Section 1: Generating the certificate
Step 1: Generate the keystore. Note that the "cn=www.xxx.com" part is normally the domain name or address of the server; if it does not match, a "no match dname" error occurs.
keytool -genkey -keyalg RSA -alias tomcatmycas -dname "cn=localhost" -storepass 123456 -keystore f:\api\keyserver.keystore
Step 2: Export the certificate
keytool -export -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -storepass 123456 -keystore f:\api\keyserver.keystore
Step 3: Import it into the JDK of the runtime environment [note: when several JDKs are installed, be sure to import into the JRE that is actually used]
keytool -import -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -keystore D:\Java\JRE\lib\security\cacerts -storepass changeit
Section 2: Tomcat configuration
Step 1: server.xml configuration
<!--org.apache.coyote.http11.Http11NioProtocol-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="f:\api\keyserver.keystore" keystorePass="123456"
           truststoreFile="D:\Java\jdk1.7.0_71\jre\lib\security\cacerts"
           clientAuth="false" sslProtocol="TLS" />
Step 2: Rename cas-server-webapp-3.5.2.1.war from the cas-server-3.5.2.1-release package to cas.war and deploy it in the project
WEB-INF\deployerConfigContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to Jasig under one or more contributor license
  agreements. See the NOTICE file distributed with this work
  for additional information regarding copyright ownership.
  Jasig licenses this file to you under the Apache License,
  Version 2.0 (the "License"); you may not use this file
  except in compliance with the License.  You may obtain a
  copy of the License at the following location:

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
-->
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!--
    | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean.  We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
             This switch effectively will turn on clearpass.
        <property name="authenticationMetaDataPopulators">
           <list>
              <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
                 <constructor-arg index="0" ref="credentialsCache" />
              </bean>
           </list>
        </property>
         -->
        <!--
        | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
        | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
        | supports the presented credentials.
        |
        | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
        | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
        | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
        | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
        | using.
        |
        | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
        | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
        | You will need to change this list if you are identifying services by something more or other than their callback URL.
        +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                | by default and produces SimplePrincipal instances conveying the username from the credentials.
                |
                | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
                | Credentials you are using.
                +-->
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
                    <property name="attributeRepository" ref="attributeRepository" />
                </bean>
                <!--
                | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
                | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
                | SimpleService identified by that callback URL.
                |
                | If you are representing services by something more or other than an HTTPS URL whereat they are able to
                | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
                +-->
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <!--
        | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
        | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
        | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
        | until it finds one that both supports the Credentials presented and succeeds in authenticating.
        +-->
        <property name="authenticationHandlers">
            <list>
                <!--
                | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
                | a server side SSL certificate.
                +-->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient" />
                <!--
                | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
                | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
                | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
                | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
                | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
                +-->
                <!--bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /-->
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                    <property name="sql" value="select password from app_user where username=?" />
                    <property name="dataSource" ref="dataSource" />
                </bean>
            </list>
        </property>
    </bean>

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
        <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
        <property name="url"><value>jdbc:mysql://localhost:3306/castest</value></property>
        <property name="username"><value>root</value></property>
        <property name="password"><value>123456</value></property>
    </bean>

    <!--
    This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the Jdbc version.

    The name of this should remain "userDetailsService" in order for Spring Security to find it.
     -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <!--
    Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
    may go against a database or LDAP server.  The id should remain "attributeRepository" though.
     -->
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>

    <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".
     -->
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                </bean>
                <!--
                Use the following definition instead of the above to further restrict access
                to services within your domain (including subdomains).
                Note that example.com must be replaced with the domain you wish to permit.
                -->
                <!--
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="1" />
                    <property name="name" value="HTTP and IMAP on example.com" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
                    <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                    <property name="evaluationOrder" value="0" />
                </bean>
                -->
            </list>
        </property>
    </bean>

    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
        <property name="monitors">
            <list>
                <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
                <!--
                NOTE
                The following ticket registries support SessionMonitor:
                  * DefaultTicketRegistry
                  * JpaTicketRegistry
                Remove this monitor if you use an unsupported registry.
                -->
                <bean class="org.jasig.cas.monitor.SessionMonitor"
                      p:ticketRegistry-ref="ticketRegistry"
                      p:serviceTicketCountWarnThreshold="5000"
                      p:sessionCountWarnThreshold="100000" />
            </list>
        </property>
    </bean>
</beans>
Section 3: Web configuration (the client project)
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>demo1</display-name>
    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:2020</param-value>
    </context-param>
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:2020</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
</web-app>
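As an added check (not part of the original post or of the CAS project), the script below parses the client web.xml from this section and verifies that both CAS URLs use https and that their host equals the CN passed to keytool in Section 1, the mismatch behind the "no match dname" error; the sample web.xml and the dname strings are constructed from this page's values.

```python
"""Consistency check between the keytool -dname and the CAS client web.xml.
Added illustration, not CAS project code; sample input is constructed from this page."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the client web.xml from this page, trimmed to the CAS filters.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value></init-param></filter>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://localhost:8443/cas</param-value></init-param></filter>
</web-app>"""

def dname_cn(dname):
    """Return the CN from a keytool -dname string such as 'cn=localhost, o=Example'."""
    for part in dname.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "cn":
            return value.strip()
    return None

def filter_init_params(web_xml):
    """Collect every <filter>/<init-param> of web.xml as {param-name: param-value}."""
    root = ET.fromstring(web_xml)
    params = {}
    for p in root.iterfind(".//j:filter/j:init-param", NS):
        params[p.findtext("j:param-name", namespaces=NS)] = p.findtext("j:param-value", namespaces=NS)
    return params

def check_cas_urls(web_xml, dname):
    """List the problems that surface as TLS failures between the CAS client and server."""
    problems = []
    params = filter_init_params(web_xml)
    cn = dname_cn(dname)
    for name in ("casServerLoginUrl", "casServerUrlPrefix"):
        url = urlparse(params.get(name, ""))
        if url.scheme != "https":
            problems.append(f"{name} must use https: ticket validation is a TLS callback")
        # The JRE checks the server certificate against cacerts and that its subject
        # matches the host being contacted, so the CN given to keytool must equal the
        # host in these URLs (localhost on this page).
        if url.hostname != cn:
            problems.append(f"{name} host {url.hostname!r} does not match certificate CN {cn!r}")
    return problems
```

Run it against the real web.xml and the dname you gave keytool before importing the certificate into cacerts; an empty list means the three places agree.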
Error cases:
1) CAS unable to find valid certification path [the default password of the JDK cacerts store is changeit]
keytool -import -alias tomcatmycas -file D:\Java\jdk1.7.0_71\jre\lib\security\tomcatmycas.crt -keystore D:\Java\JRE\lib\security\cacerts -storepass changeit
2) If the certificate alias already exists, it can be deleted:
keytool -delete -alias tomcatmycas -keystore f:\api\keyserver.keystore -storepass 123456