# Single Sign-On (CAS) example #

雨点打透心脏的1/2处 · 2022-05-26 01:36

# 1. Overview #

Single Sign-On (SSO) means that, within a group of related application systems, logging in to one system grants authorization in all the others without logging in again. It has two parts: single sign-on and single sign-out.

CAS (Central Authentication Service) is a solid single sign-on framework for web applications. It consists of two parts: the CAS Server and the CAS Client. The CAS Server is deployed on its own and is responsible for authenticating users; the CAS Client handles requests for the client application's protected resources and, when a login is required, redirects to the CAS Server.

The workflow is shown in the diagram below:

![2018042221550192][]

# 2. Domain name configuration #

The environment needs three domain names. The simplest approach is to edit the Windows hosts file at C:\Windows\System32\drivers\etc\hosts and append:

```
127.0.0.1 cas.server.com
127.0.0.1 cas.client1.com
127.0.0.1 cas.client2.com
```

- cas.server.com --> the single sign-on server, which performs login authentication
- cas.client1.com --> application 1
- cas.client2.com --> application 2

# 3. Generating and importing the certificate #

I opened a command prompt in the D:\tools\tomcat\cas directory.

Generate the certificate (passwd is the certificate password):

```
keytool -genkey -alias ssodemo -keyalg RSA -keysize 1024 -keypass passwd -validity 365 -keystore ssodemo.keystore -storepass passwd
```

![20180429215017801][]

Export the certificate:

```
keytool -export -alias ssodemo -keystore ssodemo.keystore -file ssodemo.crt -storepass passwd
```

![20180429215129290][]

Import the certificate on the client side so that the JDK trusts it:

```
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file ssodemo.crt -alias ssodemo -storepass changeit
```

![20180429215337834][]

# 4. Deploying the CAS Server #

Download Tomcat: [https://tomcat.apache.org/download-90.cgi][https_tomcat.apache.org_download-90.cgi]

Unzip Tomcat. My extraction directory is D:\tools\tomcat\cas; rename the extracted folder to apache-tomcat-9.0.7-sever. CAS uses HTTPS by default and therefore needs a certificate, so put the ssodemo.keystore file generated in step 3 into D:\tools\tomcat\cas (as D:\tools\tomcat\cas\ssodemo.keystore).

Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\conf\server.xml and add the following connector; keystorePass is the certificate password, passwd:

```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="D:\tools\tomcat\cas\ssodemo.keystore" keystorePass="passwd"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8">
</Connector>
```

Start Tomcat by running D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\bin\startup.bat, then open [https://cas.server.com:8443/][https_cas.server.com_8443] in the browser.

![20180425200000379][]

Download the CAS Server: [https://github.com/apereo/cas/releases/tag/v3.5.2][https_github.com_apereo_cas_releases_tag_v3.5.2]. Download cas-server-3.5.2-release.zip, unzip it, take cas-server-webapp-3.5.2.war from the modules directory, rename it to cas.war, put it into D:\tools\tomcat\cas\apache-tomcat-9.0.7-sever\webapps, and restart Tomcat.

Open [https://cas.server.com:8443/cas/login][https_cas.server.com_8443_cas_login] to reach the CAS Server login page; any username whose password is identical to the username can log in.

![20180425200855948][]

![20180425201006107][]

# 5. Configuring CAS Client1 #

Unzip the Tomcat archive a second time in D:\tools\tomcat\cas and name the folder apache-tomcat-9.0.7-client1.

Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\conf\server.xml. Go to lines 1, 69 and 116 and find:

```xml
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```

Change them to:

```xml
<Server port="18005" shutdown="SHUTDOWN">
<Connector port="18080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" />
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
```

Start the client Tomcat by running D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\bin\startup.bat and open [http://cas.client1.com:18080/examples/servlets][http_cas.client1.com_18080_examples_servlets]. The page below means the configuration succeeded.

![20180425204715902][]

Download the CAS Client archive cas-client-3.3.2-release.zip: [https://developer.jasig.org/cas-clients/][https_developer.jasig.org_cas-clients]. Unzip it and copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar from the modules directory to D:\tools\tomcat\cas\apache-tomcat-9.0.7-client1\webapps\examples\WEB-INF\lib.

Then edit web.xml under webapps\examples\WEB-INF\ and add the following to the file:

```xml
<!-- ======================== Single sign-on: begin ======================== -->
<!-- Used for single sign-out; this listener implements single sign-out. Optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter implements single sign-out. Optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://cas.server.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.client1.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the ticket and must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://cas.server.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.client1.com:18080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest, for example so that
     HttpServletRequest.getRemoteUser() returns the SSO user's login name. Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the user's login name through
     org.jasig.cas.client.util.AssertionHolder, for example
     AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
```

Restart Tomcat and open [http://cas.client1.com:18080/examples/servlets][http_cas.client1.com_18080_examples_servlets] again; the page is now redirected to the CAS Server login page.

![20180425213927678][]

# 6. Configuring CAS Client2 #

Following the steps above, unzip Tomcat once more and name the directory apache-tomcat-9.0.7-client2.

Edit D:\tools\tomcat\cas\apache-tomcat-9.0.7-client2\conf\server.xml. Go to lines 1, 69 and 116 and find:

```xml
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```

Change them to:

```xml
<Server port="28005" shutdown="SHUTDOWN">
<Connector port="28080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="28443" />
<Connector port="28009" protocol="AJP/1.3" redirectPort="28443" />
```

Unzip cas-client-3.3.2-release.zip and copy cas-client-core-3.2.1.jar and commons-logging-1.1.jar from the modules directory to D:\tools\tomcat\cas\apache-tomcat-9.0.7-client2\webapps\examples\WEB-INF\lib.

Then edit web.xml under webapps\examples\WEB-INF\ and add the following to the file:

```xml
<!-- ======================== Single sign-on: begin ======================== -->
<!-- Used for single sign-out; this listener implements single sign-out. Optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- This filter implements single sign-out. Optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://cas.server.com:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.client2.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter validates the ticket and must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://cas.server.com:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.client2.com:28080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter wraps the HttpServletRequest, for example so that
     HttpServletRequest.getRemoteUser() returns the SSO user's login name. Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter lets developers obtain the user's login name through
     org.jasig.cas.client.util.AssertionHolder, for example
     AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== Single sign-on: end ======================== -->
```

Start Tomcat and open [http://cas.client2.com:28080/examples/][http_cas.client2.com_28080_examples]; the login page appears.

![20180425213927678][]

# 7. Testing #

Open [http://cas.client1.com:18080/examples/servlets][http_cas.client1.com_18080_examples_servlets] and, on the login page that appears, enter a username and an identical password. After a successful login the browser URL becomes:

```
http://cas.client1.com:18080/examples/servlets/;jsessionid=DC73E68683664F9DBAE207C3C677ECAC/
```
Then open [http://cas.client2.com:28080/examples/][http_cas.client2.com_28080_examples]: you are logged in automatically, and the URL becomes:

```
http://cas.client2.com:28080/examples/servlets;jsessionid=01E8EE38D169FD06C042060EEE0E3967/
```

This is because, once client1 has logged in, the server returns a token that is stored in a browser cookie. When client2 goes to log in, the browser automatically sends that token to the server for authentication, which passes straight away, so no second login is needed.

**All resources used in this post can be downloaded from: [https://download.csdn.net/download/u010889616/10383306][https_download.csdn.net_download_u010889616_10383306]**

[2018042221550192]: /images/20220526/4abf8c4776244b78bd509396317d400b.png
[20180429215017801]: /images/20220526/dc5390bd8869438f98272aef48fe95be.png
[20180429215129290]: /images/20220526/6b122d589682474da96312848f2c8507.png
[20180429215337834]: /images/20220526/792df187355343848dc77aa0a55f7d7a.png
[https_tomcat.apache.org_download-90.cgi]: https://tomcat.apache.org/download-90.cgi
[https_cas.server.com_8443]: https://cas.server.com:8443/
[20180425200000379]: /images/20220526/a3a3fd19630f4c5fb4692fac514cf7e2.png
[https_github.com_apereo_cas_releases_tag_v3.5.2]: https://github.com/apereo/cas/releases/tag/v3.5.2
[https_cas.server.com_8443_cas_login]: https://cas.server.com:8443/cas/login
[20180425200855948]: /images/20220526/7414fb85505147d19fe4d0fcc52d9ff8.png
[20180425201006107]: /images/20220526/35d49dac2a49493b96aa4533acca1d2d.png
[http_cas.client1.com_18080_examples_servlets]: http://cas.client1.com:18080/examples/servlets
[20180425204715902]: /images/20220526/c9e19e16105d447194a4dce1974808a9.png
[https_developer.jasig.org_cas-clients]: https://developer.jasig.org/cas-clients/
[20180425213927678]: /images/20220526/7f4302fe6d394423a13d026a1b89c90e.png
[http_cas.client2.com_28080_examples]: http://cas.client2.com:28080/examples/
[https_download.csdn.net_download_u010889616_10383306]: https://download.csdn.net/download/u010889616/10383306
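The web.xml blocks in sections 5 and 6 are almost identical, and the usual mistake when building client2 is to leave one of the two serverName values pointing at client1, or to type a plain-HTTP CAS URL. The checker below is an added example, not the CAS client's own tooling: it parses a constructed copy of section 6's filter configuration (with the xmlns Tomcat's examples/WEB-INF/web.xml declares), looks up the three filter classes the post uses, and reports inconsistencies between the AuthenticationFilter and the validation filter that would make ticket validation fail or leave tickets in the clear. The function names, the sample documents and the broken variant are assumptions made for this example.

```python
# Added example (not the CAS client's own code): consistency checks for the CAS filter chain in web.xml.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_FILTER = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
WRAPPER_FILTER = "org.jasig.cas.client.util.HttpServletRequestWrapperFilter"

# Constructed from section 6 of the post; filter order and init-params are the post's.
CLIENT2_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
                <param-value>https://cas.server.com:8443/cas/login</param-value></init-param>
    <init-param><param-name>serverName</param-name>
                <param-value>http://cas.client2.com:28080</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
                <param-value>https://cas.server.com:8443/cas</param-value></init-param>
    <init-param><param-name>serverName</param-name>
                <param-value>http://cas.client2.com:28080</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>
"""

# Constructed broken variant: the validation filter's serverName was left on client1 after copying
# section 5's block, and casServerLoginUrl was changed to plain HTTP.
_head, _, _tail = CLIENT2_WEB_XML.rpartition("http://cas.client2.com:28080")
BROKEN_WEB_XML = (_head + "http://cas.client1.com:18080" + _tail).replace(
    "https://cas.server.com:8443/cas/login", "http://cas.server.com:8080/cas/login")


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds, so the checker works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_filters(web_xml):
    """Return ({filter-name: (filter-class, {init-param name: value})}, [mapped filter names in order])."""
    filters, order = {}, []
    for el in ET.fromstring(web_xml):
        kids = {_local(c.tag): c for c in el}
        if _local(el.tag) == "filter":
            params = {}
            for p in el:
                if _local(p.tag) == "init-param":
                    kv = {_local(x.tag): (x.text or "").strip() for x in p}
                    params[kv["param-name"]] = kv["param-value"]
            filters[kids["filter-name"].text.strip()] = (kids["filter-class"].text.strip(), params)
        elif _local(el.tag) == "filter-mapping":
            order.append(kids["filter-name"].text.strip())
    return filters, order


def check_cas_config(web_xml, expected_server_name=None):
    """Return a list of findings; an empty list means the CAS filter chain is consistent."""
    filters, order = parse_filters(web_xml)
    by_class = {cls: params for cls, params in filters.values()}
    findings = []
    auth, val = by_class.get(AUTH_FILTER), by_class.get(VALIDATION_FILTER)
    if auth is None:
        findings.append("AuthenticationFilter missing: unauthenticated requests are never sent to CAS")
    if val is None:
        findings.append("ticket validation filter missing: the post marks it as mandatory")
    if auth is None or val is None:
        return findings
    # Both filters must agree on serverName: the validation request quotes the service URL the ticket
    # was issued for, and CAS rejects a ticket presented for a different service.
    names = {auth.get("serverName"), val.get("serverName")}
    if len(names) != 1 or None in names:
        findings.append("serverName differs between the two filters: " + ", ".join(sorted(map(str, names))))
    elif expected_server_name and expected_server_name not in names:
        findings.append(f"serverName is {names.pop()} but this client is {expected_server_name}")
    login_url, prefix = auth.get("casServerLoginUrl", ""), val.get("casServerUrlPrefix", "")
    for key, url in (("casServerLoginUrl", login_url), ("casServerUrlPrefix", prefix)):
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not https ({url}): credentials and tickets would travel in clear text")
    if not login_url.startswith(prefix.rstrip("/") + "/"):
        findings.append("casServerLoginUrl is not under casServerUrlPrefix: login and validation use different CAS servers")
    # Mapping order as in the post: authenticate, then validate, then wrap the request with the assertion
    mapped = [filters[n][0] for n in order if n in filters]
    pos = {cls: i for i, cls in enumerate(mapped)}
    if AUTH_FILTER in pos and VALIDATION_FILTER in pos and pos[AUTH_FILTER] > pos[VALIDATION_FILTER]:
        findings.append("AuthenticationFilter is mapped after the validation filter")
    if WRAPPER_FILTER in pos and VALIDATION_FILTER in pos and pos[WRAPPER_FILTER] < pos[VALIDATION_FILTER]:
        findings.append("HttpServletRequestWrapperFilter is mapped before the validation filter that stores the assertion")
    return findings


if __name__ == "__main__":
    print("client2:", check_cas_config(CLIENT2_WEB_XML, "http://cas.client2.com:28080"))
    print("broken: ", check_cas_config(BROKEN_WEB_XML))
```

Passing the client's own URL as expected_server_name catches the copy-and-paste case where both serverName values are still client1's: the chain is internally consistent, but every ticket would be issued for a service URL this deployment never serves. Note also that the validation filter opens an HTTPS connection to casServerUrlPrefix using the JDK trust store populated in section 3, so that connection only succeeds if the imported certificate's name matches cas.server.com.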
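The explanation in section 7 compresses three separate exchanges: the browser's TGC cookie for cas.server.com, the service ticket CAS appends to the redirect back to each client, and the client's own call to /cas/serviceValidate before it creates its session (the jsessionid seen in the URL). The model below is an added example, not code from the post or from CAS: CasServer, CasClient and Browser are constructed stand-ins for cas.server.com, the two Tomcat clients and the user's browser, ST_LIFETIME_SECONDS is an assumed value, and the in-memory ticket tables are a simplification. It replays the section 7 test (login on client1, automatic login on client2) and then shows the two properties a client relies on when it validates a ticket: the ticket is bound to the service URL it was issued for, and it can be validated only once.

```python
# Added example (not from the post or from CAS): an in-process model of the CAS 2.0 login flow.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ST_LIFETIME_SECONDS = 10  # assumed service-ticket lifetime for this model


class CasServer:
    """Plays cas.server.com: /cas/login issues tickets, /cas/serviceValidate checks them."""

    def __init__(self, users):
        self.users = users   # constructed username -> password table
        self.tgts = {}       # TGT id (the value of the TGC cookie) -> username
        self.sts = {}        # service ticket -> (service, username, issued_at)

    def login(self, service, username=None, password=None, tgc=None):
        """Return (redirect_url_with_ticket, tgc), or ("LOGIN_PAGE", None) when credentials are needed."""
        if tgc in self.tgts:                      # browser already holds a valid TGC: no re-login
            username = self.tgts[tgc]
        elif username is not None and self.users.get(username) == password:
            tgc = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = username
        else:
            return "LOGIN_PAGE", None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (service, username, time.time())
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": st}), tgc

    def service_validate(self, service, ticket):
        """Return the username if the ticket is valid for this service, otherwise None."""
        entry = self.sts.pop(ticket, None)        # pop: a ticket can be validated only once
        if entry is None:
            return None
        bound_service, username, issued_at = entry
        if bound_service != service:              # issued for another service URL
            return None
        if time.time() - issued_at > ST_LIFETIME_SECONDS:
            return None
        return username


class CasClient:
    """Plays an application such as cas.client1.com; server_name is the web.xml serverName."""

    def __init__(self, server_name):
        self.server_name = server_name
        self.sessions = {}   # JSESSIONID -> username (the validated assertion)


def ticket_of(redirect_url):
    """Extract the ticket parameter CAS appended to the redirect URL."""
    return parse_qs(urlparse(redirect_url).query)["ticket"][0]


class Browser:
    """Keeps the TGC cookie for cas.server.com and one session cookie per client host."""

    def __init__(self, cas):
        self.cas = cas
        self.tgc = None
        self.cookies = {}    # client server_name -> JSESSIONID

    def visit(self, client, path, credentials=None):
        """Open a protected page; returns ("ok", username) or ("login_required", None)."""
        session_id = self.cookies.get(client.server_name)
        if session_id in client.sessions:
            return "ok", client.sessions[session_id]
        service = client.server_name + path
        # AuthenticationFilter: no assertion in the session -> redirect to casServerLoginUrl?service=...
        username, password = credentials or (None, None)
        result, tgc = self.cas.login(service, username, password, tgc=self.tgc)
        if result == "LOGIN_PAGE":
            return "login_required", None
        self.tgc = tgc                            # Set-Cookie from cas.server.com
        ticket = ticket_of(result)                # CAS redirected back to service?ticket=ST-...
        # Validation filter: the client itself calls casServerUrlPrefix/serviceValidate
        user = self.cas.service_validate(service, ticket)
        if user is None:
            return "validation_failed", None
        session_id = "JSESSIONID-" + secrets.token_hex(8)
        client.sessions[session_id] = user
        self.cookies[client.server_name] = session_id
        return "ok", user


def demo():
    """Replay section 7, then show service binding and single use of a ticket."""
    cas = CasServer({"alice": "alice"})           # constructed user; the demo CAS accepts password == username
    client1 = CasClient("http://cas.client1.com:18080")
    client2 = CasClient("http://cas.client2.com:28080")
    browser = Browser(cas)
    results = {}
    results["anonymous"] = browser.visit(client1, "/examples/servlets")
    results["client1_login"] = browser.visit(client1, "/examples/servlets", ("alice", "alice"))
    results["client2_sso"] = browser.visit(client2, "/examples/")   # no credentials: the TGC is enough
    url_a, _ = cas.login(client1.server_name + "/a", tgc=browser.tgc)
    results["wrong_service"] = cas.service_validate(client2.server_name + "/a", ticket_of(url_a))
    url_b, _ = cas.login(client1.server_name + "/b", tgc=browser.tgc)
    results["first_use"] = cas.service_validate(client1.server_name + "/b", ticket_of(url_b))
    results["replay"] = cas.service_validate(client1.server_name + "/b", ticket_of(url_b))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `wrong_service` and `replay` entries come back as None: a ticket issued for client1 is useless to client2, and a ticket that has been validated once is gone, which is why the serverName in web.xml has to match the URL the browser actually uses and why a captured ticket URL cannot be reused.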