CAS 服务器端流程解读

本文详细解析CAS Server的配置文件及其功能,包括login-webflow.xml、cas-servlet.xml等,阐述如何自定义AuthenticationHandler、credentialsToPrincipalResolvers以及Principal,实现个性化认证流程。
摘要由CSDN通过智能技术生成

CAS Server 配置文件

login-webflow.xml:其中内容指定了当访问cas/login时的程序流程,初始“initialFlowSetup”

cas-servlet.xml:servlet与class对应关系

deployerConfigContext.xml:认证管理器相关

cas.properties:系统属性设置

applicationContext.xml:系统属性相关

argumentExtractorsConfiguration.xml:不是很了解它的用途

ticketExpirationPolicies.xml:ticket过期时间设置

ticketGrantingTicketCookieGenerator.xml:TGT cookie属性相关,是否支持http也在这儿修改

ticketRegistry.xml:保存ticket的类相关设置

uniqueIdGenerators.xml:ticket自动生成类设置

warnCookieGenerator.xml:同ticketGrantingTicketCookieGenerator.xml,生成的 cookie名为CASPRIVACY

/login :

当访问/login时,会调用login-webflow.xml中的流程图: 
/serviceValidate:
对应的处理类是org.jasig.cas.web.ServiceValidateController,主要负责对service ticket的验证,失败返回casServiceValidationFailure.jsp,成功返回casServiceValidationSuccess.jsp

对service ticket的验证是通过client端向server端发送http(或https)实现的
逻辑:
1.

通过由client端传来的ticket到DefaultTicketRegistry中获取缓存的ServiceTicketImpl对象,并判断其是否已经过期(ST过期时间默认是5分钟,TGT默认是2个小时,可以在ticketExpirationPolicies.xml中进行修改)以及与当前service的id是否相一,以上都满足则表示验证通过。

2.

通过ServiceTicketImpl对象获取到登录之后的Authentication对象,借助于它生成ImmutableAssertionImpl对象并返回

3.成功返回

CAS数据流程
Credentials-->Principal-->Authentication
定义自己的AuthenticationHandler 
     在中心认证进行认证的过程中会调用deployerConfigContext.xml中设置的AuthenticationHandler来进行认证工作。
Java代码 
        <property name="authenticationHandlers">  
            <list>  
<!--  
 
                    This is the authentication handler that authenticates services by means of callback via SSL, thereby validating  
 
                    a server side SSL certificate.  
-->  
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" 
                    p:httpClient-ref="httpClient" />  
                <!--  
                     This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS   
                     into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials  
                     where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your  
                     local authentication strategy.  You might accomplish this by coding a new such handler and declaring  
                     edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.  
                    -->  
                <bean  
                    class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />  
                <bean class="com.goldarmor.live800.cas.Live800CasAuthenticationHandler">  
                    <property name="dataSource" ref="casDataSource" />  
                </bean>  
            </list  
        </property> 

<property name="authenticationHandlers">
<list>
<!--

This is the authentication handler that authenticates services by means of callback via SSL, thereby validating

a server side SSL certificate.
-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!--
This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
local authentication strategy.  You might accomplish this by coding a new such handler and declaring
edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
-->
<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
<bean class="com.goldarmor.live800.cas.Live800CasAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
</bean>
</list
</property> 如上,我们定义了3个AuthenticationHandler,这正是CAS的一个 ,通过配置,我们可以实现针对不同的应用提供不同的认证方式,这样可以实现任意的中心认证。再来看看AuthenticationHandler的代码

Java代码 
/** 
* Method to determine if the credentials supplied are valid. 
*  
* @param credentials The credentials to validate. 
* @return true if valid, return false otherwise. 
* @throws AuthenticationException An AuthenticationException can contain 
* details about why a particular authentication request failed. 
*/ 
 
boolean authenticate(Credentials credentials)  
    throws AuthenticationException;  
 
/** 
* Method to check if the handler knows how to handle the credentials 
* provided. It may be a simple check of the Credentials class or something 
* more complicated such as scanning the information contained in the 
* Credentials object. 
*  
* @param credentials The credentials to check. 
* @return true if the handler supports the Credentials, false othewrise. 
*/ 
boolean supports(Credentials credentials); 

    /**
     * Method to determine if the credentials supplied are valid.
     *
     * @param credentials The credentials to validate.
     * @return true if valid, return false otherwise.
     * @throws AuthenticationException An AuthenticationException can contain
     * details about why a particular authentication request failed.
     */

    boolean authenticate(Credentials credentials)
        throws AuthenticationException;

    /**
     * Method to check if the handler knows how to handle the credentials
     * provided. It may be a simple check of the Credentials class or something
     * more complicated such as scanning the information contained in the
     * Credentials object.
     *
     * @param credentials The credentials to check.
     * @return true if the handler supports the Credentials, false othewrise.
     */
    boolean supports(Credentials credentials); 我们要做的就是实现这俩个方法而已,特别提醒:可以在cas-servlet.xml中设置你所使用的Credentials,如下:(其中的p:formObjectClass值,如果不指定默认使用UsernamePasswordCredentials)

Java代码 
<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction" 
    p:formObjectClass="com.goldarmor.live800.cas.Live800CasCredentials" 
    p:centralAuthenticationService-ref="centralAuthenticationService" 
    p:warnCookieGenerator-ref="warnCookieGenerator" /> 

<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:formObjectClass="com.goldarmor.live800.cas.Live800CasCredentials"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator" />

定义自己的credentialsToPrincipalResolvers

通过AuthenticationHandler的认证后,会调用在deployerConfigContext.xml中配置的credentialsToPrincipalResolvers来处理Credentials,生成Principal对象:

Java代码 
        <property name="credentialsToPrincipalResolvers">  
            <list>  
                <!--  
                    UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login   
                    by default and produces SimplePrincipal instances conveying the username from the credentials.  
                    If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also  
                    need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the  
                    Credentials you are using.  
-->              <bean  
                    class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />  
                <!--  
                    HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of  
                    authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a  
                    SimpleService identified by that callback URL.  
                    If you are representing services by something more or other than an HTTPS URL whereat they are able to  
                    receive a proxy callback, you will need to change this bean declaration (or add additional declarations).  
                    -->  
                <bean  
                    class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />  
                <bean class="com.goldarmor.live800.cas.Live800CasCredentialsToPrincipalResolver"/>  
            </list>  
        </property> 

<property name="credentialsToPrincipalResolvers">
<list>
<!--
UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
by default and produces SimplePrincipal instances conveying the username from the credentials.
If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
Credentials you are using.
--> <bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<!--
HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
SimpleService identified by that callback URL.
If you are representing services by something more or other than an HTTPS URL whereat they are able to
receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
<bean class="com.goldarmor.live800.cas.Live800CasCredentialsToPrincipalResolver"/>
</list>
</property> 如上:我们也可以像定义AuthenticationHandler一样,可以定义多个credentialsToPrincipalResolvers来处理Credentials,返回你所需要的Principal对象,下面来看看credentialsToPrincipalResolvers的方法:

Java代码 
/** 
* Turn Credentials into a Principal object by analyzing the information 
* provided in the Credentials and constructing a Principal object based on 
* that information or information derived from the Credentials object. 
*  
* @param credentials from which to resolve Principal 
* @return resolved Principal, or null if the principal could not be resolved. 
*/ 
Principal resolvePrincipal(Credentials credentials);  
 
/** 
* Determine if a credentials type is supported by this resolver. This is 
* checked before calling resolve principal. 
*  
* @param credentials The credentials to check if we support. 
* @return true if we support these credentials, false otherwise. 
*/ 
 
 
boolean supports(Credentials credentials); 

    /**
     * Turn Credentials into a Principal object by analyzing the information
     * provided in the Credentials and constructing a Principal object based on
     * that information or information derived from the Credentials object.
     *
     * @param credentials from which to resolve Principal
     * @return resolved Principal, or null if the principal could not be resolved.
     */
    Principal resolvePrincipal(Credentials credentials);

    /**
     * Determine if a credentials type is supported by this resolver. This is
     * checked before calling resolve principal.
     *
     * @param credentials The credentials to check if we support.
     * @return true if we support these credentials, false otherwise.
     */


    boolean supports(Credentials credentials); 
在CAS验证的时候,通过访问/serviceValidate可知:验证成功之后返回的casServiceValidationSuccess.jsp中的数据来源于Assertion,下面来看看它的代码:

Java代码 
List<Authentication> getChainedAuthentications();  
 
/** 
* True if the validated ticket was granted in the same transaction as that 
* in which its grantor GrantingTicket was originally issued. 
*  
* @return true if validated ticket was granted simultaneous with its 
* grantor's issuance 
*/ 
 
boolean isFromNewLogin();  
 
 
/** 
* Method to obtain the service for which we are asserting this ticket is 
* valid for. 
*  
* @return the service for which we are asserting this ticket is valid for. 
*/ 
 
Service getService(); 

    List<Authentication> getChainedAuthentications();

    /**
     * True if the validated ticket was granted in the same transaction as that
     * in which its grantor GrantingTicket was originally issued.
     *
     * @return true if validated ticket was granted simultaneous with its
     * grantor's issuance
     */

    boolean isFromNewLogin();


    /**
     * Method to obtain the service for which we are asserting this ticket is
     * valid for.
     *
     * @return the service for which we are asserting this ticket is valid for.
     */

    Service getService(); 通过getChainedAuthentications()方法,我们可以得到Authentication对象列表,再看看Authentication的代码:

Java代码 
/** 
* Method to obtain the Principal. 
*  
* @return a Principal implementation 
*/ 
 
Principal getPrincipal();  
 
/** 
* Method to retrieve the timestamp of when this Authentication object was 
* created. 
*  
* @return the date/time the authentication occurred. 
*/ 
 
Date getAuthenticatedDate();  
 
/** 
* Attributes of the authentication (not the Principal). 
* @return the map of attributes. 
*/ 
Map<String, Object> getAttributes(); 

    /**
     * Method to obtain the Principal.
     *
     * @return a Principal implementation
     */

    Principal getPrincipal();

    /**
     * Method to retrieve the timestamp of when this Authentication object was
     * created.
     *
     * @return the date/time the authentication occurred.
     */

    Date getAuthenticatedDate();

    /**
     * Attributes of the authentication (not the Principal).
     * @return the map of attributes.
     */
    Map<String, Object> getAttributes(); 而这其中的Principal就来源于上面提到的由credentialsToPrincipalResolvers处理得到的Principal对象,最后看一下Principal的代码,我们只要再做一个实现他的代码,整个CAS Server就可以信手拈来了,呵呵

Java代码 
/** 
* Returns the unique id for the Principal 
* @return the unique id for the Principal. 
*/ 
 
String getId();  
 
 
/** 
*  
* @return 
*/ 
 
Map<String, Object> getAttributes(); 

    /**
     * Returns the unique id for the Principal
     * @return the unique id for the Principal.
     */

    String getId();


     /**
     *
     * @return
     */

    Map<String, Object> getAttributes();

我们还可以自定义自己的casServiceValidationSuccess.jsp和casLoginView.jsp页面等,具体的操作办法也是最简单的办法就是备份以前的页面之后修改成自己需要的页面。

转载于:https://my.oschina.net/abcijkxyz/blog/720332

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值