cas 简单配置不用证书 -

01jiangwei01

浏览: 541790 次
性别:
来自: 北京

最近访客更多访客>>

chenxuezhou_yzl

robotmen

xx5333

qiangorqiang

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

cas 简单配置不用证书

博客分类：

java
cas

cas单点登录配置速成

服务端配置
cas是个好东西，很灵活很好用，但是配置起来很麻烦，网上资料比较零碎。不弄个三五天根本不知道其中的原理，终于在多天的奋斗中配置成功，现在将配置的一些过程记录下来供大家参考。

cas官方网站

http://www.jasig.org/cas

下载最新的服务端 CAS Server 3.3.3 Final

解压后将modules下面的cas-server-webapp-3.3.3.war部署到web服务器，作为单点登录的服务器。

登录的服务器下面很多配置文件，通过配置可以做一些扩展。

修改点1：验证方式使用我们自己的用户表验证

cas和当前已有的系统做集成的入口

1.修改deployerConfigContext.xml文件

添加数据源配置

XML/HTML代码

< bean id = "casDataSource" class = "org.apache.commons.dbcp.BasicDataSource" >
< property name = "driverClassName" >
< value > com.mysql.jdbc.Driver </ value >
</ property >
< property name = "url" >
< value > jdbc:mysql://192.168.1.100/ires? useUnicode = true & characterEncoding = UTF -8& autoReconnect = true </ value >
</ property >
< property name = "username" >
< value > ires </ value >
</ property >
< property name = "password" >
< value > i709394 </ value >
</ property >
</ bean >

定义MD5的加密方式

XML/HTML代码

< bean id = "passwordEncoder"
class = "org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire = "byName" >
< constructor-arg value = "MD5" />
</ bean >

配置authenticationManager下面的authenticationHandlers属性

XML/HTML代码

< bean class = "org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler" >
< property name = "dataSource" ref = "casDataSource" />
< property name = "sql" value = "select community_password from community_user_info where lower(community_user_info.community_user) = lower(?)" />
< property name = "passwordEncoder" ref = "passwordEncoder" />
</ bean >

修改点2：获取用户信息保存，方便各个客户端可以统一得到用户信息

1.定义attributeRepository，通过jdbc查询用户的详细信息，可以把用户表或用户的所属组织机构或角色等查询出来。

XML/HTML代码

< bean id = "attributeRepository" class = "org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao" >
< constructor-arg index = "0" ref = "casDataSource" />
< constructor-arg index = "1" >
< list >
< value > username </ value >
< value > username </ value >
</ list >
</ constructor-arg >
< constructor-arg index = "2" >
< value >
select * ,(SELECT orgn_organization.id from orgn_organization left join orgn_member on orgn_member.orgn_id = orgn_organization .id left join community_user_info on community_user_info.id = orgn_member .user_id where community_user_info.community_user = ?) as orgnId from community_user_info where community_user =?
</ value >
</ constructor-arg >
< property name = "columnsToAttributes" >
< map >
< entry key = "id" value = "id" />
< entry key = "community_user" value = "userName" />
< entry key = "orgnId" value = "orgnId" />
< entry key = "is_admin" value = "isAdmin" />
</ map >
</ property >
</ bean >

2.配置authenticationManager中credentialsToPrincipalResolvers属性

XML/HTML代码

< bean class = "org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
< property name = "attributeRepository" ref = "attributeRepository" /> </ bean >

注意：默认cas登录服务器没有把用户信息传到客户端中，所以要修改WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp文件，增加

XML/HTML代码

< c:if test = "${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}" >
< cas:attributes >
< c:forEach var = "attr" items = "${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}" >
< cas: ${fn:escapeXml(attr.key)} > ${fn:escapeXml(attr.value)} </ cas: ${fn:escapeXml(attr.key)} >
</ c:forEach >
</ cas:attributes >
</ c:if >

修改点3：用数据库来保存登录的会话

这样服务器在重新启动的时候不会丢失会话。

1.修改ticketRegistry.xml文件

将默认的ticketRegistry改成

XML/HTML代码

< bean id = "ticketRegistry" class = "org.jasig.cas.ticket.registry.JpaTicketRegistry" >
< constructor-arg index = "0" ref = "entityManagerFactory" />
</ bean >
< bean id = "entityManagerFactory" class = "org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" >
< property name = "dataSource" ref = "dataSource" />
< property name = "jpaVendorAdapter" >
< bean class = "org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter" >
< property name = "generateDdl" value = "true" />
< property name = "showSql" value = "true" />
</ bean >
</ property >
< property name = "jpaProperties" >
< props >
< prop key = "hibernate.dialect" > org.hibernate.dialect.MySQLDialect </ prop >
< prop key = "hibernate.hbm2ddl.auto" > update </ prop >
</ props >
</ property >
</ bean >
< bean id = "transactionManager" class = "org.springframework.orm.jpa.JpaTransactionManager"
p:entityManagerFactory-ref = "entityManagerFactory" />
< tx:annotation-driven transaction-manager = "transactionManager" />
< bean
id = "dataSource"
class = "org.apache.commons.dbcp.BasicDataSource"
p:driverClassName = "com.mysql.jdbc.Driver"
p:url = "jdbc:mysql://192.168.1.100:3306/cas?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true"
p:password = "709394"
p:username = "itravel" />

配置完之后还需要一些jar的支持，根据提示那些包缺少到网上找。

修改点4：配置remenber me的功能，可以让客户端永久保存session

1.修改deployerConfigContext.xml文件

authenticationManager增加authenticationMetaDataPopulators属性

XML/HTML代码

< property name = "authenticationMetaDataPopulators" >
< list >
< bean class = "org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
</ list >
</ property >

2.修改cas-servlet.xml

修改authenticationViaFormAction配置变成

XML/HTML代码

< bean id = "authenticationViaFormAction" class = "org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:centralAuthenticationService-ref = "centralAuthenticationService"
p:formObjectClass = "org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials"
p:formObjectName = "credentials"
p:validator-ref = "UsernamePasswordCredentialsValidator"
p:warnCookieGenerator-ref = "warnCookieGenerator" />

增加UsernamePasswordCredentialsValidator

XML/HTML代码

< bean id = "UsernamePasswordCredentialsValidator" class = "org.jasig.cas.validation.UsernamePasswordCredentialsValidator" />

修改ticketExpirationPolicies.xml，grantingTicketExpirationPolicy配置如下，注意时间要加大，不然session很容易过期，达不到remember me的效果。

XML/HTML代码

< bean id = "grantingTicketExpirationPolicy" class = "org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy" >
< property name = "sessionExpirationPolicy" >
< bean class = "org.jasig.cas.ticket.support.TimeoutExpirationPolicy" >
< constructor-arg index = "0" value = "2592000000" />
</ bean >
</ property >
< property name = "rememberMeExpirationPolicy" >
< bean class = "org.jasig.cas.ticket.support.TimeoutExpirationPolicy" >
< constructor-arg index = "0" value = "2592000000" />
</ bean >
</ property >
</ bean >

登录页面要增加隐藏字段rememberMe，值是true，或用一个checkbox来勾选。

修改点5：取消https验证

在网络安全性较好，对系统安全没有那么高的情况下可以取消https验证，使系统更加容易部署。

1.修改ticketGrantingTicketCookieGenerator.xml

XML/HTML代码

< bean id = "ticketGrantingTicketCookieGenerator" class = "org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure = "false"
p:cookieMaxAge = "-1"
p:cookieName = "CASTGC"
p:cookiePath = "/cas" />

p:cookieSecure改成false，客户端web.xml中单独服务器的链接改成http

使用https协议的配置

1.证书生成和导入

下面是一个生成证书和导入证书的bat脚本，如果web应用和单独登录服务器部署在同一台机可以一起执行

C++代码

@echo off
if "%JAVA_HOME%" == "" goto error
@echo on
@echo off
cls
rem please set the env JAVA_HOME before run this bat file
rem delete alia tomcat if it is existed
keytool - delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool - delete -alias tomcatsso -storepass changeit
REM （注释：清除系统中可能存在的名字为tomcatsso 的同名证书）
rem list all alias in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
REM （注释：列出系统证书仓库中存在证书名称列表）
rem generator a key
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=localhost" -storepass changeit
REM （注释：指定使用RSA算法，生成别名为tomcatsso的证书，存贮口令为changeit，证书的DN为 "cn=linly" ，这个DN必须同当前主机完整名称一致哦，切记！！！）
rem export the key
keytool -export -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -storepass changeit
REM （注释：从keystore中导出别名为tomcatsso的证书，生成文件tomcatsso.crt）
rem import into trust cacerts
keytool -import -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
REM （注释：将tomcatsso.crt导入jre的可信任证书仓库。注意，安装JDK是有两个jre目录，一个在jdk底下，一个是独立的jre，这里的目录必须同Tomcat使用的jre目录一致，否则后面Tomcat的HTTPS通讯就找不到证书了）
rem list all alias in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
pause
:error
echo 请先设置JAVA_HOME环境变量
:end

3.将.keystore文件拷贝到tomcat的conf目录下面，注意.keystore会在证书生成的时候生成到系统的用户文件夹中，如windows会生产到C:\Documents and Settings\[yourusername]\下面

2.配置tomcat，把https协议的8443端口打开，指定证书的位置。

XML/HTML代码

< Connector port = "8443" maxHttpHeaderSize = "8192"
maxThreads = "150" minSpareThreads = "25" maxSpareThreads = "75"
enableLookups = "false" disableUploadTimeout = "true"
acceptCount = "100" scheme = "https" secure = "true"
clientAuth = "false" sslProtocol = "TLS"
keystoreFile = "conf/.keystore" keystorePass = "changeit" truststoreFile = "C:\Program Files\Java\jdk1.5.0_07\jre\lib\security\cacerts" />

客户端配置

cas官方网站上面的客户端下载地址比较隐秘，没有完全公开，具体地址为

http://www.ja-sig.org/downloads/cas-clients/

下载最新的cas-client-3.1.6-release.zip

1.解压后把modules下面的包放到我们的web应用中

2.配置web.xml,注意encodingFilter要提前配置，不然会出现数据插入数据库的时候有乱码。

serverName是我们web应用的地址和端口

XML/HTML代码

< context-param >
< param-name > serverName </ param-name >
< param-value > 192.168.1.145:81 </ param-value >
</ context-param >
< filter >
< filter-name > encodingFilter </ filter-name >
< filter-class >
org.springframework.web.filter.CharacterEncodingFilter
</ filter-class >
< init-param >
< param-name > encoding </ param-name >
< param-value > UTF-8 </ param-value >
</ init-param >
< init-param >
< param-name > forceEncoding </ param-name >
< param-value > true </ param-value >
</ init-param >
</ filter >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.htm </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.ftl </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.xhtml </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.html </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.shtml </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.jsp </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.do </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > encodingFilter </ filter-name >
< url-pattern > *.vm </ url-pattern >
</ filter-mapping >
< filter >
< filter-name > CAS Single Sign Out Filter </ filter-name >
< filter-class >
org.jasig.cas.client.session.SingleSignOutFilter
</ filter-class >
</ filter >
< filter-mapping >
< filter-name > CAS Single Sign Out Filter </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< listener >
< listener-class >
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</ listener-class >
</ listener >
< filter >
< filter-name > CAS Authentication Filter </ filter-name >
< filter-class >
org.jasig.cas.client.authentication.AuthenticationFilter
</ filter-class >
< init-param >
< param-name > casServerLoginUrl </ param-name >
< param-value > http://192.168.1.100/cas/login </ param-value >
</ init-param >
</ filter >
< filter >
< filter-name > CAS Validation Filter </ filter-name >
< filter-class >
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
</ filter-class >
< init-param >
< param-name > casServerUrlPrefix </ param-name >
< param-value > http://192.168.1.100/cas </ param-value >
</ init-param >
</ filter >
< filter >
< filter-name > CAS HttpServletRequest Wrapper Filter </ filter-name >
< filter-class >
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</ filter-class >
</ filter >
< filter >
< filter-name > CAS Assertion Thread Local Filter </ filter-name >
< filter-class >
org.jasig.cas.client.util.AssertionThreadLocalFilter
</ filter-class >
</ filter >
< filter-mapping >
< filter-name > CAS Authentication Filter </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > CAS Validation Filter </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > CAS HttpServletRequest Wrapper Filter </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< filter-mapping >
< filter-name > CAS Assertion Thread Local Filter </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >

3.导入证书，如果不用https的话，这步可以跳过，把tomcatsso.crt 证书拷贝到c盘下面，在jdk的bin目录下面运行下面的语句。

JavaScript代码

rem （注释：清除系统中可能存在的名字为tomcatsso 的同名证书）
keytool - delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool - delete -alias tomcatsso -storepass changeit
rem 在客户端的 JVM 里导入信任的 SERVER 的证书 ( 根据情况有可能需要管理员权限 )
keytool - import -alias tomcatsso -file "c:/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit

客户端获取登录用户名和用户信息实例

Java代码

HttpServletRequest request = ServletActionContext.getRequest();
AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
String username = principal.getName();
Long orgnId = Long.parseLong(principal.getAttributes().get( "orgnId" ).toString());

分享到：

cas 系统实例服务端配置（一） | jquery ifream 控制ifream的src 或者locati ...

2012-02-24 16:17
浏览 2210
评论(0)
分类:非技术
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

cas 简单配置不用证书

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

cas 简单配置 不用证书

评论

发表评论

相关推荐

AESUtils

lbs比较两点坐标

java ftp上传文件

redis应用方法

风控系统1

可以保持session的java代码片段

ubuntu 搭建开发环境

主线程等待10秒钟，无应答返回(一)

drools书籍

一个Tomcat支持不同的域名访问各自不同程序的配置方法

netty5 包简读

netty5 入门翻译

spring-jms

git 命令大全

groovy eclipse 插件

docx4j word 工具类及测试类

docx4j 替换文本

docx4j 动态生成表格 （一 ）

java 开发的各种例子

tomcat 根项目部署方式

最近访客更多访客>>

cas 简单配置不用证书

docx4j 动态生成表格（一）