SSO之CAS单点登陆详细搭建
SSO之CAS单点登陆详细搭建 :
环境说明:
同一个机器上环境以下:
操做系统:windows7 64位
JDK版本:1.7.0_80
web容器版本:apache-tomcat-7.0.70 64位
服务端:cas-3.5.2.1.zip
服务端如今地址:https://github.com/apereo/cas/archive/v4.2.3.zip
客户端:cas-client-3.3.3-release.zip
客户端下载地址:http://developer.jasig.org/cas-clients/
eclipse版本:eclipse-jee-luna-SR2-win32-x86_64.ziphtml
一、将cas-3.5.2.1 cas-client-3.3.3 标准maven工程导入eclipse 打包编译;java
二、修改本机 C:\Windows\System32\drivers\etc\hosts (CAS单点登陆系统是基于JAVA安全证书的 https 访问,要使用CAS单点登陆必需要配置域名, cas是不能经过ip访问的.)
附件-->记事本管理员权限编辑hosts文件,加入以下三行代码后保存。
127.0.0.1 server.flyer.com
127.0.0.1 client1.flyer.com
127.0.0.1 client2.flyer.commysql
解释:
server.flyer.com =>> 对应部署cas server的tomcat,这个虚拟域名还用于服务端证书生成
client1.flyer.com =>> 对应部署client1客户端应用的tomcat
client2.flyer.com =>> 对应部署client2客户端应用的tomcatgit
三、安全证书配置github
3.一、管理员模式打开cmd命令窗口,生成证书,在cmd窗口输入如下命令:
C:\Users\Administrator>keytool -genkey -alias ssoflyer -keyalg RSA -keysize 1024 -keypass flyer2016 -validity 365 -keystore D:\app\flyer.keystore -storepass flyer2016
说明:-alias自定义的别名;
-keypass指定证书密钥库的密码;
-storepass和前面keypass密码相同,不然下面tomcat配置https会访问失败;
-keystore指定证书的位置,例如:D:\app\目录,密钥库名称能够自定义,例如:flyer.keystore
特别注意:您的名字与姓氏是什么?该项必定要使用网站的域名,例如: server.flyer.com ,Cas Client使用httpclient访问cas server的时候,会严格的检查证书。
示例以下:
C:\Users\Administrator>keytool -genkey -alias ssoflyer -keyalg RSA -keysize 1024 -keypass flyer2016 -validity 365 -keystore D:\app\flyer.keystore -storepass flyer2016
您的名字与姓氏是什么?
[Unknown]: server.flyer.com
您的组织单位名称是什么?
[Unknown]: HCZX_hczx
您的组织名称是什么?
[Unknown]: kaifabumen
您所在的城市或区域名称是什么?
[Unknown]: longgangbantian
您所在的州或省份名称是什么?
[Unknown]: guangdong
该单位的两字母国家代码是什么
[Unknown]: 0755
CN=server.flyer.com, OU=HCZX_hczx, O=kaifabumen, L=longgangbantian, ST=guangdong, C=0755 正确吗?
[否]: y
web
3.二、导出证书:
在cmd窗口继续输入如下命令,导出证书:
C:\Users\Administrator>keytool -export -alias ssoflyer -keystore D:\app\flyer.keystore -file D:\app\ssoflyer.crt -storepass flyer2016sql
说明:-alias后面的名称要与生成证书的命令里面的alias的名称一致;
–keystore后面指定证书存放的位置,上面定义的D:\app\目录;
证书名称要与【生成证书】对应的命令里的keystore名称一致.这里是flyer.keystore;
-file后面才crt路径,指定在D:\app\目录;
–storepass的证书密码要与上面输入的密码一致.数据库
3.三、客户端导入证书express
在cmd窗口输入命令:
添加 keypair JDK
keytool -importcert -alias ssoflyer -file D:\app\ssoflyer.crt -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit -noprompt
查看 keypair: JDK
keytool -list -alias ssoflyer -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit
删除 keypair: JDK
keytool -delete -keystore %JAVA_HOME%\jre\lib\security\cacerts -alias ssoflyer -storepass changeitapache
添加 keypair: JRE
keytool -importcert -alias ssoflyer -file D:\app\ssoflyer.crt -keystore D:\app\Java\jre1.7.0_80\lib\security\cacerts -storepass changeit -noprompt
查看 keypair: JRE
keytool -list -alias ssoflyer -keystore D:\app\Java\jre1.7.0_80\lib\security\cacerts -storepass changeit
删除 keypair: JRE
keytool -delete -keystore D:\app\Java\jre1.7.0_80\lib\security\cacerts -alias ssoflyer -storepass changeit
说明:-file指定证书的位置,上一步导出证书的位置,即D:\app\ssoflyer.crt;
实际测试过程当中,最好jdk jre的security中都把证书导入;
这里-storepass的密码必需要输入changeit,不能输入上面指定的密码 flyer2016 ,不然导入客户端证书会有问题。
四、部署CAS-Server相关的Tomcat
apache-tomcat-7.0.70-server配置HTTPS 编辑D:\app\apache-tomcat-7.0.70-server\conf\server.xml,找到下面片断:
注释:
<!--APR library loader. Documentation at /docs/apr.html
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
-->
拷贝一份,修改为:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="D:/app/flyer.keystore" keystorePass="flyer2016"
clientAuth="false" sslProtocol="TLS" />
其中,keystoreFile就是建立证书的路径,keystorePass就是建立证书的密码.
启动tomcat 验证https是否配置成功,浏览器访问,在地址栏输入
https://server.flyer.com:8443/ 出现tomcat欢迎页,代表tomcat的https配置OK.
点击【我已充分了解可能的风险】,点击出现的【添加例外】—【确认安全例外】!
部署CAS-Server,将打包编译好的cas.war,把改文件copy到D:\app\apache-tomcat-7.0.70-server\webapps\webapps 目录下。
启动tomcat,在浏览器地址栏输入:https://server.flyer.com:8443/cas ,出现CAS服务端的登陆验证首页,表示配置OK.
用mysql来进行用户名密码验证,具体配置以下:
用户名和密码确定须要和数据库进行交互验证的,如何配置呢?
【说明】:我本地使用的是mysql数据库。
一、修改工程cas-server-webapp 中的 deployerConfigContext.xml文件
<bean
class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
<property name="dataSource" ref="casDataSource"></property>
<property name="tableUsers" value="cas_login"></property>
<property name="fieldUser" value="user_name"></property>
<property name="fieldPassword" value="passwords"></property>
<property name="passwordEncoder" ref="MD5PasswordEncoder"></property>
</bean>
<bean id="MD5PasswordEncoder"
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
<constructor-arg index="0">
<value>MD5</value>
</constructor-arg>
</bean>
<!-- 定义数据源 -->
<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url"
value="jdbc:mysql://localhost:3306/appstore?useUnicode=true&characterEncoding=utf8" />
<property name="username" value="root" />
<property name="password" value="root123456" />
<property name="minEvictableIdleTimeMillis" value="-1" />
<property name="validationQuery" value="select 1 from dual" />
</bean>
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
<constructor-arg index="0" ref="casDataSource" />
<constructor-arg index="1"
value="select user_name username from cas_login where user_name=?" />
<property name="queryAttributeMapping">
<map>
<entry key="username" value="user_name" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<entry key="username" value="user_name" />
</map>
</property>
</bean>
五、部署CAS客户端相关的Tomcat
首先,客户端应用是要和CAS服务端进行交互的,因此这里须要jar文件,放在客户端应用的lib目录下。分别是:
apache-tomcat-7.0.70-client1\webapps\castest\WEB-INF\lib
cas-client-core-3.3.3.jar
commons-logging-1.1.1.jar
log4j-1.2.15.jar
slf4j-api-1.7.1.jar
slf4j-log4j12-1.7.1.jar
建立一个jsp
apache-tomcat-7.0.70-client1\webapps\castest\index.jsp
配置D:\app\apache-tomcat-7.0.70-client1客户端1:
修改tomcat的启动端口:
编辑D:\app\apache-tomcat-7.0.70-client1\conf\server.xml文件,找到以下2处内容:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
修改成:
<Connector port="8088" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
修改成:
<Connector port="8021" protocol="AJP/1.3" redirectPort="8443" />
<Server port="8005" shutdown="SHUTDOWN">
修改成:
<Server port="8006" shutdown="SHUTDOWN">
启动这个tomcat,即运行D:\app\apache-tomcat-7.0.70-client1\bin\startup.bat。
浏览器输入 http://client1.flyer.com:8088/castest/ 显示到刚编辑的jsp标识配置正常。
编辑D:\app\apache-tomcat-7.0.70-client1\webapps\castest\WEB-INF\web.xml,在最下面加入以下配置:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0"
metadata-complete="true">
<description>Servlet and JSP Examples.</description>
<display-name>Servlet and JSP Examples</display-name>
<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 该过滤器用于实现单点登出功能,可选配置。 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器负责用户的认证工做,必须启用它 -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://server.flyer.com:8443/cas/login</param-value>
</init-param>
<init-param>
<!--这里的客户端server是服务端的IP-->
<param-name>serverName</param-name>
<param-value>http://client1.flyer.com:8088</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
2.ValidationFilter
该过滤器负责对请求参数Ticket进行验证(ticket参数是负责子系统与CAS进行验证交互的凭证)
casServerUrlPrefix:CAS服务访问地址
serverName:当前应用所在的主机名
-->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://server.flyer.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://client1.flyer.com:8088</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
3.HttpServletRequestWrapperFilter
这个是HttpServletRequest的包裹类,让他支持getUserPrincipal,getRemoteUser方法来取得用户信息
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
4.AssertionThreadLocalFilter
这个类把Assertion信息放在ThreadLocal变量中,这样应用程序不在web层也可以获取到当前登陆信息
Assertion assertion = AssertionHolder.getAssertion();
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
配置完成后,启动CAS服务端tomcat,再启动该客户端1的tomcat,在浏览器访问:
http://client1.flyer.com:8088/castest
看看是否跳转到了CAS认证界面,回车以后
认证观察会发现浏览器的地址栏中(我用的是火狐浏览器),URL信息是这样的:
https://server.flyer.com:8443/cas/login?service=http%3A%2F%2Fclient1.flyer.com%3A8088%2Fcastest%2F
因为你没有登陆CAS认证系统,CAS认证系统拦截到你访问的客户端应用,首先进入到认证系统登陆界面,同时URL后面加上你想访问的地址信息,当你登陆成功后,CAS服务会转向到你刚刚访问的地址,也就是:
http://client1.flyer.com:8088/castest/
六、配置第二台tomcat,参见上步的server.xml修改
修改编辑D:\app\apache-tomcat-7.0.70-client2\webapps\castest\WEB-INF\web.xml文件,加入的内容就是上面在第一个客户端的web.xml内容一致:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0"
metadata-complete="true">
<description>Servlet and JSP Examples.</description>
<display-name>Servlet and JSP Examples</display-name>
<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 该过滤器用于实现单点登出功能,可选配置。 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器负责用户的认证工做,必须启用它 -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://server.flyer.com:8443/cas/login</param-value>
</init-param>
<init-param>
<!--这里的客户端server是服务端的IP-->
<param-name>serverName</param-name>
<param-value>http://client2.flyer.com:8088</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
2.ValidationFilter
该过滤器负责对请求参数Ticket进行验证(ticket参数是负责子系统与CAS进行验证交互的凭证)
casServerUrlPrefix:CAS服务访问地址
serverName:当前应用所在的主机名
-->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://server.flyer.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://client2.flyer.com:8088</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
3.HttpServletRequestWrapperFilter
这个是HttpServletRequest的包裹类,让他支持getUserPrincipal,getRemoteUser方法来取得用户信息
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
4.AssertionThreadLocalFilter
这个类把Assertion信息放在ThreadLocal变量中,这样应用程序不在web层也可以获取到当前登陆信息
Assertion assertion = AssertionHolder.getAssertion();
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
至此,2个客户端也已经配置完毕,启动配置好的三个tomcat分别为:CAS服务端tomcat、2个客户端tomcat
下面截图,根据上面所示进行测试,看看是否与上面说的流程一致:
首先,打开火狐浏览器,地址栏输入:
http://client2.flyer.com:8089/castest2
- 1. SSO之CAS单点登陆详细搭建教程(转)
- 2. SSO之CAS单点登陆详细搭建教程
- 3. SSO CAS单点登陆搭建详细步骤及源码
- 4. SSO之CAS单点登录详细搭建教程
- 5. CAS单点登陆(SSO)
- 6. JAVA CAS单点登陆(SSO)
- 7. Cas sso单点登陆(二)
- 8. 搭建cas单点登陆
- 9. CAS实现SSO单点登陆-CAS Server搭建
- 10. CAS实现SSO单点登陆-CAS Server 5.3搭建
- 更多相关文章...
- • SSH框架(Struts2+Spring+Hibernate)搭建整合详细步骤 - Spring教程
- • SSM(Spring+Spring MVC+MyBatis)框架整合搭建详细步骤 - Spring教程
- • 为了进字节跳动,我精选了29道Java经典算法题,带详细讲解
- • Flink 数据传输及反压详解
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. 「插件」Runner更新Pro版,帮助设计师远离996
- 2. 错误 707 Could not load file or assembly ‘Newtonsoft.Json, Version=12.0.0.0, Culture=neutral, PublicKe
- 3. Jenkins 2018 报告速览,Kubernetes使用率跃升235%!
- 4. TVI-Android技术篇之注解Annotation
- 5. android studio启动项目
- 6. Android的ADIL
- 7. Android卡顿的检测及优化方法汇总(线下+线上)
- 8. 登录注册的业务逻辑流程梳理
- 9. NDK(1)创建自己的C/C++文件
- 10. 小菜的系统框架界面设计-你的评估是我的决策