Server-side configuration
CAS is good software, flexible and convenient, but configuring it is tedious and the material online is fragmented; it is easy to spend three to five days on it before the mechanics make sense. After several days of effort I got a working configuration, and this post records the steps for reference.
CAS official website
Download the latest server release, CAS Server 3.3.3 Final.
Unpack it and deploy modules/cas-server-webapp-3.3.3.war to your web server; this web application is the single sign-on server.
The login server ships with a number of configuration files, and most extensions are made by editing them.
Change 1: authenticate against our own user table
This is the point where CAS is integrated with the existing system.
1. Edit deployerConfigContext.xml
Add a data source:
XML code:
<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
        <value>com.mysql.jdbc.Driver</value>
    </property>
    <property name="url">
        <!-- inside XML every '&' in the JDBC URL must be written as '&amp;' -->
        <value>jdbc:mysql://192.168.1.100/ires?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</value>
    </property>
    <property name="username">
        <value>ires</value>
    </property>
    <property name="password">
        <value>i709394</value>
    </property>
</bean>
Define the MD5 password encoder:
XML code:
<bean id="passwordEncoder"
      class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
    <constructor-arg value="MD5"/>
</bean>
Configure the authenticationHandlers property of authenticationManager:
XML code:
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="casDataSource" />
    <!-- the query must return a single column: the stored (MD5-encoded) password of the user -->
    <property name="sql" value="select community_password from community_user_info where lower(community_user_info.community_user) = lower(?)" />
    <property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
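To see what the handler above actually checks, here is an added example (my own code, not CAS's) that models QueryDatabaseAuthenticationHandler with DefaultPasswordEncoder("MD5"): the stored hash is looked up by lower-cased user name, the submitted password is digested the same way, and the two are compared. The in-memory table stands in for the community_user_info query, and the assumption is that community_password holds the lower-case hex MD5 of the password, which is the form the encoder produces; if the column holds anything else (plain text, upper-case hex, Base64), every login fails. Because unsalted MD5 is very fast to compute, a leaked copy of that column is cheap to brute-force, so this encoder is only as strong as the database's access controls.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example: a model of the QueryDatabaseAuthenticationHandler + DefaultPasswordEncoder("MD5")
// check, not the CAS implementation itself.
public class Md5CredentialCheck {

    // Lower-case hex MD5 of the UTF-8 bytes (assumption: this is exactly what community_password stores).
    public static String md5Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available in this JVM", e);
        }
    }

    // Compare without stopping at the first differing byte, so timing does not leak the prefix.
    public static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Constructed stand-in for
    // "select community_password from community_user_info where lower(community_user) = lower(?)".
    // Keys are stored lower-cased to mirror the lower() on both sides of the query.
    static final Map<String, String> USER_TABLE = new HashMap<>();
    static {
        USER_TABLE.put("alice", md5Hex("correct horse"));
    }

    public static boolean authenticate(String username, String password) {
        String stored = USER_TABLE.get(username.toLowerCase());
        if (stored == null) {
            return false; // no row returned: the handler rejects the credentials
        }
        return constantTimeEquals(stored, md5Hex(password));
    }

    public static void main(String[] args) {
        // Same user with a capital letter: lower(?) in the query makes the lookup case-insensitive.
        System.out.println("Alice / correct horse -> " + authenticate("Alice", "correct horse"));
        System.out.println("alice / wrong         -> " + authenticate("alice", "wrong"));
        System.out.println("bob   / anything      -> " + authenticate("bob", "anything"));
    }
}
```

md5Hex is also what a user-management screen has to call when it writes community_password, otherwise the server's digest of the typed password never matches the stored value.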
Change 2: fetch and store user information so every client can obtain it in a uniform way
1. Define attributeRepository, which looks up the user's details via JDBC; it can pull in the user row together with the user's organisation, roles and so on.
XML code:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
    <constructor-arg index="0" ref="casDataSource" />
    <!-- one entry for each '?' in the query below; both placeholders are bound to the user name -->
    <constructor-arg index="1" >
        <list>
            <value>username</value>
            <value>username</value>
        </list>
    </constructor-arg>
    <constructor-arg index="2">
        <value>
            select * ,(SELECT orgn_organization.id from orgn_organization left join orgn_member on orgn_member.orgn_id = orgn_organization.id left join community_user_info on community_user_info.id = orgn_member.user_id where community_user_info.community_user = ?) as orgnId from community_user_info where community_user=?
        </value>
    </constructor-arg>
    <!-- result column name -> attribute name as released to the clients -->
    <property name="columnsToAttributes">
        <map>
            <entry key="id" value="id" />
            <entry key="community_user" value="userName" />
            <entry key="orgnId" value="orgnId" />
            <entry key="is_admin" value="isAdmin" />
        </map>
    </property>
</bean>
2. Configure the credentialsToPrincipalResolvers property of authenticationManager:
XML code:
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
    <property name="attributeRepository" ref="attributeRepository" />
</bean>
Note: by default the CAS login server does not pass the user attributes on to clients, so edit WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp and add the following:
JSP code:
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
    <cas:attributes>
        <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
            <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
    </cas:attributes>
</c:if>
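The JSP fragment above turns each released attribute into a `<cas:attrName>` element inside `<cas:attributes>`. The following added example (my own code, not the CAS client library) parses such a CAS 2.0 serviceValidate response so you can see what a client receives: the success and failure documents are constructed samples in the shape the JSP produces, with attribute values taken from the columnsToAttributes mapping above. Because the XML arrives over the network from another host, the parser is configured to reject DTDs and external entities before it touches the document.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example: parser for the CAS 2.0 serviceValidate response, not part of cas-client.
public class CasValidationResponseParser {

    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Constructed sample of a successful response carrying the attributes mapped above.
    static final String SUCCESS_RESPONSE =
          "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        + "<cas:authenticationSuccess>"
        + "<cas:user>alice</cas:user>"
        + "<cas:attributes>"
        + "<cas:id>42</cas:id>"
        + "<cas:userName>alice</cas:userName>"
        + "<cas:orgnId>7</cas:orgnId>"
        + "<cas:isAdmin>0</cas:isAdmin>"
        + "</cas:attributes>"
        + "</cas:authenticationSuccess>"
        + "</cas:serviceResponse>";

    // Constructed sample of a failure, e.g. a service ticket that was already used or expired.
    static final String FAILURE_RESPONSE =
          "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>"
        + "</cas:serviceResponse>";

    public static final class Result {
        public final String user;                    // null when validation failed
        public final String failureCode;             // null on success
        public final Map<String, String> attributes; // empty when the server released none

        Result(String user, String failureCode, Map<String, String> attributes) {
            this.user = user;
            this.failureCode = failureCode;
            this.attributes = attributes;
        }
    }

    // The response is untrusted network input: refuse DTDs and external entities (XXE hardening).
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Result parse(String xml) throws Exception {
        Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList failure = doc.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
        if (failure.getLength() > 0) {
            String code = ((Element) failure.item(0)).getAttribute("code");
            return new Result(null, code.isEmpty() ? "UNKNOWN" : code, new LinkedHashMap<>());
        }

        NodeList success = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (success.getLength() == 0) {
            throw new IllegalArgumentException("neither authenticationSuccess nor authenticationFailure present");
        }
        Element s = (Element) success.item(0);
        NodeList userNodes = s.getElementsByTagNameNS(CAS_NS, "user");
        if (userNodes.getLength() == 0) {
            throw new IllegalArgumentException("authenticationSuccess without cas:user");
        }
        String user = userNodes.item(0).getTextContent().trim();

        // Every child element of <cas:attributes> is one attribute; its local name is the key.
        Map<String, String> attrs = new LinkedHashMap<>();
        NodeList blocks = s.getElementsByTagNameNS(CAS_NS, "attributes");
        if (blocks.getLength() > 0) {
            NodeList children = blocks.item(0).getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node n = children.item(i);
                if (n.getNodeType() == Node.ELEMENT_NODE) {
                    attrs.put(n.getLocalName(), n.getTextContent().trim());
                }
            }
        }
        return new Result(user, null, attrs);
    }

    public static void main(String[] args) throws Exception {
        Result ok = parse(SUCCESS_RESPONSE);
        System.out.println("user=" + ok.user + " attributes=" + ok.attributes);
        Result bad = parse(FAILURE_RESPONSE);
        System.out.println("failure code=" + bad.failureCode);
    }
}
```

The cas-client filters configured later do this parsing for you; the point of the example is to show that the attribute names the client sees are the values from columnsToAttributes (userName, orgnId, isAdmin), not the database column names.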
Change 3: store login sessions in the database
With this the server does not lose its sessions when it is restarted.
1. Edit ticketRegistry.xml
Replace the default ticketRegistry with:
XML code:
<!-- the p: and tx: prefixes used below must be declared on the root <beans> element of this file -->
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.JpaTicketRegistry">
    <constructor-arg index="0" ref="entityManagerFactory" />
</bean>

<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="dataSource" ref="dataSource"/>
    <property name="jpaVendorAdapter">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
            <property name="generateDdl" value="true"/>
            <property name="showSql" value="true" />
        </bean>
    </property>
    <property name="jpaProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
            <prop key="hibernate.hbm2ddl.auto">update</prop>
        </props>
    </property>
</bean>

<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
      p:entityManagerFactory-ref="entityManagerFactory" />

<tx:annotation-driven transaction-manager="transactionManager"/>

<!-- a separate 'cas' database holds the tickets; '&' in the URL is escaped as '&amp;' -->
<bean
    id="dataSource"
    class="org.apache.commons.dbcp.BasicDataSource"
    p:driverClassName="com.mysql.jdbc.Driver"
    p:url="jdbc:mysql://192.168.1.100:3306/cas?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true"
    p:password="709394"
    p:username="itravel" />
After this configuration a few additional jars are needed; the startup errors tell you which ones are missing, so download those.
Change 4: configure the "remember me" feature so that clients can keep their session indefinitely
1. Edit deployerConfigContext.xml
Add the authenticationMetaDataPopulators property to authenticationManager:
XML code:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
    </list>
</property>
2. Edit cas-servlet.xml
Change the authenticationViaFormAction configuration to:
XML code:
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:formObjectClass="org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials"
      p:formObjectName="credentials"
      p:validator-ref="UsernamePasswordCredentialsValidator"
      p:warnCookieGenerator-ref="warnCookieGenerator" />
Add UsernamePasswordCredentialsValidator:
XML code:
<bean id="UsernamePasswordCredentialsValidator" class="org.jasig.cas.validation.UsernamePasswordCredentialsValidator" />
Edit ticketExpirationPolicies.xml and configure grantingTicketExpirationPolicy as follows. Note that the timeouts must be increased, otherwise the session expires quickly and "remember me" has no visible effect.
XML code:
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
    <!-- policy applied to ordinary logins -->
    <property name="sessionExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <!-- 2592000000 ms = 30 days -->
            <constructor-arg index="0" value="2592000000" />
        </bean>
    </property>
    <!-- policy applied when the user ticked "remember me" -->
    <property name="rememberMeExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <constructor-arg index="0" value="2592000000" />
        </bean>
    </property>
</bean>
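The delegating policy picks one of its two delegates per ticket-granting ticket, so the two timeouts are what separate a normal login from a "remember me" login. The added example below (my own simplified model, not CAS's classes) reproduces that choice: a TimeoutExpirationPolicy expires a ticket once it has been idle longer than its timeout, and the delegating policy consults the remember-me flag that RememberMeAuthenticationMetaDataPopulator records on the authentication. The attribute name and the ticket fields are assumptions made for the model. Running it shows that with both values at 2592000000 ms, as configured above, a plain login also survives 30 days idle; the second configuration in main keeps 30 days for "remember me" only and gives ordinary logins a two-hour idle limit.

```java
import java.util.Collections;
import java.util.Map;

// Added example: a simplified model of RememberMeDelegatingExpirationPolicy and
// TimeoutExpirationPolicy, not the CAS implementation.
public class RememberMeExpiryModel {

    // Name under which the remember-me choice is assumed to be stored on the authentication.
    static final String REMEMBER_ME_ATTR = "org.jasig.cas.authentication.principal.REMEMBER_ME";

    // Ticket-granting ticket reduced to the two things the policies look at.
    static final class Tgt {
        final Map<String, Object> authenticationAttributes;
        final long lastTimeUsedMillis;

        Tgt(Map<String, Object> attrs, long lastTimeUsedMillis) {
            this.authenticationAttributes = attrs;
            this.lastTimeUsedMillis = lastTimeUsedMillis;
        }
    }

    interface ExpirationPolicy {
        boolean isExpired(Tgt ticket, long nowMillis);
    }

    // Expired once the ticket has been idle for at least timeToKill milliseconds.
    static final class TimeoutPolicy implements ExpirationPolicy {
        final long timeToKillMillis;
        TimeoutPolicy(long timeToKillMillis) { this.timeToKillMillis = timeToKillMillis; }
        public boolean isExpired(Tgt t, long now) {
            return now - t.lastTimeUsedMillis >= timeToKillMillis;
        }
    }

    // Uses the remember-me policy only when the login carried the remember-me flag.
    static final class RememberMeDelegatingPolicy implements ExpirationPolicy {
        final ExpirationPolicy sessionPolicy;
        final ExpirationPolicy rememberMePolicy;
        RememberMeDelegatingPolicy(ExpirationPolicy session, ExpirationPolicy rememberMe) {
            this.sessionPolicy = session;
            this.rememberMePolicy = rememberMe;
        }
        public boolean isExpired(Tgt t, long now) {
            boolean remembered = Boolean.TRUE.equals(t.authenticationAttributes.get(REMEMBER_ME_ATTR));
            return (remembered ? rememberMePolicy : sessionPolicy).isExpired(t, now);
        }
    }

    static final long HOUR = 60L * 60 * 1000;
    static final long DAY = 24 * HOUR;

    public static void main(String[] args) {
        long loginTime = 0L;
        Tgt plain = new Tgt(Collections.<String, Object>emptyMap(), loginTime);
        Tgt remembered = new Tgt(Collections.<String, Object>singletonMap(REMEMBER_ME_ATTR, Boolean.TRUE), loginTime);

        // As configured on this page: both delegates at 2592000000 ms (30 days).
        ExpirationPolicy asConfigured = new RememberMeDelegatingPolicy(
                new TimeoutPolicy(2592000000L), new TimeoutPolicy(2592000000L));
        // Alternative: 2 hours idle for ordinary logins, 30 days only for remember-me.
        ExpirationPolicy split = new RememberMeDelegatingPolicy(
                new TimeoutPolicy(2 * HOUR), new TimeoutPolicy(30 * DAY));

        long threeHoursLater = loginTime + 3 * HOUR;
        long fortyDaysLater = loginTime + 40 * DAY;
        System.out.println("as configured, plain login idle 3h expired?      " + asConfigured.isExpired(plain, threeHoursLater));
        System.out.println("as configured, remembered login idle 40d expired? " + asConfigured.isExpired(remembered, fortyDaysLater));
        System.out.println("split, plain login idle 3h expired?              " + split.isExpired(plain, threeHoursLater));
        System.out.println("split, remembered login idle 3h expired?         " + split.isExpired(remembered, threeHoursLater));
    }
}
```

Whichever values you choose, the ticket-granting cookie lifetime (cookieMaxAge in ticketGrantingTicketCookieGenerator.xml) has to be at least as long, or the browser discards the cookie before the server-side ticket expires.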
Change 5: disable HTTPS
Where the network is reasonably secure and the system's security requirements are not that high, HTTPS can be disabled to make deployment easier.
1. Edit ticketGrantingTicketCookieGenerator.xml
XML code:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas" />
Set p:cookieSecure to false (the browser will then also send the CASTGC session cookie over plain HTTP) and change the single sign-on server URLs in the client's web.xml to http.
Configuration for using HTTPS
1. Generate and import the certificate
Below is a .bat script that generates the certificate and imports it; if the web application and the single sign-on server are deployed on the same machine, one run covers both.
Windows batch script:
@echo off
if "%JAVA_HOME%" == "" goto error
@echo on

@echo off
cls
rem please set the env JAVA_HOME before running this bat file
rem delete alias tomcatsso if it already exists
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
REM (note: removes any existing certificate named tomcatsso from the system trust store and from the user's default keystore)
rem list all aliases in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
REM (note: lists the certificates currently in the system trust store)
rem generate a key
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=localhost" -storepass changeit
REM (note: generates an RSA key pair and certificate with alias tomcatsso and store password changeit. The DN used here is "cn=localhost"; the CN MUST equal the full host name under which the server is reached, so change it if that is not localhost!)
rem export the key
keytool -export -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -storepass changeit
REM (note: exports the certificate with alias tomcatsso from the keystore to the file tomcatsso.crt)
rem import into trust cacerts
keytool -import -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
REM (note: imports tomcatsso.crt into the JRE's trusted certificate store. A JDK installation has two jre directories, one under the JDK and one stand-alone; the one used here must be the JRE Tomcat runs on, otherwise Tomcat's HTTPS connector will not find the certificate later)
rem list all aliases in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
pause
goto end

:error
echo Please set the JAVA_HOME environment variable first
:end
2. Copy the .keystore file into Tomcat's conf directory. Note that keytool writes .keystore to the user's home directory when the certificate is generated; on Windows that is C:\Documents and Settings\[yourusername]\.
3. Configure Tomcat: open the HTTPS port 8443 and point it at the keystore.
XML code (server.xml):
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/.keystore" keystorePass="changeit" truststoreFile="C:\Program Files\Java\jdk1.5.0_07\jre\lib\security\cacerts"/>
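Two things in the procedure above go wrong silently: the certificate lands in a different JRE's cacerts than the one Tomcat runs on, or the CN in the DN does not match the host name the clients use. The added example below (my own code, not part of CAS or Tomcat) checks both before you start Tomcat: it opens the trust store of the JVM it runs in (the same JVM Tomcat must use), looks for the tomcatsso alias, confirms the certificate is within its validity period, and compares its CN with the expected host. The alias name and store password changeit are taken from the script above; the expected host defaults to localhost, matching "cn=localhost", and can be passed as an argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: sanity check of the trust store set up by the keytool script, not CAS code.
public class TrustStoreCheck {

    // Load a trust store such as <java.home>/lib/security/cacerts with the store password.
    public static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // CN of the subject DN, or null if the certificate has none.
    public static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    // Returns "ok" or a description of the first problem found.
    public static String check(KeyStore ks, String alias, String expectedHost) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found: the import step was not run against this JRE";
        }
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            return "alias '" + alias + "' is not an X.509 certificate";
        }
        X509Certificate x = (X509Certificate) c;
        try {
            x.checkValidity(); // not-before / not-after against the current time
        } catch (CertificateException e) {
            return "certificate is not currently valid: " + e.getMessage();
        }
        String cn = commonName(x);
        if (cn == null || !cn.equalsIgnoreCase(expectedHost)) {
            return "CN '" + cn + "' does not match the expected host '" + expectedHost + "'";
        }
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE actually running this class; Tomcat must be started with the same one.
        String storePath = System.getProperty("java.home") + "/lib/security/cacerts";
        String expectedHost = args.length > 0 ? args[0] : "localhost";
        KeyStore ks = load(storePath, "changeit".toCharArray());
        System.out.println("trust store: " + storePath);
        System.out.println("tomcatsso:   " + check(ks, "tomcatsso", expectedHost));
    }
}
```

Run it with the java executable of the JRE configured for Tomcat; if the alias is reported missing there, the script imported the certificate into the other jre directory.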
Client-side configuration
The client download location on the CAS website is somewhat hidden and not fully published; the address is
http://www.ja-sig.org/downloads/cas-clients/
Download the latest cas-client-3.1.6-release.zip.
1. Unpack it and put the jars under modules into our web application.
2. Configure web.xml. Note that encodingFilter must be declared before the CAS filters, otherwise data written to the database comes out garbled.
serverName is the address and port of our web application.
XML code:
<context-param>
    <param-name>serverName</param-name>
    <param-value>192.168.1.145:81</param-value>
</context-param>

<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.CharacterEncodingFilter
    </filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.htm</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.ftl</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.xhtml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.shtml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.vm</url-pattern>
</filter-mapping>

<!-- single sign-out: the CAS server notifies this filter when the SSO session ends -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.session.SingleSignOutFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
</listener>

<!-- redirects unauthenticated users to the CAS login page -->
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.authentication.AuthenticationFilter
    </filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://192.168.1.100/cas/login</param-value>
    </init-param>
</filter>
<!-- validates the service ticket with the CAS server and reads the released attributes -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
    </filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://192.168.1.100/cas</param-value>
    </init-param>
</filter>

<!-- makes request.getRemoteUser() / getUserPrincipal() return the CAS principal -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.HttpServletRequestWrapperFilter
    </filter-class>
</filter>
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.AssertionThreadLocalFilter
    </filter-class>
</filter>

<!-- the mapping order is the execution order: authentication, validation, then the wrappers -->
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
3. Import the certificate (skip this step if you are not using HTTPS). Copy tomcatsso.crt to the root of the C: drive and run the following commands from the JDK's bin directory.
Command line (Windows):
rem (note: remove any existing certificate named tomcatsso)
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit

rem import the SERVER's certificate into the client JVM's trust store (may need administrator rights)
keytool -import -alias tomcatsso -file "c:/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
Example: obtaining the login user name and user attributes on the client
Java code:
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.ServletActionContext; // Struts 2 helper; use your framework's equivalent
import org.jasig.cas.client.authentication.AttributePrincipal;

HttpServletRequest request = ServletActionContext.getRequest();
// With the HttpServletRequest Wrapper Filter in place, getUserPrincipal() returns the CAS principal
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
String username = principal.getName();
// Attributes are those released by the attributeRepository query on the server;
// guard against a missing value instead of letting parseLong throw a NullPointerException
Object orgnAttr = principal.getAttributes().get("orgnId");
Long orgnId = orgnAttr == null ? null : Long.parseLong(orgnAttr.toString());