此文的目的是为了加深自己的理解,做一个备份与分享
过程全为自己的实际操作步骤
第一步:准备的环境
win7 64位的系统
jdk1.6.0_37
apache-tomcat-6.0.14
cas-server-3.4.8-release
cas-client-3.2.0-release
这里用到的是tomcat自带作为测试的程序
首先,找到系统的hosts文件(
C:\Windows\System32\drivers\etc\hosts )增加
在本机映射三个域名
127.0.0.1 cas.baishi.com
127.0.0.1 app1.baishi.com
127.0.0.1 app2.baishi.com
解释,其中,cas.baishi.com对应部署cas server的tomcat ,这个域名对应证书的生成
app1.baishi.com对应部署app1应用的tomcat
app2.baishi.com对应部署app2应用的tomcat
第二步:部署cas的服务
(1)首先,我在D盘下建一个文件夹,如D:/baishikeys 接着用jdk自带的keytool生成证书,即在cmd命令中键入
keytool -genkey -alias baishi -keyalg RSA -keystore “D:/baishikeys/baishikey” 该命令生成keys证书
baishi为证书的别名,执行结果如下图,注意其中姓氏要写之前cas server对应的域名
(2)导出证书
keytool -export -file d:/baishikeys/baishi.crt -alias baishi -keystore d:/baishikeys/baishikey
执行结果如图(其中密码和上面证书密码一致)
(3)把证书导入JDK中
先找到你安装的jdk目录中cacerts文件删掉,如D:\Program Files\Java\jdk1.6.0_37\jre\lib\security\cacerts
这样的目的是避免后面报错
执行keytool -import -keystore "D:\Program Files\Java\jdk1.6.0_37\jre\lib\security\cacerts" -file D:/baishikeys/baishi.crt -alias baishi
执行结果如图(其中密码和上面一致就行)
第三步:配置cas的服务端
解压apache-tomcat-6.0.14重命名为apache-tomcat-cas
把下载的cas-server-3.4.8-release包解压,在文件modules中,找到cas-server-webapps-3.4.8.war
复制到apache-tomcat-cas的webapps文件夹下,重命名为 cas.war,打开apache-tomcat-cas的
conf/server.xml文件,
找到64到72中间的注释打开,改为
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/baishikeys/baishikey"
keystorePass="123456"
/>
其中keystoreFile是创建证书的路径,keystorePass是创建证书的密码,到此cas服务的配置完成
启动cas服务的apache-tomcat-cas,访问https://cas.baishi.com:8443/cas
执行图:点击继续浏览此网站
执行后图
用户名和密码输入相同的字符串就可以通过了
到此cas服务端的配置成功了
第四步:配置cas的客户端
(1) 安装配置 apache-tomcat-app1
解压apache-tomcat-6.0.14 .tar,改名为apache-tomcat-app1对应应用app1的服务
修改apache-tomcat-app1的启动端口,在文件conf/server.xml文件找到如下内容:
<Connector port="8080" protocol="HTTP/1.1" |
|
connectionTimeout="20000" |
|
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> |
改成
<Connector port="18080" protocol="HTTP/1.1" |
|
connectionTimeout="20000" |
4 |
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" /> |
为了避免多个tomcat冲突,把<Server port="8005" shutdown="SHUTDOWN">也改成
<Server port="8085" shutdown="SHUTDOWN">
启动apache-tomcat-app1
,浏览器输入 http://app
1
.baishi.com:
1
8080/examples/servlets/ 回车:
则tomcat配置成功
接下来复制 client的lib包cas-client-core-3.2.0.jar到 apache-tomcat-app1\webapps\examples\WEB-INF\lib\目录下, 在apache-tomcat-app1\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:
<!-- ======================== 单点登录开始 ======================== --> |
|
<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置--> |
|
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> |
|
<!-- 该过滤器用于实现单点登出功能,可选配置 --> |
|
<filter-name>CAS Single Sign Out Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> |
|
<filter-name>CAS Single Sign Out Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<filter-name>CAS Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> |
|
<param-name>casServerLoginUrl</param-name> |
|
<param-value>https://cas.baishi.com:8443/cas/login</param-value> |
|
<param-name>serverName</param-name> |
|
<param-value>http://app1.baishi.com:18080</param-value> |
|
<filter-name>CAS Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> |
|
<filter-name>CAS Validation Filter</filter-name> |
|
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> |
|
<param-name>casServerUrlPrefix</param-name> |
|
<param-value>https://cas.baishi.com:8443/cas</param-value> |
|
<param-name>serverName</param-name> |
|
<param-value>http://app1.baishi.com:18080</param-value> |
|
<filter-name>CAS Validation Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
该过滤器负责实现HttpServletRequest请求的包裹, |
|
比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 |
|
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> |
|
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> |
|
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 |
|
比如AssertionHolder.getAssertion().getPrincipal().getName()。 |
|
<filter-name>CAS Assertion Thread Local Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> |
|
<filter-name>CAS Assertion Thread Local Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<!-- ======================== 单点登录结束 ======================== --> |
(2) 安装配置 apache-tomcat-app2
解压apache-tomcat-6.0.14 .tar,改名为apache-tomcat-app2对应应用app2的服务
修改apache-tomcat-app2的启动端口,在文件conf/server.xml文件找到如下内容:
<Connector port="8080" protocol="HTTP/1.1" |
|
connectionTimeout="20000" |
|
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> |
改成
<Connector port="28080" protocol="HTTP/1.1" |
|
connectionTimeout="20000" |
4 |
<Connector port="28009" protocol="AJP/1.3" redirectPort="28443" /> |
为了避免多个tomcat冲突,把<Server port="8005" shutdown="SHUTDOWN">也改成<Server port="8095" shutdown="SHUTDOWN">
启动apache-tomcat-app2
,浏览器输入 http://app
2
.baishi.com:
2
8080/examples/servlets/ 回车:
按照上述(1)中的方法验证是否成功。
接下来复制 client的lib包cas-client-core-3.2.0.jar到 apache-tomcat-app2\webapps\examples\WEB-INF\lib\目录下, 在apache-tomcat-app2\webapps\examples\WEB-INF\web.xml 文件中增加如下内容:
<!-- ======================== 单点登录开始 ======================== --> |
|
<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置--> |
|
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> |
|
<!-- 该过滤器用于实现单点登出功能,可选配置 --> |
|
<filter-name>CAS Single Sign Out Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> |
|
<filter-name>CAS Single Sign Out Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<filter-name>CAS Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> |
|
<param-name>casServerLoginUrl</param-name> |
|
<param-value>https://cas.baishi.com:8443/cas/login</param-value> |
|
<param-name>serverName</param-name> |
|
<param-value>http://app2.baishi.com:18080</param-value> |
|
<filter-name>CAS Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> |
|
<filter-name>CAS Validation Filter</filter-name> |
|
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> |
|
<param-name>casServerUrlPrefix</param-name> |
|
<param-value>https://cas.baishi.com:8443/cas</param-value> |
|
<param-name>serverName</param-name> |
|
<param-value>http://app2.baishi.com:18080</param-value> |
|
<filter-name>CAS Validation Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
该过滤器负责实现HttpServletRequest请求的包裹, |
|
比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 |
|
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> |
|
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> |
|
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 |
|
比如AssertionHolder.getAssertion().getPrincipal().getName()。 |
|
<filter-name>CAS Assertion Thread Local Filter</filter-name> |
|
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> |
|
<filter-name>CAS Assertion Thread Local Filter</filter-name> |
|
<url-pattern>/*</url-pattern> |
|
<!-- ======================== 单点登录结束 ======================== --> |
第五步:测试
启动之前配置好的三个tomcat分别为:apache-tomcat-cas、apache-tomcat-app1、apache-tomcat-app2.
打开浏览器地址栏中输入:http://app1.baishi.com:18080/examples/servlets/servlet/HelloWorldExample
输入账户和密码之后会出现Hello World
之浏览器地址中输入http://app2.baishi.com:28080/examples/servlets/servlet/HelloWorldExample
就不用输入账户和密码了,直接进入Hello World
最后地址栏中输入:https://cas.baishi.com:8443/cas/logout会注销这个流程,重新开始认证
以上就是整个cas单点登录的简单配置
如果有cas服务的tomcat报错java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
只需把
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/baishikeys/baishikey"
keystorePass="123456"
/>
改成
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/baishikeys/baishikey"
keystorePass="123456"
/>
即可