一、概述
实现基于CAS的单点登录。
CAS的官网:http://www.jasig.org/cas
二、演示环境
本文演示过程在同一个机器上的(也可以在三台实体机器或者三个的虚拟机上),环境如下:
-
JDK 1.7
-
Tomcat 7.0.54
-
CAS-server-4.0.0、CAS-client-3.2.1
根据演示需求,用修改hosts 文件的方法添加域名最简单方便(这个非常重要),在文件 C:\Windows\System32\drivers\etc\hosts 文件中添加三条
127.0.0.1 demo.gaochao.com
127.0.0.1 app1.gaochao.com
127.0.0.1 app2.gaochao.com
-
demo.gaochao.com =>> 对应部署cas server的tomcat,这个虚拟域名还用于证书生成
-
app1.gaochao.com =>> 对应部署app1 的tomcat
-
app2.gaochao.com =>> 对应部署app2 的tomcat
三、JDK安装配置
安装号jdk并配置环境变量
四、安全证书配置
4.1. 生成证书:
1 |
keytool
-genkey - alias ssodemo
-keyalg RSA -keysize 1024 -keypass password -validity 365 -keystore e:\sso\ssodemo.keystore -storepass password |
ps:
-
截图中需要输入的姓名和上面hosts文件中配置的一致;
-
keypass 和 storepass 两个密码要一致,否则下面tomcat 配置https 访问失败;
4.2.导出证书:
1 |
keytool
- export - alias ssodemo
-keystore e:\sso\ssodemo.keystore -file e:\sso\ssodemo.crt
-storepass password |
4.3.客户端导入证书:
1 |
keytool
- import -keystore
"%JAVA_HOME%"\jre\lib\security\cacerts - file
e :\sso\ssodemo.crt
- alias ssodemo |
ps:该命令中输入的密码和上面输入的不是同一个密码;如果是多台机器演示,需要在每一台客户端导入该证书。
五、部署CAS-Server相关的Tomcat
5.1. 配置HTTPS
解压apache-tomcat-7.0.56.tar.gz并重命名后的路径为 G:\sso\tomcat-cas,在文件 conf/server.xml文件找到:
修改成如下:
1 |
<Connector
port="8443" protocol="HTTP/1.1" SSLEnabled="true" |
2 |
maxThreads="150"
scheme="https" secure="true" |
3 |
keystoreFile="e:/sso/ssodemo.keystore"
keystorePass="password" |
4 |
clientAuth="false"
sslProtocol="TLS" URIEncoding="UTF-8" |
参数说明:
-
keystoreFile 就是4.1中创建证书的路径
-
keystorePass 就是4.1中创建证书的密码
5.2. 验证HTTPS配置
其他按照默认配置不作修改,双击%TOMCAT_HOME%\bin\startup.bat 启动tomcat-cas 验证https访问配置:
如果看到上述界面表示https 访问配置成功。
5.3 部署CAS-Server
CAS-Server 下载地址:http://www.jasig.org/cas/download
本文以cas-server-4.0.0-release.zip 为例,解压提取cas-server-4.0.0/modules/cas-server-webapp-4.0.0.war文件,把改文件copy到 G:\sso\tomcat-cas\webapps\ 目下,并重命名为:cas.war.
启动tomcat-cas,在浏览器地址栏输入:https://demo.micmiu.com:8443/cas/login ,回车
CAS-server的默认验证规则:casuser | Mellon(仅仅用于测试,生成环境需要根据实际情况修改),输入admin/admin
点击登录,就可以看到登录成功的页面:
看到上述页面表示CAS-Server已经部署成功。
六、部署CAS-Client相关的Tomcat
6.1Cas-Client 下载
CAS-Client 下载地址:http://downloads.jasig.org/cas-clients/
以cas-client-3.2.1-release.zip 为例,解压提取cas-client-3.2.1/modules/cas-client-core-3.2.1.jar
借以tomcat默认自带的 webapps\examples 作为演示的简单web项目
6.2 安装配置 tomcat-app1
解压apache-tomcat-6.0.29.tar.gz并重命名后的路径为 G:\sso\tomcat-app1,修改tomcat的启动端口,在文件conf/server.xml文件找到如下内容:
1 |
< Connector port = "8080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
4 |
< Connector port = "8009" protocol = "AJP/1.3" redirectPort = "8443" /> |
修改成如下:
1 |
< Connector port = "18080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
3 |
redirectPort = "18443" /> |
4 |
< Connector port = "18009" protocol = "AJP/1.3" redirectPort = "18443" /> |
启动tomcat-app1,浏览器输入 http://app1.gaochao.com:18080/DocumentManager/
回车:
接下来复制 client的lib包cas-client-core-3.2.1.jar到 tomcat-app1\webapps\examples\WEB-INF\lib\目录下,
在tomcat-app1\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:
4 |
< listener-class >org.jasig.cas.client.session.SingleSignOutHttpSessionListener</ listener-class > |
9 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
10 |
< filter-class >org.jasig.cas.client.session.SingleSignOutFilter</ filter-class > |
13 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
14 |
< url-pattern >/*</ url-pattern > |
18 |
< filter-name >CAS
Filter</ filter-name > |
19 |
< filter-class >org.jasig.cas.client.authentication.AuthenticationFilter</ filter-class > |
21 |
< param-name >casServerLoginUrl</ param-name > |
25 |
< param-name >serverName</ param-name > |
30 |
< filter-name >CAS
Filter</ filter-name > |
31 |
< url-pattern >/*</ url-pattern > |
35 |
< filter-name >CAS
Validation Filter</ filter-name > |
37 |
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</ filter-class > |
39 |
< param-name >casServerUrlPrefix</ param-name > |
43 |
< param-name >serverName</ param-name > |
48 |
< filter-name >CAS
Validation Filter</ filter-name > |
49 |
< url-pattern >/*</ url-pattern > |
57 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
59 |
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</ filter-class > |
62 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
63 |
< url-pattern >/*</ url-pattern > |
71 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
72 |
< filter-class >org.jasig.cas.client.util.AssertionThreadLocalFilter</ filter-class > |
75 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
76 |
< url-pattern >/*</ url-pattern > |
有关cas-client的web.xml修改的详细说明见官网介绍:
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
6.3 安装配置 tomcat-app2
解压apache-tomcat-6.0.29.tar.gz并重命名后的路径为 G:\sso\tomcat-app2,修改tomcat的启动端口,在文件 conf/server.xml文件找到如下内容:
1 |
< Connector port = "8080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
4 |
< Connector port = "8009" protocol = "AJP/1.3" redirectPort = "8443" /> |
修改成如下:
1 |
< Connector port = "28080" protocol = "HTTP/1.1" |
2 |
connectionTimeout = "20000" |
3 |
redirectPort = "28443" /> |
4 |
< Connector port = "28009" protocol = "AJP/1.3" redirectPort = "28443" /> |
启动tomcat-app2,浏览器输入 http://app2.gaochao.com:28080/examples/servlets/
回车,按照上述6.2中的方法验证是否成功。
同6.2中的复制 client的lib包cas-client-core-3.2.1.jar到 tomcat-app2\webapps\examples\WEB-INF\lib\目录下,
在tomcat-app2\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:
4 |
< listener-class >org.jasig.cas.client.session.SingleSignOutHttpSessionListener</ listener-class > |
9 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
10 |
< filter-class >org.jasig.cas.client.session.SingleSignOutFilter</ filter-class > |
13 |
< filter-name >CAS
Single Sign Out Filter</ filter-name > |
14 |
< url-pattern >/*</ url-pattern > |
18 |
< filter-name >CAS
Filter</ filter-name > |
19 |
< filter-class >org.jasig.cas.client.authentication.AuthenticationFilter</ filter-class > |
21 |
< param-name >casServerLoginUrl</ param-name > |
25 |
< param-name >serverName</ param-name > |
30 |
< filter-name >CAS
Filter</ filter-name > |
31 |
< url-pattern >/*</ url-pattern > |
35 |
< filter-name >CAS
Validation Filter</ filter-name > |
37 |
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</ filter-class > |
39 |
< param-name >casServerUrlPrefix</ param-name > |
43 |
< param-name >serverName</ param-name > |
48 |
< filter-name >CAS
Validation Filter</ filter-name > |
49 |
< url-pattern >/*</ url-pattern > |
57 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
59 |
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</ filter-class > |
62 |
< filter-name >CAS
HttpServletRequest Wrapper Filter</ filter-name > |
63 |
< url-pattern >/*</ url-pattern > |
71 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
72 |
< filter-class >org.jasig.cas.client.util.AssertionThreadLocalFilter</ filter-class > |
75 |
< filter-name >CAS
Assertion Thread Local Filter</ filter-name > |
76 |
< url-pattern >/*</ url-pattern > |
七、 测试验证SSO
启动之前配置好的三个tomcat分别为:tomcat-cas、tomcat-app1、tomcat-app2.
7.1 基本的测试
预期流程: 打开app1 url —-> 跳转cas server 验证 —-> 显示app1的应用 —->
打开app2 url —-> 显示app2应用 —-> 注销cas server —-> 打开app1/app2
url —-> 重新跳转到cas server 验证.
打开浏览器地址栏中输入:http://app1.gaochao.com:18080/DocumentManager,回车:
跳转到验证页面:
验证通过后显示如下:
此时访问app2就不再需要验证:
地址栏中输入:https://demo.gaochao.com:8443/cas/logout,回车显示:
上述表示 认证注销成功,此时如果再访问 : http://app1.gaochao.com:18080/DocumentManager 或
http://app2.gaochao.com:28080/DocumentManager 需要重新进行认证。
八、 在cas-server端配置数据库认证
打开webapp\WEB-INF目录下的deployerConfigContext.xml,替换
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<entry key="casuser" value="Mellon"/>
</map>
</property>
</bean>
为
<bean id="primaryAuthenticationHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource" />
<property name="sql" value="select password from user where lower(user_id) = lower(?)" />
</bean>
<!-- MySQL connector -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost:3306/db</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password">
<value>admin</value>
</property>
</bean>
使用jdbc的配置
首先把默认编译后生成出来的jdbc.jar(通常名称为cas-server-support-jdbc-xxxxxxxxxx.jar),从cas-server-support-jdbc\target\目录下拷贝到webapp\WEB-INF\lib目录下。
未完,待续。。。