1.什么是单点登录
单点登录SSO(Single Sign On)实际上就是用户在一个系统登录之后,在单点登录的其他客户端(应用)不用重复的登陆,登陆校验交给中央认证服务器去校验。单点登录的应用场景通常为一个大型的系统下有很多小系统,并且这些系统使用的是同一套认证体系。
常用的单点登录框架为cas,cas分为cas-server,cas-client.
2.使用jeesite实现单点登录的配置
看过jeesite的应该知道,jeesite使用的是shiro整合spring的方式,并且自定义实现了多种SessionManager和多种cacheManager,。由于单点登录的特殊性,需要我们自定义realm,realm可以看做是一个安全数据源,用来收集用户的认证信息和授权信息。
2.1单点登录的配置文件
2.1.1 loginUrl配置的为单点登录认证服务器的地址和service回调地址
2.1.2 需要单独配置logoutFilter,用于到认证服务器进行单点退出。
2.1.3 配置casFilter用于接收认证服务器验证之后的信息。并进行认证授权的处理
2.1.4自定义relam,在SystemAuthorizingRealm基础上进行改造。
2.1.5单点登录的配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"
default-lazy-init="true">
<description>Shiro Configuration</description>
<!-- 加载配置属性文件 -->
<context:property-placeholder
ignore-unresolvable="true" location="classpath:app.properties" />
<!-- Shiro权限过滤过滤器定义 -->
<bean name="shiroFilterChainDefinitions" class="java.lang.String">
<constructor-arg>
<value>
/static/** = anon
/userfiles/** = anon
${adminPath}/cas = cas
<!-- ${adminPath}/login = authc -->
${adminPath}/logout = logout
${adminPath}/** = user
/act/rest/service/editor/** = perms[act:model:edit]
/act/rest/service/model/** = perms[act:model:edit]
/act/rest/service/** = user
/ReportServer/** = user
</value>
</constructor-arg>
</bean>
<!-- 安全认证过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="${cas.server.url}/login?service=${cas.project.url}${adminPath}/cas"
/>
<!-- <property name="loginUrl" value="${adminPath}/login" /> -->
<property name="successUrl" value="${adminPath}/index?login" />
<property name="filters">
<map>
<entry key="cas" value-ref="casFilter" />
<entry key="logout">
<bean class="org.apache.shiro.web.filter.authc.LogoutFilter">
<property name="redirectUrl" value="${cas.server.url}/logout?service=${cas.project.url}${frontPath}"></property>
</bean>
</entry>
<!-- <entry key="authc" value-ref="formAuthenticationFilter" /> -->
</map>
</property>
<property name="filterChainDefinitions">
<ref bean="shiroFilterChainDefinitions" />
</property>
</bean>
<!-- CAS认证过滤器 -->
<bean id="casFilter" class="org.apache.shiro.cas.CasFilter">
<property name="failureUrl" value="${frontPath}/login" />
</bean>
<!-- 定义Shiro安全管理配置 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="casAuthorizingRealm" />
<property name="sessionManager" ref="sessionManager" />
<property name="cacheManager" ref="shiroCacheManager" />
</bean>
<bean id="casAuthorizingRealm" class="com.aligns.administrator.sys.security.CasAuthorizingRealm">
<property name="casServerUrlPrefix" value="${cas.server.url}" />
<property name="casService" value="${cas.project.url}${adminPath}/cas" />
</bean>
<!-- 自定义会话管理配置 -->
<bean id="sessionManager"
class="com.aligns.plat.core.security.shiro.session.SessionManager">
<property name="sessionDAO" ref="sessionDAO" />
<!-- 会话超时时间,单位:毫秒 -->
<property name="globalSessionTimeout" value="${session.sessionTimeout}" />
<!-- 定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话 -->
<property name="sessionValidationInterval" value="${session.sessionTimeoutClean}" />
<!-- <property name="sessionValidationSchedulerEnabled" value="false"/> -->
<property name="sessionValidationSchedulerEnabled" value="true" />
<property name="sessionIdCookie" ref="sessionIdCookie" />
<property name="sessionIdCookieEnabled" value="true" />
</bean>
<!-- 指定本系统SESSIONID, 默认为: JSESSIONID 问题: 与SERVLET容器名冲突, 如JETTY, TOMCAT 等默认JSESSIONID,
当跳出SHIRO SERVLET时如ERROR-PAGE容器会为JSESSIONID重新分配值导致登录会话丢失! -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg name="name" value="jeesite.session.id" />
</bean>
<!-- 自定义Session存储容器 -->
<!-- <bean id="sessionDAO" class="com.thinkgem.jeesite.common.security.shiro.session.JedisSessionDAO">
<property name="sessionIdGenerator" ref="idGen" />
<property name="sessionKeyPrefix" value="${redis.keyPrefix}_session_" />
</bean> -->
<bean id="sessionDAO"
class="com.aligns.plat.core.security.shiro.session.CacheSessionDAO">
<property name="sessionIdGenerator" ref="idGen" />
<property name="activeSessionsCacheName" value="activeSessionsCache" />
<property name="cacheManager" ref="jedisCacheManager" />
</bean>
<!--
<bean id="jedisUtils" class="com.aligns.plat.utils.JedisUtils"></bean>
-->
<!-- 如果需要集群配置,则将SessionDao设置为jedis -->
<!-- <bean id="sessionDAO"
class="com.aligns.plat.core.security.shiro.session.JedisSessionDAO" >
<property name="sessionIdGenerator" ref="idGen" />
<property name="activeSessionsCacheName" value="activeSessionsCache" />
<property name="cacheManager" ref="jedisCacheManager" />
</bean> -->
<!-- 定义授权缓存管理器 -->
<!-- <bean id="shiroCacheManager" class="com.aligns.plat.core.common.security.shiro.cache.SessionCacheManager"
/> -->
<bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="cacheManager" />
</bean>
<bean id="jedisCacheManager" class="com.aligns.plat.core.security.shiro.cache.JedisCacheManager">
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- AOP式方法级权限检查 -->
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true" />
</bean>
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
</beans>
2.1.6单点登录的自定义relam(CasAuthorizingRealm)
/**
*
*/
package com.aligns.administrator.sys.security;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cas.CasAuthenticationException;
import org.apache.shiro.cas.CasRealm;
import org.apache.shiro.cas.CasToken;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.StringUtils;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jasig.cas.client.validation.TicketValidator;
import com.aligns.administrator.sys.entity.Menu;
import com.aligns.administrator.sys.entity.Role;
import com.aligns.administrator.sys.entity.User;
import com.aligns.administrator.sys.security.SystemAuthorizingRealm.Principal;
import com.aligns.administrator.sys.service.SystemService;
import com.aligns.administrator.sys.utils.LogUtils;
import com.aligns.administrator.sys.utils.UserUtils;
import com.aligns.plat.core.Servlets;
import com.aligns.plat.utils.SpringContextHolder;
/**
* 系统安全认证单点登录实现类
*
* @author kefan
* @version 2014-7-5
*/
//@Service
// @DependsOn({"userDao","roleDao","menuDao"})
public class CasAuthorizingRealm extends CasRealm {
private SystemService systemService;
public CasAuthorizingRealm() {
super();
}
/**
* 认证
* */
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
CasToken casToken = (CasToken) token;
if (token == null)
return null;
String ticket = (String) casToken.getCredentials();
if (!StringUtils.hasText(ticket))
return null;
TicketValidator ticketValidator = ensureTicketValidator();
try {
Assertion casAssertion = ticketValidator.validate(ticket, getCasService());
//casPrincipal 认证后的用户信息
AttributePrincipal casPrincipal = casAssertion.getPrincipal();
String userId = casPrincipal.getName();
//获取用户
User user = getSystemService().getUserByLoginName(userId);
Map<String,Object> attributes = casPrincipal.getAttributes();
casToken.setUserId(userId);
String rememberMeAttributeName = getRememberMeAttributeName();
String rememberMeStringValue = (String) attributes.get(rememberMeAttributeName);
boolean isRemembered = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue);
if (isRemembered)
casToken.setRememberMe(true);
// 这里可以拿到Cas的登录账号信息,加载到对应权限体系信息放到缓存中...
return new SimpleAuthenticationInfo(new Principal(user, false), ticket,getName());
} catch (TicketValidationException e) {
throw new CasAuthenticationException((new StringBuilder()).append("Unable to validate ticket [")
.append(ticket).append("]").toString(), e);
}
}
/**
* 授权
* */
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Principal principal = (Principal) getAvailablePrincipal(principals);
User user = getSystemService().getUserByLoginName(principal.getLoginName());
if (user != null) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
List<Menu> list = UserUtils.getMenuList();
for (Menu menu : list){
if (org.apache.commons.lang3.StringUtils.isNotBlank(menu.getPermission())){
// 添加基于Permission的权限信息
for (String permission : org.apache.commons.lang3.StringUtils.split(menu.getPermission(),",")){
info.addStringPermission(permission);
}
}
}
// 添加用户权限
info.addStringPermission("user");
// 添加用户角色信息
for (Role role : user.getRoleList()){
info.addRole(role.getEnname());
}
// 更新登录IP和时间
getSystemService().updateUserLoginInfo(user);
// 记录登录日志
LogUtils.saveLog(Servlets.getRequest(), "系统登录");
return info;
} else {
return null;
}
}
protected List<String> split(String s) {
List<String> list = new ArrayList<String>();
String elements[] = StringUtils.split(s, ',');
if (elements != null && elements.length > 0) {
String arr$[] = elements;
int len$ = arr$.length;
for (int i$ = 0; i$ < len$; i$++) {
String element = arr$[i$];
if (StringUtils.hasText(element))
list.add(element.trim());
}
}
return list;
}
protected void addRoles(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> roles) {
String role;
for (Iterator<String> i$ = roles.iterator(); i$.hasNext(); simpleAuthorizationInfo.addRole(role))
role = (String) i$.next();
}
protected void addPermissions(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> permissions) {
String permission;
for (Iterator<String> i$ = permissions.iterator(); i$.hasNext(); simpleAuthorizationInfo
.addStringPermission(permission))
permission = (String) i$.next();
}
public SystemService getSystemService() {
if (systemService == null){
systemService = SpringContextHolder.getBean(SystemService.class);
}
return systemService;
}
}
3.需要注意的事项:
配置文件中配置的logout,为logoutFilter,redirectUrl为认证服务器注销之后的重定向地址,单点登录需要配置用于注销重定向,否则注销之后,页面会停留在单点登录服务器,不会调到我们自己的应用。修改认证服务器的cas-servlet,路径为WEB-INF/cas-servet.xml,把false改为true