CAS 5.x installation
Official documentation: https://apereo.github.io/cas/5.1.x/index.html
A few basic concepts
CAS Server: the SSO server side
CAS Client: the SSO client, embedded in each sub-application
ST: Service Ticket, used for login validation
TGC: Ticket Granting Cookie, used to check whether the user has already logged in; stored in the client's cookies
TGT: Ticket Granting Ticket, the server-side counterpart of the TGC; stored on the server
Server side: installing with the overlay approach is recommended. The source is at https://github.com/apereo/cas-overlay-template; after downloading it, run build package to produce the war file and drop it into tomcat's webapps directory.
Client side: see https://github.com/akononowicz/cas-sample-java-webapp for reference
Service registration
Services can be registered with JSON files, as follows:
Add the following to /etc/cas/config/cas.properties:
cas.serviceRegistry.config.location=classpath:/services
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.repeatInterval=10000
cas.serviceRegistry.startDelay=5000
cas.serviceRegistry.initFromJson=true
Then add your own service definition under the services directory on the classpath. The file name must follow the pattern [name] + "-" + [id] + ".json":
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "theme" : "apereo",
  "id" : 2000,
  "description" : "Client2 sample service",
  "evaluationOrder" : 1,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp"
}
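As an added example (not code from the original post or from the CAS project), here is a small Python pre-flight check for JSON service definitions like the one above. It verifies the name-id.json naming rule, that the file actually parses (a trailing comma before the closing brace, as after "logoutUrl" in an earlier draft of that definition, is the usual culprit), that the id inside matches the file name, and that the serviceId regex is anchored and does not also match an unrelated or plaintext host, since a pattern that broad lets any site redeem service tickets issued by this server. The sample files, the probe URLs and the use of Python's re in place of java.util.regex are assumptions made for this offline check.

```python
"""Pre-flight checks for CAS JSON service definitions (added example, not CAS code)."""
import json
import re
import tempfile
from pathlib import Path

# CAS expects one file per service, named <name>-<id>.json, in the services directory.
FILENAME_RE = re.compile(r"^(?P<name>.+)-(?P<id>\d+)\.json$")
REGISTERED_CLASS = "org.apereo.cas.services.RegexRegisteredService"

# Constructed probe URLs: a serviceId that matches any of these would let an
# unrelated host, or a plaintext copy of the real host, redeem service tickets.
PROBES = (
    "https://attacker.invalid/client2",
    "http://172.17.20.20:8443/client2",
)


def check_service_file(path: Path) -> list[str]:
    """Return the problems found in one service definition (empty list = OK)."""
    problems = []
    m = FILENAME_RE.match(path.name)
    if not m:
        return [f"{path.name}: file name must look like <name>-<id>.json"]
    try:
        svc = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        # A trailing comma before '}' is the classic cause of this failure.
        return [f"{path.name}: invalid JSON ({exc.msg} at line {exc.lineno})"]
    if svc.get("@class") != REGISTERED_CLASS:
        problems.append(f"{path.name}: unexpected @class {svc.get('@class')!r}")
    if str(svc.get("id")) != m.group("id"):
        problems.append(f"{path.name}: id {svc.get('id')!r} does not match the file name")
    pattern = svc.get("serviceId", "")
    if not pattern.startswith("^"):
        problems.append(f"{path.name}: serviceId should be anchored with '^'")
    try:
        # CAS matches with java.util.regex; Python's re is assumed close enough
        # for patterns this simple (assumption made for this offline check).
        compiled = re.compile(pattern)
    except re.error as exc:
        return problems + [f"{path.name}: serviceId is not a valid regex ({exc})"]
    for probe in PROBES:
        if compiled.match(probe):
            problems.append(f"{path.name}: serviceId also matches {probe}; pattern is too broad")
    return problems


def check_services_dir(directory: Path) -> dict[str, list[str]]:
    """Check every *.json file in the directory; keys are file names."""
    return {p.name: check_service_file(p) for p in sorted(directory.glob("*.json"))}


# Constructed sample files: the post's client2 definition, the same definition
# with a trailing comma left in, and a deliberately over-broad pattern.
SAMPLES = {
    "client2-2000.json": """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "id" : 2000,
  "evaluationOrder" : 1,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp"
}""",
    "client2broken-2001.json": """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2broken",
  "id" : 2001,
}""",
    "anything-3000.json": """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://.*",
  "name" : "anything",
  "id" : 3000
}""",
}


def demo() -> dict[str, list[str]]:
    """Write the samples to a temporary services directory and check them."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        for name, body in SAMPLES.items():
            (directory / name).write_text(body, encoding="utf-8")
        return check_services_dir(directory)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run it against the real directory by calling check_services_dir(Path("src/main/resources/services")) before deploying the war; with the watcher enabled, a file that fails to parse is simply skipped by the server, so the registration silently never happens.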
SSL certificates
The troublesome part is generating the SSL certificate.
1. Importing the certificate into Tomcat
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/apache-tomcat-8.5.9/conf/.keystore
Then edit tomcat's server.xml:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="/opt/apache-tomcat-8.5.9/conf/.keystore" keystorePass="liuwei"
           sslProtocol="TLS" />
2. Importing the certificate into the JDK
Generate a p12:
keytool -importkeystore -srckeystore /opt/apache-tomcat-8.5.9/conf/.keystore \
  -destkeystore tomcat.p12 \
  -srcstoretype jks \
  -deststoretype pkcs12
Generate a pem:
openssl pkcs12 -in tomcat.p12 -out tomcat.pem
Generate a der:
openssl x509 -in tomcat.pem -out tomcat.der -outform DER
Import into the JDK:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file tomcat.der -alias tomcat
The errors I ran into:
1. On the cas-client side, when pointing it at the server, the self-configured SSL setup on linux needs a domain name rather than an IP in the "first and last name" field, and the hosts file (/etc/hosts) has to be changed accordingly; otherwise the following error occurs
2. In addition, the JDK's SSL also has to be configured (default password changeit); otherwise the following error occurs
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
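The keytool/openssl steps and the two errors above can be folded into one script. The following Python is an added example, not code from the post, Tomcat or CAS. It builds the Tomcat keystore with the server's DNS name in both the CN and a SubjectAlternativeName (Java matches an IP address only against an IP-type SAN, never against the CN, which is why the "first and last name" has to be a host name, and one that resolves, for instance via /etc/hosts), exports the certificate as DER directly with keytool -exportcert instead of the p12/pem/der round trip, and imports it into a dedicated truststore for the client JVM rather than into the JDK's cacerts. The host name cas.example.com, the file paths and the password are placeholders.

```python
"""Server keystore plus a client truststore for CAS over TLS (added example, not CAS or Tomcat code)."""
import ipaddress
import shutil
import subprocess
import tempfile
from pathlib import Path


def is_ip_literal(host: str) -> bool:
    """True when host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_commands(host: str, keystore: str, storepass: str, truststore: str,
                   cert_der: str, alias: str = "tomcat") -> list[list[str]]:
    """Return the three keytool invocations as argument lists without running them.

    The subject CN and the SAN carry the DNS name the client puts in its CAS
    server URL. An IP literal is rejected up front: Java checks an IP only
    against an IP-type SAN, so a CN holding an IP fails hostname verification.
    """
    if is_ip_literal(host):
        raise ValueError(f"{host!r} is an IP address; use the server's DNS name (and map it in /etc/hosts)")
    return [
        # 1. Tomcat's key pair and self-signed certificate (the post's keytool -genkey step).
        ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-validity", "365", "-dname", f"CN={host}", "-ext", f"SAN=dns:{host}",
         "-keystore", keystore, "-storepass", storepass, "-keypass", storepass],
        # 2. Export only the public certificate as DER; this replaces the
        #    p12 -> pem -> der round trip through openssl.
        ["keytool", "-exportcert", "-alias", alias, "-keystore", keystore,
         "-storepass", storepass, "-file", cert_der],
        # 3. Trust it from a dedicated truststore instead of editing the JDK's cacerts,
        #    so a JDK upgrade cannot silently drop the entry.
        ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", cert_der,
         "-keystore", truststore, "-storepass", storepass],
    ]


def client_jvm_flags(truststore: str, storepass: str) -> list[str]:
    """JVM options that make the CAS client's JDK validate against the new truststore."""
    return [f"-Djavax.net.ssl.trustStore={truststore}",
            f"-Djavax.net.ssl.trustStorePassword={storepass}"]


def run_pipeline(commands: list[list[str]]) -> None:
    """Execute the keytool commands in order, stopping at the first failure."""
    for cmd in commands:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    host = "cas.example.com"      # placeholder: the CAS server's DNS name
    storepass = "changeit"        # placeholder password; use your own
    workdir = Path(tempfile.mkdtemp(prefix="cas-tls-"))
    truststore = str(workdir / "cas-truststore.jks")
    cmds = build_commands(host, str(workdir / "tomcat.jks"), storepass,
                          truststore, str(workdir / "tomcat.der"))
    if shutil.which("keytool") is None:
        print("keytool not found on PATH; the commands that would run are:")
        for cmd in cmds:
            print(" ".join(cmd))
    else:
        run_pipeline(cmds)
        print("add to the client JVM:", " ".join(client_jvm_flags(truststore, storepass)))
```

Point the Connector's keystoreFile at the generated tomcat.jks and start the client JVM with the printed -Djavax.net.ssl.trustStore options. One caveat: setting javax.net.ssl.trustStore replaces cacerts for that JVM entirely, so if the client also calls public HTTPS services their CAs must be imported into the same truststore, or the certificate imported into a copy of cacerts as the post does.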
--- 栖息之鹰 (a programmer who looks lazy on the outside but is passionate inside)
This blog post is the author's original work; please credit the source when reposting. Thank you!