一、 配置CAS客户端及个性化定制
目前实现了由 CAS 统一认证登录,但用户在每个系统中的权限仍由各个系统自行验证,相当于各个系统根据返回的用户信息在后台再登录了一次。
因为我们的系统需要支持内网和外网地址都能访问,因此我对 CAS 客户端做了一些修改,主要是访问地址方面的修改。
Web.xml中的配置信息如下:
<!-- Single sign-out. Filters run in the order their filter-mappings are declared
     (servlet spec), so this mapping is placed before the authentication filter. -->
<filter>
<filter-name>CASSingle Sign Out Filter</filter-name>
<filter-class>cas.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CASSingle Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>cas.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Single sign-on -->
<filter>
<filter-name>CASAuthentication Filter</filter-name>
<filter-class>cas.authentication.AuthenticationFilter</filter-class>
<!-- CAS login service address.
     In this project's modified AuthenticationFilter this is only the default; the
     effective login URL is read per request from data/config.xml (cas/authserver
     inurl or outurl, chosen by CustomConfigUtil). -->
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas.server:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>renew</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>gateway</param-name>
<param-value>false</param-value>
</init-param>
<!-- Client application service address.
     NOTE(review): the service URL is plain http, so the service ticket CAS appends on
     redirect travels back in clear text - confirm this is only for local development.
     NOTE(review): serverName here ends with "/" while the validation filter's below does
     not; the service value presented at login and at ticket validation must match, so
     keep both filters (and data/config.xml) in the same form. -->
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:9999/</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9999/ewp/login/doLogin</param-value>
</init-param>
</filter>
<!-- Ticket validation. No proxy receptor/callback parameters are configured here, so the
     proxy-receiving filter is presumably acting as plain CAS 2.0 validation - confirm. -->
<filter>
<filter-name>CASValidation Filter</filter-name>
<filter-class>cas.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas.server:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:9999</param-value><!-- the client's own host and port go here -->
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9999/ewp/login/doLogin</param-value>
</init-param>
<!-- Keep the validated assertion in the HTTP session. -->
<init-param>
<param-name>useSession</param-name>
<param-value>true</param-value>
</init-param>
<!-- Redirect once more after a successful validation so the ticket is dropped from the URL. -->
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- Exposes the CAS principal through HttpServletRequest.getRemoteUser()/getUserPrincipal(). -->
<filter>
<filter-name>CASHttpServletRequestWrapperFilter</filter-name>
<filter-class>cas.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!-- Makes the assertion available to application code through a thread-local. -->
<filter>
<filter-name>CASAssertion Thread Local Filter</filter-name>
<filter-class>cas.util.AssertionThreadLocalFilter</filter-class>
</filter>
<!-- Mapping order: authenticate, validate the ticket, then wrap the request. -->
<filter-mapping>
<filter-name>CASAuthentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASValidation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASHttpServletRequestWrapperFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASAssertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
主要修改了以下几点:
1、修改AuthenticationFilter文件中的doFilter
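/**
 * Lets the request through or redirects the browser to the CAS login page.
 *
 * <p>The request proceeds down the chain when a service ticket is present in the artifact
 * parameter, when the session already holds a CAS assertion, when the session is marked as
 * gatewayed, or when the request carries {@code isToLogout=1}. Otherwise the user is sent to
 * the CAS login URL resolved for this request by CustomConfigUtil (intranet or extranet
 * variant from data/config.xml), with the web.xml {@code casServerLoginUrl} as fallback.
 *
 * @param servletRequest  the request; must be an {@link HttpServletRequest}
 * @param servletResponse the response; must be an {@link HttpServletResponse}
 * @param filterChain     the remaining filter chain
 * @throws IOException      if the redirect cannot be written
 * @throws ServletException if a downstream filter fails
 */
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
        final FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    final HttpSession session = request.getSession(false);

    final String ticket = request.getParameter(getArtifactParameterName());
    final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;
    final boolean wasGatewayed = session != null && session.getAttribute(CONST_CAS_GATEWAY) != null;

    // Any URL whose parameters contain isToLogout=1 is treated as a system logout URL.
    // NOTE(review): this is checked alongside the ticket/assertion test, so *any* request
    // carrying isToLogout=1 skips the CAS redirect regardless of its path; whatever login
    // check runs downstream must not rely on this filter alone.
    final boolean isLogoutRequest = "1".equals(request.getParameter("isToLogout"));

    if (CommonUtils.isBlank(ticket) && assertion == null && !wasGatewayed && !isLogoutRequest) {
        log.debug("no ticket and no assertion found");
        if (this.gateway) {
            log.debug("setting gateway attribute in session");
            request.getSession(true).setAttribute(CONST_CAS_GATEWAY, "yes");
        }

        final String serviceUrl = constructServiceUrl(request, response, "auth");

        // Resolve the CAS login URL for this request from data/config.xml.
        // Kept in a local rather than written to this.casServerLoginUrl: one Filter instance
        // serves concurrent requests, so a per-request field write can send a user to the other
        // network's CAS server. The init-param value remains the fallback when the key is absent.
        final Map<String, String> config = CustomConfigUtil.getCustomConfig(request.getServletContext(), request);
        // Read as Object: CustomConfigUtil is Groovy and stores GString values, so a String-typed
        // read could fail the implicit checkcast.
        final Object configuredLoginUrl = config.get("authServerUrl");
        final String loginUrl = configuredLoginUrl == null || CommonUtils.isBlank(configuredLoginUrl.toString())
                ? this.casServerLoginUrl
                : configuredLoginUrl.toString();

        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(loginUrl, getServiceParameterName(),
                serviceUrl, this.renew, this.gateway);
        if (log.isDebugEnabled()) {
            log.debug("redirecting to \"" + urlToRedirectTo + "\"");
        }
        response.sendRedirect(urlToRedirectTo);
        return;
    }

    if (session != null) {
        log.debug("removing gateway attribute from session");
        session.setAttribute(CONST_CAS_GATEWAY, null);
    }
    filterChain.doFilter(request, response);
}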
2、修改文件AbstractCasFilter中的constructServiceUrl
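/**
 * Builds the service URL that is sent to CAS for this request.
 *
 * <p>The web.xml init-params ({@code serverName} / {@code service}) act only as defaults: the
 * effective values are looked up per request in data/config.xml through CustomConfigUtil,
 * which returns the intranet or extranet variant depending on how the request arrived.
 *
 * @param request  the current request
 * @param response the current response, passed on to CommonUtils for URL encoding
 * @param type     {@code "auth"} for the login redirect, {@code "validation"} for ticket
 *                 validation; any other value keeps the init-param defaults
 * @return the service URL to pass to CAS as the {@code service} parameter
 */
protected final String constructServiceUrl(final HttpServletRequest request, final HttpServletResponse response,
        final String type) {
    final Map<String, String> config = CustomConfigUtil.getCustomConfig(request.getServletContext(), request);

    final String serverNameKey;
    final String serviceKey;
    if ("auth".equals(type)) {
        serverNameKey = "localAuthServerName";
        serviceKey = "localAuthServiceUrl";
    } else if ("validation".equals(type)) {
        serverNameKey = "localValidationServerName";
        serviceKey = "localValidationServiceUrl";
    } else {
        serverNameKey = null;
        serviceKey = null;
    }

    // Resolved into locals instead of this.serverName / this.service: one filter instance
    // serves concurrent requests, so an "auth" request could overwrite the fields while a
    // "validation" request is still building its URL, and the ticket would then be validated
    // against the wrong service. A missing key falls back to the web.xml init-param value.
    final String serverName = configValue(config, serverNameKey, this.serverName);
    final String service = configValue(config, serviceKey, this.service);

    return CommonUtils.constructServiceUrl(request, response, service, serverName,
            this.artifactParameterName, this.encodeServiceUrl);
}

/**
 * Returns the configuration value stored under {@code key}, or {@code fallback} when the key
 * is {@code null} or not present in the map.
 */
private static String configValue(final Map<String, String> config, final String key, final String fallback) {
    if (key == null) {
        return fallback;
    }
    // Read as Object: CustomConfigUtil is Groovy and stores GString values, so a String-typed
    // read could fail the implicit checkcast.
    final Object value = config.get(key);
    return value == null ? fallback : value.toString();
}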
附上 CustomConfigUtil 源码:
package cn.com.wz
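/**
 * Shared helpers for reading the application's custom configuration (data/config.xml).
 *
 * @author huxx
 * @since 2013-5-28 11:25
 */
class CustomConfigUtil {
    /** Element name holding the extranet variant of a CAS setting. */
    private static final String OUT_SIDE = 'outurl'
    /** Element name holding the intranet variant of a CAS setting. */
    private static final String IN_SIDE = 'inurl'

    /**
     * Reads the properties from the configuration file and resolves the intranet/extranet
     * variants of the CAS addresses for the current request.
     *
     * The file is re-read and parsed on every call; the CAS filters call this once in
     * doFilter and once more in constructServiceUrl, so cache upstream if this shows up
     * in profiles.
     *
     * NOTE(review): the file lives under the web root (/data/config.xml) and lists internal
     * host addresses - confirm the container does not serve that path directly.
     *
     * @param servletContext the servlet context, used to locate data/config.xml (must not be null)
     * @param request        the current request, or null; with null the intranet
     *                       (workflow-internal) addresses are returned
     * @return configuration keys mapped to plain String values
     */
    static Map<String, String> getCustomConfig(def servletContext, def request) {
        // NOTE(review): getRealPath returns null when the WAR is not unpacked - confirm deployment.
        def realPath = servletContext.getRealPath('/data/config.xml')
        def xml = FileUtil.readXML(realPath)

        def result = [:]
        result.appCode = text(xml.app.appCode)                      // application system code
        result.defaultCategoryId = text(xml.home.defaultCategoryId) // default page column ids
        result.defaultChecked = text(xml.home.defaultChecked)       // default selected column ids
        result.inWFRootUrl = text(xml.home.inWFRootUrl)             // workflow internal root URL
        result.outWFRootUrl = text(xml.home.outWFRootUrl)           // workflow external root URL
        result.inEWPRootUrl = text(xml.home.inRootUrl)              // EWP internal root URL (element is inRootUrl)
        result.outEWPRootUrl = text(xml.home.outRootUrl)            // EWP external root URL
        result.isSSO = text(xml.isSSO)

        // Decide whether the request arrived through the extranet or the intranet address;
        // that selects the <outurl>/<inurl> variant of every CAS setting below.
        boolean external = isExternalRequest(request, text(xml.home.outRootUrl))
        String side = external ? OUT_SIDE : IN_SIDE

        result.logoutUrl = text(xml.cas.logout."$side")
        result.authServerUrl = text(xml.cas.authserver."$side")
        result.localAuthServiceUrl = text(xml.cas.localauthserviceurl."$side")
        result.localAuthServerName = text(xml.cas.localauthservername."$side")
        result.validationServerUrl = text(xml.cas.validationserver."$side")
        result.localValidationServiceUrl = text(xml.cas.localvalidationserviceurl."$side")
        result.localValidationServerName = text(xml.cas.localvalidationservername."$side")
        result.rootUrl = external ? text(xml.home.outWFRootUrl) : text(xml.home.inWFRootUrl)

        result.getBackLogUrl = text(xml.home.getBackLogUrl)
        result.getmessages = text(xml.home.getmessages)
        result.uploadRootDir = text(xml.upload.rootDir)
        // Several <noNeedLoginUrl> elements concatenate into a single string; the trailing '_'
        // on each entry in config.xml is what keeps them separable.
        result.noNeedLoginUrl = text(xml.security.noNeedLoginUrl)
        return result
    }

    /**
     * True when the request URL contains the configured external root URL (case-insensitive).
     *
     * NOTE(review): the request URL is rebuilt from the client-supplied Host header and this
     * is a substring match anywhere in the URL, so the caller can influence which network's
     * CAS addresses come back; a prefix match on scheme and host would be stricter.
     *
     * @param request    the current request, or null (treated as intranet)
     * @param outRootUrl the configured external root URL
     */
    private static boolean isExternalRequest(def request, String outRootUrl) {
        if (!request) {
            return false
        }
        String url = request.getRequestURL().toString()
        // Locale.ROOT keeps the comparison independent of the server's default locale.
        return url.toUpperCase(Locale.ROOT).contains(outRootUrl.toUpperCase(Locale.ROOT))
    }

    /**
     * Text of a GPath node as a plain String - the same value the GString "${node}" yields,
     * but stored as java.lang.String so the map matches its declared Map<String, String> type.
     */
    private static String text(def node) {
        return node.toString()
    }
}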
配置文件信息:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Application configuration read by CustomConfigUtil on every request. -->
<wz>
<app>
<appCode>app_ewp</appCode>
</app>
<home>
<!-- Portal column ids; ';' separates groups, ',' separates columns. -->
<defaultCategoryId>div_userInfo,div_linkTools,div_links;div_workFlow,div_schedule,div_message,div_address;div_bookTicket,div_itAndPro,div_activity,div_ygwy,div_gszd,div_qywh</defaultCategoryId>
<defaultChecked>div_userInfo,div_linkTools,div_workFlow,div_schedule,div_message,div_address,div_bookTicket,div_itAndPro,div_activity,div_links,div_gszd,div_ygwy,div_qywh</defaultChecked>
<!-- Workflow root URLs, intranet and extranet. -->
<inWFRootUrl>http://192.168.1.162/</inWFRootUrl>
<outWFRootUrl>http://wf.wuzheng.com.cn/</outWFRootUrl>
<!-- EWP root URLs. outRootUrl is also the marker CustomConfigUtil looks for in the request
     URL to decide that a request arrived through the extranet. -->
<inRootUrl>http://192.168.1.8/</inRootUrl>
<outRootUrl>http://192.168.107.24:9999/ewp/</outRootUrl>
<getBackLogUrl>interfaces/getBackLog</getBackLogUrl>
<getmessages>message/processMessages</getmessages>
</home>
<!-- Every CAS setting has an <inurl> (used for intranet requests) and an <outurl> (used for
     extranet requests); CustomConfigUtil picks one side per request. -->
<cas>
<authserver>
<inurl>https://cas.server:8443/cas</inurl>
<!-- NOTE(review): TLS to an IP literal needs a certificate whose SAN covers that IP -
     confirm the client is not configured to skip hostname verification. -->
<outurl>https://192.168.107.8:8443/cas</outurl>
</authserver>
<!-- Left empty on both sides: the auth filter is given the full service URL below instead.
     An empty element still yields an empty string, not an absent key. -->
<localauthservername>
<inurl></inurl>
<outurl></outurl>
</localauthservername>
<localauthserviceurl>
<inurl>http://localhost:9999/ewp/login/doLogin</inurl>
<outurl>http://192.168.107.24:9999/ewp/login/doLogin</outurl>
</localauthserviceurl>
<validationserver>
<inurl>https://cas.server:8443/cas</inurl>
<outurl>https://192.168.107.8:8443/cas</outurl>
</validationserver>
<localvalidationservername>
<inurl>http://localhost:9999</inurl>
<outurl>http://192.168.107.24:9999</outurl>
</localvalidationservername>
<!-- Left empty on both sides: the validation filter is given the server name above instead.
     NOTE(review): the service presented at login and at validation must match - confirm
     the empty service here resolves to the same URL as localauthserviceurl. -->
<localvalidationserviceurl>
<inurl></inurl>
<outurl></outurl>
</localvalidationserviceurl>
<logout>
<inurl>https://cas.server:8443/cas/logout</inurl>
<outurl>https://192.168.107.8:8443/cas/logout</outurl>
</logout>
</cas>
<upload>
<rootDir>D:</rootDir>
</upload>
<!-- Security-related configuration -->
<security>
<!-- URLs that do not require login verification. Each entry must end with an underscore "_":
     CustomConfigUtil concatenates all <noNeedLoginUrl> elements into one string, and the
     trailing underscore is the only separator between entries. -->
<noNeedLoginUrl>/_</noNeedLoginUrl>
<noNeedLoginUrl>/login/doLogin_</noNeedLoginUrl>
<noNeedLoginUrl>/login/doLoginForCas_</noNeedLoginUrl>
<noNeedLoginUrl>/login/login_</noNeedLoginUrl>
<noNeedLoginUrl>/common/ajax_</noNeedLoginUrl>
<noNeedLoginUrl>/ShortMessage/sendForWF_</noNeedLoginUrl>
</security>
<isSSO>1</isSSO>
</wz>