CAS (SSO) server

1. CAS 4.0 server download address

Direct download address: http://developer.jasig.org/cas/cas-server-4.0.0-release.zip

You can also go to the latest download page, https://www.apereo.org/projects/cas/download-cas or http://developer.jasig.org/cas/, and choose the version you need.

2. Deploy the CAS service

Unzip cas-server-4.0.0-release.zip, copy cas-server-webapp-4.0.0.war from cas-server-4.0.0\modules into Tomcat's webapps directory and rename it to cas (i.e. cas.war), so that the application is served under the /cas context path.

 

3. Create a certificate (will be used below)

The certificate is the key element of the single sign-on system: every interaction between client and server relies on it. Because this tutorial is only a demonstration, I use the keytool utility that ships with the JDK to generate a self-signed certificate. For a production environment you must obtain a certificate from a certificate provider; free ones are available as well.

keytool -genkey -alias tomcatcas -keystore d://castest -keyalg RSA -validity 3666

Detailed operation: keytool prompts for the keystore password and for the certificate's distinguished-name fields. Enter the hostname that clients will use, here sso.castest.com, as the "first and last name" (the CN), because the client JVM checks that the certificate name matches the host it connects to.

Because sso.castest.com does not really exist, the hosts file (C:\Windows\System32\drivers\etc\hosts) probably needs to be modified.

Add: 127.0.0.1 sso.castest.com

4. Export the certificate

Certificate export:

keytool -export -alias tomcatcas -keystore d://castest  -file d://tomcatcas.crt

 


 

5. Import the certificate into the client's JVM

If there are spaces in the command, it will report an error

keytool -import -keystore D:\software\Java\jdk1.8.0_20\jre\lib\security\cacerts -file D:/tomcatcas.crt -alias tomcatcas

 

 

Note: you are prompted for a password here. It is not the password set earlier: when the JDK is installed, a default keystore (cacerts) is created, and its password is changeit.

D:\software\Java\jdk1.8.0_20\jre\lib\security\ is the security directory of the JRE. At this point the creation and export of the certificate and its import into the client JVM are complete; next, the certificate is put to use on the web server.

 

6. Enable SSL (HTTPS) on the web server (Tomcat)

 

Open conf/server.xml in the Tomcat directory, uncomment the SSL Connector block (around lines 84 to 88) and set keystoreFile and keystorePass. The result looks like this:

<!-- keystoreFile points at the keystore created with keytool in step 3 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:/castest" keystorePass="castest"/>

Parameter description:

  • keystoreFile: the keystore created in step 3 (attribute names are case-sensitive: keystoreFile, not keystorefile)
  • keystorePass: the keystore password entered when the certificate was created
7. After this simple configuration of the CAS server, verify it: start Tomcat and enter http://sso.castest.com:8443/cas/ in the browser. Note: before CAS 4.0 the default handler accepted any user whose username and password were identical; from 4.0 on the default user name/password is casuser/Mellon. Any other credentials produce "Invalid credentials.", which at least confirms that you have reached the CAS login page.

8. Database authentication on the CAS server. Copy the jars it depends on, c3p0-0.9.1.2.jar, mysql-connector-java-5.1.21.jar and cas-server-support-jdbc-4.0.0.jar, into cas\WEB-INF\lib, then modify the configuration file
tomcat/webapp/cas/WEB-INF/deployerConfigContext.xml
1). Comment out the default simple login configuration
<!--
 <bean id="primaryAuthenticationHandler"
     class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
     <property name="users">
        <map>
          <entry key="casuser" value="Mellon"/>
        </map>
      </property>
  </bean>
    -->
2). Add the database connection (the & in the JDBC URL must be written as &amp; inside an XML attribute)
<!-- Define the DB Connection -->
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
   p:driverClass="com.mysql.jdbc.Driver"
   p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/xxx?useUnicode=true&amp;characterEncoding=UTF-8&amp;zeroDateTimeBehavior=convertToNull"
   p:user="root"
   p:password="root" />
 
<!-- Define the encode method-->     
<bean id="passwordEncoder"
      class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
      c:encodingAlgorithm="MD5"
      p:characterEncoding="UTF-8" />
 
<bean id="dbAuthHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"
      p:dataSource-ref="dataSource"
      p:sql="select password from xxxx where name=?"
      p:passwordEncoder-ref="passwordEncoder"/>
     <!-- If the stored passwords are in plain text, the passwordEncoder bean and p:passwordEncoder-ref are not required -->
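Added example, not code from the post or from the CAS project: a Python model of how the dbAuthHandler and passwordEncoder above check a login, with sqlite3 and a constructed users table standing in for MySQL (the table name, the function names and the sample rows are assumptions). It shows why the stored column must hold the lowercase hex digest that DefaultPasswordEncoder produces, and that the username is bound as a query parameter rather than concatenated into the SQL.

```python
import hashlib
import hmac
import sqlite3


def encode_password(password, algorithm="MD5", charset="UTF-8"):
    # Mirrors DefaultPasswordEncoder(encodingAlgorithm, characterEncoding):
    # digest the password bytes and render the digest as lowercase hex.
    return hashlib.new(algorithm.lower(), password.encode(charset)).hexdigest()


def authenticate(conn, sql, username, password, encoder=encode_password):
    """Return the authenticated username, or None (CAS raises an exception instead)."""
    # The username is bound to the '?' placeholder, never concatenated into the SQL.
    row = conn.execute(sql, (username,)).fetchone()
    if row is None:
        return None                       # no such account
    stored = row[0]
    if stored is None or not hmac.compare_digest(stored, encoder(password)):
        return None                       # stored value != encoded submitted password
    return username


def demo_users():
    # Constructed sample table (assumption) in place of the MySQL table used by the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(name text primary key, password text)")
    conn.executemany("insert into users values (?, ?)", [
        ("casuser", encode_password("Mellon")),  # stored as hex MD5, as the handler expects
        ("legacy", "plaintext"),                 # stored in clear: never matches with an encoder
    ])
    return conn


SQL = "select password from users where name=?"
```

A plain-text row only authenticates when no encoder is configured (the `encoder=lambda p: p` case), which is the situation the XML comment above describes. Because the digest is unsalted, equal passwords yield equal stored values; that is a property of this encoder configuration, not of the example.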
3). Replace the authentication handler (find the bean with id="authenticationManager")
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
      <map>
        <!--
         | IMPORTANT
         | Every handler requires a unique name.
         | If more than one instance of the same handler class is configured, you must explicitly
         | set its name to something other than its default name (typically the simple class name).
         -->
     <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
     <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver" />
     <!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->
    </map>
 </constructor-arg>
</bean>
That is, comment out the entry with key-ref="primaryAuthenticationHandler", reference the bean with id="dbAuthHandler" instead, then restart Tomcat to verify. This completes the server configuration.

8. Client configuration

1). Add the cas-client jar (cas-client-core-3.4.1.jar). There are two ways:
  • Traditional: download cas-client from http://developer.jasig.org/cas-clients/, unzip cas-client-3.1.12.zip and take the jar from its modules or WEB-INF folder, whichever suits your project
  • Maven
    <dependency>
    	<groupId>org.jasig.cas.client</groupId>
    	<artifactId>cas-client-core</artifactId>
    	<version>3.4.1</version>
    </dependency>
     
2). Configure the CAS client filters in the web application's web.xml. Note that the filters below point at https://localhost:8443, whereas the certificate created in step 3 carries the name sso.castest.com; the validation filter's HTTPS call to the CAS server only succeeds when the hostname in the URL matches the certificate name.

<!-- ======================== Single Sign-On/Sign-Out ======================== -->

<!-- This filter is used to implement single sign-out function, optional configuration. -->
<filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<!-- This filter is responsible for user authentication and must be enabled -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://localhost:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
</filter>

<!-- This filter is responsible for the validation of Tickets, it must be enabled-->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- This filter wraps the HttpServletRequest so that, for example, developers can obtain
the login name of the SSO user through HttpServletRequest.getRemoteUser(); optional configuration. -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- This filter allows developers to obtain the user's login name via org.jasig.cas.client.util.AssertionHolder,
 for example AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
 
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- ======================== End of single sign-on/logout ======================== -->
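Added example, not code from the post or from the CAS project: a Python model of the CAS 1.0 exchange that the AuthenticationFilter and Cas10TicketValidationFilter above configure, with both sides in one file so it runs offline (the in-process call to validate stands in for the HTTPS GET to casServerUrlPrefix/validate; class and method names are assumptions). It shows the checks that make a returned ticket safe to accept: it must be bound to the exact service URL, used once, and still fresh.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit


class CasServer:
    """Issues service tickets at login and answers /validate in CAS 1.0 plain-text form."""

    def __init__(self, ttl_seconds=10.0):
        self.tickets = {}          # ticket -> (service, user, issued_at)
        self.ttl = ttl_seconds

    def login(self, user, service):
        # After a successful login CAS redirects the browser back to service?ticket=ST-...
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (service, user, time.time())
        return service + ("&" if "?" in service else "?") + urlencode({"ticket": ticket})

    def validate(self, service, ticket):
        # CAS 1.0 answers "yes\n<user>\n" or "no\n\n". A ticket is consumed on first use
        # (pop) and is only valid for the exact service URL it was issued for.
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return "no\n\n"
        issued_for, user, issued_at = entry
        if issued_for != service or time.time() - issued_at > self.ttl:
            return "no\n\n"
        return "yes\n%s\n" % user


class CasClient:
    """Models AuthenticationFilter + Cas10TicketValidationFilter for one request."""

    def __init__(self, server, cas_login_url, server_name):
        self.server, self.cas_login_url, self.server_name = server, cas_login_url, server_name

    def handle(self, request_url, session):
        parts = urlsplit(request_url)
        params = dict(parse_qsl(parts.query))
        ticket = params.pop("ticket", None)
        # serverName + request URI, with the ticket parameter removed, is the "service".
        service = self.server_name + parts.path + ("?" + urlencode(params) if params else "")
        if ticket:                        # validation filter: ask the CAS server
            lines = self.server.validate(service, ticket).split("\n")
            if lines[0] != "yes":
                return ("deny", None)
            session["user"] = lines[1]    # assertion stored in the HTTP session
            return ("redirect", service)  # redirectAfterValidation=true strips the ticket
        if "user" in session:             # already authenticated
            return ("ok", session["user"])
        return ("redirect", self.cas_login_url + "?" + urlencode({"service": service}))
```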
9. Integrate the client with Shiro

1). Add the required jar packages shiro-cas-1.2.4.jar and cas-client-core-3.4.1.jar (see step 8 for the download)
<dependency>
	<groupId>org.apache.shiro</groupId>
	<artifactId>shiro-cas</artifactId>
	<version>1.2.4</version>
</dependency>
2). Modify the Shiro configuration (spring-shiro.xml)
  • Modify shiroFilter:
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <!-- Login link: the CAS login page, with service= set to the callback address of this application -->
        <property name="loginUrl" value="http://sso.castest.com:7443/cas/login?service=http://localhost:8080/admin/login.htm" />
        <property name="successUrl" value="http://localhost:8080/admin/index.htm"></property> <!-- Adding this line causes a page redirect loop -->
        <property name="filters">
            <map>
                <entry key="casFilter">
                    <bean class="org.apache.shiro.cas.CasFilter">
                        <!-- Page shown when authentication fails; here the system login page -->
                        <property name="failureUrl" value="/login.htm" />
                    </bean>
                </entry>
            </map>
        </property>
        <property name="unauthorizedUrl" value="/unauthorized.htm" />
        <property name="filterChainDefinitions">
            <value>
                /favicon.ico = anon
                /login.htm = anon
                /error/ajaxUnauthorized.htm = anon
                /doRegister.htm = anon
                /doAjaxLogin.htm = anon
                /logout.htm = logout
                /service/*.htm = anon
                /*.htm = authc
                /**/*.htm = authc
            </value>
        </property>
    </bean>
     
  • Two properties are added to the shiroRealm configuration: the URL prefix of the CAS server and the callback address (casService) at which the CAS client intercepts the returned ticket. The casFilter defined above must be mapped to that callback path in filterChainDefinitions, otherwise the ticket is never processed:
    <!-- Custom Realm that extends CasRealm -->
    <bean id="shiroJdbcRealm" class="com.lz.core.shiro.ShiroJdbcRealm">
        <property name="casServerUrlPrefix" value="http://sso.castest.com:7443/cas/"/> <!-- must be ip + port + context path -->
        <property name="casService" value="http://localhost:8080/admin/doLogin.htm"/> <!-- Without this line authentication does not pass and casFilter fails -->
    </bean>

  • Add the subjectFactory property to the securityManager configuration:
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- Set the custom realm -->
        <property name="realm" ref="shiroJdbcRealm" />
        <property name="cacheManager" ref="shiroCacheManager" />
        <property name="subjectFactory" ref="casSubjectFactory"/> <!-- adds the CasSubject factory -->
    </bean>

  • Add the casSubjectFactory bean
    <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory"/> <!-- provides CasSubject -->
Reference pages: http://dead-knight.iteye.com/blog/1525671, http://blog.csdn.net/zhuojiajin/article/details/42973251, http://blog.csdn.net/ppt0501/article/details/41728819
