cas4.1证书生成，服务端搭建，注意事项

来源：互联网发布：伴唱软件编辑：程序博客网时间：2024/04/29 20:25

服务器端证书

1
我们在F盘下建立一个cas文件夹，在此文件夹中生成证书文件，打开dos命令窗口，进入此目录下，这样我们就不用来回制定路径了，只用关心证书生成，它会自动生成到cas文件夹里如图：
2
生成服务器端证书，
此命令用于在当前目录下新建别名为：server,执行完此命令cas文件夹下多了一个server.keystore文件。
3
导出服务器端证书，
执行完此命令cas文件夹下多了一个server.cer文件
4
导入服务器端证书，
执行完此命令cas文件夹下多了一个cacerts文件。
如果输入密码后报错，请将密码改为changeit。
END

客户端证书

1
生成客户端证书，
执行完此命令cas文件夹下多了一个client.keystore文件。
2
导出客户端证书，
执行完此命令cas文件夹下多了一个client.cer文件。
3
导入客户端证书，
执行完此命令cas文件夹文件数量不变。
END

然后是搭建服务器端

只需要在这里http://developer.jasig.org/cas/下载cas4.1文件，然后放到tomcat里，确保tomcat根目录下（就是和webapps同一级目录）放了我们上面生成的四个证书（除了cacerts）,然后就是修改server.xml文件

修改8443端口为

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="D:\cas\server.keystore"keystorePass="changeit"               maxThreads="150" scheme="https" secure="true"               clientAuth="false" sslProtocol="TLS" />

此时就可以启动项目登陆了，这时用户名密码都是写死的，　casuser　　Mellon

我们可以自己配置读取数据库修改apache-tomcat-7.0.52\webapps\cas\WEB-INF下的deployerConfigContext.xml文件

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xmlns:p="http://www.springframework.org/schema/p"       xmlns:c="http://www.springframework.org/schema/c"       xmlns:tx="http://www.springframework.org/schema/tx"       xmlns:util="http://www.springframework.org/schema/util"       xmlns:sec="http://www.springframework.org/schema/security"       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">    <!--       | The authentication manager defines security policy for authentication by specifying at a minimum       | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager       | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should       | be sufficient in most cases.       +-->    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">        <constructor-arg>            <map>                <!--                   | IMPORTANT                   | Every handler requires a unique name.                   | If more than one instance of the same handler class is configured, you must explicitly                   | set its name to something other than its default name (typically the simple class name).                   -->                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />                <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />            </map>        </constructor-arg>        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password             This switch effectively will turn on clearpass.        <property name="authenticationMetaDataPopulators">           <util:list>              <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"                    c:credentialCache-ref="encryptedMap" />           </util:list>        </property>        -->        <property name="authenticationPolicy">            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />        </property>    </bean>    <!-- Required for proxy ticket mechanism. -->    <bean id="proxyAuthenticationHandler"          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"          p:httpClient-ref="httpClient" /> <bean id="primaryAuthenticationHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"><property name="dataSource" ref="dataSource"></property><property name="sql" value="select password from user_info where username=? "></property><property name="passwordEncoder" ref="MD5PasswordEncoder"></property></bean>    <!-- Required for proxy ticket mechanism -->    <bean id="proxyPrincipalResolver"          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />    <!--       | Resolves a principal from a credential using an attribute repository that is configured to resolve       | against a deployer-specific store (e.g. LDAP).       -->    <bean id="primaryPrincipalResolver"          class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >        <property name="attributeRepository" ref="attributeRepository" />    </bean>    <!--    Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation    may go against a database or LDAP server.  The id should remain "attributeRepository" though.    +-->    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"            p:backingMap-ref="attrRepoBackingMap" />        <util:map id="attrRepoBackingMap">        <entry key="uid" value="uid" />        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />         <entry key="groupMembership" value="groupMembership" />    </util:map>    <!--     Sample, in-memory data store for the ServiceRegistry. A real implementation    would probably want to replace this with the JPA-backed ServiceRegistry DAO    The name of this bean should remain "serviceRegistryDao".    +-->    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"            p:registeredServices-ref="registeredServicesList" />    <util:list id="registeredServicesList">        <bean class="org.jasig.cas.services.RegexRegisteredService"              p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"              p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />        <!--        Use the following definition instead of the above to further restrict access        to services within your domain (including sub domains).        Note that example.com must be replaced with the domain you wish to permit.        This example also demonstrates the configuration of an attribute filter        that only allows for attributes whose length is 3.        -->        <!--        <bean class="org.jasig.cas.services.RegexRegisteredService">            <property name="id" value="1" />            <property name="name" value="HTTP and IMAP on example.com" />            <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />            <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />            <property name="evaluationOrder" value="0" />            <property name="attributeFilter">              <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" />             </property>        </bean>        -->    </util:list>        <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />        <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />      <util:list id="monitorsList">      <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />      <!--        NOTE        The following ticket registries support SessionMonitor:          * DefaultTicketRegistry          * JpaTicketRegistry        Remove this monitor if you use an unsupported registry.      -->      <bean class="org.jasig.cas.monitor.SessionMonitor"          p:ticketRegistry-ref="ticketRegistry"          p:serviceTicketCountWarnThreshold="5000"          p:sessionCountWarnThreshold="100000" />    </util:list><bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"><constructor-arg index="0" ><value>MD5</value></constructor-arg></bean><bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"><property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property><property name="url"><value>jdbc:mysql://localhost:3306/test</value></property><property name="username"><value>root</value></property><property name="password"><value>root</value></property></bean></beans>


至此服务端就完了，如果想让用户登出后跳到我们指定的地址，则需要在cas-servelt.xml文件里修改followServiceRedirects属性为true。

坑：

1、客户端的web.xml文件的登出过滤器一定要放在所有的filter之前，不仅仅是单点登录的filter之前，否则会一个登出了但是另外的客户端还在线。

2、cas服务端4.2以上也有是maven构建的，只不过需要tomcat8和jdk8

3、关于登出操作后不能跳转到我们自定义的页面的问题，需要我们设置cas服务端的cas-servlet.xml文件的followServiceRedirects属性为true才可以

4、在将cas客户端与springBoot整合时发现如果不在cas5.1的配置文件 HTTPSandIMAPS-10000001.json内添加支持http请求的话会报未认证授权的服务的错误，

阅读全文

0 0

伴唱软件

原创粉丝点击