CAS 4.1.10 版本服务端源码解读

最新推荐文章于 2024-03-14 15:23:05 发布
最新推荐文章于 2024-03-14 15:23:05 发布
阅读量2.3k 收藏 10
点赞数 4
分类专栏: cas 源码分析 cas 单点登录 文章标签: cas源码分析 cas 单点登录原理 cas服务端源码
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/AaronSimon/article/details/83381395
版权

在工作中经常会对CAS进行二次改造适应不同的单点登录场景。这篇文章主要对CAS 4.1.10版本进行源码解读(主要是登录流程)。不同版本可以在github下载

一、准备

下载下来的cas-overlay-template的依赖中默认只有

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-webapp</artifactId>
  <version>${cas.version}</version>
  <type>war</type>
  <scope>runtime</scope>
</dependency>

为了跟踪相关的代码还需要添加下面的两个依赖

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-core</artifactId>
  <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-webapp-support</artifactId>
    <version>${cas.version}</version>
</dependency>

二、源码解读

2.1 访问CAS服务端进行认证

CAS 是使用SpringMVC+Spring WebFlow(工作流框架)控制登录,登出流程的。

一般情况下,我们在浏览器访问http://localhost:8080/cas,cas 服务端会默认访问index.jsp页面

<%@ page language="java"  session="false" %>
<%
final String queryString = request.getQueryString();
final String url = request.getContextPath() + "/login" + (queryString != null ? "?" + queryString : "");
response.sendRedirect(response.encodeURL(url));%>

从上面index.jsp页面的内容发现,它会从定向到http://localhost:8080/cas/login,该路径是由名为cas 的 servlet进行处理的

<servlet>
    <servlet-name>cas</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/cas-servlet.xml, /WEB-INF/cas-servlet-*.xml</param-value>
    </init-param>
    <init-param>
        <param-name>publishContext</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/login</url-pattern>
</servlet-mapping>

这里将请求交给了SpringMVC进行处理。

2.2 SpringMVC与Spring WebFlow整合

在上面的servlet配置中会发现,其核心的配置文件是/WEB-INF/cas-servlet.xml, /WEB-INF/cas-servlet-*.xml。SpringMVC在初始化的时候会去自动加载cas-servlet.xmlcas-servlet-*.xml配置。在WEB-INF目录下我们找到了cas-servlet.xml这个文件,里面对SpringMVC和Spring WebFlow进行了整合配置。如果想深入了解可以参考整合细节

<!--为login登录请求开启流处理-->
<bean id="loginHandlerAdapter" class="org.jasig.cas.web.flow.SelectiveFlowHandlerAdapter"
        p:supportedFlowId="login" p:flowExecutor-ref="loginFlowExecutor" p:flowUrlHandler-ref="loginFlowUrlHandler" />
<!-- login webflow configuration -->
<!--将特定应用程序资源映射到流-->
<bean id="loginFlowHandlerMapping" class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
      p:flowRegistry-ref="loginFlowRegistry" p:order="2">
  <property name="interceptors">
      <array value-type="org.springframework.web.servlet.HandlerInterceptor">
          <ref bean="localeChangeInterceptor" />
      </array>
  </property>
</bean>
<!--注册一个工作流节点,login的请求交由login-webflow.xml定义的处理器进行处理-->
<webflow:flow-registry id="loginFlowRegistry" flow-builder-services="builder" base-path="/WEB-INF/webflow">
  <webflow:flow-location-pattern value="/login/*-webflow.xml"/>
</webflow:flow-registry>
<!--view-factory-creator属性,该属性就定义了视图解析工厂-->
<webflow:flow-builder-services id="builder" view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" />
<bean id="viewFactoryCreator" class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
  <property name="viewResolvers">
    <util:list>
      <ref bean="viewResolver"/>
      <ref bean="internalViewResolver"/>
    </util:list>
  </property>
</bean>
<!-- View Resolver  -->
<bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver"
      p:order="0">
  <property name="basenames">
      <util:list>
          <value>cas_views</value>
      </util:list>
  </property>
</bean>

如果对SpringMVC的请求路径是login,那么SpringMVC会交给webflow进行处理。flow-builder-services节点中有个view-factory-creator属性,该属性定义了视图解析工厂。该视图解析工厂是由视图解析器组成的。这里只定义了一个视图解析器,就是viewResolvers。该视图解析器是springFramework中的ResourceBundleViewResolver的一个实例,该类可以通过basenames属性,找到value值对应的properties属性文件,该文件中式类似ke=values类型的内容,正是该文件将jsp文件映射成视图名称。

2.3 CAS 登录流程解析

由上面的分析知道,登录流程的配置文件是/WEB-INF/webflow/login目录下的login-webflow

<var name="credential" class="org.jasig.cas.authentication.UsernamePasswordCredential"/>

定义UsernamePasswordCredential类型的变量,用于存放用户名和密码(默认),可进行扩展存放更多的属性。

<on-start>
    <evaluate expression="initialFlowSetupAction"/>
</on-start>

这是流程开始的操作,要去执行initialFlowSetupAction这个bean,它定义在cas-servlet.xml里面

<bean id="initialFlowSetupAction" class="org.jasig.cas.web.flow.InitialFlowSetupAction"
        p:argumentExtractors-ref="argumentExtractors"
        p:warnCookieGenerator-ref="warnCookieGenerator"
        p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
        p:servicesManager-ref="servicesManager"
        p:enableFlowOnAbsentServiceRequest="${create.sso.missing.service:true}"  />

org.jasig.cas.web.flow.InitialFlowSetupAction继承自AbstractActionAbstractAction方法是org.springframework.webflow.action包中的类,是webflow中的基础类。该类中的doExecute方法是对应处理业务的方法。

  protected Event doExecute(RequestContext context) throws Exception {
    HttpServletRequest request = WebUtils.getHttpServletRequest(context);
    String contextPath = context.getExternalContext().getContextPath();
    String cookiePath = StringUtils.isNotBlank(contextPath) ? contextPath + '/' : "/";
    if (StringUtils.isBlank(this.warnCookieGenerator.getCookiePath())) {
      this.logger.info("Setting path for cookies for warn cookie generator to: {} ", cookiePath);
      this.warnCookieGenerator.setCookiePath(cookiePath);
    } else {
      this.logger.debug("Warning cookie path is set to {} and path {}", this.warnCookieGenerator.getCookieDomain(), this.warnCookieGenerator.getCookiePath());
    }

    if (StringUtils.isBlank(this.ticketGrantingTicketCookieGenerator.getCookiePath())) {
      this.logger.info("Setting path for cookies for TGC cookie generator to: {} ", cookiePath);
      this.ticketGrantingTicketCookieGenerator.setCookiePath(cookiePath);
    } else {
      this.logger.debug("TGC cookie path is set to {} and path {}", this.ticketGrantingTicketCookieGenerator.getCookieDomain(), this.ticketGrantingTicketCookieGenerator.getCookiePath());
    }
    //将TGT放在RequestScope作用域中
    WebUtils.putTicketGrantingTicketInScopes(context, this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request));
    //将warnCookieValue放在RequestScope作用域中
    WebUtils.putWarningCookie(context, Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
    //获取service参数
    Service service = WebUtils.getService(this.argumentExtractors, context);
    if (service != null) {
      this.logger.debug("Placing service in context scope: [{}]", service.getId());
      //查找注册的service
      RegisteredService registeredService = this.servicesManager.findServiceBy(service);
      if (registeredService != null && registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        this.logger.debug("Placing registered service [{}] with id [{}] in context scope", registeredService.getServiceId(), registeredService.getId());
        WebUtils.putRegisteredService(context, registeredService);
        RegisteredServiceAccessStrategy accessStrategy = registeredService.getAccessStrategy();
        if (accessStrategy.getUnauthorizedRedirectUrl() != null) {
          this.logger.debug("Placing registered service's unauthorized redirect url [{}] with id [{}] in context scope", accessStrategy.getUnauthorizedRedirectUrl(), registeredService.getServiceId());
          WebUtils.putUnauthorizedRedirectUrl(context, accessStrategy.getUnauthorizedRedirectUrl());
        }
      }
    } else if (!this.enableFlowOnAbsentServiceRequest) {
      this.logger.warn("No service authentication request is available at [{}]. CAS is configured to disable the flow.", WebUtils.getHttpServletRequest(context).getRequestURL());
      throw new NoSuchFlowExecutionException(context.getFlowExecutionContext().getKey(), new UnauthorizedServiceException("screen.service.required.message", "Service is required"));
    }

    WebUtils.putService(context, service);
    return this.result("success");
  }

该方法的参数是RequestContext对象,该参数是一个流程的容器。该方法从request中获取TGT,并且构建一个临时的service对象(不同域注册的service,详情见接入系统管理)。并且,将TGT,warnCookieValue和service放在RequestContext作用域中,以便在登录流程中的state中进行判断

<action-state id="ticketGrantingTicketCheck">
    <evaluate expression="ticketGrantingTicketCheckAction"/>
    <transition on="notExists" to="gatewayRequestCheck"/>
    <transition on="invalid" to="terminateSession"/>
    <transition on="valid" to="hasServiceCheck"/>
</action-state>

初始化完成后,登录流程流转到第一个state(ticketGrantingTicketExistsCheck)

<bean id="ticketGrantingTicketCheckAction" class="org.jasig.cas.web.flow.TicketGrantingTicketCheckAction"
       c:centralAuthenticationService-ref="centralAuthenticationService" />

它会去执行ticketGrantingTicketCheckdoExecute方法检查requestContext中是否存在TGT,TGT是否有效

protected Event doExecute(RequestContext requestContext) throws Exception {
    String tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
    if (!StringUtils.hasText(tgtId)) {
      return new Event(this, "notExists");
    } else {
      String eventId = "invalid";

      try {
        //验证TGT是否有效
        Ticket ticket = this.centralAuthenticationService.getTicket(tgtId, Ticket.class);
        if (ticket != null && !ticket.isExpired()) {
          eventId = "valid";
        }
      } catch (TicketException var5) {
        this.logger.trace("Could not retrieve ticket id {} from registry.", var5);
      }

      return new Event(this, eventId);
    }
  }

第一次访问应用系统http://app1.example.com,此时应用系统会跳转到CAS单点登录的服务器端http://127.0.0.1:8081/cas-server/login?service=http%3a%2f%2fapp1.example.com,此时,request的cookies中不存在CASTGC(TGT),因此RequestContext作用域中的ticketGrantingTicketId为null,登录流程流转到第二个state(gatewayRequestCheck)

<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
        then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck"/>
</decision-state>

初始化时,把service保存在了RequestContext作用域中,但request中的参数gateway不存在,登录流程流转到第三个state(serviceAuthorizationCheck)

<!-- Do a service authorization check early without the need to login first -->
<action-state id="serviceAuthorizationCheck">
    <evaluate expression="serviceAuthorizationCheck"/>
    <transition to="generateLoginTicket"/>
</action-state>

<bean id="serviceAuthorizationCheck" class="org.jasig.cas.web.flow.ServiceAuthorizationCheck"
   c:servicesManager-ref="servicesManager" />

执行它的doExecute方法

protected Event doExecute(RequestContext context) throws Exception {
    Service service = WebUtils.getService(context);
    if (service == null) {
      return this.success();
    } else if (this.servicesManager.getAllServices().isEmpty()) {
      String msg = String.format("No service definitions are found in the service manager. Service [%s] will not be automatically authorized to request authentication.", service.getId());
      this.logger.warn(msg);
      throw new UnauthorizedServiceException("screen.service.empty.error.message");
    } else {
      RegisteredService registeredService = this.servicesManager.findServiceBy(service);
      String msg;
      if (registeredService == null) {
        msg = String.format("Service Management: Unauthorized Service Access. Service [%s] is not found in service registry.", service.getId());
        this.logger.warn(msg);
        throw new UnauthorizedServiceException("screen.service.error.message", msg);
      } else if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        msg = String.format("Service Management: Unauthorized Service Access. Service [%s] is not allowed access via the service registry.", service.getId());
        this.logger.warn(msg);
        WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, registeredService.getAccessStrategy().getUnauthorizedRedirectUrl());
        throw new UnauthorizedServiceException("screen.service.error.message", msg);
      } else {
        return this.success();
      }
    }
  }

doExecute方法,要做的就是判断RequestContext作用域中是否存在service,如果service存在,查找service的注册信息。登录流程流转到第四个state(generateLoginTicket)

<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)"/>
    <transition on="generated" to="viewLoginForm"/>
</action-state>

<bean id="generateLoginTicketAction" class="org.jasig.cas.web.flow.GenerateLoginTicketAction"
      p:ticketIdGenerator-ref="loginTicketUniqueIdGenerator"/>

执行generate方法

public class GenerateLoginTicketAction {
  private static final String PREFIX = "LT";
  private final Logger logger = LoggerFactory.getLogger(this.getClass());
  @NotNull
  private UniqueTicketIdGenerator ticketIdGenerator;

  public GenerateLoginTicketAction() {
  }

  public final String generate(RequestContext context) {
    String loginTicket = this.ticketIdGenerator.getNewTicketId("LT");
    this.logger.debug("Generated login ticket {}", loginTicket);
    //放入RequestContext域
    WebUtils.putLoginTicket(context, loginTicket);
    return "generated";
  }

  public void setTicketIdGenerator(UniqueTicketIdGenerator generator) {
    this.ticketIdGenerator = generator;
  }
}

UniqueTicketIdGenerator要做的就是生成以LT作为前缀的loginTicket(例:LT-2-pfDmbEHfX2OkS0swLtDd7iDwmzlhsn),并且把loginTicket放到RequestContext作用域中(LT只作为登录时使用的票据)。登录流程流转到第五个state(viewLoginForm)

<view-state id="viewLoginForm" view="casLoginView" model="credential">
    <binder>
        <binding property="username" required="true"/>
        <binding property="password" required="true"/>
    </binder>
    <on-entry>
        <set name="viewScope.commandName" value="'credential'"/>

        <!--
        <evaluate expression="samlMetadataUIParserAction" />
        -->
    </on-entry>
    <transition on="submit" bind="true" validate="true" to="realSubmit"/>
</view-state>

这样经过流程的流转登录界面展示在浏览器上,默认的用户界面是/WEB-INF/jsp/ui/default/ui/casLoginView.jsp,如果想要自定义登录界面可以参考这个。

默认的登录页面中有lt、execution和_eventId三个隐藏参数

<input type="hidden" name="lt" value="${loginTicket}" />
<input type="hidden" name="execution" value="${flowExecutionKey}" />
<input type="hidden" name="_eventId" value="submit" />

lt参数值就是在GenerateLoginTicketAction的generate方法中生成的loginTicket

当用户输入了用户名和密码,点击登录按钮就会进入realSubmit这个state

<action-state id="realSubmit">
    <evaluate
            expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credential, messageContext)"/>
    <transition on="warn" to="warn"/>
    <!--
    To enable AUP workflows, replace the 'success' transition with the following:
    <transition on="success" to="acceptableUsagePolicyCheck" />
    -->
    <transition on="success" to="sendTicketGrantingTicket"/>
    <transition on="successWithWarnings" to="showMessages"/>
    <transition on="authenticationFailure" to="handleAuthenticationFailure"/>
    <transition on="error" to="generateLoginTicket"/>
</action-state>

执行authenticationViaFormActionsubmit方法

public class AuthenticationViaFormAction {
  public static final String SUCCESS = "success";
  public static final String SUCCESS_WITH_WARNINGS = "successWithWarnings";
  public static final String WARN = "warn";
  public static final String AUTHENTICATION_FAILURE = "authenticationFailure";
  public static final String ERROR = "error";
  public static final String PUBLIC_WORKSTATION_ATTRIBUTE = "publicWorkstation";
  protected final Logger logger = LoggerFactory.getLogger(this.getClass());
  @NotNull
  private CentralAuthenticationService centralAuthenticationService;
  @NotNull
  private CookieGenerator warnCookieGenerator;

  public AuthenticationViaFormAction() {
  }

  public final Event submit(RequestContext context, Credential credential, MessageContext messageContext) {
    if (!this.checkLoginTicketIfExists(context)) {
      return this.returnInvalidLoginTicketEvent(context, messageContext);
    } else {
      return this.isRequestAskingForServiceTicket(context) ? this.grantServiceTicket(context, credential) : this.createTicketGrantingTicket(context, credential, messageContext);
    }
  }

  protected boolean checkLoginTicketIfExists(RequestContext context) {
    String loginTicketFromFlowScope = WebUtils.getLoginTicketFromFlowScope(context);
    String loginTicketFromRequest = WebUtils.getLoginTicketFromRequest(context);
    this.logger.trace("Comparing login ticket in the flow scope [{}] with login ticket in the request [{}]", loginTicketFromFlowScope, loginTicketFromRequest);
    //判断FlowScope和request中的loginTicket是否相同
    return StringUtils.equals(loginTicketFromFlowScope, loginTicketFromRequest);
  }

  protected Event returnInvalidLoginTicketEvent(RequestContext context, MessageContext messageContext) {
    String loginTicketFromRequest = WebUtils.getLoginTicketFromRequest(context);
    this.logger.warn("Invalid login ticket [{}]", loginTicketFromRequest);
    messageContext.addMessage((new MessageBuilder()).error().code("error.invalid.loginticket").build());
    return this.newEvent("error");
  }

  protected boolean isRequestAskingForServiceTicket(RequestContext context) {
    //requestScope和FlowScope中获取TGT
    String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
    FlowScope中获取service
    Service service = WebUtils.getService(context);
    return StringUtils.isNotBlank(context.getRequestParameters().get("renew")) && ticketGrantingTicketId != null && service != null;
  }

  protected Event grantServiceTicket(RequestContext context, Credential credential) {
    String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);

    try {
      Service service = WebUtils.getService(context);
      ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicketId, service, new Credential[]{credential});
      WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
      this.putWarnCookieIfRequestParameterPresent(context);
      return this.newEvent("warn");
    } catch (AuthenticationException var6) {
      return this.newEvent("authenticationFailure", var6);
    } catch (TicketException var7) {
      if (var7 instanceof TicketCreationException) {
        this.logger.warn("Invalid attempt to access service using renew=true with different credential. Ending SSO session.");
        this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
      }

      return this.newEvent("error", var7);
    }
  }

  protected Event createTicketGrantingTicket(RequestContext context, Credential credential, MessageContext messageContext) {
    try {
      //根据用户凭证构造TGT,把TGT放到requestScope中,同时把TGT缓存到服务器的cache<ticketId,TGT>中
      TicketGrantingTicket tgt = this.centralAuthenticationService.createTicketGrantingTicket(new Credential[]{credential});
      WebUtils.putTicketGrantingTicketInScopes(context, tgt);
      this.putWarnCookieIfRequestParameterPresent(context);
      this.putPublicWorkstationToFlowIfRequestParameterPresent(context);
      return this.addWarningMessagesToMessageContextIfNeeded(tgt, messageContext) ? this.newEvent("successWithWarnings") : this.newEvent("success");
    } catch (AuthenticationException var5) {
      this.logger.debug(var5.getMessage(), var5);
      return this.newEvent("authenticationFailure", var5);
    } catch (Exception var6) {
      this.logger.debug(var6.getMessage(), var6);
      return this.newEvent("error", var6);
    }
  }

  protected boolean addWarningMessagesToMessageContextIfNeeded(TicketGrantingTicket tgtId, MessageContext messageContext) {
    boolean foundAndAddedWarnings = false;
    Iterator i$ = tgtId.getAuthentication().getSuccesses().entrySet().iterator();

    while(i$.hasNext()) {
      Entry<String, HandlerResult> entry = (Entry)i$.next();

      for(Iterator i$ = ((HandlerResult)entry.getValue()).getWarnings().iterator(); i$.hasNext(); foundAndAddedWarnings = true) {
        MessageDescriptor message = (MessageDescriptor)i$.next();
        this.addWarningToContext(messageContext, message);
      }
    }

    return foundAndAddedWarnings;
  }

  private void putWarnCookieIfRequestParameterPresent(RequestContext context) {
    HttpServletResponse response = WebUtils.getHttpServletResponse(context);
    if (StringUtils.isNotBlank(context.getExternalContext().getRequestParameterMap().get("warn"))) {
      this.warnCookieGenerator.addCookie(response, "true");
    } else {
      this.warnCookieGenerator.removeCookie(response);
    }

  }

  private void putPublicWorkstationToFlowIfRequestParameterPresent(RequestContext context) {
    if (StringUtils.isNotBlank(context.getExternalContext().getRequestParameterMap().get("publicWorkstation"))) {
      context.getFlowScope().put("publicWorkstation", Boolean.TRUE);
    }

  }

  private Event newEvent(String id) {
    return new Event(this, id);
  }

  private Event newEvent(String id, Exception error) {
    return new Event(this, id, new LocalAttributeMap("error", error));
  }

  public final void setCentralAuthenticationService(CentralAuthenticationService centralAuthenticationService) {
    this.centralAuthenticationService = centralAuthenticationService;
  }

  public final void setWarnCookieGenerator(CookieGenerator warnCookieGenerator) {
    this.warnCookieGenerator = warnCookieGenerator;
  }

  /** @deprecated */
  @Deprecated
  public void setTicketRegistry(TicketRegistry ticketRegistry) {
    this.logger.warn("setTicketRegistry() has no effect and will be removed in future CAS versions.");
  }

  private void addWarningToContext(MessageContext context, MessageDescriptor warning) {
    MessageBuilder builder = (new MessageBuilder()).warning().code(warning.getCode()).defaultText(warning.getDefaultMessage()).args(warning.getParams());
    context.addMessage(builder.build());
  }
}

AuthenticationViaFormAction的submit要做的就是判断FlowScope和request中的loginTicket是否相同。如果不同跳转到错误页面,如果相同,则根据用户凭证生成TGT(登录成功票据),并放到requestScope作用域中,同时把TGT缓存到服务器的cache<ticketId,TGT>中。登录流程流转到下个state(sendTicketGrantingTicket)

<action-state id="sendTicketGrantingTicket">
    <evaluate expression="sendTicketGrantingTicketAction"/>
    <transition to="serviceCheck"/>
</action-state>

执行 sendTicketGrantingTicketAction 的 doExecute方法

protected Event doExecute(RequestContext context) {
  //requestScope和FlowScope中获取TGT
  String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
  String ticketGrantingTicketValueFromCookie = (String)context.getFlowScope().get("ticketGrantingTicketId");
  if (ticketGrantingTicketId == null) {
    return this.success();
  } else {
    if (this.isAuthenticatingAtPublicWorkstation(context)) {
      LOGGER.info("Authentication is at a public workstation. SSO cookie will not be generated. Subsequent requests will be challenged for authentication.");
    } else if (!this.createSsoSessionCookieOnRenewAuthentications && this.isAuthenticationRenewed(context)) {
      LOGGER.info("Authentication session is renewed but CAS is not configured to create the SSO session. SSO cookie will not be generated. Subsequent requests will be challenged for authentication.");
    } else {
      //response中添加TGC
      this.ticketGrantingTicketCookieGenerator.addCookie(WebUtils.getHttpServletRequest(context), WebUtils.getHttpServletResponse(context), ticketGrantingTicketId);
    }

    if (ticketGrantingTicketValueFromCookie != null && !ticketGrantingTicketId.equals(ticketGrantingTicketValueFromCookie)) {
      this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketValueFromCookie);
    }

    return this.success();
  }
}

SendTicketGrantingTicketAction的doExecute要做的是获取TGT,并根据TGT生成cookie添加到response。登录流程流转到下一个state(serviceCheck)

<decision-state id="serviceCheck">
    <if test="flowScope.service != null" then="generateServiceTicket" else="viewGenericLoginSuccess"/>
</decision-state>

由于此时FlowScope中存在service(http://127.0.0.1:8081/cas-server/login?service=http%3A%2F%2Fapp1.example.com),登录流程流转到下一个state(generateServiceTicket)

<action-state id="generateServiceTicket">
    <evaluate expression="generateServiceTicketAction"/>
    <transition on="success" to="warn"/>
    <transition on="authenticationFailure" to="handleAuthenticationFailure"/>
    <transition on="error" to="generateLoginTicket"/>
    <transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>

执行generateServiceTicketActiondoExecute方法

protected Event doExecute(RequestContext context) {
  Service service = WebUtils.getService(context);
  String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);

  try {
    //根据TGT和service生成service ticket(ST-2-97kwhcdrBW97ynpBbZH5-cas01.example.org)
    ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service);
    ST放到requestScope中
    WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
    return this.success();
  } catch (TicketException var5) {
    if (var5 instanceof InvalidTicketException) {
      this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicket);
    }

    return this.isGatewayPresent(context) ? this.result("gateway") : this.newEvent("error", var5);
  }
}

GenerateServiceTicketActiondoExecute要做的是获取service和TGT,并根据service和TGT生成以ST为前缀的serviceTicket(例:ST-2-97kwhcdrBW97ynpBbZH5-cas01.example.org),并把serviceTicket放到requestScope中。登录流程流转到下一个state(warn)

<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect"/>
</decision-state>

FlowScope中不存在warnCookieValue,登录流程流转到下一个state(redirect)

<action-state id="redirect">
    <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)"
              result-type="org.jasig.cas.authentication.principal.Response" result="requestScope.response"/>
    <transition to="postRedirectDecision"/>
</action-state>

从requestScope中获取serviceTicket,构造response对象,并把response放到requestScope中。登录流程流转到下一个state(postRedirectDecision)

<decision-state id="postRedirectDecision">
    <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView"/>
</decision-state>

由于request请求是get类型,登录流程流转到下一个state(redirectView)

<end-state id="redirectView" view="externalRedirect:#{requestScope.response.url}"/>

此时流程如下:

  1. 跳转到应用系统(http://app1.example.com/?ticket=ST-1-4hH2s5tzsMGCcToDvGCb-cas01.example.org)
  2. 进入CAS客户端的AuthenticationFilter过滤器,由于session中获取名为_const_cas_assertion_的assertion对象不存在,但是request有ticket参数,所以进入到下一个过滤器
  3. TicketValidationFilter过滤器的validate方法通过httpClient访问CAS服务器端(http://127.0.0.1:8081/cas/serviceValidate?ticket=ST-1-4hH2s5tzsMGCcToDvGCb-cas01.example.org&service=http://app1.example.com)验证ticket是否正确,并返回assertion对象。
    Assertion对象格式类似于
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationSuccess>
		<cas:user>system</cas:user>

	</cas:authenticationSuccess>
</cas:serviceResponse>

至此就完成了登录的整个流程
参考文档:(https://blog.csdn.net/dovejing/article/details/44523545 https://www.ibm.com/developerworks/cn/education/java/j-spring-webflow/index.html)

AaronSimon
关注
  • 4
    点赞
  • 10
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
【并发】深度解析CAS原理与底层源码
金鳞踏雨
12-10 640
CAS全称是(Compare And Swap,比较并交换),通常指的是这样一种原子操作(针对一个变量,首先比较它的内存值与某个期望值是否相同,如果相同,就给它赋一个新值)CAS可以看做是乐观锁(对比数据库的悲观、乐观锁)的一种实现方式,我们稍后要讲的Java原子类中的递增操作(i++)就通过CAS自旋实现的。 CAS是一种无锁算法,在不使用锁(没有线程被阻塞)的情况下实现多线程之间的变量同步!
cas-overlay-template-6.4 服务端代码
01-28
----------------------------使用--------------------------------- gradle-7.3.3 JDK-11 TOMCAT-9 MYSQL-5.7.35 REDIS-5.X ----------------------------实现功能如下------------------------------------ 1.CAS-集成mysql 2.CAS-日志审计 3.CAS-连接池配置 4.CAS-自定义错误信息 5.CAS-识别json文件 6.CAS-页面缓存记住我 7.CAS-cookie设置 8.CAS-tgc设置 9.CAS-登出 10.CAS-redisCluster集群存储ticket(相应redis必须配置成cluster集群) 11.CAS-加密存储ticket 12.CAS-实习动态验证码 13.CAS-实习自定义登录 14.CAS-实现自定义返回用户登录信息 15.CAS-页面缓存记住我 ------------------------------建表脚本在文件里登录用户/密码:ll/123456
单点登录cas的最简单使用
amd2015的博客
10-22 127
单点登录-----cas 技术 1 网上下载cas工程 找到cas.war 放在服务器下(可以改cas的端口)启动 2 建立项目maven 工程 2.1 pom.xml 引入 <!--单点登录--> <dependency> <groupId>org.jasig.cas.client</grou...
spring boot 集成cas(一) 服务端搭建
最新发布
慕孑晨的博客
03-14 544
简单点就是统一服务认证,多个系统一次登录。俗称单点登录
cas 4.0 集群中的ticket共享
WenChao_Liu的专栏
06-13 1427
1、jar 引入    &lt;dependency&gt; &lt;groupId&gt;org.springframework.data&lt;/groupId&gt; &lt;artifactId&gt;spring-data-redis&lt;/artifactId&gt; &lt;version&gt;1.5.1.RELEASE&lt;/version&gt; &lt;/d
单点登录CAS使用记(八):使用maven的overlay实现无侵入的改造CAS
04-01 404
前期在学习CAS部署的过程中,都是网上各种教程,各种方案不停的尝试。 期间各种侵入改源码,时间久了,改了哪个文件,改了哪段配置,增加了哪段代码,都有可能混淆不清了。 而且最大的问题是,万一换个人来维护或者哪天需要升级CAS版本,从何下手? 还好,maven的overlay的功能,可以帮助我解决这个问题。 什么是maven的overlay? overlay可以把多个项...
CAS配置(3)之restful-api接入接口
bamang6147的博客
06-23 955
第一步,cas服务端对api接口支持 在cas-server-webapp下pom.xml添加如下依赖 <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-integration-restlet...
springboot 接入cas-client-core单点登录
an74520的专栏
12-13 5713
1.maven引入相关包 <dependency> <groupId>net.unicon.cas</groupId> <artifactId>cas-client-autoconfig-support</artifactId> <version>1.4.0-GA</version> </de...
cas4.x 单点登录开发入门
z634075513的专栏
09-06 4174
从github上下载cas最新的server和client相关代码,这里就不多说了 1、项目导入与部署 首先将server代码导入到myeclipse下,项目部署到tomcat中。启动项目后尝试登入,登入配置默认在WEB-INF的deployerConfigContext.xml文件下有如下代码 <bean id="primaryAuthenticationHandler"
web工程中集成cas单点登录
qq_36323075的博客
12-16 665
背景 cas服务端已经搭建成功,现在需要在web项目中集成cas client。我们项目使用spring 1、在pom中配置 <!--cas单点登录 --> <dependency> <groupId>org.jasig.cas.client</groupId> <artifactId>ca...
cas 服务端4.1.10
11-12
这是cas4.1.1.10 服务端的数据资源,在这里共享依稀资源分享
simple-cas4-overlay-template:基本CAS4 Maven War叠加模板
02-22
CAS4重叠模板 通用CAS Maven战争叠加层可以执行最新版本CAS 4.x系列。 该覆盖图可自由用作本地CAS Maven战争覆盖图的起始模板。 版本号 < cas>4.2.1</ cas> 建议要求 JDK 1.8以上 配置 etc目录包含需要复制到/cas/etc的配置文件。 当前文件是: cas.properties log4j2.xml 建造 mvnw clean package 或者 mvnw.bat clean package 部署方式 嵌入式码头 在/etc/cas/jetty/thekeystore使用密码changeit创建一个Java密钥库。 将您的CAS服务器证书导入此密钥库中。 mvnw jetty:run-forked CAS将在以下位置提供: http://cas.server.name:8080/cas
CAS4.1.4服务端和客户端实例
02-02
CAS4.1.4服务端和客户端实例,直接修改配置即可运行,详细参见博文:http://blog.csdn.net/chenhai201/article/details/50623395
cas 服务端源码
12-13
cas 服务端 单点登录 集中验证 源码 cas 服务端 单点登录 集中验证 源码
ffepeg-4.1.10 版本源码
10-22
ffepeg-4.1.10 版本源码,可以用来在linux环境中源码编译安装
Hutool Java基础工具 v4.1.10
10-10
Hutool是一个Java基础工具类,对文件、流、加密解密、转码、正则、线程、XML等JDK方法进行封装,组成各种Util工具类,同时提供以下组件: 布隆过滤 缓存 克隆接口 类型转换 日期处理
asp.net版本kindeditor4.1.10
10-30
欢迎大家发表意见,自己也可以去官网下载最新的版本
Catfish(鲶鱼) CMS v4.1.10
12-03
Catfish(鲶鱼) CMS是一款开源的PHP内容管理系统,适合... Catfish(鲶鱼) CMS系统适合不同程度的使用者使用。 1、您不需要专业技术就可以轻松搭建您需要的网站,操作简单,灵活方便,稳定快捷。 2、Catfish(鲶鱼) CMS使
CAS 5.1.x版本代理模式实现
AaronSimon的博客
09-14 4460
一、什么是CAS的代理认证   在我们的项目中,有这样一个场景:有两个服务holiday(节假日服务)和mainWeb(集成服务),这两个服务都集成了CAS,所有的请求都要经过CAS Server的认证。由于mainWeb内部会去调用holiday的服务,但是mainWeb的请求会被holiday配置的CAS拦截器AuthenticationFilter拦截并重定向到CAS Server。这样我...
openoffice4.1.10
05-13
OpenOffice 4.1.10是一款流行的免费开源办公软件套件,可以替代微软Office。它由Apache软件基金会开发,支持Windows、MacOS和Linux操作系统。OpenOffice的主要组件包括Writer、Calc、Impress、Draw、Base和Math,...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值