1. Deploying the CAS single sign-on server

- Deployment

Deploy the war package for CAS into Tomcat. The war ships with the course material at:

`4.品優購資源V1.3\配套軟件\配套軟件\CAS\cas.war`

- Configuration

Change Tomcat's port number:

```xml
<Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8099" protocol="HTTP/1.1" redirectPort="8443"/>
```

Change the cas.properties configuration file:

```properties
server.name=http://localhost:8099
```

- Remove the HTTPS requirement

Find the following configuration files in the cas folder and change the corresponding settings.

deployerConfigContext.xml:

```xml
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient"
      p:requireSecure="false"/>
```

spring-configuration\ticketGrantingTicketCookieGenerator.xml:

```xml
<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="3600"
      p:cookieName="CASTGC"
      p:cookiePath="/cas"/>
```

spring-configuration\warnCookieGenerator.xml:

```xml
<bean id="warnCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false"
      p:cookieMaxAge="3600"
      p:cookieName="CASPRIVACY"
      p:cookiePath="/cas"/>
```
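The three settings above switch CAS from requiring TLS to plain HTTP, which is convenient for a local Tomcat on port 8099 but should not survive into a deployment that users reach over a network, because the ticket-granting cookie CASTGC is then sent over unencrypted connections. As an added example that is not part of the original page, the following Python script audits the three files for exactly those settings and reports any that are not explicitly `true`. The snippets it parses are constructed copies of the beans above; the audit function, the rule table and the file-name keys are assumptions of this example.

```python
# Added example: audit the CAS server XML for the HTTPS-related settings the
# tutorial switches off. Not part of the original page; the rule table and
# helper names are assumptions.
import xml.etree.ElementTree as ET

P_NS = "http://www.springframework.org/schema/p"          # Spring p-namespace
BEANS_NS = "http://www.springframework.org/schema/beans"

# bean id -> (p-namespace attribute, value it must carry outside a dev setup)
RULES = {
    "proxyAuthenticationHandler": ("requireSecure", "true"),
    "ticketGrantingTicketCookieGenerator": ("cookieSecure", "true"),
    "warnCookieGenerator": ("cookieSecure", "true"),
}

# Constructed copies of the three snippets from the page (dev values).
DEV_FILES = {
    "deployerConfigContext.xml": """
        <bean id="proxyAuthenticationHandler"
              class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient" p:requireSecure="false"/>""",
    "spring-configuration/ticketGrantingTicketCookieGenerator.xml": """
        <bean id="ticketGrantingTicketCookieGenerator"
              class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
              p:cookieSecure="false" p:cookieMaxAge="3600"
              p:cookieName="CASTGC" p:cookiePath="/cas"/>""",
    "spring-configuration/warnCookieGenerator.xml": """
        <bean id="warnCookieGenerator"
              class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
              p:cookieSecure="false" p:cookieMaxAge="3600"
              p:cookieName="CASPRIVACY" p:cookiePath="/cas"/>""",
}
# The same three files with the values a TLS-fronted deployment keeps.
PROD_FILES = {name: text.replace('"false"', '"true"') for name, text in DEV_FILES.items()}


def _wrap(fragment: str) -> str:
    """Wrap a bean fragment in a <beans> root so the p: prefix resolves,
    as it does in the real files' root element."""
    return f'<beans xmlns="{BEANS_NS}" xmlns:p="{P_NS}">{fragment}</beans>'


def audit_cas_config(files: dict) -> list:
    """Return one (file, bean id, attribute, value) tuple for every rule whose
    attribute is missing or not set to the expected value."""
    findings = []
    for name, xml_text in files.items():
        root = ET.fromstring(_wrap(xml_text))
        for bean in root.iter(f"{{{BEANS_NS}}}bean"):
            bean_id = bean.get("id")            # plain attribute, no namespace
            if bean_id not in RULES:
                continue
            attr, expected = RULES[bean_id]
            actual = bean.get(f"{{{P_NS}}}{attr}")   # p:requireSecure / p:cookieSecure
            if actual is None or actual.lower() != expected:
                findings.append((name, bean_id, attr, actual or "(unset)"))
    return findings


def production_ready(files: dict) -> bool:
    """True when every audited setting is present and set to its secure value."""
    return not audit_cas_config(files)


if __name__ == "__main__":
    for finding in audit_cas_config(DEV_FILES):
        print("weak setting in %s: bean %s has %s=%s" % finding)
    print("production ready:", production_ready(PROD_FILES))
```

Run against the page's three snippets the audit reports all three beans; after the values are flipped back to `true` it reports nothing. Missing attributes are reported too, so that a bean relying on a library default has to be made explicit before it passes.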
2. Using the CAS client

- Add the CAS client dependency:

```xml
<!-- cas -->
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.3.3</version>
</dependency>
```

- Configure the filters in web.xml

Single sign-out filter:

```xml
<!-- Used for single sign-out; this filter implements single logout. Optional. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single logout. Optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Authentication filter:

```xml
<!-- This filter performs user authentication; it must be enabled. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://localhost:8099/cas/login</param-value>
        <!-- The server here is the CAS server's IP address -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:9002</param-value>
        <!-- The address of the current application -->
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Ticket validation filter:

```xml
<!-- This filter validates the ticket; it must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:8099/cas</param-value>
        <!-- The server here is the CAS server's IP address -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:9002</param-value>
        <!-- The address of the current application -->
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Filters needed to obtain the login name:

```xml
<!-- This filter wraps the HttpServletRequest so that, for example, developers can obtain the
     SSO user's login name through HttpServletRequest.getRemoteUser(). Optional. -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName(). -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
3. Redirecting to a specified address after logout

The logout address requested previously was: http://localhost:8099/cas/logout

If, after logout completes, we need to jump to a specified address, some configuration is required.

CAS server configuration, in cas-servlet.xml:

```xml
<bean id="logoutAction" class="org.jasig.cas.web.flow.LogoutAction"
      p:servicesManager-ref="servicesManager"
      p:followServiceRedirects="${cas.logout.followServiceRedirects:true}"/>
```

When logging out, pass the target address to visit as the `service` parameter:

http://localhost:8099/cas/logout?service=http://www.itcast.cn
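To see what the filters in section 2 and the logout URL in section 3 actually exchange, here is an added Python simulation that is not part of the original page. A toy CAS server (an assumption of this example) issues one-time service tickets bound to the service URL and answers `/serviceValidate` with the CAS 2.0 XML body; the client side builds the login redirect, the validation call and the logout URL from the `casServerLoginUrl`, `casServerUrlPrefix` and `serverName` values configured above, and parses the response to obtain the login name that `getRemoteUser()` exposes behind the wrapper filter. The helper names and the sample user are constructed for the example.

```python
# Added example: the CAS 2.0 login / validate / logout exchange driven by the
# web.xml filters above. The ToyCasServer and helper names are assumptions;
# the URLs and parameter names come from the page.
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_SERVER_URL_PREFIX = "http://localhost:8099/cas"      # casServerUrlPrefix
CAS_SERVER_LOGIN_URL = CAS_SERVER_URL_PREFIX + "/login"   # casServerLoginUrl
SERVER_NAME = "http://localhost:9002"                     # serverName (this app)
CAS_NS = "http://www.yale.edu/tp/cas"                     # CAS 2.0 response namespace
ET.register_namespace("cas", CAS_NS)


class ToyCasServer:
    """Stand-in for the CAS server: issues one-time service tickets bound to the
    exact service URL and answers /serviceValidate with CAS 2.0 XML."""

    def __init__(self):
        self._tickets = {}   # ticket -> (service it was issued for, user)

    def login(self, service: str, user: str) -> str:
        """After the user authenticated at /login?service=..., CAS redirects the
        browser back to the service with ?ticket=ST-... appended."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, user)
        return f"{service}?{urlencode({'ticket': ticket})}"   # service has no query here

    def service_validate(self, query: str) -> str:
        """Handler for GET /serviceValidate?service=...&ticket=..."""
        params = parse_qs(query)
        ticket = params.get("ticket", [""])[0]
        service = params.get("service", [""])[0]
        entry = self._tickets.pop(ticket, None)   # tickets are single-use
        if entry is None:
            return self._failure("INVALID_TICKET", "ticket not recognized")
        if entry[0] != service:
            return self._failure("INVALID_SERVICE", "ticket was issued for another service")
        resp = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        ok = ET.SubElement(resp, f"{{{CAS_NS}}}authenticationSuccess")
        ET.SubElement(ok, f"{{{CAS_NS}}}user").text = entry[1]
        return ET.tostring(resp, encoding="unicode")

    @staticmethod
    def _failure(code: str, message: str) -> str:
        resp = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        fail = ET.SubElement(resp, f"{{{CAS_NS}}}authenticationFailure", code=code)
        fail.text = message
        return ET.tostring(resp, encoding="unicode")


def login_redirect_url(request_uri: str) -> str:
    """AuthenticationFilter on an unauthenticated request: send the browser to
    casServerLoginUrl with service = serverName + the requested URI."""
    return f"{CAS_SERVER_LOGIN_URL}?{urlencode({'service': SERVER_NAME + request_uri})}"


def validate_url(service: str, ticket: str) -> str:
    """The server-to-server call Cas20ProxyReceivingTicketValidationFilter makes."""
    return f"{CAS_SERVER_URL_PREFIX}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validation_response(xml_body: str):
    """Return the user name from <cas:authenticationSuccess>, or None on failure.
    This is the value getRemoteUser() returns behind the wrapper filter."""
    root = ET.fromstring(xml_body)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


def logout_url(target: str) -> str:
    """Logout with a post-logout redirect (section 3): /logout?service=<target>."""
    return f"{CAS_SERVER_URL_PREFIX}/logout?{urlencode({'service': target})}"


def _query_param(url: str, name: str) -> str:
    return parse_qs(urlparse(url).query)[name][0]


def run_flow(server: ToyCasServer, user: str = "alice") -> dict:
    """One complete login through the filters, then a replay of the same ticket."""
    service = SERVER_NAME + "/index.html"
    to_cas = login_redirect_url("/index.html")                   # 1. browser -> CAS login
    back = server.login(_query_param(to_cas, "service"), user)   # 2. CAS -> service?ticket=
    ticket = _query_param(back, "ticket")
    body = server.service_validate(urlparse(validate_url(service, ticket)).query)    # 3.
    replay = server.service_validate(urlparse(validate_url(service, ticket)).query)  # 4.
    return {"principal": parse_validation_response(body),
            "replay": parse_validation_response(replay)}


if __name__ == "__main__":
    print(run_flow(ToyCasServer()))        # {'principal': 'alice', 'replay': None}
    print(logout_url("http://www.itcast.cn"))
```

Two checks in the run are worth noting. A ticket presented with a service URL other than the one it was issued for is refused with `INVALID_SERVICE`, which is why the client's `serverName` has to match the address the browser really uses; and a ticket replayed after one successful validation is refused with `INVALID_TICKET`, so the validation filter's call cannot be repeated to re-establish a session.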
4. Authenticating against an external data source and integrating with Spring Security

In real applications we usually need to log in against an external data source, so the data source has to be configured accordingly. The configuration is as follows.

Modify the file deployerConfigContext.xml:

1. Add the following configuration:

```xml
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
      p:driverClass="com.mysql.jdbc.Driver"
      p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/pinyougoudb?characterEncoding=utf8"
      p:user="root"
      p:password="1234"/>
<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
      c:encodingAlgorithm="MD5"
      p:characterEncoding="UTF-8"/>
<bean id="dbAuthHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"
      p:dataSource-ref="dataSource"
      p:sql="select password from tb_user where username = ?"
      p:passwordEncoder-ref="passwordEncoder"/>
```

2. Modify the existing configuration:

```xml
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver"/>
            <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver"/>
        </map>
    </constructor-arg>
    <property name="authenticationPolicy">
        <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy"/>
    </property>
</bean>
```

3. Add the related dependencies.

1. Basic Spring Security configuration

Step 1. Add the dependencies to pom.xml:

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
```

Step 2. Configure the delegating proxy filter DelegatingFilterProxy in web.xml:

```xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Configure the Spring core listener ContextLoaderListener -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
```

Step 3. Configure spring-security.xml:

Authentication configuration: `<authentication-manager></authentication-manager>`

Authorization configuration: `<http></http>`

2. Integration

Idea: when the CAS client is used, many filters are configured in web.xml. How Spring Security works: its functionality is also implemented through filters, and it provides many of them; if every filter Spring Security provides were configured in web.xml, web.xml would become cumbersome. To simplify development, Spring Security provides a filter chain, and the filters are configured in that chain.

The integration idea is therefore to add the filters used by the CAS client into Spring Security's filter chain.

Steps:

Step 1. Add the dependencies to pom.xml:

```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-cas</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.3.3</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>log4j-over-slf4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```

Step 2. Configure DelegatingFilterProxy in web.xml:

```xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Configure the Spring core listener ContextLoaderListener -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
```

Step 3. Modify spring-security.xml

- Entry point configuration: tells our application that authentication is now required and that CAS should be asked to complete it.

```xml
<!-- entry-point-ref: reference to the entry point -->
<http use-expressions="false" entry-point-ref="casProcessingFilterEntryPoint">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <csrf disabled="true"/>
    <!-- custom-filter declares a filter; position places it at the named position,
         before places it before the named position, after places it after it -->
    <custom-filter ref="casAuthenticationFilter" position="CAS_FILTER"/>
    <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
    <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</http>
<!-- CAS entry point: start -->
<beans:bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="http://localhost:8099/cas/login"/> <!-- Single sign-on server login URL -->
    <beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>
<beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="http://localhost:9003/login/cas"/> <!-- service: this project's root address + /login/cas -->
</beans:bean>
<!-- CAS entry point: end -->
```

- Authentication filter

```xml
<!-- Authentication filter: start -->
<beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<!-- Authentication manager -->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="casAuthenticationProvider"></authentication-provider>
</authentication-manager>
<!-- Authentication provider -->
<beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
        <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:constructor-arg ref="userDetailsService"/>
        </beans:bean>
    </beans:property>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
    <!-- ticketValidator is the ticket validator -->
    <beans:property name="ticketValidator">
        <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <beans:constructor-arg index="0" value="http://localhost:8099/cas"/>
        </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
</beans:bean>
<!-- Authentication class -->
<beans:bean id="userDetailsService" class="cn.itcast.demo.service.UserDetailServiceImpl"/>
<!-- Authentication filter: end -->
```

- Logout filter

```xml
<!-- Single sign-out: start. Performs the real logout -->
<beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- With this configuration, the user enters the local project's /logout/cas in the address bar;
     a mapping for the logout address is configured, in order to improve security -->
<beans:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg value="http://localhost:8099/cas/logout?service=http://localhost:9003/index2.html"/>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/logout/cas"/>
</beans:bean>
<!-- Single sign-out: end -->
```
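As an added example that is not part of the original page, the following Python models the two user lookups configured in this section. `authenticate` does what the `dbAuthHandler` bean with the MD5 `passwordEncoder` does on the CAS server: it runs the page's own SQL with the username bound to the `?` placeholder rather than concatenated into the statement, encodes the supplied password the same way the stored one was, and compares the two. `load_user_by_username` plays the role of the `UserDetailServiceImpl` that `UserDetailsByNameServiceWrapper` delegates to on the client: `CasAuthenticationProvider` hands it a principal name the CAS server has already authenticated, and it only has to return the authorities that `<intercept-url access="ROLE_USER">` checks. The SQLite table, its `role` column and the sample rows are constructed for the example.

```python
# Added example: the server-side password check (dbAuthHandler + MD5
# passwordEncoder) and the client-side loadUserByUsername lookup, against a
# constructed in-memory copy of tb_user. The role column and the function
# names are assumptions; the SQL and table name come from the page.
import hashlib
import hmac
import sqlite3
from typing import Optional

SQL = "select password from tb_user where username = ?"   # p:sql from the page


def encode_password(raw: str) -> str:
    """DefaultPasswordEncoder with encodingAlgorithm=MD5, characterEncoding=UTF-8:
    lowercase hex MD5 of the raw password. There is no salt, so equal passwords
    produce equal stored values; this mirrors the page's bean, nothing more."""
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory tb_user with the columns the page's SQL uses plus a
    role column (an assumption) for load_user_by_username."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_user (username text primary key, password text, role text)")
    conn.executemany("insert into tb_user values (?, ?, ?)", [
        ("alice", encode_password("alice-secret"), "ROLE_USER"),
        ("bob", encode_password("bob-secret"), "ROLE_ADMIN"),
    ])
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """QueryDatabaseAuthenticationHandler: run the configured SQL with the username
    bound as a parameter, encode the supplied password, compare in constant time.
    Returns the principal id on success, None for an unknown user or wrong password."""
    row = conn.execute(SQL, (username,)).fetchone()
    if row is None:
        return None                       # no such user; same outcome as a bad password
    if not hmac.compare_digest(row[0], encode_password(password)):
        return None
    return username


def load_user_by_username(conn: sqlite3.Connection, username: str) -> Optional[dict]:
    """UserDetailsService.loadUserByUsername as called through
    UserDetailsByNameServiceWrapper: the name arrives already authenticated by
    CAS, so no password check happens here; only the authorities are looked up."""
    row = conn.execute("select username, role from tb_user where username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    return {"username": row[0], "authorities": [row[1]]}


if __name__ == "__main__":
    db = make_db()
    print(authenticate(db, "alice", "alice-secret"))   # alice
    print(authenticate(db, "alice", "nope"))           # None
    print(load_user_by_username(db, "bob"))            # {'username': 'bob', 'authorities': ['ROLE_ADMIN']}
```

Because `DefaultPasswordEncoder` applies MD5 with no salt, the stored value for a given password is identical in every deployment that uses this configuration; the comparison here uses `hmac.compare_digest` so that the time taken does not depend on how many leading characters of the two digests agree.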