一、概述
實現基於CAS的單點登錄。
CAS的官網:http://www.jasig.org/cas
二、演示環境
本文演示過程在同一個機器上的(也可以在三臺實體機器或者三個的虛擬機上),環境如下:
-
JDK 1.7
-
Tomcat 7.0.54
-
CAS-server-4.0.0、CAS-client-3.2.1
根據演示需求,用修改hosts 文件的方法添加域名最簡單方便(這個非常重要),在文件 C:\Windows\System32\drivers\etc\hosts 文件中添加三條
127.0.0.1 demo.gaochao.com
127.0.0.1 app1.gaochao.com
127.0.0.1 app2.gaochao.com
-
demo.gaochao.com =>> 對應部署cas server的tomcat,這個虛擬域名還用於證書生成
-
app1.gaochao.com =>> 對應部署app1 的tomcat
-
app2.gaochao.com =>> 對應部署app2 的tomcat
三、JDK安裝配置
安裝號jdk並配置環境變量
四、安全證書配置
4.1. 生成證書:
1 |
keytool
-genkey - alias ssodemo
-keyalg RSA -keysize 1024 -keypass password -validity 365 -keystore e:\sso\ssodemo.keystore -storepass password |
ps:
-
截圖中需要輸入的姓名和上面hosts文件中配置的一致;
-
keypass 和 storepass 兩個密碼要一致,否則下面tomcat 配置https 訪問失敗;
4.2.導出證書:
1 |
keytool
- export - alias ssodemo
-keystore e:\sso\ssodemo.keystore -file e:\sso\ssodemo.crt
-storepass password |
4.3.客戶端導入證書:
1 |
keytool
- import -keystore
"%JAVA_HOME%"\jre\lib\security\cacerts - file
e :\sso\ssodemo.crt
- alias ssodemo |
ps:該命令中輸入的密碼和上面輸入的不是同一個密碼;如果是多臺機器演示,需要在每一臺客戶端導入該證書。
五、部署CAS-Server相關的Tomcat
5.1. 配置HTTPS
解壓apache-tomcat-7.0.56.tar.gz並重命名後的路徑爲 G:\sso\tomcat-cas,在文件 conf/server.xml文件找到:
修改成如下:
1 |
<Connector
port="8443" protocol="HTTP/1.1" SSLEnabled="true" |
2 |
maxThreads="150"
scheme="https" secure="true" |
3 |
keystoreFile="e:/sso/ssodemo.keystore"
keystorePass="password" |
4 |
clientAuth="false"
sslProtocol="TLS" URIEncoding="UTF-8" |
參數說明:
-
keystoreFile 就是4.1中創建證書的路徑
-
keystorePass 就是4.1中創建證書的密碼
5.2. 驗證HTTPS配置
其他按照默認配置不作修改,雙擊%TOMCAT_HOME%\bin\startup.bat 啓動tomcat-cas 驗證https訪問配置:
如果看到上述界面表示https 訪問配置成功。
5.3 部署CAS-Server
CAS-Server 下載地址:http://www.jasig.org/cas/download
本文以cas-server-4.0.0-release.zip 爲例,解壓提取cas-server-4.0.0/modules/cas-server-webapp-4.0.0.war文件,把改文件copy到 G:\sso\tomcat-cas\webapps\ 目下,並重命名爲:cas.war.
啓動tomcat-cas,在瀏覽器地址欄輸入:https://demo.micmiu.com:8443/cas/login ,回車
CAS-server的默認驗證規則:casuser | Mellon(僅僅用於測試,生成環境需要根據實際情況修改),輸入admin/admin
點擊登錄,就可以看到登錄成功的頁面:
看到上述頁面表示CAS-Server已經部署成功。
六、部署CAS-Client相關的Tomcat
6.1Cas-Client 下載
CAS-Client 下載地址:http://downloads.jasig.org/cas-clients/
以cas-client-3.2.1-release.zip 爲例,解壓提取cas-client-3.2.1/modules/cas-client-core-3.2.1.jar
藉以tomcat默認自帶的 webapps\examples 作爲演示的簡單web項目
6.2 安裝配置 tomcat-app1
解壓apache-tomcat-6.0.29.tar.gz並重命名後的路徑爲 G:\sso\tomcat-app1,修改tomcat的啓動端口,在文件conf/server.xml文件找到如下內容:
1 |
< Connector port = "8080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
4 |
< Connector port = "8009" protocol = "AJP/1.3" redirectPort = "8443" /> |
修改成如下:
1 |
< Connector port = "18080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
3 |
redirectPort = "18443" /> |
4 |
< Connector port = "18009" protocol = "AJP/1.3" redirectPort = "18443" /> |
啓動tomcat-app1,瀏覽器輸入 http://app1.gaochao.com:18080/DocumentManager/
回車:
接下來複制 client的lib包cas-client-core-3.2.1.jar到 tomcat-app1\webapps\examples\WEB-INF\lib\目錄下,
在tomcat-app1\webapps\examples\WEB-INF\web.xml 文件中增加如下內容:
4 |
< listener-class >org.jasig.cas.client.session.SingleSignOutHttpSessionListener</ listener-class > |
9 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
10 |
< filter-class >org.jasig.cas.client.session.SingleSignOutFilter</ filter-class > |
13 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
14 |
< url-pattern >/*</ url-pattern > |
18 |
< filter-name >CAS
Filter</ filter-name > |
19 |
< filter-class >org.jasig.cas.client.authentication.AuthenticationFilter</ filter-class > |
21 |
< param-name >casServerLoginUrl</ param-name > |
25 |
< param-name >serverName</ param-name > |
30 |
< filter-name >CAS
Filter</ filter-name > |
31 |
< url-pattern >/*</ url-pattern > |
35 |
< filter-name >CAS
Validation Filter</ filter-name > |
37 |
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</ filter-class > |
39 |
< param-name >casServerUrlPrefix</ param-name > |
43 |
< param-name >serverName</ param-name > |
48 |
< filter-name >CAS
Validation Filter</ filter-name > |
49 |
< url-pattern >/*</ url-pattern > |
57 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
59 |
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</ filter-class > |
62 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
63 |
< url-pattern >/*</ url-pattern > |
71 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
72 |
< filter-class >org.jasig.cas.client.util.AssertionThreadLocalFilter</ filter-class > |
75 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
76 |
< url-pattern >/*</ url-pattern > |
有關cas-client的web.xml修改的詳細說明見官網介紹:
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
6.3 安裝配置 tomcat-app2
解壓apache-tomcat-6.0.29.tar.gz並重命名後的路徑爲 G:\sso\tomcat-app2,修改tomcat的啓動端口,在文件 conf/server.xml文件找到如下內容:
1 |
< Connector port = "8080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
4 |
< Connector port = "8009" protocol = "AJP/1.3" redirectPort = "8443" /> |
修改成如下:
1 |
< Connector port = "28080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
3 |
redirectPort = "28443" /> |
4 |
< Connector port = "28009" protocol = "AJP/1.3" redirectPort = "28443" /> |
啓動tomcat-app2,瀏覽器輸入 http://app2.gaochao.com:28080/examples/servlets/
回車,按照上述6.2中的方法驗證是否成功。
同6.2中的複製 client的lib包cas-client-core-3.2.1.jar到 tomcat-app2\webapps\examples\WEB-INF\lib\目錄下,
在tomcat-app2\webapps\examples\WEB-INF\web.xml 文件中增加如下內容:
4 |
< listener-class >org.jasig.cas.client.session.SingleSignOutHttpSessionListener</ listener-class > |
9 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
10 |
< filter-class >org.jasig.cas.client.session.SingleSignOutFilter</ filter-class > |
13 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
14 |
< url-pattern >/*</ url-pattern > |
18 |
< filter-name >CAS
Filter</ filter-name > |
19 |
< filter-class >org.jasig.cas.client.authentication.AuthenticationFilter</ filter-class > |
21 |
< param-name >casServerLoginUrl</ param-name > |
25 |
< param-name >serverName</ param-name > |
30 |
< filter-name >CAS
Filter</ filter-name > |
31 |
< url-pattern >/*</ url-pattern > |
35 |
< filter-name >CAS
Validation Filter</ filter-name > |
37 |
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</ filter-class > |
39 |
< param-name >casServerUrlPrefix</ param-name > |
43 |
< param-name >serverName</ param-name > |
48 |
< filter-name >CAS
Validation Filter</ filter-name > |
49 |
< url-pattern >/*</ url-pattern > |
57 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
59 |
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</ filter-class > |
62 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
63 |
< url-pattern >/*</ url-pattern > |
71 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
72 |
< filter-class >org.jasig.cas.client.util.AssertionThreadLocalFilter</ filter-class > |
75 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
76 |
< url-pattern >/*</ url-pattern > |
七、 測試驗證SSO
啓動之前配置好的三個tomcat分別爲:tomcat-cas、tomcat-app1、tomcat-app2.
7.1 基本的測試
預期流程: 打開app1 url —-> 跳轉cas server 驗證 —-> 顯示app1的應用 —->
打開app2 url —-> 顯示app2應用 —-> 註銷cas server —-> 打開app1/app2
url —-> 重新跳轉到cas server 驗證.
打開瀏覽器地址欄中輸入:http://app1.gaochao.com:18080/DocumentManager,回車:
跳轉到驗證頁面:
驗證通過後顯示如下:
此時訪問app2就不再需要驗證:
地址欄中輸入:https://demo.gaochao.com:8443/cas/logout,回車顯示:
上述表示 認證註銷成功,此時如果再訪問 : http://app1.gaochao.com:18080/DocumentManager 或
http://app2.gaochao.com:28080/DocumentManager 需要重新進行認證。
八、 在cas-server端配置數據庫認證
打開webapp\WEB-INF目錄下的deployerConfigContext.xml,替換
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<entry key="casuser" value="Mellon"/>
</map>
</property>
</bean>
爲
<bean id="primaryAuthenticationHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource" />
<property name="sql" value="select password from user where lower(user_id) = lower(?)" />
</bean>
<!-- MySQL connector -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost:3306/db</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password">
<value>admin</value>
</property>
</bean>
使用jdbc的配置
首先把默認編譯後生成出來的jdbc.jar(通常名稱爲cas-server-support-jdbc-xxxxxxxxxx.jar),從cas-server-support-jdbc\target\目錄下拷貝到webapp\WEB-INF\lib目錄下。
未完,待續。。。