Implementing Single Sign-On with CAS
CAS official site: https://www.apereo.org/
CAS download: https://github.com/apereo/cas/releases
CAS-Client download: http://developer.jasig.org/cas-clients/
CAS-Server download: http://developer.jasig.org/cas/
CAS-Overlay-Template download: https://github.com/apereo/cas-overlay-template
How CAS works
Demo environment
- Windows 10 64-bit
- JDK 1.8.0_152
- Tomcat 8.5.28
- cas-server-4.0.0
- cas-client-3.3.3
- demo.simba.com: the Tomcat that hosts the CAS server; this virtual domain is also used as the name when generating the certificate
- app1.simba.com: the Tomcat that hosts app1
- app2.simba.com: the Tomcat that hosts app2
Certificate configuration
Generating the certificate
Open a command window and run:
keytool -genkey -v -alias tomcat -keyalg RSA -keypass 123456 -storepass 123456 -keystore D:/sso/keystore/mykey.keystore
- -alias tomcat: the alias of the key entry is tomcat
- -keyalg RSA: the key algorithm is RSA
- -keypass 123456: the password of the alias entry (the private key password)
- -storepass 123456: the keystore password (required to read keystore information)
- -keystore D:/sso/keystore/mykey.keystore: the keystore file that holds the tomcat entry, written to D:\sso\keystore
After running the command, as shown in the figure:
a new file mykey.keystore appears in D:/sso/keystore
Exporting the certificate
Run the following command and enter the keystore password:
keytool -export -trustcacerts -alias tomcat -file D:/sso/keystore/mykey.cer -keystore D:/sso/keystore/mykey.keystore
Result:
After running it, a new file mykey.cer appears in D:/sso/keystore
Importing into the JDK
Import the certificate into the cacerts file under the JDK installation directory C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security
Run the following command
keytool -import -trustcacerts -alias tomcat -file D:/sso/keystore/mykey.cer -keystore "C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security\cacerts"
If adding the certificate fails with "access denied", grant full permissions on the Java directory in its file properties
After the change, as shown in the figure
To list the certificates in the JDK trust store, run
keytool -list -keystore "C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security\cacerts"
Tomcat configuration
Edit conf/server.xml under the extracted Tomcat directory
and add a connector with the certificate settings:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="D:/sso/keystore/mykey.keystore" keystorePass="123456"
    clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8">
</Connector>
Deploying CAS-Server
Copy cas-server-webapp-4.0.0.war from the modules folder of the extracted CAS-Server distribution into Tomcat's webapps directory and rename it to cas
Start Tomcat; if the page can be opened, the deployment succeeded
The default login account and password are in cas/WEB-INF/deployerConfigContext.xml; enter them to log in
After logging in
Deploying CAS-Client
Tomcat's bundled webapps\examples is used as a simple demo web project
Install two Tomcats, app1 and app2, change their ports, and confirm that each can be opened
Deploying app1
Copy cas-client-core-3.3.3.jar from cas-client-3.3.3/modules into app1\apache-tomcat-8.5.28\webapps\examples\WEB-INF\lib
and add the following to app1\apache-tomcat-8.5.28\webapps\examples\WEB-INF\web.xml
<!-- ======================== Single sign-on: start ======================== -->
<!-- Single sign-out: this listener supports single logout; optional -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single logout; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.simba.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.simba.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.simba.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app1.simba.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter wraps the HttpServletRequest so that, for example, a developer can
    obtain the SSO login name through HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter lets a developer obtain the login name through org.jasig.cas.client.util.AssertionHolder,
    for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
Start Tomcat; the following error appears
The cause is the missing slf4j-api jar; add slf4j-api-1.7.25.jar to the deployed project's lib directory
Deploying app2
Copy cas-client-core-3.3.3.jar from cas-client-3.3.3/modules into app2\apache-tomcat-8.5.28\webapps\examples\WEB-INF\lib
and add the following to app2\apache-tomcat-8.5.28\webapps\examples\WEB-INF\web.xml
<!-- ======================== Single sign-on: start ======================== -->
<!-- Single sign-out: this listener supports single logout; optional -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single logout; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://demo.simba.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.simba.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://demo.simba.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://app2.simba.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter wraps the HttpServletRequest so that, for example, a developer can
    obtain the SSO login name through HttpServletRequest.getRemoteUser(); optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter lets a developer obtain the login name through org.jasig.cas.client.util.AssertionHolder,
    for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
Single sign-on demo
As long as you are logged in to cas-server, app1 and app2 can reach the requested URLs
Whenever you are logged out of, or not yet logged in to, cas-server, app1 and app2 must redirect to the cas-server login page
(Note: this page is reached by a redirect, so the original URL is not shown)
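The redirect-and-validate behaviour demonstrated above is what the CAS Filter and CAS Validation Filter negotiate with cas-server. The following is an added Python model of that CAS 2.0 exchange, written for this page and not taken from the jasig client library or the CAS server; the fake server, the ticket format and the user name are constructed assumptions, while the URLs and serverName values follow the web.xml above. It shows why serverName must be the same in both filters (the ticket is bound to the service it was issued for) and why a ticket cannot be replayed.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 XML responses

def service_url(server_name: str, request_uri: str) -> str:
    """The 'service' value the client filters send: serverName + requested path."""
    return server_name.rstrip("/") + request_uri

def login_redirect(cas_login_url: str, service: str) -> str:
    """Where AuthenticationFilter sends a browser that has no CAS session yet."""
    return cas_login_url + "?" + urlencode({"service": service})

class FakeCasServer:
    """Stand-in for cas-server (constructed for this example): issues service
    tickets bound to one service URL and invalidates each on first validation."""
    def __init__(self):
        self._tickets = {}

    def issue_ticket(self, service: str, user: str) -> str:
        st = "ST-" + secrets.token_hex(8)  # made-up ticket id format
        self._tickets[st] = (service, user)
        return st

    def service_validate(self, service: str, ticket: str) -> str:
        """CAS 2.0 /serviceValidate body. The ticket is consumed whether or not
        the check succeeds, so a replayed or mis-bound ticket cannot be retried."""
        entry = self._tickets.pop(ticket, None)
        head = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        if entry is None:
            body = '<cas:authenticationFailure code="INVALID_TICKET">unknown or already used ticket</cas:authenticationFailure>'
        elif entry[0] != service:
            body = '<cas:authenticationFailure code="INVALID_SERVICE">service does not match the ticket</cas:authenticationFailure>'
        else:
            body = "<cas:authenticationSuccess><cas:user>%s</cas:user></cas:authenticationSuccess>" % entry[1]
        return head + body + "</cas:serviceResponse>"

def validate_ticket(server, service: str, ticket: str):
    """What the Validation filter does: (user, None) on success, else (None, code);
    the application must not create a logged-in session when user is None."""
    root = ET.fromstring(server.service_validate(service, ticket))
    ok = root.find(CAS_NS + "authenticationSuccess")
    if ok is not None:
        return ok.findtext(CAS_NS + "user"), None
    fail = root.find(CAS_NS + "authenticationFailure")
    return None, (fail.get("code") if fail is not None else "UNKNOWN")
```

Validating the same ticket with app2's serverName fails with INVALID_SERVICE and still burns the ticket, which is the behaviour to expect when serverName is mistyped in only one of the two filters.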