CAS website: https://www.apereo.org/projects/cas
CAS Server GitHub repository: https://github.com/apereo/cas
Documentation: https://apereo.github.io/cas/5.3.x/
Overlay template (CAS's recommended way to build a deployable server): https://github.com/apereo/cas-overlay-template
Maven Central artifacts: https://repo1.maven.org./maven2/cas/
Central Authentication Service (CAS) is an enterprise, multi-language single sign-on solution.
Enterprise Single Sign-On - CAS provides a friendly open source community that actively supports and contributes to the project. While the project is rooted in higher-ed open source, it has grown to an international audience spanning Fortune 500 companies and small special-purpose installations.
CAS provides enterprise single sign-on service for the Web:
- An open and well-documented protocol
- An open-source Java server component
- Pluggable authentication support (LDAP, database, X.509, 2-factor)
- Support for multiple protocols (CAS, SAML, OAuth, OpenID)
- A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
- Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
- Community documentation and implementation support
- An extensive community of adopters
CAS Java client download: https://github.com/apereo/java-cas-client
Server WAR: once you know the version number you can download the packaged Tomcat webapp straight from Maven Central, for example:
https://repo1.maven.org/maven2/org/apereo/cas/cas-server-webapp-tomcat/5.3.16/cas-server-webapp-tomcat-5.3.16.war
https://repo1.maven.org/maven2/org/apereo/cas/cas-server-webapp-tomcat/6.3.4/cas-server-webapp-tomcat-6.3.4.war
https://repo1.maven.org/maven2/org/apereo/cas/cas-server-webapp-tomcat/6.3.3/cas-server-webapp-tomcat-6.3.3.war
Maven repository pages for the WAR:
https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat
https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/6.3.0
For example, to download version 5.3.16:
https://repo1.maven.org/maven2/org/apereo/cas/cas-server-webapp-tomcat/5.3.16/cas-server-webapp-tomcat-5.3.16.war
Docker Hub image: https://hub.docker.com/r/apereo/cas
docker pull apereo/cas:6.3.3
docker run --name cas -p 8443:8443 -p 8442:8080 apereo/cas:6.3.3 /bin/sh /cas-overlay/bin/run-cas.sh
The tag on the run command must match the one that was pulled; without a tag docker would fetch and run apereo/cas:latest rather than 6.3.3. Container port 8443 is the HTTPS listener, 8080 the plain HTTP one.
The container then fails to start because the image expects a TLS keystore at /etc/cas/thekeystore, which does not exist yet:
Caused by: java.io.FileNotFoundException: /etc/cas/thekeystore (No such file or directory)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(Unknown Source)
at java.base/java.io.FileInputStream.<init>(Unknown Source)
at java.base/java.io.FileInputStream.<init>(Unknown Source)
at java.base/sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
at java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(Unknown Source)
at org.apache.catalina.startup.CatalinaBaseConfigurationSource.getResource(CatalinaBaseConfigurationSource.java:121)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:197)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 33 more
Generate a keystore on the host with keytool (no sudo needed, it writes to the current directory), copy it into the container and restart it. The store and key password changeit is the one the CAS docker image is configured with (server.ssl.key-store-password / server.ssl.key-password); the SAN lists the names you will actually type into the browser, which is what TLS clients check (the CN is only consulted by clients that find no SAN at all):
keytool -genkeypair -alias cas -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -dname "CN=cas,OU=cas,OU=cas,C=cas" -ext SAN="dns:localhost,ip:127.0.0.1"
docker cp server.keystore cas:/etc/cas/thekeystore
docker restart cas
Then open: https://127.0.0.1:8443/cas/login (the browser warns about the self-signed certificate; that is expected here)
Default username: casuser
Default password: Mellon
These are CAS's built-in static test credentials (cas.authn.accept.users); remove them before the server is reachable from anywhere but a lab.
CAS only accepts user requests over HTTPS, so Tomcat must be configured with an HTTPS connector.
Generate the keystore with the JDK's keytool (-genkey is the older spelling of -genkeypair; both work).
Create a keystore under D:\cas\ holding a key pair with the alias yuan-key:
keytool -genkey -v -alias yuan-key -keyalg RSA -keystore D:\cas\yuan-key.keystore
No -validity is given, so the self-signed certificate expires after keytool's default of 90 days (add e.g. -validity 365 for a longer-lived one), and no -ext SAN is given, so the certificate carries only a CN.
The command-line session looks like this:
C:\Users\infodba>keytool -genkey -v -alias yuan-key -keyalg RSA -keystore d:\cas\yuan-key.keystore
Enter keystore password: yuan123456
Re-enter new password: yuan123456
What is your first and last name?
[Unknown]: jinshengyuan.com (this one matters: it becomes the CN, so use the host name the clients will connect to, and map that name in Windows\System32\drivers\etc\hosts)
What is the name of your organizational unit?
[Unknown]: yuan
What is the name of your organization?
[Unknown]: yuan
What is the name of your City or Locality?
[Unknown]: shanxi
What is the name of your State or Province?
[Unknown]: xian
What is the two-letter country code for this unit?
[Unknown]: zh
Is CN=yuan, OU=yuan, O=yuan, L=shanxi, ST=xian, C=zh correct?
[no]: y
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=yuan, OU=yuan, O=yuan, L=shanxi, ST=xian, C=zh
Enter key password for <yuan-key>
(RETURN if same as keystore password):
[Storing d:\cas\yuan-key.keystore]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore d:\cas\yuan-key.keystore -destkeystore d:\cas\yuan-key.keystore -deststoretype pkcs12".
C:\Users\infodba>
keytool does not validate the answers: "zh" is a language code, the ISO 3166 country code for China is "CN", and the CN that ends up in the certificate must be the host name used in the browser, otherwise every client will refuse or warn about the certificate.
Migrating to the industry-standard format as the warning suggests is optional:
C:\Users\infodba>keytool -importkeystore -srckeystore d:/cas/yuan-key.keystore -destkeystore d:/cas/yuan-key.keystore -deststoretype pkcs12
Enter source keystore password:
Entry for alias yuan-key successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "d:/cas/yuan-key.keystore" to Non JKS/JCEKS. The JKS keystore is backed up as "d:/cas/yuan-key.keystore.old".
Delete the .old backup once the migrated store works: it holds the same private key under the same password.
Export the certificate (the public part only) from the keystore:
keytool -export -trustcacerts -alias yuan-key -file d:/cas/yuan-key.cer -keystore d:/cas/yuan-key.keystore
The prompt asks for the keystore password, i.e. yuan123456 from above.
C:\Users\infodba>keytool -export -trustcacerts -alias yuan-key -file d:/cas/yuan-key.cer -keystore d:/cas/yuan-key.keystore
Enter keystore password:
Certificate stored in file <d:/cas/yuan-key.cer>
Next, import the exported certificate into the JDK's own truststore (cacerts) so that Java programs run with this JDK, such as a Java CAS client, trust the self-signed server certificate. Command (the file is yuan-key.cer):
keytool -import -trustcacerts -alias yuan-key -file d:/cas/yuan-key.cer -keystore "D:\Program Files\Java\jdk1.8.0_202\jre\lib\security\cacerts"
The keystore being written here is cacerts, so the password it asks for is the cacerts password, which is the JDK default changeit, not the yuan123456 of the keystore created above. Entering the wrong one fails:
C:\Users\infodba>keytool -import -trustcacerts -alias yuan-key -file d:/cas/yuan-key.cer -keystore "D:\Program Files\Java\jdk1.8.0_202\jre\lib\security\cacerts"
Enter keystore password: yuan123456
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
The correct run (type changeit at the prompt):
C:\Users\infodba>keytool -import -trustcacerts -alias yuan-key -file d:/cas/yuan-key.cer -keystore "D:\Program Files\Java\jdk1.8.0_202\jre\lib\security\cacerts"
Enter keystore password:
Owner: CN=yuan, OU=yuan, O=yuan, L=shanxi, ST=xian, C=zh
Issuer: CN=yuan, OU=yuan, O=yuan, L=shanxi, ST=xian, C=zh
Serial number: 424e20f1
Valid from: Wed Jan 27 20:28:02 CST 2021 until: Tue Apr 27 20:28:02 CST 2021
Certificate fingerprints:
MD5: EF:17:47:78:0B:40:DF:3A:49:B4:29:E4:6E:24:57:EC
SHA1: 56:D6:89:3E:7E:BD:D0:42:A3:B6:12:33:BE:6D:96:AC:87:90:99:24
SHA256: 8E:33:25:6B:F9:C0:AF:74:05:21:AB:0C:02:01:61:88:46:41:5A:27:EF:53:49:29:7D:52:BE:CD:64:60:01:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 5E 14 C9 B3 28 06 91 8A F5 92 FA E0 FF B2 67 .^...(.........g
0010: CD 24 B1 66 .$.f
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
Owner and Issuer are identical: this is a self-signed certificate, and the only thing binding it to your server is you checking the fingerprint before answering y. Every Java application run with this JDK now trusts it until it expires, so outside a lab prefer giving the client its own truststore (-Djavax.net.ssl.trustStore=...) over editing cacerts.
Add the following Connector to D:\apache-tomcat-9.0.41\conf\server.xml (these are the Tomcat 8.0-style attributes; Tomcat 9 still accepts them and maps them onto an SSLHostConfig):
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="d:\cas\yuan-key.keystore"
keystoreType="PKCS12"
keystorePass="yuan123456"/>
keystoreType="PKCS12" is needed because the store was migrated above; if you skipped the migration use keystoreType="JKS" or drop the attribute. The keystore password now sits in clear text in server.xml, so restrict who can read that file.
Download the 5.3.16 WAR:
https://repo1.maven.org/maven2/org/apereo/cas/cas-server-webapp-tomcat/5.3.16/cas-server-webapp-tomcat-5.3.16.war
Rename cas-server-webapp-tomcat-5.3.16.war to cas.war and copy it into Tomcat's webapps directory.
Start Tomcat.
Open https://localhost:8444/cas in the browser. Expect a certificate warning: the certificate above has CN=yuan and no SAN, so it does not match the host name localhost. Either put the name from the CN into the hosts file and use it in the URL, or regenerate the key pair with -ext SAN=dns:localhost.
Enter the username and password to verify that the CAS server is working.
Username/password: casuser/Mellon
These credentials are configured in D:\apache-tomcat-9.0.41\webapps\cas\WEB-INF\classes\application.properties:
cas.authn.accept.users=casuser::Mellon
Remove this line (and configure a real authentication backend) before the server is used for anything but testing.
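The host-name check behind the certificate warning, applied to the two keystores on this page: the docker one generated with -ext SAN="dns:localhost,ip:127.0.0.1" and the Windows one generated interactively with only a CN. This is an added example written for this page, not CAS, JDK or browser code; it implements the RFC 6125 rules a TLS client applies (SAN first, a wildcard only as the whole left-most label, IP literals only against iPAddress entries, the CN consulted only when there is no SAN at all), and the two CertNames values are constructed from the keytool commands above.

```python
"""Host-name check a TLS client applies to a server certificate.

Added example for this page, not CAS, JDK or browser code. Rules per RFC 6125:
dNSName SAN entries match case-insensitively, a wildcard may only replace the
whole left-most label, IP literals match only iPAddress SAN entries, and the
CN is consulted only when the certificate has no SAN. The two CertNames below
are constructed from the keytool commands on this page.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The names a certificate carries: subject CN plus SAN entries."""
    cn: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry (possibly '*.example.org') against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire left-most label, must leave at least two
    # fixed labels ('*.org' is rejected), and never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches(cert: CertNames, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is acceptable for `cert`."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only with iPAddress SAN entries.
        return any(ip == ipaddress.ip_address(s) for s in cert.ip_sans)
    if cert.dns_sans or cert.ip_sans:
        # A SAN extension is present: the CN is ignored entirely.
        return any(_dns_match(p, host) for p in cert.dns_sans)
    return _dns_match(cert.cn, host)  # legacy fallback: no SAN, use the CN


# Constructed from the docker command: -dname "CN=cas,..." -ext SAN="dns:localhost,ip:127.0.0.1"
DOCKER_CERT = CertNames(cn="cas", dns_sans=["localhost"], ip_sans=["127.0.0.1"])
# Constructed from the Windows transcript: interactive keytool, CN=yuan, no SAN
WINDOWS_CERT = CertNames(cn="yuan")


def report(cert: CertNames, hosts) -> dict:
    """Map each candidate host name to whether the certificate matches it."""
    return {h: host_matches(cert, h) for h in hosts}


if __name__ == "__main__":
    for label, cert in (("docker", DOCKER_CERT), ("windows", WINDOWS_CERT)):
        print(label, report(cert, ["localhost", "127.0.0.1", "cas", "yuan", "jinshengyuan.com"]))
```

The docker certificate matches localhost and 127.0.0.1 but not its own CN "cas", because once a SAN is present the CN is ignored; the Windows certificate matches nothing but the name typed at the CN prompt. Java's default HostnameVerifier still falls back to the CN when there is no SAN, so a Java CAS client reaching the server under that name works, while Chrome and Firefox have ignored the CN for years and warn on a SAN-less certificate whatever the URL.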
After logging in, CAS reports that the service registry is empty and no services are defined. Applications that want to authenticate through CAS must be explicitly registered in the service registry.
Fix:
1. Edit webapps\cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json and change
"serviceId" : "^(https|imaps)://.*"
to
"serviceId" : "^(https|http|imaps)://.*",
2. Edit webapps\cas\WEB-INF\classes\application.properties and append these two lines:
cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
Both changes are for a lab only. The shipped pattern already admits any https URL (fine for a demo, not for production); adding http means CAS will also issue service tickets for plain-http URLs, where the ticket travels to the application in a clear-text redirect that an on-path attacker can read and redeem first. cas.tgc.secure=false strips the Secure flag from the ticket-granting cookie, so the browser will send the SSO session cookie over http as well. In production keep cas.tgc.secure=true (the default) and register each application with its own serviceId that matches only that application's https URLs.
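What the widened serviceId actually admits, as an added example for this page (not CAS project code): it loads a service definition constructed in the shape of HTTPSandIMAPS-10000001.json, applies its serviceId pattern to a constructed list of service URLs the way CAS's RegexRegisteredService does (a regular-expression match of the service URL; CAS uses java.util.regex, Python's re behaves the same for these patterns), and compares the page's loosened pattern with the shipped one and with a definition scoped to a single hypothetical application at app.example.org. All host names are assumptions.

```python
"""Which service URLs a CAS service definition admits.

Added example for this page, not CAS project code. CAS matches the `service`
parameter of a login or validation request against the `serviceId` regular
expression of each RegexRegisteredService (java.util.regex; Python's re
behaves the same for these patterns). DEFAULT_SERVICE reproduces the shape of
WEB-INF/classes/services/HTTPSandIMAPS-10000001.json; the other definitions
and every URL below are constructed, and app.example.org / attacker.example
are hypothetical hosts.
"""
import json
import re

DEFAULT_SERVICE = json.loads("""
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder" : 10000
}
""")

# The page's edit: additionally accept plain http for every host.
LOOSENED_SERVICE = dict(DEFAULT_SERVICE, serviceId="^(https|http|imaps)://.*")

# What a production entry looks like instead: one definition per application,
# anchored on scheme, exact host, optional port and the callback path prefix.
SCOPED_SERVICE = dict(
    DEFAULT_SERVICE,
    id=10000002,
    name="Example app",
    serviceId=r"^https://app\.example\.org(:443)?/(login|callback)(\?.*)?$",
)


def service_matches(service: dict, url: str) -> bool:
    """Regex find of the serviceId on the URL; anchors (^ ... $) do the real work."""
    return re.search(service["serviceId"], url) is not None


def accepted(service: dict, urls) -> list:
    """Return the subset of `urls` CAS would issue a service ticket for."""
    return [u for u in urls if service_matches(service, u)]


# Constructed sample values of the `service=` parameter.
SAMPLE_URLS = [
    "https://app.example.org/login",
    "http://app.example.org/login",                     # same app, but the ST redirect is clear text
    "http://attacker.example/collect",                  # any host becomes a "service"
    "https://attacker.example/collect",
    "https://app.example.org.attacker.example/login",   # host-suffix trick against unanchored patterns
    "imaps://mail.example.org/",
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Accepted URLs per definition, keyed by a short label."""
    return {
        "default": accepted(DEFAULT_SERVICE, urls),
        "loosened": accepted(LOOSENED_SERVICE, urls),
        "scoped": accepted(SCOPED_SERVICE, urls),
    }


if __name__ == "__main__":
    for label, urls in compare().items():
        print(f"{label}: {len(urls)} of {len(SAMPLE_URLS)} accepted")
        for u in urls:
            print("   ", u)
```

The shipped definition already hands a ticket to any https host, so the attacker's own site qualifies; the loosened one accepts every URL in the list, including the clear-text ones; only the scoped definition admits just the real application, and its trailing `$` is what rejects the host-suffix URL. The remedy for an empty registry is therefore one tight definition per application, not a wider catch-all.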