CAS tomcat 部署+CAS 代理模式 demo

公司的的产品使用了单点登录.毕竟有多个应用.

之前通过公司产品使用代理访问,使得各个应用在打开的时候比较缓慢.从一个request 一个response 变成了2个.中间的CAS验证也增加了.整体的速度怎能不慢呢.

这次的改造工作中首要的问题的就是解决CAS问题,及去掉之前的代理访问模式.

CAS 自身提供一种代理模式.

1
上图主要描述cas-client-1获得pgt的过程,并没有与cas-client-2交互。

2

上图描述cas-client-1代理browser与cas-client-2交互的过程。

我所下载的CAS-SERVLER版本为:cas-server-webapp-4.0.0

使用的CAS-client为:cas-client-core-3.2.1

Tomcat 为7.0 x64

部署前提:

1.  我没有弄HTTPS,懒得去改那么多东西.默认的http足以.所以TOMCAT 不需要修改任何东西。

2.需要修改cas-server-webapp-4.0.0,因为我没有使用https.

修改步骤分3步,网上大多是2步,导致我在部署中坑了半天多.

第一步:

修改cas-server-webapp-4.0.0\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml文件,修改后如下:

<bean id=”ticketGrantingTicketCookieGenerator” class=”org.jasig.cas.web.support.CookieRetrievingCookieGenerator”
p:cookieSecure=”false”
p:cookieMaxAge=”-1″
p:cookieName=”CASTGC”
p:cookiePath=”/cas” />
主要是修改红色部分.
第二步:
修改cas-server-webapp-4.0.0\WEB-INF\deployerConfigContext.xml,authenticationHandlers下有一个org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler,在,修改后如下:
<bean class=”org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler”
p:httpClient-ref=”httpClient”
p:requireSecure=”false”/>
比原来增加了一个属性配置p:requireSecure=”false”,这个属性默认值是true,代表cas-server在回调代理应用时使用https,以加强安全。
第三步:
  这一步主要是4.0以后才会有的,4以下的版本估计不用此操作.
修改cas-server-webapp-4.0.0\WEB-INF\deployerConfigContext.xml
找到下列代码 增加红色部分.
<util:list id=”registeredServicesList”>
<bean class=”org.jasig.cas.services.RegexRegisteredService”
p:id=”0″ p:name=”HTTP and IMAP”
p:description=”Allows HTTP(S) and IMAP(S) protocols”
p:serviceId=”^(https?|imaps?)://.*”
p:evaluationOrder=”10000001″
p:enabled=”true”
p:allowedToProxy=”true”
p:ssoEnabled=”true”
/>

4.0不添加则会报错;
错误信息为:

type Exception report

message org.jasig.cas.client.validation.TicketValidationException:

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:
The supplied service ‘https://127.0.0.1:8081/Proxy/’ is not authorized to use CAS proxy authentication.

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:194)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

 

OK;前提工作做完了。可以启动CAS-SERVER了

项目配置:

这里主要是代理模式的部署.单系统的基本百度到处都是.

CAS 的代理模式中,必然一个是代理端,其他全是被代理端.

我这里是Proxy(代理端),Client(被代理端) 2个项目.

主要是web.xml文件配置:

1.proxy 的web.xml

<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8081</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8081</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>

<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<!– 代理端 使用–>
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>http://127.0.0.1:8081/Proxy/proxyCallback</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/proxyCallback</param-value>
</init-param>

</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

</web-app>

这里主要是蓝色部分 对应添加就是.

<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>

这段必须是在最前面  不然代理无效

2.Client的web.xml

<!– 用于单点退出,该过滤器用于实现单点登出功能,可选配置 –>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!– 该过滤器用于实现单点登出功能,可选配置。 –>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!– 该过滤器负责用户的认证工作,必须启用它 –>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0/login</param-value>
<!–这里的server是服务端的IP –>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8082</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!– 该过滤器负责对Ticket的校验工作,必须启用它 –>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8082</param-value>
</init-param>

<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<!–允许所有代理–>
<init-param>
<param-name>acceptAnyProxy</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!– redirectAfterValidation must be false, otherwise the request params
from proxying app could not be received –>
<param-name>redirectAfterValidation</param-name>
<param-value>false</param-value>
</init-param>

</filter>

<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!– 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。 –>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!– 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 –>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!– ======================== 单点登录结束 ======================== –>

就蓝色的那一段就好了.

然后在Proxy index.jsp

<body>
this is Proxy
<a href=”http://127.0.0.1:8082/Client”>go to client</a>
</body>

Client index.jsp

<body>
this is Client
<a href=”http://127.0.0.1:8081/Proxy”>go to client</a>
</body>

 

部署完毕.
启动2个应用。
访问 http://127.0.0.1:8081/Proxy 试试吧

发表评论

电子邮件地址不会被公开。 必填项已用*标注