I. System environment:
java version 1.7.0_80
tomcat 7
cas server 4.2.7
cas-client-core 3.4.1
II. Configure HTTPS in Tomcat (on both the CAS server side and the CAS client side):
1. Generate the keystore and add the certificate (public and private key) to it; afterwards you can list its contents:
keytool -genkey -alias casServer -keyalg RSA -keystore E:/develop/cas/keytool/.keystore -validity 36500
keytool -list -keystore .keystore
2. Copy the generated keystore "E:/軟件開發/cas/.keystore" to %TOMCAT_HOME%/conf
3. Configure server.xml to enable the HTTPS connector; note that the keystoreFile (the keystore from step 1) and keystorePass attributes must be added:
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/conf/.keystore" keystorePass="changeit"/>
4. Configure the application to use SSL (requests arriving over plain http are forced to https). Open the application's web.xml and add the following:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
With the url-pattern set to /*, the whole application must be accessed over HTTPS, and setting transport-guarantee to CONFIDENTIAL is what makes the container enforce SSL for it. To turn SSL off again, just change CONFIDENTIAL to NONE.
5. Export the public-key certificate from the keystore:
keytool -export -alias casServer -file casServer.crt -keystore .keystore
6. Import the certificate into the JRE trust store "D:/Program Files/Java/jre7/lib/security/cacerts" (the cacerts of the JRE that actually runs the CAS client application), so that the CAS client trusts the CAS server's Tomcat at the JRE level, not just in the browser:
keytool -import -keystore "D:/Program Files/Java/jdk1.7.0_80/jre/lib/security/cacerts" -file casServer.crt -alias casServer
III. Add the CAS configuration to the CAS client applications (assume two applications, CasClient1 and CasClient2; CasClient1 is shown below and CasClient2 is configured the same way):
pom.xml: add the cas-client-core dependency
  <dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.4.1</version>
  </dependency>
web.xml: add the CAS client filters and listener:
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://localhost:8443/cas</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://localhost:8443/CasClient1</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://localhost:8443/CasClient1</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
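The filters above are configuration only, so here is a small model of what they do at the protocol level, written as an added example for this page (it is not code from the page or from the Jasig CAS client): AuthenticationFilter's redirect to casServerLoginUrl with a service parameter, the Cas30 validation filter's server-to-server call to the CAS 3.0 /p3/serviceValidate endpoint and the parsing of its cas:serviceResponse, and the ticket-to-session map that SingleSignOutFilter keeps so a back-channel logoutRequest from the CAS server can end the right local session. The init-param values are the ones from the web.xml above; the serviceValidate responses and the logoutRequest are constructed samples in the shape the CAS protocol defines, not captured messages.

```python
"""Model of what the CAS client filters above do (added example, not CAS
client code): the login redirect, CAS 3.0 ticket validation, and the
single-sign-out back channel.  All XML messages are constructed samples."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs
import xml.etree.ElementTree as ET

# init-param values from the web.xml on the page
CAS_SERVER_URL_PREFIX = "https://localhost:8443/cas"
CAS_SERVER_LOGIN_URL = CAS_SERVER_URL_PREFIX + "/login"
SERVER_NAME = "https://localhost:8443/CasClient1"

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
SAMLP_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample messages in the shape the CAS protocol defines.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:authenticationDate>2017-01-01T00:00:00Z</cas:authenticationDate>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="LR-1-constructed" Version="2.0" IssueInstant="2017-01-01T00:05:00Z">
  <saml:NameID>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def service_url(request_uri):
    """serverName + request URI with the 'ticket' parameter removed.  The same
    value must be sent at login and at validation, or CAS rejects the ticket."""
    parts = urlsplit(SERVER_NAME + request_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop("ticket", None)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, doseq=True), ""))


def login_redirect(request_uri):
    """Where AuthenticationFilter sends a request that carries no ticket."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode({"service": service_url(request_uri)})


def validation_url(request_uri, ticket):
    """The CAS 3.0 endpoint the Cas30 validation filter calls server-to-server
    (this is the HTTPS call that needs the JRE-level trust from section II)."""
    return CAS_SERVER_URL_PREFIX + "/p3/serviceValidate?" + urlencode(
        {"service": service_url(request_uri), "ticket": ticket})


def parse_service_response(xml_text):
    """Parse cas:serviceResponse into a dict; a user name is only accepted
    when it comes from an authenticationSuccess element."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                name = child.tag.rsplit("}", 1)[-1]   # strip the namespace
                attrs.setdefault(name, []).append((child.text or "").strip())
        return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS),
                "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    raise ValueError("not a cas:serviceResponse")


class SessionStore:
    """Ticket-to-session map like the one SingleSignOutFilter keeps, so a
    back-channel logoutRequest from the CAS server ends the right local session."""

    def __init__(self):
        self.sessions = {}            # session id -> user
        self.ticket_to_session = {}   # service ticket -> session id

    def login(self, ticket, session_id, user):
        self.sessions[session_id] = user
        self.ticket_to_session[ticket] = session_id

    def handle_logout_request(self, xml_text):
        """Invalidate the session bound to SessionIndex; False if it is unknown."""
        root = ET.fromstring(xml_text)
        ticket = root.findtext("samlp:SessionIndex", namespaces=SAMLP_NS)
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True


if __name__ == "__main__":
    print(login_redirect("/secure/page"))
    print(validation_url("/secure/page?ticket=ST-1-abc", "ST-1-abc"))
    print(parse_service_response(SUCCESS_RESPONSE))
    store = SessionStore()
    store.login("ST-1-abc", "JSESSIONID-1", "casuser")
    print("logged out:", store.handle_logout_request(LOGOUT_REQUEST))
```

Two things this makes visible that the XML alone does not: the service value is part of the ticket check (a ticket issued for one service URL is rejected when validated with another, which is why the ticket parameter is stripped before the URL is rebuilt), and the validation call goes from the client's JVM to the CAS server over HTTPS, which is the reason for the cacerts import in section II. The logout handling only works if the Single Sign Out filter sees requests before the authentication filter, which is the filter-mapping order used above.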
IV. Deploy the CAS server and the CAS clients:
Rename cas-server-webapp-4.2.7.war to "cas.war", put it together with the war files of the two client applications into Tomcat's webapps directory, and start Tomcat.
V. Test the login:
Before CAS 4.x, the default was to accept any login whose username and password were identical; from CAS 4.x on, the default login account/password is casuser/Mellon.