CAS
1 Introduction to CAS
CAS is a single sign-on (SSO) framework. It is an open-source project whose code is hosted on GitHub.
Download: https://github.com/apereo/cas-overlay-template/tree/4.2
2 Setting up the CAS server
We are using the downloaded CAS 4.2 release and handle user requests over HTTPS.
2.1 Setting up HTTPS
2.1.1 Generating the keystore
Use the keytool utility bundled with the JDK to generate the keystore. The password is 123456; every other field is hqlearn.com.
C:\WINDOWS\system32>keytool -genkey -alias hqlearn -keyalg RSA -keystore D:/learn/springsecurity/cas/keystory/hqlearn
输入密钥库口令:123456
再次输入新口令:123456
您的名字与姓氏是什么?
[Unknown]: hqlearn.com
您的组织单位名称是什么?
[Unknown]: hqlearn.com
您的组织名称是什么?
[Unknown]: hqlearn.com
您所在的城市或区域名称是什么?
[Unknown]: hqlearn.com
您所在的省/市/自治区名称是什么?
[Unknown]: wh
该单位的双字母国家/地区代码是什么?
[Unknown]: cn
CN=hqlearn.com, OU=hqlearn.com, O=hqlearn.com, L=hqlearn.com, ST=wh, C=cn是否正确?
[否]: y
输入 <hqlearn> 的密钥口令
(如果和密钥库口令相同, 按回车):123456
再次输入新口令:123456
C:\WINDOWS\system32>keytool -export -trustcacerts -alias hqlearn -file D:/learn/springsecurity/cas/keystory/hqlearn.cer -keystore D:/learn/springsecurity/cas/keystory/hqlearn
输入密钥库口令:123456
存储在文件 <D:/learn/springsecurity/cas/keystory/hqlearn.cer> 中的证书
Import the certificate into the JDK certificate store:
C:\WINDOWS\system32>keytool -import -trustcacerts -alias hqlearn -file D:/learn/springsecurity/cas/keystory/hqlearn.cer -keystore "C:/Program Files/Java/jdk1.8.0_74/jre/lib/security/cacerts"
输入密钥库口令:changeit (NOTE: this is the password of the JDK cacerts store, which defaults to changeit)
所有者: CN=hqlearn.com, OU=hqlearn.com, O=hqlearn.com, L=hqlearn.com, ST=wh, C=cn
发布者: CN=hqlearn.com, OU=hqlearn.com, O=hqlearn.com, L=hqlearn.com, ST=wh, C=cn
序列号: 48737c3d
有效期开始日期: Thu Dec 06 11:44:41 CST 2018, 截止日期: Wed Mar 06 11:44:41 CST 2019
证书指纹:
MD5: CF:9B:8A:34:69:AE:5E:A9:49:96:16:35:74:E2:6C:99
SHA1: A2:CA:F6:81:76:C9:28:C4:53:33:04:1B:69:0C:5F:DA:39:D3:85:46
SHA256: 48:E7:4E:3C:09:93:01:A3:E9:1F:8B:67:A3:86:77:88:DA:E2:FD:0E:D3:F1:F3:33:DF:14:87:A4:4A:25:17:8A
签名算法名称: SHA256withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F1 E0 9A BC FA D2 45 E3 D3 47 71 FB CD CF AA BD ......E..Gq.....
0010: E3 39 A6 1A .9..
]
]
是否信任此证书? [否]: y
证书已添加到密钥库中
2.1.2 Deploying the CAS server project on Tomcat
Download the CAS server project from https://github.com/apereo/cas-overlay-template/tree/4.2
Import the project into IDEA. Keep the network connection up during this step; it is slow.
After the import succeeds, run maven package to generate the target folder.
Copy cas.war from the target folder into Tomcat's webapps directory, unpack it, and delete the cas.war file.
In IDEA locate cas.properties (in the cas-overlay-template-4.2\etc directory) and copy it to Tomcat's webapps\cas\WEB-INF directory.
Edit Tomcat's webapps\cas\WEB-INF\spring-configuration\propertyFileConfigurer.xml and change the location to the absolute path of cas.properties, as follows:
<util:properties id="casProperties" location="file:D:/learn/springsecurity/cas/apache-tomcat-8.0.50/webapps/cas/WEB-INF/cas.properties" />
Add the following to Tomcat's conf/server.xml, inserting the keystore path and password generated in the steps above:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\learn\springsecurity\cas\apache-tomcat-8.0.50\ssl\hqlearn"
           keystorePass="123456"/>
If the port is already in use, change the port numbers, as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="28035" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="28083" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:\learn\springsecurity\cas\apache-tomcat-8.0.50\ssl\hqlearn"
               keystorePass="123456"/>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="28039" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- the quotes around %r must be XML-escaped, otherwise server.xml fails to parse -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
Note: when running two or more Tomcat instances on the same machine, edit Tomcat's bin\startup.bat and add the following lines at the top to pin the JDK and Tomcat installation to use, so that they do not conflict with the system environment variables:
set JAVA_HOME=C:/Program Files/Java/jdk1.8.0_74
set JRE_HOME=C:/Program Files/Java/jdk1.8.0_74/jre
set CATALINA_HOME=D:\learn\springsecurity\cas\apache-tomcat-8.0.50
set CATALINA_BASE=D:\learn\springsecurity\cas\apache-tomcat-8.0.50
Edit the hosts file to add the following mapping:
127.0.0.1 hqlearn.com
At this point the CAS server starts normally. Visit https://localhost and add a browser security exception for the certificate.
Visit https://hqlearn.com/cas/login and add an exception there too; the CAS login page is then reachable.
2.1.3 Configuring the database connection
Open Tomcat's webapps\cas\WEB-INF\deployerConfigContext.xml.
Comment out line 27.
Copy the following code into deployerConfigContext.xml:
<!-- Configure the password encoding algorithm -->
<bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
  <constructor-arg value="MD5"/>
</bean>
<!-- Encoder used by the database-query authentication handler -->
<bean id="queryDatabaseAuthenticationHandler" name="primaryAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="passwordEncoder" ref="MD5PasswordEncoder"/>
</bean>
<!-- Give the bean named dataSource the alias queryDatabaseDataSource -->
<alias name="dataSource" alias="queryDatabaseDataSource"/>
<!-- Configure the data source; note the & in the JDBC URL must be written as &amp; inside an XML attribute -->
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
      p:driverClass="com.mysql.jdbc.Driver"
      p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/springsecuritydb?characterEncoding=utf8&amp;serverTimezone=GMT%2B8"
      p:user="root"
      p:password="root"
      p:initialPoolSize="6"
      p:minPoolSize="6"
      p:maxPoolSize="18"
      p:maxIdleTimeExcessConnections="120"
      p:checkoutTimeout="10000"
      p:acquireIncrement="6"
      p:acquireRetryAttempts="5"
      p:acquireRetryDelay="2000"
      p:idleConnectionTestPeriod="30"
      p:preferredTestQuery="select 1"/>
Edit Tomcat's webapps\cas\WEB-INF\cas.properties at line 240 as follows:
cas.jdbc.authn.query.sql=select password from users where username=?
Since MD5 encoding is used, the password field in the database can be updated by hand to the MD5-hashed value:
select MD5("1234");
Restart Tomcat and go to https://hqlearn.com/cas/login to log in.
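To see what the handler and encoder configured above actually do at login time, here is an added Python simulation (not code from the CAS project or from the original tutorial): it runs the configured cas.jdbc.authn.query.sql against a constructed in-memory SQLite table and compares the stored value with the MD5 hex of the submitted password. The lowercase-hex output of DefaultPasswordEncoder and the sample users are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the tutorial's MySQL "users" table (hypothetical rows).
USERS = [("admin", "1234"), ("alice", "s3cret")]

# The query configured in cas.properties (cas.jdbc.authn.query.sql).
QUERY_SQL = "select password from users where username=?"


def md5_encode(raw_password: str) -> str:
    """Mimic DefaultPasswordEncoder("MD5"): lowercase hex of the MD5 digest.
    Assumption: this is also what MySQL's MD5() returns, so both sides agree.
    The scheme is unsalted and fast; it only works because server and database
    compute exactly the same function over the same bytes (UTF-8 here)."""
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory table filled the way `update users set password=MD5('...')` would."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text primary key, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [(u, md5_encode(p)) for u, p in USERS])
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What QueryDatabaseAuthenticationHandler does on login: run the configured
    SQL with the username bound as a parameter (never concatenated), encode the
    submitted password with the same encoder, and compare with the stored value."""
    row = conn.execute(QUERY_SQL, (username,)).fetchone()
    if row is None:
        return False  # unknown user: CAS raises AccountNotFoundException
    # constant-time comparison of the two hex strings; mismatch: FailedLoginException
    return hmac.compare_digest(row[0], md5_encode(password))


if __name__ == "__main__":
    db = build_db()
    print(md5_encode("1234"))                 # same value as select MD5("1234") in MySQL
    print(authenticate(db, "admin", "1234"))   # True
    print(authenticate(db, "admin", "wrong"))  # False
```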
2.1.4 Implementing single sign-on with CAS
2.1.4.1 Creating the Maven project cas-client-1
Create a Maven webapp project.
Edit the pom file as follows:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>cn.hqlearn</groupId>
  <artifactId>cas-client-1</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  <dependencies>
    <!-- This dependency is required -->
    <dependency>
      <groupId>org.jasig.cas.client</groupId>
      <artifactId>cas-client-core</artifactId>
      <version>3.3.3</version>
    </dependency>
    <!-- Add Servlet support -->
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.0</version>
    </dependency>
    <!-- Add JSTL support -->
    <dependency>
      <groupId>jstl</groupId>
      <artifactId>jstl</artifactId>
      <version>1.2</version>
    </dependency>
  </dependencies>
</project>
Edit web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <!-- This listener implements single sign-out; optional -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <!-- This filter implements single sign-out; optional -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://hqlearn.com/cas/login</param-value>
      <!-- the server here is the address of the CAS server -->
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:18082</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter validates the ticket; it must be enabled -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://hqlearn.com/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:18082</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter wraps the HttpServletRequest so that, for example, developers can obtain the SSO login name via HttpServletRequest.getRemoteUser() -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
       e.g. AssertionHolder.getAssertion().getPrincipal().getName()
  -->
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
Edit index.jsp as follows:
<html>
  <body>
    <h2>Hello World!</h2>
    <%=request.getRemoteUser()%>
  </body>
</html>
Configure the ports
If they are not configured, the ports may clash with other services; the HTTP port must match the serverName configured in the web.xml filters!
HTTP port: 18082
JMX port: 10992
AJP port: 80092
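The following added Python example (not code from the CAS client library or from the original tutorial) walks through what the filters configured in web.xml do on the wire for cas-client-1: the login redirect carrying the service URL, picking the ticket off the return URL, the validation call, and parsing the CAS 2.0 reply into the name that getRemoteUser() later returns. The /serviceValidate endpoint name and the two sample XML replies are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Values taken from the tutorial's web.xml for cas-client-1.
CAS_SERVER_LOGIN_URL = "https://hqlearn.com/cas/login"
CAS_SERVER_URL_PREFIX = "https://hqlearn.com/cas"
SERVER_NAME = "http://localhost:18082"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_redirect(request_uri: str) -> str:
    """AuthenticationFilter: a request with no session and no ticket is redirected
    to casServerLoginUrl, carrying the client URL (serverName + URI) as `service`."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode({"service": SERVER_NAME + request_uri})


def ticket_from_url(url: str):
    """After login CAS sends the browser back to the service URL with ?ticket=ST-...;
    the validation filter picks that parameter up (None when it is absent)."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def validation_url(service: str, ticket: str) -> str:
    """Cas20ProxyReceivingTicketValidationFilter then calls the CAS server directly
    (assumed here: the CAS 2.0 /serviceValidate endpoint under casServerUrlPrefix).
    The service must be the exact URL the ticket was issued for, which is why
    serverName has to match the port the client really listens on."""
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation_response(xml_text: str):
    """Parse the CAS 2.0 XML reply: (True, user) on authenticationSuccess,
    (False, error code) on authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return True, success.findtext("cas:user", namespaces=CAS_NS)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return False, (failure.get("code") if failure is not None else "UNKNOWN")


# Constructed sample replies, in the shape the CAS 2.0 protocol defines.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

A ticket is accepted only if the validation reply contains authenticationSuccess; on any failure code the client treats the request as unauthenticated and starts the redirect again.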
2.1.4.2 Creating the Maven project cas-client-2
Create the Maven webapp project, edit the pom file, edit web.xml and edit index.jsp exactly as for cas-client-1, but note that the project name and port numbers differ.
Configure the ports
HTTP port: 18083
JMX port: 10993
AJP port: 80093
2.1.4.3 Testing
After logging in on 18082, 18083 no longer asks for a login and goes straight to the home page.