1 Lab environment
1.1 CAS server
FreeBSD + Diablo-JDK 1.5.0 + Tomcat 6.0 + CAS Server 3.2.1
IP address: 192.168.0.180
Domain name: www.test.com
1.2 CAS client
Windows + JDK 1.5.10 + Tomcat 6.0 + JA-SIG CAS-Client-3.1.3
IP address: 192.168.0.116
1.3 Database the CAS server validates credentials against
Database: PostgreSQL 8.2
IP address: 192.168.0.180
Database name: BH_PORTAL
Table name: citizen
Table definition:
CREATE TABLE citizen
(
  citizenid character varying(20) NOT NULL,
  "password" character varying NOT NULL,
  question character varying,
  answer character varying,
  name character varying NOT NULL,
  CONSTRAINT citizen_pkey PRIMARY KEY (citizenid)
)
Note: citizenid is the ID used for login, and "password" is the column used for password verification.
2 Environment setup
2.1 CAS server
2.1.1 Generate and register an HTTPS certificate for the CAS server
Run the following shell script in the %JAVA_HOME%/jre/lib/security directory:
#!/bin/csh
clear
keytool -delete -alias tomcatsso -keystore cacerts -storepass changeit
keytool -list -keystore cacerts -storepass changeit
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=www.test.com" -keystore cacerts -storepass changeit
keytool -export -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit
keytool -import -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit
keytool -list -keystore cacerts -storepass changeit
Note: in the key generation step, the www.test.com in "cn=www.test.com" is the server's domain name.
2.1.2 Configure Tomcat's HTTPS service
Copy the cacerts file into Tomcat's conf directory.
Edit server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/cacerts" keystorePass="changeit"
truststoreFile="conf/cacerts"/>
Start Tomcat and test https://www.test.com:443
2.2 CAS client
2.2.1 Copy the certificate
Copy the tomcatsso.crt file to %JAVA_HOME%/jre/lib/security
2.2.2 Import the certificate
Import the tomcatsso.crt certificate into the cacerts file:
keytool -import -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit
3 Configuration
3.1 Server side
3.1.1 Deploy the CAS server
Copy the downloaded cas-server-webapp-3.2.1.war into Tomcat's webapps directory and rename it to cas-server.war.
3.1.2 Change the authentication method
Edit the deployerConfigContext.xml file in the WEB-INF directory.
Replace the original
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
with
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <property name="sql" value="select password from citizen where citizenid = ?" />
</bean>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
  <property name="driverClassName">
    <value>org.postgresql.Driver</value>
  </property>
  <property name="url">
    <value>jdbc:postgresql://192.168.0.180:5432/bh_portal</value>
  </property>
  <property name="username">
    <value>pgsql</value>
  </property>
  <property name="password">
    <value>javac</value>
  </property>
</bean>
The purpose is to replace the original SimpleTestUsernamePasswordAuthenticationHandler with authentication against the records in the database.
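As an added illustration (not CAS code) of what the handler configured above does with its sql property: a Python model that binds the login ID, fetches the stored password and compares it with the typed one after the password encoder has run, against an in-memory SQLite copy of the citizen table with constructed rows. CAS's default encoder is plain text, so the hashed variant shown here assumes a passwordEncoder has been configured on the handler, which this page does not do.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory stand-in for BH_PORTAL: the page's citizen table
# (PostgreSQL DDL, which SQLite also accepts) with two constructed rows.
DDL = """
CREATE TABLE citizen (
    citizenid  character varying(20) NOT NULL,
    "password" character varying NOT NULL,
    question   character varying,
    answer     character varying,
    name       character varying NOT NULL,
    CONSTRAINT citizen_pkey PRIMARY KEY (citizenid)
)
"""
# The exact query configured on the handler above.
SQL = "select password from citizen where citizenid = ?"


def plain_text(password):
    """CAS default (PlainTextPasswordEncoder): the typed password is compared as-is."""
    return password

def sha1_hex(password):
    """Stand-in for a configured passwordEncoder: the stored value is a hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def authenticate(conn, username, password, encoder=plain_text):
    """Model of QueryDatabaseAuthenticationHandler for one login attempt.

    citizenid is bound as a parameter, never concatenated into the SQL.
    Exactly one row must come back: zero rows (unknown user) is a failure,
    as is any mismatch. The comparison is constant-time.
    """
    rows = conn.execute(SQL, (username,)).fetchall()
    if len(rows) != 1:   # CAS turns IncorrectResultSizeDataAccessException into a failed login
        return False
    stored = rows[0][0]
    return hmac.compare_digest(stored.encode("utf-8"), encoder(password).encode("utf-8"))

def make_db():
    """Build the constructed database: one plain-text row, one SHA-1 row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("insert into citizen (citizenid, password, name) values (?, ?, ?)",
                     [("10001", "s3cret", "Plain Stored"), ("10002", sha1_hex("s3cret"), "Hashed Stored")])
    return conn
```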
3.2 Client applications
3.2.1 Create the applications
partner1 and partner2
Under partner1 create a subdirectory secure, and in secure write two test pages, debug.jsp and index.jsp.
3.2.2 Partner1 configuration
Edit web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/classes/spring-appContext.xml</param-value>
  </context-param>
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casValidationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS HttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casHttpServletRequestWrapperFilter</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
</web-app>
Edit the spring-appContext.xml file
Create the spring-appContext.xml file in the /WEB-INF/classes directory:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
  <bean id="casAuthenticationFilter"
        class="org.jasig.cas.client.authentication.AuthenticationFilter">
    <property name="casServerLoginUrl" value="https://www.test.com:443/cas-server/login"/>
    <property name="serverName" value="http://192.168.0.116:8080"/>
  </bean>
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="ticketValidator">
      <ref bean="Cas20ServiceTicketValidator"/>
    </property>
    <property name="useSession" value="true"/>
    <property name="serverName" value="http://192.168.0.116:8080"/>
    <property name="redirectAfterValidation" value="false"/>
  </bean>
  <bean id="Cas20ServiceTicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg index="0" value="https://www.test.com:443/cas-server" />
  </bean>
  <bean id="casHttpServletRequestWrapperFilter"
        class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter"/>
</beans>
Copy the required JAR files
Copy the two JAR files cas-client-core-3.1.3.jar and spring.jar into the /WEB-INF/lib directory.
3.2.3 Partner2 configuration
Identical to partner1.
3.2.4 Changing the gateway parameter (for Experiment 3 only; leave it unchanged in Experiments 1 and 2)
Configure the gateway parameter for index.jsp
Set the gateway parameter to false (the default is false)
web.xml:
Keep as is; no change is needed.
spring-appContext.xml:
Add a gateway property to the bean for AuthenticationFilter and set it explicitly to false:
<property name="gateway" value="false"/>
Configure the gateway parameter for debug.jsp
Set the gateway parameter to true (the default is false)
web.xml:
Give debug.jsp its own mapping of the three filters referenced in the spring-appContext.xml above: AuthenticationFilter, Cas20ProxyReceivingTicketValidationFilter and HttpServletRequestWrapperFilter.
spring-appContext.xml:
Add a gateway property to the bean for AuthenticationFilter and set it to true:
<property name="gateway" value="true"/>
4 Experiments
4.1 Experiment 1: single sign-on
A. Visit http://192.168.0.116:8080/partner1/secure/index.jsp
B. The browser redirects to the CAS server; enter the username and password and click OK
C. In another tab, visit http://192.168.0.116:8080/partner2/secure/index.jsp
4.2 Experiment 2: single sign-out
A. Visit http://192.168.0.116:8080/partner1/secure/index.jsp
B. The browser redirects to the CAS server; enter the username and password and click OK
C. In another tab, visit http://192.168.0.116:8080/partner2/secure/index.jsp
D. In another tab, visit https://www.test.com:443/cas-server/logout to log out
E. In another tab, visit http://192.168.0.116:8080/partner2/secure/debug.jsp and confirm that the logout succeeded
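To show what the client filters configured in web.xml and spring-appContext.xml actually exchange during Experiments 1 and 2, here is an added Python model (not part of the JA-SIG client) of the two messages: the CAS 2.0 serviceValidate reply that Cas20ServiceTicketValidator parses, and the SAML logoutRequest that /cas-server/logout POSTs to each service, which SingleSignOutFilter maps back to the local session by service ticket. The XML messages, the ticket value and the user ID are constructed for the example.

```python
import xml.etree.ElementTree as ET

CAS = "{http://www.yale.edu/tp/cas}"                   # CAS 2.0 response namespace
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"       # namespace of the single sign-out message

# Constructed replies from https://www.test.com:443/cas-server/serviceValidate
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>10001</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
# Constructed logoutRequest that the CAS server POSTs to partner1 and partner2 on /cas-server/logout
LOGOUT_XML = """<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='LR-1' Version='2.0' IssueInstant='2008-01-01T00:00:00Z'>
  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_service_response(body):
    """What Cas20ServiceTicketValidator extracts: (user, None) or (None, failure code)."""
    root = ET.fromstring(body)
    user = root.find(CAS + "authenticationSuccess/" + CAS + "user")
    if user is not None:
        return user.text, None
    failure = root.find(CAS + "authenticationFailure")
    return None, (failure.get("code") if failure is not None else "UNKNOWN")


class SessionStore:
    """Model of SingleSignOutFilter's service-ticket -> HttpSession map."""

    def __init__(self):
        self.by_ticket = {}   # ST -> session dict; the session holds the validated user

    def on_validated(self, ticket, body):
        """Validation filter path: only a successful response creates a logged-in session."""
        user, code = parse_service_response(body)
        if user is None:
            return None
        self.by_ticket[ticket] = {"user": user, "valid": True}
        return self.by_ticket[ticket]

    def on_logout_request(self, logout_xml):
        """Sign-out path: SessionIndex names the ST, so the matching session is invalidated."""
        idx = ET.fromstring(logout_xml).find(SAMLP + "SessionIndex")
        session = self.by_ticket.pop(idx.text, None) if idx is not None else None
        if session is not None:
            session["valid"] = False
        return session is not None
```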
4.3 Experiment 3: testing the gateway parameter
A. Visit http://192.168.0.116:8080/partner1/secure/debug.jsp
B. In another tab, visit http://192.168.0.116:8080/partner1/secure/index.jsp
The browser redirects to the CAS server; enter the username and password and click OK
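The gateway behaviour exercised in Experiment 3, as an added Python model of the AuthenticationFilter's decision (not the JA-SIG client's code): with gateway=true the first request redirects to CAS with gateway=true, the return without a ticket is let through unauthenticated, and with gateway=false the redirect always demands a login. The session attribute names mirror the Java client's; the request path, parameters and session are constructed here.

```python
from urllib.parse import urlencode

# Values from spring-appContext.xml above; the flag names model the Java client's session attributes.
CAS_LOGIN_URL = "https://www.test.com:443/cas-server/login"
SERVER_NAME = "http://192.168.0.116:8080"
GATEWAY_FLAG = "_const_cas_gateway_"     # set when a gateway redirect has been issued for this session
ASSERTION = "_const_cas_assertion_"      # set by the validation filter once a ticket has been validated


def authentication_filter(path, params, session, gateway=False):
    """Model of org.jasig.cas.client.authentication.AuthenticationFilter.doFilter.

    Returns ("pass", None) when the request continues down the filter chain,
    or ("redirect", url) when the browser is sent to the CAS login page.
    """
    if ASSERTION in session:                 # already logged in to this web application
        return "pass", None
    if "ticket" in params:                   # freshly issued ST: the validation filter consumes it
        return "pass", None
    service = SERVER_NAME + path             # service URL the ticket will be bound to
    if gateway:
        if session.pop(GATEWAY_FLAG, None):  # CAS sent us back with no ticket: no SSO session exists
            return "pass", None              # continue unauthenticated instead of redirecting again
        session[GATEWAY_FLAG] = True
        return "redirect", CAS_LOGIN_URL + "?" + urlencode({"service": service, "gateway": "true"})
    return "redirect", CAS_LOGIN_URL + "?" + urlencode({"service": service})


def experiment_three():
    """Experiment 3 with no SSO session: debug.jsp (gateway=true) then index.jsp (gateway=false)."""
    session = {}                      # one browser, one partner1 HttpSession
    first = authentication_filter("/partner1/secure/debug.jsp", {}, session, gateway=True)
    # CAS sees no TGT cookie; because gateway=true it redirects straight back without a ticket.
    second = authentication_filter("/partner1/secure/debug.jsp", {}, session, gateway=True)
    third = authentication_filter("/partner1/secure/index.jsp", {}, session, gateway=False)
    return first, second, third
```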