Author: javasogo (Beijing)
CAS 3.0.5 + Acegi 1.0.1 + Tomcat 5.5.17 SSO configuration guide

1. Configure SSL in Tomcat.

1) Generate the certificate. Open a console, cd to %JAVA_HOME%/jre/lib/security and work through the following session (the two "already exists" errors come from a previous attempt on the same machine; the commands that follow each error clean up and retry):

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -genkey -alias tomcat -keyalg RSA
  Enter keystore password: changeit
  keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -delete -alias tomcat -keyalg RSA
  Enter keystore password: changeit

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -genkey -alias tomcat -keyalg RSA
  Enter keystore password: changeit
  What is your first and last name?
    [Unknown]: localhost
  What is the name of your organizational unit?
    [Unknown]: mycom
  What is the name of your organization?
    [Unknown]: mycom
  What is the name of your City or Locality?
    [Unknown]: zhuzhou
  What is the name of your State or Province?
    [Unknown]: hunan
  What is the two-letter country code for this unit?
    [Unknown]: cn
  Is CN=localhost, OU=mycom, O=mycom, L=zhuzhou, ST=hunan, C=cn correct?
    [no]: y

  Enter key password for <tomcat>
    (RETURN if same as keystore password):

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -export -alias tomcat -keypass changeit -file casserver.crt
  Enter keystore password: changeit
  Certificate stored in file <casserver.crt>

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -import -file casserver.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
  Enter keystore password: changeit
  keytool error: java.lang.Exception: Certificate not imported, alias <mykey> already exists

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -delete -alias mykey -keystore %JAVA_HOME%/jre/lib/security/cacerts
  Enter keystore password: changeit

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -import -file casserver.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
  Enter keystore password: changeit
  Owner: CN=localhost, OU=mycom, O=mycom, L=zhuzhou, ST=hunan, C=cn
  Issuer: CN=localhost, OU=mycom, O=mycom, L=zhuzhou, ST=hunan, C=cn
  Serial number: 44f67974
  Valid from: Thu Aug 31 13:53:56 CST 2006 until: Wed Nov 29 13:53:56 CST 2006
  Certificate fingerprints:
    MD5:  D2:A8:3A:37:96:36:97:88:42:9E:F8:9A:5B:FB:F5:5E
    SHA1: 91:0E:63:82:25:E8:04:72:5F:8B:0D:6B:39:55:C2:1E:C8:77:F3:CB
  Trust this certificate? [no]: y
  Certificate was added to keystore

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -import -file server.crt -keystore %JAVA_HOME%\jre\lib\security\cacerts
  Enter keystore password: changeit
  keytool error: java.io.FileNotFoundException: server.crt (The system cannot find the file specified.)

  D:\PROGRA~1\Java\jdk1.5.0\jre\lib\security>keytool -import -file casserver.crt -keystore %JAVA_HOME%\jre\lib\security\cacerts
  Enter keystore password: changeit
  keytool error: java.lang.Exception: Certificate not imported, alias <mykey> already exists

The last two commands were unnecessary: the first one names a file that does not exist, and the second one fails only because the import two commands earlier had already succeeded under the default alias mykey.
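The same procedure as an added example (not code from the original post, Tomcat or CAS), written for a POSIX shell and spelling out what the transcript above left to defaults: an explicit -keystore and -dname, a one-year validity instead of keytool's 90-day default, an explicit alias for the trusted entry, and a dedicated truststore rather than the JDK's cacerts. It finishes by checking that the trusted certificate is the one in the keystore (the fingerprints keytool reports match) and that its CN is the expected host name. CN=localhost and the password changeit are the page's values; the file names .keystore, cas-trust.jks and casserver.crt, the work-directory argument and the environment variables STOREPASS and CAS_HOST are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Tomcat key pair,
# export its certificate, trust it under an explicit alias in a dedicated
# truststore, and verify the result. Assumes keytool is on PATH.
set -eu

STOREPASS="${STOREPASS:-changeit}"    # the page's value; change it for a real deployment
HOSTNAME_CN="${CAS_HOST:-localhost}"  # must equal the host name in the https:// URLs clients use

# make_keystore DIR : create DIR/.keystore holding the "tomcat" RSA key pair, valid one year
make_keystore() {
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOSTNAME_CN, OU=mycom, O=mycom, L=zhuzhou, ST=hunan, C=cn" \
    -keystore "$1/.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# export_cert DIR : write the public certificate to DIR/casserver.crt
export_cert() {
  keytool -export -alias tomcat -keystore "$1/.keystore" -storepass "$STOREPASS" \
    -file "$1/casserver.crt"
}

# import_cert DIR : trust casserver.crt in DIR/cas-trust.jks under the alias "casserver"
# (an explicit alias avoids the "alias <mykey> already exists" collision seen on the page)
import_cert() {
  keytool -import -noprompt -alias casserver -file "$1/casserver.crt" \
    -keystore "$1/cas-trust.jks" -storepass "$STOREPASS"
}

# fingerprint STORE ALIAS : the certificate fingerprint keytool -list reports for ALIAS
fingerprint() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
    | sed -n 's/.*fingerprint[^:]*: *//p' | head -n 1
}

# verify_trust DIR : status 0 only if the trusted entry is the keystore's own
# certificate and its subject carries the expected CN
verify_trust() {
  key_fp=$(fingerprint "$1/.keystore" tomcat)
  trust_fp=$(fingerprint "$1/cas-trust.jks" casserver)
  [ -n "$key_fp" ] || return 1
  [ "$key_fp" = "$trust_fp" ] || return 1
  keytool -list -v -keystore "$1/cas-trust.jks" -storepass "$STOREPASS" -alias casserver \
    | grep -q "CN=$HOSTNAME_CN"
}

# setup_and_verify DIR : run the whole procedure; prints the trusted fingerprint on success
setup_and_verify() {
  mkdir -p "$1"
  make_keystore "$1" >/dev/null
  export_cert "$1" >/dev/null
  import_cert "$1" >/dev/null
  verify_trust "$1"
  fingerprint "$1/cas-trust.jks" casserver
}

# Usage: sh cas-ssl.sh --run /path/to/workdir
if [ "${1:-}" = "--run" ]; then
  setup_and_verify "${2:-$(mktemp -d)}"
fi
```

Point the Tomcat connector's keystoreFile at the generated .keystore and the client's trustStore property (step 3 below) at cas-trust.jks; nothing else on the machine then trusts the self-signed certificate, and the JDK's cacerts stays untouched.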

Notes on the certificate: the name entered at "What is your first and last name?" becomes the CN and must be localhost, because every URL in the configuration below uses https://localhost:8443 and the HTTPS connection the ticket validator opens to CAS fails host-name verification if the CN does not match. Without -keystore, keytool reads and writes %USERPROFILE%\.keystore regardless of the current directory; that is also where Tomcat 5.5's SSL connector looks by default, with the password changeit, which is why the session above works without pointing Tomcat at a keystore. A self-signed certificate from keytool is valid for 90 days by default (Aug 31 to Nov 29 in the transcript), so pass -validity for anything that has to outlive a demo. Importing into the JDK's cacerts makes every Java program run with that JDK trust this certificate, and deleting mykey removes whatever was stored under that alias; importing under an explicit -alias into a separate truststore, referenced from the trustStore property of the client configuration in step 3, avoids both.

2) Enable SSL in Tomcat: in server.xml, find the <Connector port="8443" ...> element and remove the comment markers around it.

2. Install the CAS 3 server. Unpack cas.war into the webapps directory, copy acegi-security-1.0.1.jar and acegi-security-cas-1.0.1.jar into cas/WEB-INF/lib, and replace the entire contents of cas/WEB-INF/deployerConfigContext.xml with the following:

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
  <beans>
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
      <property name="credentialsToPrincipalResolvers">
        <list>
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
          <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
        </list>
      </property>
      <property name="authenticationHandlers">
        <list>
          <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
          <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">
            <property name="authenticationManager" ref="acegiAuthenticationManager" />
          </bean>
        </list>
      </property>
    </bean>

    <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      <property name="userMap">
        <value>
          marissa=koala,ROLES_IGNORED_BY_CAS
          dianne=emu,ROLES_IGNORED_BY_CAS
          scott=wombat,ROLES_IGNORED_BY_CAS
          peter=opal,disabled,ROLES_IGNORED_BY_CAS
        </value>
      </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
    </bean>

    <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="daoAuthenticationProvider"/>
        </list>
      </property>
    </bean>
  </beans>

With this file CAS delegates username/password checks to Acegi's CasAuthenticationHandler, which in turn asks the acegiAuthenticationManager. The user map is the sample user set shipped with the Acegi examples, with clear-text passwords; replace InMemoryDaoImpl with a UserDetailsService backed by a real user store (and a password encoder) before this CAS server authenticates anything but a test.

3. Install the Acegi client.

1) Unpack acegi-security-sample-contacts-filter.war into a directory named contacts-cas and copy that directory into webapps.

2) Copy casclient.jar into contacts-cas/WEB-INF/lib.

3) Add a file applicationContext-cas.xml to contacts-cas/WEB-INF/ and add /WEB-INF/applicationContext-cas.xml to the contextConfigLocation parameter in web.xml. The contents of applicationContext-cas.xml:

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

  <!--
    - Application context containing authentication beans.
    -
    - Used by all artifacts.
    -
    - $Id: applicationContext-common-authorization.xml 1426 2006-04-28 06:51:58Z benalex $
    -->

  <beans>
    <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
      <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property>
      <property name="sendRenew"><value>false</value></property>
    </bean>

    <bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
      <property name="defaultTargetUrl"><value>/</value></property>
      <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
    </bean>

    <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
      <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
    </bean>

    <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
      <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
      <property name="serviceProperties"><ref bean="serviceProperties"/></property>
    </bean>

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="casAuthenticationProvider"/>
        </list>
      </property>
    </bean>

    <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
      <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
      <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
      <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>
      <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>
      <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
    </bean>

    <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
      <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
      <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property>
      <property name="serviceProperties"><ref bean="serviceProperties"/></property>
      <property name="trustStore"><value>D:\Program Files\Java\jdk1.5.0\jre\lib\security\cacerts</value></property>
    </bean>

    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
      <property name="configLocation">
        <value>classpath:/ehcache-failsafe.xml</value>
      </property>
    </bean>

    <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager">
        <ref local="cacheManager"/>
      </property>
      <property name="cacheName">
        <value>ticketCache</value>
      </property>
    </bean>

    <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
      <property name="cache"><ref local="ticketCacheBackend"/></property>
    </bean>

    <bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
      <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
    </bean>

    <bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

    <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      <property name="userMap">
        <value>
          marissa=koala,ROLES_IGNORED_BY_CAS
          dianne=emu,ROLES_IGNORED_BY_CAS
          scott=wombat,ROLES_IGNORED_BY_CAS
          peter=opal,disabled,ROLES_IGNORED_BY_CAS
        </value>
      </property>
    </bean>
  </beans>

Points worth checking in this file: every URL is https on the port whose certificate was generated in step 1, and trustStore names the store that certificate was imported into, so the validator's call to proxyValidate is made over a verified connection (if you used a separate truststore instead of cacerts, put its path here). The service value must be exactly the URL that filterProcessesUrl resolves to, since CAS issues tickets for that string and validates against it. RejectProxyTickets means this application accepts only service tickets issued directly to it. The key value is what CasAuthenticationProvider uses to recognise CasAuthenticationTokens it created itself, so replace the sample string with a private one. On the client side the user map is consulted by DaoCasAuthoritiesPopulator only for the user's authorities (the ROLES_IGNORED_BY_CAS placeholders); the passwords in it are never used for login, which CAS performs.

4) Add the following servlet configuration to web.xml (the receptor is the endpoint named in proxyCallbackUrl above):

  <servlet>
    <servlet-name>casproxy</servlet-name>
    <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>casproxy</servlet-name>
    <url-pattern>/casProxy/*</url-pattern>
  </servlet-mapping>

5) Edit the existing applicationContext-acegi-security.xml: comment out its authenticationManager bean (the CAS-backed one defined in applicationContext-cas.xml replaces it) and change every bean that references authenticationManager from <ref local="authenticationManager"/> to <ref bean="authenticationManager"/>, because the bean now lives in a different context file and a local ref only resolves within the same file. Then insert casProcessingFilter into the filterInvocationDefinitionSource of filterChainProxy, as follows:

  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,switchUserProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>

Change every occurrence of j_acegi_security_check in the sample's pages and configuration to j_acegi_cas_security_check, so that they match the filterProcessesUrl handled by casProcessingFilter.
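A pre-flight check for the client webapp, as an added example that is not part of the original post or of the Acegi/CAS projects: it greps contacts-cas/WEB-INF/web.xml for the pieces steps 3 to 5 add, counts files that still post to the old login URL, and also requires the servlet-context parameter edu.yale.its.tp.cas.proxyUrl (a <context-param> in web.xml), which the Yale client's ProxyTicketReceptor reads in its init() and, when it is absent, reports as ServletException("need edu.yale.its.tp.cas.proxyUrl"). The requirement list, the constructed sample web.xml and the proxy endpoint value https://localhost:8443/cas/proxy are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Acegi/CAS: pre-flight
# checks for the contacts-cas client webapp built in steps 3-5.
# Assumptions (this example's own): the requirement list below, the sample
# web.xml, and the CAS proxy endpoint https://localhost:8443/cas/proxy.
set -eu

# check_web_xml FILE : print one line per missing item; status 0 only when nothing is missing.
# The proxyUrl context-param is the one ProxyTicketReceptor reads in init(); without it
# the servlet fails to initialise with "need edu.yale.its.tp.cas.proxyUrl".
check_web_xml() {
  f="$1"
  missing=0
  while IFS='|' read -r item needle; do
    if ! grep -q -F -- "$needle" "$f"; then
      echo "missing: $item (expected \"$needle\")"
      missing=$((missing + 1))
    fi
  done <<'EOF'
CAS context file in contextConfigLocation|/WEB-INF/applicationContext-cas.xml
proxy receptor servlet|edu.yale.its.tp.cas.proxy.ProxyTicketReceptor
proxy receptor mapping|/casProxy/*
proxy URL context-param|edu.yale.its.tp.cas.proxyUrl
EOF
  [ "$missing" -eq 0 ]
}

# count_stale_login_urls DIR : number of files under DIR that still use the non-CAS
# login URL j_acegi_security_check (step 5 renames it to j_acegi_cas_security_check)
count_stale_login_urls() {
  grep -r -l -F "j_acegi_security_check" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# sample_web_xml ok|noproxy : constructed web.xml for trying the check offline;
# "noproxy" omits the proxyUrl context-param to reproduce the failure mode
sample_web_xml() {
  cat <<'EOF'
<web-app>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext-acegi-security.xml
      /WEB-INF/applicationContext-cas.xml
    </param-value>
  </context-param>
EOF
  if [ "$1" = "ok" ]; then
    cat <<'EOF'
  <context-param>
    <param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
    <param-value>https://localhost:8443/cas/proxy</param-value>
  </context-param>
EOF
  fi
  cat <<'EOF'
  <servlet>
    <servlet-name>casproxy</servlet-name>
    <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>casproxy</servlet-name>
    <url-pattern>/casProxy/*</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# Usage against a deployment:
#   check_web_xml webapps/contacts-cas/WEB-INF/web.xml
#   count_stale_login_urls webapps/contacts-cas
# Offline demonstration when run directly with "--demo":
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  sample_web_xml noproxy > "$d/web.xml"
  check_web_xml "$d/web.xml" || echo "web.xml is incomplete; see the missing item above"
  rm -rf "$d"
fi
```

The check is deliberately a fixed-string grep rather than an XML parse: it is meant to be run from a build script against the exploded webapp before Tomcat is started, so that a missing context-param shows up as a one-line message instead of a ServletException at first request.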

With log4j set to debug you can watch the credentials and tickets pass through the filters, which is useful while setting this up; turn it back off afterwards, because the log then contains those credentials.

During debugging the error javax.servlet.ServletException: need edu.yale.its.tp.cas.proxyUrl appeared; the cause is unknown.
