1: Put the CAS client jar (the org.jasig.cas.client classes referenced in web.xml below) into WEB-INF/lib
2: Import the CAS server certificate
(1) Copy the certificate file server.cer to a directory on the server that hosts the business system (for example the root of the C: drive), open a cmd window, change to that directory and run the following command (adjust the JDK path to your installation). keytool prints the certificate's fingerprints and asks whether to trust it; compare them with the fingerprint obtained from the CAS server administrator, then type Y and press Enter:
keytool -import -trustcacerts -alias casserver -file server.cer -keystore "C:\Program Files\Java\jdk1.6.0_21\jre\lib\security\cacerts" -storepass changeit
(2) If a standalone JRE is installed as well, the application server may be running on it rather than on the JDK, and each installation has its own cacerts, so be sure to run the command again against the JRE's trust store:
keytool -import -trustcacerts -alias casserver -file server.cer -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit
The certificate import prompt looks like the following figure:
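The two keytool commands above modify two different trust stores, and the one that matters is the one belonging to the JVM that actually runs the application server: the Validation Filter configured in step 3 opens its own HTTPS connection to casServerUrlPrefix, and that connection is what fails with "PKIX path building failed" when the certificate is missing (the browser warning in step 5 is a separate trust decision). The following Java program is an added check, not part of the original page or of the CAS client. Run it with the same java.exe that starts the application server, passing server.cer and optionally the casServerLoginUrl from step 3; the file name server.cer and the default password changeit are the page's own, the class name is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

/**
 * Checks whether the JVM running this program trusts the CAS server certificate.
 * Usage: java CasTrustCheck server.cer [https://casserver.sdcloud.net:8443/cas/login]
 * Run it with the java.exe of the JDK or JRE that starts the application server.
 */
public class CasTrustCheck {

    /** Colon-separated SHA-256 fingerprint, the value to compare with the one published for the CAS server. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Reads server.cer (DER or PEM, both are accepted by the X.509 factory). */
    static X509Certificate readCertificate(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Loads the cacerts of the JVM we are running in; "changeit" is the stock password used by the keytool commands. */
    static KeyStore loadDefaultCacerts() throws Exception {
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        System.out.println("Trust store in use: " + path);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CasTrustCheck server.cer [https://cas-host:port/cas/login]");
            System.exit(2);
        }
        X509Certificate serverCert = readCertificate(args[0]);
        System.out.println("server.cer subject : " + serverCert.getSubjectX500Principal());
        System.out.println("server.cer SHA-256 : " + fingerprint(serverCert));

        // getCertificateAlias compares the encoded certificate, so a re-issued certificate with the
        // same subject is correctly reported as untrusted until it is imported again.
        String alias = loadDefaultCacerts().getCertificateAlias(serverCert);
        if (alias == null) {
            System.out.println("NOT TRUSTED by this JVM: repeat the keytool -import against the trust store above");
            System.exit(1);
        }
        System.out.println("Trusted under alias : " + alias);

        if (args.length > 1) {
            // The URL must be https; this performs the same handshake the Validation Filter performs.
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
            try {
                // Throws javax.net.ssl.SSLHandshakeException ("PKIX path building failed") when untrusted,
                // or a hostname mismatch error when the certificate subject does not match the URL host.
                System.out.println("TLS handshake OK, HTTP status " + conn.getResponseCode());
            } finally {
                conn.disconnect();
            }
        }
    }
}
```

Exit code 1 means the trust store of that particular java.exe still lacks the certificate, which is exactly the situation the second keytool command in (2) guards against.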
3: Configure web.xml
<!-- CAS logout URL. Use the same https prefix as casServerLoginUrl: the CAS ticket-granting cookie
     is marked Secure by default, so the browser would not send it to a plain http:// logout URL. -->
<context-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://casserver.sdcloud.net:8443/cas/logout</param-value>
</context-param>
<!-- Single sign-out configuration; the listener and this filter must be declared before the other CAS filters -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS client configuration: this filter intercepts requests and redirects users who are not
     logged in to the CAS login page -->
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <!-- CAS server login URL; use the host name if one exists -->
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://casserver.sdcloud.net:8443/cas/login</param-value>
    </init-param>
    <!-- renew=true would force the user to re-enter credentials at CAS instead of reusing the SSO session -->
    <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- gateway=true would let requests without a CAS session through unauthenticated instead of redirecting -->
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- Address of the client application as the browser sees it (scheme://host:port). CAS redirects
         the browser back here, and ticket validation only succeeds if the value matches exactly.
         The url-pattern below controls which URLs are filtered: here every path under
         http://localhost:8080/xxx/logon/ -->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/logon/*</url-pattern>
</filter-mapping>
<!-- Ticket validation: this filter validates the ticket request parameter against the CAS server
     (the ticket is the credential exchanged between the application and CAS) -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://casserver.sdcloud.net:8443/cas/</param-value>
    </init-param>
    <!-- must be the same value as in the Authentication Filter -->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Wraps HttpServletRequest so that getUserPrincipal and getRemoteUser return the CAS user -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Stores the Assertion in a ThreadLocal (readable through AssertionHolder) so that code outside the
     web layer can also obtain the current login information -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
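To make the comment on the Validation Filter concrete, the following Java class is an added illustration (not code from this page or from the Jasig client) of what that filter does with the ticket parameter: after CAS redirects the browser back with ?ticket=ST-..., the application calls casServerUrlPrefix + serviceValidate with the ticket and the service URL it was issued for, and parses the CAS 2.0 XML reply. The two XML responses, the ticket value ST-1-abc and the request path /casclient/logon/index.jsp are constructed samples; the URLs are the ones from the web.xml above. It also shows why serverName must be exactly the scheme, host and port the browser uses: the service string is compared by the CAS server with the one the ticket was issued for.

```java
import java.io.ByteArrayInputStream;
import java.net.URLEncoder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Illustrates the back-channel exchange performed by the CAS Validation Filter:
 * build the /serviceValidate URL, then interpret the CAS 2.0 XML response.
 */
public class CasTicketValidationDemo {

    /** Namespace used by CAS 2.0 protocol responses. */
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    /** Constructed sample of a successful reply from /cas/serviceValidate. */
    static final String SUCCESS_RESPONSE =
          "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        + "  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>"
        + "</cas:serviceResponse>";

    /** Constructed sample of a rejection: the service string did not match the one the ticket was issued for. */
    static final String FAILURE_RESPONSE =
          "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        + "  <cas:authenticationFailure code='INVALID_SERVICE'>"
        + "    Ticket 'ST-1-abc' does not match supplied service"
        + "  </cas:authenticationFailure>"
        + "</cas:serviceResponse>";

    /**
     * Builds the validation URL. service = serverName + request URI (without the ticket parameter) is
     * what CAS compares against the URL it redirected the browser to, byte for byte.
     */
    static String validationUrl(String casServerUrlPrefix, String serverName, String requestUri, String ticket)
            throws Exception {
        String service = serverName + requestUri;
        return casServerUrlPrefix + "serviceValidate"
             + "?ticket=" + URLEncoder.encode(ticket, "UTF-8")
             + "&service=" + URLEncoder.encode(service, "UTF-8");
    }

    /** Returns the authenticated user name, or throws SecurityException if CAS rejected the ticket. */
    static String validatedUser(String responseXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The reply arrives over the network: refuse DOCTYPE declarations so a hostile response cannot use XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(responseXml.getBytes("UTF-8")));

        NodeList failure = doc.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
        if (failure.getLength() > 0) {
            Element f = (Element) failure.item(0);
            throw new SecurityException("CAS rejected ticket: " + f.getAttribute("code")
                    + " - " + f.getTextContent().trim());
        }
        NodeList users = doc.getElementsByTagNameNS(CAS_NS, "user");
        if (users.getLength() != 1) {
            throw new SecurityException("malformed CAS response: expected exactly one cas:user element");
        }
        return users.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Values taken from the web.xml above; ticket and request path are constructed.
        System.out.println(validationUrl("https://casserver.sdcloud.net:8443/cas/",
                "http://localhost:8080", "/casclient/logon/index.jsp", "ST-1-abc"));
        System.out.println("authenticated user: " + validatedUser(SUCCESS_RESPONSE));
        try {
            validatedUser(FAILURE_RESPONSE);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

A service ticket is single-use and short-lived, so a replayed or stale ticket produces the same kind of authenticationFailure as the mismatch shown; the filter treats any failure as "not authenticated" and never falls back to the user name in the request.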
4: Modify the application source
Assume the original business system (see the test sample application) has the login page test/login.jsp, the user validation page test/checkUser.jsp, the post-login page test/index.jsp and the post-logout page test/logout.jsp.
The original flow: the user enters a username and password on login.jsp; checkUser.jsp performs the business validation and then moves on to index.jsp; logging out leads to logout.jsp; opening index.jsp without being logged in redirects to login.jsp.
To use the CAS single sign-on server, make the following changes (see the castest sample application).
(1) Modify the user validation page checkUser.jsp: replace the statements that read the username and password from the request with code that obtains the authenticated user from the CAS AttributePrincipal. The application no longer receives or checks a password; by the time this page runs the CAS filters have already authenticated the user, so look the user up by name and keep only the remaining business logic (see castest/checkUserWithCAS.jsp). Note that getProxyTicketFor(service) does not return a password: it requests a proxy ticket for calling another CAS-protected service and only works when proxy callbacks are configured.
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<%
// The CAS filters have already authenticated the user; the password entered on the CAS login page
// is never passed to the application, only the principal and any attributes the CAS server releases.
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
String username = principal.getName();
java.util.Map attributes = principal.getAttributes(); // may be empty if CAS releases no attributes
%>
(2) In index.jsp, change the redirect for users who are not logged in: instead of sending them to the login page, send them to the user validation page (see castest/index.jsp), or make the equivalent change in web.xml (for example by placing index.jsp under the url-pattern of the CAS Authentication Filter).
(3) Modify the logout page logout.jsp. After invalidating the local session, add the redirect to the CAS logout endpoint; without it the CAS single sign-on session stays alive and the next visit to a protected page logs the user straight back in.
response.sendRedirect("https://casserver.sdcloud.net:8443/cas/logout?service=http://localhost:8080/test/logoutseccess.jsp");
The value of the service parameter (highlighted in the original) is the page to return to after logout and can be changed as needed; the CAS server only follows it when followServiceRedirects is enabled in its logout configuration.
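The three changes of this step, written as one servlet instead of JSP edits, as an added example that is not part of the test or castest applications: ?action=login does what checkUserWithCAS.jsp does, anything else with ?action=logout ends both the local session and the CAS session. It reuses the casServerLogoutUrl context-param from step 3; the servlet path (for example /logon/session, which puts it under the CAS Authentication Filter), the action parameter and the default landing page /loggedout.jsp are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.authentication.AttributePrincipal;

/**
 * Servlet replacing checkUser.jsp and logout.jsp. Map it in web.xml under a path covered by the
 * CAS Authentication Filter, e.g. /logon/session (assumed), and call it with ?action=login|logout.
 */
public class CasSessionServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Page CAS sends the browser to after logout; assumed default, overridable via the logoutLandingPage init-param. */
    static final String DEFAULT_LANDING_PAGE = "/loggedout.jsp";

    /** Replacement for reading username/password from the request: the CAS filters have already authenticated. */
    static String currentUser(HttpServletRequest request) {
        AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
        if (principal == null) {
            // Only possible if this URL is not covered by the Authentication Filter. Fail closed;
            // never fall back to a user name supplied in the request.
            throw new IllegalStateException("request reached the application without CAS authentication");
        }
        return principal.getName();
    }

    /** CAS logout URL with the return page URL-encoded so its own ':' '/' and '?' characters survive. */
    static String logoutUrl(String casServerLogoutUrl, String landingPageAbsoluteUrl) throws IOException {
        return casServerLogoutUrl + "?service=" + URLEncoder.encode(landingPageAbsoluteUrl, "UTF-8");
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            // 1. End the local session (the same thing SingleSignOutFilter does when CAS reports a global logout).
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // 2. End the CAS single sign-on session, otherwise the next protected request logs the user back in.
            String casLogout = getServletContext().getInitParameter("casServerLogoutUrl");
            String landing = getInitParameter("logoutLandingPage");
            if (landing == null) {
                landing = DEFAULT_LANDING_PAGE;
            }
            // Absolute URL as the browser sees it. Behind a TLS-terminating proxy, build it from the
            // serverName configured in web.xml instead of the request.
            String absoluteLanding = request.getScheme() + "://" + request.getServerName() + ":"
                    + request.getServerPort() + request.getContextPath() + landing;
            response.sendRedirect(logoutUrl(casLogout, absoluteLanding));
            return;
        }

        // Login path: the CAS equivalent of checkUser.jsp. No password is available or needed here.
        AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
        String username = currentUser(request);
        Map attributes = principal.getAttributes(); // attributes released by the CAS server, possibly empty
        HttpSession session = request.getSession(true);
        session.setAttribute("username", username);
        session.setAttribute("casAttributes", attributes);
        // ... the business logic that used to follow the password check goes here ...
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

Because the CAS logout URL is read from the casServerLogoutUrl context-param, the https endpoint from step 3 is used consistently; hard-coding a second copy of the URL in logout.jsp is how the http/https mismatch creeps in.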
5: Deploy the system
Open the business system at http://localhost:8080/casclient/. If the browser shows a certificate warning like the one below, click "Continue to this website (not recommended)". The warning means the browser itself does not trust the CAS server's certificate (the cacerts import in step 2 only affects the application's JVM). Clicking through is acceptable in a test environment; in production the CAS server should present a certificate issued by a CA the users' browsers trust.