Spring Security integration with CAS
Define casService
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="https://localhost:8080/cas-client/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
- service must be a URL that CasAuthenticationFilter monitors. It is the callback URL; we use Spring's default authentication URL, and the user is sent to the CAS server to authenticate.
- sendRenew controls whether a fresh login is required; the default is false. My understanding is that when it is set to true, single sign-on no longer works.
- Set up the security configuration.
<security:http entry-point-ref="casEntryPoint">
...
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
</security:http>
- Here we need to define casFilter, the single sign-on filter, and the session management filter.
- Configure casFilter
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<!-- define the authentication success handler -->
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<!-- define the authentication failure handler -->
<property name="authenticationFailureHandler"
ref="authenticationFailureHandler" />
</bean>
- Define casEntryPoint
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
- loginUrl is the URL of the CAS server.
Set up casAuthenticationManager
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="userDetailsService" ref="userService"/>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:9443/cas" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
- UserDetails service
<!-- The Spring Security demo uses this: -->
<security:user-service id="userService">
<security:user name="joe" password="joe" authorities="ROLE_USER" />
...
</security:user-service>
<!-- We usually use our own userService -->
<bean id="userService" class="com.sut.web.security.UserDetailService" >
</bean>
- After the CAS server authenticates successfully it returns an id.
- Define the success handler
<!-- CAS authentication success handler -->
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<!-- page to return to after authentication -->
<property name="defaultTargetUrl" value="/xxx/xx" />
<!-- whether to always redirect to defaultTargetUrl after login -->
<property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
- Define the failure handler
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="xxx/xx" />
</bean>
With this, the basic elements of the Spring Security and CAS integration are configured. The basic principle is:
1. Spring Security intercepts the URL and then authenticates via the default j_spring_security_check.
2. That URL goes to the CAS server's login URL.
3. If it returns success, the success handler is called; on failure, the failure handler.
The concrete details still need to be worked through in a real project.
A link for reference:
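The same wiring expressed as Spring Security Java config, added here as an example and not taken from the original post or the Spring project; it assumes Spring Security 3.2 to 5.x with the spring-security-cas module and the Jasig CAS client on the classpath, keeps the page's URLs and placeholder paths as given, and the class name CasSecurityConfig is hypothetical. It sets filterProcessesUrl explicitly because the Java-config CasAuthenticationFilter defaults to /login/cas, not the j_spring_cas_security_check path the page uses.

```java
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.*;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.*;

// Hypothetical class name; mirrors the XML beans on the page one for one.
@Configuration @EnableWebSecurity public class CasSecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserDetailsService userService; // e.g. the page's com.sut.web.security.UserDetailService
    public CasSecurityConfig(UserDetailsService userService) { this.userService = userService; }
    @Bean public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService("https://localhost:8080/cas-client/j_spring_cas_security_check"); // callback the filter watches
        sp.setSendRenew(false); // true forces a fresh CAS login on every request, i.e. no SSO
        return sp;
    }
    @Bean public CasAuthenticationEntryPoint casEntryPoint() {
        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
        ep.setLoginUrl("https://localhost:8443/cas/login"); // CAS server login page (page's value)
        ep.setServiceProperties(serviceProperties());
        return ep;
    }
    @Bean public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setUserDetailsService(userService); // loads roles for the username asserted by CAS
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas20ServiceTicketValidator("https://localhost:9443/cas")); // page's value
        p.setKey("an_id_for_this_auth_provider_only");
        return p;
    }
    @Bean public CasAuthenticationFilter casFilter() throws Exception {
        CasAuthenticationFilter f = new CasAuthenticationFilter();
        f.setFilterProcessesUrl("/j_spring_cas_security_check"); // must match the path in serviceProperties
        f.setAuthenticationManager(authenticationManager());
        SavedRequestAwareAuthenticationSuccessHandler ok = new SavedRequestAwareAuthenticationSuccessHandler();
        ok.setDefaultTargetUrl("/xxx/xx"); ok.setAlwaysUseDefaultTargetUrl(true); // page's placeholder
        f.setAuthenticationSuccessHandler(ok);
        f.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/xxx/xx"));
        return f;
    }
    @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(casAuthenticationProvider()); }
    @Override protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()   // unauthenticated hits go to casEntryPoint
            .and().exceptionHandling().authenticationEntryPoint(casEntryPoint())
            .and().addFilter(casFilter());                      // CAS_FILTER position is known to HttpSecurity
    }
}
```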