2、cas4.0 單點登錄 之 cas-client

cas4.0 單點登錄 之 cas-client

cas4.0 單點登錄 之 https證書 已經做好了證書的準備工作，現在結合cas-server來配置單點登錄；

一、安裝cas服務端（cas-server)

cas服務端是一個war包，這裏只做體驗單點登錄，cas-server下載點這裏cas-server-webapp-4.0.0.war，將war包放tomcat下運行即可，運行cas-server的tomcat的要開啓SSL支持，上面文章也有說明，server.xml需要如下配置：

<Connector port="8443" protocol="HTTP/1.1"
      maxThreads="150"  SSLEnabled="true"  scheme="https"  secure="true"
      clientAuth="false" sslProtocol="TLS" keystoreFile="d:/cas/keystore"  keystorePass="caspass"/>

cas-server的定製開發後面文章再講。

二、cas客戶端配置（cas-client）

1、web.xml方式配置

寫了個簡單客戶端配置，源碼cas_client_test_demo.zip

a) pom.xml

<dependencies>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>3.8.1</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.jasig.cas.client</groupId>
        <artifactId>cas-client-core</artifactId>
        <version>3.4.1</version>
    </dependency>
</dependencies>

b) web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">


    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:/spring-mvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- ****************** 單點登錄開始 ********************-->
    <!-- 用於實現單點登出功能  可選 -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <!-- 該過濾器用於實現單點登出功能，單點退出配置，一定要放在其他filter之前 可選 -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas.castest.com:8443/cas/</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- 該過濾器負責用戶的認證工作，必須 -->
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <!--casServerLoginUrl:cas服務的登陸url -->
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas.castest.com:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <!--serverName:本項目的ip+port -->
            <param-name>serverName</param-name>
            <param-value>http://www.zrk1000.com:8081</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/test</url-pattern>
    </filter-mapping>

    <!-- 該過濾器負責對Ticket的校驗工作，必須-->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
        </filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas.castest.com:8443/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://www.zrk1000.com:8081</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <!-- 對test做登錄攔截-->
        <url-pattern>/test</url-pattern>
    </filter-mapping>

    <!-- 該過濾器對HttpServletRequest請求包裝， 可通過HttpServletRequest的getRemoteUser()方法獲得登錄用戶的登錄名，可選 -->

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
            org.jasig.cas.client.util.HttpServletRequestWrapperFilter
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- 該過濾器使得可以通過org.jasig.cas.client.util.AssertionHolder來獲取用戶的登錄名。
         比如AssertionHolder.getAssertion().getPrincipal().getName()。 
         這個類把Assertion信息放在ThreadLocal變量中，這樣應用程序不在web層也能夠獲取到當前登錄信息 -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- ****************** 單點登錄結束 ********************-->


</web-app>

**注意：casServerLoginUrl和casServerUrlPrefix必須使用域名，且域名要和證書中的“名字與姓氏”完全相同，沒有域名的可以配置本地hosts做映射
我的hosts配置是這樣：

這裏用的一臺機器，兩個域名均指向了本機，有域名的童鞋及土豪無視

c) spring-mvc.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-4.0.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
        http://www.springframework.org/schema/tx
        http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
        ">

    <mvc:annotation-driven />
    <context:component-scan base-package="com.castest.*" />

</beans>

d) 測試Controller

package com.castest.cas;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class IndexController {


    @RequestMapping("/test")
    @ResponseBody
    public String index(HttpServletRequest request, HttpServletResponse response) {
        String result = "execute test method</br>";
        result +=   "sessionId                  :   "+request.getSession().getId()  +"</br>";
        result +=   "request.getRemoteUser()    :   " + request.getRemoteUser()     +"</br>";
        result +=   "request.getUserPrincipal() :   " + request.getUserPrincipal()  +"</br>";
        return result;
    }

    @RequestMapping(value={"/","/index"})
    @ResponseBody
    public String error(HttpServletRequest request, HttpServletResponse response) {
        String result = "execute index method</br>";
        result +=   "sessionId                  :   "+request.getSession().getId()  +"</br>";
        result +=   "request.getRemoteUser()    :   " + request.getRemoteUser()     +"</br>";
        result +=   "request.getUserPrincipal() :   " + request.getUserPrincipal()  +"</br>";
        return result;
    }


}

e) 測試結果

1、
請求：http://www.zrk1000.com:8081/cas_client/index

結果：web.xml中只對/test做登陸攔截，/index未跳轉登陸正常

2、
請求：http://www.zrk1000.com:8081/cas_client/test
–> https://cas.castest.com:8443/cas/login?service=http%3A%2F%2Fwww.zrk1000.com%3A8081%2Fcas_client%2Ftest

被攔截重定向到了cas-server的默認登陸頁面；server參數爲原請求URL，認證成功後會重定向到此地址。
cas默認用戶名爲：casuser 默認密碼：Mellon (cas-server的WEB-INF/deployerConfigContext.xml中)
–>http://www.zrk1000.com:8081/cas_client/test

結果：web.xml中只對/test做登陸攔截，/index不跳轉；登陸正常，並且登陸成功後獲取到了用戶信息

2、基於spring boot配置

使用spring boot創建web項目沒有web.xml，只能使用java代碼的方式添加filter和listener，原理和web.xml一樣，這裏做了簡單的配置，
github上源碼：https://github.com/zrk1000/cas_client_boot，https://github.com/zrk1000/cas_client_boot_demo
或者源碼壓縮包：cas_client_boot_test_demo.zip
其中cas_client_boot_demo.war依賴cas_client_boot.jar。
使用spring boot的項目cas這樣配置：

spring.mvc.view.prefix=/WEB-INF/page
spring.mvc.view.suffix=.jsp
server.session.cookie.domain=.castest.com
server.session.cookie.path=/
server.port=8081

spring.cas.sign-out-filters=/*
spring.cas.auth-filters=/test
spring.cas.validate-filters=/test
spring.cas.request-wrapper-filters=/*
spring.cas.assertion-filters=/*

spring.cas.cas-server-login-url=https://cas.castest.com:8443/cas/login
spring.cas.cas-server-url-prefix=https://cas.castest.com:8443/cas/
spring.cas.redirect-after-validation=true
spring.cas.use-session=true
spring.cas.server-name=http://www.zrk1000.com:8081

3 常見錯誤

1、javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching cas.castest.com found
原因:cas客戶端使用的證書庫中未找到相應的域名，也就是說客戶端JDK導入的證書的域名與客戶端訪問的cas-server域名不同
解決:檢查JDK證書庫中證書域名是否和cas-server的域名相同，保持一致即可

2、javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
原因:證書未導入等原因
解決:往jdk導入證書，使用IDE的小夥伴也要檢查工具使用的jdk是否和你導入證書的jdk是同一個