CAS 5 installation and configuration

1. Environment preparation

JDK 1.8, Maven, Gradle, Tomcat 8

2. Download CAS

wget https://github.com/apereo/cas-gradle-overlay-template/archive/master.zip 
unzip master.zip 
cd cas-gradle-overlay-template-master 

3. Configuration management. Note that CAS configuration files are not interchangeable between versions.

3.1 Change the Gradle download URL, otherwise the download may fail

vim gradle/wrapper/gradle-wrapper.properties 
#distributionUrl=https\://services.gradle.org/distributions/gradle-3.1-bin.zip 
distributionUrl=https\://downloads.gradle.org/distributions/gradle-3.1-bin.zip 

3.2 Add the CAS JDBC support library

vim cas/build.gradle

In the dependencies block, add: compile "org.apereo.cas:cas-server-support-jdbc:${project.'cas.version'}"

3.3 Add the CAS database configuration

vim etc/cas/config/cas.properties (the etc directory inside the project)

cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services

# Override the default static-authentication user (CAS ships with user casuser, password Mellon)
cas.authn.accept.users=

# Database authentication configuration
cas.authn.jdbc.query[0].sql=SELECT pwd FROM customer WHERE phone=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:${mysql_url}?characterEncoding=utf8&useSSL=true
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
# cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.HSQLDialect
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
# Database user
cas.authn.jdbc.query[0].user=${db.user}
cas.authn.jdbc.query[0].ddlAuto=create-drop
cas.authn.jdbc.query[0].maxAgeDays=180
# Database password
cas.authn.jdbc.query[0].password=${db.pwd}
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
# cas.authn.jdbc.query[0].credentialCriteria=

# NONE = compare the plain password; DEFAULT = hash it with the algorithm named below
# cas.authn.jdbc.query[0].passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
# cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
# Algorithm name, e.g. MD5 or SHA
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
# cas.authn.jdbc.query[0].passwordEncoder.secret=
# cas.authn.jdbc.query[0].passwordEncoder.strength=16

# cas.authn.jdbc.query[0].principalTransformation.suffix=
# cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.jdbc.query[0].principalTransformation.prefix=
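To make the JDBC "query" handler configured above concrete, here is an added example (not CAS code and not from the original post) that models the flow in Python with sqlite3 standing in for MySQL: the parameterised `SELECT pwd FROM customer WHERE phone=?` lookup, followed by a comparison against the submitted password run through the DEFAULT encoder with `encodingAlgorithm=MD5`. The assumption that DEFAULT means one unsalted MessageDigest over the password bytes, hex-encoded, is mine; confirm it against your CAS version. The `customer` rows and passwords are constructed test data.

```python
import hashlib
import hmac
import sqlite3

# Java MessageDigest names accepted by encodingAlgorithm, mapped to hashlib names.
JAVA_DIGESTS = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}

# Mirrors cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
ENCODING_ALGORITHM = "MD5"
# Mirrors cas.authn.jdbc.query[0].sql. The "?" is a bound parameter, so the
# submitted phone number is never spliced into the SQL text.
QUERY_SQL = "SELECT pwd FROM customer WHERE phone=?"


def default_encoder(password, algorithm=ENCODING_ALGORITHM):
    """Model of passwordEncoder.type=DEFAULT: one unsalted digest of the
    password bytes (UTF-8 here; characterEncoding in cas.properties), hex-encoded.
    Assumption about the DEFAULT encoder; verify against the deployed CAS version."""
    digest = hashlib.new(JAVA_DIGESTS[algorithm], password.encode("utf-8"))
    return digest.hexdigest()


def build_customer_table():
    """Constructed sample data standing in for the MySQL `customer` table:
    three customers, two of whom happen to share a password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (phone TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    sample = [("13800000001", "correct horse"),
              ("13800000002", "correct horse"),
              ("13800000003", "battery staple")]
    conn.executemany("INSERT INTO customer (phone, pwd) VALUES (?, ?)",
                     [(phone, default_encoder(pw)) for phone, pw in sample])
    conn.commit()
    return conn


def authenticate(conn, phone, password):
    """Query-mode handler: look up the stored pwd for the principal, encode the
    submitted password the same way, compare in constant time.
    An unknown phone number fails closed."""
    row = conn.execute(QUERY_SQL, (phone,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], default_encoder(password))


def digests_shared_by_several_customers(conn):
    """Audit query: because the DEFAULT encoder is unsalted, customers with the
    same password have byte-identical `pwd` values, so password reuse is visible
    to anyone who can read the table. Returns the shared digests."""
    cur = conn.execute(
        "SELECT pwd FROM customer GROUP BY pwd HAVING COUNT(*) > 1 ORDER BY pwd")
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_customer_table()
    print("login ok:", authenticate(db, "13800000001", "correct horse"))
    print("shared digests:", digests_shared_by_several_customers(db))
```

The commented-out `passwordEncoder.type` line in the properties lists BCRYPT among the alternatives; a bcrypt hash carries its own per-password salt, so the audit query above would return nothing for a table encoded that way.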

3.2 Client support for the HTTP protocol

vim src/main/resources/services/HTTPSandIMAPS-10000001.json

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://.*",
  "name" : "HTTPS and http",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}

This file registers a client with CAS. serviceId is the URL of the registered client; you can use one JSON file per client, as many files as you have clients, e.g. serviceId: "http://sso.tdrh.com:8080/casClient".
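The `serviceId` regex decides which application URLs CAS will issue and validate tickets for, so it is worth checking what a pattern really admits. The following added example (not part of the original post) loads the definition above together with a constructed per-client definition for the casClient URL mentioned in the text, resolves URLs to a service the way CAS does (lowest evaluationOrder among matching patterns; find-style regex matching is my assumption, modelled with `re.search`), and flags any definition whose pattern also matches a URL on a host you do not operate. The probe URLs are constructed and nothing is contacted.

```python
import json
import re
from urllib.parse import urlsplit

# HTTPSandIMAPS-10000001.json from the text, embedded inline.
PERMISSIVE_SERVICE = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://.*",
  "name" : "HTTPS and http",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}"""

# Constructed per-client definition for the casClient URL named in the text
# (one JSON file per client); hypothetical file name casClient-10000002.json.
PER_CLIENT_SERVICE = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http://sso\\.tdrh\\.com:8080/casClient(/.*)?$",
  "name" : "casClient",
  "id" : 10000002,
  "evaluationOrder" : 20
}"""


def load_service(text):
    """Parse one RegexRegisteredService definition and compile its serviceId."""
    svc = json.loads(text)
    return {"id": svc["id"], "name": svc["name"],
            "order": svc.get("evaluationOrder", 0),
            "pattern": re.compile(svc["serviceId"])}


def matching_service(services, url):
    """Resolve `url` to the service CAS would pick: the lowest evaluationOrder
    among definitions whose serviceId matches (assumed find()-style matching,
    hence re.search). Returns None when no definition matches."""
    hits = [s for s in services if s["pattern"].search(url)]
    return min(hits, key=lambda s: s["order"]) if hits else None


def services_admitting_foreign_hosts(services, allowed_hosts, probe_urls):
    """Flag definitions whose serviceId also matches a URL on a host outside
    allowed_hosts. probe_urls are constructed strings used only to exercise the
    regexes. Returns (service id, name, offending URL) tuples."""
    findings = []
    for url in probe_urls:
        if urlsplit(url).hostname in allowed_hosts:
            continue  # a host you operate: matching it is the intended behaviour
        for svc in services:
            if svc["pattern"].search(url):
                findings.append((svc["id"], svc["name"], url))
    return findings


if __name__ == "__main__":
    registry = [load_service(PERMISSIVE_SERVICE), load_service(PER_CLIENT_SERVICE)]
    probes = ["http://sso.tdrh.com:8080/casClient/",
              "https://not-ours.example.net/callback"]
    for finding in services_admitting_foreign_hosts(registry, {"sso.tdrh.com"}, probes):
        print("over-broad serviceId:", finding)
```

Run against the two definitions, only the `^(https|http)://.*` entry is flagged: it matches the constructed foreign URL, whereas the per-client pattern is anchored to one scheme, host, port and path.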

Once HTTP clients are allowed, the TGC cookie's secure flag has to be turned off as well.

vim etc/cas.properties

Add the following configuration:

# Support the HTTP protocol
cas.tgc.secure=false
cas.warningCookie.secure=false

4. Packaging, deployment, running, and logs

When you run gradle clean build and there is no CAS configuration under /etc/, the project's etc/cas/config is copied to /etc. So after changing the configuration under the project's etc directory, remove /etc/cas first:

rm /etc/cas -r -f

./gradlew clean build

cp cas/build/libs/cas.war /usr/local/tomcat/webapps

/usr/local/tomcat/bin/catalina.sh start

tail -f /usr/local/tomcat/logs/catalina.out

5. Following the CAS recommendation, enable SSL in Tomcat

mkdir /etc/cas/key
cd /etc/cas/key
keytool -genkey -alias cas -keyalg RSA -keystore cas.keystore -validity 3650

keytool -export -file cas.crt -alias cas -keystore cas.keystore

keytool -importcert -alias cas -file cas.crt -keystore "${JAVA_HOME}/jre/lib/security/cacerts" -storepass changeit

Configure Tomcat to enable SSL
cp /usr/local/tomcat/conf/server.xml /usr/local/tomcat/conf/server.xml.ori 
vim /usr/local/tomcat/conf/server.xml

Add the following (attribute names are case-sensitive):
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="/etc/cas/key/cas.keystore"
               keystorePass="123456" > 
    </Connector>

Now restart Tomcat and try again
/usr/local/tomcat/bin/catalina.sh stop 
/usr/local/tomcat/bin/catalina.sh start

Watch the log file during startup to check for errors.

Exceptions

1.HTTP Status 500 - java.net.ConnectException: 拒绝连接

type Exception report

message java.net.ConnectException: 拒绝连接

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.RuntimeException: java.net.ConnectException: 拒绝连接
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

root cause

java.net.ConnectException: 拒绝连接
	java.net.PlainSocketImpl.socketConnect(Native Method)
	java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	java.net.Socket.connect(Socket.java:589)
	sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
	sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
	sun.net.NetworkClient.doConnect(NetworkClient.java:180)
	sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
	sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
	sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
	sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
	sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
	sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.

This exception means the login URL configured on the authentication filter is wrong; change it to https://sso.login.com:8443/cas/login.

2.HTTP Status 500 - java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F

type Exception report

message java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.RuntimeException: java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

root cause

java.io.FileNotFoundException: https://sso.login.com:8443/serviceValidate?ticket=ST-2-OHx5DEKKkKcvwz3mJW6S-nailsoul-ThinkPad-S2&service=http%3A%2F%2Flocalhost%3A8080%2FcasClient%2F
	sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1836)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.

This exception means the URL prefix configured on the ticket validation filter is wrong; change it to https://sso.login.com:8443/cas.

3.HTTP Status 500 - org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务

type Exception report

message org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

root cause

org.jasig.cas.client.validation.TicketValidationException: 票根'ST-1-bs0oeI9jZTdG4zcob0aG-nailsoul-ThinkPad-S2'不符合目标服务
	org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

note The full stack trace of the root cause is available in the Apache Tomcat/8.5.5 logs.

This exception means the client server address configured on the ticket validation filter is wrong; change it to https://sso.login.com:8443/casclient.
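Each of the three 500 errors above traces back to one CAS client filter parameter: the authentication filter's casServerLoginUrl (1), the validation filter's casServerUrlPrefix (2), and the serverName from which the client derives the service URL (3). The following added example, not from the original post, is a small consistency check for those parameters written in Python for illustration. The parameter names are the Java CAS client's init-params; the sample values are built from the URLs in this section and the constructed misconfigurations are mine.

```python
from urllib.parse import quote, urlsplit


def build_validation_url(cas_server_url_prefix, ticket, service):
    """The request the CAS 2.0 validation filter sends: <prefix>/serviceValidate
    with the ticket and the percent-encoded service URL, the shape that appears
    in the FileNotFoundException message of exception 2."""
    return (f"{cas_server_url_prefix.rstrip('/')}/serviceValidate"
            f"?ticket={ticket}&service={quote(service, safe='')}")


def service_url(server_name, request_uri):
    """How the client derives the `service` parameter when no fixed service is
    configured: serverName plus the request URI (modelled; query string omitted)."""
    return server_name.rstrip("/") + request_uri


def ticket_matches_service(issued_for, presented):
    """The check behind exception 3: CAS validates a service ticket only for the
    service it was issued to. Modelled here as exact string equality."""
    return issued_for == presented


def lint_cas_client_config(cas_server_login_url, cas_server_url_prefix, server_name):
    """Cross-check the three filter parameters. Returns a list of findings,
    each naming the parameter at fault; an empty list means consistent."""
    findings = []
    login, prefix, name = (urlsplit(u) for u in
                           (cas_server_login_url, cas_server_url_prefix, server_name))

    for label, parts in (("casServerLoginUrl", login),
                         ("casServerUrlPrefix", prefix),
                         ("serverName", name)):
        if not parts.scheme or not parts.netloc:
            findings.append(f"{label}: not an absolute URL")
    if findings:
        return findings

    # Exception 1: the trace shows the validator's HTTPS connection being
    # refused, i.e. the host:port it targeted had nothing listening. Deriving
    # the login URL from the prefix catches a typo in either of them.
    if cas_server_login_url != cas_server_url_prefix.rstrip("/") + "/login":
        findings.append("casServerLoginUrl: must be casServerUrlPrefix + '/login'")

    # Exception 2: a prefix without the webapp context path makes the validator
    # request /serviceValidate at the Tomcat root, which answers 404 and the
    # client surfaces as FileNotFoundException.
    if prefix.path in ("", "/"):
        findings.append("casServerUrlPrefix: lacks the CAS context path (e.g. /cas)")

    # Exception 3 cannot be decided from these values alone: serverName must be
    # the scheme://host[:port] the browser actually used when the ticket was
    # issued (see ticket_matches_service), but an http scheme here while CAS is
    # served over https is the usual sign of a copy-paste mistake.
    if name.scheme not in ("http", "https"):
        findings.append("serverName: scheme must be http or https")
    return findings


if __name__ == "__main__":
    print(lint_cas_client_config("https://sso.login.com:8443/cas/login",
                                 "https://sso.login.com:8443",   # constructed: prefix without /cas
                                 "https://sso.login.com:8443/casclient"))
```

With the corrected values from this section (login URL ending in /cas/login, prefix ending in /cas) the linter returns no findings; with the prefix stripped to the server root it reports the same shape of problem that exception 2 showed, where /serviceValidate was requested directly under https://sso.login.com:8443.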

4. Unauthorized service: No authentication and authorization service

No authentication and authorization service

CAS service record is empty, there is no definition of service. Want the application to be certified by the CAS must be clearly defined in the service record.


Client uses the HTTPS protocol

This problem only appears in CAS 5.1.0-RC1 and later.

Fix: add the JSON service registry dependency.

vim cas/build.gradle

Add:

compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"

Client uses the HTTP protocol

See section 3.2 of the configuration part.


Reposted from blog.csdn.net/nailsoul/article/details/81330456