从cas-overlay-template安装apereo cas 6.1.x
今天是:
我需要三件东西:爱情友谊和图书。然而这三者之间何其相通!炽热的爱情可以充实图书的内容,图书又是人们最忠实的朋友。
User Image 从cas-overlay-template安装apereo cas 6.1.x 2020-03-08

一 什么是单点登录

单点登录的英文名称为Single Sign-On,简写为SSO,它是一个用户认证的过程,允许用户一次性进行认证之后,就访问系统中不同的应用;而不需要访问每个应用时,都重新输入密码。

二 认证流程

 

  1. 用户第一次访问受保护的应用,将会重定向到cas登录页面
  2. 用户输入用户名和密码,cas server 认证用户创建sso session,并生成TGT和改客户端的服务票据(ST)
  3. 应用拿着ST到 CAS 服务验证ST,验证通过后设置session和cookie返回浏览器
  4. 用户浏览器携带cookie访问,应用验证后返回内容
  5. 访问第二个cas client 应用,此时cookie中有TGT但是没有ST,应用要求去CAS 服务获取ST,cas 服务验证TGT并生成一个ST
  6. 客户端携带ST访问应用,应用服务区Cas server 验证ticket,验证成功后设置session,cookie,重定向到应用服务地址
  7. 展示第二个应用的内容

三. cas-overlay-template安装环境

  • JDK11
  • TOMCAT 9
  • GRADLE
  • GIT

四.下载项目并编译

git clone https://github.com/apereo/cas-overlay-template.git

执行./gradlew.bat clean build  第一次构建比较慢,耐心等待
./gradlew.bat explodeWar 解压

此时将会在bulid目录下生成一个cas-resources 文件夹,我们把里面的文件全部拷贝到src/main/resources,将\etc\cas\thekeystore 也拷贝到该目录下

更改配置application.properties    server.ssl.key-store=classpath:thekeystore 

./gradlew.bat run 将cas运行在内嵌的 Embedded Tomcat 中

启动完成后浏览器中打开 https://localhost:8443/cas/login ,

 

此时我们的cas已经部署成功 在登录也面输入用户名和密码 casuser Mellon ,出现下面界面表明cas已经部署成功

五.客户端应用接入CAS 服务

github 上有个简单的demo我们下载下来 https://github.com/casinthecloud/java-jasig-cas-client-demo.git

有一点错误,修改一下,加入如下依赖

<dependency>
   <groupId>javax.servlet</groupId>
   <artifactId>javax.servlet-api</artifactId>
   <version>3.0.1</version>
   <scope>provided</scope>
</dependency>

接入cas 主要需要配置三个filter即可,下面是完整的web.xml配置

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1"
       metadata-complete="true"
       xmlns="http://xmlns.jcp.org/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">

   <display-name>Demo webapp protected by the Java Jasig / Apereo CAS client</display-name>

   <!-- Filter to handle logout requests sent directly by the CAS server -->
   <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>http://localhost:8080/cas</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
   <!-- Listener to clean sessions -->
   <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener
      </listener-class>
   </listener>

   <!-- Define the protected urls of your application -->
   <!-- #### change with your own CAS server and your host name #### -->
   <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <!--filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class-->
      <init-param>
         <param-name>casServerLoginUrl</param-name>
         <param-value>https://localhost:8443/cas/login
         </param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://localhost:8081</param-value>
      </init-param>
      <init-param>
         <param-name>method</param-name>
         <param-value>redirect</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/protected/*</url-pattern>
   </filter-mapping>

   <!-- Define the urls on which you can validate a service ticket -->
   <!-- #### change with your own CAS server and your host name #### -->
   <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
      <!--filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class-->
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>https://localhost:8443/cas</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://localhost:8081</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>*</url-pattern>
   </filter-mapping>

   <!-- Put the CAS principal in the HTTP request -->
   <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>*</url-pattern>
   </filter-mapping>

</web-app>

NOW让我们部署一下该项目,逐一端口为8081,启动服务后打开http://localhost:8081,激动人心的时刻到了。。。。

发现在访问受保护的页面时 出现如下问题:

未认证授权的服务
不允许使用CAS来认证您访问的目标应用。

什么问题呢,看起来是CAS服务不认识我们的应用。是的,我们并没有在CAS中注册该应用,那接下来注册一下应用

Cas 6 提供了已json格式的文件来完成客户端应用的注册

现在 我们将 /etc/cas/services目录也拷贝到   src\main\resources\下,简单做一下修改即可

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder": 10000
}

在原有的https和imaps基础上增加了http应用,我们还需要再application.properties中配置注册文件的位置

cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=classpath:/services

并且需要在build.gradle中加入依赖包

dependencies {
    // Other CAS dependencies/modules may be listed here...
    compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"

}

好了一切就绪,重新编译,重启服务,再次访问我们看到如下界面

ok,我们输入静态认证用户casuser和密码Mellon 登录 然而登录后发现:

HTTP Status 500 – Internal Server Error
Type Exception Report

Message javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:440)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:42)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:207)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:191)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:94)
Root Cause

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
    java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:424)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:42)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:207)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:191)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:94)
Root Cause

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
    java.base/sun.security.validator.Validator.validate(Validator.java:264)
    java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:424)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:42)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:207)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:191)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:94)
Root Cause

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
    java.base/sun.security.validator.Validator.validate(Validator.java:264)
    java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:424)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:42)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:191)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:207)
    org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:191)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:94)
Note The full stack trace of the root cause is available in the server logs.
这特莫是什么鬼,仔细看看应该是证书的问题了,啥意思呢。 就是CAS客户端不信任CAS服务器提供的证书。我们使用keytool工具生成证书并导入jdk信任库中,

  1. keytool -genkeypair -alias cas -keyalg RSA -keypass changeit -storepass changeit -keystore D:/cas/thekeystore
  2. keytool -exportcert -alias cas -storepass changeit -keystore D:/cas/thekeystore  -file D:/cas/thekeystore/cas/cas.cer
  3. keytool -import -keystore "D:/Program Files/Java/jdk-11.0.2/lib/security/cacerts" -file cas.cer -alias cas

一切就绪,重新启动项目并登录

六.部署在外部的Tomcat中

在tomcat的server.xml中配置ssl

    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443"
        maxThreads="150"
        SSLEnabled="true">
        <SSLHostConfig>
            <Certificate
              certificateKeystoreFile="conf/thekeystore"
              certificateKeystorePassword="changeit"
              type="RSA"/>
        </SSLHostConfig>
    </Connector>

另外根据文档我们还需添加下面的依赖

dependencies {
    // Other CAS dependencies/modules may be listed here...
    compile "org.apereo.cas:cas-server-webapp:${casServerVersion}"

}

将bulid/lib中的cas.war 拷贝到tomcat的webapp中,启动即可正常访问

七.参考资料

https://apereo.github.io/cas/6.1.x/installation/WAR-Overlay-Installation.html

https://github.com/apereo/cas-overlay-template

分享到:

我的

类型标签

外部链接

网站访问总量