CAS SSO Configuration

Source: Internet
Author: User

There is really no need to repeat what is already all over the Internet, but I can't help making a few complaints, and since I want to share my experience I have to pretend it is worth writing down. Software is upgraded constantly and the way it is used changes with it; do not keep applying old-version methods to a new version. That helps nobody and only wastes time. Painful as it is, going straight to the official website and working through the English documentation beats picking up outdated material. Most of the write-ups on the Internet mix the CAS 2.x and 3.x clients, which I do not think is reasonable: the Yale client package is no longer available on JASIG, yet they still tell you to configure the Yale classes or the like when setting up the client. So when I configured the client I wrote down the usage for the new version, in the hope that others will not take the same detour I did.

 

Generate a certificate (the commands below were run from the JDK's bin directory, which is why the JRE is addressed as ../jre):

1. Generate a digital certificate (an RSA key pair plus a self-signed certificate) in a new keystore:

keytool -genkey -alias examplecas -keypass changeit -keyalg RSA -keystore server.keystore

2. Export the digital certificate (only the public certificate; the private key stays in server.keystore):

keytool -export -alias examplecas -keypass changeit -file server.crt -keystore server.keystore

3. Import the digital certificate into the trusted store (cacerts) of the JRE:

keytool -import -alias examplecas -file server.crt -keypass changeit -keystore ../jre/lib/security/cacerts

Because the certificate is self-signed, keytool prints its details and fingerprint and asks whether to trust it; compare the fingerprint with the certificate you generated before answering yes.

Two cautions: passwords passed with -keypass or -storepass on the command line end up in the shell history and are visible in the process list while keytool runs, so in anything but a throwaway setup omit them and let keytool prompt. The JRE cacerts file ships with the well-known password changeit; whoever can write to that file can add a trusted issuer for every Java program using that JRE, so keep it writable by the administrator only.

Other commands:
View the list of trusted certificates (to check that the certificate was added successfully):
keytool -list -keystore ../jre/lib/security/cacerts

Common options:

-genkey: creates a key pair and self-signed certificate. Without -keystore it writes to the default file ".keystore" in the user's home directory, and without -alias the entry is named "mykey". The entry holds the user's public key, private key and certificate.
-alias: name of the entry to create or operate on.
-keystore: path of the keystore file (when given, nothing is written to the default .keystore file).
-keyalg: algorithm of the key, for example RSA.
-validity: validity period of the generated certificate, in days.
-keysize: key length in bits.
-storepass: password of the keystore.
-keypass: password protecting the private key of the alias entry.
-dname: distinguished name of the certificate owner, for example "CN=firstname, OU=org, O=BJ, L=BJ, ST=Gd, C=CN".
-list: lists the certificates in the keystore: keytool -list -v -keystore <keystore> -storepass <password>
-v: verbose output, showing the full certificate details.
-export: exports the certificate of the given alias to a file: keytool -export -alias <alias> -file <name>.crt
-file: the file to export to or import from.
-delete: deletes an entry: keytool -delete -alias <alias> -keystore <keystore>
-keypasswd: changes the key password of an entry: keytool -keypasswd -alias <alias> -keypass <old> -new <new> -storepass <password> -keystore <keystore>
-import: imports a certificate (for example one signed by a CA) into a keystore: keytool -import -alias <alias> -keystore <keystore> -file <name>.crt

 

Note:
1. When generating the digital certificate, use the host name or domain name that clients will connect to as the Common Name (CN); otherwise the client's hostname check against the certificate fails.
For example, for sso.example.com: CN=sso.example.com, OU=example, O=example, L=Beijing, ST=Beijing, C=CN
2. Check the JAVA_HOME environment variable (echo $JAVA_HOME) and confirm which JRE Tomcat actually uses (there are sometimes several JREs installed). The generated certificate file must be imported into the trusted-certificate list of the JRE used by the web server hosting the CAS client, and you can use keytool -list to check that the import succeeded. Keep in mind that importing a self-signed certificate into cacerts makes every Java program running on that JRE trust it; a separate truststore passed to the JVM with -Djavax.net.ssl.trustStore limits the trust to the application that needs it.

 

 

Build Environment:

Server: cas-server-webapp-3.4.2.war

Client: cas-client-3.1.10 (for a simple demo only cas-client-core-3.1.10.jar and commons-logging-1.1.jar from the modules directory are needed; nothing from the 2.x client is required)

JDK: jdk1.6.0_10

Tomcat: apache-tomcat-6.0.26

 

First, if HTTPS is enabled, use keytool to generate the certificate and import it into the certificate store of the JDK that Tomcat uses. Plenty of material covers this step in detail, so only the likely problems are listed here.

1. keytool chokes on file paths that contain spaces, especially when importing certificates; quote such paths or avoid them.

2. When importing into the JRE cacerts file, the password asked for is the store's default, changeit, not the password of your own keystore.

3. Tomcat 5.x and Tomcat 6.x enable SSL differently. For 6.x (one-way authentication: the server presents a certificate, clients do not):

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           keystoreFile="${keystore_path}/${name}.keystore"
           keystorePass="*****" />

The keystore password sits in server.xml in clear text, so restrict read access to that file to the account Tomcat runs as.

 

Second, set up the CAS server. There is nothing special here: just drop the war into Tomcat's webapps directory.

 

Finally, build the client.

1. Put cas-client-core-3.1.10.jar and commons-logging-1.1.jar in the lib directory of the application.

2. Add the following configuration to web.xml. The serverName value is the externally visible origin of the application including the scheme (for example https://host:port); the client builds the service URL from it, and the CAS server compares that URL with the one the ticket was issued for. Filters run in the order of their filter-mapping elements, so keep single sign-out first, then authentication, then validation, then the two wrapper filters:

<context-param>
    <param-name>serverName</param-name>
    <param-value>${application system address}:${port}</param-value>
</context-param>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://caoshuaibiao:8443/cas342/login</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://caoshuaibiao:8443/cas342</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The authentication filter only redirects unauthenticated browsers to the CAS login page; it is the validation filter that checks the returned ticket with the CAS server over HTTPS, which is why the CAS server certificate has to be in the truststore of the JRE running the client.

 

3. Getting the CAS-authenticated user in the application

<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<%
    // Populated by the HttpServletRequestWrapperFilter; null if the request did not pass the CAS filters
    AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
    String username = (principal != null) ? principal.getName() : null;
%>
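The web.xml above wires in the two filters that do the real work. As an added example, which is neither the post's code nor the JASIG client's, the following Python script walks through the CAS 2.0 exchange those filters perform: the AuthenticationFilter redirecting an unauthenticated browser to casServerLoginUrl with the service URL, and the validation filter calling serviceValidate on the back channel and parsing the XML reply. The CAS URLs are the ones from the web.xml above; the application origin used as serverName (https://app.example.com:8443) and the two XML responses are constructed for the example. It makes visible why serverName must be the exact externally visible origin (the CAS server compares it with the service the ticket was issued for) and that the validation step is an HTTPS request made by the JVM, which is the request that needs the server certificate in the JRE truststore.

```python
"""Walk through the CAS 2.0 client exchange that the web.xml filters perform.

Added example, not code from the post or from the JASIG CAS client.
The CAS URLs match the post's web.xml; SERVER_NAME and the XML responses
are constructed for this example.
"""
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

CAS_SERVER_URL_PREFIX = "https://caoshuaibiao:8443/cas342"  # casServerUrlPrefix
CAS_SERVER_LOGIN_URL = CAS_SERVER_URL_PREFIX + "/login"      # casServerLoginUrl
SERVER_NAME = "https://app.example.com:8443"                # assumed serverName

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 responses


def service_url(request_path, query=""):
    """Service URL the client registers with CAS: serverName plus the request
    URI, with any 'ticket' parameter stripped so the URL is identical in the
    login redirect and in the later validation call."""
    params = {k: v for k, v in parse_qs(query).items() if k != "ticket"}
    url = SERVER_NAME + request_path
    if params:
        url += "?" + urlencode(params, doseq=True)
    return url


def login_redirect(request_path, query=""):
    """What AuthenticationFilter does for a request without a session:
    redirect the browser to casServerLoginUrl?service=<service url>."""
    return CAS_SERVER_LOGIN_URL + "?" + urlencode(
        {"service": service_url(request_path, query)})


def validate_url(request_path, ticket, query=""):
    """Back-channel URL the validation filter fetches over HTTPS, which is
    why the CAS server certificate must be trusted by the client's JRE."""
    return CAS_SERVER_URL_PREFIX + "/serviceValidate?" + urlencode(
        {"service": service_url(request_path, query), "ticket": ticket})


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response.

    Returns (user, attributes) on authenticationSuccess and raises ValueError
    on authenticationFailure or on a malformed response, so a caller can
    never mistake a failure for a logged-in user."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise ValueError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user = success.findtext(CAS_NS + "user")
    if not user:
        raise ValueError("authenticationSuccess without a user element")
    attributes = {}
    attr_el = success.find(CAS_NS + "attributes")
    if attr_el is not None:
        for child in attr_el:
            attributes[child.tag.replace(CAS_NS, "")] = (child.text or "").strip()
    return user, attributes


# Constructed sample responses, modelled on the CAS 2.0 protocol.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:email>alice@example.com</cas:email></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# What the CAS server returns when the service in the validation call does
# not match the service the ticket was issued for (a wrong serverName).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-1-abc' does not match supplied service.
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_redirect("/app/index.jsp", "page=2"))
    print(validate_url("/app/index.jsp", "ST-1-abc", "page=2&ticket=ST-1-abc"))
    print(parse_service_response(SUCCESS_RESPONSE))
    try:
        parse_service_response(FAILURE_RESPONSE)
    except ValueError as err:
        print("validation failed:", err)
```

Run it as a script to see the redirect URL, the back-channel validation URL, the parsed user and attributes, and the INVALID_SERVICE failure that a mismatched serverName produces. The parser deliberately raises on anything that is not an explicit success, so the application never treats an ambiguous reply as an authenticated user.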
This article from: http://utopiasky.javaeye.com/blog/709794

 
