Spring Security 2.0 + CAS: Study Notes on Configuring Single Sign-On

Spring Security 2.0 is the new version built on top of the earlier Acegi Security authentication framework. It integrates many authentication systems, and the one most people know is probably Yale's CAS. I spent half a day today setting up the example that Spring Security provides; what follows are my notes from that half day.

Prerequisites:
1. Java SE Development Kit (JDK) 6 Update 10 (includes the JRE):
http://java.sun.com/javase/downloads/index.jsp
2. Tomcat 6.0.18:
http://apache.mirror.phpchina.com/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.zip
3. Eclipse 3.4 (WTP):
http://download.actuatechina.com/eclipse/technology/epp/downloads/release/ganymede/SR1/eclipse-jee-ganymede-SR1-win32.zip
4. Download the latest Spring release, 2.5.5: http://nchc.dl.sourceforge.net/sourceforge/springframework/spring-framework-2.5.5-with-dependencies.zip
5. Download the latest Spring Security release, 2.0.4: http://nchc.dl.sourceforge.net/sourceforge/springframework/spring-security-2.0.4.zip
6. Download the latest CAS releases, both the server and the client:
http://www.ja-sig.org/downloads/cas/cas-server-3.3-release.zip
http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1.3-release.zip

Once these files are downloaded, unpack them to a path of your choice. Installing the JDK, Tomcat and the Eclipse WTP tooling is not covered here.

Now the concrete steps:
1. Configure Tomcat for SSL. For the full details see the javaeye article http://www.iteye.com/topic/78274 (author: eddie); here I give only the essential steps, assuming you already know the relevant environment variables and PATH configuration:
a. Change to the Tomcat installation directory
cd %CATALINA_HOME%

b. Generate the server key. Note that the name keytool prompts for (the "first and last name", which becomes the certificate's CN) must be localhost or a domain name you own, because the CAS client will connect to the CAS server using that host name.
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 365

c. Export the certificate and import it into the JRE's trusted certificate store (the JRE that Tomcat runs under, since the CAS client inside the web application validates tickets over HTTPS with that trust store)
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass changeit

keytool -import -trustcacerts -alias tomcat -file server.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

d. Edit Tomcat's configuration file %CATALINA_HOME%/conf/server.xml. The SSL connector block in it is commented out; paste in the following:
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"  
            port="8443" minSpareThreads="5" maxSpareThreads="75"  
            enableLookups="true" disableUploadTimeout="true"    
            acceptCount="100"  maxThreads="200"  
            scheme="https" secure="true" SSLEnabled="true"  
            clientAuth="false" sslProtocol="TLS"  
            keystoreFile="[your_tomcat_install_path]/server.keystore"    
            keystorePass="changeit"/> 

At this point the Tomcat SSL configuration is done. Start Tomcat and visit https://localhost:8443/ to verify.

2. Deploy the CAS server. The CAS Server distribution contains a war, cas-server-3.3\modules\cas-server-webapp-3.3.war. Rename it to cas.war and deploy it under Tomcat's webapps, then start Tomcat; if all is well, the CAS service is reachable at http://localhost:8080/cas.
For some reason, line 48 of webapps/cas/WEB-INF/view/jsp/default/ui/casLoginView.jsp has an error caused by mismatched double quotes: the JSP expression is wrapped in double quotes and itself contains double quotes, so the attribute value ends early. The line needs a small change. As shipped it reads:

<c:set var="query" value="<%=request.getQueryString() == null ? "" : request.getQueryString().replaceAll("&locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]|^locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]", "")%>" />

Change the outer double quotes around the <%= ... %> expression (the ones marked in red in the original post) to single quotes:

<c:set var="query" value='<%=request.getQueryString() == null ? "" : request.getQueryString().replaceAll("&locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]|^locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]", "")%>' />

Then visiting http://localhost:8080/cas/ shows the CAS page.

3. Download the Spring Security CAS sample code. Spring Security 2.0 does not ship the CAS sample in its release, so it has to be fetched from SVN at:
http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk. The CAS sample is under spring-security\samples\cas, split into server and client folders. We have already set up the server part by hand, so only the client part matters here. The official project is built with Maven, so the source has to be imported into an Eclipse project manually; how to do that is not covered here.
Things to watch:
a. The project name (which becomes the exported war name) should be cas-sample, the name used in applicationContext-security.xml, because that file contains URLs of the application as deployed on Tomcat, for example https://localhost:9443/cas-sample/secure/receptor
b. Our Tomcat SSL port is 8443, and we want the CAS Server and our web application on the same Tomcat, so every occurrence of port 9443 in applicationContext-security.xml must be changed to 8443.
c. One more file, cas-sample/cas-logout.jsp, contains a URL that uses port 9443; change it to 8443 as well.
d. Add the required jars to WEB-INF/lib:
  cas-client-core-3.1.3.jar
  commons-logging-1.1.jar
  log4j-1.2.9.jar
  spring.jar
  spring-security-cas-client-2.0.4.jar
  spring-security-core-2.0.4.jar

4. The configuration changes are now complete. Export your Dynamic Web Project as a war, cas-sample.war, deploy it to Tomcat and start Tomcat. Visit http://localhost:8080/cas-sample/secure/index.jsp. This page requires authentication, so it redirects to the CAS login page; log in with rod/rod (configured in applicationContext-security.xml, because the authorization information of these configured users is needed) and you are signed in to our own cas-sample application.

With that, a simple Spring Security 2.0 + CAS single sign-on setup is complete.
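The login in step 4 is a CAS 2.0 round trip: the browser is sent to the CAS login page with a service URL, CAS issues a service ticket (the ST-... value seen in CAS logs) and redirects back to the application's j_spring_cas_security_check URL, and the application then asks CAS over the back channel to validate the ticket. The following Python sketch is an added example, not code from these notes, from CAS or from Spring Security; it models both sides of that exchange in memory so the checks a ticket validator relies on (single use, short lifetime, binding to the exact service URL, rejecting malformed tickets) can be seen without a server. The class names CasServer and CasClient, the 10-second ticket lifetime and the ticket format are assumptions chosen to resemble CAS 3.3, not values taken from it.

```python
"""CAS 2.0 ticket exchange in miniature (added example, not project code)."""
import re
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
TICKET_TTL_SECONDS = 10                      # assumption, resembles CAS 3.3 defaults
TICKET_RE = re.compile(r"^ST-\d+-[0-9a-f]+-cas$")   # assumed format, cf. ST-1-...-cas


def _failure(code, message):
    """CAS 2.0 failure body, e.g. <cas:authenticationFailure code="INVALID_TICKET">."""
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{escape(message)}'
            "</cas:authenticationFailure></cas:serviceResponse>")


class CasServer:
    """Stand-in for cas.war: authenticates users, issues and validates STs."""

    def __init__(self, users):
        self.users = users        # {username: password}; constructed test data
        self.tickets = {}         # ticket -> (service, username, issued_at)
        self.counter = 0

    def login(self, username, password, service):
        """Returns the redirect URL carrying a fresh ST, or None on bad credentials."""
        if self.users.get(username) != password:
            return None
        self.counter += 1
        ticket = f"ST-{self.counter}-{secrets.token_hex(10)}-cas"
        self.tickets[ticket] = (service, username, time.monotonic())
        sep = "&" if urlparse(service).query else "?"
        return f"{service}{sep}{urlencode({'ticket': ticket})}"

    def service_validate(self, service, ticket):
        """Back-channel /serviceValidate: a ticket is single-use, time-limited
        and bound to the exact service URL it was issued for."""
        entry = self.tickets.pop(ticket, None)          # pop => cannot be replayed
        if entry is None:
            return _failure("INVALID_TICKET", f"ticket {ticket} not recognized")
        issued_for, username, issued_at = entry
        if time.monotonic() - issued_at > TICKET_TTL_SECONDS:
            return _failure("INVALID_TICKET", "ticket expired")
        if issued_for != service:
            return _failure("INVALID_SERVICE", "ticket issued for another service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f"<cas:authenticationSuccess><cas:user>{escape(username)}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


def parse_validation_response(xml_body):
    """Returns the authenticated username, or None for any failure response."""
    root = ET.fromstring(xml_body)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None
    user = success.find(f"{{{CAS_NS}}}user")
    return user.text if user is not None and user.text else None


class CasClient:
    """Stand-in for CasProcessingFilter + Cas20ServiceTicketValidator in the webapp."""

    def __init__(self, server, service_url):
        self.server = server
        self.service_url = service_url   # the registered j_spring_cas_security_check URL

    def handle_callback(self, request_url):
        """Pulls the ticket out of the redirect and validates it with CAS."""
        parsed = urlparse(request_url)
        if parsed._replace(query="", fragment="").geturl() != self.service_url:
            return None                  # callback hit a URL we never registered
        ticket = parse_qs(parsed.query).get("ticket", [""])[0]
        if not TICKET_RE.match(ticket):
            return None                  # drop malformed tickets before any network call
        return parse_validation_response(
            self.server.service_validate(self.service_url, ticket))


def demo():
    """Walks through the exchange and returns the outcome of each step."""
    service = "https://localhost:8443/cas-sample/j_spring_cas_security_check"
    server = CasServer({"rod": "rod"})   # constructed; mirrors the sample's rod/rod user
    client = CasClient(server, service)

    redirect = server.login("rod", "rod", service)
    other = server.login("rod", "rod", "https://localhost:8443/other-app/check")
    other_ticket = parse_qs(urlparse(other).query)["ticket"][0]
    return {
        "bad_password": server.login("rod", "wrong", service),      # None
        "first_use": client.handle_callback(redirect),              # "rod"
        "replay": client.handle_callback(redirect),                 # None
        "other_service": parse_validation_response(                 # None
            server.service_validate(service, other_ticket)),
        "malformed": client.handle_callback(service + "?ticket=not-a-ticket"),
    }


if __name__ == "__main__":
    print(demo())
```

The real Spring Security provider does the same validation call over HTTPS to the CAS server, which is why step 1c (trusting the Tomcat certificate in the JRE that runs the web application) matters: if that trust is missing, the back-channel call fails before any ticket check happens.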
Comments
#3 lulcxu 2009-08-14
Quoting the post: "The official project is built with Maven, so the source has to be imported into an Eclipse project manually; how to do that is not covered here."

I hope you can say more about this. Because of our requirements I need to modify the CAS SERVER, but I have never managed to convert it into an ECLIPSE project.

I hope you can give the detailed procedure and the prerequisites (for example, whether the development machine needs internet access, because my development machine cannot connect to the internet).
#2 wangyu 2009-01-20
Could you help me look at this exception:
2009-01-20 16:55:54,968 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas>
2009-01-20 16:56:04,765 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: rod]>
2009-01-20 16:56:04,843 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-CRuiVmmfkds9mJtbfHjZ-cas] for service [https://localhost:8443/cas-sample/j_spring_cas_security_check] for user [rod]>
16:56:05,125 ERROR Cas20ServiceTicketValidator:49 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
	at org.springframework.security.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:145)
	at org.springframework.security.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:131)
	at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
	at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
	at org.springframework.security.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:94)
	at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
	at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
	at org.springframework.security.securechannel.ChannelProcessingFilter.doFilterHttp(ChannelProcessingFilter.java:116)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
	at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:880)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:719)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:2081)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
	... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 56 more

#1 jelver 2008-12-15
Nice, we have been using this recently too.
