JA-SIG Configuration
Main environment:
java version "1.7.0_71"
apache-tomcat-7.0.56
cas-server-4.0.0-release
cas-client-3.3.3-release
I. Edit c:\windows\system32\drivers\etc\hosts and append the following entry
II. Configure Tomcat to enable the SSL HTTP/1.1 Connector
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -genkey -alias tomcat -keyalg RSA
输入密钥库口令: <enter 12345678>
再次输入新口令: <enter 12345678>
您的名字与姓氏是什么?
[Unknown]: www.kdevn.com
您的组织单位名称是什么?
[Unknown]: cas
您的组织名称是什么?
[Unknown]: shanghai
您所在的城市或区域名称是什么?
[Unknown]: shanghai
您所在的省/市/自治区名称是什么?
[Unknown]: shanghai
该单位的双字母国家/地区代码是什么?
[Unknown]: CN
CN=www.kdevn.com, OU=cas, O=shanghai, L=shanghai, ST=shanghai, C=CN是否正确?
[否]: y
输入 <tomcat> 的密钥口令
(如果和密钥库口令相同, 按回车):
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -export -file d:/server.crt -alias tomcat
输入密钥库口令: <enter 12345678>
存储在文件 <d:/server.crt> 中的证书
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -import -keystore C:\"Program Files"\Java\jdk1.7.0_71\jre\lib\security\cacerts -file d:/server.crt -alias tomcat
非法选项: Files\Java\jdk1.7.0_71\jre\lib\security\cacerts -file d:/server.crt -alias tomcat
keytool -importcert [OPTION]...
...
Note: because of the failure above, copy the Java directory under C:\Program Files to C:\ and set the JAVA_HOME and JRE_HOME environment variables accordingly.
C:\Program Files\Java\jdk1.7.0_71\bin>cd ..
C:\Program Files\Java\jdk1.7.0_71>cd ..
C:\Program Files\Java>cd ..
C:\Program Files>cd ..
C:\>
C:\>cd Java
C:\Java>cd jdk1.7.0_71/bin
C:\Java\jdk1.7.0_71\bin>keytool -import -keystore C:/Java/jdk1.7.0_71/jre/lib/security/cacerts -file d:/server.crt -alias tomcat
输入密钥库口令: <enter "changeit", the default cacerts password>
所有者: CN=www.kdevn.com, OU=cas, O=shanghai, L=shanghai, ST=shanghai, C=CN
发布者: CN=www.kdevn.com, OU=cas, O=shanghai, L=shanghai, ST=shanghai, C=CN
序列号: 4ae4e41a
有效期开始日期: Sat Jan 03 20:32:43 CST 2015, 截止日期: Fri Apr 03 20:32:43 CST 2015
证书指纹:
MD5: C9:19:6C:73:92:5C:43:12:13:5C:B2:91:D2:CC:00:20
SHA1: 74:05:98:3A:9B:77:47:F4:CC:27:C9:AD:10:30:1A:5E:74:AE:FB:3D
SHA256: E0:4C:A1:CA:99:C9:11:ED:C6:FB:FE:AA:2A:A9:F4:FE:CA:86:49:1F:DB:EA:0F:0D:78:79:47:CA:9F:3E:C1:40
签名算法名称: SHA256withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 41 02 A5 17 B5 C3 C0 45 91 63 7B 78 BF C6 8B DE A......E.c.x....
0010: 1C AF 44 F4 ..D.
]
]
是否信任此证书? [否]: y
证书已添加到密钥库中
C:\Java\jdk1.7.0_71\bin>
Edit conf/server.xml under the Tomcat directory
Before:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
After:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Users/test01/.keystore"
keystorePass="12345678"
/>
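An added check, not from the original page: the Java program below opens Tomcat's keystore and the JDK cacerts with the passwords used above and confirms that alias tomcat holds the same, still-valid certificate in both, which is what the CAS client's validation filter (running in this same JVM and calling https://www.kdevn.com:8443/cas) relies on. It assumes the paths from the page; keytool's default validity is 90 days, so for the certificate shown above the validity check starts failing in April 2015.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class CheckCasTrust {
    // Values taken from the steps above; adjust if your paths differ
    static final String SERVER_KEYSTORE = "C:/Users/test01/.keystore";
    static final String SERVER_STOREPASS = "12345678";
    static final String CACERTS = "C:/Java/jdk1.7.0_71/jre/lib/security/cacerts";
    static final String CACERTS_PASS = "changeit";
    static final String ALIAS = "tomcat";

    // Loads a JKS keystore and returns the certificate stored under alias
    static X509Certificate load(String path, String storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        Certificate c = ks.getCertificate(alias);
        if (c == null) {
            throw new IllegalStateException("alias '" + alias + "' not found in " + path);
        }
        return (X509Certificate) c;
    }

    // Colon-separated SHA1 fingerprint, in the same form keytool prints it
    static String sha1Fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate served = load(SERVER_KEYSTORE, SERVER_STOREPASS, ALIAS);
        X509Certificate trusted = load(CACERTS, CACERTS_PASS, ALIAS);
        System.out.println("Tomcat keystore : " + sha1Fingerprint(served));
        System.out.println("JDK cacerts     : " + sha1Fingerprint(trusted));
        if (!served.equals(trusted)) {
            throw new IllegalStateException("cacerts holds a different certificate: re-run keytool -import");
        }
        // Throws CertificateExpiredException once the 90-day default validity has passed
        served.checkValidity();
        System.out.println("OK: subject " + served.getSubjectX500Principal().getName()
                + " is trusted by this JVM, so the CAS client filters can validate tickets over HTTPS");
    }
}
```

Run it with the same JDK that starts Tomcat; the subject CN must also match the host name in casServerUrlPrefix (www.kdevn.com here), because HttpsURLConnection rejects a certificate whose name does not match.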
III. CAS configuration
Extract cas-server-webapp-4.0.0.war from cas-server-4.0.0-release\cas-server-4.0.0\modules\, rename it to cas, and copy it into apache-tomcat-7.0.56\webapps
IV. With the steps above complete, visiting https://www.kdevn.com:8443/cas/login shows the following screen
Once that works, configure CAS as follows so that it authenticates against a database
1) Edit cas\WEB-INF\deployerConfigContext.xml
Before:
<!--
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon"/>
        </map>
    </property>
</bean>
-->
After:
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select PASSWORD from USER where NAME=?" />
    <property name="dataSource" ref="dataSource" />
    <!-- Not needed if passwords in the database are stored in plain text -->
    <property name="passwordEncoder" ref="customPasswordEncoder"/>
</bean>
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <property name="url"><value>jdbc:mysql://localhost:3306/test_jasig</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>admin</value></property>
</bean>
<!-- Not needed if passwords in the database are stored in plain text -->
<bean id="customPasswordEncoder" class="com.kdevn.encoder.CustomPasswordEncoder"/>
2) Copy com.kdevn.encoder.CustomPasswordEncoder.class and the MD5.class it depends on into webapps\cas\WEB-INF\classes\ (not needed if passwords in the database are stored in plain text)
CustomPasswordEncoder.java
package com.kdevn.encoder;

import java.io.UnsupportedEncodingException;
import org.jasig.cas.authentication.handler.PasswordEncoder;

// Hashes the submitted password so QueryDatabaseAuthenticationHandler can
// compare it with the hashed value in the PASSWORD column.
public class CustomPasswordEncoder implements PasswordEncoder {
    @Override
    public String encode(String str) {
        try {
            // MD5 is the helper class copied into WEB-INF/classes alongside this one
            return MD5.getMD5(str.getBytes("UTF-8"));
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
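An added, self-contained variant of the encoder (example code, not the page's; it assumes the page's MD5.getMD5 returns the lowercase hex MD5 of the UTF-8 bytes, which is also the format CAS's own org.jasig.cas.authentication.handler.DefaultPasswordEncoder produces when constructed with "MD5"). It removes the dependency on the MD5 class the page does not show, and adds a matches() helper so the comparison against the stored value can be exercised outside CAS; an unsalted fast hash such as MD5 gives a leaked USER table little protection, so the format of the existing rows is the only reason to keep it.

```java
package com.kdevn.encoder;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.jasig.cas.authentication.handler.PasswordEncoder;

// Hypothetical replacement for CustomPasswordEncoder that needs no MD5 helper class
public class Md5HexPasswordEncoder implements PasswordEncoder {

    @Override
    public String encode(String password) {
        if (password == null) {
            return null;
        }
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b)); // lowercase hex, two digits per byte
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // MD5 is mandatory in every JCA provider, so this cannot happen on a standard JDK
            throw new IllegalStateException(e);
        }
    }

    // Encodes the submitted password and compares it with the PASSWORD column value
    // in constant time; this is the check the handler performs after running the SQL
    public boolean matches(String storedHash, String submitted) {
        String encoded = encode(submitted);
        return encoded != null && storedHash != null && MessageDigest.isEqual(
                encoded.getBytes(StandardCharsets.UTF_8),
                storedHash.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Md5HexPasswordEncoder enc = new Md5HexPasswordEncoder();
        // The test user from step V (test / 123): this is the value the USER table must hold
        String stored = enc.encode("123");
        System.out.println("PASSWORD column for user test: " + stored);
        System.out.println("login with 123  -> " + enc.matches(stored, "123"));
        System.out.println("login with 1234 -> " + enc.matches(stored, "1234"));
    }
}
```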
V. Copy application 1 (ssotest.war) and application 2 (ssotest2.war) into Tomcat's webapps directory
Directory structure of ssotest and ssotest2
HelloServlet.java
package com.kdevn.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.authentication.AttributePrincipal;

public class HelloServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // The CAS HttpServletRequestWrapperFilter mapped in web.xml exposes the
        // CAS-authenticated user through getUserPrincipal()
        AttributePrincipal principal = (AttributePrincipal) request
                .getUserPrincipal();
        String username = principal.getName();
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Hello Servlet</title>");
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Hello : " + username + "</h1>");
        out.println("</body>");
        out.println("</html>");
    }
}
Contents of ssotest/WebContent/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>ssotest</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://www.kdevn.com:8080</param-value>
    </context-param>
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://www.kdevn.com:8443/cas/login</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://www.kdevn.com:8443/cas</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/servlet/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/servlet/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/servlet/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>Hello Servlet</servlet-name>
        <servlet-class>com.kdevn.servlet.HelloServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Hello Servlet</servlet-name>
        <url-pattern>/servlet/helloservlet</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>Register Servlet</servlet-name>
        <servlet-class>com.kdevn.servlet.RegServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Register Servlet</servlet-name>
        <url-pattern>/RegServlet</url-pattern>
    </servlet-mapping>
</web-app>
The parts of ssotest2/WebContent/WEB-INF/web.xml that differ are shown below (the rest is the same as the web.xml under ssotest)
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>ssotest2</display-name>
    ...
    <servlet>
        <servlet-name>Hello Servlet2</servlet-name>
        <servlet-class>com.kdevn.servlet.HelloServlet2</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Hello Servlet2</servlet-name>
        <url-pattern>/servlet/helloservlet2</url-pattern>
    </servlet-mapping>
</web-app>
Start Tomcat and visit http://www.kdevn.com:8080/ssotest/register.jsp to register a user, e.g. username: test, password: 123
VI. Visiting the first application redirects automatically to https://www.kdevn.com:8443/cas/login, which asks for a username and password. Enter test/123; once CAS accepts the credentials, the following screen appears
http://www.kdevn.com:8080/ssotest/servlet/helloservlet
Visiting the second application no longer asks for a username and password (this is what single sign-on means).
http://www.kdevn.com:8080/ssotest2/servlet/helloservlet2
Note:
If the SSL HTTP/1.1 Connector is not enabled, visiting http://www.kdevn.com:8080/ssotest2/servlet/helloservlet2 redirects to the login screen again, with the message:
Non-secure Connection
You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.
Appendix 1
I. Configure different port numbers (8180 and 8080) for the two applications
Create a folder webapps2
Edit apache-tomcat-7.0.56\conf\server.xml and append a <Service/> element
URL: http://localhost:8180/ssotest/helloservlet
URL: http://localhost:8080/cas/
II. Configure the CAS server to authenticate against a database
1) In MySQL, create the database test_jasig and a user table in it
SQL: create table USER ( name VARCHAR(100), password VARCHAR(100))
2) Edit cas\WEB-INF\deployerConfigContext.xml
Before
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <entry key="casuser" value="Mellon"/>
        </map>
    </property>
</bean>
After
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select PASSWORD from USER where NAME=?" />
    <property name="dataSource" ref="dataSource" />
</bean>
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <property name="url"><value>jdbc:mysql://localhost:3306/test_jasig</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>admin</value></property>
</bean>
3.1) Add the password encoder configuration (not needed if passwords in the database are stored in plain text)
3.2) Copy com.kdevn.encoder.CustomPasswordEncoder.class and the MD5.class it depends on into webapps\cas\WEB-INF\classes\
III. The refresh problem
Edit cas\WEB-INF\spring-configuration/ticketExpirationPolicies.xml
Before
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>
After
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
c:numberOfUses="2" c:timeToKill="${st.timeToKillInSeconds:100}" c:timeUnit-ref="SECONDS"/>
Appendix 2
Other Tomcat configuration
Configuring a virtual directory in Tomcat
Ref: http://www.docin.com/p-253185793.html
Ref:
http://blog.youkuaiyun.com/rishengcsdn/article/details/10379321
http://www.th7.cn/Program/java/201409/281561.shtml