1. Generate the keystore
command : keytool -genkey -alias testtomcat -keyalg RSA -keystore "C:\Users\rocky\testsso\testtomcat.keystore"
password : 123456
(No -keysize is given; JDK 7's keytool then defaults to a 1024-bit RSA key, so pass -keysize 2048 as the later command does. 123456 is a throwaway demo password.)
2. Configure the Tomcat server.xml
3. Download and extract cas-server-4.0.0-release.zip
~cas-server-webapp-4.0.0.war is in the modules directory.
~copy it to the Tomcat webapps directory and rename it to cas.war.
~run startup.bat as the administrator user.
~https://localhost:8443/cas
~log in with the built-in test user (username : casuser; password : Mellon)
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
update 2016-04-06
1. The certificate is issued for a host name (the CN given in -dname) and hostname verification matches that CN against the host in the URL, so an IP address cannot be used here; a host name such as cas.server.com is used instead and mapped locally through the hosts file.
2. Generate the certificate
keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36500 -alias cas.server.com -keystore C:/Users/rocky/testsso/tomcat.keystore -dname "CN=cas.server.com,OU=cdv,O=cdv,L=bj,ST=bj,C=CN"
(-sigalg SHA1withRSA is shown as originally used; current browsers and JDKs reject SHA-1-signed certificates, so use -sigalg SHA256withRSA for anything beyond this demo. -validity 36500 is a 100-year self-signed certificate, acceptable only for a local test.)
3. Export the certificate (-rfc writes it in PEM form)
keytool -exportcert -alias cas.server.com -keystore C:/Users/rocky/testsso/tomcat.keystore -file C:/Users/rocky/testsso/tomcat.cer -rfc
4. Configure Tomcat for CAS and add the certificate to the browser
(Unlike the absolute-path reference used above, a relative path is now used.) Copy the generated tomcat.keystore into the Tomcat directory.
Import the tomcat.cer exported in step 3 into the browser's trusted certificates.
5. Copy tomcat.cer to the machine the CAS client runs on and import it into the JDK's trust store. This step is required because the client's validation filter calls the CAS server over HTTPS from inside the JVM; if the JVM does not trust the self-signed certificate, ticket validation fails with an SSL handshake error even though the browser has accepted the certificate. The original suggests deleting C:\Program Files\Java\jdk1.7.0_15\jre\lib\security\cacerts so that the import recreates it, and overwriting the copy under C:\Program Files\Java\jre7\lib\security as well. Do not delete cacerts: it holds the public CA roots every Java TLS client on that machine relies on, so removing it breaks every other HTTPS connection made from that JVM. Import into the existing file instead (its default password is changeit), and do so in the JRE that actually runs the client Tomcat.
keytool -import -alias cacerts -keystore cacerts -file C:/Users/rocky/testsso/tomcat.cer -trustcacerts
(The alias is only a label for the trust entry; a descriptive one such as cas.server.com is easier to find later with keytool -list.)
6. Create the CAS client web project casclient, configure its web.xml, and add the required jars
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
  <display-name>ssoclient</display-name>

  <!-- Single sign-out; mapped before the authentication filter so the CAS server's logoutRequest POST is not redirected to the login page -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!-- Redirects unauthenticated requests to the CAS login page; serverName is used to build the service URL sent to CAS -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://cas.server.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>cas.server.com:8081</param-value>
    </init-param>
  </filter>

  <!-- Validates the service ticket with a back-channel HTTPS call to the CAS server (the JVM must trust the CAS certificate) -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://cas.server.com:8443/cas/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>cas.server.com:8081</param-value>
    </init-param>
    <!-- default is true (redirect to strip ?ticket= from the browser URL after validation); false leaves the ticket in the URL -->
    <init-param>
      <param-name>redirectAfterValidation</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>

  <!-- Makes getRemoteUser() return the CAS principal -->
  <filter>
    <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <!-- Exposes the assertion through AssertionHolder -->
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>
Remember to change the relevant ports in Tomcat's server.xml; when several Tomcat instances run on one machine for the experiment, each needs its own ports to avoid conflicts.
7. Open http://cas.server.com:8081/ssoclient/index.jsp in the browser: the address bar changes to the CAS server's login page, and after entering the correct username and password you are redirected back to the client's index.jsp.
Opening http://cas.server.com:8082/ssoclient2/index.jsp then needs no CAS login; index.jsp is shown directly.
update 2016-10-13 14:41
1. Demo environment
Windows 7 64-bit, host name: rocky-PC
JDK : jdk1.7.0_80
tomcat : tomcat-7.0.70
cas-server-4.0.0
cas-client-3.3.3
Add host-name mappings to the Windows hosts file (C:\Windows\System32\drivers\etc):
demo.cdv.com  the Tomcat running CAS (tomcat-cas); this name is used when generating the certificate
app1.cdv.com  tomcat-app1
app2.cdv.com  tomcat-app2
2. Certificate configuration
2.1 Generate the certificate
The name entered must match the hosts file entry (the host name can also be used);
keypass and storepass must be the same, otherwise Tomcat's HTTPS connector cannot open the key (Tomcat uses keystorePass for the key unless keyPass is set separately on the Connector).
2.2 Export the certificate
2.3 Import the certificate on the client
The password entered here is that of the client's cacerts trust store (default changeit), not the one used above; if clients run on several machines, the import has to be repeated on each of them.
3. Deploy the CAS server
3.1 Edit tomcat-cas server.xml
3.2 Start tomcat-cas, open https://demo.cdv.com:8443 and add a browser exception for the self-signed certificate
3.3 Copy cas-server-webapp.war from cas-server-4.0.0 -> modules into the tomcat-cas webapps directory and rename it cas.war
Start tomcat-cas and open https://demo.cdv.com:8443/cas/login
Log in with username casuser, password Mellon
If "Log in successful" is shown, the CAS server is deployed. (casuser/Mellon is the static test account CAS 4.0 ships with in deployerConfigContext.xml; it exists only for this kind of smoke test and must be replaced by a real authentication handler before any application relies on this server.)
4. Deploy the CAS clients
4.1 tomcat-app1
4.1.1 Edit server.xml
..
<Server port="18005" shutdown="SHUTDOWN">
..
<Connector port="18080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" />
Open http://app1.cdv.com:18080/examples/servlets/ to check that the port is reachable
4.1.2 Add the jars
4.1.3 Edit web.xml
<!-- ======================== Single sign-on begin ======================== -->
<!-- Single sign-out: this listener releases the local session when the CAS server sends a logout request; optional -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Single sign-out filter; optional, but when used it must be mapped before the authentication filter -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Redirects unauthenticated requests to the CAS login page; serverName is the scheme, host and port of this application as the browser sees it -->
<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://demo.cdv.com:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app1.cdv.com:18080</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Validates the ticket against the CAS server; must be enabled -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://demo.cdv.com:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app1.cdv.com:18080</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Wraps HttpServletRequest so that, for example, getRemoteUser() returns the SSO user's login name; optional -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Lets the developer obtain the login name through org.jasig.cas.client.util.AssertionHolder, e.g. AssertionHolder.getAssertion().getPrincipal().getName(); optional -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on end ======================== -->
4.2 tomcat-app2 (same as tomcat-app1, with its own ports and serverName)
4.2.1 Edit server.xml
..
<Server port="28005" shutdown="SHUTDOWN">
..
<Connector port="28080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="28443" />
..
4.2.2 Add the jars
4.2.3 Edit web.xml
<!-- ======================== Single sign-on begin ======================== -->
<!-- Single sign-out: this listener releases the local session when the CAS server sends a logout request; optional -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Single sign-out filter; optional, but when used it must be mapped before the authentication filter -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Redirects unauthenticated requests to the CAS login page; serverName is this application's own scheme, host and port -->
<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://demo.cdv.com:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app2.cdv.com:28080</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Validates the ticket against the CAS server; must be enabled -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://demo.cdv.com:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app2.cdv.com:28080</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Wraps HttpServletRequest so that, for example, getRemoteUser() returns the SSO user's login name; optional -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Lets the developer obtain the login name through org.jasig.cas.client.util.AssertionHolder, e.g. AssertionHolder.getAssertion().getPrincipal().getName(); optional -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on end ======================== -->
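To make concrete what the filters above do with serverName and casServerUrlPrefix, here is an added example; it is not code from this post nor from the Jasig CAS client (whose real classes are the ones named in web.xml), but a small stand-alone Python model of the client side of the CAS 2.0 flow, run with tomcat-app1's settings from section 4.1. The same filter chain appears in the earlier casclient web.xml, so it covers that configuration too. The ticket ID, session id and the CAS XML replies are constructed sample data shaped like CAS 4.0 output; the parsing follows the CAS 2.0 serviceValidate response and the SAML logoutRequest that single sign-out posts.

```python
"""Model of the CAS client filter chain (added example, not the post's or
the Jasig client's code). All tickets, session ids and XML replies below
are constructed sample data."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qsl

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
SAMLP_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def service_url(server_name, request_uri, query="", secure=False):
    """Build the `service` value from `serverName` the way the client does:
    a scheme is prepended only when serverName has none (the post uses both
    http://app1.cdv.com:18080 and cas.server.com:8081), and the `ticket`
    parameter is stripped so that the login redirect and the later
    validation call present the same service string to the CAS server."""
    if not server_name.startswith(("http://", "https://")):
        server_name = ("https://" if secure else "http://") + server_name
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k != "ticket"]
    url = server_name + request_uri
    return url + "?" + urlencode(kept) if kept else url


def login_redirect(cas_login_url, service):
    """AuthenticationFilter: no session yet -> redirect to casServerLoginUrl."""
    return cas_login_url + "?" + urlencode({"service": service})


def validate_url(cas_url_prefix, service, ticket):
    """Validation filter: back-channel HTTPS call to casServerUrlPrefix +
    /serviceValidate (this is the call that needs the CAS certificate in
    the JVM trust store). The prefix may or may not end with a slash."""
    return (cas_url_prefix.rstrip("/") + "/serviceValidate?"
            + urlencode({"service": service, "ticket": ticket}))


def parse_validation(xml_text):
    """Parse a CAS 2.0 serviceValidate reply: (user, None) on success,
    (None, failure_code) on failure, ValueError if it is not CAS XML."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return ok.findtext("cas:user", namespaces=CAS_NS), None
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is None:
        raise ValueError("not a CAS serviceResponse")
    return None, fail.get("code")


class SingleSignOutStore:
    """What SingleSignOutFilter keeps: ticket -> session id, recorded when a
    request carrying ?ticket= is seen, and removed when the CAS server
    POSTs a logoutRequest whose SessionIndex is that ticket. This is why
    the filter must run before the authentication filter: that POST has
    no session and would otherwise be redirected to the login page."""
    def __init__(self):
        self.sessions = {}

    def record(self, ticket, session_id):
        self.sessions[ticket] = session_id

    def logout(self, logout_request_xml):
        root = ET.fromstring(logout_request_xml)
        ticket = root.findtext("samlp:SessionIndex", namespaces=SAMLP_NS)
        return self.sessions.pop(ticket, None)  # the session to invalidate


# Constructed sample replies, shaped like CAS 4.0 output.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>casuser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
INVALID_SERVICE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-1-abc' does not match supplied service.
  </cas:authenticationFailure>
</cas:serviceResponse>"""
LOGOUT_XML = """<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
  ID='LR-1-xyz' Version='2.0' IssueInstant='2016-10-13T06:41:00Z'>
  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    """Walk the flow of section 5 with tomcat-app1's web.xml settings."""
    svc = service_url("http://app1.cdv.com:18080",
                      "/examples/servlets/servlet/HelloWorldExample",
                      "ticket=ST-1-abc")
    store = SingleSignOutStore()
    store.record("ST-1-abc", "JSESSIONID-1")
    user, _ = parse_validation(SUCCESS_XML)
    return {
        "login": login_redirect("https://demo.cdv.com:8443/cas/login", svc),
        "validate": validate_url("https://demo.cdv.com:8443/cas", svc, "ST-1-abc"),
        "user": user,
        "mismatch": parse_validation(INVALID_SERVICE_XML)[1],
        "logged_out_session": store.logout(LOGOUT_XML),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note how service_url drops the ticket parameter: the login redirect and the back-channel /serviceValidate call must present the same service string, otherwise the server answers INVALID_SERVICE, which is the usual symptom of a serverName that does not match the host and port the browser actually used.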
5. Test
5.1 Start tomcat-cas, tomcat-app1 and tomcat-app2
5.2 Open http://app1.cdv.com:18080/examples/servlets/servlet/HelloWorldExample
You are redirected to the CAS server login page; after entering the correct username and password you are sent on to the HelloWorld page.
Opening http://app2.cdv.com:28080/examples/servlets/servlet/HelloWorldExample then needs no login.
Opening https://demo.cdv.com:8443/cas/logout logs you out; with the single sign-out filter configured, the CAS server also posts a logoutRequest to app1 and app2 so that their local sessions are invalidated.