JA-SIG（CAS）学习笔记一

2013-11-09

JA-SIG（CAS）学习笔记1实验背景：系统环境： Windows XP|SUN JDK1.6U4 | Tomcat6.0.14 | CAS Server 3.1.1 +

JA-SIG（CAS）学习笔记1
实验背景：
系统环境： Windows XP | SUN JDK1.6U4 | Tomcat6.0.14 | CAS Server 3.1.1 + CAS Client 2.1.1
主机完整名称： Linly
浏览器： FireFox V2.0.0.11

实验步骤：
STEP 1，搭建Java Web服务器环境
安装 JDK + Tomcat 6.0.14 ， HTTP端口8080 ， HTTPS端口8443
JAVA_HOME = D:\Java\jdk1.6.0_04
CATALINA_HOME = D:\Java\apache-tomcat-6.0.14
安装完毕，启动Tomcat ，在浏览器上测试 http://Linly:8080/

出现上述界面，表明系统STEP1成功搭建。

STEP 2，使用Java Keytool工具为系统生成HTTPS证书，并为系统注册
（Java Keytool相关资料可参阅：Java keytool 安全证书学习笔记），在DOS窗体运行以下指令（建议编写一个BAT批处理文件执行）

cls
rem please set the env JAVA_HOME before run this bat file
rem delete alia tomcat if it is existed
keytool -delete -alias tomcatsso -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
keytool -delete -alias tomcatsso -storepass changeit
（注释：清除系统中可能存在的名字为tomcatsso 的同名证书）
rem list all alias in the cacerts
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
（注释：列出系统证书仓库中存在证书名称列表）
rem generator a key
keytool -genkey -keyalg RSA -alias tomcatsso -dname "cn=linly" -storepass changeit
（注释：指定使用RSA算法，生成别名为tomcatsso的证书，存贮口令为changeit，证书的DN为"cn=linly" ，这个DN必须同当前主机完整名称一致哦，切记！！！）rem export the key
keytool -export -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -storepass changeit
（注释：从keystore中导出别名为tomcatsso的证书，生成文件tomcatsso.crt）rem import into trust cacerts
keytool -import -alias tomcatsso -file %java_home%/jre/lib/security/tomcatsso.crt -keystore %java_home%/jre/lib/security/cacerts -storepass changeit
（注释：将tomcatsso.crt导入jre的可信任证书仓库。注意，安装JDK是有两个jre目录，一个在jdk底下，一个是独立的jre，这里的目录必须同Tomcat使用的jre目录一致，否则后面Tomcat的HTTPS通讯就找不到证书了）
rem list all alias in the cacerts
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
（注释：列出jre可信任证书仓库中证书名单，验证先前的导入是否成功，如果导入成功，应该在列表中能找到tomcatsso这个别名，如下图）[/quote]

同时，在D:\Java\jdk1.6.0_04\jre\lib\security目录下能找到“tomcatsso.crt”这个文件；在C:\Documents and Settings\Linly目录下能找到“.keystore”文件。
满足上述条件则STEP2部署完成。

STEP 3，配置Tomcat的HTTPS服务
编辑D:\Java\apache-tomcat-6.0.14\conf下的server.xml文件，在connector的配置位置添加以下的配置：
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/Documents and Settings/new/.keystore" keystorePass="changeit"
           truststoreFile="D:/Java/jdk1.6.0_04/jre/lib/security/cacerts"
           clientAuth="false" sslProtocol="TLS"/>

启动Tomcat，访问https://linly:8443/，出现以下界面说明HTTPS配置生效：

STEP 4，为HelloWorldExample程序配置CAS过滤器
访问http://linly:8080/examples/servlets/servlet/HelloWorldExample，出现以下界面说明应用正常启动：

编辑D:\Java\apache-tomcat-6.0.14\webapps\examples\WEB-INF下的web.xml文件，添加如下信息：

输入用户名/密码：linly/linly（任意两个相同的字窜），点击“登录”，出现以下画面：

表示CAS服务器配置运行成功。

STEP 6，测试JA-SIG（CAS）部署结果
启动Tomcat。
测试使用浏览器登陆以下网址：http://linly:8080/examples/servlets/servlet/HelloWorldExample，页面将弹出以下认证框，点击“确定”

页面将重定向到JA-SIG的SSO登录认证页面

输入用户名=密码，如：linly/linly，则通过验证，进入应用的入口界面，如下：

细心的用户将发现，此时的URL不再是：
http://linly:8080/examples/servlets/servlet/HelloWorldExample，
URL的尾端带上了一个ticket参数：
http://linly:8080/examples/servlets/servlet/HelloWorldExample?ticket=ST-2-qTcfDrdFb0bWndWgaqZD
到此，JA-SIG（CAS）服务器的初步SSO部署宣告成功。

javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cuytr:8443/CAS/serviceValidate] ticket=[ST-1-7YW9lw0fMbTeW0P1wHxx] service=[http%3A%2F%2Fcuytr%3A8080%2FConairOA%2F] renew=false]]]edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)root cause edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cuytr:8443/CAS/serviceValidate] ticket=[ST-1-7YW9lw0fMbTeW0P1wHxx] service=[http%3A%2F%2Fcuytr%3A8080%2FConairOA%2F] renew=false]]]edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)root cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetcom.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)root cause sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetsun.security.validator.PKIXValidator.doBuild(Unknown Source)sun.security.validator.PKIXValidator.engineValidate(Unknown Source)sun.security.validator.Validator.validate(Unknown Source)com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)root cause sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetsun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)java.security.cert.CertPathBuilder.build(Unknown Source)sun.security.validator.PKIXValidator.doBuild(Unknown Source)sun.security.validator.PKIXValidator.engineValidate(Unknown Source)sun.security.validator.Validator.validate(Unknown Source)com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)

<filter-mapping><filter-name>CAS Filter</filter-name><url-pattern>/servlets/servlet/HelloWorldExample</url-pattern></filter-mapping>

例子中就只有过滤这个页面啊，而且使用/*是一种很糟糕的配置哦，至少要是/*.do /*.jsp哦，否则cas的工作量就大了。

出现网页受保护的提示的是你IE的安全信任设置问题，还有我们在实验中用的证书是非正式的。谢谢楼主，学习试了下，用的tomcat5.5, examples文件夹直接从tomcat6拷贝过来，可以成功，继续学习第二篇笔记
开始我怀疑是我keytool的jre跟tomcat的jre不统一造成的。。但是经我查看时统一的。。。。楼主能帮忙看下是怎么回事吗
十分感谢 33 楼张小宇 2011-10-27   您好~ 有个问题希望能得到您的帮助 TT
在进入中心服务器准备验证之前，应该取到一串token，而这里取到的是一串乱码，导致后边无法正确认证，如下：
2011-10-27 18:37:02,484 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCrede
ntialsAction] - <SPNEGO Authorization header found with 1672 bytes>
2011-10-27 18:37:02,484 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCrede
ntialsAction] - <Obtained token: `??+爞??袪$0" *咹傳      *咹嗺

+?
????       *咹嗺

额。。。复制不上来，就是很长的一串乱码，不知道是从哪里取到的，应该如何处理这些乱码呢，求教求教，多谢多谢~ 34 楼 yatou_0209 2011-11-02   CAS服务环境搭建对别的环境会不会有影响？ 35 楼 leaow567 2012-03-14   serverName可以用ip地址的

热点排行

软件架构设计

JA-SIG（CAS）学习笔记一