Jasig CAS single sign-on configuration notes, part 5

Source: Internet   Editor: 程序博客网   Date: 2024/05/13 19:16

After the configuration above there is still one problem: once the CAS client is configured, logging in to application A and then opening application B requires authenticating again.


Reading the documentation carefully, it turns out that Jasig CAS does not support single sign-on over non-SSL connections. In fact the login page already says so:


Non-secure Connection

You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.


So the proper fix is to configure SSL access on Tomcat 7. Reference article: http://www.blogjava.net/naruke/archive/2011/02/17/161551.html#344516


Note that certificates generated by JDK 7's keytool have a quirk: they can only be used with JDK 7, which in turn means the CAS client applications must also be built on JDK 7.

Moreover, keytool surprisingly has a bug: it cannot handle directories containing spaces. If you installed the JDK under D:\Program Files you will get errors, and baffling ones at that.

0.cd D:\GreenProg\Java7\bin  

1.keytool -genkey -alias tomcat -keyalg RSA

Enter the required certificate details. For the first field (first and last name) enter the domain name; a realistic-looking domain is recommended, e.g. www.XXXX.com.

Certificate password: 12345678



2.keytool -export -file D:/server.crt -alias tomcat


3.keytool -import -keystore D:\GreenProg\Java7/lib/security/cacerts -file d:/server.crt -alias tomcat

Note: when prompted for the password, enter "changeit", which is the default password of the cacerts keystore.


4. Edit the server-side Tomcat configuration file to enable SSL as follows:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${user.home}/.keystore"
               keystorePass="12345678" />

Here user.home is a system property; on Windows 7 it actually resolves to C:\Users\Administrator.
Then restart Tomcat 7.


5. Edit the CAS client configuration. Both application A and application B need this change, both must run on JDK 7, and the certificate must be imported into both.

Changes to web.xml

........

    <!-- serverName is the client application's own address; CAS redirects the browser back here after login -->
    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8180</param-value>
    </context-param>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <!-- no space after https:// ; the host must match the certificate and the hosts entry -->
            <param-value>https://www.redcloudcas.com:8443/casweb/login</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://www.redcloudcas.com:8443/casweb</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <!-- filter names must match the declarations above exactly (no trailing spaces) -->
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/proxyCallback</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/casFil/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/casFil/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/casFil/*</url-pattern>
    </filter-mapping>

..................


Command to import the certificate

keytool -import -keystore D:\GreenProg\Java7/lib/security/cacerts -file d:/server.crt -alias tomcat

Adjust the JDK directory to match your installation; the certificate must be the same one used on the server.


Restart the application servers for client A and client B.

Then edit the hosts file (on Windows this name-resolution file is under C:\Windows\System32\drivers\etc)

Add the entry

10.2.17.235            www.redcloudcas.com

Note: the hostname in this entry must match the "first and last name" entered when the certificate was generated, otherwise the Java program will throw an error.
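As an added preflight check (not part of the original note), the following Java program, run with the client application's JDK, verifies the three things step 5 and the hosts entry depend on: the alias tomcat is present in that JDK's cacerts, it is the same certificate as the exported server.crt, and its name matches www.redcloudcas.com. The default paths and hostname are the values used in this note and can be overridden by arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

/* Preflight check for a CAS client JDK: is alias "tomcat" really in this JDK's cacerts, is it
   byte-for-byte the certificate exported from the CAS server, and does its name match the host? */
public class CasTrustCheck {
    static String sha256Hex(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /* True if host equals a dNSName SAN (type 2) or the subject CN. Exact match only, no wildcards. */
    static boolean nameMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> san : sans)
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1))))
                    return true;
        for (String rdn : cert.getSubjectX500Principal().getName("RFC2253").split(","))
            if (rdn.startsWith("CN=") && host.equalsIgnoreCase(rdn.substring(3)))
                return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args: <client JDK cacerts> <exported server.crt> <CAS hostname>; defaults are the values from this note
        String cacerts = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        String crtFile = args.length > 1 ? args[1] : "D:/server.crt";
        String host    = args.length > 2 ? args[2] : "www.redcloudcas.com";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) { ks.load(in, "changeit".toCharArray()); }
        X509Certificate trusted = (X509Certificate) ks.getCertificate("tomcat");
        if (trusted == null) throw new IllegalStateException("alias 'tomcat' not found in " + cacerts);
        X509Certificate exported;
        try (InputStream in = new FileInputStream(crtFile)) {
            exported = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        trusted.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("same cert as server.crt: " + sha256Hex(trusted).equals(sha256Hex(exported)));
        System.out.println("name matches " + host + ": " + nameMatches(trusted, host));
    }
}
```

If the first line prints false, the client trusts a different certificate than the server presents; if the second prints false, the hosts entry or the certificate's name is wrong and the SSL handshake from the client will fail.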


Then open application A's URL; it should prompt for a username/password.


Then open application B's URL to test the result; if everything works, it should not ask for the username/password again.


6. Note that only the CAS server needs SSL configured; client applications A and B do not need SSL.
