一、准备环境:
- Tomcat6.0.36
- JDK7
- CAS Server版本:cas-server-3.4.2
- CAS Client版本:cas-client-3.1.12
证书是单点登录认证系统中很重要的一把钥匙,客户端于服务器的交互安全靠的就是证书;由于是演示所以就自己用JDK自带的keytool工具生成证书;如果以后真正在产品环境中使用肯定要去证书提供商去购买,证书认证一般都是由VeriSign认证,中文官方网站:http://www.verisign.com/cn/
用JDK自带的keytool工具生成证书:
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
三、导出证书
keytool -export -file d:/tomcat.crt -alias wsria -keystore d:/tomcat.keystore
如果提示:keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect那么请输入密码:changeit
四、导入证书
keytool -import -keystore C:\Program Files\Java\jdk7\jre\lib\security\cacerts -file D:/tomcat.crt -alias wsria
五、修改Tomcat为https访问
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="D:/tomcat.keystore" keystorePass="hanzhou"
clientAuth="false" sslProtocol="TLS" />
- keystoreFile:创建key存放的位置
- keystorePass:创建证书时的密码
六、部署CAS Server
-
CAS服务端下载:http://www.jasig.org/cas/download
-
下载解压改名为cas,然后复制cas目录到你的tomcat/webapp目录下
-
访问CAS应用,打开CAS服务器的页面输入admin/admin(CAS默认的验证规则只要用户名和密码相同就通过)
注释掉:SimpleTestUsernamePasswordAuthenticationHandler这个验证Handler,这个是比较简单的,只是判断用户名和密码相同即可通过。紧接着在后面添加如下:
<!--<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />-->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource"></property>
<property name="sql" value="SELECT PASSWORD FROM USER WHERE USERNAME = LOWER(?)"></property>
<property name="passwordEncoder" ref="casSha"></property>
</bean>
在末尾添加:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName"><value>oracle.jdbc.driver.OracleDriver</value></property>
<property name="url"><value>jdbc:oracle:thin:@127.0.0.1:1521:test</value></property>
<property name="username"><value>test</value></property>
<property name="password"><value>test</value></property>
</bean>
<bean id="casSha" class="CasShaPasswordEncoder">
复制cas-server-3.4.2\modules\cas-server-support-jdbc-3.4.2.jar和Oracle驱动jar包到tomcat/webapp/cas/WEB-INF/lib目录
主要配置解释:
QueryDatabaseAuthenticationHandler,是cas-server-support-jdbc提供的查询接口其中一个,通过配置一个 SQL 语句查出密码,与所给密码匹配;
dataSource,使用JDBC查询时的数据源;
sql,根据user表的username字段查询密码,CAS会匹配用户输入的密码;
passwordEncoder,处理密码加密类,大部分时候我们需要自定义密码加密方式,所以可以新建一个类继承org.jasig.cas.authentication.handler.PasswordEncoder,然后在encode方法中加密用户输入的密码然后返回即可,如:
import org.jasig.cas.authentication.handler.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
public class CasShaPasswordEncoder
implements PasswordEncoder
{
public String encode(String arg0)
{
ShaPasswordEncoder sha = new ShaPasswordEncoder();
sha.setEncodeHashAsBase64(false);
String pwd = sha.encodePassword(arg0, null);
return pwd;
}
}
七、配置CAS客户端
下载cas-client,地址:http://www.ja-sig.org/downloads/cas-clients/,然后解压cas-client-3.1.12.zip,在modules文件夹中复制cas-client-core-3.2.1.jar到应用的WEB-INF/lib目录中
配置web.xml
<!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置 -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 该过滤器用于实现单点登出功能,可选配置。 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器负责用户的认证工作,必须启用它 -->
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://sso.test.com:8080/cas/login</param-value>
</init-param>
<init-param>
<!--这里的server是服务端的IP -->
<param-name>serverName</param-name>
<param-value>http://localhost:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://sso.test.com:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 -->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 -->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== 单点登录结束 ======================== -->
八、CAS完善
1、退出链接设置为:https://sso.test.com/cas/logout
2、自定义登录/登出等页面,其实就是修改以下页面:
登录界面:casLoginView.jsp
登录成功:casGenericSuccess.jsp
登出界面:casLogoutView.jsp
更详细内容:http://www.kafeitu.me/sso/2010/11/05/sso-cas-full-course.html