CAS Single Sign-On Application
I. Basics

2. HTTPS stands for Secure Hypertext Transfer Protocol.
3. To have Tomcat support HTTPS, the main work is configuring the SSL protocol; its configuration procedure and method can
4. The certificate is a very important key in a single sign-on authentication system; the security of the interaction between the client and the server rests on the certificate.

II. Using certificates

1. Generate a certificate with the keytool utility bundled with the JDK:
Keytool usage example:
2. Export the certificate
3. Import the certificate into the client JVM
Error seen when importing the certificate: java.io.IOException: Keystore was tampered with, or password was incorrect
4. Apply the certificate to the web server (Tomcat)

```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:/keys/wsriakey" keystorePass="keystore" />
```

Parameter description:
Once SSL is enabled in Tomcat, enter the address https://sso.:8443/ to access it.

III. Deploying the CAS server
4. Back-end database authentication

```xml
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="dataSource" />
    <property name="sql" value="select password from t_admin_user where login_name=?" />
    <property name="passwordEncoder" ref="MD5PasswordEncoder" />
</bean>
```

Add the following code just before the end of the file:

```xml
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <property name="url"><value>jdbc:mysql:///wsriademo</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>root</value></property>
</bean>

<bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg index="0">
        <value>MD5</value>
    </constructor-arg>
</bean>
```

(2) Copy cas-server-3.4.3.1\modules\cas-server-support-jdbc-3.4.3.1.jar
Configuration explanation:
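The following is an added example, written for this page rather than taken from it or from CAS itself. It reproduces what the MD5PasswordEncoder bean above does to a clear-text password, so that an administrator can pre-compute the value to store in t_admin_user.password and confirm that a stored row will match what QueryDatabaseAuthenticationHandler computes at login. It assumes that CAS 3.4's DefaultPasswordEncoder renders the digest as lowercase hex of the configured algorithm; the UTF-8 charset, the constant-time comparison, the class name CasPasswordCheck and the sample table row are choices made here. The algorithm string is the same one passed in the `<value>MD5</value>` constructor argument, so if that value is changed (for example to SHA-256, since an unsalted MD5 table offers little resistance to offline cracking once leaked) the check below changes with it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not CAS code): mirrors DefaultPasswordEncoder(algorithm) as used by the
 * MD5PasswordEncoder bean, plus the parameterised lookup the handler's SQL performs.
 * Assumption: the digest is hex-encoded in lowercase, as CAS 3.4 does.
 */
public final class CasPasswordCheck {
    private final String algorithm;

    public CasPasswordCheck(String algorithm) {
        this.algorithm = algorithm;   // e.g. "MD5", the constructor-arg of the bean
    }

    /** Digest the clear-text password and return lowercase hex, the form stored in the table. */
    public String encode(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JVM has no digest named " + algorithm, e);
        }
    }

    /** Constant-time comparison so response timing does not leak how many leading hex digits matched. */
    public boolean matches(String clearText, String storedHash) {
        if (storedHash == null) {
            return false;
        }
        return MessageDigest.isEqual(encode(clearText).getBytes(StandardCharsets.UTF_8),
                                     storedHash.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Same lookup as the configured SQL. The login name is bound to the '?' placeholder,
     * never concatenated into the statement, which is what keeps the query injection-safe.
     */
    public boolean authenticate(Connection conn, String loginName, String clearText) throws SQLException {
        String sql = "select password from t_admin_user where login_name=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, loginName);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;   // unknown login name: same outcome as a wrong password
                }
                return matches(clearText, rs.getString(1));
            }
        }
    }

    public static void main(String[] args) {
        CasPasswordCheck check = new CasPasswordCheck("MD5");
        // Constructed sample row standing in for the t_admin_user table (login_name -> password).
        Map<String, String> table = new HashMap<String, String>();
        table.put("admin", check.encode("admin123"));
        System.out.println("value to store in t_admin_user.password: " + table.get("admin"));
        System.out.println("admin / admin123 accepted: " + check.matches("admin123", table.get("admin")));
        System.out.println("admin / wrong accepted:    " + check.matches("wrong", table.get("admin")));
    }
}
```

Run the main method to obtain the hash for a given clear-text password before inserting the row; the authenticate method can be pointed at the same DriverManagerDataSource connection the bean definition above describes to confirm the stored row is accepted end to end.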
```xml
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.1.12</version>
</dependency>
```

2. Configure web.xml as follows:

```xml
<!-- Used for single sign-out: this listener implements single logout; optional -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter implements single logout; optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter performs user authentication; it must be enabled -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://localhost:8443/cas/login</param-value>
        <!-- the server here is the CAS server's IP -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the Ticket; it must be enabled -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest, for example so that developers can obtain the
     SSO user's login name through HttpServletRequest.getRemoteUser(); optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Automatically sets this system's user information from the single sign-on result -->
<filter>
    <display-name>AutoSetUserAdapterFilter</display-name>
    <filter-name>AutoSetUserAdapterFilter</filter-name>
    <filter-class>com.cas.client.filter.AutoSetUserAdapterFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AutoSetUserAdapterFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Two points to note:

3. The code of the AutoSetUserAdapterFilter class that stores the logged-in user's session information is as follows:

```java
package com.cas.client.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.jasig.cas.client.validation.Assertion;

public class AutoSetUserAdapterFilter implements Filter {

    public void destroy() {
    }

    /**
     * Filter logic: first check whether the single sign-on account already exists in this
     * system; if not, query the user object through the user lookup interface and store it
     * in the session.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // _const_cas_assertion_ is the session attribute under which CAS stores the login assertion
        Object object = httpRequest.getSession().getAttribute("_const_cas_assertion_");
        if (object != null) {
            Assertion assertion = (Assertion) object;
            String loginName = assertion.getPrincipal().getName();
            System.out.println("Login name: " + loginName);
            // Next, in this business system, fetch the user object by login name and check whether
            // it is already in the session; if not, fetch it and save it to the session,
            // otherwise use the existing user object directly.
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
```

V. Beautifying the CAS server interface
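Returning to the client configuration in section 2 and 3 above: the AutoSetUserAdapterFilter leaves the local user lookup and session handling as a comment. The following added example, written for this page and not part of the original filter or of cas-client, completes that step. It reads the principal through AssertionHolder, which the CAS Assertion Thread Local Filter in the web.xml above populates, and falls back to the _const_cas_assertion_ session attribute; it then resolves the principal to a local user once per login and caches it in the session, re-checking that the cached user still belongs to the current principal. The UserLookup interface, the LocalUser class, the session attribute names and the userLookupClass init-param are hypothetical names invented here; the application supplies the real lookup.

```java
package com.cas.client.filter;

import java.io.IOException;
import java.io.Serializable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

/**
 * Added example, not the page's own filter: resolves the CAS principal to this application's
 * user record once per login and caches it in the HTTP session. UserLookup, LocalUser and the
 * "userLookupClass" init-param are hypothetical names invented for this example.
 */
public class CasUserSessionFilter implements Filter {
    /** Session attribute names chosen for this example (not CAS constants). */
    static final String USER_KEY = "localUser";
    static final String PRINCIPAL_KEY = "localUserPrincipal";
    /** Session attribute written by the CAS client after ticket validation. */
    static final String CAS_ASSERTION_KEY = "_const_cas_assertion_";

    /** Hypothetical lookup into the business system's user store. */
    public interface UserLookup {
        LocalUser findByLoginName(String loginName);
    }

    /** Hypothetical local user record; Serializable so the session can be persisted. */
    public static final class LocalUser implements Serializable {
        public final String loginName;
        public final String displayName;

        public LocalUser(String loginName, String displayName) {
            this.loginName = loginName;
            this.displayName = displayName;
        }
    }

    private UserLookup lookup;

    /** The container instantiates filters with a no-arg constructor, so the lookup is created here. */
    public void init(FilterConfig cfg) throws ServletException {
        String cls = cfg.getInitParameter("userLookupClass");   // hypothetical init-param
        if (cls == null) {
            throw new ServletException("init-param userLookupClass is required");
        }
        try {
            lookup = (UserLookup) Class.forName(cls).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new ServletException("cannot instantiate UserLookup " + cls, e);
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // Preferred source: the thread-local that AssertionThreadLocalFilter set earlier in the chain.
        Assertion assertion = AssertionHolder.getAssertion();
        if (assertion == null) {
            // Fallback: the session attribute stored by the CAS client filters, without creating a session.
            HttpSession existing = req.getSession(false);
            Object o = existing == null ? null : existing.getAttribute(CAS_ASSERTION_KEY);
            if (o instanceof Assertion) {
                assertion = (Assertion) o;
            }
        }
        if (assertion != null) {
            refreshSessionUser(req.getSession(), assertion.getPrincipal().getName());
        }
        chain.doFilter(request, response);
    }

    /**
     * Reuses the cached user only when it belongs to the current CAS principal, so a session
     * that is reused after a logout and a login as someone else never keeps the old user.
     * Returns true when a lookup against the user store was performed.
     */
    boolean refreshSessionUser(HttpSession session, String principal) {
        boolean cachedForSamePrincipal = session.getAttribute(USER_KEY) != null
                && principal.equals(session.getAttribute(PRINCIPAL_KEY));
        if (cachedForSamePrincipal) {
            return false;
        }
        LocalUser user = lookup.findByLoginName(principal);
        if (user == null) {
            // Authenticated at CAS but unknown locally: drop any stale entry rather than keep it.
            session.removeAttribute(USER_KEY);
            session.removeAttribute(PRINCIPAL_KEY);
        } else {
            session.setAttribute(USER_KEY, user);
            session.setAttribute(PRINCIPAL_KEY, principal);
        }
        return true;
    }

    public void destroy() {
        lookup = null;
    }
}
```

Filter order in the chain follows the order of the filter-mapping elements in web.xml, so this filter's mapping must come after the CAS Validation Filter and the CAS Assertion Thread Local Filter, exactly where the AutoSetUserAdapterFilter mapping sits above. Where the CAS HttpServletRequest Wrapper Filter is also enabled, req.getRemoteUser() returns the same principal name and could replace the AssertionHolder call. The single sign-out listener invalidates the session on logout, which removes the cached user with it; the principal check covers the remaining case of a session that is still alive when a different user signs in.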