gavanwanggw

CAS single sign-on (SSO) experiments, part 1: installing jasig cas-server

Reference articles:

http://my.oschina.net/indestiny/blog/200768#comments

http://wenku.baidu.com/view/0bcc0d01e87101f69e319595.html


The SSO principle needs no repeating; the one thing to understand is that a complex system needs a single, authoritative authentication service. That is the CAS (Central Authentication Service) Server. The individual services within the system (web sites) act as clients of the CAS Server, the CAS Clients, and the services the user actually visits are these CAS Clients. A typical SSO-enabled web site looks like the diagram below:

          Browser---------> Server B: WebServer (CAS Client) =======> Server A: CAS SERVER

The first step below is to set up this CAS SERVER, using the open-source jasig cas code to implement the SSO server. jasig cas is a ready-made code base: first understand it, then customize it. Everything below runs on Server A, running RHEL6.4.


Installing jasig cas-server

CAS SSO server-side configuration. SSO server:
    IP: 192.168.1.142
    hostname: ubuntu64
    tomcat 8
    java 7

1) Download cas-server-4.0.0-release.tar.gz

http://downloads.jasig.org/cas/cas-server-4.0.0-release.tar.gz

Or (not required), check out the tagged source from git:
$ git clone https://github.com/Jasig/cas.git
$ cd cas && git checkout v4.0.0-RC3

2) Generate a certificate on the SSO server (192.168.1.142)

  $ keytool -genkey -alias ssotest -keyalg RSA

Enter keystore password:  123456
Re-enter new password: 123456
What is your first and last name?
  [Unknown]:  ubuntu64
What is the name of your organizational unit?
  [Unknown]:  dev
What is the name of your organization?
  [Unknown]:  pepstack.com
What is the name of your City or Locality?
  [Unknown]:  SHA
What is the name of your State or Province?
  [Unknown]:  SHA
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=ubuntu64, OU=dev, O=pepstack.com, L=SHA, ST=SHA, C=CN correct?
  [no]:  yes

Generated file:
~/.keystore

3) Export the certificate on the SSO server (192.168.1.142)

  $ keytool -export -file ~/ssotest.crt -alias ssotest -keystore ~/.keystore
Enter keystore password:123456
Certificate stored in file </home/cl/ssotest.crt>

ssotest.crt will later be imported into the client's JRE trust store; it is not used yet in this article.


4) Configure Tomcat SSL: ${TOMCAT_HOME}/conf/server.xml

Add the following section:

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!-- https -->
    <Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        clientAuth="false"
        sslProtocol="TLS"
        URIEncoding="UTF-8"
        keystoreFile="/root/.keystore"
        keystorePass="123456"
        sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                 TLS_RSA_WITH_AES_128_CBC_SHA256,
                 TLS_RSA_WITH_AES_128_CBC_SHA,
                 TLS_RSA_WITH_AES_256_CBC_SHA256,
                 TLS_RSA_WITH_AES_256_CBC_SHA,
                 SSL_RSA_WITH_RC4_128_SHA" />

5) Deploy the cas-server war

Unpack cas-server-4.0.0-release.tar.gz, rename modules/cas-server-webapp-4.0.0.war to cas.war,
and copy it to ${TOMCAT_HOME}/webapps/:

  ${TOMCAT_HOME}/webapps/cas.war

Start Tomcat, then open the following address in a browser, as shown in the figure:

    https://192.168.1.142:8443/cas/


The server side is now configured!

The login credentials are defined in the following file: deployerConfigContext.xml

   <!--
       | Authentication handler beans
       -->
    <bean id="acceptUsersAuthenticationHandler"
          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="casuser" value="Mellon"/>
            </map>
        </property>
    </bean>

casuser/Mellon
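As an added example (not part of the original post or of the jasig project), the following Python script parses the server.xml Connector from step 4 and the deployerConfigContext.xml bean above and flags what a reviewer would want changed before this server leaves the lab: TLSv1 and TLSv1.1 still enabled, RC4 and static-RSA suites in the cipher list, the keystore password in clear text, and the built-in casuser/Mellon demo login still active. The XML strings are constructed copies of the fragments shown in this post, wrapped in a root element so they parse on their own.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts copied from the post's server.xml Connector and
# deployerConfigContext.xml bean, each wrapped in a root element so it parses stand-alone.
SERVER_XML = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="/root/.keystore" keystorePass="123456"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""
DEPLOYER_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
<bean id="acceptUsersAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
  <property name="users"><map><entry key="casuser" value="Mellon"/></map></property>
</bean></beans>"""
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def _local(tag):
    """Strip a namespace prefix: '{uri}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]

def audit_connector(xml_text):
    """Return one finding string per weak setting on each SSL-enabled Tomcat Connector."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port")
        for proto in c.get("sslEnabledProtocols", "").split(","):
            if proto.strip() in LEGACY_PROTOCOLS:
                findings.append(f"port {port}: legacy protocol {proto.strip()} enabled")
        # Newlines inside the ciphers attribute (as in the post) become spaces during parsing.
        for suite in (s.strip() for s in c.get("ciphers", "").split(",") if s.strip()):
            if "RC4" in suite:
                findings.append(f"port {port}: broken RC4 suite {suite}")
            elif suite.split("_WITH_")[0] in ("TLS_RSA", "SSL_RSA"):
                findings.append(f"port {port}: no forward secrecy (static RSA) in {suite}")
        if c.get("keystorePass"):
            findings.append(f"port {port}: keystore password stored in clear text in server.xml")
    return findings

def audit_static_users(xml_text):
    """Return (user, password) pairs still wired into AcceptUsersAuthenticationHandler."""
    beans = (b for b in ET.fromstring(xml_text).iter() if _local(b.tag) == "bean"
             and b.get("class", "").endswith("AcceptUsersAuthenticationHandler"))
    return [(e.get("key"), e.get("value")) for b in beans for e in b.iter() if _local(e.tag) == "entry"]
```

Run it against the real ${TOMCAT_HOME}/conf/server.xml and the deployed deployerConfigContext.xml; an empty result from both functions means the demo login has been replaced by a real authentication handler and the connector only offers modern protocols and suites.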



posted on 2017-05-02 09:00 by gavanwanggw (1225 reads, 0 comments)