CAS (2) —— Mac下配置CAS到Tomcat(客戶端)
tomcat版本: tomcat-8.0.29
jdk版本: jdk1.8.0_65
cas版本: cas4.1.2
cas-client-3.4.1
參考來源:
Tomcat (1) —— Mac下配置Tomcat Https/SSL
【高可用HA】Apache (2) —— Mac下安裝多個Apache Tomcat例項
目標架構
下載
首先登陸jasig網站http://downloads.jasig.org/,下載相應的cas版本。
由於網站只提供原始碼包而不提供釋出包,所以需要自己下載來編譯。
cas會為不同的客戶端消費者提供client包,這裡我們選擇java-client作為演示。
編譯客戶端所需要的jar
java-cas-client-cas-client-3.4.1 Richard$ mvn clean install -Dmaven.test.skip
然後下載供測試的客戶端示例程式碼(jasig在github上為我們提供了一個簡易的客戶端demo)
$ git clone https://github.com/UniconLabs/cas-sample-java-webapp.git配置
客戶端
設定
參照以下文章為Tomcat配置好Https
Tomcat (1) —— Mac下配置Tomcat Https/SSL
【高可用HA】Apache (2) —— Mac下安裝多個Apache Tomcat例項
編譯部署
然後編譯我們的示例專案
:cas-sample-java-webapp Richard$ mvn clean install -Dmaven.test.skippom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>iamlabs.unicon.net</groupId>
<artifactId>cas-sample-java-webapp</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>CAS Example Java Web App</name>
<description>A sample web application that exercises the CAS protocol features via the Java CAS Client.</description>
<build>
<finalName>cas-sample-java-webapp</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.5.1</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.16</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml1</artifactId>
<version>1.1</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.2.1</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.6</version>
</dependency>
<dependency>
<groupId>org.apache.santuario</groupId>
<artifactId>xmlsec</artifactId>
<version>1.4.3</version>
</dependency>
</dependencies>將編譯生成的war包部署到我們的Tomcat容器中:
專案主要包括兩個頁面
index.jsp(供登陸)
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<%@ page import="java.util.Map" %>
<%@ page import="java.util.Iterator" %>
<%@ page import="java.util.List" %>
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CAS Example Java Web App</title>
</head>
<body>
<h1>CAS Example Java Web App</h1>
<p>A sample web application that exercises the CAS protocol features via the Java CAS Client.</p>
<hr>
<p><b>Authenticated User Id:</b> <a href="../cas1/logout.jsp" title="Click here to log out"><%= request.getRemoteUser() %></a></p>
<%
if (request.getUserPrincipal() != null) {
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
/*
final String password = principal.getPassword();
if (password != null) {
out.println("<p><b>User Credentials:</b> " + password + "</p>");
}
*/
final Map attributes = principal.getAttributes();
if (attributes != null) {
Iterator attributeNames = attributes.keySet().iterator();
out.println("<b>Attributes:</b>");
if (attributeNames.hasNext()) {
out.println("<hr><table border='3pt' width='100%'>");
out.println("<th colspan='2'>Attributes</th>");
out.println("<tr><td><b>Key</b></td><td><b>Value</b></td></tr>");
for (; attributeNames.hasNext();) {
out.println("<tr><td>");
String attributeName = (String) attributeNames.next();
out.println(attributeName);
out.println("</td><td>");
final Object attributeValue = attributes.get(attributeName);
if (attributeValue instanceof List) {
final List values = (List) attributeValue;
out.println("<strong>Multi-valued attribute: " + values.size() + "</strong>");
out.println("<ul>");
for (Object value: values) {
out.println("<li>" + value + "</li>");
}
out.println("</ul>");
} else {
out.println(attributeValue);
}
out.println("</td></tr>");
}
out.println("</table>");
} else {
out.print("No attributes are supplied by the CAS server.</p>");
}
} else {
out.println("<pre>The attribute map is empty. Review your CAS filter configurations.</pre>");
}
} else {
out.println("<pre>The user principal is empty from the request object. Review the wrapper filter configuration.</pre>");
}
%>
</body>
</html>logout.jsp(登出)
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<%@ page import="java.util.Map" %>
<%@ page import="java.util.Iterator" %>
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<%
session.invalidate();
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CAS Example Java Web App</title>
</head>
<body>
<h1>CAS Example Java Web App</h1>
<p>Application session is now invalidated. You may also issue a request to "/cas/logout" to destroy the CAS SSO Session as well.</p>
<hr>
<a href="../cas1/index.jsp">Back to Home</a>
</body>
</html>配置CAS Authentication Filter
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<!-- <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class> -->
<!-- <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> -->
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://sso.hoau.com:8433/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://app1.hoau.com:8413</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<!-- <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class> -->
<!-- <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> -->
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://sso.hoau.com:8433/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://app1.hoau.com:8413</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>acceptAnyProxy</param-name>
<param-value>true</param-value>
</init-param>
<!--
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/cas1/proxyUrl</param-value>
</init-param>
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>https://app1.hoau.com:8413/cas1/index.jsp</param-value>
</init-param>
-->
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>* 以上web.xml配置中有四處需要注意的地方
cas目標伺服器登陸頁面的配置
<init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://sso.hoau.com:8433/cas/login</param-value> </init-param>本機伺服器的地址(即當前node-a)
<init-param> <param-name>serverName</param-name> <param-value>https://app1.hoau.com:8413</param-value> </init-param>"Cas20ProxyReceivingTicketValidationFilter"
2.x和3.x以前也有其他的Ticket校驗方式,這裡官方推薦用Cas20Proxy
<filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://sso.hoau.com:8433/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://app1.hoau.com:8413</param-value> </init-param>暫時將proxyReceptorUrl和proxyCallbackUrl註釋掉,因為這裡沒有使用代理
<!-- <init-param> <param-name>proxyReceptorUrl</param-name> <param-value>/cas1/proxyUrl</param-value> </init-param> <init-param> <param-name>proxyCallbackUrl</param-name> <param-value>https://app1.hoau.com:8413/cas1/index.jsp</param-value> </init-param> -->
測試
嘗試訪問
https://app1.hoau.com:8413/cas1
* 抱歉此處配圖為node-b的
並使用我們在資料庫裡面預埋的資料"test01/psw01"登陸
使用相同方式將cas2部署到node-b節點,並指向cas的SSO伺服器
*擴充套件
我們清空瀏覽器的cache和cookie,按照下列步驟操作
訪問"https://app1.hoau.com:8413/cas1"
系統會將我們重定向到"https://sso.hoau.com:8433/cas/login"。
輸入使用者名稱密碼"test01/psw01"
登陸成功
訪問"https://app2.hoau.com:8423/cas2"
系統會自動登陸使用使用者名稱密碼"test01/psw01"。
問題來了
這就是達到了SSO的效果,但是為什麼是這樣,原理是什麼