使用CAS实现单点登录
CAS官网:https://www.apereo.org/
CAS下载地址:https://github.com/apereo/cas/releases
CAS-Client下载地址:http://developer.jasig.org/cas-clients/
CAS-Server下载地址:http://developer.jasig.org/cas/
CAS-Overlay-Template下载地址:https://github.com/apereo/cas-overlay-template
CAS原理解析
演示环境
- win10 64位
- JDK 1.8.0_152
- Tomcat 8.5.28
- cas-server-4.0.0
- cas-client-3.3.3
- demo.simba.com:对应部署cas server的tomcat,虚拟域名还用于证书的生成
- app1.simba.com:对应部署app1的tocmat
- app2.simba.com:对应部署app2的tocmat
安全证书配置
生成证书
打开命令窗口,输入下面命令:
keytool -genkey -v -alias tomcat -keyalg RSA -keypass 123456 -storepass 123456 -keystore D:/sso/keystore/mykey.keystore
- -alias tomcat:取别名为tomcat
- -keyalg RSA:指定密钥的算法为RSA
- -keypass 123456: 指定别名条目的密码(私钥的密码)
- -storepass 123456:指定密钥库的密码(获取keystore信息所需的密码)
- -keystore D:/sso/keystore/mykey.keystore:生成一个名为tomcat的证书,放在D盘下的sso\keystore目录下
执行后如图:
D:/sso/keystore目录下会多出一个mykey.keystore文件
导出证书
执行下面命令,输入密钥库口令
keytool -export -trustcacerts -alias tomcat -file D:/sso/keystore/mykey.cer -keystore D:/sso/keystore/mykey.keystore
执行结果:
执行后D:/sso/keystore目录下会多出一个mykey.cer文件
导入到JDK中
导入到jdk的安装目录C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security下的cacerts文件中
执行下面命令
keytool -import -trustcacerts -alias tomcat -file D:/sso/keystore/mykey.cer -keystore "C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security\cacerts"
证书添加出现错误,系统拒绝访问,更改java文件属性的所有权限即可
更改后如图
查看JDK中的证书列表,执行下面命令
keytool -list -keystore "C:\Program Files (x86)\Java\jdk1.8.0_152\jre\lib\security\cacerts"
Tomcat配置
修改tocmat解压目录下conf下的server.xml配置
并添加证书配置
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="D:/sso/keystore/mykey.keystore" keystorePass="123456" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"> </Connector>
CAS-Server的部署
将CAS-Server解压目录下modules文件夹下的cas-server-webapp-4.0.0.war拷贝到tomcat的webapps下面,并该名为cas
启动tomcat,可以访问到,说明部署成功
在cas/WEB-INF/deployerConfigContext.xml中有原始登录账号和密码,填写账号和密码登录即可
登录后
CAS-Client的部署
借用tomcat默认自带的webapps\examples作为演示简单的web项目
安装app1、app2俩个tomcat,修改端口,并访问成功即可
app1的部署
将cas-client-3.3.3/modules目录下的cas-client-core-3.3.3.jar拷贝到app1\apache-tomcat-8.5.28\webapps\examples\WEB-INF\lib目录中
并在app1\apache-tomcat-8.5.28\webapps\examples\WEB-INF\web.xml添加
<!-- ======================== 单点登录开始 ======================== --> <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置--> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <!-- 该过滤器用于实现单点登出功能,可选配置。 --> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CAS Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://demo.simba.com:8443/cas/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://app1.simba.com:18080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://demo.simba.com:8443/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://app1.simba.com:18080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 --> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class> org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 --> <filter> <filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Assertion Thread Local Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- ======================== 单点登录结束 ======================== -->
启动tomcat,发现如下错误
原因是缺少slf4j-api的jar包,将slf4j-api-1.7.25.jar添加到发布项目的lib中即可
app2的部署
将cas-client-3.3.3/modules目录下的cas-client-core-3.3.3.jar拷贝到app2\apache-tomcat-8.5.28\webapps\examples\WEB-INF\lib目录中
并在app2\apache-tomcat-8.5.28\webapps\examples\WEB-INF\web.xml添加
<!-- ======================== 单点登录开始 ======================== --> <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置--> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <!-- 该过滤器用于实现单点登出功能,可选配置。 --> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CAS Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://demo.simba.com:8443/cas/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://app2.simba.com:28080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://demo.simba.com:8443/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://app2.simba.com:28080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 --> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class> org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 --> <filter> <filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Assertion Thread Local Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- ======================== 单点登录结束 ======================== -->
单点登录演示
只要登录cas-server,app1和app2能够访问到具体的网址
只要登出或者未登录cas-server,app1和app2必须跳转到cas-server的登录界面
(注:该页面是重定向,无法显示原网址)