sso单点登录cas认证

最新推荐文章于 2019-10-11 16:44:47 发布
最新推荐文章于 2019-10-11 16:44:47 发布
阅读量478 收藏
点赞数
分类专栏: sso keytool https cas 文章标签: java 运维 web.xml
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/aoeace/article/details/84748022
版权
https 同时被 3 个专栏收录
4 篇文章 0 订阅
订阅专栏
cas
4 篇文章 0 订阅
订阅专栏
sso
2 篇文章 0 订阅
订阅专栏

1.下载cas的server和client包(cas-server-4.0.0-release.zip,cas-client-3.3.3-release.zip),https://www.apereo.org/projects/cas/download-cas,http://downloads.jasig.org/cas-clients/。。

2.自定义测试域名hosts,更改C:\Windows\System32\drivers\etc路径下的hosts文件

 

127.0.0.1	www.owenmoney.com
127.0.0.1	www.owensso.com
127.0.0.1	www.owenmall.com

 3.使用keytool安装证书

 

 

keytool -genkey -alias owensso -keyalg RSA -keysize 2048 -keystore E:/temp/cas/keys/owensso.keystore
#keystore密码:changeit,您的名字与姓氏是什么?www.owensso.com(否则会出现java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found)
keytool -export -file E:/temp/cas/keys/owensso.crt -alias  owensso -keystore  E:/temp/cas/keys/owensso.keystore

keytool -import -keystore D:\app\Java\jre6\lib\security\cacerts -file E:/temp/cas/keys/owensso.crt -alias owensso

4.客户端安装证书(不安装会出现PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target )

 

 

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class InstallCert {

	public static void main(String[] args) throws Exception {
		String host;
		int port;
		char[] passphrase;
		if ((args.length == 1) || (args.length == 2)) {
			String[] c = args[0].split(":");
			host = c[0];
			port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
			String p = (args.length == 1) ? "changeit" : args[1];
			passphrase = p.toCharArray();
		} else {
			System.out
					.println("Usage: java InstallCert <host>[:port] [passphrase]");
			return;
		}

		File file = new File("jssecacerts");
		if (file.isFile() == false) {
			char SEP = File.separatorChar;
			File dir = new File(System.getProperty("java.home") + SEP + "lib"
					+ SEP + "security");
			file = new File(dir, "jssecacerts");
			if (file.isFile() == false) {
				file = new File(dir, "cacerts");
			}
		}
		System.out.println("Loading KeyStore " + file + "...");
		InputStream in = new FileInputStream(file);
		KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
		ks.load(in, passphrase);
		in.close();

		SSLContext context = SSLContext.getInstance("TLS");
		TrustManagerFactory tmf = TrustManagerFactory
				.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(ks);
		X509TrustManager defaultTrustManager = (X509TrustManager) tmf
				.getTrustManagers()[0];
		SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
		context.init(null, new TrustManager[] { tm }, null);
		SSLSocketFactory factory = context.getSocketFactory();

		System.out
				.println("Opening connection to " + host + ":" + port + "...");
		SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
		socket.setSoTimeout(10000);
		try {
			System.out.println("Starting SSL handshake...");
			socket.startHandshake();
			socket.close();
			System.out.println();
			System.out.println("No errors, certificate is already trusted");
		} catch (SSLException e) {
			System.out.println();
			e.printStackTrace(System.out);
		}

		X509Certificate[] chain = tm.chain;
		if (chain == null) {
			System.out.println("Could not obtain server certificate chain");
			return;
		}

		BufferedReader reader = new BufferedReader(new InputStreamReader(
				System.in));

		System.out.println();
		System.out.println("Server sent " + chain.length + " certificate(s):");
		System.out.println();
		MessageDigest sha1 = MessageDigest.getInstance("SHA1");
		MessageDigest md5 = MessageDigest.getInstance("MD5");
		for (int i = 0; i < chain.length; i++) {
			X509Certificate cert = chain[i];
			System.out.println(" " + (i + 1) + " Subject "
					+ cert.getSubjectDN());
			System.out.println("   Issuer  " + cert.getIssuerDN());
			sha1.update(cert.getEncoded());
			System.out.println("   sha1    " + toHexString(sha1.digest()));
			md5.update(cert.getEncoded());
			System.out.println("   md5     " + toHexString(md5.digest()));
			System.out.println();
		}

		System.out
				.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
		String line = reader.readLine().trim();
		int k;
		try {
			k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
		} catch (NumberFormatException e) {
			System.out.println("KeyStore not changed");
			return;
		}

		X509Certificate cert = chain[k];
		String alias = host + "-" + (k + 1);
		ks.setCertificateEntry(alias, cert);

		OutputStream out = new FileOutputStream("jssecacerts");
		ks.store(out, passphrase);
		out.close();

		System.out.println();
		System.out.println(cert);
		System.out.println();
		System.out
				.println("Added certificate to keystore 'jssecacerts' using alias '"
						+ alias + "'");
	}

	private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

	private static String toHexString(byte[] bytes) {
		StringBuilder sb = new StringBuilder(bytes.length * 3);
		for (int b : bytes) {
			b &= 0xff;
			sb.append(HEXDIGITS[b >> 4]);
			sb.append(HEXDIGITS[b & 15]);
			sb.append(' ');
		}
		return sb.toString();
	}

	private static class SavingTrustManager implements X509TrustManager {

		private final X509TrustManager tm;
		private X509Certificate[] chain;

		SavingTrustManager(X509TrustManager tm) {
			this.tm = tm;
		}

		public X509Certificate[] getAcceptedIssuers() {
			throw new UnsupportedOperationException();
		}

		public void checkClientTrusted(X509Certificate[] chain, String authType)
				throws CertificateException {
			throw new UnsupportedOperationException();
		}

		public void checkServerTrusted(X509Certificate[] chain, String authType)
				throws CertificateException {
			this.chain = chain;
			tm.checkServerTrusted(chain, authType);
		}
	}

}

 编译后,执行 java InstallCert www.owensso.com:8443

 

 

Enter certificate to add to trusted keystore or 'q' to quit: [1]

 回复:1,回车。

 

将生成的jssecacerts文件copy到D:\app\Java\jdk1.6.0_23\jre\lib\security目录下,不确定运行的那一个jre,把java_home下的jre文件夹相同路径下也备一份

5.tomcat的https配置

解压3个tomcat,命名tomcat80,tomcat8080,tomcat8443,对应域名:www.owenmoney.com:80,www.owenmall.com:8080,www.owensso.com:8443,更改配置tomcat的server.xml文件,其他端口号都相应的+1,8443tomcat的server.xml如下,ciphers参数是解决高版本的chrome和firefox的弱权限问题

 

<Connector port="8443" 
			   ciphers= " TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA " 
			   protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
			   keystoreFile="E:/temp/cas/keys/owensso.keystore"    
			   keystorePass="changeit"
			   />

 6.解压cas-server-4.0.0-release.zip,把modules/cas-server-webapp-4.0.0.war发布到tomcat8443下,启动tomcat,访问https://www.owensso.com:8443/cas/login,用户名:casuser密码:Mellon

 

7.解压cas-client-3.3.3-release.zip,复制cas-client-core-3.3.3.jar包到owenmall工程下,添加web.xml

 

<!-- ======================== 单点登录开始 ======================== -->
	<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置-->
	<!-- 该过滤器用于实现单点登出功能,可选配置。 -->
	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>
	<filter>
		<filter-name>CAS Filter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>
			<param-name>casServerLoginUrl</param-name>
			<param-value>https://www.owensso.com:8443/cas/login</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>http://www.owenmall.com:8080</param-value>
		</init-param>
	</filter>
	<!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->
	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>
			org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://www.owensso.com:8443/cas</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>http://www.owenmall.com:8080</param-value>
		</init-param>
	</filter>
	<!--
		该过滤器负责实现HttpServletRequest请求的包裹,
		比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。
	-->
	<filter>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>
	<!--
		该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。
		比如AssertionHolder.getAssertion().getPrincipal().getName()。
	-->
	<filter>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
	</listener>

	<!-- ======================== 单点登录结束 ======================== -->

 7.启动tomcat8443,tomcat8080,访问www.owenmall.com:8080/sso-client,网页自动跳转到https://www.owensso.com:8443/cas/login输入用户名密码,成功后将会回跳开始页面!

 

学习笔记,参考知识资料皆来源于国内外的论坛博客,原网址浏览时未记录,若侵权请联系!

 

 

 

梅八哥
关注
专栏目录
聊聊单点登录(SSO)中的CAS认证
虚幻私塾
09-16 1215
随着企业的发展,一个大型系统里可能包含 n 多子系统, 用户在操作不同的系统时,需要多次登录,很麻烦,我们需要一种全新的登录方式来实现多系统应用群的登录,这就是单点登录。web 系统 由单系统发展成多系统组成的应用群,复杂性应该由系统内部承担,而不是用户。无论 web 系统内部多么复杂,对用户而言,都是一个统一的整体,也就是说,用户访问 web 系统的整个应用群与访问单个系统一样,登录/注销 只要1次就够了即单点登录,一种对于许多相互关联,但是又是各自独立的软件系统,提供访问控制的方法。
sso/cas单点登录Java maven版 含服务端客服端
02-26
SSO(Single Sign-On)是单点登录的缩写,是一种网络用户身份验证的机制,允许用户在一次登录后访问多个应用系统而无需再次验证。CAS(Central Authentication Service)是SSO的一种实现,由耶鲁大学开发并开源,它...
单点登录系统(SSO)之CAS(中央认证服务)
weixin_34008784的博客
06-04 2521
SSO(Single Sign On)单点登录系统,是在多个系统中值要求只要登录一次,就可以用已登录的身份访问多个系统,去掉了每次访问不同的系统都要重新登录的弊端。 CAS(中央/集中认证服务):The Central Authentication Service project, more commonly referred to as CAS is an authentication sys...
CAS Authentication failed!
weixin_34288121的博客
01-26 1852
2019独角兽企业重金招聘Python工程师标准>>> ...
Spring+ Spring cloud + SSO单点登录应用认证
springML的博客
11-26 562
之前的文章中有介绍spring cloud sso集成的方案,也做过spring + jwt + redis的解决方案,不同系统的无缝隙集成,统一的sso单点登录界面的管理、每个应用集成的权限认证,白名单等都是我们需要考虑的,现在针对于以上的问题我们做了sso单点登录应用认证平台,设计如下:愿意了解源码的朋友直接求求交流分享技术二一四七七七五六三三 1. 数据库设计: DROP TABLE ...
浅谈单点登录SSO
全力奔跑,梦在彼岸
05-15 739
前言 最近在小编公司大大小小的技术分享中,一直提到一个词“单点登录”,下面就来了解一下单点登录的知识。 正文 一、由来 当我们想要访问一个系统或者网站时,往往会有一个登录入口,输入用户名和密码,用来验证用户的身份。当我们需要访问多个系统的时候,就需要进行多次用户身份认证,用户体验度不高、后台用户管理也会很复杂,这时候我们可以采用一种叫做单点登录的机制解决问题,为不同域不同系统的登录提供一致的界面,用户只需要登录一次,就可以访问所有相互信任的应用系统,而不用重复登录。
SSO 证书配置
weixin_30730151的博客
04-11 307
ssodev.crt为开发环境证书ssotest.crt为测试环境证书 将证书拷贝到目录:{JDK}\jre\lib\security 其中 {JDK} 是实际安装JDK的位置。然后cmd进入命令窗口,进入该目录执行命令:keytool -import -trustcacerts -alias ssoCas -storepass changeit -file ssodev.crt -keysto...
单点登录sso-shiro-cas-maven
10-19
spring下使用shiro+cas配置单点登录,多个系统之间的访问,每次只需要登录一次 ## 系统模块说明 1. cas单点登录模块,这里直接拿的是cas的项目改了点样式而已 2. doc: 文档目录,里面有数据库生成语句,采用的...
cas_sso.rar_CAS_CAS SSO_cas文档_sso C_单点登录
09-24
CAS(Central Authentication Service,中央认证服务)是一种广泛使用的开源身份验证框架,旨在提供一种安全的单点登录(Single Sign-On,SSO)解决方案。SSO允许用户通过一次登录,就能访问多个相互信任的应用系统...
sso.rar_DotNetCasClient.dll_sso_sso 单点登录_单点登录_鍗曠偣鐧诲綍
09-20
单点登录(Single Sign-On,简称SSO)是一种网络身份验证技术,允许用户在一次登录后,无需再次输入凭证即可访问多个相互关联的应用系统。在IT领域,它极大地提升了用户体验和安全性,尤其对于大型企业或组织,管理...
cas-client-3.3.3-releasecas-server-4.2.1-release下载
10-20
cas的jar包,包括: 服务器端:cas-server-4.2.1-release.zip 客户端:cas-client-3.3.3-release.zip
联通统一通信客户端
06-05
联通推出的使用电话号发短信的功能,名字就是统一通信,客户端各地可能会有差别。
java.security.cert.CertificateException: No subject alternative DNS name matching XXX found解决方案
12-21
由于第三方服务商更新服务器证书,导致向其推送数据出现SSL证书认证失败。 网上搜了一堆,都无法生效,最终找到了一个完美解决方案: 在代码层跳出SSL验证 1、观察异常日志信息如下: 2、新增跳过证书的类,TrustAllTrustManager.java,代码如下: public class TrustAllTrustManager implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager { @Override public java.security.cert.X509Certificate
单点登录实现
zhaoyanjun008的博客
06-15 199
先给个链接看看别人是怎么弄得http://blog.csdn.net/ghsau/article/details/20545513 有时间在附上自己的代码
CORS跨域、Cookie传递SessionID实现单点登录后的权限认证的移动端兼容性测试报告...
dongjizheng9270的博客
06-10 143
简述 本文仅记录如标题所述场景的测试所得,由于场景有些特殊,且并不需兼容所有浏览器,所以本文的内容对读者也许并无作用,仅为记录。 场景、与实现 需在移动端单点登录 需在移动端跨域访问我们的服务 基于历史原因: 单点登录验证后,如Web网站一样,用Cookie携带SessionID到服务器,服务器根据SessionID管理该用户会话、权限 跨域用CORS,在服务端和客户端有如下设置。...
SSL证书认证失败javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 解决方法
热门推荐
qq_40315210的博客
10-11 3万+
访问第三方接口传递数据,出现SSL证书认证失败的情况,于是做出了如下解决方案: 1.代码层跳出SSL验证 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching idcardcert.market.al...
CAS SSO单点登录实战配置指南
"SSO\CAS 单点登录配置手册" SSO(Single Sign-On)单点登录是一种身份验证机制,允许用户在一个应用系统中登录后,无需再次输入凭证即可访问其他相互信任的应用系统。CAS(Central Authentication Service)是实现...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值