
Spring Security 3 and CAS Single Sign-On Configuration: Server

2012-06-26 
Reposted from: http://www.hxdw.com/bbs/post/view?bid=60&id=144184&sty=3&keywords=Spring+Security+3

First enable an HTTPS connector in Tomcat's conf/server.xml, since CAS login and ticket validation are meant to run over TLS:
XML code:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="%USERPROFILE%/.keystore"
    keystorePass="changeit" clientAuth="false"
    sslProtocol="TLS"/>

keystorePass="changeit" is the JDK keytool default; use a keystore holding a certificate the CAS clients trust and a password of your own. This connector only authenticates the server (clientAuth="false"); users and services are authenticated by CAS itself, not by TLS.

Start configuring the CAS Server
Unzip cas-server-3.4.2-release.zip.
In Eclipse, import cas-server-webapp-3.4.2.war from the modules folder
and rename the project to casServer.
After importing, configure the Java Build Path of the casServer project.


Running it at this point gives an error: the class AutowiringSchedulerFactoryBean cannot be found.
AutowiringSchedulerFactoryBean is a Quartz scheduler factory that CAS uses for its periodic background jobs.
Either delete its configuration from WEB-INF/spring-configuration/applicationContext.xml,
or add the AutowiringSchedulerFactoryBean class to the org.jasig.cas.util package
(the class can be downloaded from the attachment at the end).

If you are not familiar with how CAS single sign-on works, see
Open /WEB-INF/deployerConfigContext.xml:
XML code:

<!-- The class attributes of the bean elements were lost when this post was copied;
     they are restored here from the stock CAS 3.4.2 deployerConfigContext.xml.
     The author's own changes are in the authenticationHandlers list. -->
<bean id="authenticationManager"
    class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <!--
          | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
          | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
          | SimpleService identified by that callback URL.
          |
          | If you are representing services by something more or other than an HTTPS URL whereat they are able to
          | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
          +-->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>

    <!--
      | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
      | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
      | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
      | until it finds one that both supports the Credentials presented and succeeds in authenticating.
      +-->
    <property name="authenticationHandlers">
      <list>
        <!--
          | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
          | a server side SSL certificate.
          +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
          <property name="httpClient" ref="httpClient" />
        </bean>
        <!--
          | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
          | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
          | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
          | local authentication strategy. You might accomplish this by coding a new such handler and declaring
          | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
          +-->
        <!-- The stock test handler and an inline copy of the custom handler, both commented out by the author:
        <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
        <bean class="com.cas.service.CasUsernamePasswordAuthenticationHandler">
          <property name="userDao" ref="userDao" />
        </bean> -->
        <ref bean="casAuthenticationHandler"/>
      </list>
    </property>
  </bean>

The authenticationHandlers property is the key: it is what the CAS server authenticates users against
(CAS only authenticates; it does not authorize, so the CAS server does not care about user roles).
Note that the value of authenticationHandlers is a List of classes implementing the AuthenticationHandler interface. Several handlers can each draw on a different source of accounts and passwords, and CAS walks the list in order, stopping at the first handler that both supports the credentials and succeeds.
A question that comes up: suppose two applications A and B have the accounts abc/123 and abc/abc respectively.
If someone logs in to B with A's username and password (same username, different password), CAS would still report a successful authentication to B. Doesn't that break things?
The answer becomes clear once the client side is configured. With CAS the applications no longer check passwords at all: there is one password per user, the one CAS knows. CAS authenticates the user and hands the client a ticket, the client validates that ticket with the CAS server (the password never reaches the client), and only then loads the user's roles from its own user store. If the user has no entry or no role in that application, access is denied.


Back to the point. casAuthenticationHandler here is a class implementing the AuthenticationHandler interface; the easiest way to write one is to extend the abstract class AbstractUsernamePasswordAuthenticationHandler.
Since my CAS uses iBatis, I inject the UserDao directly and use it to check the login:
Java code:

package com.cas.service;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

import com.cas.dao.UserDao;
import com.cas.model.User;

public class CasUsernamePasswordAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

  /** Data-access layer for user records (iBatis-backed, injected by Spring). */
  private UserDao userDao;

  @Override
  protected boolean authenticateUsernamePasswordInternal(UsernamePasswordCredentials credentials)
      throws AuthenticationException {
    // Unknown user: returning false lets CAS try the next handler in the list, or fail the login.
    User user = userDao.findUserByName(credentials.getUsername());
    if (user == null) {
      return false;
    }
    // Compares the stored password with the submitted one as clear text.
    // This only works if the database stores passwords in the clear, which is the
    // weak point of this handler; the stored value should be a salted hash.
    return user.getPassword().equals(credentials.getPassword());
  }

  public void setUserDao(UserDao userDao) {
    this.userDao = userDao;
  }
}
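The handler above compares clear-text passwords, which means the user table holds clear-text passwords and `String.equals` leaks, through its early exit, how many leading bytes matched. The following is an added example, not code from the original post: the same handler shape, but the user record stores a random per-user salt plus a PBKDF2 hash, the comparison is constant-time, and an unknown username still pays for one hash so it cannot be told apart from a wrong password by timing. It assumes CAS 3.4.x on the classpath; `HashedUser` and `HashedUserDao` are hypothetical stand-ins for the page's `User`/`UserDao`, which only expose a clear-text `getPassword()`.

```java
package com.cas.service;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/**
 * Added example: a hardened counterpart of CasUsernamePasswordAuthenticationHandler.
 * Passwords are stored as PBKDF2-HMAC-SHA1 hashes with a random per-user salt and
 * compared in constant time. HashedUser and HashedUserDao are hypothetical stand-ins
 * for the page's User and UserDao.
 */
public class HashedPasswordAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

    private static final int ITERATIONS = 20000;
    private static final int HASH_BITS = 160;   // PBKDF2WithHmacSHA1 output size
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();
    /** Salt used to hash the attempt when the user does not exist, so timing matches a real user. */
    private static final byte[] DUMMY_SALT = new byte[SALT_BYTES];

    /** Hypothetical stored record: no clear-text password, only salt and hash. */
    public static final class HashedUser {
        public final String username;
        public final byte[] salt;
        public final byte[] hash;
        public final boolean locked;

        public HashedUser(String username, byte[] salt, byte[] hash, boolean locked) {
            this.username = username;
            this.salt = salt;
            this.hash = hash;
            this.locked = locked;
        }
    }

    /** Hypothetical DAO in the style of the page's UserDao.findUserByName. */
    public interface HashedUserDao {
        HashedUser findUserByName(String username);
    }

    private HashedUserDao userDao;

    /** PBKDF2 derivation; a wrong attempt costs the same as a correct one. */
    public static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA1 unavailable", e);
        }
    }

    /** What an account-creation path stores: salt and hash, never the password itself. */
    public static HashedUser register(String username, String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new HashedUser(username, salt, pbkdf2(password.toCharArray(), salt), false);
    }

    /** Constant-time check; unknown users still pay for one PBKDF2 run. */
    public static boolean verify(HashedUser user, String attempt) {
        if (user == null) {
            pbkdf2(attempt.toCharArray(), DUMMY_SALT);
            return false;
        }
        byte[] candidate = pbkdf2(attempt.toCharArray(), user.salt);
        boolean matches = MessageDigest.isEqual(candidate, user.hash);
        // Lock check after the comparison keeps the timing of locked and unlocked accounts the same.
        return matches && !user.locked;
    }

    @Override
    protected boolean authenticateUsernamePasswordInternal(UsernamePasswordCredentials credentials)
            throws AuthenticationException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        if (username == null || password == null) {
            return false;
        }
        return verify(userDao.findUserByName(username), password);
    }

    public void setUserDao(HashedUserDao userDao) {
        this.userDao = userDao;
    }

    /** Stand-alone demonstration against a constructed in-memory account. */
    public static void main(String[] args) {
        final HashedUser alice = register("alice", "correct horse battery staple");
        HashedUserDao dao = new HashedUserDao() {
            public HashedUser findUserByName(String name) {
                return alice.username.equals(name) ? alice : null;
            }
        };
        System.out.println("right password: " + verify(dao.findUserByName("alice"), "correct horse battery staple"));
        System.out.println("wrong password: " + verify(dao.findUserByName("alice"), "wrong"));
        System.out.println("unknown user:   " + verify(dao.findUserByName("mallory"), "anything"));
    }
}
```

Wire it exactly like the original handler, as the bean that `<ref bean="casAuthenticationHandler"/>` points at, with `userDao` injected. The password still travels from the browser to CAS in the clear inside the login POST, which is why the HTTPS connector from the start of the post is not optional.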

Next, modify the user service in deployerConfigContext.xml:
XML code:

<sec:user-service id="userDetailsService">
  <sec:user name="user01" password="user01" authorities="ROLE_USER" />
  <sec:user name="admin" password="admin" authorities="ROLE_ADMIN" />
  <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
</sec:user-service>

These are the accounts for logging in to the CAS service management pages. This is the simplest setup; you can also implement the UserDetailsService interface instead, which is the same user-lookup interface Spring Security uses for its own login. Whatever you choose, do not ship the file as shown: the @@THIS SHOULD BE REPLACED@@ placeholder is a stock entry that must be removed or replaced, the passwords sit in the file in the clear, and admin/admin holds ROLE_ADMIN, the role that cas.properties below admits to the service manager.
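As an added example of the UserDetailsService route mentioned above (not code from the original post or from CAS), here is a service-manager user service that takes accounts from a DAO instead of the XML file, grants only the roles stored for the account, and reports locked or disabled accounts so Spring Security refuses them. It assumes Spring Security 3.0, the version bundled with CAS 3.4.x; `AdminAccount` and `AdminAccountDao` are hypothetical, and the in-memory DAO in `sampleDao` is constructed for the stand-alone run.

```java
package com.cas.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Added example: a UserDetailsService for the CAS service manager that replaces the
 * in-memory <sec:user-service>. AdminAccount and AdminAccountDao are hypothetical;
 * passwordHash is whatever the configured password encoder produces.
 */
public class ServiceManagerUserDetailsService implements UserDetailsService {

    /** Hypothetical persisted admin account. */
    public static final class AdminAccount {
        public final String username;
        public final String passwordHash;
        public final boolean enabled;
        public final boolean locked;
        public final String[] roles;

        public AdminAccount(String username, String passwordHash, boolean enabled, boolean locked, String... roles) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.locked = locked;
            this.roles = roles;
        }
    }

    /** Hypothetical DAO; a real one would query the same database as the CAS user table. */
    public interface AdminAccountDao {
        AdminAccount findByUsername(String username);
    }

    private AdminAccountDao accountDao;

    public void setAccountDao(AdminAccountDao accountDao) {
        this.accountDao = accountDao;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AdminAccount account = accountDao.findByUsername(username);
        if (account == null) {
            // Spring Security turns this into a generic failed login; the message is not shown to the user.
            throw new UsernameNotFoundException("no service-manager account: " + username);
        }
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : account.roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities):
        // a disabled or locked account is rejected by the provider before the password is even checked.
        return new User(account.username, account.passwordHash, account.enabled, true, true, !account.locked, authorities);
    }

    /** Constructed in-memory DAO for a stand-alone run. */
    public static AdminAccountDao sampleDao() {
        final Map<String, AdminAccount> accounts = new HashMap<String, AdminAccount>();
        accounts.put("admin", new AdminAccount("admin", "{hash-of-admin-password}", true, false, "ROLE_ADMIN"));
        accounts.put("auditor", new AdminAccount("auditor", "{hash-of-auditor-password}", true, true, "ROLE_USER"));
        return new AdminAccountDao() {
            public AdminAccount findByUsername(String username) {
                return accounts.get(username);
            }
        };
    }

    public static void main(String[] args) {
        ServiceManagerUserDetailsService svc = new ServiceManagerUserDetailsService();
        svc.setAccountDao(sampleDao());
        UserDetails admin = svc.loadUserByUsername("admin");
        System.out.println(admin.getUsername() + " locked=" + !admin.isAccountNonLocked()
                + " authorities=" + admin.getAuthorities());
        UserDetails auditor = svc.loadUserByUsername("auditor");
        System.out.println(auditor.getUsername() + " locked=" + !auditor.isAccountNonLocked());
        try {
            svc.loadUserByUsername("nobody");
        } catch (UsernameNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

To use it, replace the `<sec:user-service id="userDetailsService">` element with a `<bean id="userDetailsService" class="com.cas.service.ServiceManagerUserDetailsService">` that has `accountDao` injected, keeping the bean id, which the rest of the security context references (an assumption about your wiring). If the stored value is a hash, the authentication provider that consumes this bean needs the matching password encoder configured, otherwise logins fail.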

Configure the cas.properties file
Properties:

#cas.securityContext.serviceProperties.service=http://localhost:8080/casServer/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.service=http://cas.boc.com:8080/casServer/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=http://cas.boc.com:8080/casServer/login
cas.securityContext.ticketValidator.casServerUrlPrefix=http://cas.boc.com:8080/casServer

cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views

host.name=casServer

#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
#database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

Every URL above is plain http on port 8080, even though an HTTPS connector was set up on 8443. The login form posts the user's password to loginUrl and clients fetch ticket validations from casServerUrlPrefix, so in a real deployment all three URLs should point at https://cas.boc.com:8443/casServer. The stock HttpBasedServiceCredentialsAuthenticationHandler also refuses non-HTTPS service callbacks unless its requireSecure property is turned off. adminRoles=ROLE_ADMIN names the role admitted to the service manager, which is why the admin account in the user service matters.

Start the CAS Server.
If all goes well you can see the service start.
Because WEB-INF/cas-servlet.xml contains this handler mapping
XML code:

<!-- The class attribute and the URL-to-controller entries of this bean were lost when the
     post was copied; only the structure is restored here from the stock cas-servlet.xml. -->
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <!-- the mapping entries, among them /services/viewStatistics.html, are not reproduced on this page -->
    </props>
  </property>
  <property name="alwaysUseFullPath" value="true" />
  <!--
  uncomment this to enable sending PageRequest events.
  <property name="interceptors">
    <list>
      <ref bean="pageRequestHandlerInterceptorAdapter" />
    </list>
  </property>
  -->
</bean>

There are many mappings here; the one we care about is /services/viewStatistics.html.
Open it in the browser (you will first be asked to log in; with the configuration above, admin/admin works).

The notice in red on that page says, roughly:
because no services have been registered, CAS is running in open mode. As soon as one service is registered, CAS leaves open mode, and any application that wants to use CAS must be registered. If you want to use this tool, the first thing to do is register the tool itself; the default URL of the service management tool is "http://cas.boc.com:8080/casServer/services/j_acegi_cas_security_check".
Open mode means any URL can obtain and validate tickets for your users, so do not leave a reachable server in that state for longer than the setup takes.

We will leave this alone for now; there is still a lot to do, and this is only the beginning.

Next: configuring the client side.
