1. Add the host names to the hosts file
C:\Windows\System32\drivers\etc\hosts
127.0.0.1 demo.tch.com
127.0.0.1 app1.tch.com
127.0.0.1 app2.tch.com
Put each mapping on its own line and end it with Enter; entries run together on one line are not picked up.
2. CAS uses HTTPS by default. If the security requirement is low (a local lab such as this one), the HTTP-tolerant settings below can be used.
In deployerConfigContext.xml add the parameter p:requireSecure="false" (whether the callback URL this handler authenticates must be secure, i.e. HTTPS; false turns the check off):
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"
      p:requireSecure="false" />
In ticketGrantingTicketCookieGenerator.xml (cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml) change the p:cookieSecure attribute of ticketGrantingTicketCookieGenerator to false:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
What these settings give up: CASTGC is the browser's single sign-on session. With cookieSecure="false" the browser also sends it over plain http://, where anyone on the network path can read and replay it. requireSecure only governs the proxy callback URL that HttpBasedServiceCredentialsAuthenticationHandler authenticates; the http:// serverName the client applications below use works regardless of it, which means service tickets reach the applications in clear text too. Leave both at their default (true) outside a lab.
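As an added check (not part of the original tutorial or of CAS itself), the following Python script inspects a Set-Cookie header for the CASTGC ticket-granting cookie and reports the attributes that the lab settings above drop. The two header strings are constructed samples in the shape CAS emits, not captures from a real server; the finding codes are this script's own.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not captured from a real deployment).
# LAB_HEADER matches the lab settings above: p:cookieSecure="false",
# p:cookiePath="/cas", session cookie (p:cookieMaxAge="-1" -> no Max-Age).
# HARDENED_HEADER is what a production CAS server should send instead.
LAB_HEADER = "CASTGC=TGT-1-a1b2c3d4-cas01; Path=/cas"
HARDENED_HEADER = "CASTGC=TGT-1-a1b2c3d4-cas01; Path=/cas; Secure; HttpOnly"


def audit_tgc_cookie(set_cookie_header: str, cookie_name: str = "CASTGC") -> list:
    """Return finding codes for the ticket-granting cookie in one Set-Cookie header.

    An empty list means the cookie carries the attributes a production CAS
    deployment needs. Codes: NO_TGC, NO_SECURE, NO_HTTPONLY, BROAD_PATH.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if cookie_name not in jar:
        return ["NO_TGC"]
    morsel = jar[cookie_name]
    findings = []
    if not morsel["secure"]:
        # p:cookieSecure="false": the browser sends the SSO session over
        # plain http:// as well, where it can be sniffed and replayed.
        findings.append("NO_SECURE")
    if not morsel["httponly"]:
        # Without HttpOnly, script running on the CAS origin can read the TGC.
        findings.append("NO_HTTPONLY")
    if morsel["path"] in ("", "/"):
        # Keep the cookie scoped to /cas so other apps on the host never see it.
        findings.append("BROAD_PATH")
    return findings


if __name__ == "__main__":
    import sys

    # Usage: paste the Set-Cookie header of the response to a successful
    # POST to /cas/login (browser dev tools or a proxy) as the argument.
    header = sys.argv[1] if len(sys.argv) > 1 else LAB_HEADER
    print(audit_tgc_cookie(header) or ["OK"])
```

With the lab configuration the script reports NO_SECURE and NO_HTTPONLY; once cookieSecure is back at true only the HttpOnly finding remains, which is worth closing separately because it is what turns a single XSS bug on the CAS host into a stolen SSO session.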
3. Generate the certificate
keytool -genkey -alias ssodemo -keyalg RSA -keysize 1024 -keypass 123456 -validity 365 -keystore F:\Study\Java\Projects\SSO\Demo\keys\ssodemo.keystore -storepass 123456
When keytool asks for "first and last name", enter the CAS host name configured in the hosts file above (demo.tch.com). It becomes the certificate's CN, which the browser and the Java CAS client compare with the host name in the URL; any mismatch makes the HTTPS connection to the CAS server fail.
keypass and storepass must be identical. The Tomcat HTTPS connector below is given only keystorePass and uses it to open the key as well, so differing passwords make HTTPS access fail.
For anything beyond a throwaway lab: use -keysize 2048 (1024-bit RSA is deprecated and refused outright by a number of current TLS stacks), add -ext san=dns:demo.tch.com (keytool in JDK 7 and later), because current browsers ignore the CN and require a subjectAltName, and choose a real password instead of 123456, since it is written in clear text into server.xml in step 6.
4. Export the certificate
keytool -export -alias ssodemo -keystore F:\Study\Java\Projects\SSO\Demo\keys\ssodemo.keystore -file F:\Study\Java\Projects\SSO\Demo\keys\ssodemo.crt -storepass 123456
This exports only the public certificate (DER by default; add -rfc for PEM), never the private key, so the .crt file is safe to copy to the client machines.
5. Import the certificate on the client
Import the exported certificate into the JDK that runs the client Tomcats. The CAS client validates service tickets against the CAS server over HTTPS from inside the JVM, so the JVM itself must trust the certificate; accepting the browser warning is not enough.
keytool -import -trustcacerts -file E:\ssodemo.crt -storepass changeit -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -alias ssodemo
Password: changeit (the default cacerts password; keytool prompts for it if -storepass is omitted). On JDK 9 and later the file lives at %JAVA_HOME%\lib\security\cacerts. Note that importing into cacerts makes every TLS connection from that JVM trust this self-signed certificate; for the lab that is acceptable, a dedicated truststore passed with -Djavax.net.ssl.trustStore is the cleaner choice.
6. Deploy cas-server in its Tomcat. In conf/server.xml the HTTPS connector is commented out by default:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
Replace it with:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:\Users\wangbaijun\Desktop\Demo\keys\ssodemo.keystore" keystorePass="123456"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
Parameters:
keystoreFile: the path of the keystore created in step 3, wherever it was copied to (the path here differs from the one used in step 3 for that reason).
keystorePass: the password the keystore was created with. It sits in clear text in server.xml, so restrict read access to that file.
The protocol value selects Tomcat's blocking JSSE connector (Tomcat 6/7); on a newer Tomcat the default HTTP/1.1 value is enough.
7. Verify the cas-server deployment
Start the CAS server's Tomcat and open https://demo.tch.com:8443/cas/login; the login page should appear (the browser warns about the self-signed certificate; if it reports a host-name mismatch instead, the CN entered in step 3 does not equal demo.tch.com).
Enter the same value for user name and password; if the "login successful" page appears, the deployment works. This works because the stock deployerConfigContext.xml authenticates with SimpleTestUsernamePasswordAuthenticationHandler, which accepts any user whose password equals the user name. Replace it with a real handler (LDAP, JDBC) before using the server for anything but a lab.
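The host-name check that steps 3 to 7 depend on (CN or subjectAltName equal to the name in the URL) is worth being able to run outside the browser. The script below is an added example, not part of the tutorial or of CAS: hostname_matches() implements the comparison a verifying client performs (SANs win when present, the CN is only a fallback for SAN-less certificates, wildcards match one label only), and fetch_peer_cert() pulls the live certificate from the Tomcat connector while trusting only the .crt exported in step 4. The certificate dictionaries in the block are constructed in the layout Python's ssl.getpeercert() returns; CN_ONLY_CERT is the shape the keytool command in step 3 produces.

```python
import socket
import ssl

# Constructed certificates in the dict layout ssl.SSLSocket.getpeercert()
# returns; not real certificates from the deployment above.
# CN_ONLY_CERT is what `keytool -genkey` in step 3 produces without -ext san.
CN_ONLY_CERT = {"subject": ((("commonName", "demo.tch.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "demo.tch.com"),),),
    "subjectAltName": (("DNS", "demo.tch.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "tch.com"),),),
    "subjectAltName": (("DNS", "*.tch.com"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as
    the whole left-most label, and never matching across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = hostname.split(".")
        # "*.tch.com" matches "demo.tch.com" but neither "tch.com" nor
        # "a.b.tch.com"; a bare "*.com" pattern is refused outright.
        return "." in suffix and len(labels) > 2 and ".".join(labels[1:]) == suffix
    return False


def names_from_cert(cert: dict):
    """Return (dns_sans, common_name) from getpeercert() output."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Would a host-name-checking client accept `cert` for `hostname`?

    When SANs are present they are authoritative and the CN is ignored.
    The CN fallback only applies to SAN-less certificates; current browsers
    no longer accept that fallback at all, which is why step 3 recommends
    -ext san=dns:demo.tch.com.
    """
    sans, cn = names_from_cert(cert)
    if sans:
        return any(_dns_name_matches(san, hostname) for san in sans)
    return cn is not None and _dns_name_matches(cn, hostname)


def fetch_peer_cert(host: str, port: int, exported_crt: str) -> dict:
    """Connect with TLS, trusting only the certificate exported in step 4,
    and return the decoded peer certificate.

    Host-name checking is turned off so that a mismatch is reported by
    hostname_matches() instead of aborting the handshake; chain verification
    stays on, otherwise getpeercert() returns an empty dict. The .crt may be
    DER (keytool default) or PEM (keytool -export -rfc).
    """
    with open(exported_crt, "rb") as f:
        data = f.read()
    pem = data.decode() if data.startswith(b"-----BEGIN") else ssl.DER_cert_to_PEM_cert(data)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # Usage: python check_cas_cert.py demo.tch.com 8443 <path to ssodemo.crt>
    host, port, crt = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cert = fetch_peer_cert(host, port, crt)
    print("SANs, CN:", names_from_cert(cert))
    print("accepted for", host, "->", hostname_matches(cert, host))
```

Two things the live check can surface that the browser hides: a handshake that fails before any certificate is seen is usually the 1024-bit key being refused by the local OpenSSL security level, and "accepted -> False" with the right CN means the client is SAN-only and the certificate needs regenerating with -ext san.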
8. Deploy the two cas-client Tomcats
In the first client Tomcat's conf/server.xml the default ports clash with the CAS server's Tomcat:
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Change them to:
<Server port="18005" shutdown="SHUTDOWN">
<Connector port="18080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
(Nothing in this setup speaks AJP; the AJP connector can be commented out rather than left listening.)
Copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar into cas-client-1\webapps\examples\WEB-INF\lib\.
Add the following to tomcat-app1\webapps\examples\WEB-INF\web.xml. The filter-name in each <filter> must match its <filter-mapping> exactly, and serverName must be the origin the browser uses to reach this application (scheme, host name from the hosts file, port); the CAS server URLs use the name the certificate was issued for.
<!-- ======================== single sign-on start ======================== -->
<!-- Listener for single sign-out: invalidates the local session when CAS sends a logout request; optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Filter that receives the single sign-out request from CAS; optional, mapped before the other CAS filters. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Authentication filter: redirects a browser without a session to the CAS login page. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.tch.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.tch.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the service ticket against the CAS server over HTTPS (so the client JVM must trust the certificate imported in step 5); it is mandatory. -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.tch.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.tch.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter wraps the HttpServletRequest so that, for example,
    HttpServletRequest.getRemoteUser() returns the SSO user's login name; optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter lets application code obtain the login name through
    org.jasig.cas.client.util.AssertionHolder, for example
    AssertionHolder.getAssertion().getPrincipal().getName(); optional.
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== single sign-on end ======================== -->
Edit tomcat-2's conf/server.xml the same way:
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Change them to:
<Server port="28005" shutdown="SHUTDOWN">
<Connector port="28080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="28443" />
<Connector port="28009" protocol="AJP/1.3" redirectPort="28443" />
Copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar into cas-client-2\webapps\examples\WEB-INF\lib\.
Add the same block to tomcat-app2\webapps\examples\WEB-INF\web.xml; only the two serverName values change, to the origin of app2:
<!-- ======================== single sign-on start ======================== -->
<!-- Listener for single sign-out: invalidates the local session when CAS sends a logout request; optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Filter that receives the single sign-out request from CAS; optional, mapped before the other CAS filters. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Authentication filter: redirects a browser without a session to the CAS login page. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.tch.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.tch.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the service ticket against the CAS server over HTTPS (so the client JVM must trust the certificate imported in step 5); it is mandatory. -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.tch.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.tch.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter wraps the HttpServletRequest so that, for example,
    HttpServletRequest.getRemoteUser() returns the SSO user's login name; optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter lets application code obtain the login name through
    org.jasig.cas.client.util.AssertionHolder, for example
    AssertionHolder.getAssertion().getPrincipal().getName(); optional.
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== single sign-on end ======================== -->
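What the CAS client filters configured above (for app1 and, identically apart from serverName, for app2) actually do on the wire is easy to lose in the XML. The following Python script is an added illustration, not code from the tutorial or from the Jasig CAS client: it builds the service URL the way AuthenticationFilter does (serverName plus request path, with any incoming ticket parameter removed), the redirect to casServerLoginUrl, the back-channel serviceValidate call that Cas20ProxyReceivingTicketValidationFilter makes under casServerUrlPrefix, and parses the CAS 2.0 XML response. Host names and ports are the tutorial's; the two XML responses are constructed samples in the CAS 2.0 format, the INVALID_SERVICE one being what CAS returns when the service presented at validation differs from the one presented at login.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Tutorial values (app1; app2 differs only in SERVER_NAME).
CAS_LOGIN_URL = "https://demo.tch.com:8443/cas/login"
CAS_URL_PREFIX = "https://demo.tch.com:8443/cas"
SERVER_NAME = "http://app1.tch.com:18080"

# Constructed CAS 2.0 responses (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket ST-1-abc does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def service_url(server_name: str, request_uri: str, query_string: str = "") -> str:
    """The `service` value sent to CAS: serverName + request path + query,
    with the `ticket` parameter stripped so the value used at login and at
    validation is identical (CAS answers INVALID_SERVICE otherwise)."""
    params = [(k, v) for k, v in parse_qsl(query_string, keep_blank_values=True) if k != "ticket"]
    query = urlencode(params)
    return server_name + request_uri + ("?" + query if query else "")


def login_redirect(cas_login_url: str, service: str) -> str:
    """Where AuthenticationFilter sends a browser that has no session yet."""
    return cas_login_url + "?" + urlencode({"service": service})


def validate_url(cas_prefix: str, service: str, ticket: str) -> str:
    """The back-channel call Cas20ProxyReceivingTicketValidationFilter makes
    when the browser comes back with ?ticket=ST-... It is an HTTPS request
    from the client JVM, hence the cacerts import in step 5."""
    return cas_prefix + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def parse_service_response(xml_text: str):
    """Return (True, user) on success or (False, failure_code) otherwise.

    The response arrives over the network; in production parse it with
    defusedxml.ElementTree rather than the standard parser.
    """
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return True, user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    return False, "MALFORMED"


if __name__ == "__main__":
    # Walk through the exchange for the HelloWorldExample URL used in step 9.
    svc = service_url(SERVER_NAME, "/examples/servlets/servlet/HelloWorldExample")
    print("1. browser ->", login_redirect(CAS_LOGIN_URL, svc))
    print("2. CAS -> browser ->", svc + "?ticket=ST-1-abc")
    # The ticket must be removed again before validating, or the service differs:
    svc_again = service_url(SERVER_NAME, "/examples/servlets/servlet/HelloWorldExample", "ticket=ST-1-abc")
    print("3. app1 JVM ->", validate_url(CAS_URL_PREFIX, svc_again, "ST-1-abc"))
    print("4. CAS says:", parse_service_response(SUCCESS_RESPONSE))
```

Step 3 of the walk-through is the one that travels over HTTPS and needs the trust import; steps 1 and 2 go through the browser over plain http:// in this lab, which is where the service ticket is exposed. The service comparison in parse_service_response is also why serverName must match the origin the browser really uses: a different host name or port produces a different service string and CAS rejects the ticket.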
9. Test flow
Open the app1 URL -> redirected to the CAS server for authentication -> app1 page shown -> open the app2 URL -> app2 page shown without a second login -> log out of the CAS server (https://demo.tch.com:8443/cas/logout) -> open the app1 or app2 URL -> redirected to the CAS server for authentication again.
app1 URL
http://app1.tch.com:18080/examples/servlets/servlet/HelloWorldExample
app2 URL
http://app2.tch.com:28080/examples/servlets/servlet/HelloWorldExample