`

CAS 与Tomcat 集成

 
阅读更多

第一节:生成证书

第一步:生成keystore注意【cn=www.xxx.com】这个一般为域名或者地址不同会出现no match dname

  

keytool -genkey -keyalg RSA -alias tomcatmycas -dname "cn=localhost" -storepass 123456 -keystore f:\api\keyserver.keystore

 第二步:导出证书

 

keytool -export -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -storepass 123456 -keystore f:\api\keyserver.keystore

第三步:导入到运行环境中的JDK中【注意:当存在多个jdk时一定要导入到对应的JRE中】

keytool -import -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -keystore D:\Java\JRE\lib\security\cacerts -storepass changeit

 

第二节 Tomcat 的配置

 

第一步:server.xml配置

 

<!--org.apache.coyote.http11.Http11NioProtocol-->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
			   keystoreFile="f:\api\keyserver.keystore" keystorePass="123456" 
			   truststoreFile="D:\Java\jdk1.7.0_71\jre\lib\security\cacerts"
			   clientAuth="false" sslProtocol="TLS" />

 

第二步:将cas-server-3.5.2.1-release【cas-server-webapp-3.5.2.1.war】改名为【cas.war】导入项目中

WEB-INF\deployerConfigContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--

    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.

-->
<!--
	| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
	| all CAS deployers will need to modify.
	|
	| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.  
	| The beans declared in this file are instantiated at context initialization time by the Spring 
	| ContextLoaderListener declared in web.xml.  It finds this file because this
	| file is among those declared in the context parameter "contextConfigLocation".
	|
	| By far the most common change you will need to make in this file is to change the last bean
	| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
	| one implementing your approach for authenticating usernames and passwords.
	+-->

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	<!--
		| This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
		| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, 
		| "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
		| implementation and so do not need to change the class of this bean.  We include the whole
		| AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
		| need to change in context.
		+-->
	<bean id="authenticationManager"
		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		
		<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
		     This switch effectively will turn on clearpass.
		<property name="authenticationMetaDataPopulators">
		   <list>
		      <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
		         <constructor-arg index="0" ref="credentialsCache" />
		      </bean>
		   </list>
		</property>
		 -->
		
		<!--
			| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
			| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which 
			| supports the presented credentials.
			|
			| AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
			| attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
			| that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
			| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
			| using.
			|
			| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. 
			| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. 
			| You will need to change this list if you are identifying services by something more or other than their callback URL.
			+-->
		<property name="credentialsToPrincipalResolvers">
			<list>
				<!--
					| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login 
					| by default and produces SimplePrincipal instances conveying the username from the credentials.
					| 
					| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
					| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
					| Credentials you are using.
					+-->
				<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
					<property name="attributeRepository" ref="attributeRepository" />
				</bean>
				<!--
					| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
					| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
					| SimpleService identified by that callback URL.
					|
					| If you are representing services by something more or other than an HTTPS URL whereat they are able to
					| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
					+-->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>

		<!--
			| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, 
			| AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
			| authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
			| until it finds one that both supports the Credentials presented and succeeds in authenticating.
			+-->
		<property name="authenticationHandlers">
			<list>
				<!--
					| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
					| a server side SSL certificate.
					+-->
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<!--
					| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS 
					| into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
					| where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
					| local authentication strategy.  You might accomplish this by coding a new such handler and declaring
					| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
					+-->
				<!--bean 
					class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /-->
 
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"> 
                    <property name="sql" value="select password from app_user where username=?" /> 
                    <property name="dataSource" ref="dataSource" /> 
                 </bean>
					
				
					
			</list>
		</property>
	</bean>
	
	<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" > 
                    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property> 
                    <property name="url"><value>jdbc:mysql://localhost:3306/castest</value></property> 
                    <property name="username"><value>root</value></property> 
                    <property name="password"><value>123456</value></property> 
                </bean>	


	<!--
	This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
	More robust deployments will want to use another option, such as the Jdbc version.
	
	The name of this should remain "userDetailsService" in order for Spring Security to find it.
	 -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->

    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>
	
	<!-- 
	Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
	may go against a database or LDAP server.  The id should remain "attributeRepository" though.
	 -->
	<bean id="attributeRepository"
		class="org.jasig.services.persondir.support.StubPersonAttributeDao">
		<property name="backingMap">
			<map>
				<entry key="uid" value="uid" />
				<entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 
				<entry key="groupMembership" value="groupMembership" />
			</map>
		</property>
	</bean>
	
	<!-- 
	Sample, in-memory data store for the ServiceRegistry. A real implementation
	would probably want to replace this with the JPA-backed ServiceRegistry DAO
	The name of this bean should remain "serviceRegistryDao".
	 -->
	<bean
		id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="0" />
                        <property name="name" value="HTTP and IMAP" />
                        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                        <property name="serviceId" value="^(https?|imaps?)://.*" />
                        <property name="evaluationOrder" value="10000001" />
                    </bean>
                    <!--
                    Use the following definition instead of the above to further restrict access
                    to services within your domain (including subdomains).
                    Note that example.com must be replaced with the domain you wish to permit.
                    -->
                    <!--
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="1" />
                        <property name="name" value="HTTP and IMAP on example.com" />
                        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
                        <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                        <property name="evaluationOrder" value="0" />
                    </bean>
                    -->
                </list>
            </property>
        </bean>

  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
  
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
            p:freeMemoryWarnThreshold="10" />
        <!--
          NOTE
          The following ticket registries support SessionMonitor:
            * DefaultTicketRegistry
            * JpaTicketRegistry
          Remove this monitor if you use an unsupported registry.
        -->
        <bean class="org.jasig.cas.monitor.SessionMonitor"
            p:ticketRegistry-ref="ticketRegistry"
            p:serviceTicketCountWarnThreshold="5000"
            p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
</beans>

 

 

 

 

第三节Web 配置(项目)

 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
	id="WebApp_ID" version="3.0">
	<display-name>demo1</display-name>

	<context-param>
		<param-name>serverName</param-name>
		<param-value>http://localhost:2020</param-value>
	</context-param>
	<filter>
		<filter-name>CAS Authentication Filter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>
			<param-name>casServerLoginUrl</param-name>
			<param-value>https://localhost:8443/cas/login</param-value>
		</init-param>
	</filter>

	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://localhost:8443/cas</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>http://localhost:2020</param-value>
		</init-param>
	</filter>

	<filter>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>CAS Authentication Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
</web-app>

 

 

错误情况:

1)CAS unable to find valid certification path 【JDK默认密码为:changeit】

keytool -import -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -keystore D:\Java\JRE\lib\security\cacerts -storepass changeit

 

2) 如果证书已经存在可以删除

keytool -delete -alias tomcatmycas -keystore f:\api\keyserver.keystore -storepass 123456

 

 

 

 

 

1
3
分享到:
评论

相关推荐

    使用CAS在Tomcat中实现单点登录参考代码及配置

    #### 三、CAS与Tomcat集成 - **配置CASServer**:首先需要在Tomcat环境中部署CASServer。这通常涉及配置服务器的相关参数,比如数据库连接、安全设置等。 - **配置CASClient**:为了使Web应用能够与CASServer进行...

    cas tomcat整合单点登录demo

    【标题】"CAS Tomcat整合单点登录Demo"是一个示例项目,展示了如何将CAS(Central Authentication Service)与Tomcat应用程序服务器集成,实现单点登录(Single Sign-On, SSO)的功能。CAS是一种开放源码的身份验证...

    myeclipse、tomcat集成CAS

    【标题】:“myeclipse、tomcat集成CAS” 在IT领域,myeclipse是一款流行的Java集成开发环境,而tomcat是广泛使用的Apache软件基金会的开源Servlet容器。CAS(Central Authentication Service)是一种基于Web的单点...

    使用 CAS 在 Tomcat6 中实现单点登录

    总结来说,实现使用CAS在Tomcat6中进行单点登录,需要理解SSO的基本概念,熟悉CAS的工作原理和协议流程,掌握CAS Server的部署和配置,以及CAS Client在Tomcat中的集成。通过这些步骤,可以构建一个安全且方便的单点...

    casServer+tomcat

    在IT行业中,CasServer与Tomcat的集成是一个常见的身份验证解决方案。CasServer是基于Java的中央认证服务(Central Authentication Service),它提供了一种安全、统一的登录方式,用于多个应用系统之间的单点登录...

    使用CAS在Tomcat中实现单点登录

    CAS的主要特点是其分层架构,包括独立部署的CAS Server和与各个应用集成的CAS Client。CAS Server负责统一的用户身份验证,而CAS Client则分布在各个需要保护的应用中,拦截对受保护资源的访问请求。当用户尝试访问...

    cas单点登录(tomcat)

    **Tomcat与CAS集成的关键点** - **配置CasFilter**:这是CAS客户端的核心组件,负责拦截请求,检查CAS票证,以及重定向到CAS服务器进行身份验证。 - **CasServerValidationFilter**:用于验证从CAS服务器返回的票证...

    cas集成AD域

    在企业环境中,尤其是在已部署了Active Directory(AD)域服务的情况下,将CAS与AD集成可以实现用户通过一次认证就能访问所有系统,提升用户体验并加强安全性。 AD域是微软Windows Server操作系统中的一个组件,它...

    springboot+cas5.x+shiro+pac4j实现sso集成

    本项目基于SpringBoot、CAS5.x、Shiro和Pac4j实现了SSO集成,下面将详细阐述这些技术组件以及它们在SSO中的作用。 1. **SpringBoot** SpringBoot是Spring框架的一个子项目,它简化了Spring应用的初始搭建和运行...

    基于Tomcat6的CAS SSO配置

    基于Tomcat6的CAS SSO配置涉及的主要知识点包括SSO(Single Sign-On,单点登录)、CAS(Central Authentication Service,中心认证服务)、SSL(Secure Socket Layer,安全套接层)以及Tomcat服务器的配置。...

    cas单点登陆集成到简单maven项目的全部war包

    在CAS集成到Maven项目中,war包通常包含了CAS服务器端的应用程序,可以直接部署到Tomcat这样的应用服务器上。 描述中提到,压缩包包含两个Maven测试DEMO。Maven是Java项目管理工具,它负责构建、依赖管理和项目信息...

    前后端分离集成cas

    本项目是关于前后端分离集成CAS(Central Authentication Service)的一个实例,主要使用了Spring Boot、Shiro、Oracle数据库以及Vue.js等技术。 首先,Spring Boot是基于Spring框架的轻量级开发工具,它简化了新...

    tomcat + cas

    "Tomcat + CAS" 是一个关于集成中央认证服务(Central Authentication Service,简称CAS)与Apache Tomcat应用服务器的场景。这里提到的"cas 服务端tomcatx64"指的是在64位操作系统上运行的Tomcat服务器作为CAS...

    使用CAS 在Tomcat 中实现单点登录实例教程,有例子和参考

    4. **客户端集成**:对于每个要集成到CAS的Web应用,需要添加适当的CAS客户端库,并配置相应的过滤器,以处理与CAS服务器的交互,如处理登录重定向、服务票据验证等。 5. **测试与调试**:完成配置后,进行详尽的...

    CAS单点登录 for Tomcat

    在本案例中,重点是将CAS与Tomcat应用服务器集成,实现Linux环境下的单点登录。 首先,了解CAS的基本工作原理:用户尝试访问受保护的资源时,会被重定向到CAS服务器进行身份验证。如果验证成功,CAS会返回一个票据...

    CAS server 5.2.3. Tomcat war最新版

    1. **下载与准备**:获取CAS 5.2.3的war文件(cas-server-webapp-5.2.3.war),并确保安装了符合要求的Apache Tomcat服务器。 2. **配置Tomcat**:在Tomcat的`conf/server.xml`中,可能需要配置Context来指定war文件...

    openjdk11+tomcat9+CASServer.zip

    6. **自定义和扩展**: 根据需求,可以进一步定制CAS Server的行为,如编写自定义认证模块、集成新的身份验证源、开发自定义服务验证过滤器等。 总的来说,这个压缩包提供了一个基础的环境来搭建和运行CAS Server ...

    搭建cas服务,cas与sqlserver连接,cas与security连接

    本教程将详细介绍如何搭建CAS服务,并将其与SQL Server数据库和Spring Security进行集成。 首先,搭建CAS服务器是整个流程的基础。CAS服务器负责处理用户的身份验证请求,并在用户成功验证后提供服务票据(Ticket ...

    Liferay集成CAS实现单点登录与应用系统集成

    【Liferay 门户集成CAS实现单点登录与应用系统集成】是将开源门户平台Liferay与中央认证服务(CAS)相结合,以实现用户在多个应用系统间的统一登录体验。Liferay是一个基于Java的企业级门户解决方案,它具备强大的...

    apereo cas6.3.2可执行war,集成mysql的jdbc认证模块

    这个发布的重点是可执行的 WAR 文件,这意味着 CAS 服务器可以被直接部署到任何支持 Java 的应用服务器,如 Tomcat、Jetty 等,而无需额外的构建步骤。它包含了内置的启动脚本 `startup.bat`,使得在不同操作系统上...

Global site tag (gtag.js) - Google Analytics