Spring security集成CAS

Spring security集成CAS

1. 定义casService

   <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
   
       <property name="service" value="https://localhost:8080/cas-client/j_spring_cas_security_check" />
       <property name="sendRenew" value="false" />
   </bean>

   • service必须是一个CasAuthenticationFilter监控的url。这个是一个callback的url，我们使用默认的spring 验证url，会登陆到cas server进行验证
   • sendRenew 这个是是否需要重新登陆，默认是false.个人理解是设置为true的时候，单点登录就会失效了。
2. 设置security配置.
   
<security:http entry-point-ref="casEntryPoint">
...
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
</security:http>

   
   • 这里需要定义casFilter，单点登录filter，session管理filter.
3. 配置casFilter
   
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<!-- 定义验证成功处理器 -->
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<!-- 定义验证失败处理器 -->
<property name="authenticationFailureHandler"
ref="authenticationFailureHandler" />
</bean>

4. 定义casEntryPoint
   
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>

   
   • loginUrl是cas server的url

5. 设置casAuthenticationManager

   <security:authentication-manager alias="authenticationManager">
   <security:authentication-provider ref="casAuthenticationProvider" />
   </security:authentication-manager>
   
   <bean id="casAuthenticationProvider"
       class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
       <property name="userDetailsService" ref="userService"/>
       <property name="serviceProperties" ref="serviceProperties" />
       <property name="ticketValidator">
         <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
           <constructor-arg index="0" value="https://localhost:9443/cas" />
           </bean>
       </property>
       <property name="key" value="an_id_for_this_auth_provider_only"/>
   </bean>

6. userDetail Service
   
<!-- Spring security demo使用的是 -->
<security:user-service id="userService">
<security:user name="joe" password="joe" authorities="ROLE_USER" />
...
</security:user-service>
<!-- 我们一般使用自己定义的userService -->
<bean id="userService class="com.sut.web.security.UserDetailService" >
</bean>

   
   • 当cas Server认证成功后返回一个id
7. 定义success handler
   
<!-- cas 认证成功控制器 -->
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<!-- 认证返回页面 -->
<property name="defaultTargetUrl" value="/xxx/xx" />
<!-- 是否强制返回登陆页面 -->
<property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>

8. 定义失败的failure handler
   
<bean id="authenticationFailureHandler" class="org.speingframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="xxx/xx" />
</bean>


至此，spring security 集成 cas 的基本要素配置完成了。基本原理是:
1. spring security拦截的url然后去验证默认的j_spring_security_check
2. 这个url去访问cas server的login url
3. 返回成功就调用成功处理器，失败就调用失败处理器.

---

具体的细节仍需要一个工程去看着做。

---

一个可以参考的链接:

Spring Security实践（三）：通过CAS实现SSO