环境win8+tomcat7+jdk7+cas-server-4.0.0-release
1. 首先到 http://downloads.jasig.org/ 地址下载 cas-server-4.0.0-release.zip,解压后到modules目录中找到cas-server-webapp-4.0.0.war,复制到tomcat的webapp目录下,修改名称为cas.war
2. (1)创建证书
keytool -genkey -alias mycas -keyalg RSA -keysize 2048 -keystore E:/cas/keys/mycas.keystore
(2)导出证书
keytool -export -file E:/cas/keys/mycas.crt -alias mycas -keystore E:/cas/keys/mycas.keystore
(3)客户端JVM导入证书
keytool -import -keystore E:javajdk1.7.0_79jrelibsecuritycacerts -file E:/cas/keys/mycas.crt -alias mycas
如果提示:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
那么输入密码:changeit
这是因为JDK安装后会默认创建一个密钥库,密码为:changeit
也可以删除E:javajdk1.7.0_79jrelibsecuritycacerts 在输入上述命令
3. 让tomcat使用证书
打开tomcat目录的conf/server.xml文件,8443端处,并设置keystoreFile、keystorePass修改结果如下:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="E:caskeysmycas.keystore" keystorePass="123456" />
4. 登录cas
启动tomcat之后再webapp中的cas.war自动解压,我们可以直接访问https://localhost:8443/cas/login, cas4.0 默认账号密码是casuser/Mellon
5. 读取数据库进行认证
需要的jar包有cas-server-support-jdbc.jar c3p0-0.9.1.2.jar mysql-connector-java-5.1.24 ,我这里是mysq 其他数据库根据情况整理jar包,放入到webappscasWEB-INFlib 。之后在casWEB-INF下找到deployerConfigContext.xml进行修改:
(1)首先注释掉默认的登录账号密码:
<!-- <bean id="primaryAuthenticationHandler" class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler"> <property name="users"> <map> <entry key="casuser" value="Mellon"/> </map> </property> </bean> -->
(2)注释之后,添加jdbc配置,这里为了方便没有采用加密:
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" p:driverClass="com.mysql.jdbc.Driver" p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/test?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull" p:user="root" p:password="root" /> <bean id="dbAuthHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"> <property name="sql" value="select password from user where username=?" /> <property name="dataSource" ref="dataSource" /> </bean>
再找到id=authenticationManager的bean,注释掉primaryAuthenticationHandler,并添加dbAuthHandler:
<!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> --> <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver" />
之后重启tomcat 进行验证,登录https://localhost:8443/cas/login进行验证