Configuring CAS and SSL under Tomcat

1. Configure SSL in Tomcat. If https://localhost:8443/ opens correctly, SSL is configured.

   (1) Generate the server key:
       Switch to the %TOMCAT_HOME% directory on the command line and run the following command (keytool ships with JDK 1.4 and later):

       keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600

       At the name prompt enter the domain name, e.g. localhost (for development or testing) or hostname.domainname (a domain you own); skip the remaining prompts with Enter and confirm at the end. The file server.keystore is then created under %TOMCAT_HOME%.

       Note: the -validity parameter is the certificate's validity period in days; the default is very short, only 90 days.

   (2) Import the certificate into the JDK's trust store:
       This step is not required for Tomcat's SSL configuration, but it is required for CAS SSO; without it the following error appears: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator...

       The import takes two steps: first export the certificate, then import it into the trust store:

       keytool -export -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass changeit

       keytool -import -trustcacerts -alias tomcat -file server.cer -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit

       On Linux:
       <import the certificate>          keytool -import -trustcacerts -alias tomcat -file server.cer -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit
       <delete an existing certificate>  keytool -delete -trustcacerts -alias tomcat -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit

       If prompted, answer Y.

       Other useful keytool commands (list every certificate in the trust store, delete one certificate from it):

       keytool -list -v -keystore c:/jdk15/jre/lib/security/cacerts   (list the certificates already in the trust store)

       keytool -delete -trustcacerts -alias tomcat -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit   (delete one certificate)
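The key generation, export and import steps above, scripted from Python as an added example. This is not the post's own command sequence: the alias, password and file names are placeholders chosen for the demo, it assumes keytool (JDK 7 or later, for the -ext SAN option) is on PATH, and unlike the post it imports the exported certificate into a dedicated truststore file rather than the JDK's cacerts (pass the cacerts path to reproduce the post exactly). It also goes slightly beyond the post by adding a subjectAltName, which is what the JDK hostname check consults first, and by parsing `keytool -list` so a script can confirm the import rather than eyeball it.

```python
"""Added example: the keytool steps from section 1 driven from Python.

Not the post's own command sequence; alias, password and file names are
placeholders, and `keytool` (JDK 7+) is assumed to be on PATH.  Imports go
into a dedicated truststore file instead of the JDK's cacerts.
"""
import os
import shutil
import subprocess
import tempfile

ENTRY_TYPES = ("trustedCertEntry", "PrivateKeyEntry", "SecretKeyEntry")


def keytool_available():
    return shutil.which("keytool") is not None


def _keytool(*args):
    # Raise with keytool's own message on failure, so a wrong store password or a
    # clashing alias cannot pass unnoticed in a scripted run.
    proc = subprocess.run(["keytool", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"keytool {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout


def generate_server_key(keystore, alias, password, cn, san=None, validity_days=3600):
    # Self-signed RSA key pair for the Tomcat connector.  -dname answers the
    # interactive prompts; CN must be the name clients will put in the URL, and
    # the SAN (a "dns:...,ip:..." list) is what the JDK hostname check consults first.
    args = ["-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-dname", f"CN={cn}", "-validity", str(validity_days),
            "-keystore", keystore, "-storepass", password, "-keypass", password]
    if san:
        args += ["-ext", f"SAN={san}"]
    _keytool(*args)


def export_certificate(keystore, alias, password, cert_file):
    _keytool("-exportcert", "-rfc", "-alias", alias, "-file", cert_file,
             "-keystore", keystore, "-storepass", password)


def import_trusted_certificate(truststore, alias, password, cert_file):
    # -noprompt stands in for the "Trust this certificate? [no]: y" answer.
    _keytool("-importcert", "-noprompt", "-trustcacerts", "-alias", alias,
             "-file", cert_file, "-keystore", truststore, "-storepass", password)


def aliases_from_list_output(text):
    """Parse `keytool -list` output into {alias: entry type}.  Alias lines look
    like "tomcat, Jan 5, 2024, trustedCertEntry," (the date format varies by locale)."""
    entries = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        entry_type = next((p for p in parts[-2:] if p in ENTRY_TYPES), None)
        if entry_type and parts[0]:
            entries[parts[0]] = entry_type
    return entries


def list_entries(store, password):
    return aliases_from_list_output(_keytool("-list", "-keystore", store, "-storepass", password))


def demo_roundtrip(cn="localhost"):
    """Generate, export, import into a fresh truststore and confirm the alias is there."""
    with tempfile.TemporaryDirectory() as work:
        keystore = os.path.join(work, "server.keystore")
        truststore = os.path.join(work, "client.truststore")
        cert_file = os.path.join(work, "server.cer")
        generate_server_key(keystore, "tomcat", "changeit", cn, san=f"dns:{cn},ip:127.0.0.1")
        export_certificate(keystore, "tomcat", "changeit", cert_file)
        import_trusted_certificate(truststore, "tomcat", "changeit", cert_file)
        return list_entries(truststore, "changeit").get("tomcat") == "trustedCertEntry"


if __name__ == "__main__":
    print("keytool found:", keytool_available())
    if keytool_available():
        print("round trip ok:", demo_roundtrip())
```

A client JVM is pointed at the dedicated truststore with -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=changeit; keeping the self-signed certificate out of the shared cacerts limits the trust decision to the one application that needs it.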
 
2. Modify the SSL service in server.xml

   
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit"/>
   
3. Rename cas-server-webapp-3.2.1.war from cas-server-3.2.1-release/cas-server-3.2.1/modules to CAS.war and copy it into Tomcat.

   Open https://localhost:8443/cas/; if the CAS login page appears, the configuration succeeded.

4. Modify the client's web.xml so that the filters protect the restricted resources

  <context-param>
    <param-name>serverName</param-name>
    <param-value>https://192.168.1.179:8443</param-value>
  </context-param>

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://192.168.1.179:8443/cas/login</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://192.168.1.179:8443/cas</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/casTest2/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/casTest2/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/casTest2/*</url-pattern>
  </filter-mapping>
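A consistency check over the filter wiring above, added here as an example; it is not the post's code nor part of the Jasig CAS client. The sample web.xml is constructed inside the script from the post's values (with a namespaced root element, as real web.xml files have), and the finding texts are this script's own. It checks that every url-pattern guarded by the AuthenticationFilter also gets the validation and wrapper filters, that the wrapper filter is mapped after the validation filter (the servlet container builds the chain in filter-mapping order, and the wrapper needs the assertion the validation filter stores), and that the CAS URLs are https, since the service ticket travels over them.

```python
"""Added example: a sanity check for the CAS client filter wiring in web.xml.

Not the post's or the Jasig CAS client's code.  The sample web.xml below is
constructed from the post's values; the finding strings are this script's own.
"""
import xml.etree.ElementTree as ET

AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_FILTER = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
WRAPPER_FILTER = "org.jasig.cas.client.util.HttpServletRequestWrapperFilter"
CAS_URL_PARAMS = ("serverName", "casServerLoginUrl", "casServerUrlPrefix")


def sample_web_xml(validation_pattern="/casTest2/*"):
    """Constructed web.xml mirroring the post; the validation filter's url-pattern
    is a parameter so a mis-wired variant can be produced for the demo."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>serverName</param-name>
    <param-value>https://192.168.1.179:8443</param-value>
  </context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>{AUTH_FILTER}</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://192.168.1.179:8443/cas/login</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>{VALIDATION_FILTER}</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://192.168.1.179:8443/cas</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>{WRAPPER_FILTER}</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/casTest2/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>{validation_pattern}</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/casTest2/*</url-pattern>
  </filter-mapping>
</web-app>
"""


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def check_cas_web_xml(xml_text):
    """Return a list of findings; an empty list means the CAS wiring is consistent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the namespace so tag names are plain
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    # The service ticket is carried in the redirect to serverName and validated
    # against casServerUrlPrefix, so all three must be https.
    for p in list(root.iter("context-param")) + list(root.iter("init-param")):
        name = _text(p, "param-name")
        if name in CAS_URL_PARAMS and not _text(p, "param-value").startswith("https://"):
            findings.append(f"{name} is not an https URL")
    classes = {_text(f, "filter-name"): _text(f, "filter-class") for f in root.iter("filter")}
    # Containers build the filter chain in filter-mapping document order.
    by_pattern = {}
    for idx, m in enumerate(root.iter("filter-mapping")):
        by_pattern.setdefault(_text(m, "url-pattern"), {})[classes.get(_text(m, "filter-name"))] = idx
    for pattern, order in by_pattern.items():
        if AUTH_FILTER not in order:
            continue                            # not a CAS-protected pattern
        for needed in (VALIDATION_FILTER, WRAPPER_FILTER):
            if needed not in order:
                findings.append(f"{pattern}: {needed.rsplit('.', 1)[-1]} is not mapped")
        if order.get(WRAPPER_FILTER, 1 << 30) < order.get(VALIDATION_FILTER, -1):
            findings.append(f"{pattern}: wrapper filter runs before the validation filter")
    return findings


if __name__ == "__main__":
    print(check_cas_web_xml(sample_web_xml()))            # []
    print(check_cas_web_xml(sample_web_xml("/other/*")))  # validation filter missing on /casTest2/*
```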

 

5. Unable to validate ProxyTicketValidator, HTTPS hostname wrong: should be.... (why the exception occurs and how to fix it: re-import the certificate)

Yale CAS troubleshooting notes (1): Unable to validate ProxyTicketValidator, HTTPS hostname wrong: should be.....
嚴重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]


This CAS exception is thrown by the CAS client when the server is not accessed by the name in the certificate's CN (in the example below it is accessed by IP, and the certificate's CN is the domain name that IP maps to rather than the IP itself). The CAS client then cannot trust the connection: the certificate's CN says abc.com, and the CAS client cannot match the IP 192.168.1.111 to it.

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at filters.ExampleFilter.doFilter(ExampleFilter.java:101)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: HTTPS hostname wrong: should be <192.168.1.111>
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:493)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:905)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
Solution:
Access the server by its domain name, which is the certificate's CN.
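The hostname check that produced the "HTTPS hostname wrong" failure above, re-implemented as an added example so a casValidateUrl can be tested against a certificate before deployment. It is not the post's code nor the JDK's; it follows the rules the JDK's HostnameChecker applies and goes beyond the post's CN-only case: an IP literal in the URL must match an iPAddress subjectAltName (the CN is never consulted for IP literals), a DNS name is matched against dNSName SANs and falls back to the CN only when the certificate carries no dNSName SAN, and a wildcard is honoured only as the whole leftmost label. The certificate names used in the demo are constructed test data.

```python
"""Added example: a re-implementation of the JDK-style hostname check behind
"HTTPS hostname wrong: should be <host>".  Not the post's or the JDK's code;
certificate names below are constructed test data.
"""
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Case-insensitive exact match, or a whole-leftmost-label wildcard such as
    *.example.com (which matches cas.example.com but not a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verifies(url_host, cert_cn="", san_dns=(), san_ip=()):
    """Return (ok, reason); on failure the reason mirrors the JDK's message."""
    failure = (False, f"HTTPS hostname wrong: should be <{url_host}>")
    if _is_ip_literal(url_host):
        # IP literals are matched only against iPAddress SANs; no CN fallback.
        wanted = ipaddress.ip_address(url_host.strip("[]"))
        for ip in san_ip:
            if ipaddress.ip_address(ip) == wanted:
                return True, f"matched iPAddress SAN {ip}"
        return failure
    if san_dns:
        # Once dNSName SANs are present the CN is ignored.
        for name in san_dns:
            if dns_name_matches(name, url_host):
                return True, f"matched dNSName SAN {name}"
        return failure
    if cert_cn and dns_name_matches(cert_cn, url_host):
        return True, f"matched CN {cert_cn}"
    return failure


def check_cas_validate_url(cas_validate_url, cert_cn="", san_dns=(), san_ip=()):
    """Apply the check to the host part of a CAS validation URL."""
    host = urlsplit(cas_validate_url).hostname or ""
    return hostname_verifies(host, cert_cn, san_dns, san_ip)


if __name__ == "__main__":
    # The situation in the log above: URL by IP, certificate CN is a domain name.
    print(check_cas_validate_url("https://192.168.1.111:8443/cas/proxyValidate", cert_cn="abc.com"))
    # The fix the post gives: put the CN in the URL.
    print(check_cas_validate_url("https://abc.com:8443/cas/proxyValidate", cert_cn="abc.com"))
    # The alternative when the IP must be used: issue the certificate with an IP SAN.
    print(check_cas_validate_url("https://192.168.1.111:8443/cas/proxyValidate",
                                 cert_cn="abc.com", san_ip=("192.168.1.111",)))
```

Note what the last call shows: a certificate whose CN is an IP address still fails for an IP URL; only an iPAddress SAN satisfies the check, so if the CAS server must be reached by IP the certificate has to be generated with that SAN.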

 


6. If a kylix error occurs, import the server's certificate into c:/jdk15/jre/lib/security/XXX on the client.
