- 浏览: 8455 次
- 性别:
- 来自: 长沙
最新评论
Spring Security 集成 CAS(基于HTTP协议版本)
近段时间一直研究Spring Security 集成 CAS,网上资料相关资料也很多,不过大都是基于Https的安全认证;使用https协议方式验证需要创建证书等一系列事情比较繁琐,且证书是自己制作每次导航至登录界面时都会有安全提示给人感觉不太好;所以整理此文档供有需要的同学参考。
一、服务端配置(cas 3.5)
(1).Http协议的CAS比Https版本的步骤要少了ssl的配置,然后修改服务端部分配置文件即可。
(2).配置CAS服务应用程序的配置文件:WEB_INF下cas.properties、deployerConfigContext.xml
以及WEB-INF子目录spring-configuration下的ticketGrantingTicketCookieGenerator.xml、warmCookieGenerator.xml
(3).修改cas.properties
(4).deployerConfigContext.xml 添加数据源和密码密码编译器Bean验证用户登录信息;
设置不要使用Https方式(p:requireSecure="false")。
注意:SpringSecurity,CAS 的版本不同有可能类存在不同的包内。
(5).ticketGrantingTicketCookieGenerator.xml
设置cookie安全要求为false使用http协议
(6).warnCookieGenerator.xml 设置cookie安全要求为false使用http协议
(7).jar包支持
数据库连接池:commons-dbcp-1.2.2.jar,commons-pool-1.3.jar,commons-logging-1.1.jar,commons-lang-2.5.jar,commons-io-2.0.jar,commons-collections-3.2.1.jar
SpringJdbc: cas-server-support-jdbc-3.5.0.jar
数据库驱动:ojdbc14.jar
二、客户端配置
三.参考资料
http://www.docin.com/p-277698606.html#documentinfo
(1).Http协议的CAS比Https版本的步骤要少了ssl的配置,然后修改服务端部分配置文件即可。
(2).配置CAS服务应用程序的配置文件:WEB_INF下cas.properties、deployerConfigContext.xml
以及WEB-INF子目录spring-configuration下的ticketGrantingTicketCookieGenerator.xml、warmCookieGenerator.xml
(3).修改cas.properties
# Services Management Web UI Security server.name=http://localhost:8080 server.prefix=${server.name}/cas cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check # Names of roles allowed to access the CAS service manager cas.securityContext.serviceProperties.adminRoles=ROLE_ADMINISTRATOR cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix} # IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information cas.securityContext.status.allowedSubnet=127.0.0.1 cas.themeResolver.defaultThemeName=cas-theme-default cas.viewResolver.basename=default_views ## # Unique CAS node name # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster. host.name=cas ## # Database flavors for Hibernate # # One of these is needed if you are storing Services or Tickets in an RDBMS via JPA. # database.hibernate.dialect=org.hibernate.dialect.OracleDialect # database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect #database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
(4).deployerConfigContext.xml 添加数据源和密码密码编译器Bean验证用户登录信息;
设置不要使用Https方式(p:requireSecure="false")。
注意:SpringSecurity,CAS 的版本不同有可能类存在不同的包内。
<?xml version="1.0" encoding="UTF-8"?> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing your approach for authenticating usernames and passwords. +--> <!-- ~ Licensed to Jasig under one or more contributor license ~ agreements. See the NOTICE file distributed with this work ~ for additional information regarding copyright ownership. ~ Jasig licenses this file to you under the Apache License, ~ Version 2.0 (the "License"); you may not use this file ~ except in compliance with the License. You may obtain a ~ copy of the License at the following location: ~ ~ http://www.apache.org/licenses/LICENSE-2.0 ~ ~ Unless required by applicable law or agreed to in writing, ~ software distributed under the License is distributed on an ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ~ KIND, either express or implied. See the License for the ~ specific language governing permissions and limitations ~ under the License. --> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, | "authenticationManager". Most deployers will be able to use the default AuthenticationManager | implementation and so do not need to change the class of this bean. We include the whole | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will | need to change in context. +--> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password This switch effectively will turn on clearpass. <property name="authenticationMetaDataPopulators"> <list> <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"> <constructor-arg index="0" ref="credentialsCache" /> </bean> </list> </property> --> <!-- | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which | supports the presented credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are | using. | | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. | You will need to change this list if you are identifying services by something more or other than their callback URL. +--> <property name="credentialsToPrincipalResolvers"> <list> <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. | | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the | Credentials you are using. +--> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> <!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a | SimpleService identified by that callback URL. | | If you are representing services by something more or other than an HTTPS URL whereat they are able to | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). +--> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> <!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn | until it finds one that both supports the Credentials presented and succeeds in authenticating. +--> <property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. +--> <!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> --> <!-- 使用查询数据库的方式验证: sql语句返回密码,然后指定一个密码编码器,将提交的密码编码后与查询出来的密码进行比较。 密码编码器实现org.jasig.cas.authentication.handler.PasswordEncoder接口 --> <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"> <property name="dataSource" ref="casDataSource" /> <property name="sql" value="select lower(password) from tb_sys_user where lower(username) = lower(?)" /> <property name="passwordEncoder" ref="passwordEncoder"/> </bean> </list> </property> </bean> <!-- This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version. More robust deployments will want to use another option, such as the Jdbc version. The name of this should remain "userDetailsService" in order for Spring Security to find it. --> <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />--> <bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> </value> </property> </bean> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. --> <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"> <property name="backingMap"> <map> <entry key="uid" value="uid"/> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> </map> </property> </bean> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao". --> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"> <property name="registeredServices"> <list> <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name="id" value="0" /> <property name="name" value="HTTP and IMAP" /> <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" /> <property name="serviceId" value="^(https?|imaps?)://.*" /> <property name="evaluationOrder" value="10000001" /> </bean> </list> </property> </bean> <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor"> <property name="monitors"> <list> <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" /> <!-- NOTE The following ticket registries support SessionMonitor: * DefaultTicketRegistry * JpaTicketRegistry Remove this monitor if you use an unsupported registry. --> <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry" p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" /> </list> </property> </bean> <bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName"> <value>oracle.jdbc.driver.OracleDriver</value> </property> <property name="url"> <value>jdbc:oracle:thin:@x.x.x.x:1521:x</value> </property> <property name="username"> <value>username</value> </property> <property name="password"> <value>123456</value> </property> </bean> <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"> <constructor-arg value="MD5"/> </bean> </beans>
(5).ticketGrantingTicketCookieGenerator.xml
设置cookie安全要求为false使用http协议
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
(6).warnCookieGenerator.xml 设置cookie安全要求为false使用http协议
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />
(7).jar包支持
数据库连接池:commons-dbcp-1.2.2.jar,commons-pool-1.3.jar,commons-logging-1.1.jar,commons-lang-2.5.jar,commons-io-2.0.jar,commons-collections-3.2.1.jar
SpringJdbc: cas-server-support-jdbc-3.5.0.jar
数据库驱动:ojdbc14.jar
二、客户端配置
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd" default-autowire="byType" default-lazy-init="true"> <sec:http entry-point-ref="casProcessingFilterEntryPoint"> <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <sec:logout /> </sec:http> <sec:authentication-manager alias="authenticationManager" /> <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"> <sec:custom-filter after="CAS_PROCESSING_FILTER" /> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationFailureUrl" value="/casfailed.jsp" /> <property name="defaultTargetUrl" value="/" /> </bean> <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"> <property name="loginUrl" value="http://localhost:8080/cas/login" /> <property name="serviceProperties" ref="serviceProperties" /> </bean> <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"> <property name="service" value="http://localhost:8080/sample2/j_spring_cas_security_check" /> <property name="sendRenew" value="false"/> </bean> <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="userDetailsService" ref="userDetailsService"/> <property name="serviceProperties" ref="serviceProperties" /> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="http://localhost:8080/cas/" /> </bean> </property> <property name="key" value="integratedreport"/> </bean> <!-- 需要自己实现userservice --> <bean id="userDetailsService" class="cas.ava.UserDetailsServiceImpl" /> <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" /> </beans>
三.参考资料
http://www.docin.com/p-277698606.html#documentinfo
相关推荐
**Spring Security集成CAS客户端实例详解** 在Web应用中,安全是至关重要的,Spring Security和CAS(Central Authentication Service)是两种广泛使用的安全框架。本实例旨在展示如何将Spring Security与CAS结合,...
"springboot+security+cas集成demo"的目的是展示如何在Spring Boot应用中集成Spring Security和CAS,实现SSO功能。以下是一些关键步骤: 1. **配置CAS客户端**:在Spring Boot应用中,我们需要引入CAS客户端库,...
cas版本3.4.0,spring security版本3.1.4,经测试可用!
SpringBoot+Security+Cas是一个集成解决方案,用于构建安全的Web应用程序。这个Demo是为那些希望了解如何在Spring Boot应用中整合Spring Security和CAS(Central Authentication Service)服务的开发者准备的。下面...
cas是Central Authentication Service的简写.提供中央认证服务,实现企业级单点登录.详细参考:http://blog.csdn.net/xiejx618/article/details/51703469
Spring Boot 使用 Spring Security 集成 CAS Spring Boot 是一个基于 Java 的开源框架,用于快速构建生产级别的应用程序。Spring Security 是一个基于 Spring 的安全框架,提供了身份验证、授权和访问控制等功能。...
3. **CAS客户端配置**:在应用中集成CAS作为SSO的客户端,需要在Spring Security的配置中加入CAS的相关配置,如指定CAS服务器地址、服务验证URL等。同时,配置CAS过滤器以处理用户的身份验证请求。 4. **Spring ...
**Cas入门及SpringSecurity集成CasDemo详解** CAS(Central Authentication Service)是一种开源的单点登录(Single Sign-On,SSO)框架,它为各种应用程序提供了一种集中式的身份验证服务。在本文中,我们将深入...
标题中的"Spring Security 3 与 CAS 单点登录配置-Server"涉及到的是在Java Web开发中使用Spring Security 3框架集成Central Authentication Service (CAS)实现单点登录(Single Sign-On, SSO)的服务器端配置。...
- `CAS-spring-security-cas-client.jar`:支持 CAS 协议的单点登录功能。 - `OpenID-spring-security-openid.jar`:支持 OpenID 身份验证。 - **获得源代码**:可以从 GitHub 或 Maven 仓库获取 Spring Security ...
Spring Boot 整合 CAS Client 实现单点登录验证的示例 Spring Boot 整合 CAS Client 是一种流行的解决方案,用于实现单点登录(Single Sign-On,简称 SSO)。在多个应用系统中,用户只需要登录一次就可以访问所有...
##### 3.2 开始部署SpringSecurity - **配置CAS Filter**:Spring Security中有一个专门的CAS Filter,用于处理与CAS Server之间的通信。 - **配置登录和登出逻辑**:定义用户登录和登出的行为。 ##### 3.3 Spring...
### Spring Security 整合 CAS 全程详解 #### 一、引言 ##### 1.1 概述 ###### 1.1.1 单点登录介绍 单点登录(Single Sign-On,简称 SSO)是一种流行的解决方案,用于简化用户在多个相互信任的应用系统之间的身份...
本项目是关于前后端分离集成CAS(Central Authentication Service)的一个实例,主要使用了Spring Boot、Shiro、Oracle数据库以及Vue.js等技术。 首先,Spring Boot是基于Spring框架的轻量级开发工具,它简化了新...
在实现集成登录认证组件时,我们需要了解OAuth2.0认证体系、SpringBoot、SpringSecurity以及Spring Cloud等相关知识。同时,我们还需要了解如何定义拦截器、如何在拦截的通知进行预处理、如何在UserDetailService....
Spring Security提供了丰富的认证机制,支持多种认证方式,包括但不限于表单认证、LDAP认证、CAS认证等。认证成功后,用户的身份会被标记为已认证,然后系统根据用户的权限来进行授权,授权是指决定一个已认证的用户...
- **CAS (spring-security-cas-client.jar)**:提供了与 Central Authentication Service (CAS) 的集成支持。 - **OpenID (spring-security-openid.jar)**:提供了 OpenID 认证支持。 - **获得源代码**:开发者...
在提供的压缩包中,`spring-security-3.0.0.RELEASE.zip`包含了3.0.0版本的源码,而`spring-security-3.1.3.RELEASE-dist.zip`包含了3.1.3版本的jar文件,可以方便地集成到你的项目中。 总的来说,Spring Security...
3. **集成CAS客户端**:添加CAS客户端库到项目中,如`cas-client-support-springboot`或`cas-client-support-spring`。在Spring配置文件中声明`CasClientConfigurer`和`CasFilter`,并配置CAS服务器的URL、服务验证...