cas 4.1.5 添加验证码 亲测成功

最新推荐文章于 2022-01-25 13:22:16 发布
最新推荐文章于 2022-01-25 13:22:16 发布
阅读量198 收藏
点赞数
原文链接:https://my.oschina.net/u/2380830/blog/835328
版权

转自 http://blog.csdn.net/attackmind/article/details/52052502 

1、在cas工程的web.xml增加验证码功能的支持:

<!-- 验证码功能 -->  
<servlet>  
    <servlet-name>Kaptcha</servlet-name>  
    <servlet-class>com.google.code.kaptcha.servlet.KaptchaServlet</servlet-class>  
    <init-param>  
        <param-name>kaptcha.border</param-name>  
        <param-value>no</param-value>  
    </init-param>  
    <init-param>  
        <param-name>kaptcha.textproducer.char.space</param-name>  
        <param-value>5</param-value>  
    </init-param>  
    <init-param>  
        <param-name>kaptcha.textproducer.char.length</param-name>  
        <param-value>5</param-value>  
    </init-param>  
</servlet>  
  
<servlet-mapping>  
    <servlet-name>Kaptcha</servlet-name>  
    <url-pattern>/captcha.jpg</url-pattern>  
</servlet-mapping>

2、新建一个类UsernamePasswordCredentialWithAuthCode,该类继承了

org.jasig.cas.authentication.UsernamePasswordCredential,添加一个验证码字段,

并且重写equals和hashCode方法,添加关于验证码比较的信息

package org.spire.cas.core.authentication;  
  
import javax.validation.constraints.NotNull;  
import javax.validation.constraints.Size;  
  
import org.apache.commons.lang3.builder.HashCodeBuilder;  
import org.jasig.cas.authentication.UsernamePasswordCredential;  
  
public class UsernamePasswordCredentialWithAuthCode extends  
        UsernamePasswordCredential {  
    /** 
     * 带验证码的登录界面 
     */  
    private static final long serialVersionUID = 1L;  
    /** 验证码*/  
    @NotNull  
    @Size(min = 1, message = "required.authcode")  
    private String authcode;  
  
    /** 
     *  
     * @return 
     */  
    public final String getAuthcode() {  
        return authcode;  
    }  
  
    /** 
     *  
     * @param authcode 
     */  
    public final void setAuthcode(String authcode) {  
        this.authcode = authcode;  
    }  
  
    @Override  
    public boolean equals(final Object o) {  
        if (this == o) {  
            return true;  
        }  
        if (o == null || getClass() != o.getClass()) {  
            return false;  
        }  
  
        final UsernamePasswordCredentialWithAuthCode that = (UsernamePasswordCredentialWithAuthCode) o;  
  
        if (getPassword() != null ? !getPassword().equals(that.getPassword())  
                : that.getPassword() != null) {  
            return false;  
        }  
  
        if (getPassword() != null ? !getPassword().equals(that.getPassword())  
                : that.getPassword() != null) {  
            return false;  
        }  
        if (authcode != null ? !authcode.equals(that.authcode)  
                : that.authcode != null)  
            return false;  
  
        return true;  
    }  
  
    @Override  
    public int hashCode() {  
        return new HashCodeBuilder().append(getUsername())  
                .append(getPassword()).append(authcode).toHashCode();  
    }  
  
}

3.新建一个类AuthenticationViaFormActionWithAuthCode,该类继承了org.jasig.cas.web.flow.AuthenticationViaFormAction类,增加一个验证码方法validatorCode:

package org.spire.cas.core.authentication;  
  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpSession;  
  
import org.apache.commons.lang3.StringUtils;  
import org.jasig.cas.authentication.Credential;  
import org.jasig.cas.authentication.RootCasException;  
import org.jasig.cas.web.flow.AuthenticationViaFormAction;  
import org.jasig.cas.web.support.WebUtils;  
import org.springframework.binding.message.MessageBuilder;  
import org.springframework.binding.message.MessageContext;  
import org.springframework.webflow.execution.RequestContext;  
  
/** 
 * 验证码校验类 
 *  
 * @author Langyou02 
 * 
 */  
public class AuthenticationViaFormActionWithAuthCode extends  
        AuthenticationViaFormAction {  
    /** 
     * authcode check 
     */  
    public final String validatorCode(final RequestContext context,  
            final Credential credentials, final MessageContext messageContext)  
            throws Exception {  
        final HttpServletRequest request = WebUtils  
                .getHttpServletRequest(context);  
        HttpSession session = request.getSession();  
        String authcode = (String) session  
                .getAttribute(com.google.code.kaptcha.Constants.KAPTCHA_SESSION_KEY);  
        session.removeAttribute(com.google.code.kaptcha.Constants.KAPTCHA_SESSION_KEY);  
  
        UsernamePasswordCredentialWithAuthCode upc = (UsernamePasswordCredentialWithAuthCode) credentials;  
        String submitAuthcode = upc.getAuthcode();  
        if (StringUtils.isEmpty(submitAuthcode)  
                || StringUtils.isEmpty(authcode)) {  
            populateErrorsInstance(new NullAuthcodeAuthenticationException(),  
                    messageContext);  
            return "error";  
        }  
        if (submitAuthcode.equals(authcode)) {  
            return "success";  
        }  
        populateErrorsInstance(new BadAuthcodeAuthenticationException(),  
                messageContext);  
        return "error";  
    }  
  
    private void populateErrorsInstance(final RootCasException e,  
            final MessageContext messageContext) {  
  
        try {  
            messageContext.addMessage(new MessageBuilder().error()  
                    .code(e.getCode()).defaultText(e.getCode()).build());  
        } catch (final Exception fe) {  
            logger.error(fe.getMessage(), fe);  
        }  
    }  
}

其中NullAuthcodeAuthenticationException和BadAuthcodeAuthenticationException是自定义的异常类,用于取得异常码:

/* 
 * Licensed to Jasig under one or more contributor license 
 * agreements. See the NOTICE file distributed with this work 
 * for additional information regarding copyright ownership. 
 * Jasig licenses this file to you under the Apache License, 
 * Version 2.0 (the "License"); you may not use this file 
 * except in compliance with the License.  You may obtain a 
 * copy of the License at the following location: 
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0 
 * 
 * Unless required by applicable law or agreed to in writing, 
 * software distributed under the License is distributed on an 
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 
 * KIND, either express or implied.  See the License for the 
 * specific language governing permissions and limitations 
 * under the License. 
 */  
package org.spire.cas.core.authentication;  
  
import org.jasig.cas.authentication.RootCasException;  
  
/** 
 * The exception to throw when we know the authcode is null 
 *  
 * @author Scott Battaglia 
 * @version $Revision$ $Date$ 
 * @since 3.0 
 */  
public class NullAuthcodeAuthenticationException extends RootCasException {  
      
    /** Serializable ID for unique id. */  
    private static final long serialVersionUID = 5501212207531289993L;  
  
    /** Code description. */  
    public static final String CODE = "required.authcode";  
  
    /** 
     * Constructs a TicketCreationException with the default exception code. 
     */  
    public NullAuthcodeAuthenticationException() {  
        super(CODE);  
    }  
  
    /** 
     * Constructs a TicketCreationException with the default exception code and 
     * the original exception that was thrown. 
     *  
     * @param throwable the chained exception 
     */  
    public NullAuthcodeAuthenticationException(final Throwable throwable) {  
        super(CODE, throwable);  
    }}  
  
  
/* 
 * Licensed to Jasig under one or more contributor license 
 * agreements. See the NOTICE file distributed with this work 
 * for additional information regarding copyright ownership. 
 * Jasig licenses this file to you under the Apache License, 
 * Version 2.0 (the "License"); you may not use this file 
 * except in compliance with the License.  You may obtain a 
 * copy of the License at the following location: 
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0 
 * 
 * Unless required by applicable law or agreed to in writing, 
 * software distributed under the License is distributed on an 
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 
 * KIND, either express or implied.  See the License for the 
 * specific language governing permissions and limitations 
 * under the License. 
 */  
package org.spire.cas.core.authentication;  
  
import org.jasig.cas.authentication.RootCasException;  
  
/** 
 * The exception to throw when we know the authcoe is not correct 
 *  
 * @author Scott Battaglia 
 * @version $Revision$ $Date$ 
 * @since 3.0 
 */  
public class BadAuthcodeAuthenticationException extends RootCasException {  
      
    /** Serializable ID for unique id. */  
    private static final long serialVersionUID = 5501212207531289993L;  
  
    /** Code description. */  
    public static final String CODE = "error.authentication.authcode.bad";  
  
    /** 
     * Constructs a TicketCreationException with the default exception code. 
     */  
    public BadAuthcodeAuthenticationException() {  
        super(CODE);  
    }  
  
    /** 
     * Constructs a TicketCreationException with the default exception code and 
     * the original exception that was thrown. 
     *  
     * @param throwable the chained exception 
     */  
    public BadAuthcodeAuthenticationException(final Throwable throwable) {  
        super(CODE, throwable);  
    }}

4、在spire_cas工程的login_webflow.xml修改登录验证流程:

<view-state id="viewLoginForm" view="casLoginView" model="credential">  
       <binder>  
           <binding property="username" required="true"/>  
           <binding property="password" required="true"/>  
           <binding property="authcode" required="true"/>  
           <binding property="rememberMe" />  
       </binder>  
       <on-entry>  
           <set name="viewScope.commandName" value="'credential'"/>  
  
           <!-- 
           <evaluate expression="samlMetadataUIParserAction" /> 
           -->  
       </on-entry>  
       <transition on="submit" bind="true" validate="true" to="authcodeValidate">  
            
       </transition>    
   </view-state>  
<action-state id="authcodeValidate">      
       <evaluate expression="authenticationViaFormAction.validatorCode(flowRequestContext, flowScope.credential, messageContext)" />      
       <transition on="error" to="generateLoginTicket" />      
       <transition on="success" to="realSubmit" />      
   </action-state>

并修改cas-servlet.xmlbean id ="AuthenticationViaFormAction"的class="org.spire.cas.core.authentication.AuthenticationViaFormActionWithAuthCode";

5、增加国际化显示信息:

screen.welcome.label.authcode=\u9A8C\u8BC1\u7801:

screen.welcome.label.authcode.accesskey=a

required.authcode=\u5FC5\u987B\u5F55\u5165\u9A8C\u8BC1\u7801\u3002

error.authentication.authcode.bad=\u9A8C\u8BC1\u7801\u8F93\u5165\u6709\u8BEF\u3002

6、登录页面casLoginView.jsp添加验证码输入框:

<section class="row fl-controls-left">  
        <label for="authcode"><spring:message code="screen.welcome.label.authcode" /></label>  
        <spring:message code="screen.welcome.label.authcode.accesskey" var="authcodeAccessKey" />  
        <table>  
            <tr>  
                <td>  
                    <form:input cssClass="required" cssErrorClass="error" id="authcode" size="10" tabindex="2" path="authcode"  accesskey="${authcodeAccessKey}" htmlEscape="true" autocomplete="off" />  
                </td>  
                <td style="vertical-align: bottom;">  
                    <img onclick="this.src='captcha.jpg?'+Math.random()" width="93" height="30" src="captcha.jpg">  
                                    </td>  
            </tr>  
        </table>  
       </section>

7、如果要默认中文页面显示,修改cas-servlet.xml 下的local Resolver默认值为zh_CN:

 

 <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver" p:defaultLocale="zh_CN" />

8、效果图(spire_cas是另外一个web工程登录跳转到cas服务器认证):

9、参考博文:http://blog.csdn.net/zhu_tianwei/article/details/19153549

转载于:https://my.oschina.net/u/2380830/blog/835328

chuanyanban5120
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
cas-server-webapp-4.1.5.war
03-18
cas-server-webapp-4.1.5.war 可直接部署
CAS 4.1.5 添加登录及登出日志,基于拦截器(简陋的实现,自学用)
qq_38357744的博客
05-27 1736
首先,添加拦截器LogInterceptor.java package com.les.cas.interceptor; import com.les.cas.entity.SysLogonLog; import org.apache.commons.collections4.Predicate; import org.jasig.cas.CentralAuthenticationSe...
Apereo CAS 4.1 反序列化漏洞复现
LuckySec
08-27 1998
PS:欢迎访问我的个人博客 http://luckyzmj.cn 0x01 漏洞简介 Apereo CAS是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。 影响版本 Apereo CAS <= 4.1.7 0x02 环境准备 使用vulhub复现漏洞环境。 vulhub官网地址:https://vulhub.org cd vulhub/apereo-
cas4.1.4server服务端+client端
07-06
- 用户成功登录后,CAS服务器返回一个服务票给客户端应用,客户端再将服务票发送到CAS服务器进行验证。 - 验证通过后,客户端应用允许用户访问受保护的资源,至此完成一次单点登录流程。 4. CAS的扩展性: - CAS...
Siege压力测试和评测工具 v4.1.5.zip
最新发布
03-27
- Siege在测试结束后会提供详细的性能报告,包括成功和失败的请求、响应时间、吞吐量(Requests/Second)、错误率等关键指标。 - 通过这些信息,可以分析服务器在压力下的性能瓶颈。 5. **Siege在毕业设计论文和...
ffmpeg-4.1.5.tar.bz2
06-01
ffmpeg-4.1.5.tar.bz2
Apereo CAS 4.1 反序列化 RCE 漏洞复现实验报告
weixin_48400575的博客
01-25 3167
演示视频 Apereo CAS 4.1 反序列化 RCE 漏洞_哔哩哔哩_bilibiliBGM:《芳华慢》+《霜雪千年》(by等什么君)https://www.bilibili.com/video/BV16Y411b7T8/ 参考文章 https://vulhub.org/#/environments/apereo-cas/4.1-rce/ Apereo-cas 4.1 反序列化 RCE 漏洞_菜鸟的学习笔记-CSDN博客Apereo-cas 4.1 反序列化 RCE 漏洞一. 环境搭建使用vul
Apereo CAS 4.1 反序列化漏洞
黑白的博客
12-21 1189
声明 好好学习,天天向上 漏洞描述 Apereo CAS是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。 影响范围 Apereo CAS <= 4.1.7 复现过程 这里使用4.1.5版本 使用vulhub cd /app/vulhub-master/apereo-cas/4.1-rce 使用docker启动 docker-compose build doc
jasig cas4.1.4+oracle数据库认证
07-21
jasig cas4.1.4+oracle数据库认证,可以直接部署到 tomcat中去。自己建表user_info。
Apereo CAS 4.1/4.x 反序列化RCE漏洞 漏洞复现
ADummy的博客
02-20 1982
Apereo CAS 4.1反序列化RCE漏洞 by ADummy 0x00利用路线 ​ 构造(可以使用ysoserial)可执行命令的序列化对象—>发送给目标61616端口—>访问web管理页面,读取消息,触发漏洞—>代码执行 0x01漏洞介绍 ​ Apereo CAS是企业级单点登录系统。CAS试图通过Apache Commons Collections库对对象进行反序列化的过程中存在一个问题,该案例引起了RCE漏洞。Apereo Cas一般是用来做身份认证的,所以有一定的攻击
CAS登入添加手机验证码
Black Monkey
02-26 5716
(1):casLoginView.jsp  添加如下信息 1 2 3 4 5 6 7 8 9 10 11 12 13 14 view-state id="viewLoginForm" view="casLoginView" model="credentials">
Apereo CAS 4.1 反序列化
weixin_44912035的博客
01-02 405
漏洞背景 Apereo CAS是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。 漏洞复现 环境启动后,访问页面如图所示: 漏洞原理是Webflow中使用了默认密钥changeit: 下载地址:https://github.com/vulhub/Apereo-CAS-Attack/releases/download/v1.0.0/apereo-cas-attack-
cas 5.2.0登陆界面添加验证码和校验功能
c_kkl213的博客
08-17 4169
生成验证码 1、使用google的kaptcha,需引入jar的包 &amp;amp;amp;amp;lt;dependency&amp;amp;amp;amp;gt; &amp;amp;amp;amp;lt;groupId&amp;amp;amp;amp;gt;com.github.penggle&amp;amp;amp;amp;lt;/groupId&amp;amp;amp;amp;gt; &amp;amp;amp;amp;
CAS修改登录界面
Kei's Blog
05-11 3637
客户端篇: 1.替换原来过滤器org.jasig.cas.client.authentication.AuthenticationFilter,改成自己的过滤器RemoteAuthenticationFilter.Java,这个过滤器可以自己随便放到哪个包中,保证web.xml能够正确引用到就行: Java代码 public class RemoteAuthentic
CAS之5.2x版本登录验证码-yellowcong
02-08 5297
系统验证码 或者邮箱验证等,这个都是必须的,不然你搞个机器人注入 啥的,我咋玩。<font color='red'>首先声明,这个5.2.x的和5.1.x的有所区别,有的时候,不通用,需要注意点,我这个地方,以5.2.x讲解,如果需要5.1.x的请自己研究,或则联系我。</font>实现自定义ajax验证码的步骤:1、创建控制器。2、配置到springboot、3、配置spring.factories文件。4、配置自
CAS 数据库校验
endercc的专栏
04-10 705
1. UnknownUsernameAuthenticationException --> BadUsernameOrPasswordAuthenticationException --> BadCredentialsAuthenticationException --> AuthenticationException -->   Exception 2. AuthenticationMana
CAS服务器5.2.6图片验证码
喝醉的咕咕鸟
06-22 1008
在login-webflow.xml中,可以看到登陆的用户名和密码信息绑定到了credential这个对象上. 那credential这个model到底是哪个类呢? 源码: //DefaultWebflowConfigurer protected void createRememberMeAuthnWebflowConfig(Flow flow) { //是...
SED流编辑器手册:版本4.1.5使用指南
sed_manual sed是一款流编辑器,主要用于对文本流进行基本转换操作。以下是sed_manual的详细知识点: **流编辑器的概念** 流编辑器是一种特殊类型的编辑器,用于对文本流进行处理和转换。它可以对输入流(文件或...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值