cas 单点登录(SSO)之一: jasig cas-server 安装

cas 单点登录(SSO)实验之一: jasig cas-server 安装

参考文章：

http://my.oschina.net/indestiny/blog/200768#comments

http://wenku.baidu.com/view/0bcc0d01e87101f69e319595.html

SSO原理不多重复，需要理解的就一点，一个复杂系统需要一个唯一的验证服务，

这就是CAS(Central Authentication Service) Server。系统内的各种服务(Web网站)

可以作为CAS Server的客户端，CAS Client。而用户访问的服务其实就是这些

CAS Client。一个典型的支持SSO的Web网站如下图：

Browser--------->B服务器：WebServer(CAS Client)=======>A服务器：CAS SERVER

下面第一步就是搭建这个CAS SERVER。利用开源代码jasig cas来实现SSO的服务

器。jasig cas是一套现成的代码，首先是了解它，然后才能定制它。以下全部内容在A服务器上

执行，服务器: RHEL6.4。

jasig cas-server 安装

cas sso服务端配置. sso服务器:
IP: 192.168.1.142

hostname: ubuntu64

tomcat 8

java 7

1) 下载cas-server-4.0.0-release.tar.gz

http://downloads.jasig.org/cas/cas-server-4.0.0-release.tar.gz

或者(不需要)：
$ git clone https://github.com/Jasig/cas/tree/v4.0.0-RC3

2) 在sso服务器 (192.168.1.142) 上生成证书

$ keytool -genkey -alias ssotest -keyalg RSA

Enter keystore password: 123456
Re-enter new password: 123456
What is your first and last name?
[Unknown]: ubuntu64
What is the name of your organizational unit?
[Unknown]: dev
What is the name of your organization?
[Unknown]: pepstack.com
What is the name of your City or Locality?
[Unknown]: SHA
What is the name of your State or Province?
[Unknown]: SHA
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=ubuntu64, OU=dev, O=pepstack.com, L=SHA, ST=SHA, C=CN correct?
[no]: yes

生成文件:
~/.keystore

3) 在sso服务器 (192.168.1.142) 上导出证书

$ keytool -export -file ~/ssotest.crt -alias ssotest -keystore ~/.keystore
Enter keystore password:123456
Certificate stored in file </home/cl/ssotest.crt>

ssotest.crt 将要部署在客户端的jre环境中，本文中暂未使用。

4) 配置Tomcat SSL: ${TOMCAT_HOME}/conf/server.xml

增加下面的段落：

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!-- https -->
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
URIEncoding="UTF-8"
keystoreFile="/root/.keystore"
keystorePass="123456"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA" />

5) 部署cas-server war

解压：cas-server-4.0.0-release.tar.gz
将modules/cas-server-webapp-4.0.0.war改名为cas.war,
复制到${TOMCAT_HOME}/webapps/下.

${TOMCAT_HOME}/webapps/cas.war

启动tomcat，这时打开浏览器, 进入下面的地址，如图：
https://192.168.1.142:8443/cas/
服务端已经配置ok！登录名在下面文件中找到：deployerConfigContext.xml

<!--
| Authentication handler beans
-->
<bean id="acceptUsersAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<entry key="casuser" value="Mellon"/>
</map>
</property>
</bean>

casuser/Mellon