CAS单点登录系列(3)-简单实施SSO

   默认时,为了启用Web SSO,开发者必须开启HTTPS传输通道。由于传回CASTGC Cookie到CAS服务器需要走HTTPS通道,因此开发者必须准备好X.509 CA证书。当然,您也可以选择修改这一默认行为,但从安全性的角度考虑,不推荐这样做。


1.使用keytool生成根证书
1.1.查看jre信任的证书

(1)查看jre中所有信任的证书信息
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

(2)查看别名为root的证书信息
keytool -v -list -alias root -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit


1.2.删除jre中别名为root的证书
keytool -delete -alias root -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

1.3.开始生成根证书
确认jre中不存在别名为root的证书之后,我们开始生成根证书。
(1)生成密钥库文件root.keystore
keytool -genkey -keyalg RSA -alias root -dname " CN=localhost, OU=javaeeOU, O=javaee, L=GuangZhou, ST=GuangDong, C=CN" -storepass changeit -keystore root.keystore
使用默认密码,直接回车。

(2)导出别名为root的证书,证书名root.crt
keytool -export -alias root -file root.crt -storepass changeit -keystore root.keystore

(3)将证书导入到jre信任证书库中
keytool -import -alias root -file root.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

(4)查看别名为root的证书信息,确认成功导入到jre信任证书库中
keytool -v -list -alias root -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit


2.启用HTTPS
2.1.在Tomcat中启用HTTPS配置

打开Tomcat目录下的conf/server.xml文件,添加Connector代码如下:
 

Html代码 复制代码
  1. <SPAN style="FONT-SIZE: small"><Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"  
  2.                maxThreads="150" minSpareThreads="2" maxSpareThreads="10"  
  3.                scheme="https" secure="true"  
  4.                clientAuth="false" sslProtocol="TLS"  
  5.                keystoreFile="conf/root.keystore" keystorePass="changeit"  
  6.                truststoreFile="E:/DevelopTools/JDK/jdk1.5.0_10/jre/lib/security/cacerts" /></SPAN>  
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" minSpareThreads="2" maxSpareThreads="10" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/root.keystore" keystorePass="changeit" truststoreFile="E:/DevelopTools/JDK/jdk1.5.0_10/jre/lib/security/cacerts" />




 

其中:
keystoreFile指向密钥库文件root.keystore
keystorePass默认为changeit
truststoreFile指向jre信任的证书库文件

2.2.安装证书
  
启动Tomcat,访问地址:https://localhost:8443/cas3,浏览器将会返回证书错误界面:


单击“继续浏览此网站(不推荐)”链接,查看并将证书导入到浏览器中:


    单击“查看证书”,弹出证书安装界面:


    单击“安装证书”,进入证书导入向导界面:


选择“受信任的根证书颁发机构”,接下来只需要一路选择“下一步”或者“是”直至导入成功。

证书导入成功后,重新浏览器并访问地址:https://localhost:8443/cas3,将会看到类似于下图的锁图标,并可单击该图标查询证书信息,这表示证书已安装成功,正确启用了HTTPS。



3.对Web应用实施SSO
   
Web应用采用Tomcat自带的servlet例子Hello World,默认访问路径为http://localhost:8080/examples/servlets/servlet/HelloWorldExample。在没有对该servlet实施SSO之前,启动Tomcat后访问结果如下图所示:


    接下来,我们将对该servlet实施SSO,配置步骤如下:
3.1.添加Cas Client相应Jar包

   
只需要添加两个Jar包:cas-client-core-3.1.10.jar、commons-logging-1.0.4.jar,将其拷贝到Tomcat安装目录下的webapps\examples\WEB-INF\lib目录下。


3.2.配置web.xml文件

   
对于Cas Client在web.xml文件中的配置,主要包括两个方面,一个是过滤器的配置,另一个是监听器的配置。


3.2.1.过滤器配置

主要有以下5个过滤器:
1.SingleSignOutFilter
2.AuthenticationFilter
3.TicketValidationFilter (whichever one is chosen)
4.HttpServletRequestWrapperFilter
5.AssertionThreadLocalFilter
对于这5个过滤器,在web.xml中的配置必须严格按照以上顺序进行声明。
  其中,AuthenticationFilter、TicketValidationFilter是必须配置的,其他3个过滤器是可选的。特别的,如果配置了SingleSignOutFilter,必须配合SingleSignOutHttpSessionListener这一监听器进行使用。

3.2.1.1.SingleSignOutFilter

该过滤器用于实现单点登出功能,可选配置。配置如下:

Xml代码 复制代码
  1. <filter>  
  2.     <filter-name>CAS Single Sign Out Filter</filter-name>  
  3.     <filter-class>  
  4.         org.jasig.cas.client.session.SingleSignOutFilter   
  5.     </filter-class>  
  6. </filter>  
  7. <filter-mapping>  
  8.     <filter-name>CAS Single Sign Out Filter</filter-name>  
  9.     <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>  
  10. </filter-mapping>  
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.session.SingleSignOutFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>
</filter-mapping>

 

3.2.1.2.AuthenticationFilter
该过滤器负责用户的认证工作,必须启用它。配置如下:

Xml代码 复制代码
  1. <filter>  
  2.     <filter-name>CAS Authentication Filter</filter-name>  
  3.     <filter-class>  
  4.         org.jasig.cas.client.authentication.AuthenticationFilter   
  5.     </filter-class>  
  6.     <init-param>  
  7.         <param-name>casServerLoginUrl</param-name>  
  8.         <param-value>https://localhost:8443/cas3/login</param-value>  
  9.     </init-param>  
  10.     <init-param>  
  11.         <param-name>serverName</param-name>  
  12.         <param-value>localhost:8080</param-value>  
  13.     </init-param>  
  14. </filter>  
  15. <filter-mapping>  
  16.     <filter-name>CAS Authentication Filter</filter-name>  
  17.     <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>  
  18. </filter-mapping>  
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.authentication.AuthenticationFilter
    </filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://localhost:8443/cas3/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>
</filter-mapping>

 

3.2.1.3.TicketValidationFilter
该过滤器负责对Ticket的校验工作,必须启用它。配置如下:

Xml代码 复制代码
  1. <filter>  
  2.     <filter-name>CAS Validation Filter</filter-name>  
  3.     <filter-class>  
  4.         org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter   
  5.     </filter-class>  
  6.     <init-param>  
  7.         <param-name>casServerUrlPrefix</param-name>  
  8.         <param-value>https://localhost:8443/cas3</param-value>  
  9.     </init-param>  
  10.     <init-param>  
  11.         <param-name>serverName</param-name>  
  12.         <param-value>localhost:8080</param-value>  
  13.     </init-param>  
  14. </filter>  
  15. <filter-mapping>  
  16.     <filter-name>CAS Validation Filter</filter-name>  
  17.     <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>  
  18. </filter-mapping>  
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
    </filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas3</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>
</filter-mapping>

 

3.2.1.4.HttpServletRequestWrapperFilter
该过滤器负责实现HttpServletRequest请求的包裹,比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。配置如下:

Xml代码 复制代码
  1. <filter>  
  2.     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
  3.     <filter-class>  
  4.         org.jasig.cas.client.util.HttpServletRequestWrapperFilter   
  5.     </filter-class>  
  6. </filter>  
  7. <filter-mapping>  
  8.     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
  9.     <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>  
  10. </filter-mapping>  
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.HttpServletRequestWrapperFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>
</filter-mapping>

 

3.2.1.5.AssertionThreadLocalFilter 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。比如AssertionHolder.getAssertion().getPrincipal().getName()。配置如下:

Xml代码 复制代码
  1. <filter>  
  2.     <filter-name>CAS Assertion Thread Local Filter</filter-name>  
  3.     <filter-class>  
  4.         org.jasig.cas.client.util.AssertionThreadLocalFilter   
  5.     </filter-class>  
  6. </filter>  
  7. <filter-mapping>  
  8.     <filter-name>CAS Assertion Thread Local Filter</filter-name>  
  9.     <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>  
  10. </filter-mapping>  
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.AssertionThreadLocalFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/servlets/servlet/HelloWorldExample</url-pattern>
</filter-mapping>

 


3.2.2.监听器配置

    当配置了SingleSignOutFilter过滤器,即对Web应用实施单点登出功能时,需要在web.xml中添加以下监听器:

Xml代码 复制代码
  1. <listener>  
  2.     <listener-class>  
  3.         org.jasig.cas.client.session.SingleSignOutHttpSessionListener   
  4.     </listener-class>  
  5. </listener>  
<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
</listener>

 

    3.2.3.启动应用
        配置完成后,重新启动Tomcat,并访问地址http://localhost:8080/examples/servlets/servlet/HelloWorldExample,由于该servlet已受到Cas的保护,所以我们会被引导到Cas登录页面。
        只有通过Cas认证,才能真正的访问到http://localhost:8080/examples/servlets/servlet/HelloWorldExample这个servlet。




你可能感兴趣的:(tomcat,Web,servlet,Security,SSO)