Liferay with CAS single sign-on

Source: Internet
Author: User

There are many ways to implement single sign-on (SSO). Here we use CAS, which is also the method Liferay adopts. I will not explain here what CAS is or how single sign-on works (see the article I have reproduced); I will only go through the implementation step by step, without going into anything else.

Step 1: Create a certificate

keytool -genkey -alias tomcat -keystore c:\mykeystore -dname "cn=xyb, ou=localhost, o=localhost, l=SH, st=SH, c=cn" -keypass 123456 -storepass 123456

PS:

-genkey: create a key pair and a self-signed certificate.
-alias: alias of the certificate (the key entry).
-keystore: path of the keystore the certificate is stored in (optional; if omitted, it is stored in the .keystore file in the user's home directory by default).
-storepass: password of the keystore.
-keypass: password of the alias entry (the private key).
-dname: owner information of the certificate (optional; if omitted, keytool prompts for each value in turn). Note that the value of cn must be the domain name or machine name of the machine that will act as the CAS server; it cannot be an IP address.
-keyalg: key algorithm (optional).
-validity: validity period of the certificate in days (optional, 90 days by default).

Step 2: export the certificate

keytool -export -alias tomcat -keystore c:\mykeystore -file c:\mycerts.cer -storepass 123456

PS:

-export: export the certificate identified by the alias to a file.
-keystore: path of the keystore holding the certificate (the same path given in the previous step; omit it if it was omitted there).
-file: name of the file to export the certificate to.

Step 3: import the exported certificate to the Client Server

keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass 123456 -file c:\mycerts.cer

PS:

-import: import the certificate into the keystore as a trusted certificate.
-file: name of the file to import into the keystore (that is, the file exported in the previous step).
Note that -storepass here is the password of the JRE's own cacerts keystore (the JDK ships it with the default password changeit), not the password of mykeystore.
A prompt asks whether to trust this certificate; enter y and press Enter.

Step 4: Download the CAS integration package, rename the downloaded application cas-web, and place it in Liferay's webapps directory. Then find the following section in conf/server.xml, uncomment it, and modify it as follows:

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystoreFile="c:\mykeystore" keystorePass="123456" keyAlias="tomcat"/>

keystoreFile points at the keystore created in step 1 (omit it only if you used the default .keystore in the home directory), and keyAlias must match the alias used there.

Step 5: Add the following to Liferay's webapps\ROOT\WEB-INF\classes\portal-ext.properties (replace <client ip> with the address of the Liferay host):

cas.auth.enabled=true
cas.login.url=https://xyb:8443/cas-web/login
cas.logout.url=https://xyb:8443/cas-web/logout
cas.server.name=<client ip>:8080
cas.service.url=
#cas.service.url=http://localhost:8080/c/portal/login
cas.validate.url=https://xyb:8443/cas-web/proxyValidate

If the application is not Liferay, an ordinary web application can do the same thing with the CAS client filter in its web.xml:

<filter>
  <filter-name>CASFilter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://xyb:8443/cas-web/login</param-value>
  </init-param> <!-- Here xyb is the machine name of the CAS server (it must match the certificate's CN) -->
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://xyb:8443/cas-web/proxyValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>localhost:8080</param-value> <!-- client:port is the address and port that CAS intercepts; normally the address and port Tomcat listens on -->
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CASFilter</filter-name>
  <url-pattern>/*</url-pattern> <!-- the URL pattern you want to intercept -->
</filter-mapping>

 

The last step is to obtain, on the client, the user name that passed CAS authentication.

1. In a JSP or servlet:

<%@ page import="edu.yale.its.tp.cas.client.filter.CASFilter" %>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
<%@ page import="javax.servlet.http.HttpSession" %>
<%
HttpSession ses = request.getSession();

// CASFilter stores the authenticated user name in the session under CASFilter.CAS_FILTER_USER
String screenName = (String) ses.getAttribute(CASFilter.CAS_FILTER_USER);
System.out.println("screenName=:" + screenName);
%>

2. Get the logged-in user name from the session in Java (session is the HttpSession):

// Either of the following is acceptable; the constant and the literal key are the same string
String userName = (String) session.getAttribute(CASFilter.CAS_FILTER_USER);
String userName2 = (String) session.getAttribute("edu.yale.its.tp.cas.client.filter.user");

3. Get the user name in JSTL:

<c:out value="${sessionScope['edu.yale.its.tp.cas.client.filter.user']}"/>

Problem summary:

SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMd3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]

This exception is thrown by the CAS client when the CAS server is not accessed by the name in the certificate's CN (in the example above it is accessed by IP address, while the certificate's CN is the domain name that this IP resolves to, not the IP itself), so the CAS client cannot trust the certificate. This is the CN issue I mentioned above; pay special attention to it.

 

INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: cn.com.tiansky.cas.authenticationhandlers.UPAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: test]>

If the server logs this successful authentication but the client still does not log the user in, the client-side configuration file is probably not quite right; that is, step 5 above. Check it carefully.
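A small consistency check for the step-5 settings, added here as an example (it is not code from the original post or from Liferay): it applies the two causes named in the problem summary, namely that the CAS URLs must use https and name the server by the certificate's CN rather than an IP address, and that cas.server.name must be the client address CAS redirects back to. The properties text is a constructed sample with both mistakes left in.

```python
import re
from urllib.parse import urlparse
# Constructed sample of the step-5 settings; the http login URL and the IP in the validate URL are deliberate
SAMPLE_PROPERTIES = """\
cas.auth.enabled=true
cas.login.url=http://xyb:8443/cas-web/login
cas.logout.url=https://xyb:8443/cas-web/logout
cas.server.name=192.168.1.222:8080
cas.validate.url=https://192.168.1.111:8443/cas-web/proxyValidate
"""

CAS_URL_KEYS = ("cas.login.url", "cas.logout.url", "cas.validate.url")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' and '!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def cert_cn(dname):
    """Pull the CN out of a keytool -dname string such as 'cn=xyb, ou=localhost, ...'."""
    for part in dname.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "cn":
            return value.strip()
    return None

def check_cas_config(properties_text, dname, client_host_port):
    """Return the list of problems found; an empty list means the settings pass the checks."""
    props = parse_properties(properties_text)
    cn = cert_cn(dname)
    problems = []
    for key in CAS_URL_KEYS:
        url = urlparse(props.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} must use https, got {url.scheme or 'no scheme'}")
        if IPV4.match(url.hostname or ""):
            problems.append(f"{key} uses an IP address; the client will not trust the certificate")
        elif url.hostname != cn:
            problems.append(f"{key} host {url.hostname!r} does not match certificate CN {cn!r}")
    if props.get("cas.server.name") != client_host_port:
        problems.append(f"cas.server.name should be the client address {client_host_port}")
    return problems
```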

 

java.io.IOException: Cannot recover key
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:125)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
    at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:101)

This error may be caused by a problem with the certificate you generated. It also occurs when the keypass and storepass passwords differ (I don't know why I have to set them to the same value).
