CAS服务下单点登录

jopen 11年前

此文的目的是为了加深自己的理解,做一个备份与分享

过程全为自己的实际操作步骤

第一步:准备的环境

win7 64位的系统

jdk1.6.0_37

apache-tomcat-6.0.14

cas-server-3.4.8-release

cas-client-3.2.0-release

这里用到的是tomcat自带作为测试的程序


首先,找到系统的hosts文件( C:\Windows\System32\drivers\etc\hosts )增加


在本机映射三个域名

127.0.0.1   cas.baishi.com

127.0.0.1   app1.baishi.com

127.0.0.1   app2.baishi.com

解释,其中,cas.baishi.com对应部署cas server的tomcat ,这个域名对应证书的生成

app1.baishi.com对应部署app1应用的tomcat

app2.baishi.com对应部署app2应用的tomcat

第二步:部署cas的服务

(1)首先,我在D盘下建一个文件夹,如D:/baishikeys 接着用jdk自带的keytool生成证书,即在cmd命令中键入

keytool -genkey -alias baishi -keyalg RSA -keystore “D:/baishikeys/baishikey” 该命令生成keys证书

baishi为证书的别名,执行结果如下图,注意其中姓氏要写之前cas server对应的域名CAS服务下单点登录
(2)导出证书

keytool -export -file d:/baishikeys/baishi.crt -alias baishi -keystore d:/baishikeys/baishikey

执行结果如图(其中密码和上面证书密码一致)

CAS服务下单点登录

(3)把证书导入JDK中

先找到你安装的jdk目录中cacerts文件删掉,如D:\Program Files\Java\jdk1.6.0_37\jre\lib\security\cacerts

这样的目的是避免后面报错

执行keytool -import -keystore "D:\Program Files\Java\jdk1.6.0_37\jre\lib\security\cacerts" -file D:/baishikeys/baishi.crt -alias baishi

执行结果如图(其中密码和上面一致就行)CAS服务下单点登录

第三步:配置cas的服务端

解压apache-tomcat-6.0.14重命名为apache-tomcat-cas

把下载的cas-server-3.4.8-release包解压,在文件modules中,找到cas-server-webapps-3.4.8.war

复制到apache-tomcat-caswebapps文件夹下,重命名为 cas.war,打开apache-tomcat-cas的

conf/server.xml文件,

找到6472中间的注释打开,改为

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" 

              keystoreFile="D:/baishikeys/baishikey"

              keystorePass="123456"

   />

其中keystoreFile是创建证书的路径,keystorePass是创建证书的密码,到此cas服务的配置完成

启动cas服务的apache-tomcat-cas,访问https://cas.baishi.com:8443/cas

执行图:点击继续浏览此网站CAS服务下单点登录

执行后图

CAS服务下单点登录

用户名和密码输入相同的字符串就可以通过了

CAS服务下单点登录

到此cas服务端的配置成功了

第四步:配置cas的客户端

(1) 安装配置 apache-tomcat-app1

解压apache-tomcat-6.0.14 .tar,改名为apache-tomcat-app1对应应用app1的服务

修改apache-tomcat-app1的启动端口,在文件conf/server.xml文件找到如下内容:

<Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
改成

<Connector port="18080" protocol="HTTP/1.1"

              connectionTimeout="20000"

              redirectPort="18443" />
4 <Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />

为了避免多个tomcat冲突,把<Server port="8005" shutdown="SHUTDOWN">也改成 <Server port="8085" shutdown="SHUTDOWN">

启动apache-tomcat-app1</span> ,浏览器输入 http://app 1 .baishi.com: 1 8080/examples/servlets/ 回车:

CAS服务下单点登录

则tomcat配置成功

接下来复制 client的lib包cas-client-core-3.2.0.jarapache-tomcat-app1\webapps\examples\WEB-INF\lib\目录下, 在apache-tomcat-app1\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:

<!-- ======================== 单点登录开始 ======================== -->

        <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->

        <listener>

      

<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>


       </listener>

 

        <!-- 该过滤器用于实现单点登出功能,可选配置 -->

        <filter>

            <filter-name>CAS Single Sign Out Filter</filter-name>

            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS Single Sign Out Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <filter>

            <filter-name>CAS Filter</filter-name>

            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

            <init-param>

                <param-name>casServerLoginUrl</param-name>

                <param-value>https://cas.baishi.com:8443/cas/login</param-value>

            </init-param>

            <init-param>

                <param-name>serverName</param-name>

                <param-value>http://app1.baishi.com:18080</param-value>

           </init-param>

        </filter>

        <filter-mapping>

            <filter-name>CAS Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

        <!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->

        <filter>

            <filter-name>CAS Validation Filter</filter-name>

            <filter-class>

                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

            <init-param>

                <param-name>casServerUrlPrefix</param-name>

                <param-value>https://cas.baishi.com:8443/cas</param-value>

            </init-param>

           <init-param>

                <param-name>serverName</param-name>

                <param-value>http://app1.baishi.com:18080</param-value>

           </init-param>

        </filter>

        <filter-mapping>

            <filter-name>CAS Validation Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!--

            该过滤器负责实现HttpServletRequest请求的包裹,

            比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。

        -->

        <filter>

           <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

            <filter-class>

                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

    <!--

        该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。

        比如AssertionHolder.getAssertion().getPrincipal().getName()。

        -->

        <filter>

            <filter-name>CAS Assertion Thread Local Filter</filter-name>

            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS Assertion Thread Local Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!-- ======================== 单点登录结束 ======================== -->

(2) 安装配置 apache-tomcat-app2

解压apache-tomcat-6.0.14 .tar,改名为apache-tomcat-app2对应应用app2的服务

修改apache-tomcat-app2的启动端口,在文件conf/server.xml文件找到如下内容:

<Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
改成

<Connector port="28080" protocol="HTTP/1.1"

              connectionTimeout="20000"

              redirectPort="28443" />
4 <Connector port="28009" protocol="AJP/1.3" redirectPort="28443" />

为了避免多个tomcat冲突,把<Server port="8005" shutdown="SHUTDOWN">也改成<Server port="8095" shutdown="SHUTDOWN">

启动apache-tomcat-app2 ,浏览器输入 http://app 2 .baishi.com: 2 8080/examples/servlets/ 回车:

按照上述(1)中的方法验证是否成功。


接下来复制 client的lib包cas-client-core-3.2.0.jar到 apache-tomcat-app2\webapps\examples\WEB-INF\lib\目录下, 在apache-tomcat-app2\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:

<!-- ======================== 单点登录开始 ======================== -->

        <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->

        <listener>

      

<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>


       </listener>

 

        <!-- 该过滤器用于实现单点登出功能,可选配置 -->

        <filter>

            <filter-name>CAS Single Sign Out Filter</filter-name>

            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS Single Sign Out Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <filter>

            <filter-name>CAS Filter</filter-name>

            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

            <init-param>

                <param-name>casServerLoginUrl</param-name>

                <param-value>https://cas.baishi.com:8443/cas/login</param-value>

            </init-param>

            <init-param>

                <param-name>serverName</param-name>

                <param-value>http://app2.baishi.com:18080</param-value>

           </init-param>

        </filter>

        <filter-mapping>

            <filter-name>CAS Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

        <!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->

        <filter>

            <filter-name>CAS Validation Filter</filter-name>

            <filter-class>

                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

            <init-param>

                <param-name>casServerUrlPrefix</param-name>

                <param-value>https://cas.baishi.com:8443/cas</param-value>

            </init-param>

           <init-param>

                <param-name>serverName</param-name>

                <param-value>http://app2.baishi.com:18080</param-value>

           </init-param>

        </filter>

        <filter-mapping>

            <filter-name>CAS Validation Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!--

            该过滤器负责实现HttpServletRequest请求的包裹,

            比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。

        -->

        <filter>

           <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

            <filter-class>

                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

    <!--

        该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。

        比如AssertionHolder.getAssertion().getPrincipal().getName()。

        -->

        <filter>

            <filter-name>CAS Assertion Thread Local Filter</filter-name>

            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>

        </filter>

        <filter-mapping>

            <filter-name>CAS Assertion Thread Local Filter</filter-name>

            <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!-- ======================== 单点登录结束 ======================== -->


第五步:测试

启动之前配置好的三个tomcat分别为:apache-tomcat-casapache-tomcat-app1apache-tomcat-app2.

打开浏览器地址栏中输入:http://app1.baishi.com:18080/examples/servlets/servlet/HelloWorldExample

输入账户和密码之后会出现Hello World

之浏览器地址中输入http://app2.baishi.com:28080/examples/servlets/servlet/HelloWorldExample

就不用输入账户和密码了,直接进入Hello World

最后地址栏中输入:https://cas.baishi.com:8443/cas/logout会注销这个流程,重新开始认证

以上就是整个cas单点登录的简单配置


如果有cas服务的tomcat报错java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR

只需把

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" 

              keystoreFile="D:/baishikeys/baishikey"

              keystorePass="123456"

   />

改成

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" 

              keystoreFile="D:/baishikeys/baishikey"

              keystorePass="123456"

   />

即可