CAS Single Sign-On Demo

Contributed by sdxrh2005 on 2012-10-27

Author: dell. Created 2012-10-27 14:08:43. Word count: 12801.

Document summary: CAS Single Sign-On Demo

Stepwise Instructions

Basically, I recommend starting fresh (the instructions are for a Windows XP Professional computer) with no JDK/JRE or Tomcat installed. Microsoft Internet Explorer Version 7.0.5730.11 was used to verify SSL etc.

Step 1: Install JDK

Download jdk-1_5_0_11-windows-i586-p.exe and conduct a typical installation, doing next, next, next. Set the JAVA_HOME system environment variable to, well, the Java home: C:\Program Files\Java\jdk1.5.0_11

Step 2: Use keytool to self-sign a server certificate for the DEMO

The entire Command Prompt dialog is below:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\ukari>cd \program*
    The filename, directory name, or volume label syntax is incorrect.

    C:\Program Files>cd java

    C:\Program Files\Java>cd jdk*

    C:\Program Files\Java\jdk1.5.0_11>cd bin

    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
    Enter keystore password:  changeit
    What is your first and last name?
      [Unknown]:  compA
    What is the name of your organizational unit?
      [Unknown]:  Information Systems
    What is the name of your organization?
      [Unknown]:  Pacific Disaster Center
    What is the name of your City or Locality?
      [Unknown]:  Kihei
    What is the name of your State or Province?
      [Unknown]:  HI
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US correct?
      [no]:  yes

    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
    Enter keystore password:  changeit
    Certificate stored in file <server.crt>

    C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
    Enter keystore password:  changeit
    Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
    Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
    Serial number: 462030d8
    Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007
    Certificate fingerprints:
             MD5:  CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
             SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

    C:\Program Files\Java\jdk1.5.0_11\bin>

CAS Server Name

In the above dialog, it is critical that you enter the CAS server name (compA) as the answer to the following question:

    What is your first and last name?
      [Unknown]:  compA

Whatever you type there becomes the certificate's CN, and the CN must match the host name used in the CAS URLs (compA), because the Java HTTPS client that the CAS filter uses to validate tickets checks the certificate's CN against the host it connected to. Be aware that the transcript as captured above shows CN=localhost in the confirmation line and in the imported certificate; a certificate issued to localhost will be rejected by that check when the filter calls https://compA:8443/cas/serviceValidate. Two further demo-only caveats: keytool's default validity is 90 days, so this certificate expires in July, and the keystore password is the well-known default changeit.

At this stage we have a .keystore file in the current user's profile directory under C:\Documents and Settings\ (keytool's default location) and the %JAVA_HOME%\jre\lib\security\cacerts file with the corresponding certificate. The cacerts import matters even on compA itself: the CAS filter running in compA's JVM validates tickets by calling https://compA:8443/cas/serviceValidate, and that JVM must trust the certificate it is presented.

Step 3: Install Tomcat

Select the Windows Installer version.
· When prompted for a directory, change it to C:\tomcat5.5.23
· When prompted for a JRE, change the default to %JAVA_HOME%\jre (IMPORTANT: this must be the home of the new cacerts from Step 2)
· Click finish and verify that Tomcat is running as a service, and also by browsing to http://localhost:8080
· Ensure that the logs look very clean as well.
· Set the environment variable CATALINA_HOME to C:\tomcat5.5.23

Tomcat JRE Home

In the above dialog, it is critical that you select the JRE home where you put the cacerts file in Step 2.
In this case, please note that we are using %JAVA_HOME%\jre.

Step 4: Configure Tomcat server.xml

· Uncomment the Connector element for port 8443 (SSL).
· Add the keystoreFile, keystorePass and truststoreFile attributes, pointing at the .keystore created in Step 2 (password changeit) and at the cacerts file from Step 2.
· Bounce Tomcat.

On Tomcat 6 you also need to add the following attributes to the Connector definition to activate SSL: SSLEnabled="true" together with protocol="org.apache.coyote.http11.Http11NioProtocol" or protocol="org.apache.coyote.http11.Http11Protocol". Verify the connector by browsing to https://compA:8443/ (expect the browser's untrusted-certificate warning, since the certificate is self-signed) and by checking that the Tomcat logs show the connector initializing without errors.

Step 5: CASify the HelloWorld servlet

· Verify that http://compA:8080/servlets-examples/servlet/HelloWorldExample works.
· Add the CAS client filter to the web.xml of the servlets-examples context. The filter definition uses: filter name CAS Filter; login URL https://compA:8443/cas/login (where the browser is redirected when it has no ticket); validate URL https://compA:8443/cas/serviceValidate (called by the filter itself, server to server, to check the ticket); server name compA:8080 (the host:port the browser uses to reach this application, from which the filter builds the service URL); and a filter mapping of CAS Filter to the URL pattern /servlet/HelloWorldExample.

Step 6: Drop the CAS client jar into the servlets-examples context

Create the lib directory under servlets-examples/WEB-INF, download the CAS client archive into C:\Tomcat5.5.23\webapps\servlets-examples\WEB-INF\lib, and RENAME the .zip file to a .jar file. Note that for Tomcat 6 you must also include commons-logging in the lib folder.

Step 7: Download and deploy CAS

Download the CAS server distribution and extract it all to the c:\cas-server-3.0.7 directory. Copy cas.war from C:\cas-server-3.0.7\cas-server-3.0.7\target to C:\Tomcat5.5.23\webapps (this deploys CAS if Tomcat is running... but just to be sure, see Step 8).

Step 8: Clean start

Stop Tomcat, clear all logs, start Tomcat, and examine the logs.

Step 9: Try it

Use a fresh browser session to access http://compA:8080/servlets-examples/servlet/HelloWorldExample. Get past all browser alerts/warnings (the self-signed certificate) to the CAS login page. Log in as uday/uday (or any username=password string: the demo CAS server ships with a test authentication handler that accepts any user whose password equals the username, which must be replaced before CAS is used for anything real). Again see all sorts of alerts/warnings. See Hello World... success.

Step 10: Set up a distinct domain

Repeat Steps 1 thru 4 above for compB. Just do it; don't worry about creating a proper server certificate etc. The 8443 connector will not initialize without a keystore, so a throwaway self-signed one is all that is needed. So just do it.
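The Step 4 connector, which Step 10 repeats on compB, written out here as an added example for Tomcat 5.5 (this is not the page's own snippet). The keystore path assumes the transcript's user profile (C:\Documents and Settings\ukari\.keystore) and the cacerts path assumes the JDK from Step 1; adjust both to your machine. keystoreFile is set explicitly rather than relying on Tomcat's default of ${user.home}/.keystore, because Tomcat runs as a Windows service under a different account whose user.home is not the profile keytool wrote into.

```xml
<!-- Tomcat 5.5 server.xml: the port 8443 connector from Step 4.
     Added example; keystoreFile and truststoreFile paths are assumptions. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="tomcat"
           keystoreFile="C:/Documents and Settings/ukari/.keystore"
           keystorePass="changeit"
           truststoreFile="C:/Program Files/Java/jdk1.5.0_11/jre/lib/security/cacerts"
           truststorePass="changeit" />
<!-- On Tomcat 6 the same element additionally needs:
     SSLEnabled="true" protocol="org.apache.coyote.http11.Http11Protocol" -->
```

keystorePass is used for both the keystore and the key, which is why Step 2 passed -keypass changeit to keytool. With clientAuth="false" the truststoreFile is not consulted for browser connections at all; the trust that actually decides whether single sign-on works is the JVM's cacerts, which the CAS filter's outbound serviceValidate call relies on (Steps 2 and 13).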
Step 11: CAS-ify the client on the second domain, slightly differently

In Step 5, modify the directions above to add compB as the client host as follows (obviously, leave the rest of it alone):

    Server Name Specification
        compB:8080

Though not needed for this demo, I promised to show you how you may get the user. This is how. Add the following right after the server name specification, as a child of the filter element and as a sibling of the init-param element for the server name. This entry tells the filter to wrap the request, and will allow you to access the login user name as String username = request.getRemoteUser(); within any of the secured JSPs. Try it!

    Config for getting the user name in the request
        true

Another useful tip is that you may secure as many resources as you wish within your context by simply adding another filter mapping:

    Adding multiple secured resources
        CAS Filter -> /servlet/RequestHeaderExample

The final compB web.xml modifications should look as follows: the CAS Filter definition with login URL https://compA:8443/cas/login, validate URL https://compA:8443/cas/serviceValidate, server name compB:8080 and the request-wrapping parameter set to true, followed by two filter mappings of CAS Filter to /servlet/HelloWorldExample and /servlet/RequestHeaderExample. Note that the login and validate URLs still point at compA, which is the single CAS server; only the server name changes to compB:8080, because that is the host:port the browser uses to reach this application and the filter uses it to build the service URL that CAS binds the ticket to.

Step 12: Drop the CAS client jar into the servlets-examples context

Identical to Step 6, but for compB.

Step 13: Establish trust with the CAS SSO server

When the CAS filter on compB validates a service ticket, it is compB's JVM (not the browser) that opens https://compA:8443/cas/serviceValidate, so compB's JVM must trust compA's self-signed certificate or validation fails with an SSL handshake error. Here is the most elegant way to do it, I think. On compB, simply:
· copy cacerts to cacerts.old (to save it, just in case);
· compile the class below with javac InstallCert.java and run java InstallCert compA:8443 (i.e. provide the argument "compA:8443" to the executable "InstallCert"), using the java from the JRE Tomcat runs on (%JAVA_HOME%\bin\java), since the program writes to the cacerts under that JRE's java.home;
· compare the sha1 fingerprint it prints with the SHA1 fingerprint keytool printed on compA in Step 2, and only then answer 1 to the prompt.

This will add compA into the trust store of compB (while neatly obviating the problem discussed in the Sun blog referenced above). Note that this version stores the certificate back into the same keystore file it loaded (the FileOutputStream(file) near the end), which is why running it against the JRE's cacerts is enough. The adapted source code, from the Sun Microsystems blog by Andreas Sterbenz, is shown below.

    /*
     * @(#) 1.1 06/10/09
     *
     * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
     * Use is subject to license terms.
     */

    import java.io.*;
    import java.security.*;
    import java.security.cert.*;
    import javax.net.ssl.*;

    public class InstallCert {

        public static void main(String[] args) throws Exception {
            String host;
            int port;
            char[] passphrase;
            if ((args.length == 1) || (args.length == 2)) {
                String[] c = args[0].split(":");
                host = c[0];
                port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
                String p = (args.length == 1) ? "changeit" : args[1];
                passphrase = p.toCharArray();
            } else {
                System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
                return;
            }

            // Pick the trust store: jssecacerts in the current directory, then
            // jssecacerts under java.home/lib/security, then cacerts there.
            File file = new File("jssecacerts");
            if (file.isFile() == false) {
                char SEP = File.separatorChar;
                File dir = new File(System.getProperty("java.home") + SEP
                        + "lib" + SEP + "security");
                file = new File(dir, "jssecacerts");
                if (file.isFile() == false) {
                    file = new File(dir, "cacerts");
                }
            }
            System.out.println("Loading KeyStore " + file + "...");
            InputStream in = new FileInputStream(file);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, passphrase);
            in.close();

            // Wrap the default trust manager so the server's chain is captured
            // even when the handshake fails because the chain is untrusted.
            SSLContext context = SSLContext.getInstance("TLS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
            SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
            context.init(null, new TrustManager[] { tm }, null);
            SSLSocketFactory factory = context.getSocketFactory();

            System.out.println("Opening connection to " + host + ":" + port + "...");
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            socket.setSoTimeout(10000);
            try {
                System.out.println("Starting SSL handshake...");
                socket.startHandshake();
                socket.close();
                System.out.println();
                System.out.println("No errors, certificate is already trusted");
            } catch (SSLException e) {
                System.out.println();
                e.printStackTrace(System.out);
            }

            X509Certificate[] chain = tm.chain;
            if (chain == null) {
                System.out.println("Could not obtain server certificate chain");
                return;
            }

            BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

            System.out.println();
            System.out.println("Server sent " + chain.length + " certificate(s):");
            System.out.println();
            MessageDigest sha1 = MessageDigest.getInstance("SHA1");
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = chain[i];
                System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
                System.out.println("   Issuer  " + cert.getIssuerDN());
                sha1.update(cert.getEncoded());
                System.out.println("   sha1    " + toHexString(sha1.digest()));
                md5.update(cert.getEncoded());
                System.out.println("   md5     " + toHexString(md5.digest()));
                System.out.println();
            }

            System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
            String line = reader.readLine().trim();
            int k;
            try {
                k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
            } catch (NumberFormatException e) {
                System.out.println("KeyStore not changed");
                return;
            }
            if (k < 0 || k >= chain.length) {
                System.out.println("KeyStore not changed");
                return;
            }

            X509Certificate cert = chain[k];
            String alias = host + "-" + (k + 1);
            ks.setCertificateEntry(alias, cert);

            // Store the updated trust store back into the file that was loaded.
            OutputStream out = new FileOutputStream(file);
            ks.store(out, passphrase);
            out.close();

            System.out.println();
            System.out.println(cert);
            System.out.println();
            System.out.println("Added certificate to keystore '" + file + "' using alias '" + alias + "'");
        }

        private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

        private static String toHexString(byte[] bytes) {
            StringBuilder sb = new StringBuilder(bytes.length * 3);
            for (int b : bytes) {
                b &= 0xff;
                sb.append(HEXDIGITS[b >> 4]);
                sb.append(HEXDIGITS[b & 15]);
                sb.append(' ');
            }
            return sb.toString();
        }

        private static class SavingTrustManager implements X509TrustManager {

            private final X509TrustManager tm;
            private X509Certificate[] chain;

            SavingTrustManager(X509TrustManager tm) {
                this.tm = tm;
            }

            public X509Certificate[] getAcceptedIssuers() {
                throw new UnsupportedOperationException();
            }

            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new UnsupportedOperationException();
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                this.chain = chain;
                tm.checkServerTrusted(chain, authType);
            }
        }
    }

Step 14: Test

Clean the logs and restart Tomcat on compB. Repeat Step 9, changing compA to compB in the URL. You should not be challenged to log in (QED): the browser still holds the CAS single sign-on cookie from compA, so CAS issues compB a ticket without prompting.

Restart Tomcat on the CAS server (compA) and try again. The demo CAS server keeps its tickets in memory, so this discards the single sign-on session: you should have to log in once, on compB, and not again on compA.
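The complete web.xml filter configuration for compB that Steps 5 and 11 describe, written out here as an added example (it is not the page's own listing, whose element names did not survive). It assumes the Yale CAS Java client filter, edu.yale.its.tp.cas.client.filter.CASFilter, and its init-param names loginUrl, validateUrl, serverName and wrapRequest under the edu.yale.its.tp.cas.client.filter prefix; check those names against the client jar you dropped in Steps 6 and 12 before relying on them. For compA the only difference is serverName compA:8080 and the absence of the wrapRequest parameter.

```xml
<!-- servlets-examples/WEB-INF/web.xml on compB. Added example; the filter
     class and init-param names are assumed from the Yale CAS client. -->
<web-app>

  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <!-- Browser is redirected here when it has no service ticket. -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://compA:8443/cas/login</param-value>
    </init-param>
    <!-- Called from compB's JVM, server to server; compB's cacerts must
         therefore trust compA's certificate (Step 13). -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://compA:8443/cas/serviceValidate</param-value>
    </init-param>
    <!-- host:port as the browser sees this application; the filter builds the
         service URL from it and CAS binds the ticket to that service. -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>compB:8080</param-value>
    </init-param>
    <!-- Wrap the request so request.getRemoteUser() returns the CAS user. -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/servlet/HelloWorldExample</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/servlet/RequestHeaderExample</url-pattern>
  </filter-mapping>

</web-app>
```

Only the listed URL patterns are protected; anything else in the context stays anonymous, so map every resource you expect to be behind CAS explicitly, and keep the serverName in step with whatever host name users actually type, since a mismatch makes CAS reject the ticket as issued for a different service.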


