因ؓ工作需要接触到ssoQ据知目前多?/span>sso使用耉?/span>cas实现Q且发现使用cas真的是很单就可以做出一个单点登录系l来Q?/span>casq提供丰富的扩展功能Q对于扩展功能日后再l细研究Q这里只使用cas做一?/span>hello world来记录本人的学习q程Q如有幸被高人看刎ͼq望指出弊病Q不吝赐教?/span>
在?/span>cas之前最好对数字证书有所了解Q不了解也没有关p,跟着我的步骤也一样可以跑的通?/span>
准备工作
需要的文gQ?/span>
ü Jdk6
ü Tomcat
ü cas-server-3.3.2
ü cas-client-3.1.9
证书
下面?/span>keytool命o的一些常用方法,先在q里认识一下它们,一会儿会用的到?/span>
使用keytool命o生成密钥?/span>
keytool -genkey -alias tomcat -keyalg RSA -dname "CN=pcma, OU=vanceinfo, O=vanceinfo, L=haidian, S=beijing, C=CN" -keystore c:"keystore5.jks
CNQ主机名
OUQ组l单?/span>
OQ组l?/span>
LQ地?/span>
SQ城?/span>
CQ国?br />
如果需要指定密钥有效期Q添?validity 365卛_Q单位是天,如:
keytool -genkey -alias tomcat -keyalg RSA -dname "xxxxx" -keystore xxxxx -validity 365
导出证书
keytool -export -file c:/server5.crt -alias tomcat -keystore c:"keystore5.jks
证书导入到客户?/span>jdk
keytool -import -keystore "D:"Java"jdk1.6.0_14"jre"lib"security"cacerts" -file c:/server5.crt -alias tomcat
从密钥库中删除指定别名的证书
keytool -delete -noprompt -alias tomcat -keystore E:"apache-tomcat-6.0.20_2"conf"keystore2.jks
查看密钥库中的证?/span>
keytool -list -v -keystore c:"keystore5.jks
配置tomcat
使用keytool命o生成密钥库?/span>
配置%tomcat_home%/conf/server.xml?/span>tomcat支持SSL协议Qƈ指定密钥库?/span>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystorePass="mashiguang"
keystoreFile="${catalina.home}/conf/keystore5.jks"/>
部vcas server
解压~?/span>cas-server-3.3.2-release.zip文gQ在modules目录里找?/span>cas-server-webapp-3.3.2.war文gQ这是一个做好了?/span>cas服务端,我们做的sso helloword可以直接使用Q只需?/span>cas-server-webapp-3.3.2.war改了个简单点的名字,?/span>cas.warQ然后部|到tomcat卛_?/span>
览器访?/span>https://pcma:8443/casQ如果打开昄的是cas默认的登录页面,则表C服务端已部|完毕?/span>
客户端?/span>cas client
新徏两个web工程Q用于模拟单点登录系l中的客LQƈ?/span>cas-client-3.1.9"modules里的jar包放?/span>web工程lib目录下,是主要的?/span>cas-client-core-3.1.9.jar文gQ把spring2.5也放?/span>lib目录下?/span>
Web.xml文g
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/config/casContext.xml
</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- 负责用户认证 -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<!-- CAS login 服务地址-->
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://pcma:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>renew</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>gateway</param-name>
<param-value>false</param-value>
</init-param>
<!-- 客户端应用服务地址-->
<init-param>
<param-name>serverName</param-name>
<param-value>http://pcma:8081</param-value>
</init-param>
</filter>
<!--负责Ticket校验-->
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>cas.validationfilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
casContext.xml文g
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="cas.validationfilter" class="org.jasig.cas.client.validation.Cas10TicketValidationFilter">
<property name="ticketValidator">
<ref bean="cas10TicketValidator"/>
</property>
<property name="useSession">
<value>true</value>
</property>
<!-- 客户端应用服务地址-->
<property name="serverName">
<value>http://pcma:8081</value>
</property>
<property name="redirectAfterValidation">
<value>true</value>
</property>
</bean>
<bean id="cas10TicketValidator" class="org.jasig.cas.client.validation.Cas10TicketValidator">
<!-- q里参数?/span>cas服务器的地址-->
<constructor-arg index="0" value="https://pcma:8443/cas" />
</bean>
</beans>
新徏index.jsp文g
<body>
hello sso<br>
<a >sso2</a>q个地址是另外一台机器上?/span>sso客户?/span>
</body>
上面?/span>web.xml?/span>casContext.xml?/span>index.jsp是两个客L中的一个,另一个要Ҏ实际情况修改?/span>
最后不要忘记客L?/span>jdk要?/span>keytool命o导入证书文g?/span>
试
启动tomcatQ测试器讉Khttp://pcma:8081/ssoQ出?/span>casd面Q输入相同的用户名和密码卛_dQ登录成功后面自动跌{?/span>http://pcma:8081/ssoQ这时点击页面上?/span>sso2链接Q就可以自动dq蟩转到sso2应用?/span>
如果输入用户名密码后提示下面的异常,是因为部|客L?/span>jdk没有导入证书文g的原因?/span>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
源码
http://www.aygfsteel.com/Files/mashiguang/sso.zip
1,commons-email-1.1.jar
2,mail.jar
3,activation.jar
(在web应用里只需要commons-email?
发送简单的文字邮g:
SimpleEmail email = new SimpleEmail();email.setHostName("smtp.sina.com");email.setAuthentication("username", "password");//在邮件服务商处注册的用户名和密码email.addTo("mailTo@163.com");email.setFrom("username@sina.com", "alias");email.setCharset("UTF-8");//gbk或gb2312,只要支持中文pemail.setSubject("title");email.setMsg("content");email.send();发送带附g的邮?
// Create the attachmentEmailAttachment attachment = new EmailAttachment();attachment.setPath("mypictures/john.jpg");attachment.setDisposition(EmailAttachment.ATTACHMENT);attachment.setDescription("Picture of John");attachment.setName("John");// Create the email messageMultiPartEmail email = new MultiPartEmail();email.setHostName("mail.myserver.com");email.setAuthentication("username", "password");email.addTo("jdoe@somewhere.org", "John Doe");email.setFrom("me@apache.org", "Me");email.setCharset("UTF-8");email.setSubject("The picture");email.setMsg("Here is the picture you wanted");// add the attachmentemail.attach(attachment);// send the emailemail.send();创徏多个EmailAttachment对象,q调用MultiPartEmail.attach();可以发送多个附?
发送HTML格式的邮?
发送html格式的邮件和单邮件的区别在创徏HtmlEmail对象
q用email.setHtmlMsg(String)或email.setMsg(String)把含有html标签的字W串赋给email对象.
HtmlEmail对象q有一个setTextMsg(String)Ҏ,q个Ҏ参数里的html标签会被当做普通字W处?不会被解析成html元素.
更详l内容可以看apache commons-email的用h?/a>.
Struts本n有一套完善的防止重复提交表单?strong>Token(令牌)机制Q但W者目前的目自写的framework没有用到StrutsQ故也得自写防止用户因ؓ后退或者刷新来重复提交表单内容的Token机制。不难,Ҏ实现?/p>
实现原理Q一致性。jsp生成表单Ӟ在表单中插入一个隐?lt;input>字段Q该字段是保存在页面端的token字符Ԍ同时把该字符串存入session中。等到用h交表单时Q会一q提交该隐藏的token字符丌Ӏ在服务器端Q查看下是否在session中含有与该token字符串相{的字符丌Ӏ如果有Q那么表明是W一ơ提交该表单Q然后删除存放于session端的token字符Ԍ再做正常业务逻辑程Q如果没有,那么表示该表单被重复提交Q做非正常流E处理,可以警告提示也可以什么也不做?/p>
看代码?/p>
首先?strong>Tokenȝ。类很简单,而且主要Ҏ都给doc注释?/p>
/**//*
* blog: http://hi.baidu.com/bobylou* $Revision: 1.1 $* $Date: 2007/07/18 10:02:55 $* $Author: bobrow$
*/
package com.paizuo.framework.util;import java.util.ArrayList;import javax.servlet.http.HttpSession;public class Token 
{ private static final String TOKEN_LIST_NAME = "tokenList"; public static final String TOKEN_STRING_NAME = "token";
private static ArrayList getTokenList(HttpSession session) { Object obj = session.getAttribute(TOKEN_LIST_NAME); if (obj != null) { return (ArrayList) obj; } else { ArrayList tokenList = new ArrayList(); session.setAttribute(TOKEN_LIST_NAME, tokenList); return tokenList;
} } private static void saveTokenString(String tokenStr, HttpSession session) { ArrayList tokenList = getTokenList(session); tokenList.add(tokenStr); session.setAttribute(TOKEN_LIST_NAME, tokenList); } private static String generateTokenString(){ return new Long(System.currentTimeMillis()).toString(); } /** *//** * Generate a token string, and save the string in session, then return the token string. * * @param HttpSession * session * @return a token string used for enforcing a single request for a particular transaction. */ public static String getTokenString(HttpSession session) { String tokenStr = generateTokenString(); saveTokenString(tokenStr, session); return tokenStr; } /** *//** * check whether token string is valid. if session contains the token string, return true. * otherwise, return false. * * @param String * tokenStr * @param HttpSession * session * @return true: session contains tokenStr; false: session is null or tokenStr is id not in session */ public static boolean isTokenStringValid(String tokenStr, HttpSession session) { boolean valid = false; if(session != null){ ArrayList tokenList = getTokenList(session); if (tokenList.contains(tokenStr)) { valid = true; tokenList.remove(tokenStr); } } return valid; }}怎么使用Q?/font>
在jsp面端?/strong>
首先import该类Q?/p>
<%@ page import="com.paizuo.framework.util.Token" %>
表单包含隐藏的token字符?
<form><input type="hidden" name="<%=Token.TOKEN_STRING_NAME %>" value="<%=Token.getTokenString(session) %>"></form>
在Server端action中进行检验?/strong>
if(Token.isTokenStringValid(request.getParameter(Token.TOKEN_STRING_NAME), request.getSession())){//q行正常业务程}else{//q行防重复提交处理流E?/span>}完毕?/p>
在web.xml里添加如下的配置:
<servlet> <servlet-name>InvokerServlet</servlet-name> <servlet-class> org.apache.catalina.servlets.InvokerServlet </servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <load-on-startup>-1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>InvokerServlet</servlet-name> <url-pattern>/servlet/*</url-pattern> </servlet-mapping><form name="f" method="post" action="/servlet/com.mashiguang.servlet.UserManagerService"> <input/> <submit/></form>