A Brief Look at CAS Single Sign-On

Copyright notice: this is an original post by the blogger and may not be reproduced without permission. https://blog.csdn.net/qiyongkang520/article/details/70148977

I recently joined a startup that provides warehouse logistics management services. It has quite a few systems and modules, and the business logic is fairly complex, so I expect to learn a lot. I had been interested in SSO (single sign-on) for a while, and the company happens to use CAS for it, so I took a quick look. Once I have real hands-on experience I will share more; today I will just give an overview of how CAS single sign-on works.
First, a diagram of the overall process:
[figure: overview of the CAS single sign-on flow]
Below, I will walk through it in the following steps:

1. HTTPS and hosts file configuration

Because the CAS server requires HTTPS, the server has to be configured for it, which means it needs a certificate. Here we generate the certificate with the JDK's keytool and configure it on the server; the server hosting each SSO client then only needs to import that certificate with the JDK. Certificate generation and import are not covered here; you can look them up yourself.
I use Tomcat here, though Resin, Jetty and others work too. For Tomcat, HTTPS only requires enabling the HTTPS connector in server.xml, like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="d:/sso/ssodemo.keystore" keystorePass="qykpwd"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>

To simulate single sign-on across different domains, edit the system hosts file and add the following entries:

127.0.0.1    cas.qiyongkang.org
127.0.0.1    app1.qiyongkang.org
127.0.0.1    app2.qiyongkang.org

2. Deploying the CAS server

The CAS server can be downloaded from http://developer.jasig.org/cas/cas-server-3.4.11-release.zip. After downloading, import it into Eclipse; it is a Maven project:
[figure: CAS server project imported into Eclipse]
No configuration changes are needed. Start Tomcat and open it in the browser to see:
[figure: CAS server login page]
By default the server accepts the username and password admin; you can of course change the page and the login logic through the API.

3. Configuring SSO client 1

The client's Maven dependency is:

<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.2.1</version>
</dependency>

All we need is to create a new webapp, add the dependency, and configure web.xml as follows:

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>

    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <!-- Single sign-out -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- No local session: redirect to the CAS server login page -->
    <filter>
        <filter-name>CAS Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas.qiyongkang.org:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://app1.qiyongkang.org:1111</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Ticket validation -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas.qiyongkang.org:8443/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://app1.qiyongkang.org:1111</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

Then, for convenience, I start the client webapp with the Jetty plugin and open it in the browser:
[figure: browser redirected to the CAS server login page]
As you can see, it goes straight to the CAS server.

4. Configuring SSO client 2

Client 2 is identical to client 1 except that the port is changed to 2222, so I will not repeat it.

5. Single sign-on walkthrough

Entering admin/admin to log in, we see:
[figure: app1 page after login]
Then, going directly to the client 2 webapp:
[figure: app2 page, already logged in]
Login succeeds immediately, with no second login.

6. Analysis of the process

First, here is the CAS server log:

2017-04-12 23:24:20,582 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: admin]>
2017-04-12 23:24:20,584 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal admin>
2017-04-12 23:24:20,584 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: admin>
2017-04-12 23:24:20,587 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: supplied credentials: [username: admin]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Apr 12 23:24:20 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-04-12 23:24:20,592 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: TGT-1-BbjBIU5hpzURziFCyPjcZ9nDxuG6KKnvE4WqSkoDFjJEEj9iVn-cas
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Apr 12 23:24:20 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-04-12 23:24:20,597 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-W1rPACHcF7FR1kVwDAHW-cas] for service [http://app1.qiyongkang.org:1111/app1/] for user [admin]>
2017-04-12 23:24:20,598 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-1-W1rPACHcF7FR1kVwDAHW-cas for http://app1.qiyongkang.org:1111/app1/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Apr 12 23:24:20 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-04-12 23:24:21,134 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-W1rPACHcF7FR1kVwDAHW-cas
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Apr 12 23:24:21 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-04-12 23:25:38,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2017-04-12 23:25:38,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
2017-04-12 23:27:38,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2017-04-12 23:27:38,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
2017-04-12 23:27:41,241 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-ekj4xkMWDJPP0cxAoCug-cas] for service [http://app2.qiyongkang.org:2222/app2/] for user [admin]>
2017-04-12 23:27:41,242 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-2-ekj4xkMWDJPP0cxAoCug-cas for http://app2.qiyongkang.org:2222/app2/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Apr 12 23:27:41 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-04-12 23:27:41,702 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-ekj4xkMWDJPP0cxAoCug-cas
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Apr 12 23:27:41 CST 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

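As an added example (not from the post), here is how a defender might turn these audit-trail records into structured events: it joins each SERVICE_TICKET_CREATED record, which names the user and the service, with the SERVICE_TICKET_VALIDATED record for the same ST id, whose WHO is only audit:unknown, and flags service tickets that were issued but never validated. The sample log is constructed in the same layout as the log above, with placeholder ticket ids.

```python
import re

# Constructed sample in the inspektr audit-trail layout shown above; the ticket
# ids are placeholders, not the ones from the real log.
def _record(who, what, action):
    return ("2017-04-12 23:24:20,592 INFO [com.github.inspektr.audit.support."
            "Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN\n"
            "=============================================================\n"
            f"WHO: {who}\nWHAT: {what}\nACTION: {action}\nAPPLICATION: CAS\n"
            "WHEN: Wed Apr 12 23:24:20 CST 2017\nCLIENT IP ADDRESS: 127.0.0.1\n"
            "SERVER IP ADDRESS: 127.0.0.1\n"
            "=============================================================\n\n>\n")

SAMPLE_LOG = "".join([
    _record("[username: admin]", "TGT-1-EXAMPLE-cas", "TICKET_GRANTING_TICKET_CREATED"),
    _record("admin", "ST-1-EXAMPLE-cas for http://app1.qiyongkang.org:1111/app1/",
            "SERVICE_TICKET_CREATED"),
    _record("audit:unknown", "ST-1-EXAMPLE-cas", "SERVICE_TICKET_VALIDATED"),
    # issued but never validated: the browser never completed the redirect
    _record("admin", "ST-2-EXAMPLE-cas for http://app2.qiyongkang.org:2222/app2/",
            "SERVICE_TICKET_CREATED"),
])

FIELD = re.compile(r"^([A-Z ]+): (.*)$")

def parse_audit_records(log_text):
    """Turn each 'Audit trail record BEGIN ... >' block into a dict of its fields."""
    records, current = [], None
    for line in log_text.splitlines():
        if "<Audit trail record BEGIN" in line:
            current = {}
        elif current is not None and line.strip() == ">":
            records.append(current)
            current = None
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return records

def correlate_tickets(log_text):
    """Join ST creation (names user and service) with ST validation (WHO is only
    'audit:unknown') on the ST id, and flag tickets issued but never validated."""
    issued, validated = {}, set()
    for r in parse_audit_records(log_text):
        if r.get("ACTION") == "SERVICE_TICKET_CREATED":
            st, service = r["WHAT"].split(" for ", 1)
            issued[st] = {"user": r["WHO"], "service": service}
        elif r.get("ACTION") == "SERVICE_TICKET_VALIDATED":
            validated.add(r["WHAT"])
    for st, info in issued.items():
        info["validated"] = st in validated
    return issued
```

An ST that is issued but never validated is worth alerting on once the ticket lifetime has passed: either a client is misconfigured or the redirect carrying the ticket was lost somewhere between CAS and the application.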
Now let me explain. On the first visit to http://app1.qiyongkang.org/app1/, the app1 server looks for a local session (JSESSIONID) from the browser. There is none, so it redirects to the authentication center: https://cas.qiyongkang.org:8443/cas/login?service=http%3A%2F%2Fapp1.qiyongkang.org%3A1111%2Fapp1%2F. The CAS server checks for a global session, the TGT. If there is none, it shows the login page; if there is one, it issues a ticket and redirects back to app1 with it. After a successful login, the CAS server creates the global session (TGT), issues a service ticket (ST), and redirects back with it to http://app1.qiyongkang.org/app1/?ticket=ST-1-bf9EBZeb6ZbS3tHHe605-cas. The app1 server takes the ticket and sends it to the authentication center for validation. Once the center has verified the ticket, it returns the logged-in user's information to the app1 server, which then establishes a local session with the browser, and the process is complete.

Visiting http://app2.qiyongkang.org/app2/ next follows almost the same steps: since there is no local session, the browser still has to go to the authentication center, but the global session already exists, so CAS only needs to issue a ticket and redirect straight to the app2 server with it. The rest is the same, and finally app2 establishes its own local session with the browser.
That is all for this introduction to CAS single sign-on. I have not dug into the source code, only learned the general flow and the idea behind it; I will study it more deeply later and hope this is of some help~
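The exchange just described, as an added example that is not the post's or the CAS project's code: a Python stand-in for the CAS server and the two client filter steps from the web.xml above. The URLs come from the configuration on this page; the FakeCasServer class, the helper names and the ticket ids are my own, while the redirect URL and the serviceValidate XML bodies follow the CAS 2.0 protocol.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"
CAS_LOGIN = "https://cas.qiyongkang.org:8443/cas/login"   # casServerLoginUrl in web.xml
SERVER_NAME = "http://app1.qiyongkang.org:1111"           # serverName in web.xml

class FakeCasServer:
    """Constructed stand-in for the CAS server: issues single-use service tickets
    bound to one service URL and answers /serviceValidate in CAS 2.0 XML."""
    def __init__(self):
        self.tickets = {}   # ST id -> (service it was issued for, user)
        self.count = 0

    def login(self, service, user):
        """After login (or with an existing TGT): issue an ST, redirect back with it."""
        self.count += 1
        st = f"ST-{self.count}-EXAMPLE-cas"               # constructed ticket id
        self.tickets[st] = (service, user)
        return f"{service}?ticket={st}"

    def service_validate(self, service, ticket):
        entry = self.tickets.pop(ticket, None)            # one ST, one validation
        if entry is None or entry[0] != service:          # must match issuing service
            code = "INVALID_TICKET" if entry is None else "INVALID_SERVICE"
            return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                    f"<cas:authenticationFailure code='{code}'>{ticket}"
                    "</cas:authenticationFailure></cas:serviceResponse>")
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                f"<cas:authenticationSuccess><cas:user>{entry[1]}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")

def login_redirect(path):
    """AuthenticationFilter: no local session, so redirect to CAS with the
    service URL (serverName + request path) as the 'service' parameter."""
    return CAS_LOGIN + "?" + urlencode({"service": SERVER_NAME + path})

def handle_callback(cas, callback_url):
    """Cas20ProxyReceivingTicketValidationFilter: take ?ticket= off the callback,
    validate it with CAS directly (never trusting the browser), and return the
    asserted user to start the local session, or None on failure."""
    parts = urlsplit(callback_url)
    ticket = parse_qs(parts.query).get("ticket", [None])[0]
    service = f"{parts.scheme}://{parts.netloc}{parts.path}"
    root = ET.fromstring(cas.service_validate(service, ticket))
    user = root.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
    return user.text if user is not None else None
```

Because the ticket is consumed on first validation and bound to the service it was issued for, presenting it a second time, or from a different service URL, yields an authenticationFailure rather than a session.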
