1. Environment preparation
JDK 1.8, Maven, Gradle, Tomcat 8
2. Download CAS
wget https://github.com/apereo/cas-gradle-overlay-template/archive/master.zip
unzip master.zip
cd cas-gradle-overlay-template-master
3. Configuration (note: CAS configuration files are not interchangeable between versions)
3.1 Change the Gradle distribution download URL, otherwise the download may fail
vim gradle/wrapper/gradle-wrapper.properties
#distributionUrl=https\://services.gradle.org/distributions/gradle-3.1-bin.zip
distributionUrl=https\://downloads.gradle.org/distributions/gradle-3.1-bin.zip
3.2 Add the CAS JDBC support library
vim cas/build.gradle
Add the following inside the dependencies block: compile "org.apereo.cas:cas-server-support-jdbc:${project.'cas.version'}"
3.3 Add the CAS database configuration
vim etc/cas/config/cas.properties (the etc directory inside the project)
cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services
# Override the default static credential (CAS ships with user casuser, password Mellon)
cas.authn.accept.users=
# Database authentication configuration
cas.authn.jdbc.query[0].sql=SELECT pwd FROM customer WHERE phone=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:${mysql_url}?characterEncoding=utf8&useSSL=true
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
# cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.HSQLDialect
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
# Database user
cas.authn.jdbc.query[0].user=${db.user}
cas.authn.jdbc.query[0].ddlAuto=create-drop
cas.authn.jdbc.query[0].maxAgeDays=180
# Database password
cas.authn.jdbc.query[0].password=${db.pwd}
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
# cas.authn.jdbc.query[0].credentialCriteria=
# NONE = passwords stored in clear, DEFAULT = digest with the algorithm named below
# cas.authn.jdbc.query[0].passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
# cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
# Algorithm name, e.g. MD5 or SHA
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
# cas.authn.jdbc.query[0].passwordEncoder.secret=
# cas.authn.jdbc.query[0].passwordEncoder.strength=16
# cas.authn.jdbc.query[0].principalTransformation.suffix=
# cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.jdbc.query[0].principalTransformation.prefix=
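As an added example (not part of this tutorial and not CAS code), the following Python script emulates what the JDBC query handler configured above does with a login attempt: it runs the configured SQL against a constructed in-memory SQLite customer table and compares the stored pwd value with the password encoded the way passwordEncoder.type=DEFAULT with encodingAlgorithm=MD5 produces it (lowercase hex digest of the password bytes, assumed here to be UTF-8 encoded). The phone number, password and table contents are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# Same statement as cas.authn.jdbc.query[0].sql in the tutorial; sqlite3 also uses '?' placeholders.
QUERY_SQL = "SELECT pwd FROM customer WHERE phone=?"


def default_encode(password: str, algorithm: str = "MD5", encoding: str = "UTF-8") -> str:
    """Emulate passwordEncoder.type=DEFAULT: lowercase hex digest of the raw password bytes.

    encodingAlgorithm=MD5 is what the tutorial sets, so the pwd column must hold exactly this
    string. There is no salt and no work factor: equal passwords give equal rows and plain
    digests are cheap to guess offline, which is why BCRYPT is the stronger of the listed types.
    """
    digest = hashlib.new(algorithm.lower().replace("-", ""), password.encode(encoding))
    return digest.hexdigest()


def authenticate(conn: sqlite3.Connection, phone: str, password: str, algorithm: str = "MD5") -> bool:
    """Run the configured query and compare the encoded credential, as the CAS handler does."""
    row = conn.execute(QUERY_SQL, (phone,)).fetchone()
    if row is None:
        return False  # no such principal
    stored_pwd = row[0]
    # Constant-time comparison (a choice of this example, not a claim about CAS internals).
    return hmac.compare_digest(stored_pwd, default_encode(password, algorithm))


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample 'customer' table with the two columns the tutorial's SQL implies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (phone TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO customer VALUES (?, ?)", ("13800000000", default_encode("s3cret")))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("correct password:", authenticate(db, "13800000000", "s3cret"))  # True
    print("wrong password:  ", authenticate(db, "13800000000", "nope"))    # False
    print("unknown phone:   ", authenticate(db, "13900000000", "s3cret"))  # False
```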
3.2 Client support for the HTTP protocol
vim src/main/resources/services/HTTPSandIMAPS-10000001.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://.*",
  "name" : "HTTPS and http",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}
This file registers a client with CAS. serviceId is the URL pattern of the registered client; you can keep one JSON file per client (as many files as there are clients), for example serviceId: "http://sso.tdrh.com:8080/casClient".
Once the HTTP protocol is allowed, the TGC cookie's secure flag has to be turned off:
vim etc/cas.properties
Add the following configuration
# Allow the HTTP protocol
cas.tgc.secure=false
cas.warningCookie.secure=false
4. Build, deploy, run and view the logs
When gradle clean build runs and there is no CAS configuration under /etc/, the project's etc/cas/config is copied to /etc; so whenever you change the configuration under the project's etc directory, remove /etc/cas first:
rm /etc/cas -r -f
./gradlew clean build
cp cas/build/libs/cas.war /usr/local/tomcat/webapps
/usr/local/tomcat/bin/catalina.sh start
tail -f /usr/local/tomcat/logs/catalina.out
5. Enable SSL in Tomcat, as CAS recommends
mkdir /etc/cas/key
cd /etc/cas/key
keytool -genkey -alias cas -keyalg RSA -keystore cas.keystore -validity 3650
keytool -export -file cas.crt -alias cas -keystore cas.keystore
keytool -importcert -alias cas -file cas.crt -keystore "${JAVA_HOME}/jre/lib/security/cacerts" -storepass changeit
Configure Tomcat to enable SSL
cp /usr/local/tomcat/conf/server.xml /usr/local/tomcat/conf/server.xml.ori
vim /usr/local/tomcat/conf/server.xml
Add the following Connector attributes (note: attribute names are case-sensitive)
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/cas/key/cas.keystore"
keystorePass="123456" >
Now restart Tomcat and try it:
/usr/local/tomcat/bin/catalina.sh stop
/usr/local/tomcat/bin/catalina.sh start
Watch the log file during startup and check for errors.
Exceptions and their fixes
type Exception report
message java.net.ConnectException: 拒绝连接
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.RuntimeException: java.net.ConnectException: 拒绝连接
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
root cause
java.net.ConnectException: 拒绝连接
    java.net.PlainSocketImpl.socketConnect(Native Method)
    java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    java.net.Socket.connect(Socket.java:589)
    sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.
If you see the above exception, the login URL configured on the authentication filter is wrong; change it to https://sso.login.com:8443/cas/login.
type Exception report
message java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.RuntimeException: java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
root cause
java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F
    sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1836)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.
If you see the above exception, the URL prefix configured on the ticket validation filter is wrong; change it to https://sso.login.com:8443/cas.
type Exception report
message org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
root cause
org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务
    org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.
If you see the above exception, the client server address configured on the ticket validation filter is wrong; change it to https://sso.login.com:8443/casclient.
If the log reports that the CAS service registry is empty and no service is defined: an application that wants to authenticate through CAS must be explicitly defined in the service registry.
If the client uses the HTTPS protocol:
This problem only appears with CAS 5.1.0-RC1 and later.
Fix: add the JSON service registry dependency.
vim cas/build.gradle
Add
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
If the client uses the HTTP protocol:
See section 3.2 (client support for the HTTP protocol) in the configuration part.
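To tie the three exception reports and the service-registry error together, here is an added Python checker (not code from this tutorial or from the CAS project) that compares the Java CAS client's filter parameters (casServerLoginUrl, casServerUrlPrefix, and the serverName set on both filters) against the tutorial's cas.server.prefix, and verifies that the service URL the client would send matches the serviceId regex of a registered service such as the JSON from section 3.2. The parameter names are those of the Java CAS client; the request path /casClient/ is taken from the second stack trace, and the registry entry is reduced to the fields the check needs.

```python
import json
import re

# From the tutorial: the CAS server prefix that every client filter value must agree with.
SERVER_PREFIX = "https://sso.login.com:8443/cas"
# The section 3.2 service definition, reduced to the fields this check needs.
REGISTRY_FILES = (
    '{"@class": "org.apereo.cas.services.RegexRegisteredService", '
    '"serviceId": "^(https|http)://.*", "id": 10000001}',
)


def check_client_config(login_url, url_prefix, auth_server_name, validation_server_name,
                        request_uri="/casClient/", server_prefix=SERVER_PREFIX,
                        registry_files=REGISTRY_FILES):
    """Return the list of misconfigurations found (an empty list means everything agrees).

    login_url              -> AuthenticationFilter casServerLoginUrl
    url_prefix             -> ticket validation filter casServerUrlPrefix
    auth_server_name       -> serverName on the AuthenticationFilter
    validation_server_name -> serverName on the ticket validation filter
    """
    problems = []
    # Exception 1 (ConnectException): the login URL must be the server prefix plus /login.
    if login_url != f"{server_prefix}/login":
        problems.append(f"casServerLoginUrl should be {server_prefix}/login, got {login_url}")
    # Exception 2 (FileNotFoundException on /serviceValidate): the prefix lost its /cas context
    # path, so the validator asked the server root for serviceValidate.
    if url_prefix.rstrip("/") != server_prefix:
        problems.append(f"casServerUrlPrefix should be {server_prefix}, got {url_prefix}")
    # Exception 3 (ticket does not match target service): the 'service' sent at login and the
    # one sent to /serviceValidate are both built from serverName, so both filters must agree.
    if auth_server_name != validation_server_name:
        problems.append("serverName differs between the authentication and validation filters")
    # This checker expects an explicit scheme (the tutorial's values all carry one).
    if not auth_server_name.startswith(("http://", "https://")):
        problems.append(f"serverName should start with http:// or https://, got {auth_server_name}")
    # Service registry: the client's service URL must match a registered serviceId pattern,
    # otherwise CAS rejects it with the 'no service definition' error.
    service_url = auth_server_name.rstrip("/") + request_uri
    patterns = [json.loads(text)["serviceId"] for text in registry_files]
    if not any(re.match(p, service_url) for p in patterns):
        problems.append(f"{service_url} matches no serviceId in the service registry")
    return problems


if __name__ == "__main__":
    print(check_client_config(f"{SERVER_PREFIX}/login", SERVER_PREFIX,
                              "http://localhost:8080", "http://localhost:8080"))  # []
```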