Single Sign-On (CAS) Example
1. Overview
Single sign-on (SSO) means that, within a group of related application systems, a user who logs in to one system is authorized in all the others without having to log in again. It has two parts: single sign-on and single sign-out.
CAS (Central Authentication Service) is a solid single sign-on framework for web applications. It consists of two parts: the CAS Server and the CAS Client. The CAS Server is deployed independently and is responsible for authenticating users; the CAS Client handles requests for protected resources in the client application and, when a login is required, redirects the browser to the CAS Server.
The workflow diagram is shown below:
2. Domain name configuration
The environment needs three domain names. The simplest way to get them is to edit the Windows hosts file at C:\Windows\System32\drivers\etc\hosts.
Append the following lines to the file:
127.0.0.1 cas.server.com
127.0.0.1 cas.client1.com
127.0.0.1 cas.client2.com
cas.server.com --> the single sign-on server, which performs login authentication
cas.client1.com --> application 1
cas.client2.com --> application 2
3. Generate and import the certificate
I opened a command prompt in the D:\tools\tomcat\cas directory.
Generate the certificate; passwd is the certificate password:
keytool -genkey -alias ssodemo -keyalg RSA -keysize 1024 -keypass passwd -validity 365 -keystore ssodemo.keystore -storepass passwd
Export the certificate:
keytool -export -alias ssodemo -keystore ssodemo.keystore -file ssodemo.crt -storepass passwd
Import the certificate on the client side so that the JDK trusts it:
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file ssodemo.crt -alias ssodemo -storepass changeit
4. CAS Server deployment
Download Tomcat: https://tomcat.apache.org/download-90.cgi
Extract Tomcat; my extraction directory is D:\tools\tomcat\cas, and I renamed the folder apache-tomcat-9.0.7-sever. CAS uses HTTPS by default, so it needs a certificate: place the ssodemo.keystore file generated in step 3 at D:\tools\tomcat\cas\ssodemo.keystore.
Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\conf\server.xml and add the following configuration; keystorePass is the certificate password, passwd:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="D:\tools\tomcat\cas\ssodemo.keystore" keystorePass="passwd"
clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8">
</Connector>
Start Tomcat by running D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\bin\startup.bat.
Open https://cas.server.com:8443/ in the browser.
Download the CAS Server: https://github.com/apereo/cas/releases/tag/v3.5.2
Download cas-server-3.5.2-release.zip, extract it, take cas-server-webapp-3.5.2.war from the modules directory, rename it cas.war, and copy it to
D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\webapps; then restart Tomcat.
Visit https://cas.server.com:8443/cas/login to open the CAS Server login page; any username and password that are identical to each other will log in.
5. Configure CAS Client1
Extract another copy of the Tomcat archive in D:\tools\tomcat\cas and name it apache-tomcat-9.0.7-client1.
Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\conf\server.xml.
Go to lines 1, 69 and 116 and find:
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Change them to:
<Server port="18005" shutdown="SHUTDOWN">
<Connector port="18080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
Start the Tomcat client by running D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\bin\startup.bat.
Visit http://cas.client1.com:18080/examples/servlets; if the examples page shown below appears, the configuration is working.
Download the CAS Client file cas-client-3.3.2-release.zip: https://developer.jasig.org/cas-clients/
Extract it and copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar from the modules directory to D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\webapps\examples\WEB-INF\lib.
Then edit web.xml in webapps\examples\WEB-INF\ and add the following content to the file:
<!-- ======================== single sign-on begin ======================== -->
<!-- For single sign-out: this listener supports the single sign-out function; optional -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements the single sign-out function; optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas.server.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://cas.client1.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas.server.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://cas.client1.com:18080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter wraps the HttpServletRequest,
for example so that developers can obtain the SSO user's login name via HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter lets developers obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== single sign-on end ======================== -->
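Because the text above insists that the validation filter "must be enabled" and that both CAS filters point at the same server and service, a short consistency check over web.xml is worth having. The following Python script is an added example, not part of the original post or of the CAS client project: it parses the filter definitions and mappings and reports the mistakes that most often break this setup (validation filter missing or unmapped, CAS server URLs not using https, serverName differing between the two filters). SAMPLE_WEB_XML is a constructed, shortened copy of the configuration above; the helper names and the problem messages are this example's own.

```python
"""Added example, not part of the original post or of the CAS client project:
a consistency check for the CAS client filters configured in web.xml above.
SAMPLE_WEB_XML is a constructed, shortened copy of that configuration."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://cas.server.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://cas.client1.com:18080</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://cas.server.com:8443/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://cas.client1.com:18080</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_FILTER = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"


def _local(tag):
    """Strip the XML namespace so web.xml files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()  # tolerates the line-wrapped filter-class
    return ""


def parse_filters(web_xml):
    """Return {filter-name: {"class": ..., "params": {...}, "mapped": bool}}."""
    filters = {}
    root = ET.fromstring(web_xml)
    for elem in root:
        if _local(elem.tag) == "filter":
            params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                      for p in elem if _local(p.tag) == "init-param"}
            filters[_child_text(elem, "filter-name")] = {
                "class": _child_text(elem, "filter-class"), "params": params, "mapped": False}
    for elem in root:
        if _local(elem.tag) == "filter-mapping":
            name = _child_text(elem, "filter-name")
            if name in filters and _child_text(elem, "url-pattern"):
                filters[name]["mapped"] = True
    return filters


def check_cas_config(web_xml):
    """Return a list of problems; an empty list means the configuration passes."""
    by_class = {f["class"]: f for f in parse_filters(web_xml).values()}
    auth = by_class.get(AUTH_FILTER)
    val = by_class.get(VALIDATION_FILTER)
    problems = []
    if auth is None or not auth["mapped"]:
        problems.append("authentication filter missing or not mapped")
    if val is None or not val["mapped"]:
        problems.append("ticket validation filter missing or not mapped")
    # Both the login redirect and the ticket validation call must reach the CAS server over https
    for f, key in ((auth, "casServerLoginUrl"), (val, "casServerUrlPrefix")):
        url = f["params"].get(key, "") if f else ""
        if not url.startswith("https://"):
            problems.append(f"{key} must be an https URL on the CAS server")
    # The service URL a ticket is bound to must match what the validator reports to the server
    if auth and val and auth["params"].get("serverName") != val["params"].get("serverName"):
        problems.append("serverName differs between authentication and validation filters")
    return problems


if __name__ == "__main__":
    print(check_cas_config(SAMPLE_WEB_XML) or "web.xml CAS configuration looks consistent")
```

Run it against the real file with `check_cas_config(open("web.xml").read())`. The namespace is stripped deliberately: Tomcat's bundled examples web.xml declares the Java EE namespace, while hand-written ones often do not, and a check that silently finds no filters in one of the two forms would be worse than none.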
Restart Tomcat and visit http://cas.client1.com:18080/examples/servlets again; the page is now redirected to the CAS Server login screen.
6. Configure CAS Client2
Following the steps above, extract Tomcat once more and name the directory apache-tomcat-9.0.7-client2.
Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-client2\conf\server.xml.
Go to lines 1, 69 and 116 and find:
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Change them to:
<Server port="28005" shutdown="SHUTDOWN">
<Connector port="28080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="28443" />
<Connector port="28009" protocol="AJP/1.3" redirectPort="28443" />
Extract cas-client-3.3.2-release.zip and copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar from the modules directory to D:\tools\tomcat\cas\apache-tomcat-9.0.7-client2\webapps\examples\WEB-INF\lib.
Then edit web.xml in webapps\examples\WEB-INF\ and add the following content to the file:
<!-- ======================== single sign-on begin ======================== -->
<!-- For single sign-out: this listener supports the single sign-out function; optional -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements the single sign-out function; optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas.server.com:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://cas.client2.com:28080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas.server.com:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://cas.client2.com:28080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter wraps the HttpServletRequest,
for example so that developers can obtain the SSO user's login name via HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
This filter lets developers obtain the user's login name through org.jasig.cas.client.util.AssertionHolder,
for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== single sign-on end ======================== -->
Start Tomcat and visit http://cas.client2.com:28080/examples/; the login screen appears.
7. Test
Visit http://cas.client1.com:18080/examples/servlets. On the login screen that appears, enter an identical username and password and log in. After a successful login the URL in the browser changes to:
http://cas.client1.com:18080/examples/servlets/;jsessionid=DC73E68683664F9DBAE207C3C677ECAC/
Next visit http://cas.client2.com:28080/examples/; you are logged in automatically and the URL changes to:
http://cas.client2.com:28080/examples/servlets;jsessionid=01E8EE38D169FD06C042060EEE0E3967/
This works because, once client1 has logged in, the server returns a token that is stored in a browser cookie; when client2 logs in, the browser automatically carries that token to the server for authentication, which succeeds immediately, so no second login is needed.
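The sentence above compresses several steps of the CAS protocol into "a token in a cookie". The following Python script is an added example, not part of the original post or of the CAS project, that models those steps so the two-client test can be replayed offline: the CAS server keeps one SSO session per browser and identifies it with the CASTGC cookie (which the browser only ever sends to cas.server.com); each application instead receives a short-lived, single-use service ticket bound to its own service URL and validates it server-to-server at /serviceValidate, exactly the call the Validation Filter makes. The ticket formats, the lifetime constant, the username==password rule and the CasServer/client_access names are constructions that mirror the demo above, not real CAS code; the validation response XML follows the CAS 2.0 format the client filter parses.

```python
"""Added example, not part of the original post or of the CAS project: a toy
model of the CAS 2.0 ticket flow behind the two-client test above. Ticket
formats, ST_LIFETIME_SECONDS and the username==password rule are constructed."""
import secrets
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 validation responses
ST_LIFETIME_SECONDS = 10                 # constructed; service tickets live seconds, not minutes


def _success(user):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
            f'<cas:user>{escape(user)}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')


def _failure(code, message):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure code="{code}">'
            f'{escape(message)}</cas:authenticationFailure></cas:serviceResponse>')


class CasServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # CASTGC cookie value -> username (the SSO session)
        self.tickets = {}    # service ticket -> (username, service, issued_at)

    def login(self, username, password):
        """Primary authentication; the demo server accepts any username equal to its password."""
        if not username or username != password:
            return None
        tgc = "TGT-" + secrets.token_urlsafe(16)
        self.sessions[tgc] = username
        return tgc

    def issue_service_ticket(self, tgc, service):
        """Browser reaches /cas/login?service=...; with a valid SSO cookie no form is shown."""
        user = self.sessions.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, self.clock())
        return st

    def service_validate(self, ticket, service):
        """/serviceValidate: consume the ticket and answer in the CAS 2.0 XML format."""
        entry = self.tickets.pop(ticket, None)          # pop: a ticket validates at most once
        if entry is None:
            return _failure("INVALID_TICKET", "ticket not recognized or already used")
        user, bound_service, issued = entry
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued for a different service")
        if self.clock() - issued > ST_LIFETIME_SECONDS:
            return _failure("INVALID_TICKET", "ticket expired")
        return _success(user)


def parse_validation_response(xml_text):
    """Client side, as the validation filter does: the user on success, else None."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", {"cas": CAS_NS})
    return user.text if user is not None else None


def client_access(server, browser_cookies, service, credentials=None):
    """One CAS-protected application handling a browser request.
    Returns the authenticated username, or None when the login form would be shown."""
    st = server.issue_service_ticket(browser_cookies.get("CASTGC"), service)
    if st is None:
        if credentials is None:
            return None                               # redirected to the login form
        tgc = server.login(*credentials)
        if tgc is None:
            return None                               # wrong password: still on the form
        browser_cookies["CASTGC"] = tgc               # cookie scoped to cas.server.com
        st = server.issue_service_ticket(tgc, service)
    # Browser is sent back to service?ticket=ST-...; the app validates it server-to-server
    return parse_validation_response(server.service_validate(st, service))


def demo():
    server, cookies = CasServer(), {}
    client1 = "http://cas.client1.com:18080/examples/servlets"
    client2 = "http://cas.client2.com:28080/examples/"
    first = client_access(server, cookies, client1)                     # login form
    logged = client_access(server, cookies, client1, ("alice", "alice"))
    auto = client_access(server, cookies, client2)                      # no password asked
    return first, logged, auto


if __name__ == "__main__":
    print(demo())  # (None, 'alice', 'alice')
```

Three properties of the model are what make the setup safe to rely on: the application never sees the SSO cookie, only a ticket; a ticket validates once and only for the serverName it was issued to, which is why the two filters must agree on that value; and the username the application trusts comes from the server's validation response, not from anything the browser sent.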
All resources used in this post can be downloaded from: https://download.csdn.net/download/u010889616/10383306