I. Required environment:
JDK: jdk1.5.0_15
TOMCAT: 5.5.26
CAS: 3.2
The versions of these three components matter; even the minor version number affects whether the service works. A wrong JDK version will prevent the SSL service from taking effect.
II. When generating the key, the answer to the first question,
What is your first and last name?
must be the complete computer name (the hostname that will appear in the HTTPS URL).
III. Detailed configuration:
1. Download and install jdk1.5.0_15.
2. Use the keytool utility to create a self-signed certificate and import it into the certificate store. The steps are as follows:
Run cmd and enter the following commands:
a. keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: (enter the complete computer name)
What is the name of your organizational unit?
[Unknown]: (any value)
What is the name of your organization?
[Unknown]: (any value)
What is the name of your City or Locality?
[Unknown]: (any value)
What is the name of your State or Province?
[Unknown]: (any value)
What is the two-letter country code for this unit?
[Unknown]: (any value)
Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US correct?
[no]: y
b. keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>
c. Import the certificate into the JDK security directory. Back up the untouched cacerts file before importing.
keytool -import -file server.crt -keypass changeit -keystore C:/Java/jdk1.5.0_15/jre/lib/security/cacerts
(the -keystore argument is the full path of the cacerts file)
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: y
Certificate was added to keystore
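Section II insists that the CN be the complete computer name, and step c imports the certificate into cacerts under keytool's default alias (mykey, used whenever -alias is omitted). The following is an added check, not part of the original guide: a small Java program that opens the keystore with the JDK's KeyStore API, finds the entry, and reports whether the CN matches the hostname clients will use, whether the certificate is inside its validity window, and whether it is self-signed. The keystore path, password, alias and hostname are passed on the command line; the values in the usage comment are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Verifies a certificate imported with keytool against the host Tomcat will serve as.
 * Usage (placeholder values; alias "mykey" is keytool's default when -alias is omitted):
 *   java KeyStoreCheck C:/Java/jdk1.5.0_15/jre/lib/security/cacerts changeit mykey myhost.example.com
 */
public class KeyStoreCheck {

    /** Extracts the CN attribute from an X.500 name such as "CN=host,OU=x,O=y". */
    static String commonName(X500Principal principal) {
        String[] parts = principal.getName(X500Principal.RFC2253).split(",");
        for (int i = 0; i < parts.length; i++) {
            String part = parts[i].trim();
            if (part.startsWith("CN=")) {
                return part.substring(3);
            }
        }
        return null;
    }

    /** Returns the problems found for one keystore entry; an empty list means it looks right. */
    static List<String> check(KeyStore ks, String alias, String expectedHost) throws Exception {
        List<String> problems = new ArrayList<String>();
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            problems.add("no certificate stored under alias '" + alias + "'");
            return problems;
        }
        if (!(cert instanceof X509Certificate)) {
            problems.add("entry '" + alias + "' is not an X.509 certificate");
            return problems;
        }
        X509Certificate x509 = (X509Certificate) cert;
        String cn = commonName(x509.getSubjectX500Principal());
        if (!expectedHost.equalsIgnoreCase(cn)) {
            problems.add("CN is '" + cn + "' but clients connect to '" + expectedHost
                    + "': hostname verification of the HTTPS connection will fail");
        }
        try {
            x509.checkValidity();
        } catch (CertificateExpiredException e) {
            problems.add("certificate expired on " + x509.getNotAfter());
        } catch (CertificateNotYetValidException e) {
            problems.add("certificate is not valid before " + x509.getNotBefore());
        }
        // keytool -genkey produces a self-signed certificate: issuer and subject are the same name
        if (!x509.getIssuerX500Principal().equals(x509.getSubjectX500Principal())) {
            problems.add("issuer differs from subject: this is not the self-signed certificate from keytool -genkey");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyStoreCheck <keystore> <password> <alias> <expected hostname>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on the JDK 1.5 in this guide
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        List<String> problems = check(ks, args[2], args[3]);
        if (problems.isEmpty()) {
            System.out.println("OK: '" + args[2] + "' is a valid self-signed certificate for " + args[3]);
            return;
        }
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
        System.out.print("aliases present:");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            System.out.print(" " + e.nextElement());
        }
        System.out.println();
        System.exit(1);
    }
}
```

If the CN check fails, repeat step a with the correct name rather than trying to work around it on the client side: the CAS client validates tickets over HTTPS, and a CN that does not match the host is exactly what makes that validation call fail later.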
3. By default, CAS is configured so that a login succeeds whenever the username and password are identical, which is not acceptable in real use. We change it to use the app_user table in the test database on the Oracle server (192.168.1.27) as the user source. First, create the table app_user in the test database, then open C:/tomcat5.5.26/webapps/cas/WEB-INF/deployerConfigContext.xml in Editplus.
4. Disable the original authentication handler (comment out or remove this bean):
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
In its place, add the handler that authenticates by querying the database:
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="sql" value="select password from app_user where username=?" />
<property name="dataSource" ref="dataSource" />
</bean>
5. Add a <bean> for the database connection:
<!-- commons-dbcp BasicDataSource (its jars are in the step 7 list) pools connections and has the close()
     method that destroy-method refers to; Spring's DriverManagerDataSource has no close() method,
     so destroy-method="close" cannot be satisfied with that class -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@192.168.1.27:1521:JDDB</value>
</property>
<property name="username">
<value>J2EE</value>
</property>
<property name="password">
<value>J2EE</value>
</property>
</bean>
6. Because the database is Oracle 9i, copy the ojdbc14.jar driver into C:/tomcat5.5.26/common/lib.
7. Files to copy into C:/tomcat5.5.26/webapps/cas/WEB-INF/lib:
commons-collections-3.2.jar
commons-dbcp-1.2.1.jar
commons-pool-1.3.jar
ojdbc14.jar
cas-server-jdbc-3.0.5.jar
cas-server-support-jdbc-3.2.jar
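Steps 3 to 7 wire CAS to the app_user table through the query in step 4. Before restarting Tomcat it is worth confirming, outside CAS, that the JDBC URL, credentials and table actually work. The program below is an added example, not part of the original guide or of CAS: it runs the exact SQL from the handler configuration through a PreparedStatement (the username is bound as a parameter, never concatenated into the query) and applies the same decision rule the handler does, accepting only when exactly one row comes back and its stored password equals the submitted one character for character. It assumes ojdbc14.jar is on the classpath; the URL, database account and test login are command-line arguments, and the ones in the usage comment are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Dry run of the CAS database authentication configured in deployerConfigContext.xml.
 * Usage (placeholder values):
 *   java -cp ojdbc14.jar;. JdbcAuthCheck jdbc:oracle:thin:@192.168.1.27:1521:JDDB J2EE J2EE alice secret
 */
public class JdbcAuthCheck {

    /** The query from the QueryDatabaseAuthenticationHandler bean, verbatim. */
    static final String SQL = "select password from app_user where username=?";

    /**
     * Returns true only when exactly one app_user row matches and its password column
     * equals the submitted password as-is. The stored value is compared without any hashing,
     * so the table must hold passwords in the same form the user types them for this to succeed.
     */
    static boolean authenticate(Connection c, String username, String password) throws SQLException {
        PreparedStatement ps = c.prepareStatement(SQL);
        try {
            ps.setString(1, username); // bound parameter: user input never becomes part of the SQL text
            ResultSet rs = ps.executeQuery();
            try {
                if (!rs.next()) {
                    return false; // unknown user
                }
                String stored = rs.getString(1);
                if (rs.next()) {
                    return false; // more than one row for the name: refuse rather than pick one
                }
                return stored != null && stored.equals(password);
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: JdbcAuthCheck <jdbc url> <db user> <db password> <login name> <login password>");
            System.exit(2);
        }
        Class.forName("oracle.jdbc.driver.OracleDriver"); // driver class from the dataSource bean
        Connection c = DriverManager.getConnection(args[0], args[1], args[2]);
        try {
            boolean ok = authenticate(c, args[3], args[4]);
            System.out.println(ok ? "login would succeed for " + args[3]
                                  : "login would be rejected for " + args[3]);
            System.exit(ok ? 0 : 1);
        } finally {
            c.close();
        }
    }
}
```

Because the handler compares the column value directly, a table that stores password hashes will reject every login with this configuration as it stands; the check above makes that mismatch visible before users see a generic CAS failure page.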
8. Enable the following configuration in Tomcat's server.xml:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
9. In the web.xml of the web application that is to be protected, add the following configuration:
<!-- Make the site authenticate through CAS -->
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://szx.xmjtinfo.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://szx.xmjtinfo.com:8443/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>szx.xmjtinfo.com:8080</param-value>
</init-param>
</filter>
<!-- CAS end -->
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
10. Add the CAS-related jars to the lib directory of the application being protected. They can be copied from the CAS project's own lib.
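The three init-params in step 9 drive a fixed exchange: the filter redirects a request without a ticket to loginUrl, CAS sends the browser back with a ticket, and the filter then calls validateUrl over HTTPS (the call that the cacerts import in section III makes trustworthy) and parses the XML answer. The program below is an added walkthrough of that exchange, not code from the original guide or from the CAS client library: it builds the two URLs from the web.xml values and parses two constructed sample responses, one success and one failure, so it runs offline. The request path and ticket value are invented for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Steps of the CASFilter exchange, using the init-param values from step 9. */
public class CasFilterFlow {
    static final String LOGIN_URL = "https://szx.xmjtinfo.com:8443/cas/login";
    static final String VALIDATE_URL = "https://szx.xmjtinfo.com:8443/cas/proxyValidate";
    static final String SERVER_NAME = "szx.xmjtinfo.com:8080";
    static final String CAS_NS = "http://www.yale.edu/tp/cas"; // namespace of CAS 2.0 protocol responses

    /** The service URL the filter reconstructs for a request: serverName plus the request path. */
    static String serviceUrl(String requestPath) {
        return "http://" + SERVER_NAME + requestPath;
    }

    /** Step 1: a request carrying no ticket is redirected to CAS login with the service URL attached. */
    static String loginRedirect(String requestPath) throws UnsupportedEncodingException {
        return LOGIN_URL + "?service=" + URLEncoder.encode(serviceUrl(requestPath), "UTF-8");
    }

    /** Step 2: the browser returns with ?ticket=...; the filter validates it server-to-server over HTTPS. */
    static String validationRequest(String requestPath, String ticket) throws UnsupportedEncodingException {
        return VALIDATE_URL + "?service=" + URLEncoder.encode(serviceUrl(requestPath), "UTF-8")
                + "&ticket=" + URLEncoder.encode(ticket, "UTF-8");
    }

    /** Step 3: parse the XML answer; returns the authenticated user, or null when CAS rejected the ticket. */
    static String validatedUser(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            // A CAS response never needs a DOCTYPE; refusing one blocks external-entity tricks in a tampered reply.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException e) {
            // the parser in use does not know this feature; parsing continues without it
        }
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        NodeList success = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (success.getLength() != 1) {
            return null; // authenticationFailure, or something that is not a CAS response at all
        }
        NodeList user = ((Element) success.item(0)).getElementsByTagNameNS(CAS_NS, "user");
        if (user.getLength() != 1) {
            return null;
        }
        return user.item(0).getTextContent().trim();
    }

    // Constructed sample responses in the CAS 2.0 format that proxyValidate returns.
    static final String SUCCESS_RESPONSE =
            "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
          + "<cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>"
          + "</cas:serviceResponse>";
    static final String FAILURE_RESPONSE =
            "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
          + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>"
          + "</cas:serviceResponse>";

    public static void main(String[] args) throws Exception {
        String path = "/app/index.jsp";          // invented request path
        String ticket = "ST-EXAMPLE-TICKET";      // invented ticket value
        System.out.println("1. redirect to: " + loginRedirect(path));
        System.out.println("2. validate at: " + validationRequest(path, ticket));
        System.out.println("3a. success response -> user " + validatedUser(SUCCESS_RESPONSE));
        System.out.println("3b. failure response -> user " + validatedUser(FAILURE_RESPONSE));
    }
}
```

Two things the walkthrough makes concrete: the service parameter sent in step 1 must be the same string resent in step 2, which is why serverName is a separate setting rather than derived from the login URL, and step 2 is a plain HTTPS client call made by the web application's JVM, so it trusts only what is in that JVM's cacerts, which is the reason section III imports the certificate there.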