A quick guide to configuring CAS single sign-on


How it works

Every request to a subsystem is intercepted by the CAS filter (the CAS filter defined in web.xml). The filter redirects the browser to the CAS Server, which checks whether the user is already logged in; if not, the user is sent to the login page (hosted inside the CAS Server). After a successful login the user is redirected back to the page of this system that was originally requested. At that point the session contains an attribute named edu.yale.its.tp.cas.client.filter.user, which holds the user's login name.

CAS official website

http://www.jasig.org/cas

Download the latest server release, CAS Server 3.3.3 Final.

After unpacking it, deploy cas-server-webapp-3.3.3.war from the modules directory to the web server; this becomes the single sign-on server.

The login server ships with many configuration files, and a number of extensions can be made purely through configuration.

Modification 1: authenticate against our own user table

This is the integration point between CAS and the existing system.

1. Edit deployerConfigContext.xml

Add the data source configuration (the & characters in the JDBC URL must be written as &amp; inside XML):

XML/HTML code
<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
        <value>com.mysql.jdbc.Driver</value>
    </property>
    <property name="url">
        <value>jdbc:mysql://192.168.1.100/ires?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</value>
    </property>
    <property name="username">
        <value>ires</value>
    </property>
    <property name="password">
        <value>i709394</value>
    </property>
</bean>
Define the MD5 password encoder. This produces an unsalted MD5 hex digest of the submitted password, so it must match the format the existing user table already stores; unsalted MD5 is a weak password hash and is used here only because the existing table dictates it.

XML/HTML code
<bean id="passwordEncoder"
      class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
    <constructor-arg value="MD5" />
</bean>
Configure the authenticationHandlers property under authenticationManager:

XML/HTML code
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="casDataSource" />
    <property name="sql" value="select community_password from community_user_info where lower(community_user_info.community_user) = lower(?)" />
    <property name="passwordEncoder" ref="passwordEncoder" />
</bean>
Modification 2: retrieve and store user information so that every client can obtain it in the same way

1. Define an attributeRepository that looks up the user's details through JDBC; it can pull in the user table as well as the user's organization, roles and so on.

XML/HTML code
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
    <constructor-arg index="0" ref="casDataSource" />
    <constructor-arg index="1">
        <list>
            <value>username</value>
            <value>username</value>
        </list>
    </constructor-arg>
    <constructor-arg index="2">
        <value>
            select *, (SELECT orgn_organization.id from orgn_organization left join orgn_member on orgn_member.orgn_id = orgn_organization.id left join community_user_info on community_user_info.id = orgn_member.user_id where community_user_info.community_user = ?) as orgnId from community_user_info where community_user = ?
        </value>
    </constructor-arg>
    <property name="columnsToAttributes">
        <map>
            <entry key="id" value="id" />
            <entry key="community_user" value="userName" />
            <entry key="orgnId" value="orgnId" />
            <entry key="is_admin" value="isAdmin" />
        </map>
    </property>
</bean>
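To make the two JDBC lookups concrete (the authentication query under Modification 1 and the attribute query just above), here is an added Python model that runs the page's own SQL and column mapping against an in-memory SQLite copy of the tables. It is not CAS code; the table rows (user alice with org id 3) and the password are constructed sample data.

```python
import hashlib
import sqlite3

# The same SQL and column map the two beans on this page are configured with
AUTH_SQL = ("select community_password from community_user_info "
            "where lower(community_user_info.community_user) = lower(?)")
ATTR_SQL = ("select *, (SELECT orgn_organization.id from orgn_organization "
            "left join orgn_member on orgn_member.orgn_id = orgn_organization.id "
            "left join community_user_info on community_user_info.id = orgn_member.user_id "
            "where community_user_info.community_user = ?) as orgnId "
            "from community_user_info where community_user = ?")
COLUMNS_TO_ATTRIBUTES = {"id": "id", "community_user": "userName",
                         "orgnId": "orgnId", "is_admin": "isAdmin"}


def md5_encode(password):
    """DefaultPasswordEncoder("MD5") stores the unsalted lowercase hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_sample_db():
    """In-memory SQLite stand-in for the MySQL schema; all rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        create table community_user_info(id integer, community_user text,
                                         community_password text, is_admin integer);
        create table orgn_organization(id integer, name text);
        create table orgn_member(orgn_id integer, user_id integer);
        insert into orgn_organization values (3, 'sample org');
        insert into orgn_member values (3, 7);
    """)
    db.execute("insert into community_user_info values (?, ?, ?, ?)",
               (7, "alice", md5_encode("s3cret"), 1))
    return db


def authenticate(db, username, password):
    """QueryDatabaseAuthenticationHandler: fetch the stored hash for the user
    (case-insensitive match) and compare it with the hash of the submitted password."""
    row = db.execute(AUTH_SQL, (username,)).fetchone()
    return row is not None and row[0] == md5_encode(password)


def resolve_attributes(db, username):
    """SingleRowJdbcPersonAttributeDao: bind the username to both placeholders,
    then rename the columns of the single result row via columnsToAttributes."""
    row = db.execute(ATTR_SQL, (username, username)).fetchone()
    if row is None:
        return None
    return {attr: row[col] for col, attr in COLUMNS_TO_ATTRIBUTES.items()}
```

Note that the attribute query compares community_user exactly while the authentication query lower-cases both sides; on MySQL with its default case-insensitive collation both match, but on a case-sensitive database a user who logs in as ALICE authenticates and then gets no attributes.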
2. Configure the credentialsToPrincipalResolvers property of authenticationManager

XML/HTML code
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
    <property name="attributeRepository" ref="attributeRepository" />
</bean>
Note: by default the CAS login server does not pass user attributes to the client, so edit WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp and add:

XML/HTML code
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
    <cas:attributes>
        <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
            <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
    </cas:attributes>
</c:if>
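With that JSP change in place, the client's validation filter receives a CAS 2.0 service response carrying the released attributes. The following Python parser is an added illustration (not code from the page or from the CAS client): it reads such a response, treats anything without an authenticationSuccess element as a failed validation, and collects the attribute elements by name. Both responses are constructed samples, including the placeholder ticket id ST-1.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of the CAS 2.0 protocol elements

# Constructed sample responses: what /serviceValidate returns after the JSP change,
# and a failure response for a ticket the server does not recognise.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:id>7</cas:id>
      <cas:userName>alice</cas:userName>
      <cas:orgnId>3</cas:orgnId>
      <cas:isAdmin>1</cas:isAdmin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    ticket 'ST-1' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_response(xml_text):
    """Return {"ok": True, "user", "attributes"} on success, {"ok": False, "code"} otherwise.
    Only an explicit <cas:authenticationSuccess> element counts as a valid login."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        code = failure.get("code") if failure is not None else "UNKNOWN"
        return {"ok": False, "code": code}
    attrs = {}
    attributes = success.find(f"{{{CAS_NS}}}attributes")
    if attributes is not None:
        for el in attributes:
            # element names are the attribute keys written by the JSP's <cas:${attr.key}>
            attrs[el.tag.split("}", 1)[1]] = (el.text or "").strip()
    return {"ok": True, "user": success.findtext(f"{{{CAS_NS}}}user"), "attributes": attrs}
```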
Modification 3: store login sessions in the database

This way the server does not lose sessions when it is restarted.

1. Edit ticketRegistry.xml

Replace the default ticketRegistry with:

XML/HTML code
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.JpaTicketRegistry">
    <constructor-arg index="0" ref="entityManagerFactory" />
</bean>

<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="dataSource" ref="dataSource" />
    <property name="jpaVendorAdapter">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
            <property name="generateDdl" value="true" />
            <property name="showSql" value="true" />
        </bean>
    </property>
    <property name="jpaProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
            <prop key="hibernate.hbm2ddl.auto">update</prop>
        </props>
    </property>
</bean>

<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
      p:entityManagerFactory-ref="entityManagerFactory" />

<tx:annotation-driven transaction-manager="transactionManager" />

<bean id="dataSource"
      class="org.apache.commons.dbcp.BasicDataSource"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:url="jdbc:mysql://192.168.1.100:3306/cas?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true"
      p:password="709394"
      p:username="itravel" />
After this configuration some additional jars are required; look online for whichever packages the error messages report as missing. The p: and tx: prefixes used above need the matching Spring namespaces (xmlns:p and xmlns:tx) declared on the root beans element, and showSql="true" logs every ticket query, which is useful while setting up but noisy in production.

Modification 4: configure the remember-me feature so that clients keep their session permanently

1. Edit deployerConfigContext.xml

Add the authenticationMetaDataPopulators property to authenticationManager:

XML/HTML code
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
    </list>
</property>
2. Edit cas-servlet.xml

Change the authenticationViaFormAction configuration to:

XML/HTML code
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:formObjectClass="org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials"
      p:formObjectName="credentials"
      p:validator-ref="UsernamePasswordCredentialsValidator"
      p:warnCookieGenerator-ref="warnCookieGenerator" />
Add the UsernamePasswordCredentialsValidator bean:

XML/HTML code
<bean id="UsernamePasswordCredentialsValidator" class="org.jasig.cas.validation.UsernamePasswordCredentialsValidator" />
Edit ticketExpirationPolicies.xml and configure grantingTicketExpirationPolicy as follows. Note that the timeout has to be increased, otherwise the session expires too easily and the remember-me effect is not achieved. TimeoutExpirationPolicy takes its value in milliseconds; 2592000000 is 30 days.

XML/HTML code
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
    <property name="sessionExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <constructor-arg index="0" value="2592000000" />
        </bean>
    </property>
    <property name="rememberMeExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <constructor-arg index="0" value="2592000000" />
        </bean>
    </property>
</bean>
Modification 5: disable HTTPS

When the network is reasonably secure and the system's security requirements are not that high, HTTPS can be disabled to make the system easier to deploy. Bear in mind that without TLS the CASTGC cookie and the service tickets cross the network in cleartext, so anyone on the network path can observe them; keep this setting for isolated test networks.

1. Edit ticketGrantingTicketCookieGenerator.xml

XML/HTML code
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="-1"
      p:cookieName="CASTGC"
      p:cookiePath="/cas" />
Set p:cookieSecure to false, and change the single sign-on server URLs in the client's web.xml to http.

Configuration for using HTTPS

1. Generating and importing the certificate

Below is a bat script that generates the certificate and imports it. If the web application and the single sign-on server are deployed on the same machine it can be run in one go.

Batch script
@echo off
if "%JAVA_HOME%" == "" goto error
@echo on

@echo off
cls
rem please set the env JAVA_HOME before running this bat file
rem delete the alias tomcatsso if it already exists
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
REM (note: remove any certificate named tomcatsso that may already exist on the system)
rem list all aliases in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
REM (note: list the certificates present in the system trust store)
rem generate a key
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=localhost" -storepass changeit
REM (note: generate a certificate with alias tomcatsso using RSA, store password changeit and DN "cn=localhost"; this DN must exactly match the full name of the host, do not forget!)
rem export the key
keytool -export -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -storepass changeit
REM (note: export the certificate with alias tomcatsso from the keystore into the file tomcatsso.crt)
rem import into trust cacerts
keytool -import -alias tomcatsso -file "%java_home%/jre/lib/security/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
REM (note: import tomcatsso.crt into the JRE's trusted certificate store. A JDK install has two jre directories, one under the jdk and one standalone; the directory used here must be the jre that Tomcat runs on, otherwise Tomcat's HTTPS communication will not find the certificate later)
rem list all aliases in the cacerts
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
pause
goto end

:error
echo 请先设置JAVA_HOME环境变量
:end
2. Copy the .keystore file into Tomcat's conf directory. Note that .keystore is generated in the user's home folder when the certificate is created; on Windows, for example, it lands under C:\Documents and Settings\[yourusername]\.

3. Configure Tomcat: open the HTTPS port 8443 and point it at the keystore.

XML/HTML code
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/.keystore" keystorePass="changeit" truststoreFile="C:\Program Files\Java\jdk1.5.0_07\jre\lib\security\cacerts" />
 

Client configuration

The client download link on the CAS official site is fairly hidden and not fully publicized; the exact address is

http://www.ja-sig.org/downloads/cas-clients/

Download the latest cas-client-3.1.6-release.zip

1. After unpacking it, put the jars under modules into our web application.

2. Configure web.xml. Note that encodingFilter must be configured before the CAS filters, otherwise data inserted into the database ends up garbled.

serverName is the address and port of our web application.

XML/HTML code
<context-param>
    <param-name>serverName</param-name>
    <param-value>192.168.1.145:81</param-value>
</context-param>

<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.CharacterEncodingFilter
    </filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.htm</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.ftl</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.xhtml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.shtml</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>*.vm</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.session.SingleSignOutFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
</listener>
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.authentication.AuthenticationFilter
    </filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://192.168.1.100/cas/login</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
    </filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://192.168.1.100/cas</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.HttpServletRequestWrapperFilter
    </filter-class>
</filter>
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>
        org.jasig.cas.client.util.AssertionThreadLocalFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
3. Import the certificate. This step can be skipped if HTTPS is not used. Copy the tomcatsso.crt certificate to the C: drive and run the following commands from the JDK's bin directory.

Batch commands
rem (note: remove any certificate named tomcatsso that may already exist on the system)
keytool -delete -alias tomcatsso -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit

rem import the trusted SERVER certificate into the client's JVM (administrator rights may be required)
keytool -import -alias tomcatsso -file "c:/tomcatsso.crt" -keystore "%java_home%/jre/lib/security/cacerts" -storepass changeit
Example of obtaining the login user name and user attributes on the client

Java code
// Relies on the CAS HttpServletRequest Wrapper Filter configured above, which is what makes
// getUserPrincipal() return an org.jasig.cas.client.authentication.AttributePrincipal
HttpServletRequest request = ServletActionContext.getRequest();
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
String username = principal.getName();
// attribute names are those defined in the attributeRepository's columnsToAttributes map
Long orgnId = Long.parseLong(principal.getAttributes().get("orgnId").toString());


This article comes from the CSDN blog; when reproducing it please cite the source: http://blog.csdn.net/liuzhenwen/archive/2010/01/31/5274865.aspx
