程序博客网 > 淘宝产品分类

CAS (5) —— Nginx代理模式下浏览器访问CAS服务器配置详解

来源:互联网 发布:淘宝产品分类 编辑:程序博客网 时间:2024/06/05 09:41

http://www.cnblogs.com/richaaaard/p/5053108.html

tomcat版本: tomcat-8.0.29

jdk版本: jdk1.8.0_65

nginx版本: nginx-1.9.8

cas版本: cas4.1.2
cas-client-3.4.1

参考来源:

jasig.github.io:CAS protocol

https://github.com/Jasig/java-cas-client

通过Proxy访问其它Cas应用

CAS负载均衡配置——SSL篇

CAS负载均衡配置

CAS客户端集群

  • 以下的示例采用我博客的另外两篇文章中搭建好的测试环境举例

CAS (1) —— Mac下配置CAS到Tomcat(服务端)

CAS (2) —— Mac下配置CAS到Tomcat(客户端)

CAS (3) —— Mac下配置CAS客户端经代理访问Tomcat CAS

Mac为nginx安装nginx-sticky-module

【高可用HA】Nginx (1) —— Mac下配置Nginx Http负载均衡(Load Balancer)之101实例

Nginx (2) —— Mac下配置Apache Httpd的Https/SSL (待出)

目标架构

此代理非彼代理

在CAS官方网站上给出了一个“Proxy Web Flow Diagram”:

顺序图:(来源于http://jasig.github.io/cas/4.0.x/protocol/CAS-Protocol.html)

这个方案主要适用一种场景:

有两个应用App1和App2,它们都是受Cas Server保护的,即请求它们时都需要通过Cas Server的认证。现需要在App1中通过Http请求访问App2,显然该请求将会被App2配置的Cas的AuthenticationFilter拦截并转向Cas Server,Cas Server将引导用户进行登录认证,这样我们也就不能真正的访问到App2了。针对这种应用场景,Cas也提供了对应的支持。通过Proxy访问其它Cas应用

无论是用中文关键字在“度娘”,还是用英文关键字再“谷哥”上搜索,多数文章都是描述上面这样一个场景。

而我这里介绍的“代理”,并非是上述场景——依靠代理去验证ticket,“代理”在此的角色是:

  • 只做分发反向代理(未来的负载均衡器)
* 注意:所以说“此代理非彼代理”

准备

要搭建上面这个环境会相对复杂,我们需要参照之前的文章准备以下必备的组件或环境:

  1. 2个Tomcat服务器作为客户端应用程序服务器(即cas的客户端)

    app1.hoau.com:8081/8413(http/https)app2.hoau.com:8082/8423(http/https)

    参照Tomcat Cluster、Tomcat SSL和CAS Client

  2. 1个配置好SSL的Nginx服务器作为中间层代理转发服务器(后可扩展为LoadBalancer)

    proxy.sso.hoau.com:85/443(http/https)

    参照Nginx Load Balancer与Nginx Sticky Session

  3. 另一个1个带有SSL的Tomcat服务器作为CAS服务器

    sso.hoau.com:8083/8433(http/https)

    参照Tomcat SSL与CAS Server

关键配置

  • 代理服务器(Nginx x 1)

    nginx.conf

    • http

      server:

      server {    listen       85;    server_name  proxy.sso.hoau.com;    location / {      #index index.html index.htm;    #设置主机头和客户端真实地址,以便服务器获取客户端真实IP    proxy_set_header   Host   $host;    proxy_set_header   Referer $http_referer;    proxy_set_header   Cookie $http_cookie;    proxy_set_header   X-Real-IP  $remote_addr;    proxy_set_header   X-Forwarded-For              $proxy_add_x_forwarded_for;    proxy_redirect off;      #禁用缓存    #proxy_buffering off;    proxy_connect_timeout 3;    proxy_send_timeout 30;    proxy_read_timeout 30;     proxy_pass http://cas_server_http; }

      upstream:

      upstream cas_server_http {      #根据ip计算将请求分配各那个后端tomcat,许多人误认为可以解决session问题,其实并不能。      #同一机器在多网情况下,路由切换,ip可能不同      #ip_hash;       #sticky;    #Richard: http    server localhost:8083 weight=1 srun_id=c;     #server localhost:8084 weight=1 srun_id=c;     jvm_route $cookie_JSESSIONID|sessionid reverse;}

      *注意:

      (1)以上的“jvm_route $cookie_JSESSIONID|sessionid reverse;”是关键配置,因为CAS是依赖于Session和Cookie进行身份验证的。

      (2)srun_id=c,其中“c”需要与CAS服务器Tomcat server.xml文件里的jvmRoute配置“

      <Engine name="Catalina" defaultHost="localhost" jvmRoute="c">”

    • https

      server:

      server {     listen 443;    server_name  proxy.sso.hoau.com;    ssl on;     ssl_certificate /Users/Richard/Documents/Dev/servers/cluster/nginx/keys/server.crt;     ssl_certificate_key  /Users/Richard/Documents/Dev/servers/cluster/nginx/keys/server.key;     ssl_session_timeout 5m;    ssl_protocols SSLv3 TLSv1;    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;    ssl_prefer_server_ciphers on;    location / {        proxy_redirect off;          proxy_set_header Host $host;          proxy_set_header   Referer $http_referer;        proxy_set_header   Cookie $http_cookie;        proxy_set_header X-Real-IP $remote_addr;          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;        proxy_set_header X-FORWARDED-HOST $server_addr;          proxy_set_header X-FORWARDED-PORT $server_port;        proxy_connect_timeout 3;        proxy_send_timeout 30;        proxy_read_timeout 30;        proxy_pass https://cas_server_ssl;    }   }

      *注意:以上的ssl为关键配置“ssl_certificate”和“ssl_certificate_key”需要指向正确的证书和密钥。

      upstream:

      upstream cas_server_ssl {      #Richard: https todo    server sso.hoau.com:8433 weight=1 srun_id=c;      #server sso.hoau.com:8443 weight=1 srun_id=c;     jvm_route $cookie_JSESSIONID|sessionid reverse;}

*注意:以上http和https可以只配一项,或两者兼存皆可,端口不要冲突。

  • CAS客户端应用服务器(Tomcat x 2)

    以下客户端的蓝本可以在github上收到(关键字:“cas-sample-java-webapp”),我这里只贴出自己的关键点和修改后的结果。

    CAS客户端的应用服务器有两台,如果不使用Spring Security的集成,比较关键配置就只有pom.xml(编译)和web.xml(部署):

    • 两个环境编译类似,pom.xml(贴全了,有无冗余请自行解决):

      *注意:以下Spring Security相关依赖为非必须

      <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">    <modelVersion>4.0.0</modelVersion>    <groupId>iamlabs.unicon.net</groupId>    <artifactId>cas-sample-java-webapp</artifactId>    <version>0.0.1-SNAPSHOT</version>    <packaging>war</packaging>    <name>CAS Example Java Web App</name>    <description>A sample web application that exercises the CAS protocol features via the Java CAS Client.</description>    <build>        <finalName>cas-sample-java-webapp</finalName>        <plugins>            <plugin>                <groupId>org.apache.maven.plugins</groupId>                <artifactId>maven-compiler-plugin</artifactId>                <version>2.5.1</version>                <configuration>                    <source>1.7</source>                    <target>1.7</target>                </configuration>            </plugin>        </plugins>    </build>    <properties>               <spring.version>3.2.4.RELEASE</spring.version>         <casclient.version>3.4.1</casclient.version>            </properties>      <dependencies>    <dependency>        <groupId>commons-logging</groupId>        <artifactId>commons-logging</artifactId>        <version>1.1.1</version>    </dependency>    <!-- Logging -->        <dependency>          <groupId>org.slf4j</groupId>          <artifactId>slf4j-api</artifactId>          <version>1.7.13</version>      </dependency>      <dependency>          <groupId>org.slf4j</groupId>          <artifactId>slf4j-simple</artifactId>          <version>1.7.13</version>      </dependency>        <dependency>            <groupId>org.slf4j</groupId>            <artifactId>slf4j-log4j12</artifactId>            <version>1.7.13</version>       </dependency>     <dependency>        <groupId>org.opensaml</groupId>        <artifactId>opensaml1</artifactId>        <version>1.1</version>    </dependency>    <dependency>        <groupId>javax.servlet</groupId>        <artifactId>javax.servlet-api</artifactId>        <version>3.1.0</version>        <scope>provided</scope>    </dependency>    <dependency>        <groupId>org.jasig.cas.client</groupId>        <artifactId>cas-client-core</artifactId>        <version>${casclient.version}</version>        <exclusions>            <exclusion>                <groupId>javax.servlet</groupId>                <artifactId>servlet-api</artifactId>            </exclusion>        </exclusions>    </dependency>    <dependency>        <groupId>org.jasig.cas.client</groupId>        <artifactId>cas-client-integration-tomcat-common</artifactId>        <version>${casclient.version}</version>    </dependency>    <dependency>        <groupId>commons-codec</groupId>        <artifactId>commons-codec</artifactId>        <version>1.6</version>    </dependency>    <dependency>        <groupId>org.apache.santuario</groupId>        <artifactId>xmlsec</artifactId>        <version>1.4.3</version>    </dependency>    <dependency>          <groupId>org.springframework</groupId>          <artifactId>spring-core</artifactId>          <version>${spring.version}</version>      </dependency>      <dependency>          <groupId>org.springframework</groupId>          <artifactId>spring-beans</artifactId>          <version>${spring.version}</version>      </dependency>      <dependency>          <groupId>org.springframework</groupId>          <artifactId>spring-context</artifactId>          <version>${spring.version}</version>      </dependency>      <dependency>          <groupId>org.springframework</groupId>          <artifactId>spring-web</artifactId>          <version>${spring.version}</version>      </dependency>      <dependency>         <groupId>org.springframework.security</groupId>        <artifactId>spring-security-core</artifactId>        <version>${spring.version}</version>      </dependency>    <dependency>        <groupId>org.springframework.security</groupId>        <artifactId>spring-security-web</artifactId>        <version>${spring.version}</version>      </dependency>      <dependency>          <groupId>org.springframework.security</groupId>        <artifactId>spring-security-config</artifactId>          <version>${spring.version}</version>      </dependency>      </dependencies></project>

    • https://app1.hoau.com:8413

      web.xml:

      <?xml version="1.0" encoding="UTF-8"?><web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">     <context-param>        <param-name>log4jConfigLocation</param-name>        <param-value>/WEB-INF/log4j.properties</param-value>    </context-param>    <listener>        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>    </listener>    <!--    <listener>        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>    </listener>    <filter>        <filter-name>CAS Single Sign Out Filter</filter-name>        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>        <init-param>            <param-name>casServerUrlPrefix</param-name>            <param-value>https://proxy.sso.hoau.com:443</param-value>        </init-param>    </filter>    <filter-mapping>        <filter-name>CAS Single Sign Out Filter</filter-name>        <url-pattern>/*</url-pattern>    </filter-mapping>    -->    <filter>        <filter-name>CAS Validation Filter</filter-name>        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>        <!--         <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>         -->         <!--         <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>          -->     <init-param>        <param-name>casServerUrlPrefix</param-name>        <!--        <param-value>https://sso.hoau.com:8433/cas</param-value>        <param-value>https://proxy.sso.hoau.com:443/cas</param-value>        -->        <param-value>https://proxy.sso.hoau.com:443/cas</param-value>    </init-param>    <!---->    <init-param>        <param-name>serverName</param-name>        <param-value>https://app1.hoau.com:8413</param-value>    </init-param>    <init-param>        <param-name>redirectAfterValidation</param-name>        <param-value>true</param-value>    </init-param>    <init-param>        <param-name>useSession</param-name>        <param-value>true</param-value>    </init-param>    <init-param>        <param-name>acceptAnyProxy</param-name>        <param-value>true</param-value>    </init-param>    <!--     <init-param>        <param-name>ticketValidatorClass</param-name>        <param-value>org.jasig.cas.client.validation.Cas20ProxyTicketValidator</param-value>    </init-param>    -->    <!-- http://haohaoxuexi.iteye.com/blog/2145751    <init-param>        <param-name>proxyReceptorUrl</param-name>        <param-value>/proxyCallback</param-value>    </init-param>    <init-param>        <param-name>proxyCallbackUrl</param-name>        <param-value>https://app1.hoau.com:8413/cas1/proxyCallback</param-value>    </init-param>    --></filter><filter>    <filter-name>CAS Authentication Filter</filter-name>    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>    <!--     <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>     -->    <!--     <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>     -->    <init-param>        <param-name>casServerLoginUrl</param-name>        <!--        <param-value>https://sso.hoau.com:8433/cas/login</param-value>        -->         <param-value>https://proxy.sso.hoau.com:443/cas/login</param-value>    </init-param>    <init-param>        <param-name>serverName</param-name>        <param-value>https://app1.hoau.com:8413</param-value>    </init-param></filter><filter>    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class></filter><filter-mapping>    <filter-name>CAS Validation Filter</filter-name>    <url-pattern>/*</url-pattern></filter-mapping><filter-mapping>    <filter-name>CAS Authentication Filter</filter-name>    <url-pattern>/*</url-pattern></filter-mapping><filter-mapping>    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>    <url-pattern>/*</url-pattern></filter-mapping><!--<servlet>    <servlet-name>ProxyValidate</servlet-name>    <servlet-class> edu.yale.its.tp.cas.servlet.ProxyValidate</servlet-class></servlet><servlet>     <servlet-name>ProxyTicketReceptor</servlet-name>     <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class> </servlet > <servlet-mapping>     <servlet-name>ProxyTicketReceptor</servlet-name>     <url-pattern>/CasProxyServlet </url-pattern> </servlet-mapping >--><welcome-file-list>    <welcome-file>        index.jsp    </welcome-file></welcome-file-list></web-app>

      *注意:

      • “CAS Validation Filter”需要放在“CAS Authentication Filter”之前
      • 此代理非彼代理
      网上一些文章说的需要配置诸如:
      1. “SingleSignOutHttpSessionListener”
      2. “SingleSignOutFilter”
      3. “ticketValidatorClass”
      4. “ProxyValidate”
      5. “ProxyTicketReceptor”

      均不需要

      • 如果误配了SingleSignOutFilter,会出现异常

        Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: https://proxy.sso.hoau.com:443/cas/proxyValidate?ticket=ST-31-TM9EbFoQbasNdXh11HaJ-cas01.sso.hoau.com&service=https%3A%2F%2Fapp2.hoau.com%3A8423%2Fcas2%3Bjsessionid%3D0CEB865B53E64FF31BF02A496DF73860.tomcat2

        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)  at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)  ... 24 more

* https://app2.hoau.com:8423        web.xml配置同上    >*注意:修改端口

  • CAS服务器(Tomcat x 1)

    • 服务端https://sso.hoau.com:8433

      *注意:

      系列文章CAS (1) —— Mac下配置CAS到Tomcat(服务端)中介绍服务端配置也无需任何修改。

      以下配置:

      1. “Proxy (PGT acquisition)”
      2. “Modern proxy-service validation”

      均不需要

测试

*1. 访问“https://app1.hoau.com:8413/cas1”

会重定向到“https://proxy.sso.hoau.com/cas/login?service=https%3A%2F%2Fapp1.hoau.com%3A8413%2Fcas1”

*2. 然后输入用户明密码(test01/psw01)

如果验证成功,则会将浏览器重定向到app1的登陆成功页面。

*3. 再次访问“https://app1.hoau.com:8413/cas1”

可以直接进入登陆成功页,而无需输入用户名密码。

*4. 访问另一应用

同样可以通过test01用户直接进入登陆成功页,而无需输入用户名密码。

代理下的网络顺序分析

参照另一文章:(待出)

源代码

还在准备,如果需要的童鞋请留言。

0 1
淘宝产品分类 淘宝产品分类
原创粉丝点击
热门IT博客
查询表数据的sql语句查询表数据的sql语句
人工智能 医生人工智能 医生
淘宝卖奶粉需要什么证
fastadmin cms
php 替换双引号
趣丸网络待遇怎么样
美工与平面设计的区别
腾讯jar软件下载
js做二级下拉菜单
js在div后面追加标签
understand linux
java ftp上传文件原理
知乎spam
淘宝联盟 京东
cf怎么修改游戏数据
淘宝电霸三防手机
淘宝卖家如何推广商品
mac money girls
java reflect invoke
平潭怎么样知乎
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 缘分五月歌谱 缘来网登录 缘来网会员登录 缘之空洒洒 缘字谶 苑冉后援会 苑冉老公是谁 约什麦克罗伯茨 月沉吟19楼 月沉吟简介 月岛希良梨的歌 月岛希良梨的图片 月妃传 月姬格斗bgm 月莲h文 月亮神腰突贴 月上重火19楼 月影传说激活码 岳父大人打一字 阅读空气2 跃霸音乐世界 越南鼓麦词 越南妞 270m 越南新娘集体逃婚 越前龙雅图片 越洋追踪 刘德华 越洋追踪刘德华 越野车违章777次 云创通技术罗祖庆总监 云创通罗祖庆总监 云大附中张馨月 云浮一中女生 云河段霄 云聚达 云乐影城 云联盟大唐帝国 云梅网络 云南楚雄货车侧翻 云南留守少年除夕夜自杀 云南人肉遮挡号牌 云南信息港聊天室

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里