CAS单点登录相关配置

一、CAS单点登录服务端的部署

  • 部署

把CAS所对应的war包部署到tomcat中

4.品优购资源V1.3\配套软件\配套软件\CAS\cas.war

  • 配置

  • 更改tomcat的端口号

 

<Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8099" protocol="HTTP/1.1" redirectPort="8443"/>

 

  server.name=http://localhost:8099

  在cas文件夹中中找到一下配置文件,并更改相应的配置

deployerConfigContext.xml <!-- required for proxy ticket mechanism. --> <bean id = "proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/> spring-configuration\ticketGrantingTicketCookieGenerator.xml <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="3600" p:cookieName="CASTGC" p:cookiePath="/cas" /> spring-configuration\warnCookieGenerator.xml <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="3600" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />

二、CAS客户端的使用

  1. 加入cas客户端相关的依赖
    <!-- cas -->  
    <dependency>  
        <groupId>org.jasig.cas.client</groupId>  
        <artifactId>cas-client-core</artifactId>  
        <version>3.3.3</version>  
    </dependency>  

     

  2. 在web.xml文件中进行配置(过滤器)
    - 单点登出的过滤器
    
        <!-- 用于单点退出,该过滤器用于实现单点登出功能,可选配置 -->  
        <listener>  
            <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>  
        </listener>  
        
        <!-- 该过滤器用于实现单点登出功能,可选配置。 -->  
        <filter>  
            <filter-name>CAS Single Sign Out Filter</filter-name>  
            <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>  
        </filter>  
        <filter-mapping>  
            <filter-name>CAS Single Sign Out Filter</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>  
    
    
    
    - 认证过滤器
    
        <!-- 该过滤器负责用户的认证工作,必须启用它 -->  
        <filter>  
            <filter-name>CASFilter</filter-name>  
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>  
            <init-param>  
                <param-name>casServerLoginUrl</param-name>  
                <param-value>http://localhost:8099/cas/login</param-value>       <!--这里的server是服务端的IP -->
            </init-param>  
            <init-param>  
                <param-name>serverName</param-name>  
                <param-value>http://localhost:9002</param-value>                 <!-- 当前应用的地址 -->
            </init-param>  
        </filter>  
        <filter-mapping>  
            <filter-name>CASFilter</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>  
    
    
    
    - 票据校验过滤器
    
        <!-- 该过滤器负责对Ticket的校验工作,必须启用它 -->  
        <filter>  
            <filter-name>CAS Validation Filter</filter-name>  
            <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>  
            <init-param>  
                <param-name>casServerUrlPrefix</param-name>  
                <param-value>http://localhost:8099/cas</param-value>        <!--这里的server是服务端的IP -->
            </init-param>  
            <init-param>  
                <param-name>serverName</param-name>  
                <param-value>http://localhost:9002</param-value>            <!-- 当前应用的地址 -->
            </init-param>  
        </filter>  
        <filter-mapping>  
            <filter-name>CAS Validation Filter</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>  
    
    
    
    - 获取登录名所需要的过滤器
    
        <!-- 该过滤器负责实现HttpServletRequest请求的包裹, 比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户登录名,可选配置。 -->  
        <filter>  
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
            <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>  
        </filter>  
        <filter-mapping>  
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>  
        
        <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 -->  
        <filter>  
            <filter-name>CAS Assertion Thread Local Filter</filter-name>  
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>  
        </filter>  
        <filter-mapping>  
            <filter-name>CAS Assertion Thread Local Filter</filter-name>  
            <url-pattern>/*</url-pattern>  
        </filter-mapping>  

    三、单点退出

    之前请求退出登录的地址: http://localhost:8099/cas/logout

     

    如果退出完毕以后,我们需要跳转到指定的地址,这时我们就需要做一些配置;

     

    CAS服务端的配置:cas-servlet.xml

    <bean id="logoutAction" class="org.jasig.cas.web.flow.logoutAction"         p:servicesManager-ref="servicesManager"         p:followServiceRedirects="${cas.logout.followServiceRedirects:true}"/>

    在进行退出的时候,就需要把要访问的目标地址作为参数传递过去:

    http://localhost:8099/cas/logout?service=http://www.itcast.cn

    四、配置数据源

    在实际应用中,我们通常需要使用外部的数据源进行登陆操作,此时我们就需要对数据源进行相应的配置,配置方案如下:
    修改deployerConfigContext.xml这个文件: 1. 加入如下配置 <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" p:driverClass="com.MysqL.jdbc.Driver" p:jdbcUrl="jdbc:MysqL://127.0.0.1:3306/pinyougoudb?characterEncoding=utf8" p:user="root" p:password="1234" /> <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" c:encodingalgorithm="MD5" p:characterEncoding="UTF-8" /> <bean id="dbAuthHandler" class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler" p:dataSource-ref="dataSource" p:sql="select password from tb_user where username = ?" p:passwordEncoder-ref="passwordEncoder"/> 2. 修改原有的配置 <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> <constructor-arg> <map> <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver" /> </map> </constructor-arg> <property name="authenticationPolicy"> <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> </property> </bean> 3. 加入相关依赖

     

     

    重点:CAS单点登陆系统和SpringSecurity安全 框架的整合

    1. 在pom.xml文件中加入依赖
    
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>4.1.0.RELEASE</version>
        </dependency>
        
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>4.1.0.RELEASE</version>
        </dependency>
    
    
    
    2. 在web.xml文件中去配置委托代理过滤器DelegatingFilterProxy
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        
        <!-- 配置spring核心监听器ContextLoaderListener -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-security.xml</param-value>
        </context-param>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
    
    
    3. 在spring-security.xml配置文件中进行配置
    
    认证的配置: <authentication-manager></authentication-manager>
    
    授权的配置: <http></http>
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    2. 整合
    
    思路:
    
    CAS Client在使用的时候在web.xml文件中去配置了很多的过滤器
    
    Spring Security的原理  -----> Spring Security功能实现也是通过过滤器进行实现的,在Spring Security中提供了很多的过滤器,如果我们把Spring Security
    
    所提供的过滤器配置到了web.xml文件中,那么web.xml的内容就比较繁琐; 为了简化开发Spring Security提供了一个过滤器链,在该过滤器链中去配置过滤器。
    
    整合的思路: 就是把CAS Client所使用到了的过滤器加入到Spring Security的过滤器链中
    
    
    
    步骤:
    
    1. 在pom.xml加入依赖
    
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-cas</artifactId>
            <version>4.1.0.RELEASE</version>
        </dependency>
        
        <dependency>
            <groupId>org.jasig.cas.client</groupId>
            <artifactId>cas-client-core</artifactId>
            <version>3.3.3</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>log4j-over-slf4j</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    
    
    
    2. 在web.xml文件中去配置DelegatingFilterProxy
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        
        <!-- 配置spring核心监听器ContextLoaderListener -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-security.xml</param-value>
        </context-param>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
    
    
    3. 修改spring-security.xml文件
    
    - 入口点的配置: 告诉我们的应用程序,现在要进行认证,请请求CAS完成
    
        <!--   entry-point-ref  入口点引用 -->
        <http use-expressions="false" entry-point-ref="casProcessingFilterEntryPoint">
        
            <intercept-url pattern="/**" access="ROLE_USER"/>   
            <csrf disabled="true"/>
        
            <!-- custom-filter为过滤器, position 表示将过滤器放在指定的位置上,before表示放在指定位置之前  ,after表示放在指定的位置之后  -->           
            <custom-filter ref="casAuthenticationFilter"  position="CAS_FILTER" />      
            <custom-filter ref="requestSinglelogoutFilter" before="logoUT_FILTER"/>  
            <custom-filter ref="singlelogoutFilter" before="CAS_FILTER"/>
        
        </http>
        
        
        <!-- CAS入口点 开始 -->
        <beans:bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">  
            <beans:property name="loginUrl" value="http://localhost:8099/cas/login"/>       <!-- 单点登录服务器登录URL -->
            <beans:property name="serviceProperties" ref="serviceProperties"/>  
        </beans:bean>      
        <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">  
        <beans:property name="service" value="http://localhost:9003/login/cas"/>        <!--service 配置自身工程的根地址+/login/cas   -->
        </beans:bean>  
        <!-- CAS入口点 结束 -->
    
    
    
    - 认证过滤器
    
        <!-- 认证过滤器 开始 -->
        <beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">  
            <beans:property name="authenticationManager" ref="authenticationManager"/>  
        </beans:bean>
        
        <!-- 认证管理器 -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider  ref="casAuthenticationProvider"></authentication-provider>
        </authentication-manager>
        
        <!-- 认证提供者 -->
        <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">  
            <beans:property name="authenticationUserDetailsService">  
                <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">  
                    <beans:constructor-arg ref="userDetailsService" />  
                </beans:bean>  
            </beans:property>  
            <beans:property name="serviceProperties" ref="serviceProperties"/>  
            <!-- ticketValidator 为票据验证器 -->
            <beans:property name="ticketValidator">  
                <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">  
                    <beans:constructor-arg index="0" value="http://localhost:8099/cas"/>  
                </beans:bean>  
            </beans:property>  
            <beans:property name="key" value="an_id_for_this_auth_provider_only"/> 
        </beans:bean>        
        
        <!-- 认证类 -->
        <beans:bean id="userDetailsService" class="cn.itcast.demo.service.UserDetailServiceImpl"/>  
    
    
    
    - 退出过滤器
    
        <!-- 认证过滤器 结束 -->
        <!-- 单点登出  开始  完成真正的退出-->     
        <beans:bean id="singlelogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>   
        
        <!-- 经过此配置,当用户在地址栏输入本地工程 /logout/cas ; 配置了退出地址的映射,目的:为了提高安全性 -->      
        <beans:bean id="requestSinglelogoutFilter" class="org.springframework.security.web.authentication.logout.logoutFilter">  
            <beans:constructor-arg value="http://localhost:8099/cas/logout?service=http://localhost:9003/index2.html"/>  
            <beans:constructor-arg>  
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextlogoutHandler"/>  
            </beans:constructor-arg>  
            <beans:property name="filterProcessesUrl" value="/logout/cas"/>  
        </beans:bean>  
        <!-- 单点登出  结束 -->

     

     

相关文章

php输出xml格式字符串
J2ME Mobile 3D入门教程系列文章之一
XML轻松学习手册
XML入门的常见问题(一)
XML入门的常见问题(三)
XML轻松学习手册(2)XML概念