First, Set SpringSide's web.xml, we use Acegi CAS Filter:
<
filter-mapping
>
<
filter-name
>
hibernateFilter
</
filter-name
>
<
url-pattern
>
/j_acegi_cas_security_check
</
url-pattern
>
</
filter-mapping
>
We Should Set Main ACEGI application Context:
1) filterChainProxy should add a cas filter as Acegi's Sample, but here, we reuse
authenticationProcessingFilter, which we act as cas client filter.
<
bean
id
="filterChainProxy"
class
="org.acegisecurity.util.FilterChainProxy"
>
<
property
name
="filterInvocationDefinitionSource"
>
<
value
>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,authenticationProcessingFilter,rememberMeProcessingFilter,logoutFilter,channelProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
</
value
>
</
property
>
</
bean
>
2) authenticationProcessingFilter, of course, play the most important role in this
applicationContext_acegi.xml.
In
SpringSide, /admin is protected resource, so defaultTargetUrl protected it
and all those request to the target url must be authenticated by authenticationManager.
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl">
<value>/security/login.jsp?login_error=1</value>
</property>
<property name="defaultTargetUrl">
<value>/admin/</value>
</property>
<property name="filterProcessesUrl">
<value>/j_acegi_cas_security_check</value>
</property>
<property name="rememberMeServices" ref="rememberMeServices"/>
<property name="exceptionMappings">
<value>
org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error
org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error
org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error
</value>
</property>
</bean>3) Then, we set all the needed beans in CAS Filter
<!-- ========= Acegi as a CAS Client的配置============= -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<ref local="casProcessingFilterEntryPoint"/>
</property>
</bean>
<!-- cas config -->
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
<property name="loginUrl"><value>https://sourcesite:8443/cas/login</value></property>
<property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>
<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
<property name="casProxyDecider"><ref local="casProxyDecider"/></property>
<property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
<property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>
<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
<property name="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property>
<property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>
<!--
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.AcceptAnyCasProxy" />
-->
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets" />
<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
<property name="service">
<value>http://gzug:8080/springside/j_acegi_cas_security_check</value>
</property>
<property name="sendRenew">
<value>false</value>
</property>
</bean>
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
<property name="cache">
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager">
<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
</property>
<property name="cacheName" value="userCache"/>
</bean>
</property>
</bean>
<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
</bean>
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
<property name="authenticationManager"><ref local="authenticationManager"/></property>
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
<property name="defaultTargetUrl"><value>/</value></property>
<property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>
casProcessingFilterEntryPoint is very critical,
loginUrl is the CAS Server's /login url, you should set up your CAS Server(2.0 or 3.0) and config for
those JKS keystore after enable SSL in Tomcat(Tomcat 5.5/conf/server.xml) and place the cacerts that
have the CAS Server's public cert to Acegi Client's
JDK/jre/lib/security/
Check serviceProperties to make sure that
SpringSide Service url is config as /j_acegi_cas_security_check
because Yale CAS use ticket cache for SSO impl, so we should config for statelessTicketCache
Just use springframework's ehcache for cacheManager.
SpringSide use jdbcDaoImpl which perform database authentication. So I am very happy to use it
as casAuthoritiesPopulator , which will set use detail for the user. And these info are very useful for
application authorization.
<bean id="jdbcDaoImpl"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
<property name="usersByUsernameQuery">
<value>
select loginid,passwd,1 from ss_users where status='1' and loginid = ?
</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>
select u.loginid,p.name from ss_users u,ss_roles r,ss_permissions
p,ss_user_role ur,ss_role_permis rp where u.id=ur.user_id and
r.id=ur.role_id and p.id=rp.permis_id and
r.id=rp.role_id and p.status='1' and u.loginid=?
</value>
</property>
</bean>
There is little difference between casclient 2.0.12 and Acegi, right?
Note that in my env, gzug:8080/springside is bookstore webapp
and sourcesite:8443 is the CAS 3 Server.
Hope for suggestion.....
分享到:
相关推荐
2. `casclient-http.jar` 和 `casclient-https.jar`:这些是针对HTTP和HTTPS协议的扩展,确保了在与CAS服务器通信时的数据安全性和完整性。HTTPS是SSL/TLS协议的上层应用,用于加密网络通信,防止数据在传输过程中被...
2. **初始化客户端**:创建`CasClient`实例,配置CAS Server的URL和服务验证URL。 3. **服务票证验证**:当用户访问受保护的资源时,客户端会检查是否存在有效的服务票证(ST)。如果没有,它将重定向用户到CAS ...
"Yale CAS SSO DotNet Client" 是一个专为.NET框架设计的客户端库,用于集成耶鲁大学(Yale)的中央认证服务(Central Authentication Service, CAS)。CAS是一种开源的身份验证协议,它允许用户通过单一登录...
Yale CAS实现单点登陆的客户端源码和服务端源码,客户端cas-client-3.1.10代码和cas-server-3.4.2.1代码
解决普元EOS报错:edu.yale.its.tp.cas.client.IContextInit 下载后需jar到lib里面且单击右键在属性一栏的弹出框内添加该jar包即可解决爆粗
**Yale CAS(Central Authentication Service)是耶鲁大学开发的一款基于Web的身份验证系统,它允许用户通过单一登录(Single Sign-On, SSO)访问多个应用系统。本篇将详细探讨Yale CAS的最佳实践,包括环境准备、...
8. **Yale大学**:CAS最初由耶鲁大学开发并开源,现在已成为一个广泛使用的标准,有许多社区维护的实现,如Apereo CAS,它提供了更多的特性和扩展。 通过理解和应用这些知识点,开发者可以有效地利用CAS客户端...
这两个包可以从官方提供的链接获取,分别是cas-server-2.0.12.zip和cas-client-2.0.11.zip。解压缩CAS服务器的war文件(cas.war)并将其部署到Tomcat的webapps目录下。如果访问http://localhost:8080/cas/login看到...
软件介绍: ...下载后先解压,然后将sso-client-java-7.0.8.jar文件复制到lib里面,鼠标单击右键在属性一栏的弹出框内添加该jar包即可解决解决普元EOS报错问题:edu.yale.its.tp.cas.client.IContextInit
五、部署CAS Client 1. 与CAS Server建立信任关系:每个需要支持SSO的客户端应用都需要配置为信任CAS Server,通常在应用的web.xml中添加CAS Filter配置。 2. 配置CAS Filter:设置过滤器以拦截未认证的请求,重定向...
【标题】"Yale CAS服务器端深度定制"主要涉及到的是CAS(Central Authentication Service)系统,这是一个基于Java开发的开源身份验证框架,由耶鲁大学开发并广泛应用于各个机构的单点登录(Single Sign-On,SSO)...
CAS(Central Authentication Service)是 Yale 大学开发的一个开源项目,主要用于实现单点登录(Single Sign-On, SSO)。它是一个基于Web的认证协议,旨在简化用户对多个应用系统的访问管理,通过一次登录即可访问...
Weblogic 使用 YALE CAS 实现 SSO 单点登录的方法 一、Yale CAS 简介 Yale CAS 是耶鲁大学开发的一种开源的单点登录(SSO)解决方案,提供了一个通用的身份验证框架,允许用户使用单个身份验证来访问多个应用程序。...
Yale CAS(Central Authentication Service)是由耶鲁大学开发的一个开源项目,专门用于实现SSO功能。它是一个平台无关的解决方案,易于理解和部署,并且支持代理功能,这意味着它可以与各种不同的应用程序和服务...
在Java应用中,我们通常使用CAS客户端库(如`cas-client-support-spring`)来与CAS服务器通信。首先,在项目中引入CAS客户端依赖,然后配置Spring的ApplicationContext,添加CAS服务器的URL以及服务验证的端点等信息...
edu.yale.its.tp.cas.client.filter.CASFilter <!-- server login url --> edu.yale.its.tp.cas.client.filter.loginUrl https://www.test.com:8443/cas/login <!-- server...
### CAS SSO配置文档详解 #### 一、SSO实现原理与CAS的作用 单点登录(Single Sign-On,简称SSO)是一种用户身份验证机制,允许用户在一个安全领域内访问多个应用系统,而无需多次输入身份验证信息。在税务行业...