Topic: Spring Security 3 与 CAS单点登录配置-Client

转载：

 

http://www.hxdw.com/bbs/post/print?bid=60&id=144183

Topic: Spring Security 3 与 CAS单点登录配置-Client

---

1.Spring Security 3 与 CAS单点登录配置-Client

Copy to clipboard

Posted by: netboy Posted on: 2010-11-12 11:27 如果CAS配置完成。就可以进行Client的配置了。  以下Client的配置前提是你对Spring Security有一定了解。如果不熟悉，还是希望能先读一下Spring Security相关的文章。  下面是Client的Spring Security 3的最基础的配置  1.配置<http>标签  Xml代码  <http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">  <intercept-url pattern="/manage/**" access="ROLE_ADMIN" />  <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />  <!-- logout-success-url="/login.html" -->  <logout logout-url="/logout.html" success-handler-ref="casLogoutSuccessHandler"/>  <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/>  </http>    <http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">     <intercept-url pattern="/manage/**" access="ROLE_ADMIN" />     <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />     <!-- logout-success-url="/login.html" -->     <logout logout-url="/logout.html" success-handler-ref="casLogoutSuccessHandler"/>     <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/>   </http> 这里，重点是：  * 不使用http的自动配置。  * entry-point-ref="casEntryPoint"作用是认证的入口，是一个实现 AuthenticationEntryPoint接口的类。为ExceptionTranslationFilter类提供认证依据。  * <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/> 使用自定义的Filter，放置在过滤器链的FORM_LOGIN_FILTER的位置。  似乎casFilter与casEntryPoint的功能有重叠。  其实，casEntryPoint只是提供认证入口的作用，当没有权限，将跳转到该地址。  casFilter是处理CAS service ticket的。当无权访问时，会使用casEntryPoint提供认证入口。  2.分别配置casEntryPoint和casFilter  配置：casEntryPoint  Xml代码  <beans:bean id="casEntryPoint"  class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">  <beans:property name="loginUrl" value="https://cas.boc.com:8443/casServer/login"/>  <beans:property name="serviceProperties" ref="serviceProperties"/>  </beans:bean>  <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">  <beans:property name="service"  value="https://report.boc.com:8443/report/j_spring_cas_security_check"/>  <beans:property name="sendRenew" value="false"/>  </beans:bean>  <beans:bean id="casEntryPoint"   class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">   <beans:property name="loginUrl" value="https://cas.boc.com:8443/casServer/login"/>   <beans:property name="serviceProperties" ref="serviceProperties"/> </beans:bean> <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">   <beans:property name="service"   value="https://report.boc.com:8443/report/j_spring_cas_security_check"/> <beans:property name="sendRenew" value="false"/> </beans:bean> 配置casFilter  Xml代码  <beans:bean id="casFilter"  class="org.springframework.security.cas.web.CasAuthenticationFilter">  <beans:property name="authenticationManager" ref="authenticationManager"/>  </beans:bean>  <authentication-manager alias="authenticationManager">  <authentication-provider ref="casAuthenticationProvider"/>  </authentication-manager>  <beans:bean id="userDetailsService" class="com.reportstart.security.service.impl.BocUserDetaislServiceImpl">  <beans:property name="userDao">  <beans:ref bean="userDao"/>  </beans:property>  </beans:bean>  <beans:bean id="casAuthenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">  <beans:property name="userDetailsService" >  <beans:ref local="userDetailsService"/>  </beans:property>  </beans:bean>  <beans:bean id="casAuthenticationProvider"  class="org.springframework.security.cas.authentication.CasAuthenticationProvider">  <beans:property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService"/>  <beans:property name="serviceProperties" ref="serviceProperties" />  <beans:property name="ticketValidator">  <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">  <beans:constructor-arg index="0" value="https://cas.boc.com:8443/casServer" />  </beans:bean>  </beans:property>  <beans:property name="key" value="an_id_for_this_auth_provider_only"/>  </beans:bean>  </beans:bean>  <beans:bean id="casFilter"       class="org.springframework.security.cas.web.CasAuthenticationFilter">     <beans:property name="authenticationManager" ref="authenticationManager"/>   </beans:bean>      <authentication-manager alias="authenticationManager">     <authentication-provider ref="casAuthenticationProvider"/>   </authentication-manager>      <beans:bean id="userDetailsService" class="com.reportstart.security.service.impl.BocUserDetaislServiceImpl">     <beans:property name="userDao">       <beans:ref bean="userDao"/>     </beans:property>   </beans:bean>   <beans:bean id="casAuthenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">     <beans:property name="userDetailsService" >       <beans:ref local="userDetailsService"/>     </beans:property>   </beans:bean>   <beans:bean id="casAuthenticationProvider"       class="org.springframework.security.cas.authentication.CasAuthenticationProvider">     <beans:property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService"/>     <beans:property name="serviceProperties" ref="serviceProperties" />     <beans:property name="ticketValidator">       <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">        <beans:constructor-arg index="0" value="https://cas.boc.com:8443/casServer" />    </beans:bean>     </beans:property>     <beans:property name="key" value="an_id_for_this_auth_provider_only"/>   </beans:bean> </beans:bean> 如果对Spring Security比较熟悉，就不用多说什么了。  这里的"https://report.boc.com:8443/report/j_spring_cas_security_check"地址要注意，以后这个地址要注册到CAS service里，从而改变CAS的"open model".  也只有这个地址是指向Client的，其他都指向Server  最后，casLogoutSuccessHandler  如果Client要注销，需在Client先注销，之后让Server注销提供的ticket。  如果不这样，不论是只注销Client还是Server，注销后，系统仍然还是可以访问的。  (按照开始的想法，注销Client，Client应该可以主动去Server去注销ticket，但是org.springframework.security.web.authentication.logout.LogoutFilter总注销自己，而不去跟Client交互。如果你知道的话，请告知。)  CasLogoutSuccessHandler 代码  Java代码  package net.viiso.security.util;  import java.io.IOException;  import javax.servlet.ServletException;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import org.springframework.security.core.Authentication;  import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;  public class CasLogoutSuccessHandler implements LogoutSuccessHandler {  private String url = "";  @Override  public void onLogoutSuccess(HttpServletRequest request,  HttpServletResponse response, Authentication authentication)  throws IOException, ServletException {  if ("".equals(url)) {  url = "https://cas.boc.com:8443/casServer/logout";  }  response.sendRedirect(url);  }  public void setTargetUrl(String url) {  this.url = url;  }  }  package net.viiso.security.util; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; public class CasLogoutSuccessHandler implements LogoutSuccessHandler {   private String url = "";   @Override   public void onLogoutSuccess(HttpServletRequest request,       HttpServletResponse response, Authentication authentication)       throws IOException, ServletException {     if ("".equals(url)) {       url = "https://cas.boc.com:8443/casServer/logout";     }     response.sendRedirect(url);   }   public void setTargetUrl(String url) {     this.url = url;   } } 启动后，对一个安全地址进行访问，会跳到CAS登录地址。  如果登录成功，会跳至访问页。  到此，简单的Client已经配置完成。  接下来，还要在Server注册Client。这个虽然不是必须，但是出于安全考虑，如果CAS服务器在外网，就非常有必要对支持的Client进行注册了，因为当你访问Client在CAS登陆成功后，CAS会给你的Client提供登录者的用户信息。如果你模拟一个Client应用，使用暴力方式，不断给CAS提供用户口令和密码，会对安全性造成破坏。  另外，也可以给CAS登录页加一个验证码。