Spring Security 集成 CAS(基於HTTP協議版本)

Spring Security 集成 CAS(基於HTTP協議版本)

近段時間一直研究Spring Security 集成 CAS，網上資料相關資料也很多，不過大都是基於Https的安全認證;使用https協議方式驗證需要創建證書等一系列事情比較繁瑣，且證書是自己制作每次導航至登錄界面時都會有安全提示給人感覺不太好；所以整理此文檔供有需要的同學參考。

 

一、服務端配置(cas 3.5)
(1).Http協議的CAS比Https版本的步驟要少了ssl的配置，然后修改服務端部分配置文件即可。
(2).配置CAS服務應用程序的配置文件：WEB_INF下cas.properties、deployerConfigContext.xml
以及WEB-INF子目錄spring-configuration下的ticketGrantingTicketCookieGenerator.xml、warmCookieGenerator.xml
(3).修改cas.properties

# Services Management Web UI Security
server.name=http://localhost:8080
server.prefix=${server.name}/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMINISTRATOR
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
# IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
cas.securityContext.status.allowedSubnet=127.0.0.1


cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views

##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=cas

##
# Database flavors for Hibernate
#
# One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
#
  database.hibernate.dialect=org.hibernate.dialect.OracleDialect
# database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
#database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

 


(4).deployerConfigContext.xml 添加數據源和密碼密碼編譯器Bean驗證用戶登錄信息；
設置不要使用Https方式（p:requireSecure="false"）。
注意：SpringSecurity,CAS 的版本不同有可能類存在不同的包內。

<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->

<!--
~ Licensed to Jasig under one or more contributor license
~ agreements. See the NOTICE file distributed with this work
~ for additional information regarding copyright ownership.
~ Jasig licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file
~ except in compliance with the License. You may obtain a
~ copy of the License at the following location:
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!--
| This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
| "authenticationManager". Most deployers will be able to use the default AuthenticationManager
| implementation and so do not need to change the class of this bean. We include the whole
| AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
| need to change in context.
+-->
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">

<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
This switch effectively will turn on clearpass.
<property name="authenticationMetaDataPopulators">
<list>
<bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
<constructor-arg index="0" ref="credentialsCache" />
</bean>
</list>
</property>
-->

<!--
| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
| supports the presented credentials.
|
| AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
| attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
| that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
| using.
|
| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
| You will need to change this list if you are identifying services by something more or other than their callback URL.
+-->
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>

<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
| AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in authenticating.
+-->
<property name="authenticationHandlers">
<list>
<!--
| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
| a server side SSL certificate.
+-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" p:requireSecure="false"/>
<!--
| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
| into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
| where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
| local authentication strategy. You might accomplish this by coding a new such handler and declaring
| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
+-->
<!--
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->
<!-- 使用查詢數據庫的方式驗證: sql語句返回密碼，然后指定一個密碼編碼器，將提交的密碼編碼后與查詢出來的密碼進行比較。
密碼編碼器實現org.jasig.cas.authentication.handler.PasswordEncoder接口
-->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
<property name="sql" value="select lower(password) from tb_sys_user where lower(username) = lower(?)" />
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
</list>
</property>
</bean>


<!--
This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
More robust deployments will want to use another option, such as the Jdbc version.

The name of this should remain "userDetailsService" in order for Spring Security to find it.
-->
<!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->

<bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value> </value>
</property>
</bean>

<!--
Bean that defines the attributes that a
service may return. This example uses the Stub/Mock version. A real
implementation
may go against a database or LDAP server. The id should
remain "attributeRepository" though.
-->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid"/>
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>

<!--
Sample, in-memory data store for
the ServiceRegistry. A real implementation
would probably want to replace
this with the JPA-backed ServiceRegistry DAO
The name of this bean should
remain "serviceRegistryDao".
-->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
<property name="serviceId" value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="10000001" />
</bean>
</list>
</property>
</bean>

<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
<property name="monitors">
<list>
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<!--
NOTE
The following ticket registries support SessionMonitor:
* DefaultTicketRegistry
* JpaTicketRegistry
Remove this monitor if you use an unsupported registry.
-->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</list>
</property>
</bean>

<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@x.x.x.x:1521:x</value>
</property>
<property name="username">
<value>username</value>
</property>
<property name="password">
<value>123456</value>
</property>
</bean>

<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
<constructor-arg value="MD5"/>
</bean>

</beans>

 
 
（5）.ticketGrantingTicketCookieGenerator.xml
設置cookie安全要求為false使用http協議

<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />

 
（6）.warnCookieGenerator.xml 設置cookie安全要求為false使用http協議

<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />

 
(7).jar包支持
數據庫連接池：commons-dbcp-1.2.2.jar，commons-pool-1.3.jar，commons-logging-1.1.jar，commons-lang-2.5.jar，commons-io-2.0.jar，commons-collections-3.2.1.jar
SpringJdbc: cas-server-support-jdbc-3.5.0.jar
數據庫驅動：ojdbc14.jar

二、客戶端配置

<?xml version="1.0" encoding="UTF-8"?>
        <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:sec="http://www.springframework.org/schema/security"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
                                http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                                http://www.springframework.org/schema/security
                                http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
            default-autowire="byType"
            default-lazy-init="true">

            <sec:http entry-point-ref="casProcessingFilterEntryPoint">
                <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <sec:logout />
            </sec:http>

            <sec:authentication-manager alias="authenticationManager" />

            <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
                <sec:custom-filter after="CAS_PROCESSING_FILTER" />
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="authenticationFailureUrl" value="/casfailed.jsp" />
                <property name="defaultTargetUrl" value="/" />
            </bean>

            <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
                <property name="loginUrl" value="http://localhost:8080/cas/login" />
                <property name="serviceProperties" ref="serviceProperties" />
            </bean>

            <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
                <property name="service" value="http://localhost:8080/sample2/j_spring_cas_security_check" />
                <property name="sendRenew" value="false"/>
            </bean>

            <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
                <sec:custom-authentication-provider />
                <property name="userDetailsService" ref="userDetailsService"/>
                <property name="serviceProperties" ref="serviceProperties" />
                <property name="ticketValidator">
                    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                        <constructor-arg index="0" value="http://localhost:8080/cas/" />
                    </bean>
                </property>
                <property name="key" value="integratedreport"/>
            </bean>
          <!-- 需要自己實現userservice -->
            <bean id="userDetailsService" class="cas.ava.UserDetailsServiceImpl" />
            <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
        </beans>

 

三.參考資料
http://www.docin.com/p-277698606.html#documentinfo