Earlier we integrated a database and Shiro on the CAS server side, but so far everything has happened on the server: logging in just redirected to a "login succeeded" page, which is not very interesting. In this post we integrate the server with clients so that different client applications log in through CAS. The CAS server is still the Shiro-integrated version from the earlier posts.
| IP | Domain | Service |
|---|---|---|
| 127.0.0.1 | server.cas.com | CAS server |
| 127.0.0.1 | app1.cas.com | CAS client 1 |
| 127.0.0.1 | app2.cas.com | CAS client 2 |

Add the corresponding entries to /etc/hosts:

```
127.0.0.1 server.cas.com
127.0.0.1 app1.cas.com
127.0.0.1 app2.cas.com
```
Before a client can use CAS it must be registered on the server side; otherwise a client request is rejected with an "unauthorized service" warning:
Requirement: allow every service reached over https or http to authenticate. Create the file HTTPSandIMAPS-10000001.json under resources/services (I copied this file from the same path in the CAS source tree):

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "测试客户端",
  "id" : 10000001,
  "description" : "这是一个测试客户端的服务,所有的https或者http访问都允许通过",
  "evaluationOrder" : 10000
}
```
Note: the services directory may contain multiple JSON files. Each file name must follow the rule `${name}-${id}.json`, and the id in the file name must be identical to the id inside the JSON content.
After the service definition is in place, application.properties must also be changed so that the CAS server loads service definitions from the local files:

```properties
# register clients
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.schedule.repeatInterval=120000
cas.serviceRegistry.schedule.startDelay=15000
cas.serviceRegistry.managementType=DEFAULT
cas.serviceRegistry.json.location=classpath:/services
cas.logout.followServiceRedirects=true
```
```
2018-07-31 18:49:38,611 WARN [org.apereo.cas.services.ServiceRegistryInitializer] -
```
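Two things are worth checking offline before the registry above goes anywhere near a real deployment: that every file in the services directory obeys the `${name}-${id}.json` rule with an id that matches its body (a mismatch is exactly the kind of thing the initializer warns about at startup), and what the `serviceId` regex actually admits. The following Python script is an added example, not code from this post or from the CAS project; the "tight" service definition restricted to the two lab clients is an assumption introduced here to contrast with the post's catch-all pattern, which lets any http or https URL act as a CAS service and receive service tickets.

```python
"""Offline checks for a CAS JSON service registry directory (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample: the catch-all definition from the post (name shortened),
# plus a tightened variant that only admits app1/app2 on their lab ports.
# The tight pattern is an assumption for this example, not the post's config.
BROAD_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps|http)://.*",
    "name": "testclient",
    "id": 10000001,
    "evaluationOrder": 10000,
}
TIGHT_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": r"^http://app[12]\.cas\.com:808[12](/.*)?$",
    "name": "labclients",
    "id": 10000002,
    "evaluationOrder": 10,
}

# ${name}-${id}.json: the post only requires the numeric id to match the body.
FILENAME_RE = re.compile(r"^(?P<name>.+)-(?P<id>\d+)\.json$")


def check_registry_dir(directory: Path) -> dict:
    """Return {filename: problem-or-None} for every *.json file in directory."""
    results = {}
    for path in sorted(directory.glob("*.json")):
        m = FILENAME_RE.match(path.name)
        if not m:
            results[path.name] = "filename is not ${name}-${id}.json"
            continue
        try:
            body = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            results[path.name] = "invalid JSON: " + exc.msg
            continue
        if body.get("id") != int(m.group("id")):
            results[path.name] = "id in filename (%s) != id in body (%s)" % (
                m.group("id"), body.get("id"))
            continue
        results[path.name] = None
    return results


def matching_services(url: str, services: list) -> list:
    """Ids of services whose serviceId regex matches url, lowest evaluationOrder first.

    The simple anchored patterns used here behave the same under java.util.regex
    and Python's re.match, so this is a faithful preview of what CAS would pick.
    """
    ordered = sorted(services, key=lambda s: s["evaluationOrder"])
    return [s["id"] for s in ordered if re.match(s["serviceId"], url)]


def demo() -> tuple:
    """Write three files (one mis-named) into a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "testclient-10000001.json").write_text(json.dumps(BROAD_SERVICE))
        (d / "labclients-10000002.json").write_text(json.dumps(TIGHT_SERVICE))
        # Constructed bad file: the id in the name does not match the body.
        (d / "typo-99.json").write_text(json.dumps(TIGHT_SERVICE))
        report = check_registry_dir(d)
    services = [BROAD_SERVICE, TIGHT_SERVICE]
    lab = matching_services("http://app1.cas.com:8081/index.jsp", services)
    stranger = matching_services("https://unknown.example/callback", services)
    return report, lab, stranger


if __name__ == "__main__":
    report, lab, stranger = demo()
    for name, problem in report.items():
        print(name + ": " + (problem or "ok"))
    print("lab client matched by:", lab)        # tight service first, then broad
    print("unknown host matched by:", stranger)  # only the catch-all pattern
```

Running it shows the lab client matched by both definitions (the tight one wins on evaluationOrder) while an unrelated host is still matched by the post's catch-all pattern, which is fine for a local test rig but should be replaced by per-client patterns anywhere real tickets are issued.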
Posts online say the client certificate and the server certificate must be the same certificate, otherwise errors occur. Because I was running everything on the same machine, I skipped this step.
```shell
sudo keytool -import -file /Users/wangsaichao/Desktop/tomcat.cer -alias tomcat -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit
```
The official documentation provides a sample CAS Java client project. Download it and import it into IDEA. The tomcat7-maven-plugin configuration in pom.xml:

```xml
<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat7-maven-plugin</artifactId>
  <version>2.2</version>
  <configuration>
    <port>8081</port>
    <uriEncoding>UTF-8</uriEncoding>
    <server>tomcat7</server>
    <path>/</path>
  </configuration>
</plugin>
```
The example given here is for client 1; for client 2, simply change app1.cas.com:8081 to app2.cas.com:8082 in pom.xml and web.xml.
```xml
<display-name>cas-app</display-name>

<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://server.cas.com:8443/cas</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>CAS Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://server.cas.com:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app1.cas.com:8081</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://server.cas.com:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://app1.cas.com:8081</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
To make the effect visible, add a few tags to index.jsp in both clients, together with links for jumping from one client to the other. Only the complete file for client 1 is shown below:
```jsp
<%@page contentType="text/html" %>
<%@page pageEncoding="UTF-8" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.util.Iterator" %>
<%@ page import="java.util.List" %>
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<html>
<head>
    <title>CAS Example Java Web App</title>
</head>
<body>
<h1>当前为客户端1</h1>
<a href="http://app1.cas.com:8081">客户端1</a>
<a href="http://app2.cas.com:8082">客户端2</a>
<p>A sample web application that exercises the CAS protocol features via the Java CAS Client.</p>
<p>Authenticated User Id: <%= request.getRemoteUser() %></p>
<%
    // request.getUserPrincipal() is populated by HttpServletRequestWrapperFilter
    if (request.getUserPrincipal() != null) {
        AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
        final Map attributes = principal.getAttributes();
        if (attributes != null) {
            Iterator attributeNames = attributes.keySet().iterator();
            out.println("<h2>Attributes:</h2>");
            if (attributeNames.hasNext()) {
                out.println("<table border='1'>");
                out.println("<tr><th>Key</th><th>Value</th></tr>");
                while (attributeNames.hasNext()) {
                    String attributeName = (String) attributeNames.next();
                    out.println("<tr><td>");
                    out.println(attributeName);
                    out.println("</td><td>");
                    final Object attributeValue = attributes.get(attributeName);
                    if (attributeValue instanceof List) {
                        // a repeated attribute arrives as a List of values
                        final List values = (List) attributeValue;
                        out.println("<strong>Multi-valued attribute: " + values.size() + "</strong>");
                        out.println("<ul>");
                        for (Object value : values) {
                            out.println("<li>" + value + "</li>");
                        }
                        out.println("</ul>");
                    } else {
                        out.println(attributeValue);
                    }
                    out.println("</td></tr>");
                }
                out.println("</table>");
            } else {
                out.println("The attribute map is empty. Review your CAS filter configurations.");
            }
        }
    } else {
        out.println("The user principal is empty from the request object. Review the wrapper filter configuration.");
    }
%>
</body>
</html>
```
Start the server and the clients. Visiting a client now redirects to the CAS login page; enter the user credentials, and after a successful login you are sent back to the client.

First, let me list the errors that came up; integrating with the clients produced quite a few problems.

1. `javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching cas.com found`

   Cause: when the certificate was generated, the domain used was server.cas.com, but when I started using the CAS server I had kept configuring the domain as cas.com. It should actually include the "server" label, so change cas.com to server.cas.com in the client. Remember to update the domain mapping in /etc/hosts as well.

2. `org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.`
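The web.xml filter chain above and error 2 both come down to two URLs and one XML document: `AuthenticationFilter` redirects the browser to `casServerLoginUrl` with the client's own address as `service`, and after CAS redirects back with a ticket the validation filter calls the server's `/p3/serviceValidate` endpoint and parses the XML it returns. The Python script below is an added example (not code from this post or from the Java CAS Client) that builds both URLs from the client 1 values in web.xml and parses constructed success and failure responses; the user name, ticket and attribute values are made up. It raises the same "No principal was found" message as the Java client under the condition that produces it there: a response that is neither an explicit `authenticationFailure` nor contains a `<cas:user>` element.

```python
"""CAS 3.0 login redirect, ticket validation URL and response parsing (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = "http://www.yale.edu/tp/cas"
CAS_PREFIX = "https://server.cas.com:8443/cas"   # casServerUrlPrefix from web.xml
CAS_LOGIN = CAS_PREFIX + "/login"                 # casServerLoginUrl from web.xml
SERVER_NAME = "http://app1.cas.com:8081"          # serverName of client 1


class TicketValidationError(Exception):
    """Stands in for org.jasig.cas.client.validation.TicketValidationException."""


def login_redirect(request_path: str) -> str:
    """AuthenticationFilter's job for an unauthenticated request: send the
    browser to CAS with the client's own URL as the `service` parameter."""
    return CAS_LOGIN + "?" + urlencode({"service": SERVER_NAME + request_path})


def extract_service(redirect_url: str) -> str:
    """What the CAS server reads from that redirect (and matches against the
    registry's serviceId patterns) before it shows the login form."""
    return parse_qs(urlparse(redirect_url).query)["service"][0]


def validation_url(service: str, ticket: str) -> str:
    """The server-to-server call the validation filter makes after CAS sends the
    browser back with ?ticket=ST-...; `service` must be the exact string used at
    login, otherwise CAS answers with an INVALID_SERVICE failure."""
    return CAS_PREFIX + "/p3/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation_response(xml_text: str) -> tuple:
    """Parse a /p3/serviceValidate response into (user, attributes).

    Raises TicketValidationError on an explicit failure, and on a response that
    carries no <cas:user>, which is what yields the Java client's message
    'No principal was found in the response from the CAS server.'
    """
    root = ET.fromstring(xml_text)
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        raise TicketValidationError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    user = root.find("{%s}authenticationSuccess/{%s}user" % (CAS_NS, CAS_NS))
    if user is None or not (user.text or "").strip():
        raise TicketValidationError("No principal was found in the response from the CAS server.")
    attributes = {}
    for el in root.iterfind("{%s}authenticationSuccess/{%s}attributes/*" % (CAS_NS, CAS_NS)):
        name = el.tag.split("}", 1)[1]
        value = (el.text or "").strip()
        # A repeated element becomes a list, which index.jsp renders as a
        # "Multi-valued attribute".
        if name in attributes:
            if not isinstance(attributes[name], list):
                attributes[name] = [attributes[name]]
            attributes[name].append(value)
        else:
            attributes[name] = value
    return user.text.strip(), attributes


# Constructed responses in the shape CAS returns from /p3/serviceValidate.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:email>casuser@example.com</cas:email>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-1-example' does not match supplied service.
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Success element with no <cas:user>: the shape behind error 2 above.
EMPTY_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess/>
</cas:serviceResponse>"""


if __name__ == "__main__":
    redirect = login_redirect("/index.jsp")
    print(redirect)
    print(validation_url(extract_service(redirect), "ST-1-example"))
    print(parse_validation_response(SUCCESS_XML))
    for bad in (FAILURE_XML, EMPTY_XML):
        try:
            parse_validation_response(bad)
        except TicketValidationError as exc:
            print("rejected:", exc)
```

Two details matter when debugging a client like the one above: the `service` value sent at login and the one sent to `serviceValidate` must be byte-for-byte identical (both come from `serverName` plus the request path, which is why the `serverName` parameter appears on both filters), and the validation call is made by the client's JVM, so it is that JVM's trust store and hostname check that produce the `No name matching ... found` failure listed as error 1.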