I recently moved several systems to single sign-on. The authentication server is Jasig CAS 4.0.0; the configuration is collected below:
Authenticating users against a database
Deploy modules/cas-server-webapp-xxx.war to Tomcat.
Copy the jar files from modules, together with the Oracle JDBC driver, into WEB-INF/lib.
Edit deployerConfigContext.xml under WEB-INF to point it at the database.
Configure the dataSource:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName"><value>oracle.jdbc.driver.OracleDriver</value></property>
<property name="url"><value>jdbc:oracle:thin:@localhost:1521:xe</value></property>
<property name="username"><value>hisdb</value></property>
<property name="password"><value>hisdb</value></property>
</bean>
Change primaryAuthenticationHandler:
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="sql" value="select PASSWORD from USER_INFO where USERNAME=?" />
<property name="dataSource" ref="dataSource" />
</bean>
QueryDatabaseAuthenticationHandler compares the submitted password with the value this query returns, and its default passwordEncoder is plain text, so as written the configuration expects PASSWORD to hold the clear-text password. If the column holds a hash, set the handler's passwordEncoder property to an encoder that produces the same digest rather than storing passwords in the clear to make the comparison work.
Disabling HTTPS
Where the network is trusted and the system's security requirements are modest, the HTTPS checks can be turned off to make deployment easier. Be clear about what is given up: with cookieSecure="false" the browser sends the CASTGC ticket-granting cookie over plain http, and service tickets then also travel in the clear, so anyone able to read the traffic can take over the SSO session for every connected application. Treat this as a test or intranet setting, not a production one.
1. Edit ticketGrantingTicketCookieGenerator.xml
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
Change p:cookieSecure to false, and in the client's web.xml change the CAS server URLs from https to http.
2. Set p:cookieSecure to false in warnCookieGenerator.xml as well.
3. In deployerConfigContext.xml change the HttpBasedServiceCredentialsAuthenticationHandler bean to:
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/>
i.e. add p:requireSecure="false". This handler validates the proxy callback URL (pgtUrl) that a service presents; with requireSecure="false" it also accepts http callback URLs, which means a proxy-granting ticket can be delivered to the service unencrypted.
Single sign-out configuration
Add the listener and the filter to the client's web.xml:
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
When the user logs out at the CAS server, CAS posts a logout request to every application that obtained a service ticket during that SSO session, and the SingleSignOutFilter invalidates the matching HttpSession, so the clients are logged out too. Map this filter before the CAS authentication filter so that it sees the ticket parameter when the user arrives and the logoutRequest POST later.
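To make the mechanism behind that sentence concrete, here is an added Python model (example code, not from this page and not the Jasig CAS client's own code) of the two jobs the filter and listener do: remember which HttpSession a service ticket created, and on the back-channel POST from CAS pull the ticket out of the SAML LogoutRequest and invalidate that session. The class names, session IDs, ticket values and the LogoutRequest payload are constructed for the example; only the payload's shape follows the CAS protocol.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionMappingStorage:
    """Ticket <-> session-id map: the role the Java client's session mapping storage plays."""

    def __init__(self) -> None:
        self._by_ticket: Dict[str, str] = {}
        self._by_session: Dict[str, str] = {}

    def add(self, ticket: str, session_id: str) -> None:
        self._by_ticket[ticket] = session_id
        self._by_session[session_id] = ticket

    def remove_by_ticket(self, ticket: str) -> Optional[str]:
        session_id = self._by_ticket.pop(ticket, None)
        if session_id is not None:
            self._by_session.pop(session_id, None)
        return session_id

    def remove_by_session(self, session_id: str) -> None:
        """What SingleSignOutHttpSessionListener does when the container destroys a session."""
        ticket = self._by_session.pop(session_id, None)
        if ticket is not None:
            self._by_ticket.pop(ticket, None)


def extract_session_index(logout_request_xml: str) -> Optional[str]:
    """Return the service ticket carried in a SAML LogoutRequest, or None if the XML is not one."""
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        return None
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if idx is None or not idx.text or not idx.text.strip():
        return None
    return idx.text.strip()


class SingleSignOutFilter:
    """Model of the client filter's two code paths: record the ticket on login, invalidate on logout."""

    def __init__(self, storage: SessionMappingStorage, sessions: Dict[str, dict]) -> None:
        self.storage = storage
        self.sessions = sessions  # session-id -> session data; stands in for the servlet container

    def handle(self, method: str, params: Dict[str, str], session_id: Optional[str]) -> str:
        # Back-channel logout: a POST from the CAS server carrying logoutRequest=<samlp:LogoutRequest>.
        logout_request = params.get("logoutRequest")
        if method == "POST" and logout_request:
            ticket = extract_session_index(logout_request)
            sid = self.storage.remove_by_ticket(ticket) if ticket else None
            if sid is not None and sid in self.sessions:
                del self.sessions[sid]  # HttpSession.invalidate()
                return "invalidated"
            return "ignored"  # unknown, malformed or already-used ticket: nothing to do
        # Login return: the browser comes back from CAS with ?ticket=ST-...; remember its session.
        ticket = params.get("ticket")
        if ticket and session_id:
            self.storage.add(ticket, session_id)
            return "recorded"
        return "passthrough"


# Constructed sample of the logout request CAS sends; ID and timestamp are made up.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-example" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>ST-1-abc123</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def demo() -> Dict[str, dict]:
    """Two logged-in sessions; CAS logs out the one that was created with ST-1-abc123."""
    sessions = {"JSESSIONID-A": {"user": "zhangsan"}, "JSESSIONID-B": {"user": "lisi"}}
    flt = SingleSignOutFilter(SessionMappingStorage(), sessions)
    flt.handle("GET", {"ticket": "ST-1-abc123"}, "JSESSIONID-A")
    flt.handle("GET", {"ticket": "ST-2-def456"}, "JSESSIONID-B")
    flt.handle("POST", {"logoutRequest": SAMPLE_LOGOUT_REQUEST}, None)
    return sessions


if __name__ == "__main__":
    print(demo())  # only JSESSIONID-B survives
```

Two things the model makes visible: the logout POST is not authenticated beyond the ticket value itself, so the only thing stopping a forged logout is that the sender must know a valid, unused service ticket; and because the mapping is removed on first use, replaying the same LogoutRequest is a no-op.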
Single sign-on with Shiro
The clients already used Shiro for access control, and Shiro has CAS support (shiro-cas). The changes are as follows.
Add to web.xml:
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
Client shiro.ini; only the few URLs need to be adjusted to match your deployment:
[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casRealm = com.cheers.common.shiroCas.CasRealm
casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = http://localhost:8081/cas/
casRealm.casService = http://localhost:8082/garden/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
user.loginUrl = http://localhost:8081/cas/login?service=http://localhost:8082/garden/shiro-cas
[urls]
/shiro-cas = casFilter
/** = user
Returning multiple attributes from the CAS server
Edit deployerConfigContext.xml
Delete the original attributeRepository and replace it with:
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
<constructor-arg index="0" ref="dataSource" />
<constructor-arg index="1" value="SELECT * FROM USER_INFO WHERE {0}" />
<property name="queryAttributeMapping">
<map>
<entry key="username" value="USER_NAME" />
<!-- {0} becomes WHERE USER_NAME = username -->
</map>
</property>
<property name="resultAttributeMapping">
<map>
<!-- key = database column, value = attribute name -->
<entry key="USER_NAME" value="username" />
<entry key="FULLNAME" value="fullname" />
<entry key="USER_ID" value="userId" />
</map>
</property>
</bean>
Prefer listing the columns you need (USER_NAME, FULLNAME, USER_ID) instead of SELECT *, so that PASSWORD is never read into the attribute repository. The {0} placeholder is expanded by person-directory into a bind parameter, so the username is not concatenated into the SQL text.
Change registeredServicesList to:
<util:list id="registeredServicesList">
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
<property name="serviceId" value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="0" />
<property name="allowedAttributes">
<list>
<!-- attributes to release -->
<value>username</value>
<value>fullname</value>
<value>userId</value>
</list>
</property>
</bean>
</util:list>
The serviceId pattern ^(https?|imaps?)://.* is the stock catch-all: any URL on any host can act as a service, obtain tickets and receive every attribute listed under allowedAttributes. For production, register each application with a pattern anchored to its own host and path and list only the attributes that application needs.
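The following Python is an added model of how the registry above decides what a validation response carries; it is example code, not CAS's own implementation (CAS also refuses to issue tickets to unregistered services, which this model leaves out). It puts the page's catch-all entry next to a tightened registry with one scoped entry per application; the hostnames, the second application and the principal values are placeholders invented for the example, and the pattern matching approximates RegexRegisteredService with an anchored match from the start of the URL.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RegisteredService:
    """The fields of a registeredServicesList entry that matter for matching and attribute release."""
    service_id: str                       # regex over the service URL, as in RegexRegisteredService
    name: str
    evaluation_order: int
    allowed_attributes: List[str] = field(default_factory=list)

    def matches(self, service_url: str) -> bool:
        # All patterns in this example start with ^, so a match from the start is what we want.
        return re.match(self.service_id, service_url) is not None


def resolve_service(registry: List[RegisteredService], service_url: str) -> Optional[RegisteredService]:
    """First entry by evaluationOrder whose serviceId matches; None means the service is not registered."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if svc.matches(service_url):
            return svc
    return None


def release_attributes(svc: Optional[RegisteredService], principal_attrs: Dict[str, str]) -> Dict[str, str]:
    """Unregistered services get nothing; registered ones get only their allowedAttributes."""
    if svc is None:
        return {}
    return {k: v for k, v in principal_attrs.items() if k in svc.allowed_attributes}


# Constructed principal, shaped like what the attributeRepository above resolves.
PRINCIPAL = {"username": "zhangsan", "fullname": "Zhang San", "userId": "1001"}

# The registry as configured on this page: one catch-all entry.
WILDCARD_REGISTRY = [
    RegisteredService(r"^(https?|imaps?)://.*", "HTTP and IMAP", 0,
                      ["username", "fullname", "userId"]),
]

# Tightened alternative: one entry per application, anchored to host and path, minimal attributes.
# The hostnames are placeholders for this example.
SCOPED_REGISTRY = [
    RegisteredService(r"^https://garden\.example\.com/garden/shiro-cas$", "garden", 0,
                      ["username", "userId"]),
    RegisteredService(r"^https://his\.example\.com/his/.*", "his", 1,
                      ["username", "fullname"]),
]


def attributes_for(registry: List[RegisteredService], service_url: str) -> Dict[str, str]:
    """What a validation response for service_url would carry under <cas:attributes>."""
    return release_attributes(resolve_service(registry, service_url), PRINCIPAL)


if __name__ == "__main__":
    rogue = "http://attacker.example/collect"
    print("wildcard registry ->", attributes_for(WILDCARD_REGISTRY, rogue))  # the whole principal
    print("scoped registry   ->", attributes_for(SCOPED_REGISTRY, rogue))    # {}
```

With the catch-all entry a rogue URL that a user is tricked into visiting is a valid service and receives the full principal; with the scoped registry the same URL matches nothing, and each real application only sees the attributes it was granted.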
Edit WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp
Add the following directly after the <cas:user> line so that the attributes are returned to the client:
<cas:attributes>
<c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
<c:set var="key" value="${fn:escapeXml(attr.key)}" scope="request"/>
<c:set var="value" value="${fn:escapeXml(attr.value)}" scope="request"/>
<cas:${key}><%=java.net.URLEncoder.encode((String)request.getAttribute("value"),"UTF-8")%></cas:${key}>
</c:forEach>
</cas:attributes>
Each attribute value is XML-escaped and then percent-encoded (java.net.URLEncoder, UTF-8), so the client has to URL-decode the values before it can use them. Mind the order of the two steps: the XML entities are percent-encoded before the client's XML parser sees them, so a value containing &, <, > or quotes still carries the entity (for example &amp;) after URL-decoding and needs one more XML unescape. The attribute names become element names (<cas:${key}>), so every value in resultAttributeMapping must be a valid XML name.
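The client-side decoding described above, as an added Python example (not code from this page, from CAS or from the Java CAS client): it parses a CAS 2.0 serviceValidate response, URL-decodes each attribute and then unescapes the XML entities that survived, and it also approximates the JSP's two encoding steps so the round trip can be checked offline. The sample response and attribute values are constructed for the example, not captured from a server; html.escape stands in for fn:escapeXml and quote_plus for URLEncoder, which agree on the characters used here.

```python
import html
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

CAS_NS = "http://www.yale.edu/tp/cas"


def encode_attribute_value(value: str) -> str:
    """Approximation of the JSP: fn:escapeXml, then URLEncoder.encode(..., "UTF-8")."""
    escaped = html.escape(value, quote=True)  # &, <, >, ", ' become entities
    return urllib.parse.quote_plus(escaped, safe="", encoding="utf-8")  # '+' for space, %XX otherwise


def decode_attribute_value(raw: str) -> str:
    """Client side: percent-decode first, then unescape the XML entities that survived the XML
    parser because they had been percent-encoded before the parser saw them."""
    return html.unescape(urllib.parse.unquote_plus(raw, encoding="utf-8"))


def parse_service_validate(xml_text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """(user, attributes) from a CAS 2.0 serviceValidate response; (None, {}) when it is a failure."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None, {}
    user_el = success.find(f"{{{CAS_NS}}}user")
    user = user_el.text if user_el is not None else None
    attrs: Dict[str, str] = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.rsplit("}", 1)[-1]  # strip the cas namespace from <cas:fullname>
            attrs[name] = decode_attribute_value(child.text or "")
    return user, attrs


def build_sample_response(user: str, attributes: Dict[str, str]) -> str:
    """Constructed stand-in for the server's output with the JSP change above; not a captured response."""
    body = "".join(f"<cas:{k}>{encode_attribute_value(v)}</cas:{k}>" for k, v in attributes.items())
    return (
        f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
        "<cas:authenticationSuccess>"
        f"<cas:user>{html.escape(user)}</cas:user>"
        f"<cas:attributes>{body}</cas:attributes>"
        "</cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )


# Constructed failure response in the CAS 2.0 shape.
SAMPLE_FAILURE = (
    f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
    "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>"
    "</cas:serviceResponse>"
)

# Constructed attributes whose fullname exercises both encoding layers.
SAMPLE_ATTRIBUTES = {"username": "zhangsan", "fullname": "Zhang <San> & Co", "userId": "1001"}


def roundtrip() -> Tuple[Optional[str], Dict[str, str]]:
    """Encode as the server would, parse as the client should; returns the decoded principal."""
    return parse_service_validate(build_sample_response("zhangsan", SAMPLE_ATTRIBUTES))


if __name__ == "__main__":
    print(build_sample_response("zhangsan", SAMPLE_ATTRIBUTES))
    print(roundtrip())
```

The on-the-wire value for "Zhang <San> & Co" is Zhang+%26lt%3BSan%26gt%3B+%26amp%3B+Co; URL-decoding alone yields Zhang &lt;San&gt; &amp; Co, which is why decode_attribute_value finishes with html.unescape. A client that only URL-decodes will store the entity forms in its session.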