Single sign-on with CAS: setting up the server and the client

Source: Internet   Editor: 程序博客网   Date: 2024/06/05 05:17

Server side:
1: Download cas-server-webapp-3.4.12 from GitHub
2: Import it into Eclipse and modify deployerConfigContext.xml
3: The JSP pages in this project load the jQuery components from the Google CDN, so the page does not load; the CDN has to be swapped

Replace

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.5/jquery-ui.min.js"></script>

with

<script src="http://code.jquery.com/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://code.jquery.com/ui/1.8.5/jquery-ui.min.js"></script>

(The replacement tags point at plain http:// URLs. If the CAS login page is served over HTTPS, as CAS expects, browsers treat these scripts as mixed content, so use the https:// form of the code.jquery.com URLs there.)

Create the user table in MySQL

create database cas;
-- grant privileges ...
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` bigint(11) unsigned NOT NULL AUTO_INCREMENT,
  `login_name` varchar(25) NOT NULL,
  `password` varchar(40) NOT NULL,
  `email` varchar(20) DEFAULT '',
  `enabled` tinyint(1) NOT NULL DEFAULT '0',
  `role` varchar(10) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

-- ----------------------------
--  Records of `user`
-- ----------------------------
BEGIN;
INSERT INTO `user` VALUES
  ('1', 'nick', '<password encoded with MD5PasswordEncoder>', '123@qq.com', '1', 'ROLE_USER'),
  ('2', 'cas',  '<password encoded with MD5PasswordEncoder>', 'cas@qq.com', '1', 'ROLE_ADMIN');
COMMIT;
SET FOREIGN_KEY_CHECKS = 1;

Client
Check out the client sample code from https://github.com/henrycm/Spring-Security-CAS/trunk
1: Modify spring-cas.xml
2: Modify Tomcat's server.xml and add the certificate. The certificate in the project's /src/keys directory can be used directly

Test code download: http://pan.baidu.com/s/1mg7tW6G

Contents of deployerConfigContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
    | all CAS deployers will need to modify.
    |
    | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
    | The beans declared in this file are instantiated at context initialization time by the Spring
    | ContextLoaderListener declared in web.xml.  It finds this file because this
    | file is among those declared in the context parameter "contextConfigLocation".
    |
    | By far the most common change you will need to make in this file is to change the last bean
    | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
    | one implementing your approach for authenticating usernames and passwords.
    +-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
        | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
        | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
        | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
        | implementation and so do not need to change the class of this bean.  We include the whole
        | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
        | need to change in context.
        +-->
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!--
            | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
            | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
            | supports the presented credentials.
            |
            | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
            | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
            | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
            | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
            | using.
            |
            | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
            | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
            | You will need to change this list if you are identifying services by something more or other than their callback URL.
            +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                    | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                    | by default and produces SimplePrincipal instances conveying the username from the credentials.
                    |
                    | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                    | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
                    | Credentials you are using.
                    +-->
                <!-- <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> -->
                <!--
                    | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
                    | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
                    | SimpleService identified by that callback URL.
                    |
                    | If you are representing services by something more or other than an HTTPS URL whereat they are able to
                    | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
                    +-->
                <!-- Modified on 2015-08-01: add user info -->
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
                    <property name="attributeRepository">
                        <!-- Attach attributes to the authenticated user's Principal -->
                        <ref local="attributeRepository" />
                    </property>
                </bean>
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>

        <!--
            | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
            | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
            | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
            | until it finds one that both supports the Credentials presented and succeeds in authenticating.
            +-->
        <property name="authenticationHandlers">
            <list>
                <!--
                    | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
                    | a server side SSL certificate.
                    +-->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                    p:httpClient-ref="httpClient" />
                <!--
                    | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
                    | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
                    | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
                    | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
                    | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
                    +-->
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                    <property name="dataSource" ref="dataSource"></property>
                    <property name="sql" value="select password from user where login_name=?"></property>
                    <!-- Encoding applied to user passwords before comparison -->
                    <property name="passwordEncoder" ref="MD5PasswordEncoder"></property>
                </bean>
            </list>
        </property>
    </bean>

    <!--
        This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
        More robust deployments will want to use another option, such as the Jdbc version.
        The name of this should remain "userDetailsService" in order for Spring Security to find it.
    -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" /> -->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <!--
        Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
        may go against a database or LDAP server.  The id should remain "attributeRepository" though.
    -->
    <!-- Replace the default attributeRepository bean configuration in this file -->
    <!-- Configure here how additional user information is fetched -->
    <!--
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>
    -->
    <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
        <constructor-arg index="0" ref="dataSource" />
        <constructor-arg index="1" value="SELECT * FROM user WHERE {0} and enabled=1" />
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="login_name" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="login_name" value="login_name" />
                <entry key="id" value="uuid" />
                <entry key="password" value="password" />
                <entry key="email" value="email" />
                <entry key="role" value="role" />
            </map>
        </property>
    </bean>

    <!--
        Sample, in-memory data store for the ServiceRegistry. A real implementation
        would probably want to replace this with the JPA-backed ServiceRegistry DAO
        The name of this bean should remain "serviceRegistryDao".
    -->
    <!--
        Comment out or delete all the properties of the last default serviceRegistryDao bean in this XML file.
        The ignoreAttributes property of RegisteredServiceImpl in this bean decides whether the attributes are added;
        the default is false (not added). Only when this configuration is removed does the CAS server add the user's
        extra attributes to the attributes of the Principal used for authentication. I made exactly this mistake here
        and only found it by tracing the source code.
    -->
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <!--
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                </bean>

                Use the following definition instead of the above to further restrict access to services within your domain
                (including subdomains). Note that example.com must be replaced with the domain you wish to permit.

                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="1" />
                    <property name="name" value="HTTP and IMAP on example.com" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
                    <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                    <property name="evaluationOrder" value="0" />
                </bean>
            </list>
        </property>
        -->
    </bean>

    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName">
            <value>com.mysql.jdbc.Driver</value>
        </property>
        <property name="url">
            <!-- When using MySQL, append the encoding parameters below; otherwise the client may be unable to recognise the TGT ticket -->
            <value>jdbc:mysql://localhost:3306/cas?useUnicode=true&amp;characterEncoding=utf-8</value>
        </property>
        <property name="username">
            <value>root</value>
        </property>
        <property name="password">
            <value>database password</value>
        </property>
    </bean>

    <bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
        <constructor-arg index="0">
            <!-- The CAS server supports MD5 and SHA1 out of the box; for other algorithms such as SHA-256 or SHA-512,
                 implement the org.jasig.cas.authentication.handler.PasswordEncoder interface yourself -->
            <value>MD5</value>
        </constructor-arg>
    </bean>
</beans>
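The following Python script is an added example, not code from the original post or from CAS itself. It models the two SQL look-ups that the configuration above wires against the `user` table created earlier: the QueryDatabaseAuthenticationHandler query (`select password from user where login_name=?`, compared after MD5 encoding) and the SingleRowJdbcPersonAttributeDao query (`SELECT * FROM user WHERE {0} and enabled=1`). It assumes that DefaultPasswordEncoder configured with `MD5` stores the lowercase hex MD5 digest of the UTF-8 password, which is also how to fill the `<password encoded with MD5PasswordEncoder>` placeholder in the INSERT statement. The in-memory SQLite table, the user names, passwords and e-mail addresses are constructed test data; the tightened `AUTH_SQL_TIGHT` query is a suggestion, not something on the page.

```python
"""Model of the CAS authentication and attribute queries from deployerConfigContext.xml.

Added example; assumes DefaultPasswordEncoder("MD5") == lowercase hex MD5 of the
UTF-8 password. All rows below are constructed test data.
"""
import hashlib
import hmac
import sqlite3

# Query strings taken from the configuration on the page.
AUTH_SQL_PAGE = "select password from user where login_name=?"
# SingleRowJdbcPersonAttributeDao substitutes "login_name = ?" for {0} in the page's query.
ATTR_SQL = "SELECT * FROM user WHERE login_name=? and enabled=1"
# Suggested tightened variant (not on the page): reject disabled accounts at
# authentication time, not only when attributes are fetched.
AUTH_SQL_TIGHT = "select password from user where login_name=? and enabled=1"

# The page's resultAttributeMapping (column -> released attribute name).
RESULT_ATTRIBUTE_MAPPING = {
    "login_name": "login_name",
    "id": "uuid",
    "password": "password",
    "email": "email",
    "role": "role",
}


def md5_password_encoder(password: str) -> str:
    """Value DefaultPasswordEncoder with algorithm MD5 stores in user.password (assumed)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_user_db() -> sqlite3.Connection:
    """In-memory SQLite copy of the page's `user` table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        """
        CREATE TABLE user (
          id INTEGER PRIMARY KEY AUTOINCREMENT,
          login_name VARCHAR(25) NOT NULL,
          password VARCHAR(40) NOT NULL,
          email VARCHAR(20) DEFAULT '',
          enabled TINYINT NOT NULL DEFAULT 0,
          role VARCHAR(10) NOT NULL DEFAULT ''
        );
        """
    )
    rows = [  # constructed test data: (login_name, stored hash, email, enabled, role)
        ("nick", md5_password_encoder("nick-secret"), "123@qq.com", 1, "ROLE_USER"),
        ("cas", md5_password_encoder("cas-secret"), "cas@qq.com", 1, "ROLE_ADMIN"),
        ("old", md5_password_encoder("old-secret"), "old@qq.com", 0, "ROLE_USER"),
    ]
    conn.executemany(
        "INSERT INTO user (login_name, password, email, enabled, role) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    return conn


def authenticate(conn: sqlite3.Connection, login_name: str, password: str,
                 sql: str = AUTH_SQL_PAGE) -> bool:
    """QueryDatabaseAuthenticationHandler logic: fetch the stored value for the login
    name with a parameterised query, encode the submitted password the same way and
    compare in constant time."""
    row = conn.execute(sql, (login_name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row["password"], md5_password_encoder(password))


def resolve_attributes(conn: sqlite3.Connection, login_name: str) -> dict:
    """SingleRowJdbcPersonAttributeDao logic: one row, renamed per resultAttributeMapping.
    Returns an empty dict when the user is missing or disabled."""
    row = conn.execute(ATTR_SQL, (login_name,)).fetchone()
    if row is None:
        return {}
    return {attr: row[col] for col, attr in RESULT_ATTRIBUTE_MAPPING.items()}


if __name__ == "__main__":
    db = make_user_db()
    for name, pw in [("nick", "nick-secret"), ("nick", "wrong"), ("old", "old-secret")]:
        print(name, "page query:", authenticate(db, name, pw),
              "tightened:", authenticate(db, name, pw, AUTH_SQL_TIGHT),
              "attributes:", resolve_attributes(db, name))
```

Two things the model makes visible: the page's authentication query never reads `enabled`, so a disabled account still passes the password check and merely comes back without attributes, whereas the tightened query rejects it outright; and the `resultAttributeMapping` releases the `password` column as a principal attribute, so every CAS client that validates a ticket receives the stored hash. Dropping that entry from the mapping keeps the hash inside the server.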