环境准备

Linux服务器:Red Hat Enterprise Linux Server (64)

JDK:jdk-6u4-linux-i586.bin

Http Server:httpd-2.2.8.tar.gz

Web Server:apache-tomcat-5.5.28.zip、tomcat-connectors-1.2.28-src.tar.gz

注意:下文命令实际使用的是 jdk-6u35、apache-tomcat-5.5.23 和 tomcat-connectors-1.2.31,请先统一版本号,否则后面的路径和 CATALINA_HOME 会对不上;此处列的是 32 位(i586)JDK,在 64 位系统上运行需确认已装好对应的 32 位运行库。JDK 6、httpd 2.2.8 和 Tomcat 5.5 均已停止安全维护,生产环境应换用仍在维护的版本,并在执行安装包(尤其是直接运行的 .bin)之前核对其校验和或签名。

CAS Server:cas.war

  1. 搭建Web服务器
    • 安装JDK
      [@PTL_AS4U8_mwb01 data]# mkdir /opt/java
      [@PTL_AS4U8_mwb01 data]# mv jdk-6u35-linux-i586.bin /opt/java/jdk-6u35-linux-i586.bin
      [@PTL_AS4U8_mwb01 data]# cd /opt/java/
      [@PTL_AS4U8_mwb01 java]# chmod +x jdk-6u35-linux-i586.bin
      [@PTL_AS4U8_mwb01 java]# ./jdk-6u35-linux-i586.bin
    • 设置环境变量
      [@PTL_AS4U8_mwb01 java]# vi /etc/profile
      [@PTL_AS4U8_mwb01 java]# source /etc/profile
          export JAVA_HOME=/opt/java/jdk1.6.0_35
          # 注意:CLASSPATH 里的 "." 会让任何 java 进程从当前工作目录加载类;除非确有需要建议去掉,并确认所用 Tomcat 版本的 catalina.sh 是否会忽略外部 CLASSPATH
          export CLASSPATH=.:$JAVA_HOME/lib/tools.jar
          export PATH=$JAVA_HOME/bin:$PATH
          export JRE_HOME=$JAVA_HOME/jre
          export CATALINA_HOME=/opt/services/apache-tomcat-5.5.23
      [@PTL_AS4U8_mwb01 java]# source /etc/profile
    • 安装TOMCAT
      [@PTL_AS4U8_mwb01 data]# mv apache-tomcat-5.5.23.tar.gz /opt/services/apache-tomcat-5.5.23.tar.gz
      [@PTL_AS4U8_mwb01 data]# cd /opt/services/
      [@PTL_AS4U8_mwb01 java]# tar -zxvf apache-tomcat-5.5.23.tar.gz
    • 设置环境变量(与上一步内容完全相同,已经设置过则可跳过;此处只需确认 CATALINA_HOME 指向刚解压出的 Tomcat 目录)
      [@PTL_AS4U8_mwb01 java]# vi /etc/profile
      [@PTL_AS4U8_mwb01 java]# source /etc/profile
          export JAVA_HOME=/opt/java/jdk1.6.0_35
          # 注意:CLASSPATH 里的 "." 会让任何 java 进程从当前工作目录加载类;除非确有需要建议去掉,并确认所用 Tomcat 版本的 catalina.sh 是否会忽略外部 CLASSPATH
          export CLASSPATH=.:$JAVA_HOME/lib/tools.jar
          export PATH=$JAVA_HOME/bin:$PATH
          export JRE_HOME=$JAVA_HOME/jre
          export CATALINA_HOME=/opt/services/apache-tomcat-5.5.23
      [@PTL_AS4U8_mwb01 java]# source /etc/profile
    • 安装APACHE(linux需要gcc支持)
      [@PTL_AS4U8_mwb02 data]# mv httpd-2.2.8.tar.gz /opt/httpd-2.2.8.tar.gz
      [@PTL_AS4U8_mwb02 data]# cd ../
      [@PTL_AS4U8_mwb02 opt]# tar -zxvf httpd-2.2.8.tar.gz
      [@PTL_AS4U8_mwb02 opt]# cd httpd-2.2.8
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# rm -rf configure
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# rm -rf srclib/apr-util/configure
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# ./buildconf
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# ./configure --enable-lib64 --libdir=/usr/lib64 --enable-ssl --with-ssl=/usr/local/ssl --enable-module=so --prefix=/usr/local/httpd
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# make
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# make install
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# ln -s /opt/httpd-2.2.8 /usr/local/httpd
      # 注意:上面 configure 已用 --prefix=/usr/local/httpd 完成安装,此时 /usr/local/httpd 已是目录,这条 ln 只会在其下生成一个指向源码树的链接 httpd-2.2.8,没有实际作用,可以省略;不要把源码树链接进 Web 目录。
      [@PTL_AS4U8_mwb02 httpd-2.2.8]# /usr/local/httpd/bin/apachectl start
    • 配置APACHE与TOMCAT集成

      [@PTL_AS4U8_mwb02 data]# mv tomcat-connectors-1.2.31-src.tar.gz /opt/java/tomcat-connectors-1.2.31-src.tar.gz
      [@PTL_AS4U8_mwb01 data]# cd /opt/java/
      [@PTL_AS4U8_mwb02 java]# tar -zxvf tomcat-connectors-1.2.31-src.tar.gz
      [@PTL_AS4U8_mwb02 java]# cd tomcat-connectors-1.2.31-src/native/
      [@PTL_AS4U8_mwb02 native]# ./configure --with-apxs=/usr/local/httpd/bin/apxs
      [@PTL_AS4U8_mwb02 native]# make
      [@PTL_AS4U8_mwb02 native]# cp apache-2.0/mod_jk.so /usr/local/httpd/modules/
      [@PTL_AS4U8_mwb02 native]# cd /usr/local/httpd/conf/
      [@PTL_AS4U8_mwb02 conf]# vi mod_jk.conf
          #添加以下内容
          JkWorkersFile /usr/local/httpd/conf/workers.properties
          # Where to put jk logs
          JkLogFile /usr/local/httpd/logs/mod_jk.log
          # Set the jk log level [debug/error/info]
          JkLogLevel info
          # Select the log format
          JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
          # JkOptions indicate to send SSL KEY SIZE,
          JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
          # JkRequestLogFormat set the request format
          JkRequestLogFormat "%w %V %T"
      [@PTL_AS4U8_mwb02 conf]# vi workers.properties
          # worker1 is the AJP worker httpd forwards to; its port must match the
          # AJP/1.3 <Connector port="..."> in Tomcat's server.xml.
          worker.list=worker1
          # Set properties for worker1
          worker.worker1.type=ajp13
          # "localhost" assumes Tomcat runs on the same machine as httpd (the prompts
          # above show mwb01 for Tomcat and mwb02 for httpd — confirm which is meant).
          # If Tomcat is on another host, use its internal address and firewall port
          # 8009 to that host only: AJP carries no authentication and no encryption,
          # so any client that can reach the port can submit requests as the front end.
          # A shared secret (worker.worker1.secret here, plus the matching secret
          # attribute on Tomcat's AJP connector — check the attribute name for the
          # Tomcat version in use) adds a second barrier.
          worker.worker1.host=localhost
          worker.worker1.port=8009
          # lbfactor is only consulted by a load-balancer (type=lb) worker; it has no
          # effect on a plain ajp13 worker and can be dropped.
          worker.worker1.lbfactor=50
      [@PTL_AS4U8_mwb02 conf]# vi httpd.conf
          #添加以下内容
          LoadModule jk_module modules/mod_jk.so
          Include conf/mod_jk.conf
          #设置访问权限,注释Deny from all
          <directory />
              Options FollowSymLinks
              AllowOverride None
              Order deny,allow
              #Deny from all
          </directory>
    • 配置APACHE SSL
      [@PTL_AS4U8_mwb02 conf]# vi httpd.conf
          #注释HTTP默认协议端口80
          #Listen 80
          #去掉加载httpd-ssl.conf命令前的注释
          Include conf/extra/httpd-ssl.conf
      [@PTL_AS4U8_mwb02 conf]# cd extra

      [@PTL_AS4U8_mwb02 extra]# vi httpd-ssl.conf
          <VirtualHost *:443>
              # General setup for the virtual host
              DocumentRoot "/opt/services/apache-tomcat-5.5.23/webapps/cas"
              ServerName sso.domain.com:443
              #ServerAdmin you@example.com
      ErrorLog "/usr/local/httpd/logs/error_log"
      TransferLog "/usr/local/httpd/logs/access_log"
      JkMount /* worker1

              #下面两个在httpd-ssl.conf是存在的,单独去修改证书的地址
      SSLCertificateFile "/opt/data/domain.com.crt"
      SSLCertificateKeyFile "/opt/data/domain.com.key"
          </VirtualHost>
  2. 安装CAS服务端程序
    • 部署CAS应用(示例命令均以 root 执行,仅作演示;生产环境应以专用的非 root 用户运行 Tomcat,并限制该用户对 conf/ 和 webapps/ 的写权限)
      [@PTL_AS4U8_mwb02 data]# mv cas.war /opt/services/apache-tomcat-5.5.23/webapps
      [@PTL_AS4U8_mwb02 data]#/opt/services/apache-tomcat-5.5.23/bin/startup.sh

      测试cas服务,在浏览器输入:http://server:8080,进入cas登录页面。默认启用的是 SimpleTestUsernamePasswordAuthenticationHandler,用户名和密码相同即可通过验证——它只用于验证部署是否成功,在接入真实认证源之前绝不能让服务对外可达(后文配置 AD 集成时会把它注释掉,部署完成后请确认它确实已被移除)。
    • 修改server.xml
      • 注释Connector on port 8080相关配置
        <!-- Define a non-SSL HTTP/1.1 Connector on port 8080
        <Connector port="8080" maxHttpHeaderSize="8192"
            URIEncoding="utf-8"
            maxThreads="150"
            minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false"
            redirectPort="8443" acceptCount="100"
            connectionTimeout="20000" disableUploadTimeout="true" />
        -->
      • AJP 1.3 Connector on port 8009添加字符编码为UTF-8
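        <!-- Define an AJP 1.3 Connector on port 8009.
             address="127.0.0.1" binds it to loopback, matching
             worker.worker1.host=localhost in workers.properties. AJP is
             unauthenticated and unencrypted, so it must never listen on a
             public interface; if httpd runs on another host, bind to the
             internal address instead and restrict 8009 to that host with a
             firewall. A shared secret between mod_jk (worker.*.secret) and
             this connector adds a second barrier — check the attribute name
             for the Tomcat version in use before relying on it. -->
        <Connector port="8009" address="127.0.0.1"
        enableLookups="false" redirectPort="8443" protocol="AJP/1.3" URIEncoding="utf-8" />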
      • 开启AJP配置
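        <!-- Set jvmRoute so mod_jk can route by session id; the value must equal
             the worker name in workers.properties (worker1). It only matters for a
             load-balancer worker but is harmless here. Engine is NOT an empty
             element: change the start tag only and leave the nested Host (and
             Realm) elements and the closing </Engine> as they are. -->
        <Engine name="Catalina" defaultHost="localhost" jvmRoute="worker1">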
      • 注释Realm配置
        <!--
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
        -->
      • 修改Context信息,检查Host配置
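        <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false">
        <!-- Attribute names are case-sensitive; xmlValidation / xmlNamespaceAware
             are the documented spellings (the lower-case forms above were not
             recognised). autoDeploy is turned off so a WAR or context file written
             into webapps/ is not picked up on the fly; deployOnStartup (default
             true) still deploys cas.war at start-up.
             The Context must be added by hand. Its docBase lies inside appBase
             (webapps/cas), and Tomcat 5.5 also deploys everything under appBase on
             start-up, so the same application can be deployed twice (as "" and as
             "/cas"). Either keep the exploded app outside webapps/, or drop this
             Context and deploy it as webapps/ROOT instead. reloadable and
             crossContext are development conveniences the CAS server does not
             need; crossContext additionally lets other webapps obtain this
             context, so both are off. -->
        <Context path="" docBase="/opt/services/apache-tomcat-5.5.23/webapps/cas" reloadable="false" crossContext="false"/>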
      • 开启AccessLogValve
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="cas_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    • 配置CAS与AD集成
      修改cas.war/WEB-INF/deployerConfigContext.xml配置
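      <!-- The SimpleTest handler accepts any username whose password equals the
           username. It must stay commented out (or be deleted) before the server
           is reachable by anyone other than the deployer. -->
      <!--
          <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
      -->
      <!-- LDAP "fast bind" handler: CAS binds to the directory as the user with
           the submitted password. "filter" is the bind name, with %u replaced by
           the entered username. Active Directory expects a DN, a UPN
           (%u@domain.com) or DOMAIN\%u here, so replace the placeholder below with
           the form your domain accepts. Also confirm that the CAS release in use
           refuses to bind with an empty password: per RFC 4513 a simple bind with
           a name and an empty password is an *unauthenticated* bind, which many
           directories (AD included) answer with success — that would let anyone
           log in as any user. -->
      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
          <property name="filter" value="%u@domain.com" />
          <property name="contextSource" ref="contextSource" />
      </bean>
      <!-- LDAP connection used by the handler above. -->
      <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
          <!-- The CAS LDAP documentation recommends pooled=false with the
               fast-bind handler (every authentication opens a context as a
               different user, which defeats pooling). Verify against the CAS
               version deployed before re-enabling it. -->
          <property name="pooled" value="false"/>
          <!-- "simple" authentication (set below) sends the user's password in
               clear text, so the directory must be reached over TLS: use ldaps://
               (port 636) or StartTLS, never plain ldap://. The AD server
               certificate (or its issuing CA) must be in the JVM truststore for
               the connection to succeed. Domains that require LDAP signing
               reject clear-text simple binds anyway. -->
          <property name="urls">
              <list><value>ldaps://XXXX</value></list>
          </property>
          <!-- Service account for non-bind operations; fast-bind authentication
               itself does not use it. Keep the real values out of this file
               (property placeholder / environment) or at least make the file
               readable only by the Tomcat user. It lives under WEB-INF and must
               never be reachable through httpd. -->
          <property name="userDn" value="{XXXX}"/>
          <property name="password" value="{XXXX}"/>
          <property name="baseEnvironmentProperties">
              <map>
                  <entry key="java.naming.security.authentication" value="simple" />
              </map>
          </property>
      </bean>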