[置顶] 单点登录CAS-Demo
1,安全证书配置
CAS默认使用HTTPS协议,如果对安全要求不高,可使用HTTP协议。
修改为HTTP协议的步骤如下:
修改deployerConfigContext.xml 增加参数p:requireSecure="false",意为:不需要安全验证。
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"p:httpClient-ref="httpClient" p:requireSecure="false"/>
修改 ticketGrantingTicketCookieGenerator.xml (路径:cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml)中 ticketGrantingTicketCookieGeneratorp:cookieSecure 属性的值改为 false。
<bean id="ticketGrantingTicketCookieGenerator"class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false"p:cookieMaxAge="-1" p:cookieName="CASTGC"p:cookiePath="/cas" />
2,部署服务端CAS-Server
CAS-Server下载地址:http://www.jasig.org/cas/download
解压cas-server-3.4.11-release.zip提取cas-server-3.4.11/modules/cas-server-webapp-3.4.11.war文件,把改文件copy到Tomcat下,如,D:\tomacat-casServer\webapps\目下,并重命名为:cas.war.
启动tomacat-casServer,在浏览器地址栏输入:http://localhost:8080/cas/login ,回车
![[置顶] 单点登录CAS-Demo_第1张图片](http://img.e-com-net.com/image/info5/b613834cef0047f59163849a44503f3b.jpg)
CAS-server的默认验证规则:只要用户名和密码相同就认证通过(仅仅用于测试,生成环境需要根据实际情况修改),输入admin/admin点击登录,就可以看到登录成功的页面:
![[置顶] 单点登录CAS-Demo_第2张图片](http://img.e-com-net.com/image/info5/fc9956b94ac24643bacf256122db71fc.jpg)
CAS-Server部署成功。
3,部署CAS-Client
CAS-Client下载地址:http://downloads.jasig.org/cas-clients/
(1)解压cas-client-3.2.1-release.zip提取cas-client-3.2.1/modules/cas-client-core-3.2.1.jar
(2)以tomcat默认自带的 webapps\examples项目作为客户端
(3)安装配置 tomcat-client1
解压apache-tomcat-7.0.6并重命名为tomcat-client1
,修改tomcat的启动端口(共计5处),在文件conf/server.xml文件找到如下内容:
<Server port="8005" shutdown="SHUTDOWN"> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <Connector port="8009" protocol="AJP/1.3"redirectPort="8443" />
修改成如下:
<Server port="18005" shutdown="SHUTDOWN"> <Connector port="18080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" /> <Connector port="18009" protocol="AJP/1.3"redirectPort="18443" />
(4)启动tomcat-app1,浏览器输入http://localhost:18080/examples/servlets/回车:
![[置顶] 单点登录CAS-Demo_第3张图片](http://img.e-com-net.com/image/info5/25f9cc281bbb4fd4ad52bc5a196d1f99.jpg)
tomcat-client的配置成功。
(5)复制 client的lib包cas-client-core-3.2.1.jar和commons-logging-1.1.jar到tomcat-client\webapps\examples\WEB-INF\lib\目录下,在tomcat-client\webapps\examples\WEB-INF\web.xml 文件中添加如下配置:
<!-----------------单点登录开始---------------------------->
<!--用于单点退出,该过滤器用于实现单点登出功能,可选配置-->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--该过滤器用于实现单点登出功能,可选配置。 -->
<filter>
<filter-name>CASSingle Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CASSingle Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://demo.micmiu.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://app1.micmiu.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--该过滤器负责对Ticket的校验工作,必须启用它 -->
<filter>
<filter-name>CASValidation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://demo.micmiu.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://app1.micmiu.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASValidation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
该过滤器负责实现HttpServletRequest请求的包裹,
比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。
-->
<filter>
<filter-name>CASHttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CASHttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。
比如AssertionHolder.getAssertion().getPrincipal().getName()。
-->
<filter>
<filter-name>CASAssertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CASAssertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--------------------------------单点登录结束 ------------------------------->
(6)
安装配置 tomcat-client2
解压apache-tomcat-7.0.6并重命名为tomcat-client2
,修改tomcat的启动端口(共计5处),在文件conf/server.xml文件找到如下内容:
<Server port="8005" shutdown="SHUTDOWN"> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <Connector port="8009" protocol="AJP/1.3"redirectPort="8443" />
修改成如下:
<Server port="28005" shutdown="SHUTDOWN"> <Connector port="28080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="28443" /> <Connector port="28009" protocol="AJP/1.3"redirectPort="28443" />
以下其他步骤同配置tomcat-client1
4,测试SSO
分别启动tomcat-casServer、tomcat-client1、tomcat-client2
测试流程:打开client1 url —->跳转cas server 验证 —->显示client1 的应用 —->打开client2 url —-> 显示client2应用 —->注销cas server —->打开client1/client2 url—->重新跳转到cas server验证.
动手操作,观察单点登录效果。