nginx+tomcat+cas单点登录,退出登录无效,请大家帮忙

學楽 发布于 2016/12/09 14:07

nginx 做反向代理：所有请求统一走 https（80 端口 301 跳转到 443），再由 nginx 转发到后端 tomcat。nginx 使用的是用 openssl 生成的（自签名）证书，浏览器和 Java 默认都不信任它。

对用户只开放 80 端口（按下面的 nginx 配置，80 会跳转到 443，所以 443 实际上也必须对用户可达）。

tomcat 也只接收 https 请求，分为 cas 单点登录服务器（8444）和其他业务服务器（8445～8448）。tomcat 用的是 keytool 生成的证书。在部署 nginx 之前退出登录是没有问题的，但自从中间加上 nginx 服务器后退出登录就失效了。

web.xml 中的 cas 客户端配置里，因为由 nginx 转发端口，serverName 和 casServerLoginUrl 都没有写端口号（https 默认 443，经 nginx 转发）；但注意 casServerUrlPrefix 仍然直接写了 tomcat 的 8444 端口，也就是说票据校验没有经过 nginx，而是客户端 JVM 直连 CAS 的 tomcat。

这是其中一个业务服务器的web.xml配置

<!-- ======================== CAS single sign-on: begin ======================== -->
	<!-- NOTE(review): single sign-out is a back-channel call. On /logout the CAS
	     server's own JVM POSTs a logout request to the service URL each client
	     registered at validation time, i.e. https://www.abc.com/... (serverName
	     below). That URL is terminated by nginx with its openssl-generated
	     certificate, so the CAS server's JVM has to trust that certificate
	     (import it into its truststore with keytool, or switch to a CA-issued
	     certificate). The "certificate not found" error seen only on logout is
	     consistent with that trust being missing; confirm in the CAS server log.
	     Do not work around it by disabling certificate validation. -->

	<!-- Single sign-out, part 1: drops the local HttpSession when the CAS
	     server's logout request arrives. Optional. -->
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
	</listener>

	<!-- Single sign-out, part 2: recognises the CAS logout request and maps the
	     service ticket back to the local session. Optional, but its mapping must
	     come before the authentication and validation filters (as it does here),
	     otherwise the logout POST is treated as an unauthenticated request. -->
	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Authentication: only /main/* requires a CAS login; every other path is
	     reachable anonymously. casServerLoginUrl and serverName carry no port,
	     so the browser front channel goes through nginx on 443. -->
	<filter>
		<filter-name>CAS Filter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>
			<param-name>casServerLoginUrl</param-name>
			<param-value>https://login.abc.com/login</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>https://www.abc.com</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>CAS Filter</filter-name>
		<url-pattern>/main/*</url-pattern>
	</filter-mapping>
	<!-- Ticket validation (mandatory). casServerUrlPrefix points straight at the
	     CAS Tomcat on 8444, bypassing nginx, so this application's JVM must trust
	     the keytool certificate served on 8444 rather than the nginx one.
	     NOTE(review): the ProxyReceiving variant also accepts proxy-granting-ticket
	     callbacks; if proxy tickets are not used, Cas20ServiceTicketValidationFilter
	     is the narrower choice. -->
	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>
			org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
		</filter-class>
		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://login.abc.com:8444</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>https://www.abc.com</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Wraps HttpServletRequest so that getRemoteUser() returns the CAS
	     principal name. Optional. -->
	<filter>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>
			org.jasig.cas.client.util.HttpServletRequestWrapperFilter
		</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Exposes the assertion on a thread local so application code can read
	     AssertionHolder.getAssertion().getPrincipal().getName(). Optional. -->
	<filter>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- ======================== CAS single sign-on: end ======================== -->



nginx.conf配置文件

# Worker processes run as the compiled-in default user (normally nobody);
# uncomment to override.
#user  nobody;

# One worker is enough for this small TLS reverse proxy.
worker_processes  1;

# Error log and pid file are left at their compiled-in defaults
# (logs/error.log, logs/nginx.pid).
#error_log  logs/error.log;
#pid        logs/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker.
    worker_connections  1024;
}


http {
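    include       mime.types;
    default_type  application/octet-stream;

    # Hide the nginx version from the Server header and built-in error pages.
    server_tokens off;

    # $http_x_forwarded_for is client-supplied at this edge and must not be
    # treated as the source address; $remote_addr is the authoritative one.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Explicit rather than relying on the implicit default, so the format used
    # for incident review is the one defined above.
    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  30;

    # gzip is left off; compressing authenticated responses exposes them to
    # BREACH-style compression attacks.
    #gzip  on;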

	#redirect to https
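	# Plain-HTTP front door: every request is bounced to the TLS listener.
	# One server per hostname, redirecting to its own $server_name rather than
	# to $host, so a forged Host header cannot be turned into an open redirect.
	server {
		listen 80;
		server_name www.abc.com;
		return 301 https://$server_name$request_uri;
	}

	# login.abc.com previously had no port-80 server, so plain requests for it
	# fell into the www.abc.com server (the first, hence default, server on :80)
	# and were redirected to the wrong host.
	server {
		listen 80;
		server_name login.abc.com;
		return 301 https://$server_name$request_uri;
	}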
	
	#proxy & ssl
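	# TLS front for the business applications on www.abc.com. Each location is
	# proxied to its own Tomcat instance (8445..8448), each of which itself
	# speaks TLS with a keytool-generated certificate.
	server {
		listen       443 ssl;
		server_name  www.abc.com;

		### SSL cert files (openssl-generated). Neither browsers nor a Java
		### truststore trust this certificate by default; the CAS server's JVM
		### calls back into this server for single sign-out, so it must have
		### this certificate (or its CA) imported. ###
		ssl_certificate      ssl/z2sci_nginx.crt;
		ssl_certificate_key  ssl/z2sci_nginx.key;

		ssl_session_cache    shared:SSL:1m;
		ssl_session_timeout  5m;

		# Without ssl_protocols nginx falls back to its compiled-in default,
		# which on builds of this era still includes TLSv1 and TLSv1.1.
		ssl_protocols        TLSv1.2;
		ssl_ciphers          HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;

		# NOTE(review): do not add Strict-Transport-Security while the
		# certificate is self-signed; HSTS makes browsers refuse the
		# click-through on certificate warnings and would lock users out.
		# Add it only after moving to a CA-issued certificate.

		# NOTE(review): nginx does not verify the upstream Tomcat certificate
		# unless proxy_ssl_verify is on. That is tolerable only while Tomcat is
		# on this same host; for a remote Tomcat enable proxy_ssl_verify and
		# point proxy_ssl_trusted_certificate at the exported Tomcat certificate.

		location / {
			# `index` has no effect on a proxied location; kept for parity.
			index  index.vm;
			# presumably www.abc.com:8445 resolves to the local Tomcat; verify it
			# does not resolve to the public address and loop back through nginx.
			proxy_pass              https://www.abc.com:8445;
			proxy_set_header        X-Real-IP $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header        Host $host;
			# Tomcat only honours these headers with RemoteIpValve configured;
			# this server is TLS-only, so $scheme is always https here.
			proxy_set_header        X-Forwarded-Proto $scheme;
			# Upstream Location headers are passed through unchanged.
			proxy_redirect          off;
		}

		location /baxt {
			index  index.html index.htm index.do index.action index.vm;
			proxy_pass              https://www.abc.com:8446;
			proxy_set_header        X-Real-IP $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header        Host $host;
			proxy_set_header        X-Forwarded-Proto $scheme;
			proxy_redirect          off;
		}

		location /bgxt {
			index  index.html index.htm index.do index.action index.vm;
			proxy_pass              https://www.abc.com:8447;
			proxy_set_header        X-Real-IP $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header        Host $host;
			proxy_set_header        X-Forwarded-Proto $scheme;
			proxy_redirect          off;
		}

		location /chat {
			index  index.html index.htm index.do index.action index.vm;
			proxy_pass              https://www.abc.com:8448;
			proxy_set_header        X-Real-IP $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header        Host $host;
			proxy_set_header        X-Forwarded-Proto $scheme;
			proxy_redirect          off;
		}

		# Static error page served by nginx itself when an upstream fails;
		# the exact-match location wins over the proxied "location /".
		error_page   500 502 503 504  /error.html;
		location = /error.html {
			root   html;
		}
	}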
	
	#proxy & ssl
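	# TLS front for the CAS server on login.abc.com, proxied to its Tomcat on
	# 8444. Only the browser front channel (login page, /logout) passes through
	# here; ticket validation from the applications goes straight to :8444.
	server {
		listen       443 ssl;
		server_name  login.abc.com;

		### SSL cert files (same openssl-generated certificate as www.abc.com) ###
		ssl_certificate      ssl/z2sci_nginx.crt;
		ssl_certificate_key  ssl/z2sci_nginx.key;

		ssl_session_cache    shared:SSL:1m;
		ssl_session_timeout  5m;

		# Without ssl_protocols nginx falls back to its compiled-in default,
		# which on builds of this era still includes TLSv1 and TLSv1.1.
		ssl_protocols        TLSv1.2;
		ssl_ciphers          HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;

		# NOTE(review): the single sign-out back-channel requests originate in
		# the CAS server's JVM and go to each application's serverName
		# (https://www.abc.com/...), i.e. through the www.abc.com server, not
		# through this one. Nothing in this block can fix a trust failure on
		# that path; the CAS JVM's truststore needs ssl/z2sci_nginx.crt.

		# NOTE(review): proxy_ssl_verify is off by default, so the hop to :8444
		# is not authenticated; acceptable only while Tomcat is on this host.

		location / {
			# `index` has no effect on a proxied location; kept for parity.
			index  index.vm;
			# presumably login.abc.com:8444 resolves to the local Tomcat; verify
			# it does not resolve to the public address and loop back.
			proxy_pass              https://login.abc.com:8444;
			proxy_set_header        X-Real-IP $remote_addr;
			proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header        Host $host;
			# Tomcat only honours these headers with RemoteIpValve configured;
			# this server is TLS-only, so $scheme is always https here.
			proxy_set_header        X-Forwarded-Proto $scheme;
			proxy_redirect          off;
		}

		# Static error page served by nginx itself when the CAS upstream fails.
		error_page   500 502 503 504  /error.html;
		location = /error.html {
			root   html;
		}
	}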
	
}




nginx 和 tomcat 的证书域名都设置为通配符 *.abc.com，这样同一张证书也能覆盖 www.abc.com、login.abc.com 这类二级域名。


cas服务器域名设置为login.abc.com

其他业务服务器域名全部都设置为www.abc.com


现在退出登录时提示找不到证书……（原帖没有贴出具体异常；如果是 Java 端的 `unable to find valid certification path to requested target`，说明发起这次连接的 JVM 信任库里没有对端证书。）

访问系统时，各个业务系统都完全没问题（浏览器到 nginx 的前端通道是通的），只有退出登录时显示找不到证书。奇怪了

學楽
感觉是退出登录的时候校验到了 nginx 的证书，而不是 java（keytool）的证书导致的，大家有没有什么解决方案啊？补充：CAS 单点登出时，CAS 服务端会从它自己的 JVM 主动向各业务系统注册时的 service URL（即 https://www.abc.com/…）发送登出请求，这条连接经过 nginx，拿到的是 openssl 生成的证书，而 CAS 服务端 JVM 的信任库里很可能只有 keytool 生成的 tomcat 证书，所以握手失败。把 nginx 的证书用 keytool -importcert 导入 CAS 服务端 JVM 的信任库，或统一换成受信任 CA 签发的证书即可；不要通过关闭证书校验来绕过。
weiaini21

您解决了没

 

學楽
我自己写了一套清除 session 的方法……（注意：这只是清掉本应用的本地会话，并没有注销 CAS 服务端的 TGT，用户在其他业务系统以及 CAS 本身仍然处于登录状态，不是真正的单点登出。）
2324

您好，能请教下你这个是怎么解决的吗？能分享下清除 session 的源码吗？
