CAS Single Sign-On in Practice
Source: Internet | Published by: 窗帘 知乎 | Editor: 程序博客网 | Time: 2024/05/23 05:08
1. Overview
Implement single sign-on (SSO) based on CAS.
CAS website: http://www.jasig.org/cas
2. Demo environment
The demo in this article runs on a single machine (three physical machines or three VMs would also work). Environment:
- JDK 1.7
- Tomcat 7.0.54
- CAS-server-4.0.0, CAS-client-3.2.1

hosts file entries:
```
127.0.0.1 demo.gaochao.com
127.0.0.1 app1.gaochao.com
127.0.0.1 app2.gaochao.com
```
- demo.gaochao.com =>> the Tomcat hosting the CAS server; this virtual domain is also used when generating the certificate
- app1.gaochao.com =>> the Tomcat hosting app1
- app2.gaochao.com =>> the Tomcat hosting app2
3. JDK installation and configuration
Install the JDK and configure the environment variables.
4. Security certificate configuration
4.1. Generate the certificate:
```
keytool -genkey -alias ssodemo -keyalg RSA -keysize 1024 -keypass password -validity 365 -keystore e:\sso\ssodemo.keystore -storepass password
```
Notes:
- The name entered at the prompt (shown in the original screenshot) must match the hostname configured in the hosts file above;
- keypass and storepass must be identical, otherwise the Tomcat HTTPS configuration below fails.
4.2. Export the certificate:
```
keytool -export -alias ssodemo -keystore e:\sso\ssodemo.keystore -file e:\sso\ssodemo.crt -storepass password
```
4.3. Import the certificate on the client:
```
keytool -import -keystore "%JAVA_HOME%"\jre\lib\security\cacerts -file e:\sso\ssodemo.crt -alias ssodemo
```
Note: the password this command prompts for is not the one entered above; if the demo uses several machines, the certificate has to be imported on every client machine.
5. Deploy the Tomcat for CAS-Server
5.1. Configure HTTPS
Extract apache-tomcat-7.0.56.tar.gz and rename the directory to G:\sso\tomcat-cas. In conf/server.xml find:
```xml
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
```
and change it to:
```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="e:/sso/ssodemo.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
```
Parameters:
- keystoreFile: the path of the keystore created in 4.1
- keystorePass: the password used when creating it in 4.1
5.2. Verify the HTTPS configuration
Leave everything else at its defaults, double-click %TOMCAT_HOME%\bin\startup.bat to start tomcat-cas, and verify HTTPS access:
If the page (shown in the original screenshot) appears, HTTPS is configured correctly.
5.3 Deploy CAS-Server
CAS-Server download: http://www.jasig.org/cas/download
This article uses cas-server-4.0.0-release.zip. Extract cas-server-4.0.0/modules/cas-server-webapp-4.0.0.war from it, copy the file to G:\sso\tomcat-cas\webapps\ and rename it to cas.war.
Start tomcat-cas and open https://demo.micmiu.com:8443/cas/login in the browser:
The CAS server's default credentials are casuser | Mellon (for testing only; change them for production according to your situation). Enter admin/admin and click login to see the success page:
If that page appears, CAS-Server has been deployed successfully.
6. Deploy the Tomcats for CAS-Client
6.1 Download Cas-Client
CAS-Client download: http://downloads.jasig.org/cas-clients/
Using cas-client-3.2.1-release.zip, extract cas-client-3.2.1/modules/cas-client-core-3.2.1.jar.
Tomcat's bundled webapps\examples serves as the simple demo web application.
6.2 Install and configure tomcat-app1
Extract apache-tomcat-6.0.29.tar.gz and rename the directory to G:\sso\tomcat-app1. Change Tomcat's ports: in conf/server.xml find:
```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```
and change it to:
```xml
<Connector port="18080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
```
Start tomcat-app1 and open http://app1.gaochao.com:18080/DocumentManager/ in the browser:
Next, copy the client library cas-client-core-3.2.1.jar into tomcat-app1\webapps\examples\WEB-INF\lib\ and add the following to tomcat-app1\webapps\examples\WEB-INF\web.xml:
```xml
<!-- ======================== Single sign-on: begin ======================== -->
<!-- Single sign-out support: this listener, together with the filter below, implements single logout; optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter implements single sign-out; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.gaochao.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.gaochao.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the service ticket; it must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.gaochao.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.gaochao.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
    This filter wraps the HttpServletRequest so that, for example, the SSO user's
    login name is available through HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
    This filter lets developers obtain the login name through
    org.jasig.cas.client.util.AssertionHolder, e.g.
    AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- ======================== Single sign-on: end ======================== -->
```
A detailed description of the cas-client web.xml changes is in the official documentation:
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
6.3 Install and configure tomcat-app2
Extract apache-tomcat-6.0.29.tar.gz and rename the directory to G:\sso\tomcat-app2. Change Tomcat's ports: in conf/server.xml find:
```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```
and change it to:
```xml
<Connector port="28080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="28443" />
<Connector port="28009" protocol="AJP/1.3" redirectPort="28443" />
```
Start tomcat-app2, open http://app2.gaochao.com:28080/examples/servlets/ in the browser and verify it the same way as in 6.2.
As in 6.2, copy the client library cas-client-core-3.2.1.jar into tomcat-app2\webapps\examples\WEB-INF\lib\ and add the following to tomcat-app2\webapps\examples\WEB-INF\web.xml:
```xml
<!-- ======================== Single sign-on: begin ======================== -->
<!-- Single sign-out support: this listener, together with the filter below, implements single logout; optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter implements single sign-out; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.gaochao.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.gaochao.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the service ticket; it must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.gaochao.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.gaochao.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
    This filter wraps the HttpServletRequest so that, for example, the SSO user's
    login name is available through HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!--
    This filter lets developers obtain the login name through
    org.jasig.cas.client.util.AssertionHolder, e.g.
    AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- ======================== Single sign-on: end ======================== -->
```
7. Testing the SSO setup
Start the three Tomcats configured above: tomcat-cas, tomcat-app1 and tomcat-app2.
7.1 Basic test
Expected flow: open the app1 URL -> redirected to the CAS server for authentication -> app1 is displayed -> open the app2 URL -> app2 is displayed -> log out of the CAS server -> open the app1/app2 URL -> redirected to the CAS server for authentication again.
Open the browser and enter http://app1.gaochao.com:18080/DocumentManager:
The browser is redirected to the authentication page:
After successful authentication the following is displayed:
Accessing app2 now no longer requires authentication:
Enter https://demo.gaochao.com:8443/cas/logout in the address bar; the response shows:
This means the logout succeeded: accessing http://app1.gaochao.com:18080/DocumentManager or http://app2.gaochao.com:28080/DocumentManager now requires authentication again.
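The flow above is what the two mandatory filters in the web.xml of 6.2 and 6.3 implement: AuthenticationFilter redirects an unauthenticated request to casServerLoginUrl with a `service` parameter, and the validation filter calls `casServerUrlPrefix/serviceValidate` with the returned ticket and the same service URL before granting access. The following Python model is an added example, not code from this article or from the Jasig CAS client. It reuses the article's init-param values for app1, replaces the HTTPS call to the CAS server with an injected function so that it runs offline, and uses constructed sample responses in the CAS 2.0 serviceValidate format. The point worth seeing is that the service URL is rebuilt from serverName (not from the Host header) and stripped of the ticket, and that a ticket the CAS server does not confirm for exactly that service is denied rather than trusted.

```python
"""Model of the CAS client filter chain configured in the web.xml above.
Added example, not code from the article or the Jasig CAS client."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_SERVER_LOGIN_URL = "https://demo.gaochao.com:8443/cas/login"  # casServerLoginUrl
CAS_SERVER_URL_PREFIX = "https://demo.gaochao.com:8443/cas"       # casServerUrlPrefix
SERVER_NAME = "http://app1.gaochao.com:18080"                     # serverName (app1)
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS 2.0 serviceValidate format.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-1-example' does not match supplied service.
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def service_url(server_name, request_uri):
    """Rebuild the 'service' URL the way the client does: serverName plus the
    request URI, with any 'ticket' query parameter removed so the URL sent to
    /login and the one later sent to /serviceValidate are identical."""
    parts = urlsplit(server_name + request_uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def login_redirect_url(request_uri):
    """AuthenticationFilter: no assertion in the session and no ticket in the
    request, so send the browser to the CAS login page with the service URL."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode(
        {"service": service_url(SERVER_NAME, request_uri)})


def service_validate_url(request_uri, ticket):
    """Cas20ProxyReceivingTicketValidationFilter: the back-channel URL the client
    calls on the CAS server to validate the ticket for this exact service."""
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"ticket": ticket, "service": service_url(SERVER_NAME, request_uri)})


def parse_service_validate_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response.
    Returns (user, None) on success and (None, error_code) on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return success.findtext("cas:user", namespaces=CAS_NS), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code")
    raise ValueError("not a CAS 2.0 serviceResponse")


def handle_request(request_uri, validate):
    """Run one request through the two filters. `validate` stands in for the
    HTTPS call to /serviceValidate: it takes the validate URL and returns the
    XML body. A ticket the server does not confirm for this service is denied."""
    ticket = dict(parse_qsl(urlsplit(request_uri).query)).get("ticket")
    if ticket is None:
        return {"action": "redirect", "location": login_redirect_url(request_uri)}
    user, error = parse_service_validate_response(
        validate(service_validate_url(request_uri, ticket)))
    if user is None:
        return {"action": "deny", "error": error}
    return {"action": "allow", "user": user}


if __name__ == "__main__":
    print(handle_request("/examples/servlets/", lambda url: SUCCESS_RESPONSE))
    print(handle_request("/examples/servlets/?ticket=ST-1-example", lambda url: SUCCESS_RESPONSE))
    print(handle_request("/examples/servlets/?ticket=ST-1-example", lambda url: FAILURE_RESPONSE))
```

Because serverName is fixed in web.xml, the service URL the CAS server sees is always the configured one; this is why the same value appears in both the CAS Filter and the CAS Validation Filter, and why a mismatch between them shows up as an INVALID_SERVICE failure rather than a login loop that is hard to diagnose.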
8. Configuring database authentication on the cas-server side
Open deployerConfigContext.xml under webapp\WEB-INF and replace
```xml
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon"/>
        </map>
    </property>
</bean>
```
with
```xml
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="dataSource" />
    <property name="sql" value="select password from user where lower(user_id) = lower(?)" />
</bean>

<!-- MySQL connector -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <property name="url"><value>jdbc:mysql://localhost:3306/db</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>admin</value></property>
</bean>
```
Using the JDBC configuration
First, copy the jdbc jar produced by the default build (usually named cas-server-support-jdbc-xxxxxxxxxx.jar) from cas-server-support-jdbc\target\ into webapp\WEB-INF\lib.
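What the handler above does with that query, modelled as an added example in Python (not CAS code and not from the article) against an in-memory SQLite table with constructed rows: the exact SQL from the configuration returns the stored `password` column for the user, looked up case-insensitively through `lower()`, and the handler compares it with the submitted password. With CAS's plain-text default the column must hold clear-text passwords, so a leaked table hands over every credential. The second function runs the same query against a column that stores a digest instead, which is what the `passwordEncoder` property on this handler exists for; the SHA-256 hex digest and the constant-time comparison here are this example's own choices, not a claim about CAS's exact encoding, and a production deployment would use a salted, purpose-built password hash.

```python
"""Model of CAS's QueryDatabaseAuthenticationHandler running the SQL from the
deployerConfigContext.xml above. Added example, not CAS or article code."""
import hashlib
import hmac
import sqlite3

# The exact query from the configuration above; SQLite runs it unchanged.
SQL = "select password from user where lower(user_id) = lower(?)"


def make_db(rows):
    """Build the constructed 'user' table. rows: iterable of (user_id, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (user_id text primary key, password text not null)")
    conn.executemany("insert into user values (?, ?)", rows)
    return conn


def authenticate_plaintext(conn, user_id, password):
    """Handler behaviour with the default plain-text encoder: the stored column
    must equal the submitted password. The bound parameter keeps the user-supplied
    id out of the SQL text; the constant-time compare is this example's choice."""
    row = conn.execute(SQL, (user_id,)).fetchone()
    if row is None:
        return False  # unknown user: the query returned no row
    return hmac.compare_digest(row[0].encode("utf-8"), password.encode("utf-8"))


def encode_sha256(password):
    """Stand-in for a password encoder (assumed digest format, not CAS's exact
    one): the column stores this value instead of the clear-text password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def authenticate_hashed(conn, user_id, password):
    """Same query, but the submitted password is encoded before comparison, so the
    database never holds the clear-text secret."""
    row = conn.execute(SQL, (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode("utf-8"),
                               encode_sha256(password).encode("utf-8"))


if __name__ == "__main__":
    plain = make_db([("CasUser", "Mellon")])            # constructed row, clear text
    print(authenticate_plaintext(plain, "casuser", "Mellon"))   # True: lower() matches
    hashed = make_db([("casuser", encode_sha256("Mellon"))])  # constructed row, digest
    print(authenticate_hashed(hashed, "CASUSER", "Mellon"))    # True
    print(authenticate_plaintext(hashed, "casuser", "Mellon")) # False: encoder mismatch
```

The last call shows the failure mode to expect when switching the storage format: if the column holds digests but the handler still uses the plain-text encoder (or the reverse), every login fails with an authentication error even though the query itself returns a row.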
To be continued...