Our company's product uses single sign-on, since it is made up of several applications.
Previously the product was accessed through a proxy, which made every application slow to open: one request and one response turned into two, and the CAS validation in between added even more round trips. How could the overall speed not suffer?
The first problem to solve in this round of rework was therefore the CAS issue, i.e. getting rid of the old proxy access pattern.
CAS itself provides a proxy mode.
The figure above mainly shows how cas-client-1 obtains the PGT; at that point there is no interaction with cas-client-2 yet.
The figure above shows how cas-client-1 interacts with cas-client-2 on behalf of the browser.
The CAS server version I downloaded is cas-server-webapp-4.0.0
The CAS client used is cas-client-core-3.2.1
Tomcat is 7.0 x64
Deployment prerequisites:
1. I did not set up HTTPS; I could not be bothered to change that many things. The default HTTP is enough, so Tomcat needs no changes at all.
2. cas-server-webapp-4.0.0 has to be modified, because I am not using HTTPS.
The modification takes 3 steps; most write-ups online only give 2, which cost me more than half a day of trouble during deployment.
Step one:
Modify the file cas-server-webapp-4.0.0\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml; after the change it reads:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
Step two (in WEB-INF/deployerConfigContext.xml of CAS 4.0.0): set requireSecure to false on the HTTP-based credentials handler, since the proxy callback is plain HTTP here:
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/>
Step three (same file): register a service definition with allowedToProxy set to true:
<util:list id="registeredServicesList">
<bean class="org.jasig.cas.services.RegexRegisteredService"
p:id="0" p:name="HTTP and IMAP"
p:description="Allows HTTP(S) and IMAP(S) protocols"
p:serviceId="^(https?|imaps?)://.*"
p:evaluationOrder="10000001"
p:enabled="true"
p:allowedToProxy="true"
p:ssoEnabled="true"
/>
</util:list>
Without this addition, 4.0 reports an error;
the error message is:
type Exception report
message org.jasig.cas.client.validation.TicketValidationException:
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:
The supplied service 'https://127.0.0.1:8081/Proxy/' is not authorized to use CAS proxy authentication.
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:194)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
OK; the preparation work is done, and the CAS server can now be started.
Project configuration:
This is mainly about deploying proxy mode; the basic single-application setup can be found all over Baidu.
In CAS proxy mode there is necessarily one proxying side, and all the others are proxied sides.
Here I have two projects: Proxy (the proxying side) and Client (the proxied side).
The main configuration is in web.xml:
1. Proxy's web.xml
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8081</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8081</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<!-- used on the proxying side -->
<init-param>
<param-name>proxyCallbackUrl</param-name>
<param-value>http://127.0.0.1:8081/Proxy/proxyCallback</param-value>
</init-param>
<init-param>
<param-name>proxyReceptorUrl</param-name>
<param-value>/proxyCallback</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
The essential part is the highlighted (blue) section; just add it accordingly. This block:
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
must come first, otherwise proxying does not work.
2. Client's web.xml
<!-- For single sign-out; this filter implements single sign-out and is optional -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single sign-out; optional. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter handles user authentication; it must be enabled -->
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0/login</param-value>
<!-- the server here is the CAS server's IP -->
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8082</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled -->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas-server-webapp-4.0.0</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:8082</param-value>
</init-param>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<!-- accept any proxy -->
<init-param>
<param-name>acceptAnyProxy</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!– redirectAfterValidation must be false, otherwise the request params
from proxying app could not be received –>
<param-name>redirectAfterValidation</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter wraps the HttpServletRequest, e.g. so that developers can obtain the SSO user's login name through HttpServletRequest.getRemoteUser(); optional. -->
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder, e.g. AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ======================== end of single sign-on ======================== -->
Just the highlighted (blue) section is enough.
Then in the Proxy index.jsp:
<body>
this is Proxy
<a href="http://127.0.0.1:8082/Client">go to client</a>
</body>
And in the Client index.jsp:
<body>
this is Client
<a href="http://127.0.0.1:8081/Proxy">go to proxy</a>
</body>
Deployment finished.
Start both applications.
Visit http://127.0.0.1:8081/Proxy and try it out.
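The two JSP links above only let the browser navigate between the apps; the proxy path in the second figure (cas-client-1 calling cas-client-2 with a proxy ticket) is exercised by server-side code in Proxy. The servlet below is an added example, not code from the original post: it assumes the Proxy web.xml above is in place, that it is mapped to a hypothetical /callClient path, and that Client's service URL is http://127.0.0.1:8082/Client/.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

/** Proxy-side servlet (hypothetical; map it to /callClient in web.xml behind the
 *  filters above). It fetches a proxy ticket for Client and calls Client with it. */
public class CallClientServlet extends HttpServlet {
    // Must equal the service URL Client's validation filter rebuilds from its
    // serverName (http://127.0.0.1:8082) plus the request path.
    static final String CLIENT_SERVICE = "http://127.0.0.1:8082/Client/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Populated by AssertionThreadLocalFilter once CAS Validation Filter passed.
        Assertion assertion = AssertionHolder.getAssertion();
        if (assertion == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no CAS assertion");
            return;
        }
        AttributePrincipal principal = assertion.getPrincipal();
        // Uses the PGT delivered to /proxyCallback. Returns null if the PGT never
        // arrived (wrong proxyCallbackUrl, /proxyCallback mapping not first) or
        // the service is not allowedToProxy on the CAS server.
        String pt = principal.getProxyTicketFor(CLIENT_SERVICE);
        if (pt == null) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "CAS issued no proxy ticket");
            return;
        }
        URL target = new URL(CLIENT_SERVICE + "?ticket=" + URLEncoder.encode(pt, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        // Do not follow: a 302 to CAS login means Client saw no ticket; 500 means it rejected the PT.
        conn.setInstanceFollowRedirects(false);
        int status = conn.getResponseCode();
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Client answered HTTP " + status + " for user "
                + principal.getName() + (status == 200 ? " (proxy chain works)" : " (check Client logs)"));
    }
}
```

Because acceptAnyProxy=true makes Client trust a proxy ticket from any service the CAS server allows to proxy (and the registered service above matches every http URL), a tighter Client configuration replaces it with the allowedProxyChains init-param listing http://127.0.0.1:8081/Proxy/proxyCallback, so that only tickets proxied through this app validate.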