当前位置: 代码迷 >> Web前端 >> cas配备
  详细解决方案

cas配备

热度:349   发布时间:2012-10-31 14:37:32.0
cas配置

环境准备:

1. 安装JDK(安装目录必须无空格,默认安装Program Files目录会导致某些命令不能运行);

2. 配置JAVA_HOME环境变量,JAVA_HOME=E:\Java\jdk1.6


服务端:

1. 进入jdk的bin目录

2. 在jdk生成keystore

执行:

keytool -genkey?-alias gzirms_tomcat?-keystore gzirms_keystore?-storepass changeit -validity 365 -keyalg RSA -keysize 576 -v

生成keystore,别名为gzirms_tomcat,keystore的名称gzirms_keystore,初始密码changeit,有效期365天,密匙算法RSA,密钥长度 576

执行后,输入相关信息

gz.restar.net为服务器名称,后续配置访问路径时需要根据服务器名称配置,如果不想用主机名,可以通过配置hosts解决

3. 生成Server的cert证

keytool -export -file gzirms_keystore.cert -alias gzirms_tomcat -keystore gzirms_keystore

从名为gzirms_keystore的keystore中导出文件名为gzirms_keystore.cert的证书(要求输入密码,为上面定义的初始密码changeit)

4. 导入证书到tomcat中

keytool -import -keystore ../jre/lib/security/cacerts -file gzirms_keystore.cert -alias gzirms_tomcat

5. 配置tomcathttps协议

tomcatconf跟目录下的server.xml,查找“Define a SSL HTTP/1.1 Connector on port 8443”,找到后修改部分配置文件(绿色部分):

<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the?
connector should be using the OpenSSL style configuration
described in the APR documentation -->

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:\Java\jdk1.6\bin\gzirms_keystore"
keystorePass="changeit" />

6. 单点登录门户配置

修改web.xml文件,增加单点登录filter

<!-- 单点登录服务端配置 -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 用于单点登出 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- 门户作为客户端应用配置验证 -->

<filter>
<filter-name>CASFilter</filter-name>
<filter-class>com.boco.cas.filter.CasUrlFilter</filter-class>
<!--下面两个为验证地址,即cas server的地址,如果使用https验证,地址为https://hostname:8443字样-->
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>http://LeeZw-PC:8080/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://LeeZw-PC:8443/cas/proxyValidate</param-value>
</init-param>
<!-- 本工程的URL,被拦截的地址-->
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>LeeZw-PC:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
7. cas web应用配置

1) 复制cas.war到tomcat/wabapps下

2) 修改cas\WEB-INF\deployerConfigContext.xml

a. 在beans下增加datasource配置

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@127.0.0.1:1521:ORCL</value>
</property>
<property name="username">
<value>gz_portal</value>
</property>
<property name="password">
<value>gz_portal</value>
</property>
</bean>

b. 在beans下增加密码加密策略配置

<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
<constructor-arg value="MD5"/>
</bean>
c. 修改authenticationHandlers配置

屏蔽<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />

增加

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource"/>
<property name="sql" value="SELECT PASSWORD FROM (SELECT OPERATOR_ID, PASSWORD FROM T_SYS_P_OPERATOR WHERE OPERATOR_ID != 'doraemon' UNION ALL SELECT 'doraemon' AS OPERATOR_ID, 'f9144ac3ae6679ea38bcc0e21e964453' AS PASSWORD FROM DUAL) WHERE OPERATOR_ID = ?"/>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>

3)复制需要的jar包到cas\WEB-INF\lib

a. cas-server-support-jdbc-3.4.10.jar

b. commons-dbcp.jar

c. commons-pool.jar

d. ojdbc14.jar

客户端:

修改web.xml,增加单点登录filter

<filter>
<filter-name>CASFilter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<!--下面两个为验证地址,即cas server的地址,如果使用https验证,地址为https://hostname:8443字样-->
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>http://LeeZw-PC:8080/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://LeeZw-PC:8443/cas/proxyValidate</param-value>
</init-param>
<!-- 本工程的URL,被拦截的地址-->
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>LeeZw-PC:8080</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

  相关解决方案