锁定老帖子 主题:CAS客户端证书认证登录
精华帖 (0) :: 良好帖 (0) :: 新手帖 (0) :: 隐藏帖 (0)
|
|
---|---|
作者 | 正文 |
发表时间:2010-04-18
最后修改:2010-04-18
前端时间需要实现公司内网证书自动登录CAS. 由于对CAS的底层还不是特别了解所以学习了下,看了下源码.
这里我由上而下的讲解实现的过程.
1.Web Flow我们都知道CAS目前使用了Spring Web Flow, 在CAS中Spring Web Flow的配置文件为login-webflow.xml 里面主要配置了登录的流程.这个如果用图来表示的话那应该是一个状态图, 一些节点会有一些判断然后会有不同的分支. 这里增加了startX509Authenticate这个节点,当需要登录的时候首先进入这个节点来验证,如果这里验证不成功的话才会进入普通的登录界面.负责直接登录成功,或者登录失败.
修改后的配置文件如下: <?xml version="1.0" encoding="UTF-8"?> <flow xmlns="http://www.springframework.org/schema/webflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow-1.0.xsd"> <start-state idref="initialFlowSetup"/> <action-state id="initialFlowSetup"> <action bean="initialFlowSetupAction" /> <transition on="success" to="ticketGrantingTicketExistsCheck" /> </action-state> <decision-state id="ticketGrantingTicketExistsCheck"> <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" /> </decision-state> <decision-state id="gatewayRequestCheck"> <if test="${externalContext.requestParameterMap['gateway'] != '' && externalContext.requestParameterMap['gateway'] != null && flowScope.service != null}" then="redirect" else="startX509Authenticate" /> </decision-state> <decision-state id="hasServiceCheck"> <if test="${flowScope.service != null}" then="renewRequestCheck" else="viewGenericLoginSuccess" /> </decision-state> <decision-state id="renewRequestCheck"> <if test="${externalContext.requestParameterMap['renew'] != '' && externalContext.requestParameterMap['renew'] != null}" then="startX509Authenticate" else="generateServiceTicket" /> </decision-state> <decision-state id="warn"> <if test="${flowScope.warnCookieValue}" then="showWarningView" else="redirect" /> </decision-state> <action-state id="startX509Authenticate"> <action bean="x509Check" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="viewLoginForm" /> </action-state> <view-state id="viewLoginForm" view="casLoginView"> <render-actions> <action bean="authenticationViaFormAction" method="setupForm"/> <action bean="authenticationViaFormAction" method="referenceData"/> </render-actions> <transition on="submit" to="bindAndValidate" /> </view-state> <action-state id="bindAndValidate"> <action bean="authenticationViaFormAction" /> <transition on="success" to="submit" /> <transition on="error" to="viewLoginForm" /> </action-state> <action-state id="submit"> <action bean="authenticationViaFormAction" method="submit" /> <transition on="warn" to="warn" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="viewLoginForm" /> </action-state> <action-state id="sendTicketGrantingTicket"> <action bean="sendTicketGrantingTicketAction" /> <transition on="success" to="serviceCheck" /> </action-state> <decision-state id="serviceCheck"> <if test="${flowScope.service != null}" then="generateServiceTicket" else="viewGenericLoginSuccess" /> </decision-state> <action-state id="generateServiceTicket"> <action bean="generateServiceTicketAction" /> <transition on="success" to ="warn" /> <transition on="error" to="viewLoginForm" /> <transition on="gateway" to="redirect" /> </action-state> <end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" /> <end-state id="showWarningView" view="casLoginConfirmView" /> <end-state id="redirect" view="bean:alibabaDynamicRedirectViewSelector" /> <end-state id="viewServiceErrorView" view="viewServiceErrorView" /> <end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView" /> <global-transitions> <transition to="viewServiceErrorView" on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" /> <transition to="viewServiceSsoErrorView" on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException" /> <transition to="viewServiceErrorView" on-exception="org.jasig.cas.services.UnauthorizedServiceException" /> </global-transitions> </flow>
2.从X509Check着手从上面的配置文件我们可看出startX509Authenticate这个节点对应的Bean是x509Check 那么我们需要增加这样的一个Bean 我们在cas-servlet.xml这个配置文件中增加这个类的配置,因为CAS自带了证书认证的Action <bean id="x509Check" class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction" p:centralAuthenticationService-ref="centralAuthenticationService"/> 这里不得不插进来说一下,在执行的时候是怎么个机制了.
当有一个请求过来之后,web flow安排对应节点的Action 来处理, Action便通过它的centralAuthenticationService 来进行createTicketGrantingTicket,传递的参数是credentials. centralAuthenticationService ,即org.jasig.cas.CentralAuthenticationServiceImpl这个类. 在颁发TGT之前先通过自己的authenticationManager来验证当前传递过来的credentials是否合法. 来到authenticationManager 的家中之后,使用什么来验证credentials呢,对了各种authenticationHandlers该上场了,这些authenticationHandlers 们也都是在配置authenticationManager的时候xml配置进去的.这里会选择一个能够处理当前credential的authenticationHandler来进行验证工作(authenticationHandler.supports(credentials)).也就是这些处理器都需要实现supports这个方法. 如果验证成功了,我们需要将一些标示信息带到cas的client端阿,那边需要这个信息. 所以验证之后,credentialsToPrincipalResolvers 们上场了,他们能够很好的带出需要传回给cas client的信息.
经过上面的分析,我们需要将我们自己的Handler和credentialsToPrincipalResolvers添加到authenticationManager的配置中 <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToDNEmailPrincipalResolver"/> </list> </property> <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <ref bean="dynamicAuthenticationHandler" /> <ref bean="x509CredentialsAuthenticationHandler"/> </list> </property> </bean> x509CredentialsAuthenticationHandler这个CAS自带了,但是我们需要返回到CAS Client的为证书的邮箱,而CAS没有提供这样的Resolver,所以我自己写了一个从证书中取得email的X509CertificateCredentialsToDNEmailPrincipalResolver
当然这里引用到的类也需要在Spring中进行配置 <bean id="x509CredentialsAuthenticationHandler" class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler" > <property name="trustedIssuerDnPattern" value="CN=intranet.+"/> </bean> 这样便可以了.
3.Tomcat配置
|
|
返回顶楼 | |
发表时间:2010-08-19
你好!可以配置多种证书吗?
|
|
返回顶楼 | |
浏览 4941 次