Cas服务器以及客户端搭建

一、搭建cas服务器

 官网:http://jasig.github.io/cas/ Cas Server

下载:http://developer.jasig.org/cas/ Cas Client

下载:http://developer.jasig.org/cas-clients/

测试环境: jdkjava version "1.8.0_60"

tomcatapache-tomcat-7.0.65

mysqlmysql5.5.40

 CAS Servercas-server-4.0.0-release.zip

 CAS Clientcas-client-3.1.12-release.zip

一、生成证书 1、生成证书: keytool -genkey -alias castest -keyalg RSA -keystore F:/keys/castest 生成一个别名为castest的证书。

此处需要特别注意口令(后续导入导出证书、CAS服务器端均要用到此口类)和“名字与姓氏”(为CAS跳转域名,否则会报错)

 

2.导出证书: keytool -export -file F:/keys/castest.crt -alias castest -keystore F:/keys/castest

3.将证书导入到客户端JRE中(注意、是导入JRE中),如果security中已经存在cacerts,需要先将其删除。

导入命令: Keytool -import -keystore "D:\Program Files\Java\jdk1.8.0_60\jre\lib\security\cacerts" -file F:/keys/castest.crt -alias castest

删除命令:keytool -delete -alias emailcert -keystore D:\Program Files\Java\jdk1.8.0_60\jre\lib\security\cacerts"

二、配置服务器端 1、从http://developer.jasig.org/cas/上下载cas服务器端cas-server-4.0.0-release.zip,在modules目录下找到cas-server-webapp-4.0.0.war,将其复制到%TOMCAT_HOME%\webapps下,并将名称改为cas.war

2、修改%TOMCAT_HOME%\conf\server.xml文件,去掉此文件8393行之间的注释,修改为: <Connector SSLEnabled="true" clientAuth="false" keystoreFile="F:/keys/castest" <!—生成证书时的路径,证书名--> keystorePass="castest" <!—证书密码--> maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>

3、测试:https://localhost:8443/

 

 

点击继续浏览此网页

 

如果此时可以正常访问,说明证书安装成功 https://localhost:8443/cas/login,出现

 

输入账号和密码 casuser Mellon

 

此时说明服务器端已经配置成功。可通过https://localhost:8443/cas/logout退出登录

二、cas配置客户端

1http://developer.jasig.org/cas-clients/上下载cas-client-3.1.12-release.zip,在modules目录下找到cas-client-core-3.1.12.ja、commons-collections-3.2.jarcommons-logging-1.1.jar复制到项目WEB-INF/lib

2. 添加映射域名,在C:\Windows\System32\drivers\etc\hosts文件中添加 127.0.0.1 sso.castest.com

3. 创建web项目CasClient,并在项目的web.xml配置过滤器

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

 

        <display-name>cas-demo</display-name>

        

        <!-- ======================== 单点登录开始 ======================== -->

        <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->

        <listener>

                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

        </listener>

 

        <!-- 该过滤器用于实现单点登出功能,可选配置。 -->

        <filter>

                <filter-name>CAS Single Sign Out Filter</filter-name>

                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

        </filter>

        <filter-mapping>

                <filter-name>CAS Single Sign Out Filter</filter-name>

                <url-pattern>/CasClient/*</url-pattern>

        </filter-mapping>

 

        <!-- 该过滤器负责用户的认证工作,必须启用它 -->

        <filter>

                <filter-name>CASFilter</filter-name>

                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

                <init-param>

                        <param-name>casServerLoginUrl</param-name>

                        <param-value>https://sso.castest.com:8443/cas/login</param-value>

                        <!--这里的server是服务端的IP-->

                </init-param>

                <init-param>

                        <param-name>serverName</param-name>

                        <param-value>http://localhost:8080</param-value>

                </init-param>

        </filter>

        <filter-mapping>

                <filter-name>CASFilter</filter-name>

                <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->

        <filter>

                <filter-name>CAS Validation Filter</filter-name>

                <filter-class>

                        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

                <init-param>

                        <param-name>casServerUrlPrefix</param-name>

                        <param-value>https://sso.castest.com:8443/cas/</param-value><!-- 此处必须为登录url/cas/,带有任何其它路径都会报错,如“https://sso.castest.com:8443/cas/login,这样也会报错。 -->

                </init-param>

                <init-param>

                        <param-name>serverName</param-name>

                        <param-value>http://localhost:8080</param-value>

                </init-param>

        </filter>

        <filter-mapping>

                <filter-name>CAS Validation Filter</filter-name>

                <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!--

                该过滤器负责实现HttpServletRequest请求的包裹,

                比如允许开发者通过HttpServletRequestgetRemoteUser()方法获得SSO登录用户的登录名,可选配置。

        -->

        <filter>

                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

                <filter-class>

                        org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>

        </filter>

        <filter-mapping>

                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

                <url-pattern>/*</url-pattern>

        </filter-mapping>

 

        <!--

                该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。

                比如AssertionHolder.getAssertion().getPrincipal().getName()

        -->

        <filter>

                <filter-name>CAS Assertion Thread Local Filter</filter-name>

                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>

        </filter>

        <filter-mapping>

                <filter-name>CAS Assertion Thread Local Filter</filter-name>

                <url-pattern>/*</url-pattern>

        </filter-mapping>

        

        <!-- ======================== 单点登录结束 ======================== -->

 

        <!-- session超时定义,单位为分钟 -->

        <session-config>

                <session-timeout>2</session-timeout>

        </session-config>

 

</web-app>

4、此时访问http://localhost:8080/CasClient/Index.jsp时会自动跳转到sso.castest.com下去登录

三、配置cas服务器数据源

1、mysql中新建一个cas数据库并创建user

CREATE DATABASE /*!32312 IF NOT EXISTS*/`cas` /*!40100 DEFAULT CHARACTER SET gbk */;

 

USE `cas`;

 

/*Table structure for table `user` */

 

DROP TABLE IF EXISTS `user`;

 

CREATE TABLE `user` (

  `id` int(11) NOT NULL AUTO_INCREMENT,

  `name` varchar(255) NOT NULL,

  `password` varchar(255) NOT NULL,

  `used` tinyint(2) NOT NULL,

  PRIMARY KEY (`id`)

) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=gbk;

 

/*Data for the table `user` */

 

insert  into `user`(`id`,`name`,`password`,`used`) values (1,'casuser','9414f9301cdb492b4dcd83f8c711d8bb',1);

2、CASHTTP模式与HTTPS设置(可省略)

1cas\WEB-INF\deployerConfigContext.xml,新增p:requireSecure="false"

    <bean id="proxyAuthenticationHandler"          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"

          p:httpClient-ref="httpClient" p:requireSecure="false"/>

      2cas\WEB-INF\spring-configuration

    ticketGrantingTicketCookieGenerator.xml设置p:cookieSecure="false"

    warnCookieGenerator.xml设置p:cookieSecure="false"

http://localhost:8080/cas/login,进入登录页面。 默认用户为casuser/Mellon,登录成功即配置完成。

3、设置利用数据库来验证用户

依赖包:

 c3p0-0.9.1.2.jar

 mysql-connector-java-5.1.21.jar

 cas-server-support-jdbc-4.0.0.jar

mchange-commons-java-0.2.11.jar

cas\WEB-INF\deployerConfigContext.xml

  1)更换验证方式

<!--

   <bean id="primaryAuthenticationHandler"

          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">

        <property name="users">

            <map>

                <entry key="casuser" value="Mellon"/>

            </map>

        </property>

    </bean>

    -->

   <!-- Define the DB Connection -->

   <bean id="dataSource"

     class="com.mchange.v2.c3p0.ComboPooledDataSource"

     p:driverClass="com.mysql.jdbc.Driver"

     p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/cas?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull"

     p:user="root"

     p:password="root" />

 

     <!-- Define the encode method-->

     <!--<bean id="passwordEncoder"

       class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">     

      <constructor-arg value="MD5"/>

     </bean> -->

    <bean id="passwordEncoder"

      class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"

      c:encodingAlgorithm="MD5"

      p:characterEncoding="UTF-8" />

 

     <bean id="dbAuthHandler"

      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"

      p:dataSource-ref="dataSource"

      p:sql="select password from user where name=? and used=1"

     p:passwordEncoder-ref="passwordEncoder"/>

     <!-- p:passwordEncoder-ref="passwordEncoder" -->

    2)更换验证Handle

<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">

        <constructor-arg>

            <map>

                <!--

                   | IMPORTANT

                   | Every handler requires a unique name.

                   | If more than one instance of the same handler class is configured, you must explicitly

                   | set its name to something other than its default name (typically the simple class name).

                   -->

                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />

                <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver" />

           <!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->

            </map>

        </constructor-arg>

http://localhost:8080/cas,进入登录页面。如果没有配置http登录,则需要通过http://localhost:8443/cas进行访问 默认用户为casuser/Mellon,登录成功即配置完成。

 

posted @ 2018-08-08 10:36  逆水乘舟,不进则退  阅读(738)  评论(0编辑  收藏  举报