• CAS-based SSO (single sign-on) example


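    Step 1: Deploy CAS-Server (server side)

      1. Download the latest CAS-Server from the official CAS website (http://developer.jasig.org/cas/) (the latest version at the time of writing is cas-server-4.0.0-release.zip), unzip it, find modules/cas-server-webapp-3.5.2.war, copy it into the webapps directory of the local Tomcat and rename it to cas.war (another name also works). Start Tomcat; a web project named cas is generated under webapps.

      2. CAS communicates over HTTPS by default, which requires configuring SSL in Tomcat (this part will be covered in detail later). However, since a typical project does not need such a high security level, HTTP will be used here to keep things simple.

      Open webapps\cas\WEB-INF\spring-configuration\warnCookieGenerator.xml, find the following configuration, and change p:cookieSecure="true" to p:cookieSecure="false".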

      

      Open webapps\cas\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml, find the following configuration, and change p:cookieSecure="true" to p:cookieSecure="false".

      

      Open webapps\cas\WEB-INF\deployerConfigContext.xml, find the following configuration, and add p:requireSecure="false" at the position marked in the figure below.

      

      3. Restart Tomcat and visit http://localhost:8085/cas; the login page shown below appears.

      

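       As for the Non-secure Connection error shown in the figure below, it appears because HTTPS is not in use and the default login page contains code that checks for this. In a real project the login page is usually custom-written, by modifying casLoginView.jsp under webapps\cas\WEB-INF\view\jsp\default\ui. Deleting the code shown in the figure below removes the warning.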

      

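      4. CAS-Server's default authentication rule: authentication succeeds whenever the username and password are identical (for testing only; a production environment must change this to suit its needs, and how to change the authentication rule will be covered in detail later). Enter admin/admin and click login to see the login-success page. This completes the CAS server configuration.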

      

     
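    Step 2: Deploy CAS-Client (client side)

      1. Download the CAS-Client that matches the CAS-Server version (the matching version at the time of writing is cas-client-3.2.1-release.zip), unzip it, extract cas-client-3.2.1/modules/cas-client-core-3.2.1.jar, and copy it into the lib directory of the actual web project.

      2. Configure web.xml by adding the following: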

    <!-- ======================== Single sign-on: begin ======================== -->
        <!-- Used for single sign-out; this listener implements the single sign-out function. Optional. -->
        <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>
    
        <!-- This filter implements the single sign-out function. Optional. -->
        <filter>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <filter>
            <filter-name>CAS Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>http://127.0.0.1:8080/cas/login</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- This filter validates tickets and must be enabled -->
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>http://127.0.0.1:8080/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <!--
            This filter wraps the HttpServletRequest,
            for example so that the developer can get the SSO user's login name through HttpServletRequest.getRemoteUser(). Optional.
        -->
        <filter>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <!--
        This filter lets the developer get the user's login name through org.jasig.cas.client.util.AssertionHolder,
        for example AssertionHolder.getAssertion().getPrincipal().getName().
        -->
        <filter>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
      <!-- ======================== Single sign-on: end ======================== -->

      3. Simulate two subsystems.

        First, create two servlets (App1.java and App2.java).

        App1.java code

    package servlet;
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    
    public class App1 extends HttpServlet {
    
        private static final long serialVersionUID = -6593274907821061823L;
    
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("App1");
        }
    }

        App2.java code

    package servlet;
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    
    public class App2 extends HttpServlet {
    
        private static final long serialVersionUID = -6593274907821061823L;
    
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.println("App2");
        }
    }

        Final web.xml code

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.0" 
        xmlns="http://java.sun.com/xml/ns/javaee" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
      <display-name></display-name>    
      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
      
      <!-- ======================== Single sign-on: begin ======================== -->
        <!-- Used for single sign-out; this listener implements the single sign-out function. Optional. -->
        <listener>
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>
    
        <!-- This filter implements the single sign-out function. Optional. -->
        <filter>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <filter>
            <filter-name>CAS Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>http://127.0.0.1:8080/cas/login</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- This filter validates tickets and must be enabled -->
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>http://127.0.0.1:8080/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <!--
            This filter wraps the HttpServletRequest,
            for example so that the developer can get the SSO user's login name through HttpServletRequest.getRemoteUser(). Optional.
        -->
        <filter>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <!--
        This filter lets the developer get the user's login name through org.jasig.cas.client.util.AssertionHolder,
        for example AssertionHolder.getAssertion().getPrincipal().getName().
        -->
        <filter>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
      <!-- ======================== Single sign-on: end ======================== -->
        <servlet>
        <display-name>App1</display-name>
        <servlet-name>App1</servlet-name>
        <servlet-class>servlet.App1</servlet-class>
      </servlet>
      <servlet>
        <display-name>App2</display-name>
        <servlet-name>App2</servlet-name>
        <servlet-class>servlet.App2</servlet-class>
      </servlet>
      
      <servlet-mapping>
        <servlet-name>App1</servlet-name>
        <url-pattern>/App1</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>App2</servlet-name>
        <url-pattern>/App2</url-pattern>
      </servlet-mapping>
    </web-app>

      4. Add the dependency jar commons-logging.jar (logging utility). Without it an error is reported, but I did not test whether this affects normal functioning.
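
An added check, not part of the original post: a Python script that reads a web.xml like the one in step 2 and reports CAS client URL parameters that are not HTTPS, a missing ticket validation filter, and a SingleSignOutFilter that is not first among the CAS filters (as it is in the web.xml above). The function names and the trimmed SAMPLE document are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

URL_PARAMS = {"casServerLoginUrl", "casServerUrlPrefix", "serverName"}
CAS_PKG = "org.jasig.cas.client."

def _local(el):
    return el.tag.rsplit("}", 1)[-1]      # tag name without XML namespace

def _text(parent, name):
    for child in parent:
        if _local(child) == name:
            return (child.text or "").strip()
    return ""

def audit_cas_web_xml(xml_text):
    """Return findings for the CAS client filters declared in a web.xml."""
    root = ET.fromstring(xml_text)
    findings, classes = [], {}
    for el in (e for e in root if _local(e) == "filter"):
        name = _text(el, "filter-name")
        classes[name] = _text(el, "filter-class")
        for p in (c for c in el if _local(c) == "init-param"):
            key, val = _text(p, "param-name"), _text(p, "param-value")
            if key in URL_PARAMS and not val.lower().startswith("https://"):
                findings.append(f"{name}: {key}={val} is not https")
    # Filters run in <filter-mapping> order, so that is the order checked.
    chain = [classes.get(_text(m, "filter-name"), "")
             for m in root if _local(m) == "filter-mapping"]
    chain = [c for c in chain if c.startswith(CAS_PKG)]
    if not any(c.endswith("TicketValidationFilter") for c in chain):
        findings.append("no ticket validation filter is mapped")
    if any(c.endswith(".SingleSignOutFilter") for c in chain) \
            and not chain[0].endswith(".SingleSignOutFilter"):
        findings.append("SingleSignOutFilter is not the first CAS filter")
    return findings

# Constructed sample: the page's "CAS Filter" entry on its own.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>CAS Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>http://127.0.0.1:8080/cas/login</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>http://127.0.0.1:8080</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print("\n".join(audit_cas_web_xml(SAMPLE)))
```

Run against the complete web.xml from step 2, it reports only the five http:// parameters, because the validation filter is mapped and the single sign-out filter comes first.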

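    Step 3: Test SSO

      1. Enter http://127.0.0.1:8080/SSO_CAS/App1 in the browser (SSO_CAS is the web project name). The browser is redirected to CAS-Server's default login page; enter admin/admin and click login, and App1 is displayed.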

      

      2. Enter http://127.0.0.1:8080/SSO_CAS/App2 in the browser; login verification is skipped and App2 is displayed directly.

      

    This completes the CAS-based single sign-on demo.
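
The exchange that step 3 exercises, as an added Python model that is not code from the original post or from the CAS project: the first visit needs credentials and sets the CASTGC cookie, and a later visit to another service gets a fresh service ticket from that cookie alone. It assumes App1 and App2 are treated as separate services with no shared local session; the class and function names are hypothetical, and the model consumes a service ticket on any validation attempt.

```python
import secrets

class CasServer:
    """Toy model of the CAS login/validate exchange (not the real server)."""
    def __init__(self, users):
        self.users = users      # username -> password
        self.tgts = {}          # ticket-granting ticket (CASTGC cookie) -> username
        self.sts = {}           # service ticket -> (username, service URL)

    def login(self, service, user=None, password=None, tgc=None):
        """/cas/login: return (CASTGC, service ticket), or None for the login form."""
        if tgc not in self.tgts:                    # no SSO session for this browser
            if user not in self.users or self.users[user] != password:
                return None
            tgc = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = user
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgc], service)
        return tgc, st

    def service_validate(self, service, ticket):
        """/cas/serviceValidate: single use, and only for the service it was issued to."""
        user, issued_for = self.sts.pop(ticket, (None, None))
        return user if issued_for == service else None

def visit(server, browser, service, credentials=(None, None)):
    """One request to a protected URL with no local session; returns the user or None."""
    result = server.login(service, *credentials, tgc=browser.get("CASTGC"))
    if result is None:
        return None
    browser["CASTGC"], ticket = result               # cookie set by the CAS server
    return server.service_validate(service, ticket)  # the app's validation filter

def demo():
    cas = CasServer({"admin": "admin"})              # constructed account
    browser = {}                                     # cookie jar
    app1 = "http://127.0.0.1:8080/SSO_CAS/App1"
    app2 = "http://127.0.0.1:8080/SSO_CAS/App2"
    first = visit(cas, browser, app1, ("admin", "admin"))  # credentials required
    second = visit(cas, browser, app2)                     # CASTGC is enough
    return first, second

if __name__ == "__main__":
    print(demo())
```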

  • Original article: https://www.cnblogs.com/java-meng/p/7269990.html