Building the Server with a self-signed certificate
What is a self-signed certificate? It simply means using the keytool that ships with the JDK to generate a certificate and then using that. HTTPS can be configured this way, but there is a serious problem: browsers will not trust the certificate. For example, when you visit the site the browser shows a warning like the one below.
Domain name mapping
Edit C:\Windows\System32\drivers\etc\hosts and add the server's domain name (simperfect.cas.com).
Configuring Tomcat locally for HTTPS access
Generate the keystore
keytool -genkey -alias tomcat -keyalg RSA -validity 36500 -keystore /etc/cert/tomcat.keystore
-alias tomcat: the key entry in the keystore is given the alias tomcat; every later operation identifies the entry by this alias, so this parameter is important.
-validity 36500: the certificate is valid for 100 years (36500 days).
Keystore password: I entered changeit.
For "first and last name" enter the server's domain name; press Enter through the remaining prompts; finally, if the summary shown is correct, enter 'y'.
For the tomcat key password I used the same value as the keystore password, so again just press Enter.
Afterwards you can list the contents of the generated keystore with:
keytool -list -keystore /etc/cert/tomcat.keystore
Export the certificate file from the keystore
keytool -export -alias tomcat -file /etc/cert/tomcat.cer -keystore /etc/cert/tomcat.keystore -validity 36500
Trust the exported certificate in the JDK
keytool -import -keystore /usr/local/java/jdk1.8.0_241/jre/lib/security/cacerts -file /etc/cert/tomcat.cer -alias tomcat -storepass changeit
The command to remove the trusted certificate again is as follows; deleting also requires the password changeit:
keytool -delete -keystore /usr/local/java/jdk1.8.0_241/jre/lib/security/cacerts -alias tomcat -storepass changeit
Modify Tomcat's configuration file server.xml
<Connector port="8380" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/cert/tomcat.keystore"
           keystorePass="changeit"/>
Install the certificate locally so the domain can be accessed normally
On Windows you can simply double-click tomcat.cer to install it.
After clicking Next, choose [Trusted Root Certification Authorities] (it does not help much, Chrome will still warn; choosing Personal works as well).
Finish the import.
Now go and access the domain.
Finally, remember that the JDK used by your application server also needs this certificate imported, otherwise you will get the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:447)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:42)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:94)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:141)
at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 74 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 80 common frames omitted
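The trace above is long, and the line that matters is the innermost "Caused by". As an added example (my own code, not part of the original post or of CAS), here is a small Python helper that reads an exception dump of this shape from catalina.out, extracts the chain of causes and the first CAS-client frame, and maps the PKIX root cause to the fix described above. The sample trace embedded in it is a constructed, abbreviated copy of the one shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the exception above as it appears
# in catalina.out (most frames removed to keep the sample short).
SAMPLE_TRACE = """\
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
\tat sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
\tat sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
\tat org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:447)
\tat org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
\tat org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
\t... 74 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
\t... 80 common frames omitted
"""

# "Class: message" header of the top exception or of a "Caused by:" section.
EXC_LINE = re.compile(r"^(?:Caused by: )?([A-Za-z_$][\w$.]*(?:Exception|Error|Throwable))(?:: (.*))?$")
# "    at pkg.Class.method(File.java:NN)" stack frame; we keep pkg.Class.method.
FRAME_LINE = re.compile(r"^\s+at (\S+)\(")

# Packages of the CAS client library that does the ticket validation call.
APP_PACKAGES = ("org.jasig.cas.client.", "org.apereo.cas.client.")

# Root causes we know how to fix; the hint restates the remedy from the post.
KNOWN_ROOT_CAUSES = {
    "sun.security.provider.certpath.SunCertPathBuilderException":
        "the JVM running the CAS client cannot build a trust path to the CAS server "
        "certificate: import that certificate into the cacerts of the JDK the "
        "application server runs on (keytool -import, as above), or serve a "
        "certificate issued by a CA the JDK already trusts",
}


@dataclass
class Cause:
    exception: str
    message: str
    frames: List[str] = field(default_factory=list)


def parse_exception_chain(text: str) -> List[Cause]:
    """Split a Java exception dump into its outer exception and nested causes."""
    chain: List[Cause] = []
    for line in text.splitlines():
        m = FRAME_LINE.match(line)
        if m:
            if chain:
                chain[-1].frames.append(m.group(1))
            continue
        m = EXC_LINE.match(line.strip())
        if m:
            chain.append(Cause(m.group(1), m.group(2) or ""))
    return chain


def first_app_frame(chain: List[Cause]) -> Optional[str]:
    """First CAS-client frame in the outer exception: the call that was
    talking to the CAS server when the TLS handshake failed."""
    for frame in chain[0].frames if chain else []:
        if frame.startswith(APP_PACKAGES):
            return frame
    return None


def diagnose(text: str) -> dict:
    """Summarise a dump: innermost cause, where it surfaced, and a remedy hint."""
    chain = parse_exception_chain(text)
    if not chain:
        return {"root_cause": None, "message": "", "hint": "no Java exception found",
                "app_frame": None, "depth": 0}
    root = chain[-1]
    return {
        "root_cause": root.exception,
        "message": root.message,
        "hint": KNOWN_ROOT_CAUSES.get(root.exception, "unrecognised root cause; read the message"),
        "app_frame": first_app_frame(chain),
        "depth": len(chain),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run it against a real catalina.out by passing the file contents to diagnose(); a depth of 3 with SunCertPathBuilderException at the bottom and a CommonUtils.getResponseFromServer frame at the top is exactly the "application JDK does not trust the CAS certificate" case.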
Building the Server with a free Alibaba Cloud certificate
First log in to the Alibaba Cloud console, search for SSL, find SSL Certificates (under Application Security) and open it. Click the blue Buy Certificate button. Choose the options as in the picture below to get a free certificate.
Alibaba Cloud's own tutorial explains clearly how to configure the issued certificate for the various servers, so I will not repeat it here; let's go straight to how to use it with CAS.
Option 1: nginx + Tomcat
In my tests, in this mode both nginx and Tomcat have to be configured for HTTPS. But this certificate needs no trust operations on the JDK at all: just configure the certificate in nginx's config file and in Tomcat's server.xml, drop the CAS war into Tomcat, and it works.
Option 2: Tomcat only
Naturally, Tomcat only needs the certificate configured. The operation is extremely simple: just the xml. (Those of us who went the self-signed route are crying in the bathroom.)
Packaging CAS
Download cas-overlay-template from GitHub.
I used 5.3: https://github.com/apereo/cas-overlay-template/tree/5.3
Import the project into IDEA and modify application.properties.
Database access settings
# MySQL driver
cas.authn.jdbc.encode[0].driverClass=com.mysql.cj.jdbc.Driver
# Database connection
cas.authn.jdbc.encode[0].url=jdbc:mysql://172.28.168.225:3306/basic_paper?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&allowMultiQueries=true&useSSL=false&serverTimezone=GMT%2B8
# Database user name
cas.authn.jdbc.encode[0].user=root
# Database password
cas.authn.jdbc.encode[0].password=123456
# Password column
cas.authn.jdbc.encode[0].passwordFieldName=password
# Number of hash iterations, default is 2
cas.authn.jdbc.encode[0].numberOfIterations=2
# Column holding the per-user salt
cas.authn.jdbc.encode[0].saltFieldName=employee_id
# Static salt
cas.authn.jdbc.encode[0].staticSalt=.
# Lookup query; it must return the salt, password, expired and disabled columns named here
cas.authn.jdbc.encode[0].sql=select employee_id, password, is_expired, is_disabled from employee where employee_id =? and is_deleted = 0
# Digest algorithm applied after salting
cas.authn.jdbc.encode[0].algorithmName=MD5
# Expired column: 0 = not expired, 1 = expired
cas.authn.jdbc.encode[0].expiredFieldName=is_expired
# Disabled column: 0 = enabled, 1 = disabled
cas.authn.jdbc.encode[0].disabledFieldName=is_disabled
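The encode[0] settings above decide how CAS digests the submitted password before comparing it with the stored password column, so the rows in the employee table must have been written with the same recipe. As an added example (my own code, not from the post and not CAS's implementation), here is a Python reimplementation of that digest as I understand CAS 5.x's QueryAndEncodeDatabaseAuthenticationHandler to compute it through Shiro's DefaultHashService: the staticSalt is prepended to the per-user salt taken from the saltFieldName column, the digest is taken over salt plus password, re-hashed numberOfIterations - 1 further times, and hex-encoded. The ordering is my reading of those libraries; verify it against your CAS version before relying on it. The employee_id and password values are constructed sample data.

```python
import hashlib
import secrets


def raw_digest(data: bytes, algorithm: str) -> bytes:
    """One round of the JCA MessageDigest named by algorithmName ("MD5", "SHA-256", ...)."""
    return hashlib.new(algorithm.replace("-", "").lower(), data).digest()


def cas_encode_password(password: str, dynamic_salt: str, static_salt: str = ".",
                        algorithm: str = "MD5", iterations: int = 2) -> str:
    """Digest a clear-text password the way the encode[0] settings above describe.

    Defaults match the post's configuration: staticSalt=".", algorithmName=MD5,
    numberOfIterations=2; dynamic_salt is the value of the saltFieldName column
    (employee_id) for that user.  Order of operations, as I read Shiro's
    DefaultHashService/SimpleHash used by CAS 5.x (assumption, verify against
    your version):
        salt = staticSalt || saltField
        h    = H(salt || password)
        h    = H(h)            repeated numberOfIterations - 1 times
        result = lower-case hex(h)
    """
    if iterations < 1:
        raise ValueError("numberOfIterations must be at least 1")
    salt = static_salt.encode("utf-8") + dynamic_salt.encode("utf-8")
    h = raw_digest(salt + password.encode("utf-8"), algorithm)
    for _ in range(iterations - 1):
        h = raw_digest(h, algorithm)
    return h.hex()


def verify(password: str, stored_hex: str, dynamic_salt: str, **settings) -> bool:
    """Constant-time comparison of a submitted password against the stored column."""
    computed = cas_encode_password(password, dynamic_salt, **settings)
    return secrets.compare_digest(computed, stored_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample row for the employee table used by the SQL above.
    row = {"employee_id": "E1001", "password": cas_encode_password("s3cret", "E1001")}
    print(row)
    print("correct password accepted:", verify("s3cret", row["password"], row["employee_id"]))
    print("wrong password accepted:  ", verify("wrong", row["password"], row["employee_id"]))
```

Use cas_encode_password() to insert a test user, or verify() to check why a login is rejected (a mismatch usually means the row was hashed with a different salt order or iteration count). Because MD5 with two iterations is cheap to brute-force if the table leaks, note that algorithmName accepts any JCA MessageDigest name (for example SHA-512) and numberOfIterations can be set far higher; the algorithm and iterations parameters here reproduce such a configuration.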
Some misconceptions
Many people say the certificate has to be configured in this properties file. In fact, if you run under Tomcat there is no need to configure the certificate here; you can comment it out or leave it untouched. If, however, you start CAS from the jar, the following block does still need to be configured:
# Enable SSL
server.ssl.enabled=true
# Keystore location
server.ssl.key-store=file:/etc/cas/thekeystore
server.ssl.key-store-password=changeit
server.ssl.key-password=changeit
# Certificate alias
server.ssl.keyAlias=tomcat
Reference: https://blog.csdn.net/qq_34021712/article/details/80871015