SSO can be implemented in several ways; the mainstream ones are OAuth 2.0, SAML 2.0 and OpenID.
A number of SSO components have grown out of these; the ones I have worked with so far are CAS and Keycloak.
I have not had much contact with CAS, probably because I used Keycloak first.
For CAS, you first need to deploy a minimal CAS server.
CAS requires HTTPS by default.
For first use it is recommended to edit WEB-INF\classes\services\HTTPSandIMAPS-10000001.json:
1. Change "serviceId" : "^(https|imaps)://.*" to "serviceId" : "^(https|http|imaps)://.*"
and \WEB-INF\classes\application.properties:
2. Set cas.authn.accept.users=admin::admin // configures the user credentials
cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true
The result after deployment is shown in the figure.
Application integration:
Add the client dependency in pom.xml:
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.5.0</version>
</dependency>
Configure web.xml as follows:
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter implements single sign-out; it is optional. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://hostname/cas</param-value><!-- the server here is the CAS server's IP -->
    </init-param>
</filter>
<!-- This filter handles user authentication and must be enabled. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://hostname/cas/login</param-value><!-- the server here is the CAS server's IP -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://apphostname</param-value> <!-- the server here is the DMS system's IP -->
    </init-param>
</filter>
<!-- This filter validates the ticket and must be enabled. -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://hostname/cas</param-value> <!-- the server here is the CAS server -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://apphostname</param-value> <!-- the server here is the DMS system address -->
    </init-param>
</filter>
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/WmsLogoutAction</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Authentication flow
1. The app request is intercepted and redirected to the CAS login page:
http://cashostname/cas/login?service=apphostname
2. After CAS login, the ticket is validated:
http://cashostname/cas/p3/serviceValidate?ticket=XXX&service=apphostname
3. Retrieving the user information:
AssertionHolder.getAssertion().getPrincipal().getName();
4. Logout:
http://cashostname/cas/logout?service=apphostname
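The four steps above, walked through as an added example in plain Python (this is not code from the original post or from the Jasig client library, which does the same work inside the filters configured in web.xml). It builds the login, p3/serviceValidate and logout URLs, strips the ticket from the callback URL so the service passed to validation matches the one used at login, and parses a constructed CAS 3.0 response for both the success and the INVALID_TICKET case; the host names, the attribute names and the sample responses are all assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS responses

def login_url(cas_prefix, service):
    # Step 1: where the filter sends an unauthenticated request.
    return f"{cas_prefix}/login?" + urlencode({"service": service})

def service_and_ticket(callback_url):
    # CAS returns to service?ticket=ST-...; the 'service' sent for validation
    # must be that URL *without* the ticket parameter, or CAS rejects it.
    parts = urlparse(callback_url)
    query = parse_qs(parts.query)
    ticket = query.pop("ticket", [None])[0]
    return parts._replace(query=urlencode(query, doseq=True)).geturl(), ticket

def validate_url(cas_prefix, service, ticket):
    # Step 2: the app calls this server-side; a ticket proves nothing until
    # CAS confirms it was issued for this exact service.
    return f"{cas_prefix}/p3/serviceValidate?" + urlencode(
        {"ticket": ticket, "service": service})

def parse_validation_response(xml_text):
    # Step 3: principal and attributes from the p3 response; raise on failure.
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        raise ValueError("ticket validation failed: "
                         + (fail.get("code", "?") if fail is not None else "?"))
    attrs, holder = {}, ok.find("cas:attributes", CAS_NS)
    for child in ([] if holder is None else holder):
        name = child.tag.split("}", 1)[-1]       # strip the namespace
        attrs.setdefault(name, []).append((child.text or "").strip())
    return ok.findtext("cas:user", namespaces=CAS_NS), attrs

def logout_url(cas_prefix, service):
    # Step 4: ends the CAS session and returns to the app.
    return f"{cas_prefix}/logout?" + urlencode({"service": service})

# Constructed sample responses in CAS 3.0 format (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>admin</cas:user><cas:attributes>
  <cas:memberOf>dms-users</cas:memberOf><cas:memberOf>wms-admins</cas:memberOf>
 </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized
 </cas:authenticationFailure></cas:serviceResponse>"""
```

Over plain http, as configured above, the ticket and the validation response travel in the clear, which is why CAS enables https and cas.tgc.secure by default.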