CAS Server configuration files
login-webflow.xml: its contents specify the program flow when cas/login is accessed; the initial state is "initialFlowSetup"
cas-servlet.xml: mapping between servlets and classes
deployerConfigContext.xml: authentication manager related settings
cas.properties: system property settings
applicationContext.xml: system property related settings
argumentExtractorsConfiguration.xml: I am not very clear on what it is used for
ticketExpirationPolicies.xml: ticket expiration time settings
ticketGrantingTicketCookieGenerator.xml: TGT cookie attributes; whether plain HTTP (rather than only HTTPS) is supported is also changed here
ticketRegistry.xml: settings for the class that stores tickets
uniqueIdGenerators.xml: settings for the classes that generate ticket ids
warnCookieGenerator.xml: same as ticketGrantingTicketCookieGenerator.xml; the generated cookie is named CASPRIVACY
/login:
When /login is accessed, the flow defined in login-webflow.xml is run (see the flow diagram in that file):
/serviceValidate:
The handling class is org.jasig.cas.web.ServiceValidateController, which is responsible for validating the service ticket; on failure it returns casServiceValidationFailure.jsp, on success casServiceValidationSuccess.jsp.
The service ticket is validated by the client sending an HTTP (or HTTPS) request to the server.
Logic:
1. Using the ticket passed in by the client, fetch the cached ServiceTicketImpl object from DefaultTicketRegistry and check whether it has expired (the ST expiration time defaults to 5 minutes and the TGT to 2 hours; both can be changed in ticketExpirationPolicies.xml) and whether it matches the id of the current service. If all of these hold, validation passes.
2. From the ServiceTicketImpl object obtain the Authentication object produced at login, use it to build an ImmutableAssertionImpl object and return it.
3. Return success.
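The three checks above, as a simplified model added here for illustration (it is not CAS code; ServiceTicket and the registry map stand in for ServiceTicketImpl and DefaultTicketRegistry, and single use of an ST is assumed, which is CAS's default policy rather than something the text states):

```java
import java.util.HashMap;
import java.util.Map;

// Simplified, hypothetical model of the /serviceValidate checks described above.
// It stands in for DefaultTicketRegistry/ServiceTicketImpl; it is not CAS code.
public class ServiceTicketValidation {
    static final long ST_LIFETIME_MILLIS = 5 * 60 * 1000L;   // default ST expiry: 5 minutes

    /** What the registry caches for an ST: the service it was granted to and who logged in. */
    static final class ServiceTicket {
        final String id, serviceId, principalId;
        final long createdAt;
        ServiceTicket(String id, String serviceId, String principalId, long createdAt) {
            this.id = id; this.serviceId = serviceId;
            this.principalId = principalId; this.createdAt = createdAt;
        }
    }

    private final Map<String, ServiceTicket> registry = new HashMap<>();

    void grant(ServiceTicket t) { registry.put(t.id, t); }

    /**
     * Returns the principal id to assert for this ticket, or null when validation fails.
     * Checks run in the order the text describes: lookup, expiry, then service match.
     * Single use is assumed (CAS's default ST policy), so the ticket is removed on lookup.
     */
    String validate(String ticketId, String serviceId, long now) {
        ServiceTicket t = registry.remove(ticketId);
        if (t == null) return null;                                   // unknown or already used
        if (now - t.createdAt > ST_LIFETIME_MILLIS) return null;      // expired
        if (!t.serviceId.equals(serviceId)) return null;              // granted to a different service
        return t.principalId;                                         // feeds the Assertion's Authentication
    }

    public static void main(String[] args) {
        ServiceTicketValidation cas = new ServiceTicketValidation();
        long now = System.currentTimeMillis();
        // constructed sample tickets, all granted to alice
        cas.grant(new ServiceTicket("ST-1", "https://app.example/", "alice", now));
        cas.grant(new ServiceTicket("ST-2", "https://app.example/", "alice", now - 10 * 60 * 1000L));
        cas.grant(new ServiceTicket("ST-3", "https://app.example/", "alice", now));
        System.out.println(cas.validate("ST-1", "https://app.example/", now));    // alice
        System.out.println(cas.validate("ST-1", "https://app.example/", now));    // null: replayed
        System.out.println(cas.validate("ST-2", "https://app.example/", now));    // null: expired
        System.out.println(cas.validate("ST-3", "https://other.example/", now));  // null: wrong service
    }
}
```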
CAS data flow
Credentials-->Principal-->Authentication
Defining your own AuthenticationHandler
During central authentication, the AuthenticationHandlers configured in deployerConfigContext.xml are called to perform the authentication work.
XML configuration
<property name="authenticationHandlers">
<list>
<!--
This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
a server side SSL certificate.
-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!--
This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
local authentication strategy. You might accomplish this by coding a new such handler and declaring
edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
-->
<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
<bean class="com.goldarmor.live800.cas.Live800CasAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
</bean>
</list>
</property>
As shown above, we have defined three AuthenticationHandlers. This is one of the strengths of CAS: through configuration we can provide different authentication methods for different applications, and so implement any kind of central authentication. Now let us look at the AuthenticationHandler code.
Java code
package org.jasig.cas.authentication.handler;

import org.jasig.cas.authentication.principal.Credentials;

public interface AuthenticationHandler {

    /**
     * Method to determine if the credentials supplied are valid.
     *
     * @param credentials The credentials to validate.
     * @return true if valid, return false otherwise.
     * @throws AuthenticationException An AuthenticationException can contain
     * details about why a particular authentication request failed.
     */
    boolean authenticate(Credentials credentials) throws AuthenticationException;

    /**
     * Method to check if the handler knows how to handle the credentials
     * provided. It may be a simple check of the Credentials class or something
     * more complicated such as scanning the information contained in the
     * Credentials object.
     *
     * @param credentials The credentials to check.
     * @return true if the handler supports the Credentials, false otherwise.
     */
    boolean supports(Credentials credentials);
}
All we have to do is implement these two methods. One particular reminder: you can set the Credentials class you use in cas-servlet.xml, as follows (the p:formObjectClass value; if it is not specified, UsernamePasswordCredentials is used by default):
XML configuration
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:formObjectClass="com.goldarmor.live800.cas.Live800CasCredentials"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator" />
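A handler implementing the two interface methods above, added here as an example (it is not the Live800 handler or any CAS code); the class name, the users table with its Base64-encoded salt and PBKDF2 hash columns, and the iteration count are assumptions:

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

// Hypothetical handler, not part of CAS. Assumed table: users(username, salt, password_hash)
// with salt and hash Base64-encoded and password_hash = PBKDF2-HMAC-SHA256(password, salt).
// Wire it with <property name="dataSource" ref="casDataSource"/> like the Live800 bean above.
public class JdbcUsernamePasswordHandler implements AuthenticationHandler {
    private static final String QUERY = "SELECT salt, password_hash FROM users WHERE username = ?";
    private static final int ITERATIONS = 100000;
    private static final int KEY_BITS = 256;
    private DataSource dataSource;
    public void setDataSource(DataSource dataSource) { this.dataSource = dataSource; }

    // Called by the authentication manager first; claim only credentials this handler can check.
    public boolean supports(Credentials credentials) {
        return credentials instanceof UsernamePasswordCredentials;
    }

    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        UsernamePasswordCredentials upc = (UsernamePasswordCredentials) credentials;
        if (upc.getUsername() == null || upc.getPassword() == null) return false;
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(QUERY)) {
            ps.setString(1, upc.getUsername());          // bound parameter, never concatenated into SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;            // unknown user: same answer as a wrong password
                byte[] salt = Base64.getDecoder().decode(rs.getString(1));
                byte[] stored = Base64.getDecoder().decode(rs.getString(2));
                PBEKeySpec spec = new PBEKeySpec(upc.getPassword().toCharArray(), salt, ITERATIONS, KEY_BITS);
                byte[] presented = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                return MessageDigest.isEqual(stored, presented); // constant-time comparison
            }
        } catch (SQLException | GeneralSecurityException e) {
            throw new IllegalStateException("user store unavailable", e); // fail closed, never return true
        }
    }
}
```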
Defining your own credentialsToPrincipalResolvers
After the AuthenticationHandler has authenticated, the credentialsToPrincipalResolvers configured in deployerConfigContext.xml are called to process the Credentials and produce the Principal object:
XML configuration
<property name="credentialsToPrincipalResolvers">
<list>
<!--
UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
by default and produces SimplePrincipal instances conveying the username from the credentials.
If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
Credentials you are using.
-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<!--
HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
SimpleService identified by that callback URL.
If you are representing services by something more or other than an HTTPS URL whereat they are able to
receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
<bean class="com.goldarmor.live800.cas.Live800CasCredentialsToPrincipalResolver"/>
</list>
</property>
As shown above, just as with AuthenticationHandler, we can define several credentialsToPrincipalResolvers to process the Credentials and return the Principal object we need. Now let us look at the methods of credentialsToPrincipalResolvers:
Java code
package org.jasig.cas.authentication.principal;

public interface CredentialsToPrincipalResolver {

    /**
     * Turn Credentials into a Principal object by analyzing the information
     * provided in the Credentials and constructing a Principal object based on
     * that information or information derived from the Credentials object.
     *
     * @param credentials from which to resolve Principal
     * @return resolved Principal, or null if the principal could not be resolved.
     */
    Principal resolvePrincipal(Credentials credentials);

    /**
     * Determine if a credentials type is supported by this resolver. This is
     * checked before calling resolve principal.
     *
     * @param credentials The credentials to check if we support.
     * @return true if we support these credentials, false otherwise.
     */
    boolean supports(Credentials credentials);
}
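A resolver implementing the two methods above, added here as an example (not the Live800 resolver or any CAS code); the class name, the normalisation rule and the in-memory attribute directory are assumptions:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

// Hypothetical resolver, not part of CAS. Runs after the handler has accepted the credentials
// and turns them into the Principal that ends up in the Authentication and, via the Assertion,
// in casServiceValidationSuccess.jsp. Attributes come from a constructed in-memory directory.
public class NormalisingPrincipalResolver implements CredentialsToPrincipalResolver {
    private final Map<String, Map<String, Object>> directory = new HashMap<>();

    public NormalisingPrincipalResolver() {
        Map<String, Object> alice = new HashMap<>(); // constructed sample entry
        alice.put("mail", "alice@example.test");
        alice.put("role", "staff");
        directory.put("alice", alice);
    }

    public boolean supports(Credentials credentials) {
        return credentials instanceof UsernamePasswordCredentials;
    }

    public Principal resolvePrincipal(Credentials credentials) {
        String raw = ((UsernamePasswordCredentials) credentials).getUsername();
        if (raw == null) return null;                       // null = "could not resolve"
        // Canonical id: "Alice " and "alice" resolve to the same principal id that services see.
        String id = raw.trim().toLowerCase(Locale.ROOT);
        if (id.isEmpty()) return null;
        // Only release directory attributes; the password is never copied into the Principal.
        Map<String, Object> attrs = directory.containsKey(id)
                ? Collections.unmodifiableMap(new HashMap<>(directory.get(id)))
                : Collections.<String, Object>emptyMap();
        return new SimplePrincipal(id, attrs);
    }
}
```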
When CAS validates via /serviceValidate, as seen above, the data returned in casServiceValidationSuccess.jsp after successful validation comes from the Assertion. Let us look at its code:
Java code
package org.jasig.cas.validation;

import java.util.List;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Service;

public interface Assertion {

    /**
     * @return the chain of Authentications behind the validated ticket.
     */
    List<Authentication> getChainedAuthentications();

    /**
     * True if the validated ticket was granted in the same transaction as that
     * in which its grantor GrantingTicket was originally issued.
     *
     * @return true if validated ticket was granted simultaneous with its
     * grantor's issuance
     */
    boolean isFromNewLogin();

    /**
     * Method to obtain the service for which we are asserting this ticket is
     * valid for.
     *
     * @return the service for which we are asserting this ticket is valid for.
     */
    Service getService();
}
Through the getChainedAuthentications() method we obtain the list of Authentication objects. Now look at the Authentication code:
Java code
package org.jasig.cas.authentication;

import java.util.Date;
import java.util.Map;
import org.jasig.cas.authentication.principal.Principal;

public interface Authentication {

    /**
     * Method to obtain the Principal.
     *
     * @return a Principal implementation
     */
    Principal getPrincipal();

    /**
     * Method to retrieve the timestamp of when this Authentication object was
     * created.
     *
     * @return the date/time the authentication occurred.
     */
    Date getAuthenticatedDate();

    /**
     * Attributes of the authentication (not the Principal).
     * @return the map of attributes.
     */
    Map<String, Object> getAttributes();
}
The Principal here is exactly the Principal object produced by the credentialsToPrincipalResolvers mentioned above. Finally, look at the Principal code; once we write one more class implementing it, the whole CAS Server is at our fingertips, heh.
Java code
package org.jasig.cas.authentication.principal;

import java.util.Map;

public interface Principal {

    /**
     * Returns the unique id for the Principal
     * @return the unique id for the Principal.
     */
    String getId();

    /**
     * Attributes of the Principal.
     * @return the map of attributes.
     */
    Map<String, Object> getAttributes();
}
We can also customize our own casServiceValidationSuccess.jsp, casLoginView.jsp and other pages. The concrete approach, and also the simplest one, is to back up the original pages and then modify them into the pages you need.