cas 单点登陆配置
服务端配置
cas是个好东西,很灵活很好用,可是配置起来很麻烦java
cas官方网站mysql
http://downloads.jasig.org/web
下载服务端 CAS Server 3.3.3 Final算法
一、将服务器端解压,将modules下面的cas-server-webapp-3.3.3.war部署到web服务器,重命名为CAS.war,做为单点的服务器。spring
二、导入modules中的cas-server-support-jdbc-3.3.3.jar包sql
三、导入数据库驱动数据库
四、导入附件中的全部文件 (commons-dbcp.jar,commons-pool-1.3.jar,spring.jar)
apache
数据库:
CREATE TABLE `users` (
`username` varchar(50) DEFAULT NULL,
`password` varchar(50) DEFAULT NULL,
`is_admin` int(11) DEFAULT NULL,
`id` int(11) DEFAULT NULL
)windows
insert into `users`(`username`,`password`,`is_admin`,`id`) values ('zjx','202cb962ac59075b964b07152d234b70',1,123);tomcat
登陆的服务器下面不少配置文件,经过配置能够作一些扩展。
修改点1:验证方式使用咱们本身的用户表验证
cas和当前已有的系统作集成的入口
1.修改deployerConfigContext.xml文件
添加数据源配置
XML/HTML代码
<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost/ires?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password">
<value>i709394</value>
</property>
</bean>
定义MD5的加密方式
XML/HTML代码
<bean id="passwordEncoder"
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" >
<constructor-arg value="MD5"/>
</bean>
配置authenticationManager下面的authenticationHandlers属性
XML/HTML代码
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
<property name="sql" value="select password from users where username = ?" />
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
修改点2:获取用户信息保存,方便各个客户端能够统一获得用户信息
1.定义attributeRepository,经过jdbc查询用户的详细信息,能够把用户表或用户的所属组织机构或角色等查询出来。
XML/HTML代码
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
<constructor-arg index="0" ref="casDataSource" />
<constructor-arg index="1" >
<list>
<value>username</value>
</list>
</constructor-arg>
<constructor-arg index="2">
<value>
select id,username,is_admin from users where username = ?
</value>
</constructor-arg>
<property name="columnsToAttributes">
<map>
<entry key="id" value="id" />
<entry key="username" value="username" />
<entry key="is_admin" value="is_admin" />
</map>
</property>
</bean>
2.配置authenticationManager中credentialsToPrincipalResolvers属性
XML/HTML代码
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
注意:默认cas登陆服务器没有把用户信息传到客户端中,因此要修改WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp文件,增长
XML/HTML代码
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
<cas:attributes>
<c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
</c:forEach>
</cas:attributes>
</c:if>
修改点3:用数据库来保存登陆的会话
这样服务器在从新启动的时候不会丢失会话。
1.修改ticketRegistry.xml文件
将默认的ticketRegistry改为
XML/HTML代码
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.JpaTicketRegistry">
<constructor-arg index="0" ref="entityManagerFactory" />
</bean>
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="dataSource"/>
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="generateDdl" value="true"/>
<property name="showSql" value="true" />
</bean>
</property>
<property name="jpaProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.hbm2ddl.auto">update</prop>
</props>
</property>
</bean>
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
p:entityManagerFactory-ref="entityManagerFactory" />
<tx:annotation-driven transaction-manager="transactionManager"/>
<bean
id="dataSource"
class="org.apache.commons.dbcp.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://192.168.1.100:3306/cas?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true"
p:password="709394"
p:username="itravel" />
配置完以后还须要一些jar的支持,根据提示那些包缺乏到网上找。
修改点4:配置remenber me的功能,可让客户端永久保存session
1.修改deployerConfigContext.xml文件
authenticationManager增长authenticationMetaDataPopulators属性
XML/HTML代码
<property name="authenticationMetaDataPopulators">
<list>
<bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
</list>
</property>
2.修改cas-servlet.xml
修改authenticationViaFormAction配置变成
XML/HTML代码
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:formObjectClass="org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials"
p:formObjectName="credentials"
p:validator-ref="UsernamePasswordCredentialsValidator"
p:warnCookieGenerator-ref="warnCookieGenerator" />
增长UsernamePasswordCredentialsValidator
XML/HTML代码
<bean id="UsernamePasswordCredentialsValidator" class="org.jasig.cas.validation.UsernamePasswordCredentialsValidator" />
修改ticketExpirationPolicies.xml,grantingTicketExpirationPolicy配置以下,注意时间要加大,否则session很容易过时,达不到remember me的效果。
XML/HTML代码
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
<property name="sessionExpirationPolicy">
<bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<constructor-arg index="0" value="2592000000" />
</bean>
</property>
<property name="rememberMeExpirationPolicy">
<bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<constructor-arg index="0" value="2592000000" />
</bean>
</property>
</bean>
修改点5:取消https验证
在网络安全性较好,对系统安全没有那么高的状况下能够取消https验证,使系统更加容易部署。
1.修改ticketGrantingTicketCookieGenerator.xml
XML/HTML代码
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
p:cookieSecure改为false,客户端web.xml中单独服务器的连接改为http
warnCookieGenerator.xml的p:cookieSecure一样设置为false
deployerConfigContext.xml 改为:
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/>
增长p:requireSecure="false"
使用https协议的配置
1.证书生成和导入
下面是一个生成证书和导入证书的bat脚本,若是web应用和单独登陆服务器部署在同一台机能够一块儿执行
C++代码
@echo off
if "%JAVA_HOME%" == "" goto error
@echo on
@echo off
cls
rem please set the env JAVA_HOME before run this bat file
rem delete alia tomcat if it is existed
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
REM (注释: 清除系统中可能存在的名字为tomcatsso 的同名证书)
rem list all alias in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
REM (注释: 列出系统证书仓库中存在证书名称列表)
rem generator a key
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=localhost" -storepass changeit
REM (注释:指定使用RSA算法,生成别名为tomcatsso的证书,存贮口令为changeit,证书的DN为"cn=linly" ,这个DN必须同当前主机完整名称一致哦,切记!!!)
rem export the key
keytool -export -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -storepass changeit
REM (注释: 从keystore中导出别名为tomcatsso的证书,生成文件tomcatsso.crt)
rem import into trust cacerts
keytool -import -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
REM (注释:将tomcatsso.crt导入jre的可信任证书仓库。注意,安装JDK是有两个jre目录,一个在jdk底下,一个是独立的jre,这里的目录必须同Tomcat使用的jre目录一致,不然后面Tomcat的HTTPS通信就找不到证书了)
rem list all alias in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
pause
:error
echo 请先设置JAVA_HOME环境变量
:end
3.将.keystore文件拷贝到tomcat的conf目录下面,注意.keystore会在证书生成的时候生成到系统的用户文件夹中,如windows会生产到C:\Documents and Settings\[yourusername]\下面
2.配置tomcat,把https协议的8443端口打开,指定证书的位置。
XML/HTML代码
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/.keystore" keystorePass="changeit" truststoreFile="C:\Program Files\Java\jdk1.5.0_07\jre\lib\security\cacerts"/>
客户端配置
cas官方网站上面的客户端下载地址比较隐秘,没有彻底公开,具体地址为
http://www.ja-sig.org/downloads/cas-clients/
下载最新的cas-client-3.1.6-release.zip(http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1.6-release.zip)
1.解压后把modules下面的包放到咱们的web应用中
serverName是咱们web应用的地址和端口
XML/HTML代码
注意serverName是客户端应用
<context-param>
<param-name>serverName</param-name>
<param-value>http://192.168.1.145:81</param-value>
</context-param>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>
org.jasig.cas.client.session.SingleSignOutFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</listener-class>
</listener>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>
org.jasig.cas.client.authentication.AuthenticationFilter
</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://192.168.1.100/cas/login</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://192.168.1.100/cas</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.AssertionThreadLocalFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.导入证书,若是不用https的话,这步能够跳过,把tomcatsso.crt证书拷贝到c盘下面,在jdk的bin目录下面运行下面的语句。
JavaScript代码
rem (注释: 清除系统中可能存在的名字为tomcatsso 的同名证书)
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
rem 在客户端的 JVM 里导入信任的 SERVER 的证书 ( 根据状况有可能须要管理员权限 )
keytool -import -alias tomcatsso -file "c:/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
客户端获取登陆用户名和用户信息实例
Java代码
AttributePrincipal principal = (AttributePrincipal) request
.getUserPrincipal();
String username = principal.getName();
System.out.println(username);
System.out.println(principal.getAttributes().get("id"));
System.out.println(principal.getAttributes().get("username"));
System.out.println(principal.getAttributes().get("is_admin"));
response.setContentType("text/plain"); response.getWriter().println("zjx");
- 1. CAS单点登陆配置
- 2. CAS单点登陆-配置中心
- 3. CAS单点登陆-https配置
- 4. Liferay7.0与cas单点登陆配置
- 5. CAS单点登陆-配置中心(三)
- 6. CAS单点登陆的配置
- 7. CAS单点登陆
- 8. CAS单点登陆(一):单点登陆与CAS理论介绍
- 9. cas单点登录配置
- 10. CAS单点登陆-第三方登陆
- 更多相关文章...
- • Eclipse Debug 配置 - Eclipse 教程
- • Maven 环境配置 - Maven教程
- • IntelliJ IDEA 代码格式化配置和快捷键
- • IDEA下SpringBoot工程配置文件没有提示
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. CAS单点登陆配置
- 2. CAS单点登陆-配置中心
- 3. CAS单点登陆-https配置
- 4. Liferay7.0与cas单点登陆配置
- 5. CAS单点登陆-配置中心(三)
- 6. CAS单点登陆的配置
- 7. CAS单点登陆
- 8. CAS单点登陆(一):单点登陆与CAS理论介绍
- 9. cas单点登录配置
- 10. CAS单点登陆-第三方登陆