jasig CAS實現單點登錄(數據庫認證)
這個CAS( Central Authentication Service)是耶魯大學的開源項目,旨在實現企業應用單點登錄,還是很不錯的。其官網 http://www.jasig.org/cas 。
- 實驗環境: </ul>
1.jdk7_45 2.tomcat7_45 3.三臺虛擬機: 1.tomcat1(部署cas驗證服務器) 2.tomcat2(其中部署了兩個web應用cas-web-client, cas-web-client2) 3.mysql server一臺(直接到數據庫種驗證)
- 原理圖: </ul>
- 資源下載地址:
- CAS服務器配置:
解壓之,jar會再modules目錄下,其他都為源代碼項目
已經打包的server:
client:
------------------------------------------------------
開始搭建:
1.在tomcat1所在機器生成證書:
這時會在用戶主目錄下生成.keystore文件,這個文件也可在上述命令種指定,其中生成過程會填入一些信息,注意輸入第一個時(名字與姓氏)就輸入你本機器的域名(不能時IP), 這里我的是www.tomcat1.com:
2.導出證書(后面將其導入客戶端的jre環境中):
于是在用戶主目錄下就有了ssotest.crt證書文件(保留著,待會客戶端配置要用),
3.配置Tomcat SSL: ${TOMCAT_HOME}/conf/server.xml中83-93行修改為:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!-- configure ssl -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/tomcatadmin/.keystore"
keystorePass="ssotest"/>4.將上面下載資源中的cas-server-webapp-3.5.2.war改名為cas.war, 復制到${TOMCAT_HOME}/webapps/下,啟動tomcat,這時進入https://www.tomcat1.com:8443/cas/, 見下圖,則服務端已經配置ok: 
這時輸入用戶名及密碼(保持一樣就可以,默認CAS驗證方式只要用戶名密碼一樣就行), 可見其默認驗證實現類SimpleTestUsernamePasswordAuthenticationHandler:
public final class SimpleTestUsernamePasswordAuthenticationHandler extends
AbstractUsernamePasswordAuthenticationHandler {
public boolean authenticateUsernamePasswordInternal(final UsernamePasswordCredentials credentials) {
final String username = credentials.getUsername();
final String password = credentials.getPassword();
if (StringUtils.hasText(username) && StringUtils.hasText(password)
&& username.equals(getPasswordEncoder().encode(password))) {//用戶名及密碼相同就成功
return true;
}
return false;
}
} 這樣CAS服務端就默認配置完畢了,待會兒我們還要配置數據庫驗證。
- 配置web客戶端:
1.生成.keystore(同上);
2.將CAS服務端的導出ssotest.crt證書拷貝到某目錄,并且導入到客戶端機器的jre運行環境中:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/ssotest.crt -alias ssotest # NOTE: 有可能會有異常:java.io.IOException: Keystore was tampered with, or password was incorrect. 那就先刪除本機上述的cacerts文件。
3.配置客戶端Tomcat SSL(同上);
4.新建WEB項目cas-web-client, 并加入依賴包:cas-client-core-3.2.1.jar,commons-logging-1.1.jar
5.配置web.xml:
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>cas-web-client2</display-name> <listener> <listener-class> org.jasig.cas.client.session.SingleSignOutHttpSessionListener </listener-class> </listener> <filter> <filter-name>CasSingleSignOutFilter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <filter-mapping> <filter-name>CasSingleSignOutFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CASFilter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name><!-- Cas Server登錄url--> <param-value>https://www.tomcat1.com:8443/cas/login</param-value> </init-param> <init-param><!-- 配置當前web應用所在的web服務器域名url --> <param-name>serverName</param-name> <param-value>http://www.tomcat2.com:8080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CASFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CasTicketFilter</filter-name> <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://www.tomcat1.com:8443/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://www.tomcat2.com:8080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CasTicketFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CasRequestWrapFilter</filter-name> <filter-class> org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CasRequestWrapFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>AssertionThreadLocalFilter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> </filter> <filter-mapping> <filter-name>AssertionThreadLocalFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app>
這樣cas-web-client就完成了,拷貝一份為另一個web客戶端cas-web-client2:
啟動Cas Server所在tomcat(Tomcat1),再啟動web客戶端所在tomcat(Tomcat2),此時我們訪問兩個web客戶端:
http://www.tomcat2.com:8080/cas-web-client/index.jsp
http://www.tomcat2.com:8080/cas-web-client2/index.jsp
都會被重定想到CAS Server登錄界面,登錄成功其中之一(將看到對應的index.jsp),再刷新另一個(也能看到對應的index.jsp了,因為已經登錄過了), 這就算服務端和客戶端都配置OK了。
------------------------------------------------------
- 現在就是要定制我們自己的驗證方式(基于數據庫驗證):
1.新建WEB項目cas-auth-server,你需要將cas-server-webapp-3.5.2.war中的資源對應拷貝到項目中,再把下載包中cas-server-webapp的源碼考到項目中,由于基于數據庫驗證,還得將cas-server-support-jdbc-3.5.2.jar和mysql-connector驅動包拷貝到WEB-INF/lib目錄下,這樣就構成了純凈的cas server項目,當然你也可以通過maven去構建,官網也有說明,如圖:
2.我們要做的是修改一些配置,就是WEB-INF/deployerConfigContext.xml文件,先配置mysql數據源:
<!-- DataSource,根據你的環境來定 -->
<bean id="mysqlDataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://192.168.141.129:3306/blog?useUnicode=true&characterEncoding=utf-8"/>
<property name="username" value="mysqladmin" />
<property name="password" value="mysqladmin" />
</bean> 3.修改 authenticationManager bean的屬性 authenticationHandlers:
<property name="authenticationHandlers">
<list>
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
<!--注釋掉默認的的認證實現<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />-->
<!-- 數據庫查詢認證處理器 -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="mysqlDataSource"/>
<property name="sql"
value="select password from t_user where username = ?" />
<property name="passwordEncoder" ref="myPasswordEncoder"></property>
</bean>
</list>
</property>
<!-- 自己定義的密碼轉譯器,你可以自己定義,也可以用CAS提供的 --> <bean id="myPasswordEncoder" class="org.jasig.cas.custom.encoder.MyPasswordEncoder" />
這樣就配置完成了,將項目導出war包,并部署到tomcat1所在機器上運行起來,效果會之前一樣。
來自:http://my.oschina.net/indestiny/blog/200768