
CAS key configuration notes (version 3.4.2.1): X.509

Reference: cas证书登录好文 (a good article on certificate login with CAS)

The certificate-authentication logic is simple: X509CredentialsAuthenticationHandler does the work, and once authentication succeeds the server redirects straight back to the client without stopping on any server-side page.
 
1. Versions
JDK: 1.8
Tomcat: 7.0.39
Server: cas-server 3.4.1
Client: cas-client 3.4.1
 
2. Tomcat mutual (two-way) TLS configuration
Only the cas-server side needs HTTPS; the cas-client can keep using a plain HTTP connection.

The Tomcat 7.0.39 connector configuration that makes mutual authentication work:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:/temp/tomcat.keystore" keystorePass="password"
           truststoreFile="C:/temp/tomcat.keystore" truststorePass="password"/>
 
The certificate-related commands are as follows (Windows keytool; the paths are the author's).

Server key pair, then the exported server certificate:
keytool -genkey -v -alias tomcat -keyalg RSA -keystore F:\cas\keystore\tomcat.keystore -validity 36500
keytool -keystore F:\cas\keystore\tomcat.keystore -export -alias tomcat -file F:\cas\keystore\tomcat.cer

Client key pair in PKCS12 form (the .p12 is what gets imported into the browser), the exported client certificate, and its import into the server truststore (the same file as the server keystore in the connector above):
keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore F:\cas\keystore\client.key.p12
keytool -export -alias mykey -keystore F:\cas\keystore\client.key.p12 -storetype PKCS12 -storepass password -rfc -file F:\cas\keystore\client.key.cer
keytool -import -v -file F:\cas\keystore\client.key.cer -keystore F:\cas\keystore\tomcat.keystore

Both certificates imported into the JRE's cacerts, the trust store the cas-client JVM consults when it calls the server over HTTPS:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file F:\cas\keystore\tomcat.cer -alias tomcat
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file F:\cas\keystore\client.key.cer -alias mykey
 
Notes:
1) Browsers differ in how they handle mutual authentication; Chrome works best, showing the certificate-selection dialog every time.
2) When creating the server certificate, the DN must match the domain name in the URL (my understanding, still to be verified).
3) %JAVA_HOME%/jre/lib/security/cacerts sometimes has to be deleted and rebuilt (symptom: "unable to find valid certification path to requested target").
 
3. Installation and testing
1) The client reported "No principal was found"; the third method from the referenced article fixed it:

a) In the client's web.xml, configure:
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <!--<filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>-->
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas-server</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:7080</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>utf-8</param-value>
    </init-param>
    <init-param>
        <param-name>authn_method</param-name>
        <param-value>mfa-duo</param-value>
    </init-param>
</filter>
b) On the server, in casServiceValidationSuccess.jsp, add:
<%@ page session="false" contentType="application/xml;charset=utf-8" %>
 
2) Key cas-server configuration:
Note that configuring several Authentication Handlers and Principal Resolvers muddles the logic. Keep only the X.509-related ones; if several must coexist, the X.509 ones should come first.

a) login-webflow.xml
<decision-state id="gatewayRequestCheck">
    <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null" then="redirect" else="startAuthenticate" />
</decision-state>
<decision-state id="renewRequestCheck">
    <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null" then="startAuthenticate" else="generateServiceTicket" />
</decision-state>
<action-state id="startAuthenticate">
    <evaluate expression="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="viewLoginForm" />
</action-state>
 
b) cas-servlet.xml
<bean id="x509Check"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction">
    <property name="centralAuthenticationService" ref="centralAuthenticationService"/>
</bean>
 
c) deployerConfigContext.xml (the two properties below sit inside the authentication manager bean, whose closing tag is the last line)
<property name="credentialsToPrincipalResolvers">
    <list>
        <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
            <property name="identifier" value="$OU $CN" />
        </bean>
    </list>
</property>
<property name="authenticationHandlers">
    <list>
        <bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
            <property name="trustedIssuerDnPattern" value="CN=mykey.+" />
        </bean>
    </list>
</property>
</bean>
Adjust trustedIssuerDnPattern to your own certificates; this property is mandatory.
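A stand-alone model of the two settings above (added here, not CAS's own code): trustedIssuerDnPattern as a regular expression that must match the whole issuer DN, and the "$OU $CN" identifier template filled from the subject DN. The DN parser is deliberately simplified, and the real handler performs further certificate checks that this omits.

```python
import re
from typing import Dict, Optional

# Values taken from the deployerConfigContext.xml above.
TRUSTED_ISSUER_DN_PATTERN = r"CN=mykey.+"
IDENTIFIER_TEMPLATE = "$OU $CN"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a DN string such as 'CN=alice, OU=dev, O=example' into its attributes.
    Only the plain comma-separated form is handled (no escaped commas), which covers
    the DNs keytool produces for the certificates generated on this page."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        name, value = rdn.split("=", 1)
        attrs[name.strip().upper()] = value.strip()
    return attrs


def issuer_is_trusted(issuer_dn: str, pattern: str = TRUSTED_ISSUER_DN_PATTERN) -> bool:
    """trustedIssuerDnPattern is matched against the entire issuer DN string
    (Java Pattern.matches semantics), hence re.fullmatch: 'CN=mykey.+' accepts
    'CN=mykey, OU=dev' but rejects 'O=x, CN=mykey' and the bare 'CN=mykey'."""
    if not pattern:
        raise ValueError("trustedIssuerDnPattern is mandatory")
    return re.fullmatch(pattern, issuer_dn) is not None


def resolve_principal(subject_dn: str, template: str = IDENTIFIER_TEMPLATE) -> str:
    """Fill each $ATTR placeholder of the identifier template from the subject DN,
    so '$OU $CN' with subject 'CN=alice, OU=dev, O=example' yields 'dev alice'."""
    attrs = parse_dn(subject_dn)

    def substitute(match: re.Match) -> str:
        name = match.group(1).upper()
        if name not in attrs:
            raise KeyError(f"subject DN has no {name} attribute")
        return attrs[name]

    return re.sub(r"\$([A-Za-z]+)", substitute, template)


def authenticate(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Principal id when the issuer is trusted, otherwise None (the webflow above
    then takes the 'error' transition to viewLoginForm)."""
    if not issuer_is_trusted(issuer_dn):
        return None
    return resolve_principal(subject_dn)
```

For a self-signed client certificate like the one keytool generates above, issuer and subject are the same DN, so both the pattern and the template are evaluated against that single string.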
 
3) The last problem: after the cas server finished validation and redirected to the cas client, this exception was thrown:
java.lang.RuntimeException: java.net.SocketException: Software caused connection abort: recv failed
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
 
This one took a lot of effort to track down. The cause was clientAuth="true" in the cas-server Tomcat connector: when the cas-client validates the service ticket it calls the server over HTTPS without presenting a client certificate, so Tomcat aborts the connection. Changing it to clientAuth="want" (request a client certificate but do not require one at the TLS layer) makes the error go away; the browser login still presents the certificate, and the X.509 handler above still decides whether it is acceptable.