CAS实现单点登录

jopen 7年前

CAS介绍

  • 开源的企业级单点登录解决方案
  • CAS Server 是需要独立部署的 Web 应用
  • CAS Client 支持非常多的客户端(这里指单点登录系统中的各个 Web 应用),包括 Java, .Net, PHP, Perl, Apache, uPortal, Ruby 等
       

CAS服务部署

  • CAS服务端下载:http://downloads.jasig.org/cas/
  • 解压zip文件,改名为cas.war,然后复制到tomcat/webapp目录下
  • 浏览器访问:http://localhost:8080/cas


CAS-SERVER的默认验证规则:只要用户名和密码相同就认证通过(仅仅用于测试,生成环境需要根据实际情况修改),输入admin/admin 点击登录,就可以看到登录成功的页面

Tomcat配置HTTPS

  • 创建证书

       这里使用JDK生成的证书,正式环境需购买专业提供商的证书

       用JDK自带的keytool工具生成证书:

keytool -genkey -alias xiaokaceng -keyalg RSA -keystore d  :/cas/xiaokaceng

注意:127.0.0.1==sso.xiaokaceng.com 在C:\Windows\System32\drivers\etc\hosts配置,只能输入域名不能输入IP

  • 导出证书

keytool -export -file d:/cas/xiaokaceng.crt -alias xiaoka  ceng -keystore d:/cas/xiaokaceng

证书导出完成,可提供JDK使用

  • JVM导入证书

keytool -import -keystore D:\JavaDev\jdk1.7\jre\lib\secur  ity\cacerts -file d:\cas\xiaokaceng.crt -alias xiaokaceng

特别提示:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

那么请输入密码:changeit

  • 应用到Web容器

       启用Tomcat的SSL,开启83和87的注释,配置keystoreFile和keystorePass

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"                 maxThreads="150" scheme="https" secure="true"                 clientAuth="false" sslProtocol="TLS" keystoreFile="D:/cas/xiaokaceng" keystorePass="123456"/>

注意:keystoreFile和keystorePass有大小写之分


CAS登录

  • 启动两个tomcat客户端,修改其端口(tomcat默认自带的 webapps\examples 作为演示的简单web项目)
  • 整合CAS-Client

      CAS-Client 下载地址:http://downloads.jasig.org/cas-clients/,解压并拷贝相应jar

  


修改web.xml

<!-- ======================== 单点登录开始 ======================== -->      <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->      <listener>        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>      </listener>        <!-- 该过滤器用于实现单点登出功能,可选配置。 -->      <filter>        <filter-name>CAS Single Sign Out Filter</filter-name>        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>      </filter>      <filter-mapping>        <filter-name>CAS Single Sign Out Filter</filter-name>        <url-pattern>/*</url-pattern>      </filter-mapping>        <filter>        <filter-name>CAS Filter</filter-name>        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>        <init-param>          <param-name>casServerLoginUrl</param-name>          <param-value>https://sso.xiaokaceng.com:8443/cas/login</param-value>        </init-param>        <init-param>          <param-name>serverName</param-name>          <param-value>http://localhost:18080</param-value>        </init-param>      </filter>      <filter-mapping>        <filter-name>CAS Filter</filter-name>        <url-pattern>/*</url-pattern>      </filter-mapping>      <!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->      <filter>        <filter-name>CAS Validation Filter</filter-name>        <filter-class>          org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>        <init-param>          <param-name>casServerUrlPrefix</param-name>          <param-value>https://sso.xiaokaceng.com:8443/cas</param-value>        </init-param>        <init-param>          <param-name>serverName</param-name>          <param-value>http://localhost:18080</param-value>        </init-param>      </filter>      <filter-mapping>        <filter-name>CAS Validation Filter</filter-name>        <url-pattern>/*</url-pattern>      </filter-mapping>        <!--        该过滤器负责实现HttpServletRequest请求的包裹,        比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。      -->      <filter>        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>        <filter-class>          org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>      </filter>      <filter-mapping>        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>        <url-pattern>/*</url-pattern>      </filter-mapping>        <!--      该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。      比如AssertionHolder.getAssertion().getPrincipal().getName()。      -->      <filter>        <filter-name>CAS Assertion Thread Local Filter</filter-name>        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>      </filter>      <filter-mapping>        <filter-name>CAS Assertion Thread Local Filter</filter-name>        <url-pattern>/*</url-pattern>      </filter-mapping>        <!-- ======================== 单点登录结束 ======================== -->


测试验证,访问http://localhost:18080/examples/servlets/servlet/HelloWorldExample


CAS登出

退出链接为:https://sso.xiaokaceng.com:8443/cas/logout


CAS服务界面

  • 登录界面:casLoginView.jsp
  • 登录成功:casGenericSuccess.jsp
  • 登出界面:casLogoutView.jsp

来自:http://my.oschina.net/u/1264515/blog/181598