SSO demo (CAS)

1. generate keystore

   command : keytool -genkey -alias testtomcat -keyalg RSA -keystore "C:\Users\rocky\testsso\testtomcat.keystore"

   password : 123456


2. setting the tomcat server.xml


 3. download and extract cas-server-4.0.0-release.zip

     ~you can find cas-server-webapp-4.0.0.war in the modules package.

     ~copy it to the tomcat webapps package and rename it to cas.war.

     ~execute the startup.bat command as the administrator user.

     ~open https://localhost:8443/cas

     ~login with user( username : casuser; password : Mellon)


-------------------------------------------------------------------------------------------------------------------


          update 2016-04-06

1. The Java JDK does not support creating a certificate for an IP address, so a virtual domain name such as cas.server.com is needed.

2. Generate the certificate

keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36500 -alias cas.server.com -keystore C:/Users/rocky/testsso/tomcat.keystore -dname "CN=cas.server.com,OU=cdv,O=cdv,L=bj,ST=bj,C=CN"

3. Export the certificate

keytool -exportcert -alias cas.server.com -keystore C:/Users/rocky/testsso/tomcat.keystore  -file C:/Users/rocky/testsso/tomcat.cer -rfc

4. Configure CAS in Tomcat and add the certificate to the browser

  (Unlike the absolute-path reference used above, a relative path is used now.) Copy the generated tomcat.keystore into the Tomcat directory.

Import the tomcat.cer exported in step 3 into the browser.


5. Copy tomcat.cer to the machine the CAS client runs on and import it into the JDK (C:\Program Files\Java\jdk1.7.0_15\jre\lib\security\cacerts can be deleted; the import then regenerates that file. C:\Program Files\Java\jre7\lib\security also contains a cacerts file, which can be overwritten at the same time.)

keytool -import -alias cacerts -keystore cacerts -file C:/Users/rocky/testsso/tomcat.cer -trustcacerts

6. Create the CAS client project (a web project) casclient, configure its XML file and add the required jar packages.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>ssoclient</display-name>
  
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas.server.com:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>cas.server.com:8081</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas.server.com:8443/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>cas.server.com:8081</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>    
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <filter-mapping>
        <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Remember to change the relevant ports in Tomcat's server.xml; if you run several Tomcat instances on the same machine for this experiment, change the ports of each one to avoid port conflicts.

 7. Enter http://cas.server.com:8081/ssoclient/index.jsp in the browser. The address bar changes to the CAS server's login page; after entering the correct username and password you are redirected back to the client's index.jsp page.

     http://cas.server.com:8082/ssoclient2/index.jsp no longer requires a login at the CAS server; its index.jsp page is shown directly.


                                            update  2016-10-13 14:41

1. Demo environment

  Windows 7 64-bit, hostname: rocky-PC

  JDK : jdk1.7.0_80

  tomcat : tomcat-7.0.70

  cas-server-4.0.0

  cas-client-3.3.3

  Add the domain name mappings to the Windows hosts file (C:\Windows\System32\drivers\etc)

demo.cdv.com maps to the deployed tomcat-cas; this name is used when generating the certificate

app1.cdv.com maps to the deployed tomcat-app1,

app2.cdv.com maps to the deployed tomcat-app2


2. Security certificate configuration

 2.1 Certificate generation


   The name entered must match the hosts file entry; the hostname can also be used;

  keypass and storepass must be identical, otherwise HTTPS access to Tomcat fails

2.2 Export the certificate


2.3 Import the certificate on the client

The password used for this import is not the same as the one above; if the client runs on several machines, the import has to be repeated on each one


3. CAS server deployment

3.1 Modify the server.xml of tomcat-cas

3.2 Start tomcat-cas, visit https://demo.cdv.com:8443 and add a browser access exception for the certificate

3.3 Copy cas-server-webapp.war from cas-server-4.0.0 -> modules into the webapps directory of tomcat-cas and rename it to cas.war

     Start tomcat-cas and visit https://demo.cdv.com:8443/cas/login

     Log in with username casuser and password Mellon

    If "Log in successful" is shown, the CAS server deployment succeeded


4. CAS client deployment

  4.1 tomcat-app1

    4.1.1 Modify server.xml

..
<Server port="18005" shutdown="SHUTDOWN">
..  

  <Connector port="18080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="18443" />

Visit http://app1.cdv.com:18080/examples/servlets/ to test whether the port is reachable

     4.1.2  Import the jars

     4.1.3  Modify web.xml

<!-- ======================== Single sign-on: begin ======================== -->
        <!-- For single sign-out; this component implements the single logout function, optional -->
        <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>

        <!-- This filter implements the single logout function; optional. -->
        <filter>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter>
            <filter-name>CAS Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>https://demo.cdv.com:8443/cas/login</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://app1.cdv.com:18080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- This filter validates the ticket; it must be enabled -->
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>https://demo.cdv.com:8443/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://app1.cdv.com:18080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!--
            This filter wraps the HttpServletRequest so that, for example, developers
            can obtain the login name of the SSO user via HttpServletRequest.getRemoteUser(); optional.
        -->
        <filter>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!--
            This filter lets developers obtain the user's login name via org.jasig.cas.client.util.AssertionHolder,
            e.g. AssertionHolder.getAssertion().getPrincipal().getName().
        -->
        <filter>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

<!-- ======================== Single sign-on: end ======================== -->

4.2 tomcat-app2 (same as tomcat-app1)

 4.2.1 Modify server.xml

..
<Server port="28005" shutdown="SHUTDOWN">
..
    <Connector port="28080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="28443" />
..

  4.2.2 Import the jars

 4.2.3  Modify web.xml

    <!-- ======================== Single sign-on: begin ======================== -->
        <!-- For single sign-out; this component implements the single logout function, optional -->
        <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>

        <!-- This filter implements the single logout function; optional. -->
        <filter>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter>
            <filter-name>CAS Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>https://demo.cdv.com:8443/cas/login</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://app2.cdv.com:28080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- This filter validates the ticket; it must be enabled -->
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>https://demo.cdv.com:8443/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://app2.cdv.com:28080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!--
            This filter wraps the HttpServletRequest so that, for example, developers
            can obtain the login name of the SSO user via HttpServletRequest.getRemoteUser(); optional.
        -->
        <filter>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!--
            This filter lets developers obtain the user's login name via org.jasig.cas.client.util.AssertionHolder,
            e.g. AssertionHolder.getAssertion().getPrincipal().getName().
        -->
        <filter>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

<!-- ======================== Single sign-on: end ======================== -->
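The three web.xml fragments in this post (the casclient project, tomcat-app1 and tomcat-app2) all hinge on the same few settings: every CAS filter needs a filter-mapping, the validation filter is mandatory, casServerLoginUrl and casServerUrlPrefix must point at the https CAS server, and serverName must be the same in every filter. The following lint is an added example, not part of the post or of the CAS client; it runs over a constructed, trimmed web.xml with three deliberate mistakes:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

VALIDATION_CLASS = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"

def lint_cas_web_xml(xml_text):
    """Return the problems found in the CAS filter section of a web.xml:
    unmapped filters, CAS URLs not on https, inconsistent serverName values,
    and a missing ticket validation filter (the one the post marks as mandatory)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = lambda tag: "{%s}%s" % (ns, tag) if ns else tag  # qualify with the default namespace
    problems, server_names, classes = [], set(), set()
    mapped = {m.findtext(q("filter-name")) for m in root.iter(q("filter-mapping"))}
    for f in root.iter(q("filter")):
        name = f.findtext(q("filter-name"))
        classes.add((f.findtext(q("filter-class")) or "").strip())  # class may span lines
        if name not in mapped:
            problems.append("filter %r has no filter-mapping" % name)
        for p in f.iter(q("init-param")):
            key, val = p.findtext(q("param-name")), p.findtext(q("param-value"))
            if key in ("casServerLoginUrl", "casServerUrlPrefix") and urlparse(val).scheme != "https":
                problems.append("%s must point at the https CAS server: %s" % (key, val))
            if key == "serverName":
                server_names.add(val)
    if VALIDATION_CLASS not in classes:
        problems.append("ticket validation filter is missing; it is mandatory")
    if len(server_names) > 1:
        problems.append("serverName differs between filters: %s" % sorted(server_names))
    return problems

# Constructed sample: a trimmed web.xml with three deliberate mistakes (not the post's file).
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter><filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://demo.cdv.com:8443/cas/login</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>http://app1.cdv.com:18080</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>http://demo.cdv.com:8443/cas</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>http://app2.cdv.com:28080</param-value></init-param></filter>
</web-app>"""
if __name__ == "__main__":
    for problem in lint_cas_web_xml(SAMPLE):
        print(problem)
```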

5. Test

 5.1 Start tomcat-cas, tomcat-app1 and tomcat-app2

 5.2 Visit http://app1.cdv.com:18080/examples/servlets/servlet/HelloWorldExample

      You are redirected to the CAS server login page; after entering the correct username and password you are redirected to the HelloWorld page;

     Visiting http://app2.cdv.com:28080/examples/servlets/servlet/HelloWorldExample then requires no login.

     Visit https://demo.cdv.com:8443/cas/logout to log out
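The redirect-to-login, ticket-return and ticket-validation steps exercised in this test (and in step 7 of the earlier update) are what the AuthenticationFilter and the Cas20ProxyReceivingTicketValidationFilter do on the client's behalf. The script below is an added example modelled on the CAS 2.0 protocol, not code from the post or from the CAS client; it uses the hosts and ports of this post, and the two serviceValidate responses are constructed samples:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs
# Values as configured in the tomcat-app1 web.xml above.
CAS_SERVER_LOGIN_URL = "https://demo.cdv.com:8443/cas/login"   # casServerLoginUrl
CAS_SERVER_URL_PREFIX = "https://demo.cdv.com:8443/cas"        # casServerUrlPrefix
SERVER_NAME = "http://app1.cdv.com:18080"                      # serverName
CAS_NS = "{http://www.yale.edu/tp/cas}"  # XML namespace of CAS 2.0 responses

def login_redirect(request_path):
    """AuthenticationFilter: no CAS session yet, so redirect the browser to the
    CAS login page with service=<serverName + requested path>. After login, CAS
    sends the browser back to exactly that URL with ?ticket=ST-... appended."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode({"service": SERVER_NAME + request_path})

def validate_url(request_url):
    """Validation filter: strip the ticket from the URL the browser returned with and
    ask /serviceValidate (server to server over HTTPS, hence the cacerts import)
    whether the ticket was issued for this very service URL."""
    parsed = urlparse(request_url)
    query = parse_qs(parsed.query)
    ticket = query.pop("ticket")[0]
    service = parsed._replace(query=urlencode(query, doseq=True)).geturl()
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})

def parse_validation(xml_text):
    """Parse the serviceValidate answer: (True, user) on authenticationSuccess,
    (False, code) on authenticationFailure. Only a success may create the session."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        return True, success.findtext(CAS_NS + "user")
    failure = root.find(CAS_NS + "authenticationFailure")
    code = failure.get("code") if failure is not None else "UNKNOWN"
    return False, code

# Constructed sample responses, not captured from a real CAS server.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>casuser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
# Typical answer when serverName in web.xml differs from the host the browser used.
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_SERVICE">ticket not valid for service</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    path = "/examples/servlets/servlet/HelloWorldExample"
    print(login_redirect(path))
    print(validate_url(SERVER_NAME + path + "?ticket=ST-1-abc"))
    print(parse_validation(SUCCESS_XML), parse_validation(FAILURE_XML))
```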