CAS SSO研究一:拋棄Https讓Cas以Http協議提供單點登入服務
阿新 • • 發佈:2019-01-30
本文環境:
1、apache-tomcat-7.0.50-windows-x86
2、cas-server-3.4.11
3、cas-client-3.2.1
將cas-server-webapp-3.4.11.war放入tomcat的webapps下,改名ROOT.war,啟動tomcat,待自動解壓後,進行如下修改:
1、修改WEB-INF\deployerConfigContext.xml,加入
p:requireSecure="false"
2、修改WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml,修改p:cookieSecure="false"<property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. +--> <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> </list> </property>
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
3、修改修改WEB-INF\spring-configuration\warnCookieGenerator.xml,修改p:cookieSecure="false"
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASPRIVACY"
p:cookiePath="/cas" />
經過以上三步,cas server端修改完畢
客戶端操作我習慣進行一下域名/IP對映,修改:C:\Windows\System32\drivers\etc\hosts 新增如下對映
127.0.0.1 cas.jkkl1314.com
127.0.0.1 c1.jkkl1314.com
127.0.0.1 c2.jkkl1314.com
在客戶端專案中加入cas-client-core-3.2.1.jar、commons-logging.jar,並在web.xml中加入:
<!-- ======================== 單點登入開始 ======================== -->
<!-- 用於單點退出,該過濾器用於實現單點登出功能,可選配置-->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 該過濾器用於實現單點登出功能,可選配置。 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://cas.jkkl1314.com:10000</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://c1.jkkl1314.com:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 該過濾器負責對Ticket的校驗工作,必須啟用它 -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://cas.jkkl1314.com:10000</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://c1.jkkl1314.com:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
該過濾器負責實現HttpServletRequest請求的包裹,
比如允許開發者通過HttpServletRequest的getRemoteUser()方法獲得SSO登入使用者的登入名,可選配置。
-->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
該過濾器使得開發者可以通過org.jasig.cas.client.util.AssertionHolder來獲取使用者的登入名。
比如AssertionHolder.getAssertion().getPrincipal().getName()。
-->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== 單點登入結束 ======================== -->
第二個客戶端專案只是修改了一下域名,在web.xml中加入的配置是一樣的!執行後即可實現單點登入!
以下兩邊文章對我幫助很大,特此感謝:
http://www.micmiu.com/enterprise-app/sso/sso-cas-sample/
http://blog.csdn.net/designlife/article/details/2956814