Implementing Single Sign-On (SSO) with Yale CAS Server

CAS (Central Authentication Service) is an open-source SSO (single sign-on) service implemented in Java, developed by Yale University ITS.

This article walks through a simple example of implementing single sign-on (SSO) with CAS.

Configuring Yale CAS Server

CAS is delivered as a Java web app (e.g. cas.war). To use it, deploy cas.war on a Servlet 2.3-compatible
server that supports SSL; each other server that needs the service (a client) then needs only a little
configuration to take part in SSO.

There can be many kinds of CAS client, because the validation result is returned as XML. The client
package already ships sample clients in Java, Perl, Python, ASP, an Apache module and several more, and
writing your own client when you need one is very simple.

Below we use one Tomcat 5.0 as the CAS server (server1) and another Tomcat 5.0 as the client (client1)
to illustrate the setup.

1. Download cas-server and cas-client (the client is optional but recommended)
http://www.yale.edu/tp/cas/cas-server-2.0.12.zip
http://www.yale.edu/tp/cas/cas-client-2.0.11.zip

2. Unzip cas-server-2.0.12.zip and copy lib/cas.war into webapps on server1

3. Generate the server certificate
keytool -genkey -alias my-alias-name -keyalg RSA -keystore keystore-file
When keytool asks for your "first and last name", enter the hostname the clients will use to reach the CAS server (server1 here): the client compares that name against the host in its validateUrl.

4. Configure Tomcat on server1 to use HTTPS

In $CATALINA_HOME/conf/server.xml:

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https"
           secure="true">
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             keystoreFile="/path/to/your/keystore-file"
             keystorePass="your-password" clientAuth="false" protocol="TLS" />
</Connector>

5. Configure the client application on client1 (using the servlets-examples app as the example). We use the
servlet filter shipped with the CAS client to perform the SSO check.

Edit servlets-examples/WEB-INF/web.xml:

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://your.cas.server.name(eg:server1):port/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://your.cas.server.name(eg:server1):port/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>your.client.server.name(eg:client1):port</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/servlet/*</url-pattern>
</filter-mapping>
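To make the filter configuration above concrete, here is an added example (not code from the CAS distribution or from this article) that plays the whole exchange out in Python, one of the client languages the CAS package ships samples for. A toy in-memory CAS server stands in for cas.war: /cas/login issues a service ticket bound to the requesting service, and /cas/proxyValidate consumes it once and answers with CAS 2.0 XML. The cas_filter function makes the same decision CASFilter makes per request: pass an already authenticated session, redirect to loginUrl with the service parameter when there is no ticket, or validate the ticket and remember the user. The hostnames server1 and client1 follow the article; the account, the ticket lifetime and the redirect strings are constructed for the example.

```python
# Added example (not code from the CAS distribution): a toy CAS 2.0 exchange
# showing what CASFilter does per request and what cas.war does with the ticket.
# Host names server1/client1 follow the article; users, passwords and the
# ticket lifetime are constructed test data.
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = "http://www.yale.edu/tp/cas"            # namespace of CAS 2.0 responses
LOGIN_URL = "https://server1:8443/cas/login"     # the filter's loginUrl
TICKET_TTL = 300                                 # seconds a service ticket stays valid (constructed)


def _failure(code, message):
    return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationFailure code="%s">'
            '%s</cas:authenticationFailure></cas:serviceResponse>' % (CAS_NS, code, message))


class ToyCasServer:
    """In-memory stand-in for cas.war: issues and validates service tickets."""

    def __init__(self, users):
        self.users = users        # {username: password}
        self.tickets = {}         # ticket -> (user, service, issued_at)

    def login(self, username, password, service):
        """/cas/login: on success issue a service ticket bound to 'service'."""
        if self.users.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (username, service, time.time())
        return ticket

    def proxy_validate(self, ticket, service):
        """/cas/proxyValidate: consume the ticket once and answer with CAS 2.0 XML."""
        entry = self.tickets.pop(ticket, None)   # pop: each ticket validates at most once
        if entry is None:
            return _failure("INVALID_TICKET", "ticket %s not recognized" % ticket)
        user, bound_service, issued_at = entry
        if time.time() - issued_at > TICKET_TTL:
            return _failure("INVALID_TICKET", "ticket expired")
        if bound_service != service:             # only good for the service it was issued for
            return _failure("INVALID_SERVICE", "ticket was issued for another service")
        return ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationSuccess>'
                '<cas:user>%s</cas:user></cas:authenticationSuccess></cas:serviceResponse>'
                % (CAS_NS, user))


def parse_validation_response(xml_text):
    """Return the authenticated user, or None when CAS rejected the ticket."""
    root = ET.fromstring(xml_text)
    user = root.find("{%s}authenticationSuccess/{%s}user" % (CAS_NS, CAS_NS))
    return user.text if user is not None else None


def service_url(request_url):
    """The 'service' a ticket is bound to: the requested URL without its ticket parameter."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def cas_filter(request_url, session, validate):
    """The decision CASFilter makes for one request.

    session  - dict standing in for the servlet session
    validate - callable(ticket, service) -> CAS 2.0 XML (an HTTPS GET to validateUrl in real life)
    Returns ("pass", user), ("redirect", location) or ("deny", reason).
    """
    if "user" in session:                        # already authenticated in this session
        return ("pass", session["user"])
    service = service_url(request_url)
    ticket = dict(parse_qsl(urlsplit(request_url).query)).get("ticket")
    if ticket is None:                           # no ticket yet: send the browser to CAS login
        return ("redirect", LOGIN_URL + "?" + urlencode({"service": service}))
    user = parse_validation_response(validate(ticket, service))
    if user is None:
        return ("deny", "ticket rejected by CAS")
    session["user"] = user                       # validated: remember the user for this session
    return ("pass", user)


if __name__ == "__main__":
    cas = ToyCasServer({"alice": "secret"})      # constructed account
    app = "http://client1:8080/servlets-examples/servlet/HelloWorldExample"
    session = {}
    print(cas_filter(app, session, cas.proxy_validate))                    # redirect to login
    st = cas.login("alice", "secret", app)                                  # browser logs in, gets an ST
    print(cas_filter(app + "?ticket=" + st, session, cas.proxy_validate))  # pass, alice
    print(cas_filter(app + "?ticket=" + st, {}, cas.proxy_validate))       # deny: ticket already used
```

Two details carry the security of the scheme and are worth checking in any client you write yourself: the service URL sent to validateUrl must be the requested URL with the ticket parameter stripped, or the server will refuse the ticket as issued for another service, and a ticket is consumed by its first validation, so a replayed ticket is rejected even by the legitimate client.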

6. Unzip cas-client-2.0.11.zip and copy java/lib/casclient.jar into
webapps/servlets-examples/WEB-INF/lib on client1 (create the directory if it does not exist)

7. Export the server certificate so it can be imported into every client that needs it
keytool -export -file myserver.cert -alias my-alias-name -keystore keystore-file

8. Import the server certificate as trusted into the client's JVM (depending on the setup this may require administrator rights)
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file myserver.cert -alias my-alias-name

9. Test, and done.
Start server1 and client1 and check that the startup logs look normal. If everything is OK, open
http://client1:8080/servlets-examples/servlet/HelloWorldExample
You will be redirected to a login page; enter any username with the same string as the password, and
once authentication succeeds you reach the real HelloWorldExample servlet.

For more information see
http://www.yale.edu/tp/cas/
http://www-106.ibm.com/developerworks/web/library/wa-singlesign/

Posted by wolfw on September 3, 2004 03:53 PM
Comments

Hello, I am working on a CAS single sign-on project. I read your article and followed your steps, but I have some problems; I wonder whether you could advise me.

My email is [email protected]

The main problem is that after configuring the server, Tomcat reports this error on startup: java.io.IOException: Algorithm TLS not available

And for step 8, importing the trusted server certificate into the client JVM (may require administrator rights):
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file myserver.cert -alias my-alias-name

At this step it says my cacerts cannot be found, yet I can see it in lib/security.

Thanks, I hope you can get in touch with me. I couldn't find your email, sorry.

Posted by: yourghost on September 20, 2004 04:11 PM

Hello, the problem in my reply above is solved, but now I have a new one.

Tomcat starts fine. After entering the test address http://localhost:8080/servlets-examples/servlet/HelloWorldExample it redirects to the login page correctly; after entering the username and password it redirects to the following page:

http://localhost:8080/servlets-examples/servlet/HelloWorldExample?ticket=ST-0-qtE196vC6YFaH7VLE5k0

but the page does not display properly; instead it shows:
HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: sun.security.validator.ValidatorException: No trusted certificate found
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


root cause

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:617)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


note The full stack trace of the root cause is available in the Apache Tomcat/5.0.28 logs.

I hope you can help, thanks

Posted by: yourghost on September 21, 2004 11:54 AM

The step of importing the trusted server certificate into the client succeeded, so why does this problem occur? Please advise.

Posted by: yourghost on September 21, 2004 11:58 AM

I tried importing the trusted server certificate into the client once more, but this time I got this error:
java.io.IOException: keystore was tampered with, or password was incorrect

Posted by: yourghost on September 21, 2004 01:23 PM

New problem. After all the problems above were solved, the page after the redirect shows the following:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: HTTPS hostname wrong: should be
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


root cause

java.io.IOException: HTTPS hostname wrong: should be
sun.net.www.protocol.https.HttpsClient.b(DashoA6275)
sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:617)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)

Posted by: yourghost on September 21, 2004 01:32 PM

The error above did not come through completely; it is:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: HTTPS hostname wrong: should be
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


root cause

java.io.IOException: HTTPS hostname wrong: should be (localhost)
sun.net.www.protocol.https.HttpsClient.b(DashoA6275)
sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:617)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)

Posted by: yourghost on September 21, 2004 01:41 PM

To the guy with the error above: I get exactly the same error, hehe. How do you solve it? Let me know once you have it working: [email protected]

Posted by: lufei on September 21, 2004 04:47 PM

After a lot of fiddling it finally works. I found that his CASFilter has a very serious problem and modified it; SecureURL.retrieve also has problems, and I modified that too. Good thing it is open source, otherwise there would have been no way in.

Posted by: lufei on September 22, 2004 02:42 PM

sigh...
I haven't looked at this in a while; I didn't expect so many of you to be following this SSO. Having problems is good, solving them is better, heh.

Posted by: argan on September 27, 2004 01:00 PM


Reproduced from blog.csdn.net/mosquitoxh/article/details/653465