Complete CAS setup walkthrough


Note: this only walks through a simple CAS single sign-on setup. No additional validation is added and there is no MD5 check: the password column is compared in clear text, so any username and password that exist in the database log in successfully.

 

I. Deploy the CAS server

First download cas-server-3.4.2-release.zip, which contains the war file of the CAS Server. Unzip it, take cas-server-3.4.2\modules\cas-server-webapp-3.4.2.war, copy it to tomcat\webapps\ and rename it to cas.war.

Start Tomcat once; a cas folder appears under webapps. Then stop Tomcat.

II. Configure Tomcat and modify the CAS server configuration

1. Generate a certificate and import it into the JDK's JRE

Run the .bat file from the attachment; it generates the keystore in the root of drive D and imports the certificate into the JRE's cacerts trust store.

 

The content of the bat script (the original had several flags run together; the spacing is restored here, and the last command is given the cacerts password and -noprompt so that it really runs unattended, as the text above promises):

rem 1. Create a keystore holding an RSA key pair and a self-signed certificate for the local host name
keytool -genkey -alias tomcatgecko -keyalg RSA -keystore d:\mykeystore -dname "CN=gecko-4d4611f2e, OU=gecko-4d4611f2e, O=gecko-4d4611f2e, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit

rem 2. Export the certificate
keytool -export -alias tomcatgecko -keystore d:\mykeystore -file d:\mycerts.crt -storepass changeit

rem 3. Import it into the trust store of the JDK that Tomcat runs on
rem    ("changeit" is the default cacerts password; -noprompt skips the "Trust this certificate?" question)
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file d:\mycerts.crt -alias tomcatgecko -storepass changeit -noprompt

 

Note: the certificate must be imported into the JDK that Tomcat runs on (and into the JDK of the client web application, if that is a different one). The CAS client validates tickets over HTTPS against https://<hostname>:8443/cas, and that connection fails with a certificate (PKIX) error if the JVM does not trust the certificate. Two caveats for anything beyond a local test: importing into cacerts makes every Java program on that JDK trust the certificate (a separate trust store selected with -Djavax.net.ssl.trustStore is cleaner), and keytool -genkey defaults to a validity of 90 days, so add -validity <days> if the setup has to live longer.

The host name in the script (gecko-4d4611f2e, shown in red in the original) must be your own computer name: the CN of the certificate has to match the host name used in the CAS URLs, otherwise HTTPS host name verification fails.

Then add that same name to C:\WINDOWS\system32\drivers\etc\hosts as a local domain name, identical to the computer name, for example:

127.0.0.1    gecko-4d4611f2e

 

 

2. After Tomcat has been started once, the cas folder unpacked from cas.war is under tomcat\webapps. Open tomcat\conf\server.xml and add an HTTPS connector:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\mykeystore"
           keystorePass="changeit"/>

keystoreFile="" is the path to the keystore created by the script.

keystorePass="" is the keystore password (the -storepass value, changeit here; the key password is the same, so no separate keyPass is needed). clientAuth="false" means Tomcat does not ask browsers for client certificates; CAS itself authenticates the users.

 

3. Modify the CAS server configuration

Open cas\WEB-INF\deployerConfigContext.xml.

Comment out

<!--<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/>-->

(this test handler accepts any login where the username equals the password, so it must not stay active) and add

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from portal_user where username=?"/>
    <property name="dataSource" ref="dataSource"/>
</bean>

The SQL statement (shown in red in the original) can be changed to suit your schema. It must return exactly one column, the stored password; the ? is bound as a JDBC parameter, so the username is never concatenated into the query. The handler compares the returned value with the submitted password as a plain string, which is why this setup only works with clear-text passwords in the database.

The modified file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <!--
    | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean.  We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!--
        | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
        | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
        | supports the presented credentials.
        |
        | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
        | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
        | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
        | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
        | using.
        |
        | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
        | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
        | You will need to change this list if you are identifying services by something more or other than their callback URL.
        +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                | by default and produces SimplePrincipal instances conveying the username from the credentials.
                |
                | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
                | Credentials you are using.
                +-->
                <bean
                    class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
                <!--
                | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
                | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
                | SimpleService identified by that callback URL.
                |
                | If you are representing services by something more or other than an HTTPS URL whereat they are able to
                | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
                +-->
                <bean
                    class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
            </list>
        </property>

        <!--
        | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
        | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
        | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
        | until it finds one that both supports the Credentials presented and succeeds in authenticating.
        +-->
        <property name="authenticationHandlers">
            <list>
                <!--
                | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
                | a server side SSL certificate.
                +-->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient"/>
                <!--
                | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
                | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
                | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
                | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
                | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
                +-->
                <!--
                <bean
                    class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/>
                -->

                <!-- Added in this walkthrough: look the stored password up by username and compare it with the submitted one -->
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                    <property name="sql" value="select password from portal_user where username=?" />
                    <property name="dataSource" ref="dataSource" />
                </bean>
            </list>
        </property>
    </bean>

    <!--
    This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the Jdbc version.

    The name of this should remain "userDetailsService" in order for Spring Security to find it.

    To use this, you should add an entry similar to the following between the two value tags:
    battags=notused,ROLE_ADMIN

    where battags is the username you want to grant access to.  You can put one entry per line.
    -->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <!--
    Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
    may go against a database or LDAP server.  The id should remain "attributeRepository" though.
    -->
    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>

    <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".
    -->
    <bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"/>

    <!-- Added in this walkthrough: the DataSource the QueryDatabaseAuthenticationHandler queries -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
        <property name="url"><value>jdbc:mysql://localhost:3306/portal</value></property>
        <property name="username"><value>portal</value></property>
        <property name="password"><value>portal</value></property>
    </bean>

</beans>
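The handler configured above compares the password column with the submitted password as clear text, because CAS 3.4's QueryDatabaseAuthenticationHandler defaults to a PlainTextPasswordEncoder; that is what the note at the top of the page means by "no MD5 check". The bean definitions below are an added example, not part of the original page or of the CAS distribution: they put the weak variant beside a hardened one that uses CAS's own DefaultPasswordEncoder (a MessageDigest wrapper shipped in cas-server-core) to hash the submitted password before the comparison. Table and column names (portal_user, username, password) are the page's; the assumption is that the column then holds the lowercase hex digest that DefaultPasswordEncoder produces.

```xml
<!-- Weak (what the page configures): portal_user.password must contain the clear-text
     password, since the handler's default PasswordEncoder is PlainTextPasswordEncoder.
     Anyone who can read the table, or a backup of it, has every user's password. -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from portal_user where username=?" />
    <property name="dataSource" ref="dataSource" />
</bean>

<!-- Hardened: store hex(SHA-256(password)) in portal_user.password and let CAS hash the
     submitted password the same way before the string comparison. DefaultPasswordEncoder
     calls java.security.MessageDigest.getInstance(), so any JCA digest name works
     ("MD5", "SHA1", "SHA-256"); SHA-256 is used here instead of the MD5 the page mentions. -->
<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg index="0" value="SHA-256" />
    <!-- Hash the UTF-8 bytes of the password so non-ASCII passwords produce the same digest
         on every platform (without this, the JVM's default charset is used). -->
    <property name="characterEncoding" value="UTF-8" />
</bean>

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from portal_user where username=?" />
    <property name="dataSource" ref="dataSource" />
    <!-- This property is inherited from AbstractUsernamePasswordAuthenticationHandler -->
    <property name="passwordEncoder" ref="passwordEncoder" />
</bean>
```

Only one of the two QueryDatabaseAuthenticationHandler beans belongs in the authenticationHandlers list; the weak one is shown for contrast. To populate the column, store the same lowercase hex string the encoder produces, for example the output of MySQL's SHA2(password, 256). This is still an unsalted hash: identical passwords give identical column values and are exposed to precomputed-table attacks. CAS 3.4 ships no salted or bcrypt encoder, so for that you implement the one-method interface org.jasig.cas.authentication.handler.PasswordEncoder (String encode(String)) yourself and reference it in the same property.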

 

 

Open cas\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml and change it to:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <description>
        Defines the cookie that stores the TicketGrantingTicket.  You most likely should never modify these (especially the "secure" property).
        You can change the name if you want to make it harder for people to guess.
    </description>
    <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="false"
          p:cookieMaxAge="-1"
          p:cookieName="CASTGC"
          p:cookiePath="/cas" />
</beans>

The changed attribute (shown in red in the original) is p:cookieSecure, which the stock file ships as "true". Note that the file's own description warns against exactly this change: CASTGC is the single sign-on session cookie, and with cookieSecure="false" the browser also sends it over plain HTTP, so anyone who can observe or redirect HTTP traffic to the CAS host can take over the SSO session. Since the client in section III only ever points at https://gecko-4d4611f2e:8443/cas, the cookie is only needed over HTTPS and the default "true" works; keep it unless you have a concrete reason not to.

 

Note: unzip cas-server-3.4.2-release.zip from the attachment, take cas-server-3.4.2\modules\cas-server-support-jdbc-3.4.2.jar and copy it to cas\WEB-INF\lib; also copy in the JDBC driver for whichever database you use (MySQL Connector/J for the com.mysql.jdbc.Driver configured above).

 

III. Create the web project

1. Create your project in Eclipse, open its web.xml and configure the filter:

<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://gecko-4d4611f2e:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://gecko-4d4611f2e:8443/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

 

The host in loginUrl and validateUrl (gecko-4d4611f2e, shown in red in the original) is the local domain name configured in section II. serverName is the host and port under which the browser reaches your application: the filter uses it to build the service URL that CAS redirects back to and that it passes to serviceValidate, so it must match the address you actually type into the browser. The validateUrl is called from the application's own JVM over HTTPS, which is why that JVM must trust the CAS certificate (section II, step 1).

2. Add the jars

spring.jar and the related jars are provided in the attachment.

 

The code of index.jsp:

<%@ page language="java" pageEncoding="UTF-8"%>
<%@ page import="edu.yale.its.tp.cas.client.filter.CASFilter"%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
    <head>
        <title>My JSP 'index.jsp' starting page</title>
        <meta http-equiv="pragma" content="no-cache">
        <meta http-equiv="cache-control" content="no-cache">
        <meta http-equiv="expires" content="0">
        <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
        <meta http-equiv="description" content="This is my page">
        <!--
        <link rel="stylesheet" type="text/css" href="styles.css">
        -->
    </head>

    <body>
        <%
            // After a successful ticket validation CASFilter stores the user name
            // in the HTTP session under the CAS_FILTER_USER key
            String username = (String) session.getAttribute(CASFilter.CAS_FILTER_USER);
            out.print("Hello, " + username);
            System.out.println(username);
        %>
    </body>
</html>

 

 

IV. Start Tomcat and open http://localhost:8080/<project name>; the filter redirects you straight to the CAS login page.

Enter a username and password that exist in the database and you are sent back to index.jsp.

 

 

 

 

 

 
