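Recently one of my company's single sign-on frameworks was handed over to me to maintain. It previously used HTTPS, and the server configuration was rather troublesome, so I wanted to switch to HTTP access, which makes server-side configuration and maintenance much simpler!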
CAS Server: cas-server-core-3.3.2.jar cas-client-core-3.1.3.jar
CAS Client: casclient-2.1.0.jar
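Below are the steps I followed:
1. First, the CAS server has to be configured so that the server side supports the HTTP protocol.
The main changes are to the following configuration files:
ticketGrantingTicketCookieGenerator.xml configuration file: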
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
Change this configuration to the following:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
warnCookieGenerator.xml configuration file:
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="CASPRIVACY"
p:cookiePath="/cas" />
Change this configuration to the following:
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASPRIVACY"
p:cookiePath="/cas" />
deployerConfigContext.xml configuration file:
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient"
/>
Change this configuration to the following:
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient"
p:requireSecure="false"
/>
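An added example (not part of the original post or of CAS itself): a defender's check that parses CAS Spring bean files and reports the transport settings changed above. With cookieSecure="false" the browser will send the CASTGC ticket-granting cookie over plain HTTP, and with requireSecure="false" the handler accepts non-HTTPS service callback URLs. The function names and the `<beans>` wrapper around the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

P_NS = "{http://www.springframework.org/schema/p}"  # Spring "p:" shortcut namespace
COOKIE_GEN = "org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
HTTP_HANDLER = ("org.jasig.cas.authentication.handler.support."
                "HttpBasedServiceCredentialsAuthenticationHandler")

def bean_setting(bean, name):
    """Read a property given as p:name="..." or as <property name= value=>."""
    value = bean.get(P_NS + name)
    if value is None:
        for child in bean:
            if child.tag.endswith("property") and child.get("name") == name:
                value = child.get("value")
    return value

def audit_cas_beans(xml_text):
    """Return (bean id or class, setting, value) for each weakened setting."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if not bean.tag.endswith("bean"):
            continue
        cls, label = bean.get("class", ""), bean.get("id") or bean.get("class", "")
        if cls == COOKIE_GEN:
            # Spring's CookieGenerator defaults cookieSecure to false: absent counts.
            secure = bean_setting(bean, "cookieSecure")
            if secure is None or secure.strip().lower() != "true":
                findings.append((label, "cookieSecure", secure))
        elif cls == HTTP_HANDLER:
            # requireSecure defaults to true; only an explicit false weakens it.
            req = bean_setting(bean, "requireSecure")
            if req is not None and req.strip().lower() == "false":
                findings.append((label, "requireSecure", req))
    return findings

# Constructed sample: beans from this page wrapped in a <beans> root element.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
  <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieSecure="true" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />
  <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" p:requireSecure="false" />
</beans>"""

if __name__ == "__main__":
    for label, setting, value in audit_cas_beans(SAMPLE):
        print(f"{label}: {setting}={value!r}")
```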
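Once these changes are made, the server side supports access over HTTP. Next come the client-side changes.
Anyone who has read the CAS client source code knows that the filter configuration class checks the access protocol, as in the following code: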
if (casServiceUrl != null) {
    if (!(casServiceUrl.startsWith("https://") || casServiceUrl.startsWith("http://"))) {
        throw new ServletException("service URL must start with http:// or https://; its current value is [" + casServiceUrl + "]");
    }
}
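So the first thing we need to do is find the source code of casclient.jar and disable protocol checks like the one above. Specifically, they are in the following 2 classes:
The first is the init() method of the CASFilter class; with the https checks disabled it looks like this: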
if (casGateway && Boolean.valueOf(casRenew).booleanValue()) {
    throw new ServletException("gateway and renew cannot both be true in filter configuration");
}
if (casServerName != null && casServiceUrl != null) {
    throw new ServletException("serverName and serviceUrl cannot both be set: choose one.");
}
if (casServerName == null && casServiceUrl == null) {
    throw new ServletException("one of serverName or serviceUrl must be set.");
}
/* if (casServiceUrl != null) {
    if (!(casServiceUrl.startsWith("https://") || casServiceUrl.startsWith("http://"))) {
        throw new ServletException("service URL must start with http:// or https://; its current value is [" + casServiceUrl + "]");
    }
} */
if (casValidate == null) {
    throw new ServletException("validateUrl parameter must be set.");
}
/* if (!casValidate.startsWith("https://")) {
    throw new ServletException("validateUrl must start with https://, its current value is [" + casValidate + "]");
} */
if (casAuthorizedProxy != null) {
    // parse and remember authorized proxies
    StringTokenizer casProxies =
        new StringTokenizer(casAuthorizedProxy);
    while (casProxies.hasMoreTokens()) {
        String anAuthorizedProxy = casProxies.nextToken();
        /* if (!anAuthorizedProxy.startsWith("https://")) {
            throw new ServletException("CASFilter initialization parameter for authorized proxies " +
                "must be a whitespace delimited list of authorized proxies. " +
                "Authorized proxies must be secure (https) addresses. This one wasn't: [" + anAuthorizedProxy + "]");
        } */
        this.authorizedProxies.add(anAuthorizedProxy);
    }
}
The second is the retrieve method of the edu.yale.its.tp.cas.util.SecureURL class; with the check disabled it looks like this:
URL u = new URL(url);
/* if (!u.getProtocol().equals("https")) {
    // IOException may not be the best exception we could throw here
    // since the problem is with the URL argument we were passed, not
    // IO. -awp9
    log.error("retrieve(" + url + ") on an illegal URL since protocol was not https.");
    throw new IOException("only 'https' URLs are valid for this method");
} */
URLConnection uc = u.openConnection();
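After repackaging, update casclient.jar in our application's third-party lib directory. What remains is to modify the CAS configuration in our application's web.xml, changing all the https settings to http. Remember to change the port number to your CAS server's access port, which is no longer the https access port.
One more note: I saw someone online say that logout still has to use https, so I tried it locally. I did not use https when logging out, and logout worked without problems. If logout still required https, then switching access to http would be pointless, because the server would still need the https configuration.
Below I provide the casclient.jar file I modified; only the https protocol checks have been disabled, and nothing else was changed. If you need the source code, you can look for it online or simply ask me for it. If anything above is incorrect, corrections are welcome.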