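CAS Single Sign-On Study Notes, Part 4: HTTPS One-Way Authentication, Server and Client Configuration - 攻城师 - ITeye
Contents: 1. Generate the server key file; 2. Generate the server certificate; 3. Import the certificate file into a cacerts keystore file; 4. Server-side Tomcat configuration; 5. Generate the client keystore file; 6. Client application configuration; 7. Supplementary notes; 8. Common configuration errors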
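Generate the server key file
Log in to the server, open a CMD window (Start menu -> Run, type cmd and press Enter), change to the Tomcat installation directory (for example c:\tomcat-cas), and run the following command:
    keytool -genkey -alias casserver -keypass demosso -keyalg RSA -keystore casserver.keystore -validity 365
After it runs, a casserver.keystore file has been created in the Tomcat installation directory.
Explanation: -alias sets the alias to casserver; -keyalg selects the RSA algorithm; -keypass sets the private key password; -keystore names the key file casserver.keystore; -validity sets the validity period to 365 days. The keystore password entered at the prompt should be the same as the -keypass value. The "first and last name" is the domain name used by the CAS server (it must not be an IP address or localhost); the other fields can be filled in freely.
Note: if the server has several JDKs installed, make sure the JDK on the environment path is the one Tomcat uses; if it is not on the path, you can also change to the bin directory of that JDK and run the command there. The keystore password entered at the prompt must be identical to the -keypass value, otherwise Tomcat later fails at startup with an IO exception (Cannot recover key).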
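Generate the server certificate
The server certificate can be exported from the server key file generated above with the following command:
    keytool -export -alias casserver -storepass demosso -file casserver.cer -keystore casserver.keystore
After it runs, a casserver.cer file has been created in the Tomcat installation directory.
Explanation: -alias gives the alias casserver; -storepass gives the keystore password, demosso; -file names the exported certificate file casserver.cer; -keystore names the key file generated earlier.
Note: -alias and -storepass must be the alias and password given when the casserver.keystore key file was generated, otherwise the certificate export fails with an error.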
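Import the certificate file into a cacerts keystore file
Import the server certificate file generated above into a cacerts keystore file with the following command:
    keytool -import -trustcacerts -alias casserver -storepass demosso -file casserver.cer -keystore cacerts
After it runs, a cacerts file has been created in the Tomcat installation directory.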
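Server-side Tomcat configuration
Once the key file, the certificate file and the keystore file exist, Tomcat can be configured on the server. Open $CATALINA_HOME/conf/server.xml and comment out the following block:
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
Then uncomment the <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" … /> block and change it to:
    <Connector SSLEnabled="true" clientAuth="false"
        keystoreFile="D:/Java/apache/apache-tomcat-cas/casserver.keystore"
        keystorePass="demosso"
        maxThreads="150"
        port="443"
        protocol="org.apache.coyote.http11.Http11Protocol"
        scheme="https" secure="true" sslProtocol="TLS"/>
    <!-- keystoreFile: location of the generated certificate keystore -->
    <!-- keystorePass: password of that keystore -->
Explanation: the most commonly used port is 443 (the default HTTPS port), so the port number can be left out of https URLs; keystoreFile is the key file in the Tomcat directory; keystorePass is the private key password; truststoreFile is the generated trust file, and if it is not specified here it defaults to $JAVA_HOME/jre/lib/security/cacerts; the other attributes can keep their defaults.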
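Generate the client keystore file
For one-way authentication the client side only needs a client trust file, cacerts. First copy the certificate file generated on the server (the casserver.cer file from earlier) to $JAVA_HOME/jre/lib/security, then open a CMD window, change to $JAVA_HOME/jre/lib/security and run:
    keytool -import -trustcacerts -alias casclient -storepass changeit -file casserver.cer -keystore cacerts
After it runs, a cacerts file has been created in the $JAVA_HOME/jre/lib/security directory.
Remark: the default storepass of the cacerts file in the JDK/JRE security directory is changeit.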
Client application configuration
1. Add cas-client-core-3.2.1.jar to the application's WEB-INF\lib directory and add it to the build path.
2. Edit the application's web.xml and append the following at the end:
    <!-- Listener used for single sign-out; optional -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <!-- This filter implements single sign-out; optional -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter authenticates the user; it must be enabled -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>gateway</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <!-- See the note on serverName after the filter code: it must not be localhost in a real deployment -->
            <param-name>serverName</param-name>
            <param-value>http://localhost:8082</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/login-page.html</url-pattern>
    </filter-mapping>
    <!-- This filter validates the ticket; it must be enabled -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8082</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter wraps the HttpServletRequest, so that developers can get the SSO login name through HttpServletRequest.getRemoteUser(); optional -->
    <filter>
        <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest WrapperFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- This filter lets developers get the login name through org.jasig.cas.client.util.AssertionHolder, for example AssertionHolder.getAssertion().getPrincipal().getName() -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Custom filter that runs after the user has logged in successfully -->
    <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.filter.AuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    package com.filter;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import org.jasig.cas.client.validation.Assertion;

    public class AuthenticationFilter implements Filter {
        public void destroy() {
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
                throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // _const_cas_assertion_ is the session key under which CAS stores the logged-in user
            Object object = httpRequest.getSession().getAttribute("_const_cas_assertion_");
            if (object != null) {
                Assertion assertion = (Assertion) object;
                String loginName = assertion.getPrincipal().getName();
                // Get the application's user object from the session
                // ("currentUser" is a placeholder key; use the application's own)
                Object user = httpRequest.getSession().getAttribute("currentUser");
                // First login to this system
                if (user == null) {
                    // Implement your own way of loading the User object:
                    // User _user = userService.getUserByName(loginName);
                    // Save the user information in the session:
                    // setCurrentUser(httpRequest, _user);
                    System.out.println("current user :" + loginName);
                }
            }
            filterChain.doFilter(request, response);
        }

        public void init(FilterConfig arg0) throws ServletException {
        }
    }
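Explanation: the LoginFilter typically loads the user's basic information and menu information and stores them in the session. The domain in the CAS URLs is the CAS server's domain name, that is, the "first and last name" given to the keytool -genkey command earlier. If no domain name has been registered, name resolution can be simulated locally by editing C:\WINDOWS\system32\drivers\etc\hosts and adding a line that maps the CAS server's IP address to that name.
Note: the serverName value is the client's actual IP address; it may be a domain name, but it must never be localhost!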
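For single sign-out, the client application has to visit the CAS server's logout address. An example follows: when the logout button (or link) is clicked, it calls the JavaScript function ssoLogout(), defined as follows (adapt it to your own needs):
[javascript]
<script type="text/javascript">
function ssoLogout(){
    if(confirm('确定要退出系统吗?')){
        // The source line is cut off after "location."; pathname is assumed here
        top.location.href = '/cas/logout?service=' + location.protocol + '//' + location.host + location.pathname;
    }
}
</script>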
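Supplementary notes
Everything above covers CAS deployed on its own, separately from the other applications. In some cases CAS and the other applications are deployed on the same machine in the same Tomcat (the key point being that they use the same JDK). In that case the truststoreFile attribute of the <Connector> in the server-side Tomcat configuration must point to the cacerts file under the JDK, or simply be commented out (by default the cacerts file under $JAVA_HOME\jre\lib\security\ is used). Server and client are then the same, so there is no need to generate a client keystore file from the server certificate.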
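Common configuration errors
The CAS server's Tomcat reports at startup: Error initializing endpoint java.io.IOException: Cannot recover key
This happens because the keypass given when generating the server key file differs from the "keystore password" entered at the prompt.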
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:绁ㄦ牴'ST-2-hozuLnLtIVGeaD5yju0Y-cas'涓嶇?鍚堢洰鏍囨湇鍔?
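This is usually because the serverName value in the client application's web.xml is localhost, or because the logoutController <bean> in the CAS server's cas-servlet.xml configuration file lacks the p:followServiceRedirects="true" attribute for redirecting after logout.
SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
This happens because the domain in the two URL settings casServerLoginUrl and casServerUrlPrefix in the client application's web.xml does not match the one defined in the certificate.
1. Do not use an IP address when generating the certificate with keytool; always use a domain name.
2. Be sure the client program uses the correct JDK path, and distinguish clearly between the JDK and the JRE.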
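A small checker for the mistakes listed above, added here as an example and not code from the original post: it scans a client web.xml for a localhost serverName and for CAS URLs that are relative, use an IP address, or name a host other than the certificate's CN. The sample XML, the hosts sso.example.com and 192.0.2.10, and the function name check_cas_web_xml are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample, not from the post: sso.example.com stands in for the
# domain entered at the keytool "first and last name" prompt.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>
 <init-param><param-name>casServerLoginUrl</param-name>
  <param-value>https://192.0.2.10/cas/login</param-value></init-param>
 <init-param><param-name>casServerUrlPrefix</param-name>
  <param-value>/cas</param-value></init-param>
 <init-param><param-name>serverName</param-name>
  <param-value>http://localhost:8082</param-value></init-param>
</filter></web-app>"""

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def check_cas_web_xml(xml_text, cert_cn):
    """Return sorted (param-name, value, problem) tuples for the errors listed above."""
    findings = set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el) != "init-param":
            continue
        kv = {_local(c): (c.text or "").strip() for c in el}
        key, value = kv.get("param-name"), kv.get("param-value", "")
        # serverName may be written without a scheme, so give urlparse a netloc
        url = urlparse(value if "//" in value else "//" + value)
        host = (url.hostname or "").lower()
        if key in ("casServerLoginUrl", "casServerUrlPrefix"):
            if url.scheme != "https" or not host:
                findings.add((key, value, "not an absolute https URL"))
            elif _is_ip(host):
                findings.add((key, value, "IP address, certificate names a domain"))
            elif host != cert_cn.lower():
                findings.add((key, value, "host differs from certificate CN"))
        elif key == "serverName" and host in ("localhost", "127.0.0.1", "::1"):
            findings.add((key, value, "localhost used as serverName"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_cas_web_xml(SAMPLE, "sso.example.com"):
        print(finding)
```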
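Changing the Exchange Server 2010 CAS array (ClientAccessArray) name -- 钉子 - Exchange MVP
1. The CAS array was originally named cas.5dmail.net, so users' Outlook showed the CAS array name as the server name. For users' convenience the name is now to be unified as mail.5dmail.net. PS: the main purpose of creating a CAS array is to unify the name clients use for access, so that clients reach the CAS servers under the same name no matter which server they connect to.
2. Open the Exchange Management Shell.
a. Run the following command to see which CAS array the databases currently use:
    Get-MailboxDatabase | select name,RpcClientAccessServer | ft -auto
b. Run the following command to change the current CAS array's name, and enter a at the confirmation prompt:
    Get-ClientAccessArray | Set-ClientAccessArray -name "mail"
c. Run the following command to change the current CAS array's FQDN, and enter a at the confirmation prompt:
    Get-ClientAccessArray | Set-ClientAccessArray -fqdn "mail.5dmail.net"
d. Run the following command to see which CAS array the databases use; you will find that none of the databases is bound to the CAS array name:
    Get-MailboxDatabase | select name,RpcClientAccessServer | ft -auto
e. Run the following command to set the CAS array name the databases need:
    Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer "mail.5dmail.net"
f. Run the following command to check that the databases now use the changed CAS array name:
    Get-MailboxDatabase | select name,RpcClientAccessServer | ft -auto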