Official documentation:
A few basic concepts
CAS Server: the SSO server
CAS Client: the SSO client, embedded in each sub-application
ST (Service Ticket): used for login validation
TGC (Ticket Granting Cookie): used to check whether the user is already logged in; stored as a cookie on the client
TGT (Ticket Granting Ticket): the server-side counterpart of the TGC; stored on the server
Server side: installing via the overlay template is recommended; the source is at https://github.com/apereo/cas-overlay-template. After downloading it, run `build package` to produce the WAR file and drop it into Tomcat's webapps directory.
Client side: refer to:
About service registration
Services can be registered as JSON files, as follows:
Add the following to /etc/cas/config/cas.properties:
cas.serviceRegistry.config.location: classpath:/services
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.repeatInterval=10000
cas.serviceRegistry.startDelay=5000
cas.serviceRegistry.initFromJson=true
Then add your own service definition under the services directory on the classpath; the file name must follow the pattern [name] + "-" + [id] + ".json" (so the definition below lives in client2-2000.json):
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "theme" : "apereo",
  "id" : 2000,
  "description" : "Client2 sample service",
  "evaluationOrder" : 1,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp"
}
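The file-name convention and the serviceId regex are the two things that go wrong most often with JSON-registered services: a file whose name and id fields disagree with its file name, or a serviceId that is not anchored and therefore lets a URL on some other host consume tickets. The script below is an added example, not code from the original post or from the CAS project; it assumes the one-file-per-service layout described above (a directory such as /etc/cas/services containing files like client2-2000.json) and uses a constructed off-host URL, https://other.example.org/client2, as its probe.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the JSON service
# definitions that CAS loads from the classpath:/services directory configured
# above. Assumed layout (as described above): one file per service named
# <name>-<id>.json, e.g. client2-2000.json; the probe URL below is constructed.

# json_string FILE KEY -> value of the first "KEY" : "..." pair in FILE
json_string() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# json_number FILE KEY -> value of the first "KEY" : 123 pair in FILE
json_number() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# service_pattern FILE -> the serviceId regex with JSON backslash escaping undone
service_pattern() {
  json_string "$1" serviceId | sed 's/\\\\/\\/g'
}

# probe_pattern PATTERN URL... -> prints every URL the pattern matches (ERE via
# grep -E, which agrees with Java's syntax for the anchored ^https://host... form)
probe_pattern() {
  p="$1"; shift
  for u in "$@"; do
    printf '%s\n' "$u" | grep -Eq -- "$p" && printf '%s\n' "$u"
  done
  return 0
}

# check_service FILE -> 0 if the file agrees with its name and its serviceId is
# anchored and host-specific, 1 otherwise (each problem is printed)
check_service() {
  f="$1"; rc=0
  base=$(basename "$f" .json)
  fname=${base%-*}        # part before the last '-'
  fid=${base##*-}         # part after the last '-'
  name=$(json_string "$f" name)
  id=$(json_number "$f" id)
  pattern=$(service_pattern "$f")

  case "$fid" in
    ''|*[!0-9]*) echo "$f: file name must be <name>-<numeric id>.json"; rc=1 ;;
  esac
  [ "$name" = "$fname" ] || { echo "$f: name '$name' does not match file name '$fname'"; rc=1; }
  [ "$id" = "$fid" ]     || { echo "$f: id '$id' does not match file name '$fid'"; rc=1; }
  case "$pattern" in
    '')   echo "$f: no serviceId"; rc=1 ;;
    '^'*) ;;
    *)    echo "$f: serviceId regex '$pattern' is not anchored with ^"; rc=1 ;;
  esac
  # A pattern that also matches a URL on another host would let that host
  # consume tickets, so a constructed off-host URL must not match.
  if [ -n "$pattern" ] && [ -n "$(probe_pattern "$pattern" https://other.example.org/client2)" ]; then
    echo "$f: serviceId regex '$pattern' also matches https://other.example.org/client2"; rc=1
  fi
  return $rc
}

# Usage: sh check_services.sh /etc/cas/services
# (nothing runs when no directory is given, so the functions can also be sourced)
if [ -n "${1:-}" ]; then
  for f in "$1"/*.json; do check_service "$f"; done
fi
```

The sed-based field extraction is deliberately minimal and only handles the flat, one-key-per-line (or single-line) layout shown above; for nested definitions use a JSON-aware tool instead. Note that the post's own serviceId leaves the dots in 172.17.20.20 unescaped, so they match any character; escaping them as `\\.` in the JSON file is the tighter form.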
About SSL certificates
The more troublesome part is generating the SSL certificate.
1. Importing the certificate into Tomcat
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/apache-tomcat-8.5.9/conf/.keystore
Then edit Tomcat's server.xml.
2. Importing the certificate into the JDK
Generate the PKCS#12 file:
keytool -importkeystore -srckeystore /opt/apache-tomcat-8.5.9/conf/.keystore \
  -destkeystore tomcat.p12 \
  -srcstoretype jks \
  -deststoretype pkcs12
Generate the PEM:
openssl pkcs12 -in tomcat.p12 -out tomcat.pem
Generate the DER:
openssl x509 -in tomcat.pem -out tomcat.der -outform DER
Import into the JDK:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file tomcat.der -alias tomcat
The errors I ran into were as follows:
1. On the CAS client side, when pointing it at the server, the self-generated SSL certificate on Linux must have its "first and last name" (the CN) set to the domain name rather than the IP address, and the hosts file (/etc/hosts) must be updated to match; otherwise the following error occurs:
2. The JDK's SSL trust store also needs to be configured (default password: changeit); otherwise the following error occurs:
For details, see:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
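The certificate steps in the two numbered sections above and the two errors just described fit together: the client validates the service ticket over HTTPS, so the JVM it runs in must trust the Tomcat certificate (otherwise "PKIX path building failed"), and the certificate must name the host the client connects to rather than an IP. The script below is an added example, not code from the original post or from the CAS project; it puts the steps into one place with those two checks built in. All names in it are placeholders: CAS host cas.example.com, Tomcat under /opt/apache-tomcat-8.5.9, and keystore passwords taken from the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: the Tomcat/JDK certificate
# steps above as one script, with the two checks the error list calls for
# (a host name rather than an IP in the certificate, and the JDK trust store).
# Assumptions, all placeholders: CAS host cas.example.com, Tomcat under
# /opt/apache-tomcat-8.5.9, passwords taken from the environment.
set -e

CAS_HOST=${CAS_HOST:-cas.example.com}
CATALINA_HOME=${CATALINA_HOME:-/opt/apache-tomcat-8.5.9}
KEYSTORE="$CATALINA_HOME/conf/.keystore"
STOREPASS=${STOREPASS:-changeit}       # Tomcat keystore password
TRUSTSTORE=${TRUSTSTORE:-${JAVA_HOME:-/usr/lib/jvm/java}/jre/lib/security/cacerts}
TRUSTPASS=${TRUSTPASS:-changeit}       # JDK default, as the post notes

# is_dns_name NAME -> 0 if NAME is a host name, 1 if it is a dotted IPv4
# literal. The client checks the certificate against the host in its
# configured server URL, so the certificate must carry a host name.
is_dns_name() {
  case "$1" in
    *[!0-9.]*) return 0 ;;
    *)         return 1 ;;
  esac
}

# make_keypair -> generates the Tomcat key pair; the host name goes into the
# CN (what the "first and last name" prompt asks for) and into a DNS SAN.
make_keypair() {
  is_dns_name "$CAS_HOST" || { echo "CAS_HOST=$CAS_HOST must be a host name, not an IP" >&2; return 1; }
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -dname "CN=$CAS_HOST" -ext "SAN=dns:$CAS_HOST" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
  # server.xml: the HTTPS Connector's keystoreFile and keystorePass attributes
  # must point at $KEYSTORE and $STOREPASS.
}

# export_cert -> writes only the certificate, DER encoded, to tomcat.der.
# This replaces the keystore -> p12 -> pem -> der chain above; note that
# openssl pkcs12 without -nokeys writes the private key into the PEM as well,
# which a file that exists only to be trusted never needs.
export_cert() {
  keytool -exportcert -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -file tomcat.der
}

# trust_cert -> imports tomcat.der into the trust store of the client JVM,
# the entry whose absence produces "PKIX path building failed" above,
# replacing an older entry under the same alias if one exists.
trust_cert() {
  if keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS" -alias tomcat >/dev/null 2>&1; then
    keytool -delete -alias tomcat -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS"
  fi
  keytool -importcert -noprompt -alias tomcat -file tomcat.der \
    -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS"
}

# verify -> what the client JVM will see: the alias in the trust store with the
# host name as a DNS SAN, and the host name resolvable (DNS or /etc/hosts).
verify() {
  keytool -list -v -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS" -alias tomcat \
    | grep -qF "DNSName: $CAS_HOST" || { echo "trust store lacks a cert for $CAS_HOST" >&2; return 1; }
  getent hosts "$CAS_HOST" >/dev/null || { echo "add '<ip> $CAS_HOST' to /etc/hosts" >&2; return 1; }
}

# Usage: CAS_HOST=cas.example.com STOREPASS=... sh cas-cert.sh all
# (nothing runs without the "all" argument, so the functions can be sourced)
case "${1:-}" in
  all) make_keypair && export_cert && trust_cert && verify ;;
esac
```

Run it on the client machine with the JDK the CAS client actually uses, since that is the cacerts file the PKIX error refers to; if the client and server JVMs differ, the import has to happen in the client's trust store, not the server's.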