單點登陸cas實現2之tomcat支援https訪問
阿新 • • 發佈:2018-12-02
keystool 參考 https://blog.csdn.net/yjaspire/article/details/82858084
cas伺服器
(1)生成keystore檔案
keytool -genkey -keystore "D:\keystore\localhost.keystore" -alias testcj -keyalg RSA -validity 365 -dname "CN=localhost, OU=org, O=org.cj, L=昆明, ST=雲南, C=中國" -keypass testcj -storepass testcj
keytool命令如下
(2)修改server.xml檔案-新增如下配置
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="D:\keystore\localhost.keystore" keystorePass="testcj" maxThreads="150" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>
(3)註釋cas.properties下面的配置
//在配置http的時候新增的,如果沒有配置過http可以忽略
tgc.secure=false
warn.cookie.secure=false
啟動tomcat
使用同樣的證書配置兩個客戶端的https
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="D:\keystore\localhost.keystore" keystorePass="testcj" maxThreads="150" port="444" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="D:\keystore\localhost.keystore" keystorePass="testcj" maxThreads="150" port="446" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>
注意客戶端的埠
除此之外還要配置客戶端的web.xml將所有的http更改為https,如下
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<!-- 用於單點退出,該過濾器用於實現單點登出功能,可選配置 -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 該過濾器用於實現單點登出功能,可選配置。 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 該過濾器負責使用者的認證工作,必須啟用它 -->
<filter>
<filter-name>CASFilter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost/cas/login</param-value>
<!--這裡的server是服務端的IP -->
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://localhost</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 該過濾器負責對Ticket的校驗工作,必須啟用它 -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://localhost</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 該過濾器負責實現HttpServletRequest請求的包裹, 比如允許開發者通過HttpServletRequest的getRemoteUser()方法獲得SSO登入使用者的登入名,可選配置。 -->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 該過濾器使得開發者可以通過org.jasig.cas.client.util.AssertionHolder來獲取使用者的登入名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 -->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
更改完所有的配置之後,啟動伺服器和客戶端
發現可以正常訪問,但是在客戶端輸入使用者和密碼後登陸會出現如下錯誤
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:407)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:161)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
這是因為沒有將你的證書匯入至jdk的信任中,參考 https://blog.csdn.net/yjaspire/article/details/82858084
在匯入證書的時候可能會出現如下錯誤
keytool 錯誤: java.io.FileNotFoundException: C:\Java\jdk1.8.0_40\jre\lib\security\cacerts (拒絕訪問。)
這個可能是因為只有讀的許可權,可以設定資料夾許可權,或者放到D盤,匯入之後在覆蓋至jdk中.
此時,cas伺服器和兩個客戶端的地址如下
cas伺服器 https://localhost/cas/login
客戶端1號 https:localhost:446/casClient01
客戶端2號 https://localhost:444/casClient02
此時發現點選客戶端退出之後,是下面的提示
感覺不夠友好,需要實現在點選退出之後重新跳轉到登陸介面,如下配置
cas.properties檔案中
cas.logout.followServiceRedirects=true
上面的配置也只在4.2版本以上有效,4.2版本之後很多引數配置都可以在cas.properties中完成
同時修改index.jsp中退出登陸連結如下
<a href="http://localhost/cas/logout?service=https://www.baidu.com/">退出登入</a>
程式碼demo下載地址https://download.csdn.net/download/yjaspire/10691665
下載之後請先閱讀注意說明,