spring Security 和CAS 整合 修改要点总结

1、前后台登录页面；扩展AuthenticationEntryPoint过滤器 
2、前后台认证成功页面；自定义过滤器扩展AuthenticationProcessingFilter过滤器 
3、前后台认证失败页面；自定义过滤器扩展AuthenticationProcessingFilter过滤器 
4、前后台无权限页面； access-denied-page 
5、前后台注销返回页面。配置<logout logout-success-url="/login.jsp" invalidate-session="true" />标签 

1）现象描述由于我们主页采用ajaxlogin方式因此结合springsecurity的话有一个默认的defaluttarget 和 intercepet page

通过把defaluttarget 定义为一个action 内部含有status 调用的时候利用struts的ajaxplugin 把转为json状态。当有intercept页面的时候通过

重写AbstractProcessingFilter.java 类中涉及到的RedirectUtils里面让其不要自动跳转而是向页面端发送一个json格式的字符串。

2）当解决了1中的描述后，又遇到一个问题，就是在注册的时候我们想要实现注册最后一步后自动登录的实现。但是由于spring security 是根据defaluttarget 和 intercepet page来redirct后者当我们改成ajax方式后就会像前台发送ajax的数据。但是在注册的时候没有拦截到跳转页就会导向action页面 而我们想让其导向其他页面，因此做法就是：

在登录的最后一步把一个值放到session中然后在redirect的时候判断这个值是否存在 存在就按照我想的跳转。

具体修改可以如下：

AbstractProcessingFilter.java 为 AuthenticationProcessingFilter的父类 修改 AbstractProcessingFilter来实现登录不同行为的跳转

我通过修改

protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
            throws IOException {
     if (request.getSession().getAttribute("login_type") != null) {
           Properties properties = PropertiesFile.getProperties("/properties/casUrl.properties");
           java.lang.String httpPrefix = properties.getProperty("httpPrefix");
           java.lang.String httpAVerPortalPrefix = properties.getProperty("httpAVerPortalPrefix");
           java.lang.String str = httpPrefix + httpAVerPortalPrefix;
           request.getSession().removeAttribute("login_type");
           url = str;
         }
        RedirectUtils.sendRedirect(request, response, url, useRelativeContext);
    }

方法加入了加色字体部分来改变redirect 方向。

 

但是这个方法有些时候不能取到session中的东西，有些时候能成功，但是有些时候session中没值，不知道什么原因

 

因此通过在request后带参数参数格式为XXX/j_spring_cas_security_check?type=XX&URL=xxx

修改使得service      XXX/j_spring_cas_security_check支持后带参数修改如下：

修改pacpackage org.jasig.cas中的CentralAuthenticationServiceImpl中的validateServiceTicket目的是由于在XML配置的service是不带参数的，而传过去的service是带参数的，两个就不会相同，因此要改写这个方法使得只要去除参数后相同就可以了。

public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException { Assert.notNull(serviceTicketId, "serviceTicketId cannot be null"); Assert.notNull(service, "service cannot be null"); final ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry .getTicket(serviceTicketId, ServiceTicket.class); final RegisteredService registeredService = this.servicesManager .findServiceBy(service); if (registeredService == null || !registeredService.isEnabled()) { throw new UnauthorizedServiceException( "Service not allowed to validate tickets."); } if (serviceTicket == null) { if (log.isDebugEnabled()) { log.debug("ServiceTicket [" + serviceTicketId + "] does not exist."); } throw new InvalidTicketException(); } try { synchronized (serviceTicket) { if (serviceTicket.isExpired()) { if (log.isDebugEnabled()) { log.debug("ServiceTicket [" + serviceTicketId + "] has expired."); } throw new InvalidTicketException(); } //tony add // System.out.println("------------prototype----------"+service); // System.out.println("------------getAttributes----------"+service.getAttributes()); // System.out.println("------------getId----------"+service.getId()); String str = null; // if(serviceTicket!=null){ // String serviceTicket_temp = serviceTicket.getId(); // str = serviceTicket_temp.substring(0, serviceTicket_temp.indexOf("?")); // System.out.println("------------str----------"+str); // } // if (!str.equals(service.getId())) { // if (log.isErrorEnabled()) { // log.error("ServiceTicket [" + serviceTicketId // + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]"); // } // throw new TicketValidationException(serviceTicket.getService()); // } // } String serviceTicket_temp = serviceTicket.getService().getId(); if(serviceTicket_temp.indexOf("?")!=-1) str = serviceTicket_temp.substring(0, serviceTicket_temp.indexOf("?")); else str = serviceTicket_temp; // System.out.println("--------------------looking-------------"+str); if (!str.endsWith(service.toString())) { if (log.isErrorEnabled()) { log.error("ServiceTicket [" + serviceTicketId + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]"); } throw new TicketValidationException(serviceTicket.getService()); } } final int authenticationChainSize = serviceTicket .getGrantingTicket().getChainedAuthentications().size(); final Authentication authentication = serviceTicket .getGrantingTicket().getChainedAuthentications().get( authenticationChainSize - 1); final Principal principal = authentication.getPrincipal(); final String principalId = registeredService.isAnonymousAccess() ? this.persistentIdGenerator.generate(principal, serviceTicket .getService()) : principal.getId(); final Authentication authToUse; if (!registeredService.isIgnoreAttributes()) { final Map<String, Object> attributes = new HashMap<String, Object>(); for (final String attribute : registeredService .getAllowedAttributes()) { final Object value = principal.getAttributes().get( attribute); if (value != null) { attributes.put(attribute, value); } } final Principal modifiedPrincipal = new SimplePrincipal( principalId, attributes); final MutableAuthentication mutableAuthentication = new MutableAuthentication( modifiedPrincipal, authentication.getAuthenticatedDate()); mutableAuthentication.getAttributes().putAll( authentication.getAttributes()); mutableAuthentication.getAuthenticatedDate().setTime( authentication.getAuthenticatedDate().getTime()); authToUse = mutableAuthentication; } else { authToUse = authentication; } final List<Authentication> authentications = new ArrayList<Authentication>(); for (int i = 0; i < authenticationChainSize - 1; i++) { authentications.add(serviceTicket.getGrantingTicket() .getChainedAuthentications().get(i)); } authentications.add(authToUse); return new ImmutableAssertionImpl(authentications, serviceTicket .getService(), serviceTicket.isFromNewLogin()); } finally { if (serviceTicket.isExpired()) { this.serviceTicketRegistry.deleteTicket(serviceTicketId); } } }

完整的类CentralAuthenticationServiceImpl