CAS SSO single sign-on example in detailed steps (repost), Tomcat SSL (https) configuration
1, Edit the hosts file and add domain names for the demo
127.0.0.1    cas.my.com   # the Tomcat that hosts the CAS server; this virtual domain is also used when generating the certificate
127.0.0.1    app1.my.com  # the Tomcat that hosts app1
127.0.0.1    app2.my.com  # the Tomcat that hosts app2
2, Install the JDK and set JAVA_HOME
3, Certificate setup: generate the certificate store (keystore). Certificates are stored in the keystore as individual entries, each distinguished by an alias; an entry holds that certificate's private key, its public key and the certificate details.
keytool -genkey -alias casdemo -keyalg RSA -keysize 1024 -storepass P@ssw0rd -keypass P@ssw0rd -validity 365 -keystore E:\WorkRecords\CAS\casdemo.keystore
-storepass sets the password of the keystore (the private key database); every command that accesses the keystore file must supply this password.
-keypass protects the private key of the key pair.
-keypass and -storepass must be identical, otherwise the Tomcat HTTPS configuration below fails (the corresponding attribute in the Tomcat configuration file is called keystorePass) with: java.io.IOException: Cannot recover key
The two passwords can be changed with the following commands:
keytool -alias casdemo -storepasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass sP@ssw0rd -new P@ssw0rd
keytool -alias casdemo -keypasswd -keystore E:\WorkRecords\CAS\casdemo.keystore -storepass P@ssw0rd -keypass kP@ssw0rd -new P@ssw0rd
The certificate name (CN) prompted for next must be the server's domain name: cas.my.com
4, Certificate setup: export the specified certificate from the keystore. The exported certificate file contains only the subject information and the corresponding public key.
keytool -export -alias casdemo -keystore E:\WorkRecords\CAS\casdemo.keystore -file E:\WorkRecords\CAS\casdemo.crt -storepass P@ssw0rd
5, Client-side import: import the certificate (subject information and public key) on the client
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file E:\WorkRecords\CAS\casdemo.crt
Note: cacerts stands for certificate authority certificates; it is the trust store in which Java keeps CA certificates. Its default password is changeit, and you are prompted for it when importing the certificate. The cacerts password can be changed to cP@ssw0rd with the following command:
keytool -storepasswd -alias casdemo -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit -new cP@ssw0rd
6, Enable HTTPS access in the Tomcat container
Edit conf/server.xml, enable the connector for port 8443, and add the attributes keystoreFile="E:\WorkRecords\CAS\casdemo.keystore" keystorePass="P@ssw0rd" URIEncoding="UTF-8"
Then restart Tomcat and open:
https://localhost:8443/cas-server-webapp-3.5.1/login
keystoreFile is the path of the keystore created above
keystorePass is the password for accessing that keystore
7, Deploy the CAS server on its own Tomcat, following INSTALL.txt in the CAS-Server download directory
Copy cas-server-3.5.1\modules\cas-server-webapp-3.5.1.war into Tomcat's webapps directory, restart Tomcat, and open the CAS server at the following URL:
https://localhost:8443/cas-server-webapp-3.5.1/login
By default the CAS server accepts any login whose password equals the username. (This is for testing only; a production environment must change it to match the real deployment.)
8, Deploy the CAS client on its own Tomcat: see "Configuring the Jasig CAS Client for Java in the web.xml"
Copy cas-client-3.2.1/modules/cas-client-core-3.2.1.jar into WEB-INF/lib of the web application you are deploying (for testing, Tomcat's bundled examples webapp will do), then add the following filters to the client application's WEB-INF/web.xml:
<!-- single sign-out -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!-- single sign-on -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://cas.my.com:8443/cas/login</param-value>
        <!-- the server here is the address (IP) of the CAS server -->
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://cas.my.com:8443/cas/proxyValidate</param-value>
        <!-- the ServerName here is the server's host name, i.e. the certificate CN -->
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>localhost:8080</param-value>
        <!-- client:port is the address and port that CAS must intercept, normally the IP and port this Tomcat runs on -->
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest so that, for example, the developer can obtain
     the SSO user's login name through HttpServletRequest.getRemoteUser(). Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets the developer obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
     e.g. AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Tomcat's bundled webapps\examples is used as the simple demo web project; open http://localhost:8080/examples/servlets/
9, Retrieving the logged-in user's information
import java.io.*;
import java.util.*;
import java.util.Map.Entry;

import javax.servlet.*;
import javax.servlet.http.*;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

/**
 * The simplest possible servlet.
 *
 * @author James Duncan Davidson
 */
public class HelloWorldExample extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request.getLocale());
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        out.println("<html>");
        out.println("<head>");
        String title = rb.getString("helloworld.title");
        out.println("<title>" + title + "</title>");
        out.println("</head>");
        out.println("<body bgcolor=\"white\">");

        out.println("<a href=\"../helloworld.html\">");
        out.println("<img src=\"../images/code.gif\" height=24 "
                + "width=24 align=right border=0 alt=\"view code\"></a>");
        out.println("<a href=\"../index.html\">");
        out.println("<img src=\"../images/return.gif\" height=24 "
                + "width=24 align=right border=0 alt=\"return\"></a>");
        out.println("<h1>" + title + "</h1>");

        // The CAS filter stores the validated Assertion in the HTTP session under this key.
        Assertion assertion = (Assertion) request.getSession().getAttribute(
                AbstractCasFilter.CONST_CAS_ASSERTION);

        if (null != assertion) {
            out.println(" Log | ValidFromDate =:" + assertion.getValidFromDate() + "<br>");
            out.println(" Log | ValidUntilDate =:" + assertion.getValidUntilDate() + "<br>");
            // Attributes the CAS server released together with the principal.
            // Note: values are written to the page unescaped; escape them in anything beyond this demo.
            Map<String, Object> attMap = assertion.getAttributes();
            out.println(" Log | getAttributes Map size = " + attMap.size() + "<br>");
            for (Entry<String, Object> entry : attMap.entrySet()) {
                out.println("     | " + entry.getKey() + "=:" + entry.getValue() + "<br>");
            }
        }
        // Guarded so that an unauthenticated request (no assertion in the session) does not throw a NullPointerException.
        AttributePrincipal principal = (null != assertion) ? assertion.getPrincipal() : null;

        // Alternative when the HttpServletRequestWrapperFilter is configured:
        // AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();

        String username = null;
        out.print(" Log | UserName:");
        if (null != principal) {
            username = principal.getName();
            out.println("<span style='color:red;'>" + username + "</span><br>");
        }

        out.println("</body>");
        out.println("</html>");
    }
}
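The exchange that the CASFilter in step 8 performs with its loginUrl, validateUrl and serverName settings, as an added Python example (not code from this post or from the Jasig client): it builds the service URL from serverName, the login redirect and the validation call, and parses the CAS 2.0 reply into the user and attributes that the step 9 servlet later reads from the Assertion. The two server replies are constructed samples, and the <cas:attributes> block is assumed to be the form in which the server releases attributes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"
# Values taken from the web.xml in step 8.
LOGIN_URL = "https://cas.my.com:8443/cas/login"
VALIDATE_URL = "https://cas.my.com:8443/cas/proxyValidate"
SERVER_NAME = "localhost:8080"


def service_url(request_uri, server_name=SERVER_NAME, scheme="http"):
    """The client rebuilds its own URL from serverName + request URI; this is
    the 'service' the ticket is bound to and must be identical in both calls."""
    return f"{scheme}://{server_name}{request_uri}"

def login_redirect(service):
    """No assertion in the session: send the browser to loginUrl?service=..."""
    return f"{LOGIN_URL}?{urlencode({'service': service})}"

def validate_request(service, ticket):
    """CAS sent the browser back with ?ticket=ST-...; the filter now calls
    validateUrl itself, over the HTTPS trust set up in steps 3 to 6."""
    return f"{VALIDATE_URL}?{urlencode({'service': service, 'ticket': ticket})}"

def parse_validate_response(xml_text):
    """CAS XML reply -> (user, attributes), i.e. the Assertion of step 9; ValueError on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = success.findtext(CAS_NS + "user")
    attrs = {}
    attr_block = success.find(CAS_NS + "attributes")  # assumed attribute release format
    if attr_block is not None:
        for el in attr_block:
            attrs[el.tag.replace(CAS_NS, "")] = (el.text or "").strip()
    return user, attrs


# Constructed sample replies in the CAS 2.0 serviceResponse shape (not captured traffic).
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user>
    <cas:attributes><cas:email>alice@example.test</cas:email></cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
BAD_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-x not recognized</cas:authenticationFailure></cas:serviceResponse>"""
```

A failed validation must end the request without creating a session; only the success branch may populate the Assertion the servlet trusts.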
keytool error: java.security.UnrecoverableKeyException: Cannot recover key
This indicates that the keypass given on the command line is wrong.
References:
CAS official site: http://www.jasig.org/cas
CAS documentation: https://wiki.jasig.org/display/CASUM/Home
keytool - Key and Certificate Management Tool: manages a keystore of private keys and the X.509 certificate chains that certify the corresponding public keys, and also manages the certificates of trusted entities.
Detailed use of the keytool tool
CAS SSO single sign-on example in detailed steps
SSO: a CAS single sign-on demo