CAS_SSO单点登录实例详细步骤(转)、Tomcat ssl(https) 配置

CAS_SSO单点登录实例详细步骤(转)、Tomcat ssl(https) 配置          

博客分类：
• SSO&CAS&Identity
• Java.Tomcat

 

    0, 从CAS官网下载最新版本的CAS服务器：cas-server-3.5.1-release.zip和java版客户端cas-client-3.2.1-release.zip。

1， 修改hosts文件，添加域名方便演示
127.0.0.1    cas.my.com #对应部署cas server的tomcat，这个虚拟域名还用于证书生成
127.0.0.1    app1.my.com # 对应部署app1 的tomcat
127.0.0.1    app2.my.com #对应部署app2 的tomcat

2， JDK安装， JAVA_HOME

3， 数字证书配置 - 生成数据证书文件（数据库）。所有的数字证书是以一条一条(采用别名区别)的形式存入证书库的中，证书库中的一条证书包含该条证书的私钥，公钥和对应的数字证书的信息。
keytool -genkey -alias casdemo -keyalg RSA -keysize 1024 -storepass P@ssw0rd -keypass P@ssw0rd -validity 365 -keystore E:\WorkRecords\CAS\casdemo.keystore

-storepass 指定私钥数据库keystore的密码(所有访问keystore文件的命令都要提供改密码)
-keypass 用来保护密钥对中的私钥。
-keypass 和 storepass 两个密码要一致，否则下面tomcat 配置https 访问会报错误（tomcat下配置文件对应的属性名叫keystorePass）：java.io.IOException: Cannot recover key
可以使用下述命令修改keypass 和 storepass
keytool -alias casdemo -storepasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass sP@ssw0rd -new P@ssw0rd
keytool -alias casdemo -keypasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass P@ssw0rd -keypass kP@ssw0rd -new P@ssw0rd
紧跟着输入的证书名CN必须是服务器的域名：cas.my.com

4， 数字证书配置 - 从数据证书数据库中导出指定的数字证书文件，数字证书文件只包括主体信息和对应的公钥。 
keytool -export -alias casdemo -keystore E:\WorkRecords\CAS\casdemo.keystore -file E:\WorkRecords\CAS\casdemo.crt -storepass P@ssw0rd

5，客户端导入 - 在客户端导入数字证书（包含主体信息和对应的公钥）
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file E:\WorkRecords\CAS\casdemo.crt

注意：cacerts是certified authority certificates的缩写，就是java存放证书的证书库。访问这个文件的默认密码是changeit，要把证书导入到这里时，系统会提示你输入该密码。可以通过下面的命令把cacerts的访问密码改成cP@ssw0rd
keytool -storepasswd -alias casdemo -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit -new cP@ssw0rd

6,tomcat容器启用https访问
修改conf/server.xml配置文件，启用8443端口配置，并增加属性keystoreFile="E:\WorkRecords\CAS\casdemo.keystore" keystorePass="P@ssw0rd" URIEncoding="UTF-8"
然后重启tomcat
https://localhost:8443/cas-server-webapp-3.5.1/login

keystoreFile 就是创建的私钥证书的路径
keystorePass 就是创建的私钥证书的访问密码

7，部署CAS-Server相关的Tomcat，参考CAS-Server下载目录下的INSTALL.txt安装
把cas-server-3.5.1\modules\cas-server-webapp-3.5.1.war复制到tomcat webapps目录下，然后重启tomcat，用下面路径访问CAS服务器
https://localhost:8443/cas-server-webapp-3.5.1/login
默认的cas server的验证是只要用户名和密码一样就可以成功登录。（仅仅用于测试，生成环境需要根据实际情况修改）

8，部署CAS-Client相关的Tomcat:参考Configuring the Jasig CAS Client for Java in the web.xml
把cas-client-3.2.1/modules/cas-client-core-3.2.1.jar复制到你所发布的webapp的WEB-INF/lib下（测试时可以使用tomcat下的example做例子），在客户端web应用中修改WEB-INF/web.xml 在里面添加如下过滤器

Java代码  

1. <!-- 用于单点退出 -->  
2. <listener>  
3.     <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>  
4. </listener>  
5. <filter>  
6.     <filter-name>CAS Single Sign Out Filter</filter-name>  
7.     <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>  
8. </filter>  
9. <!-- 用于单点登录 -->  
10. <filter>  
11.     <filter-name>CASFilter</filter-name>  
12.     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>  
13.     <init-param>  
14.         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>  
15.         <param-value>https://cas.my.com:8443/cas/login</param-value>  
16.         <!--这里的server是服务端的IP-->  
17.     </init-param>  
18.     <init-param>  
19.         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>  
20.         <param-value>https://cas.my.com:8443/cas/proxyValidate</param-value>  
21.         <!--这里的ServerName是服务端的主机名也就是CN-->  
22.     </init-param>  
23.     <init-param>  
24.         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>  
25.         <param-value>localhost:8080</param-value>  
26.         <!--client:port就是需要cas需要拦截的地址和端口,一般就是这个tomcat所启动的ip和port-->  
27.     </init-param>  
28. </filter>  
29. <filter-mapping>  
30.     <filter-name>CAS Single Sign Out Filter</filter-name>  
31.     <url-pattern>/*</url-pattern>  
32. </filter-mapping>  
33. <filter-mapping>  
34.     <filter-name>CASFilter</filter-name>  
35.     <url-pattern>/*</url-pattern>  
36. </filter-mapping>  
37.   
38. <!-- 该过滤器负责实现HttpServletRequest请求的包裹，  
39.     比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名，可选配置。  
40. -->  
41. <filter>  
42.     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
43.     <filter-class>  
44.                     org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>  
45. </filter>  
46. <filter-mapping>  
47.     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
48.     <url-pattern>/*</url-pattern>  
49. </filter-mapping>  
50.   
51. <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。  
52.     比如AssertionHolder.getAssertion().getPrincipal().getName()。  
53. -->  
54. <filter>  
55.     <filter-name>CAS Assertion Thread Local Filter</filter-name>  
56.     <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>  
57. </filter>  
58. <filter-mapping>  
59.     <filter-name>CAS Assertion Thread Local Filter</filter-name>  
60.     <url-pattern>/*</url-pattern>  
61. </filter-mapping>  

<!-- 用于单点退出 --><listener><listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class></listener><filter><filter-name>CAS Single Sign Out Filter</filter-name><filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class></filter><!-- 用于单点登录 --><filter><filter-name>CASFilter</filter-name><filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class><init-param><param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name><param-value>https://cas.my.com:8443/cas/login</param-value><!--这里的server是服务端的IP--></init-param><init-param><param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name><param-value>https://cas.my.com:8443/cas/proxyValidate</param-value><!--这里的ServerName是服务端的主机名也就是CN--></init-param><init-param><param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name><param-value>localhost:8080</param-value><!--client:port就是需要cas需要拦截的地址和端口,一般就是这个tomcat所启动的ip和port--></init-param></filter><filter-mapping><filter-name>CAS Single Sign Out Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping><filter-mapping><filter-name>CASFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!-- 该过滤器负责实现HttpServletRequest请求的包裹，比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名，可选配置。--><filter><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><filter-class>                 org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class></filter><filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。比如AssertionHolder.getAssertion().getPrincipal().getName()。--><filter><filter-name>CAS Assertion Thread Local Filter</filter-name><filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class></filter><filter-mapping><filter-name>CAS Assertion Thread Local Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>

借以tomcat默认自带的 webapps\examples 作为演示的简单web项目,访问url：http://localhost:8080/examples/servlets/
9， 获取登录用户的信息

Java代码  

1. import java.io.*;  
2. import java.util.*;  
3. import java.util.Map.Entry;  
4.    
5. import javax.servlet.*;  
6. import javax.servlet.http.*;  
7.    
8. import org.jasig.cas.client.authentication.AttributePrincipal;  
9. import org.jasig.cas.client.util.AbstractCasFilter;  
10.     import org.jasig.cas.client.validation.Assertion;  
11.        
12.     /** 
13.      * The simplest possible servlet. 
14.      * 
15.      * @author James Duncan Davidson 
16.      */  
17.        
18.     public class HelloWorldExample extends HttpServlet {  
19.        
20.         public void doGet(HttpServletRequest request, HttpServletResponse response)  
21.                 throws IOException, ServletException {  
22.             ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request  
23.                     .getLocale());  
24.             response.setContentType("text/html");  
25.             PrintWriter out = response.getWriter();  
26.        
27.             out.println("<html>");  
28.             out.println("<head>");  
29.        
30.             String title = rb.getString("helloworld.title");  
31.        
32.             out.println("<title>" + title + "</title>");  
33.             out.println("</head>");  
34.             out.println("<body bgcolor=\"white\">");  
35.        
36.             out.println("<a href=\"../helloworld.html\">");  
37.             out.println("<img src=\"../images/code.gif\" height=24 "  
38.                     + "width=24 align=right border=0 alt=\"view code\"></a>");  
39.             out.println("<a href=\"../index.html\">");  
40.             out.println("<img src=\"../images/return.gif\" height=24 "  
41.                     + "width=24 align=right border=0 alt=\"return\"></a>");  
42.             out.println("<h1>" + title + "</h1>");  
43.        
44.             Assertion assertion = (Assertion) request.getSession().getAttribute(  
45.                     AbstractCasFilter.CONST_CAS_ASSERTION);  
46.        
47.             if (null != assertion) {  
48.                 out.println(" Log | ValidFromDate =:"  
49.                         + assertion.getValidFromDate() + "<br>");  
50.                 out.println(" Log | ValidUntilDate =:"  
51.                         + assertion.getValidUntilDate() + "<br>");  
52.                 Map<Object, Object> attMap = assertion.getAttributes();  
53.                 out.println(" Log | getAttributes Map size = " + attMap.size()  
54.                         + "<br>");  
55.                 for (Entry<Object, Object> entry : attMap.entrySet()) {  
56.                     out.println("     | " + entry.getKey() + "=:"  
57.                             + entry.getValue() + "<br>");  
58.                 }  
59.        
60.             }  
61.             AttributePrincipal principal = assertion.getPrincipal();  
62.        
63.             // AttributePrincipal principal = (AttributePrincipal) request  
64.             // .getUserPrincipal();  
65.        
66.             String username = null;  
67.             out.print(" Log | UserName:");  
68.             if (null != principal) {  
69.                 username = principal.getName();  
70.                 out.println("<span style='color:red;'>" + username + "</span><br>");  
71.             }  
72.        
73.             out.println("</body>");  
74.             out.println("</html>");  
75.         }  

import java.io.*;import java.util.*;import java.util.Map.Entry; import javax.servlet.*;import javax.servlet.http.*; import org.jasig.cas.client.authentication.AttributePrincipal;import org.jasig.cas.client.util.AbstractCasFilter; import org.jasig.cas.client.validation.Assertion;   /**  * The simplest possible servlet.  *  * @author James Duncan Davidson  */   public class HelloWorldExample extends HttpServlet {       public void doGet(HttpServletRequest request, HttpServletResponse response)             throws IOException, ServletException {         ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request                 .getLocale());         response.setContentType("text/html");         PrintWriter out = response.getWriter();           out.println("<html>");         out.println("<head>");           String title = rb.getString("helloworld.title");           out.println("<title>" + title + "</title>");         out.println("</head>");         out.println("<body bgcolor=\"white\">");           out.println("<a href=\"../helloworld.html\">");         out.println("<img src=\"../images/code.gif\" height=24 "                 + "width=24 align=right border=0 alt=\"view code\"></a>");         out.println("<a href=\"../index.html\">");         out.println("<img src=\"../images/return.gif\" height=24 "                 + "width=24 align=right border=0 alt=\"return\"></a>");         out.println("<h1>" + title + "</h1>");           Assertion assertion = (Assertion) request.getSession().getAttribute(                 AbstractCasFilter.CONST_CAS_ASSERTION);           if (null != assertion) {             out.println(" Log | ValidFromDate =:"                     + assertion.getValidFromDate() + "<br>");             out.println(" Log | ValidUntilDate =:"                     + assertion.getValidUntilDate() + "<br>");             Map<Object, Object> attMap = assertion.getAttributes();             out.println(" Log | getAttributes Map size = " + attMap.size()                     + "<br>");             for (Entry<Object, Object> entry : attMap.entrySet()) {                 out.println("     | " + entry.getKey() + "=:"                         + entry.getValue() + "<br>");             }           }         AttributePrincipal principal = assertion.getPrincipal();           // AttributePrincipal principal = (AttributePrincipal) request         // .getUserPrincipal();           String username = null;         out.print(" Log | UserName:");         if (null != principal) {             username = principal.getName();             out.println("<span style='color:red;'>" + username + "</span><br>");         }           out.println("</body>");         out.println("</html>");     }

keytool报错误：keytool error: java.security.UnrecoverableKeyException: Cannot recover key
表明：命令中输入的keyPass不正确

参考：
CAS官网地址：http://www.jasig.org/cas
CAS帮助文档：https://wiki.jasig.org/display/CASUM/Home
keytool - Key and Certificate Management Tool： 管理私钥数据库（keystore）以及私钥关联的X.509证书链验证的对应公钥（证书），同时也为受信实体管理证书。
keytool工具的详细运用
CAS_SSO单点登录实例详细步骤
SSO之CAS单点登录实例演示