cas 单点登录(SSO)实验之一: jasig cas-server 安装

参考文章：

http://my.oschina.net/indestiny/blog/200768#comments

http://wenku.baidu.com/view/0bcc0d01e87101f69e319595.html

SSO原理不多重复，需要理解的就一点，一个复杂系统需要一个唯一的验证服务，

这就是CAS(Central Authentication Service) Server。系统内的各种服务(Web网站)

可以作为CAS Server的客户端，CAS Client。而用户访问的服务其实就是这些

CAS Client。一个典型的支持SSO的Web网站如下图：

Browser--------->B服务器：WebServer(CAS Client)=======>A服务器：CAS SERVER

下面第一步就是搭建这个CAS SERVER。利用开源代码jasig cas来实现SSO的服务

器。jasig cas是一套现成的代码，首先是了解它，然后才能定制它。以下全部内容在A服务器上

执行，服务器: RHEL6.4。

jasig cas-server 安装

cas sso服务端配置. sso服务器:
    IP: 192.168.1.142

hostname: ubuntu64

tomcat 8

java 7

1) 下载cas-server-4.0.0-release.tar.gz

http://downloads.jasig.org/cas/cas-server-4.0.0-release.tar.gz

或者(不需要)：
$ git clone https://github.com/Jasig/cas/tree/v4.0.0-RC3

2) 在sso服务器 (192.168.1.142) 上生成证书

$ keytool -genkey -alias ssotest -keyalg RSA

Enter keystore password:  123456
Re-enter new password: 123456
What is your first and last name?
  [Unknown]:  ubuntu64
What is the name of your organizational unit?
  [Unknown]:  dev
What is the name of your organization?
  [Unknown]:  pepstack.com
What is the name of your City or Locality?
  [Unknown]:  SHA
What is the name of your State or Province?
  [Unknown]:  SHA
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=ubuntu64, OU=dev, O=pepstack.com, L=SHA, ST=SHA, C=CN correct?
  [no]:  yes

生成文件:
~/.keystore

3) 在sso服务器 (192.168.1.142) 上导出证书

$ keytool -export -file ~/ssotest.crt -alias ssotest -keystore ~/.keystore
Enter keystore password:123456
Certificate stored in file </home/cl/ssotest.crt>

ssotest.crt 将要部署在客户端的jre环境中，本文中暂未使用。

4) 配置Tomcat SSL: ${TOMCAT_HOME}/conf/server.xml

增加下面的段落：

 <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!-- https -->
    <Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        clientAuth="false"
        sslProtocol="TLS"
        URIEncoding="UTF-8"
        keystoreFile="/root/.keystore"
        keystorePass="123456"
        sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA" />

5) 部署cas-server war

解压：cas-server-4.0.0-release.tar.gz
将modules/cas-server-webapp-4.0.0.war改名为cas.war,
复制到${TOMCAT_HOME}/webapps/下.

${TOMCAT_HOME}/webapps/cas.war

启动tomcat，这时打开浏览器, 进入下面的地址，如图：

https://192.168.1.142:8443/cas/

服务端已经配置ok！登录名在下面文件中找到：deployerConfigContext.xml

   <!--
       | Authentication handler beans
       -->
    <bean id="acceptUsersAuthenticationHandler"
          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="casuser" value="Mellon"/>
            </map>
        </property>
    </bean>

casuser/Mellon