Yale CAS Best Practices, Part 1: Configuration

Date: 2006-12-20   Keywords: Yale CAS SSO TOMCAT

Part 1: Configuration

1. Environment
JDK 1.4.2
Tomcat 5.0.28
cas-server-2.0.12 (not a newer version, because this one is the simplest and clearest)
cas-client-java-2.1.1

2. Configuring SSL in the JDK
Download JSSE from http://java.sun.com/products/jsse/ (I used 1.0.3). It comes as a zip; copy the three jars from its lib directory, jsse.jar, jnet.jar and jcert.jar, into jre\lib\ext under your JDK directory.

3. SSL certificate
3.1. Generate
keytool -genkey -alias tomcat -keyalg RSA
  If C:\Documents and Settings\Administrator\.keystore already exists, delete it first.
  Enter Tomcat's default password, changeit.
  Use localhost for both the first name and the last name.
keytool -export -alias tomcat -file server.crt
  Enter only Tomcat's default password, changeit.
keytool -import -trustcacerts -alias tomcat -file server.crt -keystore %java_home%/jre/lib/security/cacerts
3.2. List
keytool -list -v -keystore %java_home%/jre/lib/security/cacerts > t.txt
3.3. Delete
keytool -delete -alias mykey -keystore %java_home%/jre/lib/security/cacerts -keypass changeit
  Enter only Tomcat's default password, changeit.
3.4. keytool reference
%JAVA_HOME%\bin\keytool -delete -alias tomcat -keypass changeit
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -validity 365

4. Tomcat configuration
4.1. Copy
Copy C:\Documents and Settings\Administrator\.keystore to %tomcat_home%\conf\
4.2. Configure
Edit %tomcat_home%\conf\server.xml, uncomment the SSL connector and change it to the following:
<Connector port="8443" keystorePass="changeit" keystoreFile="conf/.keystore"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
4.3. Note
Keep C:\Documents and Settings\Administrator\.keystore and %tomcat_home%\conf\.keystore identical.

5. Tomcat JMX bug
Download jmx-1_2_1-ri.zip from http://java.sun.com/javase/technologies/core/mntr-mgmt/javamanagement/download.jsp, unzip it, rename jmxri.jar to jmx.jar, and overwrite the jmx.jar in tomcat/bin with it.
This applies to cas-server-3.*.
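Sections 3 and 4.3 above boil down to one invariant: the certificate Tomcat serves from conf/.keystore must be byte-for-byte the one imported into the cacerts of the JRE that runs the CAS client. The program below is an added example (not from the post or from CAS) that checks this with the java.security.KeyStore API instead of eyeballing keytool -list output. It is written in JDK 1.4-compatible style to match the environment in section 1; the file paths are passed on the command line, the alias defaults to "tomcat", and the password "changeit" is the tutorial's default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

/** Added example: checks that the Tomcat keystore entry and the JRE truststore agree. */
public class KeystoreCheck {

    // Loads a JKS keystore; "changeit" is the default password the tutorial uses throughout.
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    // SHA-1 fingerprint in the colon-separated form that keytool -list -v prints.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            int b = digest[i] & 0xff;
            if (b < 0x10) sb.append('0');
            sb.append(Integer.toHexString(b).toUpperCase());
        }
        return sb.toString();
    }

    static void listAliases(KeyStore ks) throws Exception {
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            System.out.println("  alias: " + e.nextElement());
        }
    }

    // Usage: java KeystoreCheck <tomcat conf/.keystore> <JRE cacerts> [alias]
    public static void main(String[] args) throws Exception {
        String keystorePath = args[0];   // e.g. %tomcat_home%\conf\.keystore
        String cacertsPath = args[1];    // e.g. %JAVA_HOME%\jre\lib\security\cacerts
        String alias = args.length > 2 ? args[2] : "tomcat";
        String password = "changeit";

        KeyStore keystore = load(keystorePath, password);
        KeyStore cacerts = load(cacertsPath, password);

        X509Certificate serverCert = (X509Certificate) keystore.getCertificate(alias);
        if (serverCert == null) {
            System.out.println("No entry '" + alias + "' in " + keystorePath + "; entries present:");
            listAliases(keystore);
            System.exit(1);
        }
        System.out.println("Server certificate : " + serverCert.getSubjectX500Principal().getName());
        System.out.println("Valid until        : " + serverCert.getNotAfter());
        System.out.println("SHA-1 fingerprint  : " + fingerprint(serverCert));
        if (serverCert.getNotAfter().before(new Date())) {
            System.out.println("WARNING: certificate has expired; regenerate it (see -validity in 3.4).");
        }

        // getCertificateAlias matches on the encoded bytes, so a stale copy left over
        // from an earlier -genkey run is reported as untrusted even if its alias exists.
        String trustedAs = cacerts.getCertificateAlias(serverCert);
        if (trustedAs == null) {
            System.out.println("NOT TRUSTED: this exact certificate is not in " + cacertsPath
                    + ". Re-run the -export / -import steps from 3.1 against the JRE"
                    + " that actually runs the CAS client.");
            System.exit(2);
        }
        System.out.println("Trusted by cacerts under alias '" + trustedAs + "'.");
    }
}
```

Run it once after step 3.1 and again after copying the keystore in 4.1; if the fingerprint it prints for conf/.keystore differs from the one in cacerts, the two files have drifted apart, which is exactly the situation 4.3 warns about. A machine with several JREs installed (the JDK's jre directory and a separate public JRE) needs the check against the cacerts of whichever one Tomcat starts with.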
   
Date: 2006-12-26
After logging in, the redirect gives me this exception; could someone give me some guidance?
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://10.170.150.95:8443/cas/ServiceValidate] ticket=[ST-6-AnSoGcxl7qoqzGpsNx5dmkNbjBQfmqBVFcw-20] service=[http%3A%2F%2F10.170.150.95%3A8082%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)


root cause

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://10.170.150.95:8443/cas/ServiceValidate] ticket=[ST-6-AnSoGcxl7qoqzGpsNx5dmkNbjBQfmqBVFcw-20] service=[http%3A%2F%2F10.170.150.95%3A8082%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
   
Date: 2006-12-26
Learning from this.
   
Date: 2007-06-13
I followed these steps exactly, but the console shows this error:

严重: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:394)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:269)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:163)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:203)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:76)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:46)
	at org.jasig.cas.client.web.filter.TicketValidationFilter.doFilterInternal(TicketValidationFilter.java:91)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jasig.cas.client.web.filter.AuthenticationFilter.doFilterInternal(AuthenticationFilter.java:97)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)
2007-6-13 14:47:36 org.jasig.cas.client.web.filter.TicketValidationFilter doFilterInternal
警告: org.jasig.cas.client.validation.ValidationException: Unable to retrieve response from CAS Server.
org.jasig.cas.client.validation.ValidationException: Unable to retrieve response from CAS Server.
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:80)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:46)
	at org.jasig.cas.client.web.filter.TicketValidationFilter.doFilterInternal(TicketValidationFilter.java:91)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jasig.cas.client.web.filter.AuthenticationFilter.doFilterInternal(AuthenticationFilter.java:97)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:394)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:269)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:163)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:203)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:76)
	... 23 more
2007-6-13 14:47:36 org.apache.catalina.core.StandardWrapperValve invoke
严重: Servlet.service() for servlet default threw exception
org.jasig.cas.client.validation.ValidationException: Unable to retrieve response from CAS Server.
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:80)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:46)
	at org.jasig.cas.client.web.filter.TicketValidationFilter.doFilterInternal(TicketValidationFilter.java:91)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jasig.cas.client.web.filter.AuthenticationFilter.doFilterInternal(AuthenticationFilter.java:97)
	at org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:394)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:269)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:163)
	at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:203)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:76)
	... 23 more

And the page shows this error:

HTTP Status 500 -



type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Unable to retrieve response from CAS Server.
org.jasig.cas.client.web.filter.TicketValidationFilter.doFilterInternal(TicketValidationFilter.java:109)
org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
org.jasig.cas.client.web.filter.AuthenticationFilter.doFilterInternal(AuthenticationFilter.java:97)
org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)


root cause

org.jasig.cas.client.validation.ValidationException: Unable to retrieve response from CAS Server.
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.getResponseFromURL(AbstractUrlBasedTicketValidator.java:80)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:46)
org.jasig.cas.client.web.filter.TicketValidationFilter.doFilterInternal(TicketValidationFilter.java:91)
org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
org.jasig.cas.client.web.filter.AuthenticationFilter.doFilterInternal(AuthenticationFilter.java:97)
org.jasig.cas.client.web.filter.AbstractCasFilter.doFilter(AbstractCasFilter.java:100)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)


note The full stack trace of the root cause is available in the Apache Tomcat/5.5.11 logs.

Apache Tomcat/5.5.11
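Both the 2006-12-26 trace (the Yale client cannot validate against https://10.170.150.95:8443/cas/ServiceValidate) and the trace just above fail while the client opens its HTTPS connection to the CAS server, and the message at that point, "peer not authenticated", says nothing about why. The JSSE Javadoc for SSLSocket.getSession() explains the blandness: if the handshake fails, getSession() returns an invalid session rather than throwing, and asking that session for the peer certificates is what raises SSLPeerUnverifiedException. The program below is an added example (not from the thread or from the CAS client) that reproduces the client's connection with the same truststore and calls startHandshake() explicitly, so the real cause is printed: either the JRE does not trust the server certificate, or the certificate's name does not match the host written in the validate URL (the tutorial generates it for localhost, while the URLs in both traces use an IP address). It assumes JDK 1.4+ javax.net.ssl, a JKS truststore with the default password "changeit", and the host, port and cacerts path as command-line arguments; the name check mirrors what a strict HttpClient socket factory does, but is this example's own code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example: opens a TLS connection to the CAS server the way the client filter would. */
public class CasTlsCheck {

    static KeyStore loadTruststore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    // Extracts the CN from an RFC 2253 subject name such as "CN=localhost,OU=...".
    static String commonName(X509Certificate cert) {
        String[] parts = cert.getSubjectX500Principal().getName().split(",");
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.startsWith("CN=")) return p.substring(3);
        }
        return null;
    }

    // True if the host used in the validate URL equals the CN or a DNS (2) / IP (7) subject alternative name.
    static boolean nameMatches(X509Certificate cert, String host) throws Exception {
        String cn = commonName(cert);
        if (cn != null && cn.equalsIgnoreCase(host)) return true;
        Collection altNames = cert.getSubjectAlternativeNames();   // null when the extension is absent
        if (altNames == null) return false;
        for (Iterator it = altNames.iterator(); it.hasNext();) {
            List entry = (List) it.next();
            int type = ((Integer) entry.get(0)).intValue();
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(entry.get(1).toString())) return true;
        }
        return false;
    }

    // Usage: java CasTlsCheck <cas host exactly as written in the validate URL> <port> <JRE cacerts>
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore truststore = loadTruststore(args[2], "changeit");

        // Same trust setup the client JVM uses: only certificates in cacerts are accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            try {
                socket.startHandshake();   // surfaces the real failure instead of "peer not authenticated"
            } catch (SSLHandshakeException e) {
                System.out.println("HANDSHAKE FAILED: " + e.getMessage());
                System.out.println("The server certificate is not trusted by " + args[2]
                        + "; import it (section 3.1) into the cacerts of the JRE the client runs on.");
                System.exit(2);
            }
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("Peer certificate: " + leaf.getSubjectX500Principal().getName());
            if (!nameMatches(leaf, host)) {
                System.out.println("NAME MISMATCH: certificate is for '" + commonName(leaf)
                        + "' but the client connects to '" + host + "'. A strict client rejects this;"
                        + " generate the key with a first-and-last-name equal to the host in the validate URL.");
                System.exit(3);
            }
            System.out.println("OK: trusted and name matches.");
        } finally {
            socket.close();
        }
    }
}
```

Run it from the machine that hosts the CAS client, with the JRE that Tomcat uses, e.g. java CasTlsCheck 10.170.150.95 8443 "%JAVA_HOME%\jre\lib\security\cacerts". Exit code 2 means the import step was done against a different cacerts (or not at all); exit code 3 means the certificate was generated for another name and needs to be regenerated for the host the client is configured with.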
Date: 2007-07-31
Hmm, could I ask the original poster how authorization for different users is implemented in CAS?
For example, a user who after logging in has access to application A but not to application B; how is that done?
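CAS 2.x itself only answers "who is this user"; deciding whether that user may use application A or B is left to each application. One way to do that on the client side, as an added example that is not from the thread or from the CAS distribution: a second servlet filter, mapped after CASFilter in web.xml, reads the username that the Yale client filter stores in the session under the CASFilter.CAS_FILTER_USER attribute (a constant of cas-client-java's edu.yale.its.tp.cas.client.filter.CASFilter, assumed to be on the classpath) and checks it against an allow-list. The allow-list here is a constructed in-memory set; a real deployment would load it from a directory or database.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import edu.yale.its.tp.cas.client.filter.CASFilter;

/** Added example: application-side authorization layered on top of CAS authentication. */
public class AppAuthorizationFilter implements Filter {

    // Constructed allow-list of users permitted to use THIS application (hypothetical names).
    // Application B would carry its own list, so a user can be allowed in A and denied in B.
    private static final Set ALLOWED_USERS =
            new HashSet(Arrays.asList(new String[] { "alice", "bob" }));

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // CASFilter runs first and stores the validated username in the session.
        HttpSession session = request.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(CASFilter.CAS_FILTER_USER);

        if (user == null) {
            // Fail closed: no validated CAS identity means no access, even if the
            // filter order in web.xml was misconfigured.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated");
            return;
        }
        if (!isAllowed(user)) {
            // Authenticated but not entitled to this application.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "user not authorized for this application");
            return;
        }
        chain.doFilter(req, res);
    }

    // Pure decision function so the policy can be unit-tested without a container.
    static boolean isAllowed(String user) {
        return ALLOWED_USERS.contains(user);
    }
}
```

In web.xml the filter-mapping for this filter must come after the one for CASFilter, because Tomcat applies filters in mapping order and this filter relies on the session attribute CASFilter has already set. Keeping the decision in isAllowed() means the allow-list can later be swapped for a group lookup without touching the servlet plumbing.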