用這個新的:
- docker run -d --name cas -p 8080:8080 -v ./cas.properties:/etc/cas/config/cas.properties -v ./log4j2.xml:/etc/cas/config/log4j2.xml -v ./cas.war:/docker/cas/war/cas.war apereo/cas:6.6.4
這次要有耐心一點,原本一分鐘就能開好的 CAS 可能要拉長到三分多鐘,不是壞了。能驗證 LDAP 的帳密,算是值得吧?
星期三, 1月 04, 2023
Docker CAS 6.6.x without SSL
- vi cas.properties
- server.port=8080
- server.ssl.enabled=false
- docker run -d --name cas -p 8080:8080 -v ./cas.properties:/etc/cas/config/cas.properties apereo/cas:6.6.4
星期二, 1月 03, 2023
Docker CAS 6.6.x needs /etc/cas/thekeystore
We can create the /etc/cas/thekeystore immediately like this:
docker run -d --name cas -p 8443:8443 apereo/cas:6.6.4; docker exec -it cas keytool -genkeypair -alias cas -keyalg RSA -keypass changeit -storepass changeit -keystore /etc/cas/thekeystore -dname "CN=localhost"