
CAS Study Notes

Published: 2020-12-13 18:00:25  Category: Encyclopedia  Source: compiled from the web

1 Test environment

1.1 CAS Server

FreeBSD + Diablo-JDK 1.5.0 + Tomcat 6.0 + CAS Server 3.2.1

IP address: 192.168.0.180

Domain name: www.test.com

1.2 CAS Client

Windows + JDK 1.5.10 + Tomcat 6.0 + JA-SIG CAS-Client-3.1.3

IP address: 192.168.0.116

1.3 Database used by the CAS server for credential verification

Database: PostgreSQL 8.2

IP address: 192.168.0.180

Database name: BH_PORTAL

Table name: citizen

Table definition:

CREATE TABLE citizen
(
  citizenid character varying(20) NOT NULL,
  "password" character varying NOT NULL,
  question character varying,
  answer character varying,
  name character varying NOT NULL,
  CONSTRAINT citizen_pkey PRIMARY KEY (citizenid)
)

Note: citizenid is the ID used for login and "password" is the column used for password verification.


2 Environment setup

2.1 CAS server side

2.1.1 Generate and register the HTTPS certificate on the CAS server

Run the following shell script in the %JAVA_HOME%/jre/lib/security directory:

#!/bin/csh
clear
# remove any earlier entry under the same alias, then list the store
keytool -delete -alias tomcatsso -keystore cacerts -storepass changeit
keytool -list -keystore cacerts -storepass changeit
# generate a self-signed RSA key pair whose CN is the CAS server's host name
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=www.test.com" -keystore cacerts -storepass changeit
# export the certificate (the file is later imported on every client) and import it into the trust store
keytool -export -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit
keytool -import -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit
keytool -list -keystore cacerts -storepass changeit

Note: when the key is generated, www.test.com in "cn=www.test.com" is the domain name of the CAS server; it must match the host name the clients use in the CAS server URLs, otherwise host name verification of the HTTPS connection fails.

2.1.2 Configure the Tomcat HTTPS service

Copy the cacerts file to the Tomcat conf directory.

Edit server.xml:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/cacerts" keystorePass="changeit"
           truststoreFile="conf/cacerts"/>

Start Tomcat and test https://www.test.com:443

2.2 CAS client

2.2.1 Copy the certificate

Copy the tomcatsso.crt file to %JAVA_HOME%/jre/lib/security

2.2.2 Import the certificate

Import the tomcatsso.crt certificate into the cacerts file:

keytool -import -alias tomcatsso -file tomcatsso.crt -keystore cacerts -storepass changeit


3 Configuration

3.1 Server side

3.1.1 Deploy the CAS server

Copy the downloaded cas-server-webapp-3.2.1.war to the Tomcat webapps directory and rename it cas-server.war

3.1.2 Change the authentication method

Edit the deployerConfigContext.xml file under WEB-INF.

Replace the original

<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />

with

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <!-- the login id is bound as the single ? parameter; the returned value is compared with the submitted password -->
  <property name="sql" value="select password from citizen where citizenid = ?" />
</bean>

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
  <property name="driverClassName">
    <value>org.postgresql.Driver</value>
  </property>
  <property name="url">
    <value>jdbc:postgresql://192.168.0.180:5432/bh_portal</value>
  </property>
  <property name="username">
    <value>pgsql</value>
  </property>
  <property name="password">
    <value>javac</value>
  </property>
</bean>

The purpose is to replace the original SimpleTestUsernamePasswordAuthenticationHandler with authentication against the data in the database.
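To show what the handler configured above does with the citizen table, here is an added Python model (not CAS code and not from the original notes). It runs the page's exact SQL against a constructed in-memory SQLite copy of the table and compares the result with the submitted password; with no passwordEncoder property set, the stored column value is compared as-is, so the table must hold plaintext passwords. The sha256_hex encoder and the sample row are assumptions used only to show the hashed alternative.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory copy of the page's citizen table (SQLite stands in for PostgreSQL).
SCHEMA = """
CREATE TABLE citizen (
  citizenid VARCHAR(20) NOT NULL,
  password  VARCHAR NOT NULL,
  question  VARCHAR,
  answer    VARCHAR,
  name      VARCHAR NOT NULL,
  CONSTRAINT citizen_pkey PRIMARY KEY (citizenid)
)
"""
# The exact query configured in deployerConfigContext.xml above.
SQL = "select password from citizen where citizenid = ?"


def sha256_hex(text: str) -> str:
    """Illustrative password encoder: hash the submitted password before comparing."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_db(hashed: bool) -> sqlite3.Connection:
    """Constructed sample row; 'hashed' decides whether the password column holds a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    stored = sha256_hex("s3cret") if hashed else "s3cret"
    conn.execute("INSERT INTO citizen VALUES (?, ?, ?, ?, ?)",
                 ("110101", stored, None, None, "Zhang San"))
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, citizenid: str, password: str, encoder=None) -> bool:
    """Model of QueryDatabaseAuthenticationHandler: the login id is the only bind
    parameter of the configured SQL, and the value it returns is compared with the
    submitted password (passed through the encoder when one is configured)."""
    row = conn.execute(SQL, (citizenid,)).fetchone()
    if row is None:                      # unknown citizenid: authentication fails
        return False
    candidate = encoder(password) if encoder else password
    # constant-time comparison, so timing does not reveal how many characters matched
    return hmac.compare_digest(row[0], candidate)
```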

3.2 Client applications

3.2.1 Create the applications

Create two applications, partner1 and partner2.

Under partner1 create a subdirectory secure, and in secure write two test pages, debug.jsp and index.jsp.

3.2.2 Partner1 configuration

Edit web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/classes/spring-appContext.xml</param-value>
  </context-param>

  <!-- Single sign-out: records which session each service ticket created and handles the logout request sent by the CAS server -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!-- The three CAS filters are Spring beans defined in spring-appContext.xml, reached through DelegatingFilterProxy -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casAuthenticationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casValidationFilter</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS HttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>casHttpServletRequestWrapperFilter</param-value>
    </init-param>
  </filter>

  <!-- Only /secure/* is protected; the mapping order is authentication, validation, request wrapper -->
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
</web-app>

Edit the spring-appContext.xml file

Create the spring-appContext.xml file in the /WEB-INF/classes directory:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <!-- Redirects requests without a CAS session to the CAS login page -->
  <bean id="casAuthenticationFilter"
        class="org.jasig.cas.client.authentication.AuthenticationFilter">
    <property name="casServerLoginUrl" value="https://www.test.com:443/cas-server/login"/>
    <property name="serverName" value="http://192.168.0.116:8080"/>
  </bean>

  <!-- Validates the service ticket that CAS appends when redirecting back -->
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="ticketValidator">
      <ref bean="Cas20ServiceTicketValidator"/>
    </property>
    <property name="useSession" value="true"/>
    <property name="serverName" value="http://192.168.0.116:8080"/>
    <property name="redirectAfterValidation" value="false"/>
  </bean>

  <bean id="Cas20ServiceTicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg index="0" value="https://www.test.com:443/cas-server" />
  </bean>

  <!-- Makes the authenticated CAS user visible to the application as the request's remote user -->
  <bean id="casHttpServletRequestWrapperFilter"
        class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter"/>
</beans>

Copy the required JARs

Copy the two JAR packages cas-client-core-3.1.3.jar and spring.jar into the /WEB-INF/lib directory.

3.2.3 Partner2 configuration

Identical to partner1.

3.2.4 Changing the gateway parameter (for experiment 3; do not change it in experiments 1 and 2)

Configure the Gateway parameter for index.jsp

Set the Gateway parameter to false (the default value is false).

web.xml file:

Keep as is; no change is needed.

spring-appContext.xml file:

Add a gateway property to the bean for AuthenticationFilter and set it explicitly to false:

<property name="gateway" value="false"/>

Configure the Gateway parameter for debug.jsp

Set the Gateway parameter to true (the default value is false).

web.xml file:

Configure for debug.jsp its own copies of the three filters mentioned in the spring-appContext.xml file above: AuthenticationFilter, Cas20ProxyReceivingTicketValidationFilter and HttpServletRequestWrapperFilter.

spring-appContext.xml file:

Add a gateway property to the bean for AuthenticationFilter and set its value to true:

<property name="gateway" value="true"/>
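What the gateway property changes is the redirect decision made by AuthenticationFilter. The following added Python model (not the CAS client's code, not from the original notes) reproduces that decision for the two pages of experiment 3; the session key names, the "ST-example" ticket and the anonymous-session handling are assumptions of this model.

```python
from urllib.parse import urlencode

ASSERTION_KEY = "_const_cas_assertion_"   # assumed key: set by the validation filter after success
GATEWAYED_KEY = "_const_cas_gateway_"     # assumed key: set here once a gateway redirect was issued


def auth_filter(session: dict, request_uri: str, params: dict,
                cas_login_url: str, server_name: str, gateway: bool = False):
    """Returns ('pass', None) to continue the filter chain or ('redirect', url)."""
    if ASSERTION_KEY in session:           # already validated in this web session
        return "pass", None
    if "ticket" in params:                 # coming back from CAS: the validation filter runs next
        return "pass", None
    if gateway and session.pop(GATEWAYED_KEY, False):
        # CAS sent the browser back without a ticket: no SSO session exists, continue anonymously
        return "pass", None
    # service = the requested URL without any ticket parameter
    query = urlencode({k: v for k, v in params.items() if k != "ticket"})
    service = server_name + request_uri + ("?" + query if query else "")
    target = {"service": service}
    if gateway:
        target["gateway"] = "true"         # ask CAS not to show a login form
        session[GATEWAYED_KEY] = True
    return "redirect", cas_login_url + "?" + urlencode(target)


def experiment_three(cas_has_sso_session: bool):
    """Walk through 4.3: debug.jsp (gateway=true) first, then index.jsp (gateway=false)."""
    session = {}
    login = "https://www.test.com:443/cas-server/login"
    server = "http://192.168.0.116:8080"
    # A. debug.jsp: the first request is redirected to CAS with gateway=true
    first = auth_filter(session, "/partner1/secure/debug.jsp", {}, login, server, gateway=True)
    # CAS answers: with an SSO session it appends a ticket, otherwise it just sends the browser back
    back = {"ticket": "ST-example"} if cas_has_sso_session else {}
    second = auth_filter(session, "/partner1/secure/debug.jsp", back, login, server, gateway=True)
    # B. index.jsp: gateway=false, so without a validated session the browser goes to the login page
    third = auth_filter(session, "/partner1/secure/index.jsp", {}, login, server, gateway=False)
    return first, second, third
```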


4 Experiments

4.1 Experiment 1: single sign-on

A. Visit http://192.168.0.116:8080/partner1/secure/index.jsp

B. The browser is redirected to the CAS server; enter the username and password and click confirm.

C. In another tab visit http://192.168.0.116:8080/partner2/secure/index.jsp

4.2 Experiment 2: single sign-out

A. Visit http://192.168.0.116:8080/partner1/secure/index.jsp

B. The browser is redirected to the CAS server; enter the username and password and click confirm.

C. In another tab visit http://192.168.0.116:8080/partner2/secure/index.jsp

D. In another tab visit https://www.test.com:443/cas-server/logout to log out.

E. In another tab visit http://192.168.0.116:8080/partner2/secure/debug.jsp and confirm that the logout succeeded.
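Step E works because the SingleSignOutFilter mapped to /* in web.xml remembered which local session each service ticket created, and the CAS server's logout notification names that ticket. The added Python model below (not the CAS client's code, not from the original notes) shows both halves; the session ids, the ticket values and the sample logout message are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SingleSignOutModel:
    """Model of SingleSignOutFilter with its ticket-to-session storage."""

    def __init__(self):
        self.by_ticket = {}      # service ticket -> local session id
        self.sessions = {}       # local session id -> attributes; dropped on invalidation

    def on_request(self, session_id: str, params: dict) -> bool:
        """Runs for every request (url-pattern /*). A 'ticket' parameter means the browser
        just came back from CAS, so remember which session that ticket belongs to."""
        self.sessions.setdefault(session_id, {})
        if "ticket" in params:
            self.by_ticket[params["ticket"]] = session_id
        return session_id in self.sessions

    def on_logout_request(self, logout_request_xml: str) -> bool:
        """Back-channel POST from the CAS server (parameter logoutRequest): read the
        SessionIndex, which carries the original service ticket, and invalidate the
        local session it maps to. Returns True only when a session was invalidated."""
        try:
            root = ET.fromstring(logout_request_xml)
        except ET.ParseError:
            return False
        if root.tag != "{%s}LogoutRequest" % SAMLP:
            return False
        idx = root.find("{%s}SessionIndex" % SAMLP)
        if idx is None or not idx.text:
            return False
        session_id = self.by_ticket.pop(idx.text.strip(), None)
        if session_id is None:           # unknown or already-used ticket: nothing to invalidate
            return False
        self.sessions.pop(session_id, None)
        return True


# Constructed sample of the logout message the CAS server posts to each service.
SAMPLE_LOGOUT = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-example" Version="2.0" IssueInstant="2020-12-13T10:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-example</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```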

4.3 Experiment 3: testing the Gateway parameter

A. Visit http://192.168.0.116:8080/partner1/secure/debug.jsp

B. In another tab visit http://192.168.0.116:8080/partner1/secure/index.jsp

The browser is redirected to the CAS server; enter the username and password and click confirm.

(Editor: 李大同)
