源码下载:http://pan.baidu.com/s/1bniDFD9
1、下载cas-server-3.5.2-release.zip并把cas-server-webapp.war部署到tomcat
2、配置依赖jar包
//spring
compile 'org.springframework:spring-beans:3.0.4.RELEASE'
compile 'org.springframework:spring-core:3.0.4.RELEASE'
compile 'org.springframework:spring-web:3.0.4.RELEASE'
compile 'org.springframework:spring-webmvc:3.0.4.RELEASE'
compile 'org.springframework:spring-context:3.0.4.RELEASE'
compile 'org.springframework:spring-context-support:3.0.4.RELEASE'
//json
compile 'org.codehaus.jackson:jackson-core-lgpl:1.8.1'
compile 'org.codehaus.jackson:jackson-mapper-lgpl:1.8.1'
compile 'commons-fileupload:commons-fileupload:1.3.1'
compile 'commons-io:commons-io:2.4'
compile 'org.apache.commons:commons-lang3:3.4'
//shiro
compile 'org.apache.shiro:shiro-core:1.2.3'
compile 'org.apache.shiro:shiro-web:1.2.3'
compile 'org.apache.shiro:shiro-spring:1.2.3'
compile 'org.apache.shiro:shiro-cas:1.2.3'
//j2ee
compile 'javax.servlet:javax.servlet-api:3.1.0'
//log
compile "org.slf4j:slf4j-log4j12:1.7.5"
//jedis
compile "redis.clients:jedis:2.1.0"
testCompile 'junit:junit:4.11'
3、Shiro 对 cas 集成后,cas client的配置更加简单了。原理就是将casFilter添加到到shiroFilter的filterChain中,在Spring项目中集成Shiro和CAS
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<bean id="shiroFilter" class="org.demo.shiro.MyShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<!--没有单点登录下的配置:没有权限或者失败后跳转的页面 -->
<!-- <property name="loginUrl" value="/" /> -->
<!--有单点登录的配置:登录 CAS 服务端地址,参数 service 为服务端的返回地址 -->
<property name="loginUrl"
value="http://192.168.1.128:9090/login?service=http://192.168.1.1:9080/shiro-cas" />
<!--<property name="successUrl" value="/page/index.jsp"/> -->
<property name="successUrl" value="/casSuccess" />
<property name="filters">
<map>
<!--添加casFilter到shiroFilter -->
<entry key="casFilter" value-ref="casFilter">
</entry>
</map>
</property>
<property name="filterChainDefinitions">
<value>
/shiro-cas= casFilter,anon
/styles/**= anon
/login =anon
/**= user
</value>
</property>
</bean>
<bean id="myRealm" class="org.demo.shiro.MyRealm" />
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--Single realm app. If you have multiple realms, use the 'realms' property
instead. -->
<!--没有单点登录下的配置: -->
<!-- <property name="realm" ref="myRealm" /> -->
<property name="realm" ref="casRealm" />
<property name="subjectFactory" ref="casSubjectFactory" />
<property name="cacheManager" ref="shiroEhcacheManager" />
</bean>
<bean id="casFilter" class="org.apache.shiro.cas.CasFilter">
<!--配置验证错误时的失败页面(Ticket 校验不通过时展示的错误页面) -->
<property name="failureUrl" value="/casFailure" />
</bean>
<!--
没有单点登录情况下的话,登录认证和授权认证默认在AuthorizingRealm的doGetAuthorizationInfo和doGetAuthenticationInfo中进行,所以我这里是通过shiroDbRealm(继承AuthorizingRealm的自定义类)覆写doGetAuthorizationInfo和doGetAuthenticationInfo,实现自定义登录认证和授权认证。
<br />
有单点登录情况下,登录认证是在 casserver 进行的,那么执行流程是这样的:用户从 cas server 登录成功后,跳到 cas client 的CasRealm执行默认的doGetAuthorizationInfo和doGetAuthenticationInfo,此时doGetAuthenticationInfo做的工作是把登录用户信息传递给 shiro ,保持默认即可,而对于授权的处理,可以通过MyCasRealm(继承CasRealm的自定义类)覆写doGetAuthorizationInfo进行自定义授权认证。 -->
<bean id="casRealm" class="org.apache.shiro.cas.CasRealm">
<property name="defaultRoles" value="ROLE_USER" />
<property name="casServerUrlPrefix" value="http://192.168.1.128:9090" />
<!--客户端的回调地址设置,必须和上面的shiro-cas过滤器拦截的地址一致 -->
<property name="casService" value="http://192.168.1.1:9080/shiro-cas" />
</bean>
<bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory" />
<!--用户授权/认证信息Cache, 采用EhCache 缓存 -->
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache.xml" />
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
</beans>
4、部署多个应用,去除cas的https登录,如果不去除,https的cookie会出问题,导致多个web应用单点登录失败
5、注意事项&成功截图
vim /opt/tomcat7/webapps/ROOT/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml
vim /opt/tomcat7/webapps/ROOT/WEB-INF/deployerConfigContext.xml
修改cas Server端:
/WebRoot/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml 文件:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="true" //默认为true,使用https,如果只需要http,修改为false即可
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" />
第二个要修改的地方:
修改deployerConfigContext.xml文件,在authenticationHandlers属性中
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient"
p:requireSecure="false" />
这个文件增加属性 p:requireSecure="false"
如果不修改deployerConfigContext.xml会报错误:
TicketCreationException: error.authentication.credentials.bad
成功截图