Complete steps for implementing single sign-on (SSO) with CAS

Purpose of this tutorial: walk through every step of setting up the single sign-on server and a client application, from start to finish. Before configuring the server, you need to generate a certificate:

1. Generate the certificate
Use the keytool utility that ships with the JDK to generate the certificate. Create the keys folder on the D drive first; the hailong keystore file itself does not need to be created, keytool creates it.
Command: keytool -genkey -alias hailong -keyalg RSA -keystore D:/keys/hailong

hailong is the certificate alias.
2. Export the certificate
Command: keytool -export -file d:/keys/hailongCRT.crt -alias hailong -keystore d:/keys/hailong

The alias must be the same one used in step 1. The result is the hailongCRT.crt certificate file.

3. Import the certificate into the client JDK.
Command: keytool -import -keystore D:\software\jdk\java1.7\jdk1.7.0_79\jre\lib\security\cacerts -file D:/keys/hailongCRT.crt -alias hailong

If the following error occurs, delete the cacerts file under jdk1.7.0_79\jre\lib\security and run the command again:
keytool错误: java.io.IOException: Keystore was tampered with, or password was incorrect

4. Configure the server
Download the CAS server and unpack it. Copy cas-server-webapp-3.4.8.war from the unpacked folder into apache-tomcat-7.0.73\webapps and rename it to cas.war.


Then edit apache-tomcat-7.0.73\conf\server.xml: uncomment lines 83 to 93 of this file and change them to:


5. Start Tomcat
Log in with account admin and password admin: by default, any account whose password is the same as the username is accepted.


Map the domain name in the hosts file, then visit https://sso.wsria.com:8443/cas over HTTPS.
For details see http://www.kafeitu.me/sso/2010/11/05/sso-cas-full-course.html
and http://liujiawinds.iteye.com/blog/1990715

CAS client configuration
<!-- pom.xml-->
<dependency>
	<groupId>org.jasig.cas.client</groupId>
	<artifactId>cas-client-core</artifactId>
	<version>3.1.12</version>
</dependency>

Then add the following to the client's web.xml:
<!-- ======================== SSO START ========================== -->  
    <!-- For single logout, this filter is used to implement single logout function, optional configuration -->  
    <listener>  
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>  
    </listener>   
 
  <!-- This filter is used to implement single sign-out function, optional configuration. -->  
    <filter>  
        <filter-name>CAS Single Sign Out Filter</filter-name>  
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>  
    </filter>  
    <filter-mapping>  
        <filter-name>CAS Single Sign Out Filter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping>  
  
    <!-- This filter is responsible for user authentication and must be enabled -->  
    <filter>  
        <filter-name>CASFilter</filter-name>  
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>  
        <init-param>  
            <param-name>casServerLoginUrl</param-name>  
            <param-value>https://www.hailongsso.com:8443/cas/login</param-value>
            <!--The server here is the IP of the server, click the single login address link-->  
        </init-param>  
        <init-param>  
            <param-name>serverName</param-name>  
            <param-value>http://www.hailongsso.com:8081</param-value> <!-- ① -->
            <!--Customer link address after login-->  
        </init-param>  
    </filter>  
    <filter-mapping>  
        <filter-name>CASFilter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping>  
 
  <!-- This filter is responsible for the validation of Tickets, it must be enabled-->  
     <filter>  
        <filter-name>CAS Validation Filter</filter-name>  
        <filter-class>  
            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>  
        <init-param>  
            <param-name>casServerUrlPrefix</param-name>  
            <param-value>https://www.hailongsso.com:8443/cas</param-value>  
        </init-param>  
        <init-param>  
            <param-name>serverName</param-name>  
            <param-value>http://www.hailongsso.com:8081</param-value> <!-- ② -->
        </init-param>  
    </filter>  
    <filter-mapping>  
        <filter-name>CAS Validation Filter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping>
    
       <!-- This filter is responsible for implementing the package of HttpServletRequest requests, such as allowing developers to obtain the login name of the SSO login user through the getRemoteUser() method of HttpServletRequest, optional configuration. -->  
    <filter>  
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
        <filter-class>  
            org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>  
    </filter>  
    <filter-mapping>  
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping>  
  
    <!-- This filter allows developers to obtain the user's login name via org.jasig.cas.client.util.AssertionHolder. For example AssertionHolder.getAssertion().getPrincipal().getName(). -->  
    <filter>  
        <filter-name>CAS Assertion Thread Local Filter</filter-name>  
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>  
    </filter>  
    <filter-mapping>  
        <filter-name>CAS Assertion Thread Local Filter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping>  

    <!-- ======================= End of single sign-on ========================= -->  

Open the client address http://www.hailongsso.com:8081/SingleSignOnExample; the browser is redirected to the CAS single sign-on login screen. The interception and authentication logic lives in AuthenticationFilter.java; its doFilter method is analysed below.
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        // The browser's TGC cookie is held by CAS: if CAS finds a valid TGT for it, it issues an ST and redirects the browser back here.
        // The client session is seen three times in the flow: 1st entry null, 2nd entry present, 3rd entry present.
        // On the first entry there is no TGC cookie yet; the browser only gets one after the user enters an account and password at CAS.
        final HttpSession session = request.getSession(false);
        // The assertion (built from the ST) across the three entries: 1st null, 2nd null, 3rd present.
        // On the second entry the ST arrives as a request parameter but is not yet validated; on the third entry, after the validation filter has exchanged it with CAS, the assertion is in the session.
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

        if (assertion != null) {
            filterChain.doFilter(request, response);
            return;
        }

        final String serviceUrl = constructServiceUrl(request, response);
        final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());
        final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);

        if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
            filterChain.doFilter(request, response);
            return;
        }

        final String modifiedServiceUrl;

        log.debug("no ticket and no assertion found");
        if (this.gateway) {
            log.debug("setting gateway attribute in session");
            modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
        } else {
            modifiedServiceUrl = serviceUrl;
        }

        if (log.isDebugEnabled()) {
            log.debug("Constructed service url: " + modifiedServiceUrl);
        }

        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);

        if (log.isDebugEnabled()) {
            log.debug("redirecting to \"" + urlToRedirectTo + "\"");
        }

        response.sendRedirect(urlToRedirectTo);
    }
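
The three passes through this filter, modelled in Python as an added example (not code from the post or from the CAS client) with the page's casServerLoginUrl and serverName values; constructServiceUrl is simplified here, and _const_cas_assertion_ is the session key the CAS client uses:

```python
# Added example (not from the post or the CAS client): a model of the three
# branches of doFilter above, using the page's casServerLoginUrl and serverName.
from urllib.parse import parse_qsl, quote_plus, urlencode

CAS_SERVER_LOGIN_URL = "https://www.hailongsso.com:8443/cas/login"
SERVER_NAME = "http://www.hailongsso.com:8081"   # the serverName init-param
CONST_CAS_ASSERTION = "_const_cas_assertion_"   # session key the CAS client uses

def construct_service_url(request_uri, query, server_name=SERVER_NAME):
    """Simplified constructServiceUrl: the service URL is built from the configured
    serverName, not from the Host header the browser sent, and the ticket parameter
    is removed so the URL equals the one the ticket was issued for."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "ticket"]
    return server_name + request_uri + ("?" + urlencode(kept) if kept else "")

def construct_redirect_url(service_url, renew=False, gateway=False,
                           login_url=CAS_SERVER_LOGIN_URL):
    """Mirror of CommonUtils.constructRedirectUrl: the service parameter is
    URL-encoded so CAS returns the browser to exactly this URL."""
    url = login_url + ("&" if "?" in login_url else "?") + "service=" + quote_plus(service_url)
    return url + ("&renew=true" if renew else "") + ("&gateway=true" if gateway else "")

def do_filter(session, request_uri, query, gatewayed=False, gateway=False, renew=False):
    """Returns ("pass", reason) if the request continues down the filter chain,
    or ("redirect", url) if the browser must be sent to the CAS login page."""
    assertion = session.get(CONST_CAS_ASSERTION) if session is not None else None
    if assertion is not None:                      # 3rd entry: validated assertion cached
        return ("pass", "assertion in session")
    service_url = construct_service_url(request_uri, query)
    ticket = dict(parse_qsl(query)).get("ticket", "")
    if ticket.strip() or gatewayed:                # 2nd entry: ST present, let the
        return ("pass", "ticket present, validation filter checks it")  # validation filter run
    return ("redirect", construct_redirect_url(service_url, renew, gateway))  # 1st entry

def three_entries(path="/SingleSignOnExample"):
    """The three passes through the filter described in the comments above."""
    first = do_filter(None, path, "")                                 # no session, no ticket
    second = do_filter({}, path, "ticket=ST-1-constructed-example")   # ST from CAS redirect
    third = do_filter({CONST_CAS_ASSERTION: "assertion"}, path, "")   # assertion in session
    return first, second, third

if __name__ == "__main__":
    for label, result in zip(("1st", "2nd", "3rd"), three_entries()):
        print(label, result)
```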

The CAS client's authentication interception is configured per business service project; if custom interception rules are needed, override or replace AuthenticationFilter.java and the related classes.

Modify the CAS authentication logic
By default CAS accepts any login where the username and password are the same. Now the username and password verification of the original web system needs to move into CAS. It is assumed here that the original web system has a sys_user table storing the username and the MD5-hashed password.

Open cas/WEB-INF/deployerConfigContext.xml, comment out the SimpleTestUsernamePasswordAuthenticationHandler bean, and add:
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
	<property ref="dataSource" name="dataSource"></property>
	<property name="sql" value="select t.encrypted_user_password from sys_user t where t.user_name=?"></property>                     
	<property ref="MD5PasswordEncoder" name="passwordEncoder"></property>
</bean>


Add the database connection before the end of the file:

<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName">
            <value>oracle.jdbc.driver.OracleDriver</value>
        </property>
        <property name="url">
            <value>jdbc:oracle:thin:@yourIP:1521:yourOracleInstanceId</value>
        </property>
        <property name="username">
            <value>yourName</value>
        </property>
        <property name="password">
            <value>yourPassword</value>
        </property>
    </bean>
    <bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
        <constructor-arg index="0">
            <value>MD5</value>
        </constructor-arg>
    </bean>
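
What those two beans do at login time, as an added Python model (not the post's or CAS's code) run against a sys_user table constructed here in SQLite; the constant-time compare is an added hardening, not what the CAS 3.x handler does:

```python
# Added example (not from the post or from CAS): a model of what the
# QueryDatabaseAuthenticationHandler and DefaultPasswordEncoder("MD5") beans
# above do, run against a sys_user table constructed here in SQLite.
import hashlib
import hmac
import sqlite3

# The exact SQL from the bean definition; the ? is bound as a parameter.
SQL = "select t.encrypted_user_password from sys_user t where t.user_name=?"

def md5_encode(password):
    """DefaultPasswordEncoder with algorithm MD5: an unsalted digest rendered as
    lowercase hex. A stored value in any other form (uppercase hex, base64, salted)
    never matches, so check the legacy table's format before switching handlers.
    Unsalted MD5 is kept only because that is what the legacy table holds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_sys_user_table():
    """Constructed sample data standing in for the original web system's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sys_user (user_name text primary key, "
                 "encrypted_user_password text)")
    conn.executemany("insert into sys_user values (?, ?)",
                     [("admin", md5_encode("admin")), ("alice", md5_encode("s3cret"))])
    return conn

def authenticate(conn, username, password):
    """Handler logic: run the configured SQL with the username as a bound parameter,
    encode the supplied password, and compare. Exactly one row must come back;
    an unknown user or a wrong password both fail. compare_digest is an assumed
    hardening; the CAS 3.x handler uses a plain String.equals."""
    rows = conn.execute(SQL, (username,)).fetchall()
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0][0], md5_encode(password))

if __name__ == "__main__":
    db = make_sys_user_table()
    print(authenticate(db, "admin", "admin"), authenticate(db, "admin", "wrong"))
```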

Add JDBC support to CAS
Copy cas-server-3.5.2\modules\cas-server-support-jdbc-3.5.2.jar and the Oracle driver (ojdbc14.jar or classes12.jar; Oracle is used as the database here) into the cas/WEB-INF/lib directory.

Package the cas-server-webapp source and rename the resulting cas-server-webapp.war to cas.war; this is the WAR package of the service described above.


