casLogin.png
1.cas server 搭建
请参考CAS 5.3.x 初体验 — 官方Demo Server部署
2.cas server 支持http协议
到 cas-overlay-template目录下,将target目录下的cas.war放到tomcat webapps下启动
打开解压后的cas
到/WEB-INF/classes/services里找到HTTPSandIMAPS-10000001.json
编辑HTTPSandIMAPS-10000001.json,serviceId中加入http协议
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|http|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
"evaluationOrder" : 10000
}
到/WEB-INF/classes里找到application.properties
编辑application.properties 在末尾加入以下两行配置
cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
重启tomcat
浏览器访问 http://localhost:8080/cas/login,可以正常访问即可
3.spring boot + spring security + cas整合
1. 创建项目
- 使用idea创建项目
file -> new -> Project -> Spring Initializr -> next
依赖Spring Web 和 Spring Security
点击 next ,finish - 引入cas client 依赖
pom.xml 加入cas的依赖
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
</dependency>
- 添加一个controller IndexController.java
package com.cas.demo;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class IndexController {
@RequestMapping("/")
public String index(){
return "cas test";
}
}
- application.properties配置端口为16001
server.port=16001
- 运行demo
查看控制台日志,copy随机生成的密码
Using generated security password:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
浏览器访问http://localhost:16001/
会跳到登录界面
使用用户名:user 密码:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
进行登录,会看到浏览器输出cas test - 对接cas
- 新建SecurityConfiguration.java 继承WebSecurityConfigurerAdapter
代码如下
package com.cas.demo;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("userDetailsService")
private UserDetailsService userDetailsService;
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
//TODO: 读配置
serviceProperties.setService("http://localhost:16001/login/cas");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
//TODO: 改成读配置
casAuthenticationEntryPoint.setLoginUrl("http://localhost:8080/cas/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Bean
public UserDetailsByNameServiceWrapper userDetailsByNameServiceWrapper() {
UserDetailsByNameServiceWrapper userDetailsByNameServiceWrapper = new UserDetailsByNameServiceWrapper();
userDetailsByNameServiceWrapper.setUserDetailsService(userDetailsService);
return userDetailsByNameServiceWrapper;
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
//TODO: 读配置
Cas20ServiceTicketValidator cas20ServiceTicketValidator = new Cas20ServiceTicketValidator(
"http://localhost:8080/cas");
return cas20ServiceTicketValidator;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider
.setAuthenticationUserDetailsService(userDetailsByNameServiceWrapper());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
return casAuthenticationProvider;
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
return casAuthenticationFilter;
}
@Bean
public LogoutFilter casLogoutFilter() {
//TODO: 读配置
LogoutFilter logoutFilter = new LogoutFilter(
"http://localhost:8080/cas/logout?service=http://localhost:8080/cas/login",
new SecurityContextLogoutHandler());
//与上面的url是映射关系,可配成其他的
logoutFilter.setFilterProcessesUrl("/logout/cas");
return logoutFilter;
}
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
@Override
public void configure(WebSecurity web) {
web.ignoring()
.antMatchers(HttpMethod.OPTIONS, "/**")
.antMatchers("/app/**/*.{js,html}")
.antMatchers("/i18n/**")
.antMatchers("/content/**")
.antMatchers("/swagger-ui/index.html")
.antMatchers("/test/**");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
auth.authenticationProvider(casAuthenticationProvider());
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/**").hasAuthority("ROLE_USER")
.and().exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
.and()
.addFilterAt(casAuthenticationFilter(), CasAuthenticationFilter.class)
.addFilterBefore(casLogoutFilter(), LogoutFilter.class)
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
}
}
- 添加DomainUserDetailsService.java 实现 UserDetailsService.java的loadUserByUsername方法
代码如下
package com.cas.demo;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
@Component("userDetailsService")
public class DomainUserDetailsService implements UserDetailsService {
private final Logger log = LoggerFactory.getLogger(DomainUserDetailsService.class);
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
log.info("经过认证类:{}", username);
List<GrantedAuthority> authorities = new ArrayList();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User(username, "", authorities);
}
}
- 重启demo,tomcat运行cas
浏览器访问http://localhost:16001/
会跳转到cas登录界面,用 用户名:casuser 密码:Mellon登录
登录后,会跳转回demo应用,界面显示cas test 则对接成功
