Recently I have been configuring CAS, but whenever I use database-table authentication I keep running into errors, so for now let me first get a setup with simple authentication working; here is a record of it!
Environment: local machine: 192.168.0.2, computer name: localhost
CAS Server: 192.168.0.110, computer name: cas.server
Web application (CasClient): 192.168.0.11, computer name: cas.client
First edit the hosts file, c:\windows\system32\drivers\etc\hosts or /etc/hosts, to map each of the host names.
The CAS server and CAS client can be downloaded from the official CAS website; this article uses cas-server-3.5.1-release and cas-client-3.2.1-release.
The certificate files are configured as follows:
1) Create the certificate on the CAS Server: keytool -genkey -alias cas-server -keyalg RSA -keystore server.keystore -storepass changeit
Then fill in the prompts for your own situation; when asked for the name, enter the host name. If an entry with this alias already exists, delete the old one first with: keytool -delete -alias cas-server -keystore server.keystore -storepass changeit
2) Export the certificate on the CAS Server: keytool -export -file server.cer -alias cas-server -keystore server.keystore -storepass changeit
3) Import it into the JRE trust store on the CAS Server: keytool -import -keystore /usr/java/jre/lib/security/cacerts -file server.cer -storepass changeit
Likewise, create a certificate on the machine hosting the web application and import it into that machine's JRE trust store, giving client.cer and client.keystore; put these two files in Tomcat's root directory.
In addition, the web application's certificate also needs to be imported into the CAS server; I recommend importing each into the other, because a PKI error appeared during configuration and I suspect there is mutual authentication involved here; I will explain it clearly once I have figured it out.
keytool -import -keystore /usr/java/jre/lib/security/cacerts -file client.cer -storepass changeit
Then configure Tomcat's server.xml, uncommenting the connector on port 8443, as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           disableUploadTimeout="true" acceptCount="100" maxThreads="200"
           SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/apache-tomcat-6.0.18/server.keystore"
           keystorePass="changeit" />
Once both machines are configured, put the war file from the cas-server modules folder into Tomcat, start Tomcat and visit https://cas.server:8443/cas/login. If the CAS login page appears, enter a user name and password (with the default simple authentication they only have to be identical). Then create a web project of your own that just prints some information in index.jsp, deploy it under the Tomcat on cas.client, start that Tomcat, and check that both Tomcats work.
I did not configure anything on the CAS server and rely on its simple authentication. Put cas-client-core-3.2.1.jar from the cas-client modules folder into Tomcat's lib directory. Then all that remains is to add the following configuration to web.xml of the project on cas.client:
<!-- CAS configuration -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Single sign-on -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <!-- CAS login service address -->
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.server:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>renew</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>gateway</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- Address of the client application -->
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://cas.client:8080</param-value>
  </init-param>
</filter>
<!-- Responsible for ticket validation -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <!-- The following must be the host name -->
    <param-value>https://cas.server:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <!-- Must be identical to the serverName of the Authentication Filter; the service URL rebuilt here is compared by the CAS server with the one the ticket was issued for -->
    <param-value>http://cas.client:8080</param-value>
  </init-param>
  <init-param>
    <param-name>useSession</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- End of CAS configuration -->
Then open http://cas.client:8080/CasClient/index.jsp in a browser on the local machine; the address in the browser changes to https://cas.server:8443/cas/login?service=XXXXXXX, where XXXX is the address that was requested. The CAS login page appears, and after entering an identical user name and password you are forwarded to the requested page, index.jsp.
Of course other authentication methods can be used as well, such as checking against a user table read from a database, an XML file, or an LDAP server; these require changing the corresponding configuration on cas.server.
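As an added example that is not code from the original post or from the CAS project, the following Python model walks through the round trip the two filters perform, using a constructed stand-in for cas.server, a constructed ticket format and the assumed user name alice. It shows why the serverName of the Validation Filter must equal the one of the Authentication Filter: the ticket is bound to the service URL carried in the login redirect, and a validation request that rebuilds that URL with a different host or port gets INVALID_SERVICE.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_LOGIN_URL = "https://cas.server:8443/cas/login"  # casServerLoginUrl from web.xml


def login_redirect(server_name, request_uri):
    """Model of the Authentication Filter: send the browser to the CAS login
    page with the requested page (serverName + URI) as the service URL."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": server_name + request_uri})


class StandInCasServer:
    """Constructed stand-in for cas.server, not the real CAS code: a service
    ticket is bound to the service URL it was issued for and is single-use."""

    def __init__(self):
        self.tickets = {}

    def issue_ticket(self, service, user):
        ticket = "ST-%d-constructed" % (len(self.tickets) + 1)
        self.tickets[ticket] = (service, user)
        return ticket

    def validate(self, service, ticket):
        """Reply in the CAS 2.0 serviceResponse XML that the Validation Filter parses."""
        bound = self.tickets.pop(ticket, None)  # a replayed ticket is already gone
        if bound is None:
            body = "<cas:authenticationFailure code='INVALID_TICKET'/>"
        elif bound[0] != service:  # service URL differs from the one used at login
            body = "<cas:authenticationFailure code='INVALID_SERVICE'/>"
        else:
            body = "<cas:authenticationSuccess><cas:user>%s</cas:user></cas:authenticationSuccess>" % bound[1]
        return "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>%s</cas:serviceResponse>" % body


def parse_validation_response(xml_text):
    """Model of the Validation Filter's view of the reply: ('ok', user) or ('fail', code)."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None:
        return ("ok", user.text)
    return ("fail", root.find("cas:authenticationFailure", CAS_NS).get("code"))


def sso_round_trip(auth_server_name, validation_server_name, uri="/CasClient/index.jsp"):
    """One login: the Authentication Filter builds the service URL from its serverName,
    the Validation Filter rebuilds it from its own serverName for the validate call."""
    cas = StandInCasServer()
    service_sent = parse_qs(urlsplit(login_redirect(auth_server_name, uri)).query)["service"][0]
    ticket = cas.issue_ticket(service_sent, "alice")  # user 'alice' (assumed name) logs in at CAS
    return parse_validation_response(cas.validate(validation_server_name + uri, ticket))
```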