Our company is preparing to roll out SSO and has chosen the CAS framework. After studying it for ages, I finally got it configured. Below are my notes on each step involved.
1. CAS terminology and principles
2. HTTPS configuration
3. CAS Proxy configuration
4. Testing
I. CAS terminology and principles
These terms are a mouthful and hard to explain; it took me a long time to get even a rough grasp of them. There is plenty of material on this online, so I'll point you to a few posts by people who know it well.
Terminology: http://blog.csdn.net/tienway/article/details/5464516
Principles: http://blog.csdn.net/emon123/article/details/6285549
http://www.blogjava.net/security/archive/2006/04/26/SSO_CASProxy.html
Official wiki: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
II. HTTPS configuration
1. Test environment
cas-client-3.2.0
cas-server-3.4.10
cas server: https://sso.test.com
backend service: http://backend.test.com
proxy service: http://proxy.test.com
hosts file:
172.16.11.71 sso.test.com
172.16.11.72 backend.test.com
172.16.11.73 proxy.test.com
HTTP port: default 80
HTTPS port: default 443
2. Generating the certificates
Both the CAS Server and the Proxy Service need to use HTTPS, so two certificates are required. Generate them with the keytool command that ships with Java:
cas server: keytool -genkey -alias cas_server -keystore cas_server.keystore -keyalg RSA -validity 3666
proxy service:keytool -genkey -alias proxy_service -keystore proxy_service.keystore -keyalg RSA -validity 3666
The domain name entered when generating a certificate (the first prompt) must match the domain used in testing: for the CAS server enter sso.test.com, for the proxy service enter proxy.test.com.
3. Tomcat configuration
Edit conf/server.xml:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="utf-8" keystoreFile="conf/cas_server.keystore" keystorePass="changeit" />
After configuring, restart Tomcat and open the site in a browser to verify. If a red warning box appears, choose to trust the certificate; if the page loads, it's working. Because these certificates are not trusted by the browser, a security warning appears every time; you can export the certificate and add it to the trusted list so the prompt stops. In IE, choose Install Certificate and click OK through the wizard.
4. Certificate trust
In CAS proxy authentication mode the CAS server and the proxy service call each other's HTTPS endpoints in the background, so each JVM must be configured to trust the other's certificate. Otherwise you get a PKIX exception.
First, on sso.test.com, export the CAS server's certificate:
keytool -export -alias cas_server -keystore cas_server.keystore -file cas_server.crt
Then copy cas_server.crt to the proxy.test.com machine and import it into the JVM:
keytool -import -alias cas_server -file cas_server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
In the same way, import the proxy_service certificate from proxy.test.com into the JVM on sso.test.com.
With that, the preliminary HTTPS configuration is done.
III. CAS Proxy configuration
Proxy service configuration (web.xml):
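A check for this step, added here as example code (not from the original post): load the JVM's cacerts, confirm the imported alias is present and unexpired, and attempt a TLS handshake to the peer. The alias cas_server, the host sso.test.com and the cacerts path under java.home come from the setup above; the truststore password changeit is the JDK default and is an assumption if it was changed on your machine.

```java
// Added example (not from the original post): verify that a CAS peer certificate
// was imported into this JVM's cacerts and that a TLS handshake to the peer works.
// Defaults (alias cas_server, host sso.test.com) are the values from the post;
// "changeit" is the JDK's default cacerts password (assumption if it was changed).
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

public class TrustCheck {

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "cas_server";
        String host  = args.length > 1 ? args[1] : "sso.test.com";
        // java.home is the JRE directory on JDK 8 and earlier, so this resolves to
        // $JAVA_HOME/jre/lib/security/cacerts, the file the post imports into.
        String path  = System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass  = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            System.out.println("alias '" + alias + "' not found in " + path
                    + " (was keytool -import run against this JVM's cacerts?)");
            return;
        }
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("expires : " + cert.getNotAfter()
                + (cert.getNotAfter().before(new Date()) ? "  <-- EXPIRED" : ""));

        // PKIX path validation and host name verification both happen during the
        // handshake; a failure here is what the CAS client would see at runtime.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            conn.connect();
            System.out.println("TLS handshake with " + host + " OK, HTTP "
                    + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            System.out.println("TLS handshake with " + host + " FAILED: " + e.getMessage());
        }
    }
}
```

Compile and run it with the same JDK that runs Tomcat, since that is the cacerts the CAS client will consult. A handshake that still fails with a PKIX message usually means the import went into a different JDK's cacerts; a failure mentioning the host name means the certificate's first prompt (the CN) did not match the domain, which HttpsURLConnection rejects just as the CAS client would.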
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://sso.test.com/login</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://proxy.test.com</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://sso.test.com/</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://proxy.test.com</param-value>
    </init-param>
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>acceptAnyProxy</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>proxyCallbackUrl</param-name>
        <param-value>https://proxy.test.com/proxyCallback</param-value>
    </init-param>
    <init-param>
        <param-name>proxyReceptorUrl</param-name>
        <param-value>/proxyCallback</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
Notes:
1. For the meaning of each parameter see http://blog.csdn.net/tienway/article/details/5464516
2. The /proxyCallback endpoint: in the original Yale client jar it was a separate class, while in cas-client-core it is folded into the Cas20ProxyReceivingTicketValidationFilter class. This difference had me stuck for a long time.
3. The order of the filters must not be changed. The leading /proxyCallback mapping does not appear in the official configuration; thanks to emon123 for this:
http://blog.csdn.net/emon123/article/details/6285549
4. The backend service is configured the same way.
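To show what the proxy configuration above is actually for, here is an added example (not the post's code and not part of the CAS project) of a servlet in the proxy service that requests a proxy ticket for the backend and calls it with that ticket. It assumes the web.xml above is active (useSession=true stores the Assertion in the HTTP session) and a hypothetical backend endpoint http://backend.test.com/api/whoami; the package name is also made up.

```java
// Added example (not from the original post or the CAS project): a servlet in the
// proxy service that obtains a proxy ticket (PT) for the backend service and calls it.
// Assumes the post's web.xml is in place (useSession=true keeps the Assertion in the
// HTTP session) and a hypothetical backend endpoint /api/whoami on backend.test.com.
package com.example.proxy; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

public class CallBackendServlet extends HttpServlet {

    // The service URL the PT is bound to; it must be exactly the URL that is called,
    // because the backend validates the ticket against the URL it received it on.
    private static final String BACKEND_URL = "http://backend.test.com/api/whoami";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Cas20ProxyReceivingTicketValidationFilter stored the Assertion under this key
        // once the user's service ticket was validated.
        Assertion assertion = (Assertion) req.getSession()
                .getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        if (assertion == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated via CAS");
            return;
        }

        // Ask the CAS server for a PT using the PGT that arrived on /proxyCallback.
        // Returns null when no PGT exists, e.g. the CAS server could not reach the
        // HTTPS callback or did not trust its certificate (the PKIX case above).
        String proxyTicket = assertion.getPrincipal().getProxyTicketFor(BACKEND_URL);
        if (proxyTicket == null) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "could not obtain proxy ticket");
            return;
        }

        // A PT is single-use and short-lived; hand it to the backend as 'ticket'.
        URL url = new URL(BACKEND_URL + "?ticket=" + URLEncoder.encode(proxyTicket, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);

        // Relay the backend's status and body to the browser.
        int status = conn.getResponseCode();
        resp.setStatus(status);
        resp.setContentType("text/plain;charset=UTF-8");
        try (InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream()) {
            if (in != null) {
                byte[] buf = new byte[4096];
                int n;
                while ((n = in.read(buf)) > 0) {
                    resp.getOutputStream().write(buf, 0, n);
                }
            }
        }
    }
}
```

On the backend, its own Cas20ProxyReceivingTicketValidationFilter validates the PT against https://sso.test.com/proxyValidate and receives the proxy chain in the response. With acceptAnyProxy set to true, as in the configuration above, any proxy registered with the CAS server may present tickets to the backend; for a backend beyond a test setup, set acceptAnyProxy to false and list the intended proxy callback (here https://proxy.test.com/proxyCallback) in the filter's allowedProxyChains init-param so that only that proxy is accepted.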