SpringSecurity 3.1 与 CAS 集成的配置文件及说明
注:
1、testSecurityMetadataSource为自定义,实现用户访问url与role对应关系的查询和验证。
2、testUserDetailServiceProxy为自定义,根据用户id查询用户详细信息(UserDetails)。
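<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- CAS authentication configuration.
         Scenario: authentication is delegated to a CAS server; whether an authenticated user may reach
         a given URL is decided by this application.
         Flow: 1. a request for a protected URL is redirected to the CAS login page (casAuthenticationEntryPoint);
               2. after login, CAS redirects back to the service URL with a service ticket, which
                  casAuthenticationFilter validates against the CAS server;
               3. testFilterSecurityInterceptor then checks the user's roles against the requested URL;
                  on failure an AccessDeniedException is raised and the request ends on the access-denied page. -->

    <!-- auto-config is off, so nothing is added implicitly: the CAS entry point handles every
         intercepted URL and CAS_FILTER must sit at its named position in the filter chain. -->
    <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="false" pattern="/**">
        <!-- Baseline rule enforced by the default FilterSecurityInterceptor: every URL needs ROLE_USER. -->
        <security:intercept-url pattern="/**" access="ROLE_USER" />
        <!-- Validates the CAS service ticket on the return from the CAS login. -->
        <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
        <!-- URL -> role authorization from the application's own metadata source; it runs before the
             default FILTER_SECURITY_INTERCEPTOR, so both interceptors apply to every request. -->
        <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="testFilterSecurityInterceptor" />
    </security:http>

    <!-- Application-level URL authorization.
         NOTE(review): with rejectPublicInvocations at its default (false), a URL for which
         testSecurityMetadataSource returns no attributes is treated as public by this interceptor;
         the ROLE_USER rule above is then the only protection. Set rejectPublicInvocations="true"
         if every URL is expected to have an explicit role mapping. -->
    <bean id="testFilterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="testAccessDecisionManager" />
        <property name="securityMetadataSource" ref="testSecurityMetadataSource" />
    </bean>

    <!-- Access decision: a single RoleVoter, so one GRANTED vote allows the request.
         rolePrefix="" makes the voter consider every attribute the metadata source returns,
         not only those starting with ROLE_. -->
    <bean id="testAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg index="0">
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter">
                    <property name="rolePrefix" value="" />
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- Custom lookup of the roles allowed to reach each URL. -->
    <bean id="testSecurityMetadataSource"
          class="com.balance.test.integeration.acegi.AutoDelegatingSecurityMetadataSource" />

    <!-- The namespace creates an AuthenticationManager anyway; the alias is needed so that
         casAuthenticationFilter and testFilterSecurityInterceptor can reference it by id. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- The "service" is the URL CAS redirects to after login; CasAuthenticationFilter intercepts
         /j_spring_cas_security_check and reads the service ticket from its query string.
         NOTE(review): because the ticket travels in that query string, production deployments should
         use an https URL on the real host name; the value must also match what the CAS server is
         configured to accept for this application. -->
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="http://PCNAME:8080/test/j_spring_cas_security_check" />
        <!-- false: an existing CAS SSO session is reused; true would force re-authentication at CAS. -->
        <property name="sendRenew" value="false" />
    </bean>

    <!-- Handles the redirect back from CAS and starts ticket validation. -->
    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- Entry point for unauthenticated requests: redirects to the CAS login page. -->
    <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://PCNAME:8443/cas/login" />
        <property name="serviceProperties" ref="serviceProperties" />
    </bean>

    <!-- Validates service tickets with the CAS server and builds the authenticated principal. -->
    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <!-- CAS server prefix used for the /serviceValidate call.
                 Fixed: the original read "https:/PCNAME:8443/cas" (single slash), which is not a valid URL. -->
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://PCNAME:8443/cas" />
            </bean>
        </property>
        <!-- Identifies tokens created by this provider (the provider compares the key's hash when it
             re-checks a CasAuthenticationToken).
             NOTE(review): use a value unique to this deployment rather than a guessable literal. -->
        <property name="key" value="cas" />
    </bean>

    <!-- Adapts the application's UserDetailsService to the principal name carried by the CAS assertion. -->
    <bean id="casAuthenticationUserDetailsService"
          class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="testUserDetailServiceProxy" />
    </bean>

    <!-- Custom UserDetailsService: loads user details by user id. -->
    <bean id="testUserDetailServiceProxy" class="com.balance.test.integeration.acegi.AutoDelegatingUserDetailService">
        <property name="reservedUsernamePrefixs" value="admin,manager,user" />
    </bean>
</beans>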