SSO: a CAS single sign-on example (very detailed)
I. Example environment
- JDK: jdk1.8.0_202
- Tomcat: apache-tomcat-8.5.45
- Windows 10
II. Edit the hosts file
C:\Windows\System32\drivers\etc\hosts
Add the following three lines to the file (if the change cannot be saved, the cause is missing administrator rights: copy the hosts file to the desktop, edit it there, and paste it back):
127.0.0.1 demo.sso.com
127.0.0.1 app1.sso.com
127.0.0.1 app2.sso.com
III. Certificate configuration
1. Generate the certificate. Create a folder named sso in the root of drive D, then open cmd and run the following command:
keytool -genkey -alias ssodemo -keyalg RSA -keysize 1024 -validity 365 -keystore d:\sso\cas.keystore
Parameter description:
- genkey: generate a key pair
- alias: specify the alias
- keyalg: specify the key algorithm
- keysize: specify the key length (the default is 1024 bits)
- validity: specify the certificate validity period
- keystore: specify where the keystore is stored
2. Export the certificate
keytool -export -alias ssodemo -keystore d:\sso\cas.keystore -file d:\sso\cas.crt
3. Import the certificate
First delete the file C:\Program Files\Java\jdk1.8.0_202\jre\lib\security\cacerts. Then run cmd as administrator and execute:
keytool -import -keystore "c:\Program Files\Java\jdk1.8.0_202\jre\lib\security\cacerts" -file d:\sso\cas.crt -alias ssodemo
IV. Configure Tomcat
1. Open conf\server.xml in the Tomcat directory and locate the Connector element.
Change it to:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:/sso/cas.keystore" keystorePass="123456"
/>
2. Unzip apache-tomcat-8.5.47-windows-x64.zip and rename the folder to tomcat-app1; unzip it again and rename that copy to tomcat-app2.
Because the CAS server, CAS client 1 and CAS client 2 all have to run on the same machine, three Tomcat instances must be started at the same time; the Tomcat configuration below makes that possible.
In the tomcat-app1 folder, delete the files marked in the red box below.
Then create a new startup.bat containing the following commands:
set "CATALINA_BASE=%cd%"
set "EXECUTABLE=%CATALINA_HOME%\bin\catalina.bat"
call "%EXECUTABLE%" start
Do the same in tomcat-app2.
3. Then open tomcat-app1\conf\server.xml and change the port numbers so that the three Tomcat instances do not conflict with each other.
Change them to:
Open tomcat-app2\conf\server.xml and change the port numbers to:
4. Start the original Tomcat (called tomcat-server below) together with the renamed tomcat-app1 and tomcat-app2 and check whether all three run at the same time.
Original Tomcat: visit https://demo.sso.com:8443/
If the following page appears, the configuration succeeded.
tomcat-app1: visit http://app1.sso.com:18080/
tomcat-app2: visit http://app2.sso.com:28080/
V. Deploy the CAS server, CAS client 1 and CAS client 2
1. Deploy the CAS server
Download and unzip https://github.com/apereo/cas-overlay-template/tree/5.3, then run mvn clean package in the project root to build it. This downloads dependencies for a long time and may fail; it took me quite a while. If you really cannot get it to build, see the link below, which contains the WAR packages for the CAS server, CAS client 1 and CAS client 2: https://download.csdn.net/download/weixin_44864748/11964249
Rename the built WAR to cas.war and put it in the webapps directory of tomcat-server.
Then start Tomcat with startup.bat and visit https://demo.sso.com:8443/cas/login
Log in with username/password casuser/Mellon
2. Deploy CAS client 1
GitHub address: https://github.com/cas-projects/cas-sample-java-webapp ; unzip it and open the project.
Directory structure
Open web.xml and replace its entire contents with the following:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- ======================== Single sign-on: start ======================== -->
<!-- For single sign-out: this listener supports the single logout function. Optional. -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single logout. Optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<!-- Change to your own CAS server -->
<param-value>https://demo.sso.com:8443/cas</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter implements single sign-on -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<!-- Change to the login URL of your own CAS server -->
<param-value>https://demo.sso.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<!-- Change to the address of this client application -->
<param-value>http://app1.sso.com:18080/</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter is responsible for validating the ticket -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<!-- Change to the root URL of the CAS server (the address that opens CAS-Server when typed into a browser) -->
<param-value>https://demo.sso.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<!-- Change to the address of this client application -->
<param-value>http://app1.sso.com:18080/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>authn_method</param-name>
<param-value>mfa-duo</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter wraps the HttpServletRequest so that, for example, developers can
obtain the SSO user's login name through HttpServletRequest.getRemoteUser().
Optional. -->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
e.g. AssertionHolder.getAssertion().getPrincipal().getName()
or request.getUserPrincipal().getName()
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>
Then open cmd in the project root, run mvn clean package to build the project, rename the WAR to casClientApp1.war, and deploy it to the webapps directory of tomcat-app1.
3. Deploy to tomcat-app2
Change web.xml in the project to the following:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- ======================== Single sign-on: start ======================== -->
<!-- For single sign-out: this listener supports the single logout function. Optional. -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single logout. Optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<!-- Change to your own CAS server -->
<param-value>https://demo.sso.com:8443/cas</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter implements single sign-on -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<!-- Change to the login URL of your own CAS server -->
<param-value>https://demo.sso.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<!-- Change to the address of this client application -->
<param-value>http://app2.sso.com:28080/</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter is responsible for validating the ticket -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<!-- Change to the root URL of the CAS server (the address that opens CAS-Server when typed into a browser) -->
<param-value>https://demo.sso.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<!-- Change to the address of this client application -->
<param-value>http://app2.sso.com:28080/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>authn_method</param-name>
<param-value>mfa-duo</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter wraps the HttpServletRequest so that, for example, developers can
obtain the SSO user's login name through HttpServletRequest.getRemoteUser().
Optional. -->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
e.g. AssertionHolder.getAssertion().getPrincipal().getName()
or request.getUserPrincipal().getName()
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>
Then run the build command again, rename the WAR to casClientApp2.war, and deploy it to the webapps folder of tomcat-app2.
VI. Run the example
Start tomcat-server, tomcat-app1 and tomcat-app2, then enter http://app1.sso.com:18080/casClientApp1 in the browser; the following problem appears:
To fix it, go to the Tomcat directory that runs the CAS server and open webapps\cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json.
Change its third line to https|imaps|http. After the change the file reads:
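The web.xml for both clients wires up three cooperating filters. As an added illustration (not code from the Java CAS client or the sample webapp), the following Python script models what they do using the parameter values of client 1: where AuthenticationFilter redirects an unauthenticated request, which back-channel URL Cas30ProxyReceivingTicketValidationFilter fetches (the CAS 3.0 /p3/serviceValidate endpoint under casServerUrlPrefix), how the XML response becomes the assertion kept in the session (useSession=true), and what redirectAfterValidation=true does with the ticket. The two sample XML responses are constructed, and joining serverName and the request URI without a double slash is this example's own simplification.

```python
"""Toy walk-through of the CAS client filters configured in web.xml above.
Added example: it models the request flow only and is not the CAS client's code."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used in CAS protocol responses

# Values copied from the web.xml of client 1
CAS_SERVER_URL_PREFIX = "https://demo.sso.com:8443/cas"  # casServerUrlPrefix
CAS_SERVER_LOGIN_URL = CAS_SERVER_URL_PREFIX + "/login"   # casServerLoginUrl
SERVER_NAME = "http://app1.sso.com:18080/"                # serverName


def service_url(server_name, request_uri):
    """The 'service' the client reports to CAS: serverName + request URI.
    Joining without a double slash is this example's simplification."""
    return server_name.rstrip("/") + request_uri


def login_redirect(service):
    """AuthenticationFilter: no assertion in the session and no ticket in the
    request, so the browser is redirected to the CAS login page for this service."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode({"service": service})


def validate_url(service, ticket):
    """Cas30ProxyReceivingTicketValidationFilter: back-channel URL the client
    fetches to validate the service ticket (CAS 3.0 /p3/serviceValidate).
    The service value must be the same one used for the login redirect."""
    return (CAS_SERVER_URL_PREFIX + "/p3/serviceValidate?"
            + urlencode({"service": service, "ticket": ticket}))


def parse_service_response(xml_text):
    """Turn the XML from /p3/serviceValidate into the assertion the filter
    stores in the session. Returns ok=True with user and attributes, or
    ok=False with the failure code and message."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        failure = root.find(CAS_NS + "authenticationFailure")
        code = failure.get("code") if failure is not None else "UNKNOWN"
        message = (failure.text or "").strip() if failure is not None else ""
        return {"ok": False, "code": code, "message": message}
    attributes = {}
    attrs = success.find(CAS_NS + "attributes")
    if attrs is not None:
        for child in attrs:
            attributes[child.tag.replace(CAS_NS, "")] = (child.text or "").strip()
    return {"ok": True, "user": success.findtext(CAS_NS + "user"), "attributes": attributes}


def strip_ticket(url):
    """redirectAfterValidation=true: after a successful validation the client
    redirects to the same URL without the one-time ticket parameter."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample responses in the shape the CAS 3.0 protocol defines
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    svc = service_url(SERVER_NAME, "/casClientApp1/")
    print("1. browser is sent to:      ", login_redirect(svc))
    print("2. client validates at:     ", validate_url(svc, "ST-1-abc"))
    print("3. assertion on success:    ", parse_service_response(SUCCESS_XML))
    print("   result on failure:       ", parse_service_response(FAILURE_XML))
    print("4. browser is sent back to: ", strip_ticket(svc + "?ticket=ST-1-abc"))
```

The same service value appears in the login redirect and in the validation call: the CAS server binds the service ticket to that URL, which is why serverName has to match the host and port the browser actually uses (app1.sso.com:18080 for client 1, app2.sso.com:28080 for client 2) and why the two web.xml files differ only in that value.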
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps|http)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
"evaluationOrder" : 10000
}
Then open webapps\cas\WEB-INF\classes\application.properties and add the following settings:
cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
Then restart Tomcat.
Enter http://app1.sso.com:18080/casClientApp1 in the browser; it now redirects to the CAS authentication center for login. Enter username\password casuser\Mellon.
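The two server-side edits in this section are what make the plain-http demo clients work, and both have a security cost worth seeing concretely. The following Python script is an added check (not code from the CAS project): it loads the edited service definition above and reports which application URLs the original, the edited and a tighter serviceId regex authorize, and it flags the application.properties line cas.tgc.secure=false, which removes the Secure flag from the ticket-granting cookie. The tighter regex and the list of constructed URLs are this example's own; the match semantics (regex find on the full service URL) are this example's reading of RegexRegisteredService.

```python
"""Added check for the service-registry and application.properties edits above.
Constructed example, not part of the CAS project."""
import json
import re

# Service definition exactly as edited above (third line now reads https|imaps|http)
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}"""

ORIGINAL_SERVICE_ID = "^(https|imaps)://.*"  # the pattern before the edit
# Tighter alternative (this example's suggestion, not from the page): only the two demo
# client hosts are authorized instead of every http:// service on the internet.
TIGHT_SERVICE_ID = r"^https?://(app1|app2)\.sso\.com(:\d+)?/.*"

# application.properties lines added above
PROPERTIES = """cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
"""

# Settings whose given value weakens the deployment, with the reason to report
RISKY_PROPERTIES = {
    "cas.tgc.secure": ("false", "ticket-granting cookie may be sent over plain HTTP"),
}


def service_id_pattern(service_json_text):
    """Read serviceId from a registered-service JSON file and compile it."""
    return re.compile(json.loads(service_json_text)["serviceId"])


def is_authorized(pattern, application_url):
    """A RegexRegisteredService authorizes a service when the regex finds a match
    in the service URL; the patterns here are anchored with ^, so this is a
    prefix test. (Assumed semantics for this example.)"""
    return pattern.search(application_url) is not None


def compare_service_ids(application_urls):
    """For each URL, whether the original, edited and tight patterns authorize it."""
    patterns = {
        "original": re.compile(ORIGINAL_SERVICE_ID),
        "edited": service_id_pattern(SERVICE_JSON),
        "tight": re.compile(TIGHT_SERVICE_ID),
    }
    return {url: {name: is_authorized(p, url) for name, p in patterns.items()}
            for url in application_urls}


def lint_properties(text):
    """Return (key, reason) for every risky key=value line in application.properties."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank lines and comments
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in RISKY_PROPERTIES and value == RISKY_PROPERTIES[key][0]:
            findings.append((key, RISKY_PROPERTIES[key][1]))
    return findings


if __name__ == "__main__":
    urls = [
        "http://app1.sso.com:18080/casClientApp1/",  # refused before the edit
        "http://app2.sso.com:28080/casClientApp2/",
        "http://other.example.net/app/",             # constructed: any other plain-http service
    ]
    for url, result in compare_service_ids(urls).items():
        print(url, result)
    for key, reason in lint_properties(PROPERTIES):
        print("WARNING:", key, "->", reason)
```

The output shows why the original pattern produced the error page (an http:// service is not matched at all) and that the edited pattern now authorizes every http:// service, not only the two demo clients; the tighter pattern keeps the demo working while limiting the registry to the hosts from the hosts file. Both cas.tgc.secure=false and the http:// clients are conveniences for a localhost demo, since a production CAS deployment keeps the ticket-granting cookie on HTTPS only.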