CAS and tomcat simple SSO Construction

Source: Internet
Author: User

CAS SSO on Tomcat 6.0.18
(1) Implementation principle of CAS
Terms:

CAS (Central Authentication Service)
TGT (ticket granting ticket)
TGC (ticket granting cookie, the browser cookie that carries the TGT)
ST (service ticket)
PGT (proxy granting ticket)

Structurally, CAS consists of two parts: the CAS server and the CAS client. The CAS server is deployed on its own and is responsible for authenticating users. The CAS client guards access requests to the protected resources of an application and redirects the browser to the CAS server whenever a login is required. Figure 1 shows the basic CAS protocol flow:

 

Figure 1. The basic CAS protocol (the step numbers used below refer to this figure)

 

The CAS client is deployed alongside the protected application and guards its resources as a servlet filter. For every web request to a protected resource, the CAS client checks whether the HTTP request carries a service ticket. If it does not, the current user is not logged in, so the request is redirected to the configured CAS server login address, passing along the service (the address of the resource the user wanted) so that the browser can be sent back there after a successful login. The user enters credentials in step 1. If the login succeeds, the CAS server generates a service ticket (a long, random, unique and therefore unforgeable string), caches it for later verification, redirects the browser to the service address with the ticket attached, and sets a ticket granting cookie (TGC) in the browser so that later logins to other applications need no password. Once the CAS client receives the service and the freshly generated ticket, it contacts the CAS server directly in steps 5 and 6 to verify that the service ticket is valid and was issued for this service; only then is the request allowed through.

In this protocol, every interaction with CAS uses SSL/TLS so that the ST and the TGC cannot be read or replayed from the wire. The flow involves two browser redirects, but the ticket validation between the CAS client and the CAS server is a direct server-to-server call and is invisible to the user.

In addition, the CAS protocol provides a proxy mode (based on the PGT) for more advanced and complex application scenarios. For details, refer to the documentation on the official CAS website.

(2) Software required
1. CAS client library: cas-client-java-2.1.1.zip

2. CAS server package: cas-server-3.3.3-release.zip

3. Tomcat 6.0

4. JDK 6.0

(3) configuration steps
1. Install jdk6.0 and tomcat6.0 (omitted)
2. Configure the Java and Tomcat environment variables
(1) JDK environment variables:

If your JDK is installed on drive C, for example in C:/Program Files/Java/jdk1.6.0_03, click New under the system variables (or the user variables) and add:

Variable name: JAVA_HOME

Variable value: C:/Program Files/Java/jdk1.6.0_03

Click New again:

Variable name: CLASSPATH

Variable value: .;%JAVA_HOME%/lib/dt.jar;

Add .;%JAVA_HOME%/bin to PATH.

Test:

Start > Run > cmd

Enter java and javac at the prompt and press Enter; both commands should print their usage text.

(2) Tomcat environment variables:

If your Tomcat is installed on drive C, for example in C:/Apache-Tomcat-6.0.18/Apache-Tomcat-6.0.18 (make sure the installation path contains no spaces, otherwise the configuration may fail), click New under the system variables in the same way:

Variable name: CATALINA_BASE

Variable value: C:/Apache-Tomcat-6.0.18/Apache-Tomcat-6.0.18

Create again:

Variable name: CATALINA_HOME

Variable value: C:/Apache-Tomcat-6.0.18/Apache-Tomcat-6.0.18

Click OK, then add %CATALINA_HOME%/lib/servlet-api.jar to CLASSPATH (Tomcat 6 keeps its jars in lib; the common/lib directory belongs to Tomcat 5.x) and %CATALINA_HOME%/lib to PATH.

Test:

Change into %CATALINA_HOME%/bin and run startup.bat; Tomcat should start and listen on port 8080.

3. Configure the SSL protocol
Background: SSL/TLS is the protocol used for communication between the CAS server and its clients; every ticket exchanged in the CAS protocol must travel over it.

Steps:

3.1 Generate a keystore

Run the following command at the command prompt:

C:/Documents and Settings/Administrator> keytool -genkey -alias mykey -keyalg RSA -keystore server.keystore

Enter keystore password: 123456

Re-enter new password: 123456

What is your first and last name?

[Unknown]: the host name of the server (an IP address works but a host name is preferable). Use the name that clients will resolve to this machine, because it becomes the CN of the certificate, and browsers and the CAS client compare it with the host name in the URL.

What is the name of your organizational unit?

[Unknown]: capinfo

What is the name of your organization?

[Unknown]: capinfo

What is the name of your City or Locality?

[Unknown]: Beijing

What is the name of your State or Province?

[Unknown]: Beijing

What is the two-letter country code for this unit?

[Unknown]: CN

Is CN=fengqingyu, OU=capinfo software Ltd., O=capinfo, L=Beijing, ST=Beijing, C=CN correct?

[no]: y

Enter key password for <mykey>

(RETURN if same as keystore password): press Enter

In the directory where you ran the command (C:/Documents and Settings/Administrator here) you will now find the file server.keystore, which contains the generated RSA key pair and its self-signed certificate.

Note:

Tomcat unlocks the private key with the keystore password (keystorePass) unless a separate keyPass attribute is set on the connector, so either keep the key password identical to the keystore password, as done here by pressing Enter, or add keyPass to the connector. The password 123456 is only a placeholder for this walkthrough; use a strong password on a real server, because anyone who obtains server.keystore together with its password can impersonate the CAS server.

3.2 Add the keystore directory

Create a new directory named keystore under %CATALINA_HOME% and copy server.keystore into it.

3.3 Modify the configuration file

Edit %CATALINA_HOME%/conf/server.xml and add an HTTPS connector:

<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore/server.keystore" keystorePass="123456"
           clientAuth="false" sslProtocol="TLS" />

Note:

1) keystoreFile points to %CATALINA_HOME%/keystore/server.keystore; a relative path is resolved against the Tomcat base directory.

2) keystorePass is the password you chose when generating the keystore.

3) Test HTTPS: open https://localhost:8443/. The browser warns that the certificate is untrusted, because it is self-signed; accept it and the familiar Tomcat welcome page appears.

4) It is best to use your host name instead of localhost in the address, so that the host name in the URL matches the CN of the certificate.

The SSL configuration is now complete.

4. Set up the CAS server
4.1 Deploy CAS on Tomcat

1) Unzip the downloaded cas-server-3.3.3-release.zip.

2) Copy cas-server-webapp-3.3.3.war from the modules folder of the unzipped package into Tomcat's webapps directory and rename it cas.war.

Restart Tomcat and open https://localhost:8443/cas. If the CAS login page appears, the CAS server has been deployed successfully. Note that the stock CAS 3.3.3 webapp ships with a test authentication handler that accepts any username whose password is identical to the username; it is meant for trying the setup out and must be replaced with a real authentication handler (LDAP, JDBC, and so on) before production use.

5. Set up the CAS client
1. Configure HTTPS on the client's Tomcat in the same way as on the server.

2. Install the client library

1) Unzip cas-client-java-2.1.1.zip and copy casclient.jar from cas-client-java-2.1.1/dist into the WEB-INF/lib directory of the web application you want to protect.

2) Copy all jars under cas-client-java-2.1.1/lib into the same WEB-INF/lib directory.

3. Certificate exchange

The CAS client validates tickets by calling the CAS server over HTTPS, so the JVM running the client must trust the server's self-signed certificate. Only the certificate (the public half) is exported; the private key stays in server.keystore on the server.

1) Export the server certificate

C:/Documents and Settings/Administrator> keytool -export -file client.cert -alias mykey -keystore server.keystore

2) Import it into the client's trust store

Copy the exported client.cert to the client machine and run there:

keytool -import -trustcacerts -file client.cert -storepass changeit -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -alias mykey1

(changeit is the default password of the JDK's cacerts trust store. A trusted certificate entry has no private key, so it is the store password, not a key password, that keytool needs here.)

Note:

Import into the cacerts file of the JRE that Tomcat actually runs on. The JRE bundled inside the JDK is a separate installation from a standalone public JRE, so check which one Tomcat uses; for the JDK it is, for example:

C:/Program Files/Java/jdk1.6.0_03/jre/lib/security/cacerts

4. Modify the configuration file

1) Edit webapps/examples/WEB-INF/web.xml and add the servlet filter that performs the SSO check.

Note: this is the web.xml of the project to which you want to add SSO; this walkthrough uses the examples application that ships with Tomcat.

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://cas02.com.cn:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://cas02.com.cn:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>cas02.com.cn:8080</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Note: in this test the server and the client run on the same machine, so the same host name appears in all three values. If they run on different machines, the host name in loginUrl and validateUrl is that of the CAS server, while serverName is the host name and port of the client application as the browser addresses it. The filter uses serverName to build the service URL that it sends to the CAS server at login and again at validation, so if serverName differs from the URL users actually type, every ticket validation fails. Both CAS URLs must use https; the Yale client's ticket validator only accepts https URLs. wrapRequest=true wraps the request so that the authenticated CAS username is returned by request.getRemoteUser().
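The protocol walkthrough in section (1) and the filter configuration above describe the same exchange. The following is an added example written for this page, not code from the original article or from the CAS project: a toy CAS 2.0 ticket server and the per-request filter logic, in Python. LOGIN_URL reuses the loginUrl from the web.xml above and CAS_NS is the namespace of CAS 2.0 validation responses; CasServer, cas_filter, the in-memory ticket dicts and the credentials are this example's own stand-ins for the CAS server, its ticket cache and a user database.

```python
"""Toy model of the CAS 2.0 exchange: a ticket-issuing server plus the
client-side filter logic. Added example, not code from the original page or
from the CAS project. CasServer, cas_filter and the in-memory dicts are
assumptions made here; a real CAS server persists tickets and is reached over
HTTPS."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "https://cas02.com.cn:8443/cas/login"   # loginUrl from the web.xml above
CAS_NS = "http://www.yale.edu/tp/cas"               # CAS 2.0 response namespace
ST_LIFETIME = 10   # seconds: service tickets are short-lived and single-use


def _failure(code):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}"/></cas:serviceResponse>')


def _success(user):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
            f'<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')


class CasServer:
    """Server side: TGTs (one per browser session, carried as the TGC cookie)
    and STs (one per protected-resource visit, bound to a single service)."""

    def __init__(self, users):
        self.users = users   # username -> password; constructed test data only
        self.tgts = {}       # TGT id -> username
        self.sts = {}        # ST id -> (username, service, issued_at)

    def login(self, username, password, service, tgc=None):
        """Steps 1-4: authenticate (or reuse a valid TGC without a password)
        and redirect back to `service` with a fresh ST. Returns (tgc, url)."""
        if tgc in self.tgts:
            username = self.tgts[tgc]                 # SSO: no password prompt
        elif password is not None and self.users.get(username) == password:
            tgc = "TGT-" + secrets.token_urlsafe(32)  # long, random, unforgeable
            self.tgts[tgc] = username
        else:
            raise PermissionError("bad credentials")
        st = "ST-" + secrets.token_urlsafe(32)
        self.sts[st] = (username, service, time.time())
        sep = "&" if "?" in service else "?"
        return tgc, f"{service}{sep}{urlencode({'ticket': st})}"

    def service_validate(self, ticket, service):
        """Steps 5-6 (/serviceValidate): the ST is consumed on first use, must
        not be stale, and must match the service it was issued for."""
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return _failure("INVALID_TICKET")
        username, issued_for, issued_at = entry
        if time.time() - issued_at > ST_LIFETIME:
            return _failure("INVALID_TICKET")
        if issued_for != service:
            return _failure("INVALID_SERVICE")
        return _success(username)


def cas_filter(request_url, validate):
    """Client side, what the filter does per request. `validate` stands in for
    the HTTPS call to validateUrl. Returns ("redirect", login_url) when no
    ticket is present, ("user", name) on success, ("deny", code) otherwise."""
    parts = urlsplit(request_url)
    query = parse_qs(parts.query)
    ticket = query.pop("ticket", [None])[0]
    # The service identity is the request URL minus the ticket parameter; it
    # must be byte-identical when the ST is issued and when it is validated.
    service = parts._replace(query=urlencode(query, doseq=True)).geturl()
    if ticket is None:
        return "redirect", f"{LOGIN_URL}?{urlencode({'service': service})}"
    root = ET.fromstring(validate(ticket, service))
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        return "user", success.findtext(f"{{{CAS_NS}}}user")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    return "deny", (failure.get("code") if failure is not None else "INVALID_RESPONSE")


if __name__ == "__main__":
    server = CasServer({"alice": "s3cret"})           # constructed credentials
    app = "http://cas02.com.cn:8080/examples/"
    print(cas_filter(app, server.service_validate))   # redirect to CAS login
    tgc, back = server.login("alice", "s3cret", app)
    print(cas_filter(back, server.service_validate))  # ('user', 'alice')
    print(cas_filter(back, server.service_validate))  # replay: ('deny', 'INVALID_TICKET')
```

Running the block shows the three outcomes the filter can produce: the redirect to the login URL carrying the service parameter, a successful validation that yields the username, and the rejection of a replayed ticket. The server side also refuses an ST presented for a service other than the one it was issued for, which is why the serverName value in the filter must match the URL the browser actually uses.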

6. Test SSO
1) Open http://<client host name>:8080 in Internet Explorer. From the Tomcat welcome page click Examples; the filter redirects you to the CAS login page. Log in (with the test authentication handler of the stock CAS webapp, any username whose password is identical to the username is accepted) and you are sent back to the examples page, now authenticated. That completes this simple SSO setup.

 

This article from: http://blog.csdn.net/xinyucool2006/archive/2009/11/13/4808040.aspx
