A worked example of CAS single sign-on
1. How to set up and use an SSO environment with CAS. Expected result: on single sign-on, the user's identity is checked first; if it has not been verified, the browser is redirected to the third-party login page; once verification passes, the redirect to the originally requested link is allowed.
CAS official site: http://www.jasig.org/cas
2. Setting up the environment:
Edit the hosts file to add the domain names: add the following two lines to C:\Windows\System32\drivers\etc\hosts
127.0.0.1 server.zhang.com
127.0.0.1 client.zhang.com
server.zhang.com -----> the Tomcat hosting the CAS server; this virtual domain name is also used when generating the certificate
client.zhang.com ---------> the Tomcat hosting the deployed client application
Next: install the JDK and make sure the JDK environment is correct
After setting the environment variables, check that the JDK is configured correctly.
Next: configure and generate the certificate
Open cmd and enter the following command:
keytool -genkey -alias ssocas -keyalg RSA -keystore e:/sso/ssocas
Next, export the certificate:
keytool -export -file e:/sso/ssocas.crt -alias ssocas -keystore e:/sso/ssocas
Next: deploy the Tomcat for cas-server;
(1) Configure HTTPS
In conf/server.xml, find:
<Connector port="8080" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="e:/sso/ssocas" keystorePass="ssodemo"
clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/> -----------> keystoreFile may also be set to e:/sso/ssocas.keystore
After saving, start Tomcat and open https://server.zhang.com:8080/. The browser warns that the site's certificate has a problem; click to continue anyway and you reach the Tomcat home page.
Next, deploy the CAS server:
CAS-Server download: http://www.jasig.org/cas/download
This article uses cas-server-3.4.11-release.zip as the example: unzip it, extract cas-server-3.4.11/modules/cas-server-webapp-3.4.11.war, copy that file into the \webapps\ directory and rename it cas.war.
Start Tomcat, enter https://server.zhang.com:8080/cas/login in the browser address bar and press Enter.
The CAS server's default authentication rule: a login is accepted whenever the username and the password are identical (for testing only; a production environment must change this to match real requirements). Enter admin/admin and click Login to see the login-success page:
The logout link is: https://server.zhang.com:8080/cas/logout
Seeing the page above means the CAS server has been deployed successfully
---------------------------------------------------------------------
Deploying the client:
1. The certificate generated on the server side must be imported. Open cmd as administrator and change into the JDK installation directory; mine is ----> C:\Program Files\Java\jdk1.7.0_67\jre\lib\security
Run the following command:
keytool -import -keystore cacerts -file e:/sso/ssocas.crt -alias ssocas
Once it has run, the certificate has been added to the JDK's trusted certificates.
---------------------------------------------------------------------
[How to delete the certificate from the JDK]
{
keytool -delete -alias ssocas -keystore cacerts -storepass ssodemo
}
-----------------------------------------------------------------
2. Deploy the client
CAS-Client download: http://downloads.jasig.org/cas-clients/
Using cas-client-3.2.1-release.zip as the example: unzip it and extract cas-client-3.2.1/modules/cas-client-core-3.2.1.jar
Tomcat's bundled webapps\examples is used as the simple demo web project
------- Next: configure Tomcat (if it is on the same machine, start a second Tomcat instance)
(
When running a second Tomcat on the same machine, change
<Server port="8005" shutdown="SHUTDOWN">
to
<Server port="8006" shutdown="SHUTDOWN">
)
<Connector port="18080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
Start the client Tomcat and open http://client.zhang.com:18080/examples/servlets/ in the browser:
No errors means the configuration started successfully.
Next: copy the client library cas-client-core-3.2.1.jar into \webapps\examples\WEB-INF\lib\ and add the following to \webapps\examples\WEB-INF\web.xml:
<!-- ======================== Single sign-on begin ======================== -->
<!-- For single sign-out: this listener implements the single-logout feature; optional -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements the single-logout feature; optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://server.zhang.com:8080/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://client.zhang.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the Ticket; it must be enabled -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://server.zhang.com:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://client.zhang.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter wraps the HttpServletRequest so that, for example, developers can obtain the
SSO user's login name through HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on end ======================== -->
----------------- After starting, enter http://client.zhang.com:18080/examples/ . If the user's identity has not been verified, the browser is redirected straight to the server's login page; if it has, you go straight to the requested page
Getting the username the user logged in with, inside a servlet:
-------
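As an added example (not code from the original post), the servlet below shows the three ways the filters configured in the web.xml above expose the login name: getRemoteUser() through HttpServletRequestWrapperFilter, AssertionHolder through AssertionThreadLocalFilter, and the session attribute that Cas20ProxyReceivingTicketValidationFilter stores. The class name WhoAmIServlet, the package demo and the /whoami mapping are assumptions; the CAS client classes are those in cas-client-core 3.x.

```java
// Added example, not from the original post. Assumes cas-client-core 3.x and the
// Servlet API are on the classpath; package and class names are hypothetical.
package demo;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Via HttpServletRequestWrapperFilter: the request is wrapped so that
        //    getRemoteUser() returns the CAS principal name.
        String remoteUser = req.getRemoteUser();

        // 2. Via AssertionThreadLocalFilter: the assertion for this request is
        //    bound to the current thread for the duration of the filter chain.
        Assertion assertion = AssertionHolder.getAssertion();

        // 3. Fallback: the validation filter stores the assertion in the session
        //    under AbstractCasFilter.CONST_CAS_ASSERTION ("_const_cas_assertion_").
        if (assertion == null && req.getSession(false) != null) {
            assertion = (Assertion) req.getSession(false)
                    .getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        }

        if (assertion == null) {
            // All filters are mapped to /*, so this only happens when the chain
            // is misconfigured (e.g. the validation filter is missing).
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no CAS assertion");
            return;
        }

        String principal = assertion.getPrincipal().getName();
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("getRemoteUser(): " + remoteUser);
        out.println("AssertionHolder principal: " + principal);
        // Attributes released by the CAS server; empty with the default 3.4.11 setup.
        out.println("attributes: " + assertion.getPrincipal().getAttributes());
    }
}
```

Map the servlet in the same web.xml (a servlet entry for demo.WhoAmIServlet with url-pattern /whoami); because the CAS filters are mapped to /*, an unauthenticated request to /whoami is redirected to casServerLoginUrl first, and the servlet only runs after the ticket has been validated.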
When building this web service the required jar is cas-client-core-3.3.3.jar, but that jar in turn needs two more: commons-lang-2.4.jar and slf4j-api-1.7.25.jar
---------------------------------------------------------------------
Problems encountered:
1.
严重: Servlet.service() for servlet [default] in context with path [/SSO] threw exception
java.lang.NullPointerException
at java.lang.StringBuffer.indexOf(Unknown Source)
at java.lang.StringBuffer.indexOf(Unknown Source)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:169)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Solution: in web.xml, in the CAS Filter and the CAS Validation Filter, change the serverName in <init-param> <param-name>serverName</param-name> to service
2.
十月 16, 2017 2:55:02 下午 org.apache.catalina.core.StandardWrapperValve invoke
严重: Servlet.service() for servlet [LoginServlet] in context with path [/SSO] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:409)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:180)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:395)
... 27 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 40 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 46 more
十月 16, 2017 3:02:23 下午 org.apache.catalina.core.StandardWrapperValve invoke
严重: Servlet.service() for servlet [LoginServlet] in context with path [/SSO] threw exception [Filter execution threw an exception] with root cause
java.lang.Error: Unresolved compilation problem:
The method logout() is undefined for the type HttpServletRequest
at org.jasig.cas.client.session.SingleSignOutHandler$Servlet30LogoutStrategy.logout(SingleSignOutHandler.java:380)
at org.jasig.cas.client.session.SingleSignOutHandler.destroySession(SingleSignOutHandler.java:316)
at org.jasig.cas.client.session.SingleSignOutHandler.process(SingleSignOutHandler.java:212)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Cause: the certificate was not imported correctly, especially when importing it on the same machine. You need to confirm that the JDK Eclipse references is the JDK into which you imported the certificate; if Tomcat is started directly, confirm that the JDK Tomcat is configured with is the one holding the imported certificate. Below is the JDK path referenced in Eclipse:
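The check the paragraph above asks for can be done from inside the JVM itself. The program below is an added example, not from the original post: run it with the same JDK that Eclipse or Tomcat uses and it reports which java.home is in use, whether the alias ssocas is present in that JDK's cacerts, and whether a default-trust HTTPS handshake to the CAS login URL succeeds, which is exactly what the ticket validator does when it reproduces problem 2. The class name CasTrustCheck is an assumption; "changeit" is the JDK's default cacerts password and must be changed here if yours differs.

```java
// Added example, not from the original post. Uses only the JDK; the alias and the
// CAS URL default to the values configured earlier in this article.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

public class CasTrustCheck {

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "ssocas";
        String casUrl = args.length > 1 ? args[1] : "https://server.zhang.com:8080/cas/login";

        // 1. Which JDK is running? If Eclipse/Tomcat use a different JDK than the one
        //    keytool -import was run against, the imported certificate is invisible here.
        String javaHome = System.getProperty("java.home");
        System.out.println("java.home = " + javaHome);

        // 2. Look the alias up in this JVM's default trust store (for a JDK 7 install
        //    java.home already points at the jre directory, matching the path above).
        String cacertsPath = javaHome + "/lib/security/cacerts";
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacertsPath)) {
            trust.load(in, "changeit".toCharArray());  // default cacerts password (assumption)
        }
        Certificate imported = trust.getCertificate(alias);
        if (imported == null) {
            System.out.println("alias '" + alias + "' NOT found in " + cacertsPath);
        } else {
            X509Certificate x = (X509Certificate) imported;
            System.out.println("alias found, subject = " + x.getSubjectX500Principal()
                    + ", expires " + x.getNotAfter());
        }

        // 3. Do what the ticket validator does: open an HTTPS connection with the
        //    default trust manager. A PKIX failure here reproduces problem 2 above.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(casUrl).openConnection();
        try {
            conn.connect();
            Certificate[] chain = conn.getServerCertificates();
            System.out.println("handshake OK, server presented "
                    + ((X509Certificate) chain[0]).getSubjectX500Principal());
            // The certificate's CN must also match the host name in the URL
            // (server.zhang.com); a trusted cert with the wrong CN still fails.
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If step 2 reports the alias but step 3 still fails, the certificate presented by server.zhang.com:8080 is not the one that was exported, or its CN does not match the host name; if step 2 reports the alias missing, the import went into a different JDK than the one printed as java.home.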
Reference articles: http://www.micmiu.com/enterprise-app/sso/sso-cas-sample/
http://www.kafeitu.me/sso/2010/11/05/sso-cas-full-course.html
-------------------- Done -------------------------