I. System environment:
java version 1.7.0_80
tomcat 7
cas server 4.2.7
cas-client-core 3.4.1
II. Configure Tomcat HTTPS (on both the CAS server side and the CAS client side):
1. Generate a keystore containing a key pair (public and private key) and its certificate; after generating it you can list its contents:
keytool -genkey -alias casServer -keyalg RSA -keystore E:/develop/cas/keytool/.keystore -validity 36500
keytool -list -keystore .keystore
2. Copy "E:/软件开发/cas/.keystore" to %TOMCAT_HOME%/conf
3. Edit server.xml to enable the HTTPS connector; note that the keystoreFile (the keystore) and keystorePass attributes must be added:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/conf/.keystore" keystorePass="changeit"/>
4. Configure the application to use SSL (requests made over plain HTTP are forced over to HTTPS). Open the application's web.xml and add the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
With the url-pattern set to /*, the whole application requires HTTPS access; setting transport-guarantee to CONFIDENTIAL makes the application require SSL.
If you want to turn SSL off, just change CONFIDENTIAL to NONE.
5. Export the public-key certificate from the keystore:
keytool -export -alias casServer -file casServer.crt -keystore .keystore
6. Import the certificate file into the JRE trust store "D:/Program Files/Java/jre7/lib/security/cacerts", so that the CAS client applications trust the CAS server's Tomcat at the JRE level (not only in the browser):
keytool -import -keystore "D:/Program Files/Java/jdk1.7.0_80/jre/lib/security/cacerts" -file casServer.crt -alias casServer
III. Add the CAS configuration to the CAS client applications (assume there are two applications, CasClient1 and CasClient2; CasClient1 is shown below, and CasClient2 is configured the same way):
Add the cas-client-core dependency to pom.xml:
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.4.1</version>
</dependency>
Add the CAS client filters and listener to web.xml:
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://localhost:8443/CasClient1</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://localhost:8443/CasClient1</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
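As an added illustration (written for this page, not code from cas-client-core or from the original post), the following Python models what the CAS Authentication Filter and the CAS Validation Filter configured above do with the init-params serverName, casServerLoginUrl and casServerUrlPrefix: rebuild the service URL without any stale ticket parameter, redirect to the CAS login page, then validate the returned ticket against /p3/serviceValidate and accept only a cas:authenticationSuccess reply. The validation call is the back-channel HTTPS request that requires the CAS certificate in the client JVM's cacerts (step 6). No network request is made; the two CAS responses are constructed samples in the shape the CAS 3.0 protocol returns.

```python
"""Added example (illustrative, not cas-client-core code): the protocol steps
behind the CAS client filters configured above.

AuthenticationFilter: rebuild the service URL from serverName plus the request
(dropping any stale `ticket` parameter) and redirect to casServerLoginUrl.
Validation Filter: the browser returns with ?ticket=ST-..., the client fetches
casServerUrlPrefix + /p3/serviceValidate with the same service URL and ticket,
and only a <cas:authenticationSuccess> reply establishes the user.
"""
from urllib.parse import parse_qsl, urlencode
import xml.etree.ElementTree as ET

# Values taken from the web.xml above.
SERVER_NAME = "https://localhost:8443/CasClient1"   # serverName init-param
CAS_URL_PREFIX = "https://localhost:8443/cas"       # casServerUrlPrefix
CAS_LOGIN_URL = CAS_URL_PREFIX + "/login"           # casServerLoginUrl
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}      # namespace of CAS XML replies


def service_url(server_name, request_path, query_string):
    """serverName + request path + query, minus the `ticket` parameter.

    The service string sent to /login must equal the one sent to
    /serviceValidate; leaving the ticket in would make them differ."""
    params = [(k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)
              if k != "ticket"]
    url = server_name.rstrip("/") + request_path
    return url + ("?" + urlencode(params) if params else "")


def login_redirect(service):
    """Location the AuthenticationFilter sends an unauthenticated request to."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": service})


def validate_url(service, ticket):
    """Back-channel URL the Cas30 validation filter fetches over HTTPS."""
    return CAS_URL_PREFIX + "/p3/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation_response(xml_text):
    """Return (ok, user_or_failure_code, attributes) from a serviceValidate reply."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        attributes = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                local_name = child.tag.rsplit("}", 1)[-1]  # strip the namespace
                attributes[local_name] = (child.text or "").strip()
        return True, user, attributes
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    return False, code, {}


# Constructed sample replies (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:email>casuser@example.com</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    # 1. first visit: no session, no ticket -> redirect to the CAS login page
    service = service_url(SERVER_NAME, "/index.jsp", "page=1")
    print("redirect to:", login_redirect(service))
    # 2. browser comes back with ?ticket=...; service URL is rebuilt without it
    service = service_url(SERVER_NAME, "/index.jsp", "page=1&ticket=ST-1-abc")
    print("validate via:", validate_url(service, "ST-1-abc"))
    # 3. parse the server's answer; only success yields a user
    print(parse_validation_response(SUCCESS_RESPONSE))
    print(parse_validation_response(FAILURE_RESPONSE))
```

Note that the service value is a fixed prefix from serverName rather than whatever Host header the browser sent, which is why serverName has to match the URL users actually reach the application on.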
IV. Deploy the CAS server and the CAS clients:
Rename cas-server-webapp-4.2.7.war to "cas.war", put it together with the war files of the two client applications into Tomcat's webapps directory, and start Tomcat.
V. Test the login:
Before CAS 4.x, by default any account whose username and password were equal could log in; from CAS 4.x on, the default login account/password is casuser/Mellon.