casLogin.png
1.cas server 搭建
請參考CAS 5.3.x 初體驗 — 官方Demo Server部署
2.cas server 支持http協議
到 cas-overlay-template目錄下,將target目錄下的cas.war放到tomcat webapps下啟動
打開解壓后的cas
到/WEB-INF/classes/services里找到HTTPSandIMAPS-10000001.json
編輯HTTPSandIMAPS-10000001.json,serviceId中加入http協議
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|http|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
"evaluationOrder" : 10000
}
到/WEB-INF/classes里找到application.properties
編輯application.properties,在末尾加入以下兩行配置(其中 cas.tgc.secure=false 會讓 TGC cookie 不再要求 HTTPS,只適合本機測試環境)
cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
重啟tomcat
瀏覽器訪問 http://localhost:8080/cas/login,可以正常訪問即可
3.spring boot + spring security + cas整合
1. 創建項目
- 使用idea創建項目
file -> new -> Project -> Spring Initializr -> next
依賴Spring Web 和 Spring Security
點擊 next,finish
- 引入cas client 依賴
pom.xml 加入cas的依賴
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
</dependency>
- 添加一個controller IndexController.java
package com.cas.demo;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
 * Minimal endpoint used to confirm the CAS hand-off: after the browser has been sent through
 * the CAS login page and back, a request to the root path should render this text.
 */
@RestController
public class IndexController {

    /** Body returned for the root path; the walkthrough checks for exactly this text. */
    private static final String RESPONSE_BODY = "cas test";

    /**
     * Handles the root path.
     *
     * @return the literal {@code cas test}
     */
    @RequestMapping("/")
    public String index() {
        return RESPONSE_BODY;
    }
}
- application.properties配置端口為16001
server.port=16001
- 運行demo
查看控制臺日志,copy隨機生成的密碼
Using generated security password:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
瀏覽器訪問http://localhost:16001/
會跳到登錄界面
使用用戶名:user 密碼:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
進行登錄,會看到瀏覽器輸出cas test
- 對接cas
- 新建SecurityConfiguration.java 繼承WebSecurityConfigurerAdapter
代碼如下
package com.cas.demo;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
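/**
 * Wires Spring Security to an external CAS server.
 *
 * <p>Flow as configured here: an unauthenticated request is redirected to the CAS login page by
 * {@link CasAuthenticationEntryPoint}; CAS sends the browser back to {@code /login/cas} with a
 * service ticket, which {@link CasAuthenticationFilter} hands to {@link CasAuthenticationProvider}
 * for validation against the CAS server; the user details for the asserted username are then
 * loaded through {@link UserDetailsByNameServiceWrapper} and the injected
 * {@link UserDetailsService}.
 *
 * <p>All CAS and application URLs are hard-coded plain-HTTP localhost values (the original
 * {@code TODO} comments already flag that they should come from configuration). Over plain HTTP
 * the service ticket and the session cookie cross the network unprotected, so outside a local
 * test these must be externalised and use HTTPS.
 */
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // TODO: read from configuration. Demo-only plain-HTTP localhost values; see class Javadoc.
    private static final String CAS_SERVER_URL = "http://localhost:8080/cas";
    private static final String CAS_LOGIN_URL = CAS_SERVER_URL + "/login";
    /** URL CAS redirects back to after login; must match the filter's processing URL. */
    private static final String APP_SERVICE_URL = "http://localhost:16001/login/cas";
    /** Where the CAS server sends the browser once it has ended the SSO session. */
    private static final String CAS_LOGOUT_URL = CAS_SERVER_URL + "/logout?service=" + CAS_LOGIN_URL;
    /** Local path that triggers the CAS logout redirect (kept distinct from CAS_LOGOUT_URL). */
    private static final String LOCAL_LOGOUT_PATH = "/logout/cas";

    /** The application's own user lookup; the qualifier picks the bean named "userDetailsService". */
    @Autowired
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    /**
     * Describes this application to the CAS server.
     *
     * @return properties carrying the service URL CAS should redirect back to; {@code sendRenew}
     *     is {@code false}, so an existing CAS SSO session is accepted instead of forcing a
     *     fresh login
     */
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService(APP_SERVICE_URL);
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    /**
     * Entry point that redirects unauthenticated browsers to the CAS login page.
     *
     * @return entry point pointing at {@value #CAS_LOGIN_URL}
     */
    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(CAS_LOGIN_URL);
        entryPoint.setServiceProperties(serviceProperties());
        return entryPoint;
    }

    /**
     * Adapts the application's {@link UserDetailsService} so the CAS provider can load user
     * details from the username asserted by CAS (no password is involved at this step).
     *
     * @return the wrapper around {@link #userDetailsService}
     */
    @Bean
    public UserDetailsByNameServiceWrapper userDetailsByNameServiceWrapper() {
        UserDetailsByNameServiceWrapper wrapper = new UserDetailsByNameServiceWrapper();
        wrapper.setUserDetailsService(userDetailsService);
        return wrapper;
    }

    /**
     * Validator that checks service tickets against the CAS server (CAS 2.0 protocol).
     *
     * @return validator bound to {@value #CAS_SERVER_URL}; over plain HTTP the validation
     *     exchange itself is unprotected, acceptable only for a local demo
     */
    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator(CAS_SERVER_URL);
    }

    /**
     * Authentication provider that validates the service ticket and loads the local user.
     *
     * @return the configured provider
     */
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setAuthenticationUserDetailsService(userDetailsByNameServiceWrapper());
        provider.setServiceProperties(serviceProperties());
        provider.setTicketValidator(cas20ServiceTicketValidator());
        // Identifies tokens issued by this provider; any stable, provider-unique value works.
        provider.setKey("an_id_for_this_auth_provider_only");
        return provider;
    }

    /**
     * Filter that consumes the service ticket CAS appends when redirecting back to
     * {@code /login/cas}.
     *
     * @return the filter, bound to this adapter's {@link #authenticationManager()}
     * @throws Exception if the authentication manager cannot be built
     */
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /**
     * Local logout: clears the security context, then sends the browser to the CAS logout URL
     * so the SSO session is ended as well.
     *
     * @return the logout filter listening on {@value #LOCAL_LOGOUT_PATH}
     */
    @Bean
    public LogoutFilter casLogoutFilter() {
        LogoutFilter logoutFilter = new LogoutFilter(CAS_LOGOUT_URL, new SecurityContextLogoutHandler());
        // The local path only maps onto the CAS logout URL above; any other path would do.
        logoutFilter.setFilterProcessesUrl(LOCAL_LOGOUT_PATH);
        return logoutFilter;
    }

    /**
     * Handles CAS single-sign-out: when CAS ends the SSO session it notifies this application
     * so the matching local session is invalidated.
     *
     * @return the filter; init-parameter configuration is ignored because all settings are
     *     supplied programmatically here
     */
    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        SingleSignOutFilter filter = new SingleSignOutFilter();
        filter.setIgnoreInitConfiguration(true);
        return filter;
    }

    /**
     * Paths that bypass the security filter chain entirely — no authentication, no CSRF check,
     * no security headers. Keep this list to genuinely public static assets; {@code /test/**}
     * in particular looks like scaffolding and should be reviewed before any real deployment.
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
                .antMatchers(HttpMethod.OPTIONS, "/**")
                .antMatchers("/app/**/*.{js,html}")
                .antMatchers("/i18n/**")
                .antMatchers("/content/**")
                .antMatchers("/swagger-ui/index.html")
                .antMatchers("/test/**");
    }

    /**
     * Registers the CAS provider on this adapter's local {@link AuthenticationManagerBuilder}.
     *
     * <p>Deliberately does not call {@code super.configure(auth)}: the adapter's default
     * implementation marks the local builder as disabled, in which case
     * {@link #authenticationManager()} falls back to the global manager and the provider added
     * here would not be the one the local builder produces.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    /**
     * Every request requires {@code ROLE_USER}; unauthenticated requests go to CAS. Filter
     * order matters: single-sign-out must run before the CAS authentication filter, and the
     * CAS logout redirect before Spring's own {@link LogoutFilter}.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").hasAuthority("ROLE_USER")
                .and().exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
                .and()
                .addFilterAt(casAuthenticationFilter(), CasAuthenticationFilter.class)
                .addFilterBefore(casLogoutFilter(), LogoutFilter.class)
                .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
    }
}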
- 添加DomainUserDetailsService.java,實現 UserDetailsService 介面的 loadUserByUsername 方法
代碼如下
package com.cas.demo;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
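/**
 * Supplies local {@link UserDetails} for a username that the CAS server has already
 * authenticated.
 *
 * <p>It is reached through the {@code UserDetailsByNameServiceWrapper} used by the CAS
 * authentication provider, so it only ever receives a username; the empty password below is a
 * placeholder and is not checked. Every username CAS asserts is granted {@code ROLE_USER}
 * unconditionally — there is no lookup against a local store, so a real deployment should
 * resolve the user here and throw {@link UsernameNotFoundException} for unknown accounts.
 */
@Component("userDetailsService")
public class DomainUserDetailsService implements UserDetailsService {

    private static final Logger log = LoggerFactory.getLogger(DomainUserDetailsService.class);

    /**
     * Builds the {@link UserDetails} for a CAS-asserted username.
     *
     * @param username the principal name asserted by the CAS server
     * @return a {@link User} with an empty password and the single authority {@code ROLE_USER}
     * @throws UsernameNotFoundException never thrown by this demo implementation
     * @throws IllegalArgumentException if {@code username} is null or empty (rejected by the
     *     {@link User} constructor)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        log.info("經過認證類:{}", username);
        // Typed list instead of the raw ArrayList the demo used (unchecked conversion).
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new User(username, "", authorities);
    }
}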
- 重啟demo,tomcat運行cas
瀏覽器訪問http://localhost:16001/
會跳轉到cas登錄界面,用 用戶名:casuser 密碼:Mellon登錄
登錄后,會跳轉回demo應用,界面顯示cas test 則對接成功