CAS is recommended for use in an HTTPS environment. The earlier post only covered an HTTP environment; the HTTPS configuration is largely the same as the HTTP one. Today we configure it with HTTPS.
1. Certificate issuance
2. Server-side configuration.
3. Client-side configuration.
Questions and discussion are welcome.
For certificate issuance see "Building an HTTPS server with nginx and openssl on Linux" and "Subversion HTTPS server"; for anything else, a Baidu search turns up plenty of related material.
Add the following headers to the nginx configuration (the reason they are needed is explained in the tomcat configuration below):
- proxy_set_header x-real-ip
- proxy_set_header x-forwarded-host
- proxy_set_header x-forwarded-proto https;
WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml

```xml
<!-- TODO: in the earlier http setup cookieSecure was set to false; under https it is true -->
<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      c:casCookieValueManager-ref="cookieValueManager"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="TGC"
      p:cookiePath=""/>

<!-- TODO: p:requireSecure="false" is set here so that http can be used (CAS server is reached over http on the intranet) -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:requireSecure="false"
      p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
```
On the client side the configuration is mainly web.xml; just change the corresponding addresses. However, do not change the casServerUrlPrefix of SingleSignOutFilter and Cas20ProxyReceivingTicketValidationFilter: the CAS server and the application server sit on the intranet, where traffic is plain http and there is no https access path, so they cannot be reached over https. If the certificate were instead installed on tomcat, this setting would also need to change.
```xml
<filter>
    <!-- Checks whether the user is logged in; if not, redirects to casServerLoginUrl to log in.
         Implemented by hand here so that it can also handle logout -->
    <filter-name>CAS Authentication Filter</filter-name>
    <!--<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>-->
    <filter-class>com.ym.system.filter.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://test.com/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>casServerLogoutUrl</param-name>
        <param-value>https://test.com/cas/logout</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>test.com</param-value>
    </init-param>
    <init-param>
        <param-name>ignorePattern</param-name>
        <param-value>^.*[.](js|css|gif|png|zip)$</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://test.com/cas</param-value>
        <!-- Address of the CAS server; used mainly for user logout -->
    </init-param>
</filter>
<filter>
    <!-- Performs ticket validation -->
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <!-- Ticket validation address; the intranet address is configured here -->
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://127.0.0.1:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>test.com</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>acceptAnyProxy</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>utf-8</param-value>
    </init-param>
</filter>
```
That is all there is to the client and server configuration.
- In the architecture above, the application server cannot see the details of the external request, so this has to be handled on the load balancer. That is what the nginx headers mentioned earlier are for, but the headers alone are not enough; tomcat must also be configured to use them.
- Add RemoteIpValve to tomcat's server.xml. When tomcat sits behind a proxy, the valve reads the information from the proxy headers so that tomcat sees the correct request address and scheme instead of getting them mixed up.
```xml
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
/>
```
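To show why the valve is needed, the following is an added model, written for this page rather than taken from Tomcat, of what RemoteIpValve does with the headers nginx sets when configured as in the server.xml above; the trusted-proxy range and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Assumed trusted proxy range: nginx proxies to tomcat over loopback
# (proxy_pass http://127.0.0.1:8080), so only 127.0.0.0/8 is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

@dataclass(frozen=True)
class Request:
    remote_addr: str   # TCP peer as tomcat sees it (nginx when proxied)
    scheme: str        # "http" on the nginx -> tomcat hop
    secure: bool
    server_port: int
    headers: dict

def apply_remote_ip_valve(req: Request) -> Request:
    """Return the request as the webapp (CAS client) would observe it."""
    # Forwarded headers are honoured only when the direct peer is a trusted
    # proxy; otherwise a client could forge x-forwarded-* itself.
    if not is_trusted(req.remote_addr):
        return req
    hdr = {k.lower(): v for k, v in req.headers.items()}
    hops = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left dropping trusted proxies; the first untrusted hop is
    # the client. Values a client injected itself sit further left and are ignored.
    while hops and is_trusted(hops[-1]):
        hops.pop()
    remote = hops[-1] if hops else req.remote_addr
    scheme, secure, port = req.scheme, req.secure, req.server_port
    proto = hdr.get("x-forwarded-proto", "").lower()
    # The valve above sets no portHeader, so nginx's x-forwarded-port is
    # ignored and the port falls back to the valve defaults (443 / 80).
    if proto == "https":
        scheme, secure, port = "https", True, 443
    elif proto == "http":
        scheme, secure, port = "http", False, 80
    return replace(req, remote_addr=remote, scheme=scheme, secure=secure,
                   server_port=port)

def service_url(req: Request, server_name: str, path: str) -> str:
    """Service URL the CAS client filter builds from the rewritten request."""
    default = 443 if req.scheme == "https" else 80
    host = server_name if req.server_port == default else f"{server_name}:{req.server_port}"
    return f"{req.scheme}://{host}{path}"
```

Without the valve the CAS client would build the service URL from the plain-http hop and send the browser to http://test.com:8080/..., which is the mix-up the post describes.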
nginx configuration example

```nginx
http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status<$sent_http_location> $body_bytes_sent "$http_referer" '
                    '"$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
            autoindex on;              # list directory contents
            autoindex_exact_size on;   # show exact file sizes
            autoindex_localtime on;    # show file times in local time
        }
        location /cas {
            proxy_pass http://127.0.0.1:8443;
        }
        location /ym1 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-FORWARDED-HOST $server_addr;
            proxy_set_header X-FORWARDED-PORT $server_port;
            proxy_set_header x-forwarded-proto http;
            proxy_pass http://127.0.0.1:8080;
        }
        location /ym2 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-FORWARDED-HOST $server_addr;
            proxy_set_header X-FORWARDED-PORT $server_port;
            proxy_set_header x-forwarded-proto http;
            proxy_pass http://127.0.0.1:8081;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server
    #
    server {
        listen 443;
        server_name localhost;

        ssl on;
        ssl_certificate test.crt;
        ssl_certificate_key test_nopass.key;
        # ssl_session_timeout 5m;
        # ssl_session_cache shared:SSL:1m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
            autoindex on;              # list directory contents
            autoindex_exact_size on;   # show exact file sizes
            autoindex_localtime on;    # show file times in local time
        }
        location /cas {
            proxy_pass http://127.0.0.1:8443;
        }
        location /ym1 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header x-forwarded-host $server_addr;
            proxy_set_header x-forwarded-port $server_port;
            proxy_set_header x-forwarded-proto https;
            proxy_pass http://127.0.0.1:8080;
        }
        location /ym2 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header x-forwarded-host $server_addr;
            proxy_set_header x-forwarded-port $server_port;
            proxy_set_header x-forwarded-proto https;
            proxy_pass http://127.0.0.1:8081;
        }
    }
}
```
Related technical references:
- Handling X-FORWARDED-PROTO in java apache-tomcat
- tomcat RemoteIpValve API
- tomcat architecture analysis (the valve mechanism)
Original post: http://blog.csdn.net/heavenick/article/details/51924774