首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: 9649003d57
分支列表 標籤列表
spring-security
/
samples
/
contacts
/
xdocs
/
ssl
/
howto.txt

howto.txt 4.6 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. $Id$
    2. 

  2. 

  3. CAS requires HTTPS be used for all operations, with the certificate used
    4. 

  4. having been signed by a certificate in the cacerts files shipped with Java.
    5. 

  5. 

  6. If you're using a HTTPS certificate signed by a well known authority
    7. 

  7. (like Verisign), you can safely ignore the procedure below (although you
    8. 

  8. might find the troubleshooting section at the end helpful).
    9. 

  9. 

  10. The following demonstrates how to create a self-signed certificate and add
    11. 

  11. it to the cacerts file. If you just want to use the certificate we have
    12. 

  12. already created and shipped with the Acegi Security System for Spring, you
    13. 

  13. can skip directly to step 3.
    14. 

  14. 

  15. 

  16. 1. keytool -keystore keystore -alias acegisecurity -genkey -keyalg RSA -validity 9999 -storepass password -keypass password
    17. 

  17. 

  18. What is your first and last name?
    19. 

  19.   [Unknown]:  localhost
    20. 

  20. What is the name of your organizational unit?
    21. 

  21.   [Unknown]:  Acegi Security System for Spring
    22. 

  22. What is the name of your organization?
    23. 

  23.   [Unknown]:  TEST CERTIFICATE ONLY. DO NOT USE IN PRODUCTION.
    24. 

  24. What is the name of your City or Locality?
    25. 

  25.   [Unknown]:
    26. 

  26. What is the name of your State or Province?
    27. 

  27.   [Unknown]:
    28. 

  28. What is the two-letter country code for this unit?
    29. 

  29.   [Unknown]:
    30. 

  30. Is CN=localhost, OU=Acegi Security System for Spring, O=TEST CERTIFICATE ONLY. D
    31. 

  31. O NOT USE IN PRODUCTION., L=Unknown, ST=Unknown, C=Unknown correct?
    32. 

  32.   [no]:  yes
    33. 

  33. 

  34. 

  35. 2. keytool -export -v -rfc -alias acegisecurity -file acegisecurity.txt -keystore keystore -storepass password
    36. 

  36. 

  37. 3. copy acegisecurity.txt %JAVA_HOME%\lib\security
    38. 

  38.    
    39. 

  39. 4. copy keystore %YOUR_WEB_CONTAINER_LOCATION%
    40. 

  40. 

  41.    NOTE: You will need to configure your web container as appropriate.
    42. 

  42.    We recommend you test the certificate works by visiting
    43. 

  43.    https://localhost:8443. When prompted by your browser, select to
    44. 

  44.    install the certificate.
    45. 

  45. 

  46. 5. cd %JAVA_HOME%\lib\security
    47. 

  47. 

  48. 6. keytool -import -v -file acegisecurity.txt -keypass password -keystore cacerts -storepass changeit -alias acegisecurity
    49. 

  49. 

  50. Owner: CN=localhost, OU=Acegi Security System for Spring, O=TEST CERTIFICATE ONL
    51. 

  51. Y. DO NOT USE IN PRODUCTION., L=Unknown, ST=Unknown, C=Unknown
    52. 

  52. Issuer: CN=localhost, OU=Acegi Security System for Spring, O=TEST CERTIFICATE ON
    53. 

  53. LY. DO NOT USE IN PRODUCTION., L=Unknown, ST=Unknown, C=Unknown
    54. 

  54. Serial number: 4080daf4
    55. 

  55. Valid from: Sat Apr 17 07:21:24 GMT 2004 until: Tue Sep 02 07:21:24 GMT 2031
    56. 

  56. Certificate fingerprints:
    57. 

  57.          MD5:  B4:AC:A8:24:34:99:F1:A9:F8:1D:A5:6C:BF:0A:34:FA
    58. 

  58.          SHA1: F1:E6:B1:3A:01:39:2D:CF:06:FA:82:AB:86:0D:77:9D:06:93:D6:B0
    59. 

  59. Trust this certificate? [no]:  yes
    60. 

  60. Certificate was added to keystore
    61. 

  61. [Saving cacerts]
    62. 

  62. 

  63. 

  64. 7. Finished. You can now run the sample application as if you purchased a
    65. 

  65.    properly signed certificate. For production applications, of course you should
    66. 

  66.    use an appropriately signed certificate so your web visitors will trust it
    67. 

  67.    (such as issued by Thawte, Verisign etc).
    68. 

  68. 

  69. TROUBLESHOOTING
    70. 

  70. 

  71. * First of all, most CAS-Acegi Security problems are because of untrusted
    72. 

  72.   SSL certificates. So it's important to understand why. Most people can
    73. 

  73.   load the Acegi Security webapp, get redirected to the CAS server, then
    74. 

  74.   after login they get redirected back to the Acegi Security webapp and
    75. 

  75.   receive a failure. This is because the CAS server redirects to something
    76. 

  76.   like https://server3.company.com/webapp/j_acegi_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ
    77. 

  77.   which causes the "service ticket" (the "ticket" parameter) to be validated.
    78. 

  78.   net.sf.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator
    79. 

  79.   performs service ticket validation by delegation to CAS'
    80. 

  80.   ProxyTicketValidator class. The ProxyTicketValidator class will perform a
    81. 

  81.   HTTPS connection from the web server running the Acegi Security webapp
    82. 

  82.   (server3.company.com) above to the CAS server. If for some reason the
    83. 

  83.   web server keystore does not trust the HTTPS certificate presented by the
    84. 

  84.   CAS server, you will receive various failures as discussed below. NB: This
    85. 

  85.   has NOTHING to do with client-side (browser) certificates. You need to
    86. 

  86.   correct the trust between the two webserver keystores alone.
    87. 

  87. 

  88. * A "sun.security.validator.ValidatorException: No trusted certificate 
    89. 

  89.   found" indicates the cacerts is not being used or it did not correctly
    90. 

  90.   import the certificate. To rule out your web container replacing or in
    91. 

  91.   some way modifying the trust manager, set the
    92. 

  92.   CasProxyTicketValidator.trustStore property to the full file system
    93. 

  93.   location to your cacerts file.
    94. 

  94. 

  95. * If your web container is ignoring your cacerts file, double-check it
    96. 

  96.   is stored in $JAVA_HOME\lib\security\cacerts. $JAVA_HOME might be
    97. 

  97.   pointing to the SDK, not JRE. In that case, copy
    98. 

  98.   $JAVA_HOME\jre\lib\security\cacerts to $JAVA_HOME\lib\security\cacerts
    99. 

  99.