Spring Security 3 与 CAS单点登录配置-Server

最新推荐文章于 2018-05-17 18:00:17 发布

iteye_19031

最新推荐文章于 2018-05-17 18:00:17 发布

阅读量283

点赞数

分类专栏： Java相关文章标签： Security Spring 配置管理 Hibernate Acegi

本文链接：https://blog.csdn.net/iteye_19031/article/details/81895742

版权

Java相关专栏收录该内容

4 篇文章 0 订阅

订阅专栏

一、环境说明：
Tomcat 6.0.20
JDK 1.6.x
Spring 3.0.0.RELEASE
Spring Security 3.0.0.RELEASE
CAS cas-server-3.4.2
cas-client-3.1.10
下载地址：[url]http://www.jasig.org/cas/download[/url]

配置环境变量
JAVA_HOME ： C:\Java\jdk1.6.0_11
CATALINA_HOME ： C:\Tomcat 6.0
Path ：C:\Java\jdk1.6.0_11\bin;

二、开发步骤
1.制作SSL证书
2.配置CAS Server
3.配置CAS Client
4.安全框架合并
5.简单测试

三、开始
证书制作，请参考
[url]http://linliangyi2007.iteye.com/blog/165304[/url]
说明
[color=blue]
*附件是制作证书的批处理程序，可以按照提示完成证书制作。
*局域网用户，不要使用localhost做这个域名，因为你的证书设置了localhost，其他客户端要从你的域名下证书，而localhost又是客户端的域(可以查看%SystemRoot%\system32\drivers\etc\hosts)[/color]
所以CAS服务器，修改%SystemRoot%\system32\drivers\etc\hosts文件
增加：127.0.0.1 cas.com


127.0.0.1        localhost
127.0.0.1        cas.boc.com

而CAS客户端，也修改hosts文件，但要域要对应服务器端的IP


127.0.0.1        localhost
192.168.0.2      cas.boc.com

配置Tomcat的Server.xml文件


	<Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="8443" minSpareThreads="5" maxSpareThreads="75"
			   enableLookups="true" disableUploadTimeout="true" 
			   acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
			   keystoreFile="%USERPROFILE%/.keystore"
			   keystorePass="changeit" clientAuth="false"
			   sslProtocol="TLS"/>

开始配置CAS Server
解压缩cas-server-3.4.2-release.zip文件
eclipse导入modules文件夹内的cas-server-webapp-3.4.2.war
并改名为casServer
导入后需要配置casServer工程的Java Build Path
[img]http://dl.iteye.com/upload/attachment/282317/2f8d8db5-359a-3a82-b501-e5a458265d55.jpg[/img]

这时运行会报一个错误，找不到AutowiringSchedulerFactoryBean类
AutowiringSchedulerFactoryBean类是一个Quartz的一个调度程序，定时监控CAS Server状态
[color=blue]删除WEB-INF/spring-configuration/applicationContext.xml中的配置[/color]
或者
[color=blue] AutowiringSchedulerFactoryBean添加到org.jasig.cas.util包下
(AutowiringSchedulerFactoryBean类在最后附件中可以下载)
[/color]

如果你对CAS单点登录的工作不是很熟悉，请查看
打开/WEB-INF/deployerConfigContext.xml


<bean id="authenticationManager"
		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<!--
			| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
			| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which 
			| supports the presented credentials.
			|
			| AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
			| attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
			| that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
			| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
			| using.
			|
			| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. 
			| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. 
			| You will need to change this list if you are identifying services by something more or other than their callback URL.
			+-->
		<property name="credentialsToPrincipalResolvers">
			<list>
				<!--
					| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login 
					| by default and produces SimplePrincipal instances conveying the username from the credentials.
					| 
					| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
					| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
					| Credentials you are using.
					+-->
				<bean
					class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
				<!--
					| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
					| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
					| SimpleService identified by that callback URL.
					|
					| If you are representing services by something more or other than an HTTPS URL whereat they are able to
					| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
					+-->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>

		<!--
			| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, 
			| AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
			| authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
			| until it finds one that both supports the Credentials presented and succeeds in authenticating.
			+-->
		<property name="authenticationHandlers">
			<list>
				<!--
					| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
					| a server side SSL certificate.
					+-->
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<!--
					| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS 
					| into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
					| where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
					| local authentication strategy.  You might accomplish this by coding a new such handler and declaring
					| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
					+-->
				<!-- <bean
					class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> 
					<bean class="com.cas.service.CasUsernamePasswordAuthenticationHandler">
						<property name="userDao" ref="userDao" />
					</bean> -->
					<ref bean="casAuthenticationHandler"/>
			</list>
		</property>
	</bean>

其中authenticationHandlers属性是个关键，它为CAS服务器提供用户认证的依据
(它只负责用户的认证，不负责受权服务。也就是说，CAS服务器不关心用户角色)
应该注意的是，authenticationHandlers属性的值是实现了AuthenticationHandler接口类的List，多个应用提供用户账号和密码的数据源，CAS验证时，会在这个List的验证接口中逐一遍历。
可能会有疑问，当有两个应用A和B，分别有账号abc/123和abc/abc
当B系统登陆时，使用了A的账户和密码(即同账户不同密码问题)，这时，CAS将提供一个有效验证，返回给B应用。这不会乱套？
其实，当你配置了Client端时，这个问题就能被解释了，其实，CAS为Client提供一个ticket后，Client需要用登陆的账号和密码再验证一次，并且取得用户的角色信息。如果没有权限，则提示401，账号被锁定
[img]http://dl.iteye.com/upload/attachment/287943/dc9ae065-a63f-3643-8cdf-4d8e06836d75.jpg[/img]

言归正传，这里的casAuthenticationHandler是一个类实现authenticationHandlers接口的类，但你可以继承一个抽象类AbstractUsernamePasswordAuthenticationHandler去实现。
因为我的cas使用了iBatis.所以直接注入UserDao进行登录有效性验证


package com.cas.service;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

import com.cas.dao.UserDao;
import com.cas.model.User;

public class CasUsernamePasswordAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

	/**
	 * 用户信息操作层
	 */
	private UserDao userDao;

	@Override
	protected boolean authenticateUsernamePasswordInternal(
			UsernamePasswordCredentials credentials)
			throws AuthenticationException {
		User user = userDao.findUserByName(credentials.getUsername());

		if (user == null) {return false;}

		if (user.getPassword().equals(credentials.getPassword())) {
			return true;
		}

		return false;
	}

	public void setUserDao(UserDao userDao) {
		this.userDao = userDao;
	}
}

接下来修改deployerConfigContext.xml文件的


    <sec:user-service id="userDetailsService">
    	<sec:user name="user01" password="user01" authorities="ROLE_USER" />
    	<sec:user name="admin" password="admin" authorities="ROLE_ADMIN" />
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

这是登录cas管理页面的账号密码(这是一个简单的配置,也可以实现UserDetailsService接口,进行配置。这跟Spring Security的用户登录验证接口其实是一个)

配置cas.properties文件


#cas.securityContext.serviceProperties.service=http://localhost:8080/casServer/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.service=http://cas.boc.com:8080/casServer/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=http://cas.boc.com:8080/casServer/login
cas.securityContext.ticketValidator.casServerUrlPrefix=http://cas.boc.com:8080/casServer


cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views

host.name=casServer

#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
#database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

启动Cas Server
如果一切正常，能看到服务启动
因为配置了


    <bean id="scheduler" class="org.jasig.cas.util.AutowiringSchedulerFactoryBean"/>

每隔一段时间，控制台将有当前服务信息提示。

到目前为止，CAS服务器的雏形配置完成。这是一个基本的配置，我们查看cas-servlet.xml
文件


	<bean
		id="handlerMappingC"
		class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
		<property
			name="mappings">
			<props>
				<prop
					key="/logout">
					logoutController
				</prop>
				<prop
					key="/serviceValidate">
					serviceValidateController
				</prop>
				<prop
					key="/validate">
					legacyValidateController
				</prop>
				<prop
					key="/proxy">
					proxyController
				</prop>
				<prop
					key="/proxyValidate">
					proxyValidateController
				</prop>
				<prop
					key="/samlValidate">
					samlValidateController
				</prop>

				<prop
					key="/services/add.html">
					addRegisteredServiceSimpleFormController
				</prop>

				<prop
					key="/services/edit.html">
					editRegisteredServiceSimpleFormController
				</prop>

				<prop
					key="/services/loggedOut.html">
					serviceLogoutViewController
				</prop>

                <prop key="/services/viewStatistics.html">
                    viewStatisticsController
                </prop>

				<prop
					key="/services/*">
					manageRegisteredServicesMultiActionController
				</prop>
				<prop
					key="/openid/*">openIdProviderController</prop>
                <prop
                        key="/authorizationFailure.html">passThroughController</prop>
			</props>
		</property>
		<property
			name="alwaysUseFullPath" value="true" />
		<!--
		uncomment this to enable sending PageRequest events. 
		<property
			name="interceptors">
			<list>
				<ref bean="pageRequestHandlerInterceptorAdapter" />
			</list>
		</property>
		 -->
	</bean>

这里有很多映射关系，我们关注/services/viewStatistics.html这个地址
在浏览器中打开（系统会先提示你登陆，如果你跟我的配置一样，那么admin/admin即可登陆）
[img]http://dl.iteye.com/upload/attachment/287911/bb7d4b59-c5c2-3715-b941-1d99953a601c.jpg[/img]

里面红色提示内容大体是说
[color=red]因为你没有配置提供的服务，所以CAS处于开放模式，一旦你配置了一个服务，CAS将不再是开放模式，任何应用希望提供CAS，则必须注册。如果你要用这个工具，第一件事是需要将自己加入到这个工具中，默认服务管理工具的URL为"http://cas.boc.com:8080/casServer/services/j_acegi_cas_security_check"[/color]

这里我们先不要去管它，因为要做的工作还有很多，这里只不过是刚刚开始。

下一步对Client端进行配置

iteye_19031

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Spring Security 3 与 CAS单点登录配置-Server

一、环境说明： Tomcat 6.0.20 JDK 1.6.x Spring 3.0.0.RELEASE Spring Security 3.0.0.RELEASE CAS cas-server-3.4.2 cas-client-3.1.10 下载地址：[url]http://www.jasi...
复制链接

扫一扫