CAS Java Client Configuration

Blog Category: Jsp

Tags: Java, Tomcat, Eclipse, JDK, SSO

SSO stands for Single Sign-On (and, correspondingly, Single Sign-Out).

CAS (JA-SIG Central Authentication Service) is an open source project that implements SSO.



There is no shortage of documents explaining CAS on the Internet, but newcomers trying to build a CAS service usually find that the articles explaining the theory are not tied to concrete operations, while the articles describing the operations are fragmentary and never build up, step by step, a complete single sign-on/sign-out service.

This article focuses on the operational steps and describes, as completely as possible, how to deploy and configure a CAS client and server under Tomcat. For the theory, search on your own or see the references at the end of the article.


Environment

Windows XP

JDK 1.5

Tomcat 6.0

Preparation 1

Install the JDK, Eclipse and Tomcat.

Preparation 2

Go to the official CAS site to download the CAS client and server.

The official address is: http://www.ja-sig.org/products/cas/

The download page is: http://www.ja-sig.org/products/cas/downloads/index.html

From the download page, download the following 3 zip packages:

The first one, CAS Server, is the server side of CAS (the current latest version is 3.3.1).

The second one, the JA-SIG CAS Java Client, is the officially developed CAS client and is used here for single sign-out. Special note: only version 3.1.2 and above of this client supports single sign-out (the latest version is 3.1.3).

The third one, the Yale CAS Client, was developed by Yale University. It is used here for single sign-on and does not support single sign-out (the latest version is 2.0.11).

Place the downloaded ZIP packages in the c:\resource\cas directory and decompress each of them in that directory.


The preparatory work is over, and the formal operation begins.

Step 1: Make a key

Open Start - Run - CMD and first test that keytool is available by typing the following (type only what follows the angle bracket, never the bracket itself; the same applies below):

> keytool

If no help text appears, the Path is not configured; how to configure the Path is not covered here, so search for it yourself.

Once configured, reopen the CMD window and go to the c:\resource\cas directory.

How do you change to that directory? Type the following:

>c:

>cd\

>cd resource\cas

Next, generate the key by typing:

>keytool -genkey -alias tomcat -keystore ./mykeystore -keyalg RSA -validity 2000

Keystore password: changeit

Common Name / Your Name: localhost

Enter the rest as you like.

When asked to confirm, enter "yes" (or its Chinese equivalent if the prompt is in Chinese).

Finally, use the same password for the key and press Enter. If the operation succeeds, a mykeystore file is generated in the c:\resource\cas directory.

Continue to type:

>keytool -export -alias tomcat -keystore ./mykeystore -file server.crt

Keystore password: changeit

If the operation succeeds, a server.crt file is generated in the c:\resource\cas directory.

Continue to type:

>keytool -import -alias tomcat -file ./server.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts

Keystore password: changeit

Special note: this %JAVA_HOME% refers to the JDK that Tomcat will actually use. If you use the Tomcat configured in Eclipse later in this article, then %JAVA_HOME% is the JDK that Tomcat is configured with in Eclipse. If you import the certificate into a different JDK, the following exception occurs when you later access the server:

unable to find valid certification path to requested target

Not sure which JDK Tomcat is configured with? To view the JDK configured for Tomcat in Eclipse:

Eclipse menu Window - Preferences - MyEclipse - Servers - Tomcat - Tomcat 6 - JDK - Tomcat JDK name. This Tomcat JDK name corresponds to the name attribute under Window - Preferences - Java - Installed JREs, whose location is the path of the JDK.

At this point, step 1 is completed.

Step 2: Configure tomcat

Open %TOMCAT_HOME%/conf/server.xml, which contains the following code:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

This block is commented out by default. Uncomment it and complete it into the following code:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:/resource/cas/mykeystore"
               keystorePass="changeit"/>

Note: keystoreFile="c:/resource/cas/mykeystore" points at the keystore generated in step 1. This file must not be deleted after configuration, otherwise Tomcat reports an error that the file cannot be found.

Save and close the file, and step 2 is complete.

Step 3: Configure the CAS server

In the c:\resource\cas\cas-server-3.3.1-release\cas-server-3.3.1\modules directory there is a war package, cas-server-webapp-3.3.1.war. Copy it to the %TOMCAT_HOME%/webapps directory and rename it cas_server.war.

Because we just configured the JDK used by Eclipse, start Tomcat through Eclipse.

Visit http://localhost:8080/cas_server. If the login page appears, the deployment was successful.

Try to log in: with the default configuration, any username whose password is identical to the username logs in successfully.

Step 4: Configure the CAS client

Create a new web project in Eclipse, named cas_client1.

Copy c:\resource\cas\cas-client-2.0.11\cas-client-2.0.11\java\lib\casclient.jar to the lib directory of project cas_client1 (for single sign-on).

Copy cas-client-core-3.1.3.jar from the c:\resource\cas\cas-client-3.1.3-release\cas-client-3.1.3\modules directory to the lib directory of project cas_client1 (for single sign-out).

Copy commons-logging-1.1.jar from the c:\resource\cas\cas-client-3.1.3-release\cas-client-3.1.3\modules directory to the lib directory of project cas_client1 (for single sign-out).

Add the following code to the web.xml of project cas_client1:


<!-- for single sign-out -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<!-- for single sign-on -->
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://localhost:8443/cas_server/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://localhost:8443/cas_server/serviceValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>localhost:8080</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note: filter order in web.xml matters. The configuration for the CAS Single Sign Out Filter must come before the CAS Filter (at the very least, its filter-mapping must come first), so that a logout request from the server is handled before the sign-on filter sees it.

At this point, step 4 is completed.

Test: deploy cas_client1 and cas_server at the same time and visit http://localhost:8080/cas_client1. You are automatically redirected to the server's login page; enter an identical username and password, and after a successful login you are redirected back to the client.

Step 5: Single sign-on and logout

Following the procedure of step 4, create another web project, named cas_client2.

Deploy the server, client1 and client2 at the same time.

Test 1: access client1; after logging in, client2 can be accessed directly.

Test 2: access client2; after logging in, client1 can be accessed directly.

Test 3: log in to client1, then log out. How do you make both client1 and client2 inaccessible again? Visit https://localhost:8443/cas_server/logout to log out.

Note: logging out over plain http, such as http://localhost:8080/cas_server/logout, does not work! The TGC cookie was issued to you over https, so a logout request sent over http gives the CAS server no way to "kill" that cookie.

At this point, step 5 is completed, and the single sign-on and log-out functions are basically completed.
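To make the two messages behind the web.xml of step 4 and the logout of step 5 concrete, here is an added example that is not code from the article or from the JA-SIG client: it parses a /serviceValidate reply the way the CAS Filter does, and maps service tickets to local sessions the way SingleSignOutFilter does when the server posts a logoutRequest. All XML samples, ticket values and session ids are constructed.

```python
# Added example, not code from the article or the JA-SIG client: the two CAS
# messages behind the web.xml above. parse_service_validate() plays the role
# of the CAS Filter on the validateUrl reply; SessionRegistry plays the role
# of SingleSignOutFilter on the server's logoutRequest POST.
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"
SAMLP_NS = "{urn:oasis:names:tc:SAML:2.0:protocol}"


def parse_service_validate(xml_text):
    """Return the username from a /serviceValidate reply, or raise ValueError
    with the CAS failure code. The ticket in the URL is never trusted by
    itself; only this reply, fetched over https from the server, is."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        return user.strip()
    failure = root.find(CAS_NS + "authenticationFailure")
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    raise ValueError("CAS validation failed: " + code)


class SessionRegistry:
    """Ticket -> local session id, so a logoutRequest naming a ticket can
    invalidate exactly the session that ticket created."""
    def __init__(self):
        self._by_ticket = {}

    def on_login(self, ticket, session_id):
        self._by_ticket[ticket] = session_id

    def on_logout_request(self, xml_text):
        """Return the invalidated session id, or None if the ticket is unknown."""
        ticket = ET.fromstring(xml_text).findtext(SAMLP_NS + "SessionIndex")
        return self._by_ticket.pop(ticket.strip(), None) if ticket else None


# Constructed sample messages, shaped like CAS 2.0 / CAS 3.x output.
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationSuccess><cas:user>alice</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:authenticationFailure code='INVALID_TICKET'>not recognized"
               "</cas:authenticationFailure></cas:serviceResponse>")
LOGOUT_XML = ("<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'"
              " ID='LR-1' Version='2.0' IssueInstant='2009-01-01T00:00:00Z'>"
              "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>")
```

A second logoutRequest for the same ticket returns None, which is the behaviour you want: a replayed or forged logout cannot touch any other session.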
