CAS_SSO单点登录实例详细步骤(转)、Tomcat ssl(https) 配置
博客分类:
SSO&CAS&Identity
0, 从CAS官网下载最新版本的CAS服务器:cas-server-3.5.1-release.zip和java版客户端cas-client-3.2.1-release.zip。
1, 修改hosts文件,添加域名方便演示
127.0.0.1 cas.my.com #对应部署cas server的tomcat,这个虚拟域名还用于证书生成
127.0.0.1 app1.my.com # 对应部署app1 的tomcat
127.0.0.1 app2.my.com #对应部署app2 的tomcat
2, JDK安装, JAVA_HOME
3, 数字证书配置 - 生成数据证书文件(数据库)。所有的数字证书是以一条一条(采用别名区别)的形式存入证书库的中,证书库中的一条证书包含该条证书的私钥,公钥和对应的数字证书的信息。
keytool -genkey -alias casdemo -keyalg RSA -keysize 1024 -storepass P@ssw0rd -keypass P@ssw0rd -validity 365 -keystore E:\WorkRecords\CAS\casdemo.keystore
-storepass 指定私钥数据库keystore的密码(所有访问keystore文件的命令都要提供改密码)
-keypass 用来保护密钥对中的私钥。
-keypass 和 storepass 两个密码要一致,否则下面tomcat 配置https 访问会报错误(tomcat下配置文件对应的属性名叫keystorePass):java.io.IOException: Cannot recover key
可以使用下述命令修改keypass 和 storepass
keytool -alias casdemo -storepasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass sP@ssw0rd -new P@ssw0rd
keytool -alias casdemo -keypasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass P@ssw0rd -keypass kP@ssw0rd -new P@ssw0rd
紧跟着输入的证书名CN必须是服务器的域名:cas.my.com
4, 数字证书配置 - 从数据证书数据库中导出指定的数字证书文件,数字证书文件只包括主体信息和对应的公钥。
keytool -export -alias casdemo -keystore E:\WorkRecords\CAS\casdemo.keystore -file E:\WorkRecords\CAS\casdemo.crt -storepass P@ssw0rd
5,客户端导入 - 在客户端导入数字证书(包含主体信息和对应的公钥)
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file E:\WorkRecords\CAS\casdemo.crt
注意:cacerts是certified authority certificates的缩写,就是java存放证书的证书库。访问这个文件的默认密码是changeit,要把证书导入到这里时,系统会提示你输入该密码。可以通过下面的命令把cacerts的访问密码改成cP@ssw0rd
keytool -storepasswd -alias casdemo -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit -new cP@ssw0rd
6,tomcat容器启用https访问
修改conf/server.xml配置文件,启用8443端口配置,并增加属性keystoreFile="E:\WorkRecords\CAS\casdemo.keystore" keystorePass="P@ssw0rd" URIEncoding="UTF-8"
然后重启tomcat
https://localhost:8443/cas-server-webapp-3.5.1/login
keystoreFile 就是创建的私钥证书的路径
keystorePass 就是创建的私钥证书的访问密码
7,部署CAS-Server相关的Tomcat,参考CAS-Server下载目录下的INSTALL.txt安装
把cas-server-3.5.1\modules\cas-server-webapp-3.5.1.war复制到tomcat webapps目录下,然后重启tomcat,用下面路径访问CAS服务器
https://localhost:8443/cas-server-webapp-3.5.1/login
默认的cas server的验证是只要用户名和密码一样就可以成功登录。(仅仅用于测试,生成环境需要根据实际情况修改)
8,部署CAS-Client相关的Tomcat:参考Configuring the Jasig CAS Client for Java in the web.xml
把cas-client-3.2.1/modules/cas-client-core-3.2.1.jar复制到你所发布的webapp的WEB-INF/lib下(测试时可以使用tomcat下的example做例子),在客户端web应用中修改WEB-INF/web.xml 在里面添加如下过滤器
Java代码 
- <!-- 用于单点退出 -->
- <listener>
- <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
- </listener>
- <filter>
- <filter-name>CAS Single Sign Out Filter</filter-name>
- <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
- </filter>
- <!-- 用于单点登录 -->
- <filter>
- <filter-name>CASFilter</filter-name>
- <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
- <param-value>https://cas.my.com:8443/cas/login</param-value>
- <!--这里的server是服务端的IP-->
- </init-param>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
- <param-value>https://cas.my.com:8443/cas/proxyValidate</param-value>
- <!--这里的ServerName是服务端的主机名也就是CN-->
- </init-param>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
- <param-value>localhost:8080</param-value>
- <!--client:port就是需要cas需要拦截的地址和端口,一般就是这个tomcat所启动的ip和port-->
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>CAS Single Sign Out Filter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>CASFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <!-- 该过滤器负责实现HttpServletRequest请求的包裹,
- 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。
- -->
- <filter>
- <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
- <filter-class>
- org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。
- 比如AssertionHolder.getAssertion().getPrincipal().getName()。
- -->
- <filter>
- <filter-name>CAS Assertion Thread Local Filter</filter-name>
- <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>CAS Assertion Thread Local Filter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
<!-- 用于单点退出 --> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <!-- 用于单点登录 --> <filter> <filter-name>CASFilter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> <param-value>https://cas.my.com:8443/cas/login</param-value> <!--这里的server是服务端的IP--> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> <param-value>https://cas.my.com:8443/cas/proxyValidate</param-value> <!--这里的ServerName是服务端的主机名也就是CN--> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> <param-value>localhost:8080</param-value> <!--client:port就是需要cas需要拦截的地址和端口,一般就是这个tomcat所启动的ip和port--> </init-param> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CASFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 --> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class> org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 --> <filter> <filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Assertion Thread Local Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
借以tomcat默认自带的 webapps\examples 作为演示的简单web项目,访问url:http://localhost:8080/examples/servlets/
9, 获取登录用户的信息
Java代码
- import java.io.*;
- import java.util.*;
- import java.util.Map.Entry;
- import javax.servlet.*;
- import javax.servlet.http.*;
- import org.jasig.cas.client.authentication.AttributePrincipal;
- import org.jasig.cas.client.util.AbstractCasFilter;
- import org.jasig.cas.client.validation.Assertion;
- /**
- * The simplest possible servlet.
- *
- * @author James Duncan Davidson
- */
- public class HelloWorldExample extends HttpServlet {
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws IOException, ServletException {
- ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request
- .getLocale());
- response.setContentType("text/html");
- PrintWriter out = response.getWriter();
- out.println("<html>");
- out.println("<head>");
- String title = rb.getString("helloworld.title");
- out.println("<title>" + title + "</title>");
- out.println("</head>");
- out.println("<body bgcolor=\"white\">");
- out.println("<a href=\"../helloworld.html\">");
- out.println("<img src=\"../images/code.gif\" height=24 "
- + "width=24 align=right border=0 alt=\"view code\"></a>");
- out.println("<a href=\"../index.html\">");
- out.println("<img src=\"../images/return.gif\" height=24 "
- + "width=24 align=right border=0 alt=\"return\"></a>");
- out.println("<h1>" + title + "</h1>");
- Assertion assertion = (Assertion) request.getSession().getAttribute(
- AbstractCasFilter.CONST_CAS_ASSERTION);
- if (null != assertion) {
- out.println(" Log | ValidFromDate =:"
- + assertion.getValidFromDate() + "<br>");
- out.println(" Log | ValidUntilDate =:"
- + assertion.getValidUntilDate() + "<br>");
- Map<Object, Object> attMap = assertion.getAttributes();
- out.println(" Log | getAttributes Map size = " + attMap.size()
- + "<br>");
- for (Entry<Object, Object> entry : attMap.entrySet()) {
- out.println(" | " + entry.getKey() + "=:"
- + entry.getValue() + "<br>");
- }
- }
- AttributePrincipal principal = assertion.getPrincipal();
- // AttributePrincipal principal = (AttributePrincipal) request
- // .getUserPrincipal();
- String username = null;
- out.print(" Log | UserName:");
- if (null != principal) {
- username = principal.getName();
- out.println("<span style='color:red;'>" + username + "</span><br>");
- }
- out.println("</body>");
- out.println("</html>");
- }
import java.io.*;
import java.util.*;
import java.util.Map.Entry;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;
/**
* The simplest possible servlet.
*
* @author James Duncan Davidson
*/
public class HelloWorldExample extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException {
ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request
.getLocale());
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<head>");
String title = rb.getString("helloworld.title");
out.println("<title>" + title + "</title>");
out.println("</head>");
out.println("<body bgcolor=\"white\">");
out.println("<a href=\"../helloworld.html\">");
out.println("<img src=\"../images/code.gif\" height=24 "
+ "width=24 align=right border=0 alt=\"view code\"></a>");
out.println("<a href=\"../index.html\">");
out.println("<img src=\"../images/return.gif\" height=24 "
+ "width=24 align=right border=0 alt=\"return\"></a>");
out.println("<h1>" + title + "</h1>");
Assertion assertion = (Assertion) request.getSession().getAttribute(
AbstractCasFilter.CONST_CAS_ASSERTION);
if (null != assertion) {
out.println(" Log | ValidFromDate =:"
+ assertion.getValidFromDate() + "<br>");
out.println(" Log | ValidUntilDate =:"
+ assertion.getValidUntilDate() + "<br>");
Map<Object, Object> attMap = assertion.getAttributes();
out.println(" Log | getAttributes Map size = " + attMap.size()
+ "<br>");
for (Entry<Object, Object> entry : attMap.entrySet()) {
out.println(" | " + entry.getKey() + "=:"
+ entry.getValue() + "<br>");
}
}
AttributePrincipal principal = assertion.getPrincipal();
// AttributePrincipal principal = (AttributePrincipal) request
// .getUserPrincipal();
String username = null;
out.print(" Log | UserName:");
if (null != principal) {
username = principal.getName();
out.println("<span style='color:red;'>" + username + "</span><br>");
}
out.println("</body>");
out.println("</html>");
}
keytool报错误:keytool error: java.security.UnrecoverableKeyException: Cannot recover key
表明:命令中输入的keyPass不正确
参考:
CAS官网地址:http://www.jasig.org/cas
CAS帮助文档:https://wiki.jasig.org/display/CASUM/Home
keytool - Key and Certificate Management Tool: 管理私钥数据库(keystore)以及私钥关联的X.509证书链验证的对应公钥(证书),同时也为受信实体管理证书。
keytool工具的详细运用
CAS_SSO单点登录实例详细步骤
SSO之CAS单点登录实例演示