多租户多域名访问同一个服务实现

已于 2022-03-23 19:57:20 修改
阅读量3.7k 收藏 5
点赞数
文章标签: 多租户 多域名 单点登录cas security 一个服务
于 2022-03-23 19:53:30 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/lgq2016/article/details/123693532
版权

之前做的项目要迭代多租户功能,不同租户对应同一个数据库的多个schema,进行逻辑上的数据隔离。每个租户要求独立域名,但是前端服务和后端服务仍然只有一份(部署是集群部署)。本来只需要在dns服务器上配置一下域名解析就可以了,但是要集成单点登录cas和安全框架(security), cas 中原生的类是不支持多个serve-name(服务域名)的,需要修改一下cas中的一些组件,所以总结一下。

看一下关键的配置文件:SecurityConfiguration

package com.xxx.config;

import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;

import com.xxx.handler.multidomain.MDCasAuthenticationEntryPoint;
import com.xxx.handler.multidomain.MDCasServiceTicketValidator;
import com.xxx.handler.multidomain.MDSimpleUrlLogoutSuccessHandler;

import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

/**
 * cas与security整合,需要配置的对象
 * <p>
 * 在cas与security整合中,首先需要做的是将应用的登录认证入口改为使用CasAuthenticationEntryPoint。
 * 所以首先我们需要配置一个CasAuthenticationEntryPoint对应的bean,
 * 然后指定需要进行登录认证时使用该AuthenticationEntryPoint。
 * 配置CasAuthenticationEntryPoint时需要指定一个ServiceProperties,
 * 该对象主要用来描述service (Cas概念) 相关的属性,主要是指定在Cas Server认证成功后将要跳转的地址。
 * <p>
 * CasAuthenticationFilter认证过滤器,负责认证跳转和票据验证
 */
@Configuration
@EnableConfigurationProperties(value = {com.xxx.config.CasServerProperties.class})
public class SecurityConfiguration {

    @Resource
    private com.xxx.config.CasServerProperties casServerProperties;

    @Resource
    private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> userDetailsService;

    @Bean
    public AuthenticationManager authenticationManager(CasAuthenticationProvider provider) {
        List<AuthenticationProvider> providers = new ArrayList<>();
        providers.add(provider);
        ProviderManager providerManager = new ProviderManager(providers);
        return providerManager;
    }

    /**
     * 我们自己应用的配置信息,该对象主要用于构建CasAuthenticationEntryPoint。
     *
     * @return
     */
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        //设置默认的cas登陆后回跳地址
        serviceProperties.setService(casServerProperties.getServerName() + "/login");
        //设置我们应用是否敏感
        serviceProperties.setSendRenew(false);
        //设置是否对未拥有ticket的访问均需要验证
        serviceProperties.setAuthenticateAllArtifacts(true);
        return serviceProperties;
    }

    /**
     * CAS认证过滤器,主要实现票据认证和认证成功后的跳转。
     *
     * @param auth
     * @param serviceProperties
     * @return
     */
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager auth, ServiceProperties serviceProperties) {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        //给过滤器设置我们应用的基本配置
        casAuthenticationFilter.setServiceProperties(serviceProperties);
        //给过滤器设置认证管理器
        casAuthenticationFilter.setAuthenticationManager(auth);
        //设置过滤器到cas server认证的地址
        casAuthenticationFilter.setFilterProcessesUrl(casServerProperties.getCasServerLoginUrl());
        //设置是否继续执行其他过滤器,在完成认证前
        casAuthenticationFilter.setContinueChainBeforeSuccessfulAuthentication(false);
        //设置认证成功后的处理handler, 目前使用默认的SavedRequestAwareAuthenticationSuccessHandler
//        casAuthenticationFilter.setAuthenticationSuccessHandler(new AddressBarUrlAuthenticationSuccessHandler());
//        casAuthenticationFilter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/demo/admin"));
        return casAuthenticationFilter;
    }

    /**
     * 认证的入口,即跳转至服务端的cas地址
     * security框架整合cas认证的入口,也就是security不再走自己的认证入口,而是cas的,该对象就是cas的认证入口
     *
     * @param serviceProperties
     * @return
     */
    @Bean
    public MDCasAuthenticationEntryPoint mCasAuthenticationEntryPoint(ServiceProperties serviceProperties) {
        MDCasAuthenticationEntryPoint mdCasAuthenticationEntryPoint = new MDCasAuthenticationEntryPoint();
        //security框架整合cas认证的入口,也就是security不再走自己的认证入口,而是cas的,该对象就是cas的认证入口
        mdCasAuthenticationEntryPoint.setServiceProperties(serviceProperties);
        mdCasAuthenticationEntryPoint.setLoginUrl(casServerProperties.getCasServerLoginUrl());
        return mdCasAuthenticationEntryPoint;
    }

    /**
     * 配置TicketValidator在登录认证成功后验证ticket
     * 该对象就是一个ticket校验器
     *
     * @return
     */
    @Bean
    public MDCasServiceTicketValidator cas20ServiceTicketValidator() {
        //需要设置cas server的前缀,也就是根路径
        return new MDCasServiceTicketValidator(casServerProperties.getCasServerUrlPrefix());
    }

    /**
     * 该对象为cas校验对象,TicketValidator、AuthenticationUserDetailService属性必须设置;
     * serviceProperties属性主要应用于ticketValidator用于去cas服务端校验ticket
     *
     * @param userDetailsService
     * @param serviceProperties
     * @param ticketValidator
     * @return
     */
    @Bean("casProvider")
    public CasAuthenticationProvider casAuthenticationProvider(AuthenticationUserDetailsService<CasAssertionAuthenticationToken>
                                                                           userDetailsService,
                                                               ServiceProperties serviceProperties,
                                                               MDCasServiceTicketValidator ticketValidator) {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setKey("casProvider");
        provider.setServiceProperties(serviceProperties);
        provider.setTicketValidator(ticketValidator);
        provider.setAuthenticationUserDetailsService(userDetailsService);
        return provider;
    }

    @Bean
    public LogoutFilter logoutFilter(MDSimpleUrlLogoutSuccessHandler mdSimpleUrlLogoutSuccessHandler) {
        LogoutFilter logoutFilter = new LogoutFilter(mdSimpleUrlLogoutSuccessHandler, new SecurityContextLogoutHandler());
        logoutFilter.setFilterProcessesUrl("/checkSession");
        return logoutFilter;
    }

    @Bean
    public MDSimpleUrlLogoutSuccessHandler mdSimpleUrlLogoutSuccessHandler() {
        String logoutRedirectPath = casServerProperties.getCasServerLogoutUrl();
        MDSimpleUrlLogoutSuccessHandler mdSimpleUrlLogoutSuccessHandler = new MDSimpleUrlLogoutSuccessHandler();
        mdSimpleUrlLogoutSuccessHandler.setDefaultTargetUrl(logoutRedirectPath);
        return mdSimpleUrlLogoutSuccessHandler;
    }

}

MDCasAuthenticationEntryPoint我们自己定义的入口类,实现接口AuthenticationEntryPoint,主要是copy了CasAuthenticationEntryPoint的内容,修改了createServiceUrl的逻辑,这个方法主要是创建服务地址(域名),一个项目只能有一个,因此改造它,根据请求的域名动态进行生成。

package com.xxx.handler.multidomain;

import java.io.IOException;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.xxx.config.CasServerProperties;
import com.xxx.util.ProgramVariable;

import org.jasig.cas.client.util.CommonUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.util.Assert;

/**
 * author:lgq
 * date:2022-1-1
 */
public class MDCasAuthenticationEntryPoint implements AuthenticationEntryPoint,
        InitializingBean {
    @Resource
    private ProgramVariable programVariable;

    @Resource
    private CasServerProperties casServerProperties;

    private ServiceProperties serviceProperties;

    private String loginUrl;

    /**
     * Determines whether the Service URL should include the session id for the specific
     * user. As of CAS 3.0.5, the session id will automatically be stripped. However,
     * older versions of CAS (i.e. CAS 2), do not automatically strip the session
     * identifier (this is a bug on the part of the older server implementations), so an
     * option to disable the session encoding is provided for backwards compatibility.
     *
     * By default, encoding is enabled.
     */
    private boolean encodeServiceUrlWithSessionId = true;

    // ~ Methods
    // ========================================================================================================

    public void afterPropertiesSet() throws Exception {
        Assert.hasLength(this.loginUrl, "loginUrl must be specified");
        Assert.notNull(this.serviceProperties, "serviceProperties must be specified");
        Assert.notNull(this.serviceProperties.getService(),
                "serviceProperties.getService() cannot be null.");
    }

    public final void commence(final HttpServletRequest servletRequest,
                               final HttpServletResponse response,
                               final AuthenticationException authenticationException) throws IOException,
            ServletException {

        final String urlEncodedService = createServiceUrl(servletRequest, response);
        final String redirectUrl = createRedirectUrl(urlEncodedService);

        preCommence(servletRequest, response);

        response.sendRedirect(redirectUrl);
    }

    /**
     * Constructs a new Service Url. The default implementation relies on the CAS client
     * to do the bulk of the work.
     * @param request the HttpServletRequest
     * @param response the HttpServlet Response
     * @return the constructed service url. CANNOT be NULL.
     *  改造该方法,根据请求url动态获取服务地址
     */
    protected String createServiceUrl(final HttpServletRequest request,
                                      final HttpServletResponse response) {
        //自定义方法
        String service = getService(request);
        this.serviceProperties.setService(service);
        return CommonUtils.constructServiceUrl(null, response,
                service, null,
                this.serviceProperties.getArtifactParameter(),
                this.encodeServiceUrlWithSessionId);
    }

    /**
     * Constructs the Url for Redirection to the CAS server. Default implementation relies
     * on the CAS client to do the bulk of the work.
     *
     * @param serviceUrl the service url that should be included.
     * @return the redirect url. CANNOT be NULL.
     */
    protected String createRedirectUrl(final String serviceUrl) {
        return CommonUtils.constructRedirectUrl(this.loginUrl,
                this.serviceProperties.getServiceParameter(), serviceUrl,
                this.serviceProperties.isSendRenew(), false);
    }

    /**
     * Template method for you to do your own pre-processing before the redirect occurs.
     *
     * @param request the HttpServletRequest
     * @param response the HttpServletResponse
     */
    protected void preCommence(final HttpServletRequest request,
                               final HttpServletResponse response) {

    }

    /**
     * The enterprise-wide CAS login URL. Usually something like
     * <code>https://www.mycompany.com/cas/login</code>.
     *
     * @return the enterprise-wide CAS login URL
     */
    public final String getLoginUrl() {
        return this.loginUrl;
    }

    public final ServiceProperties getServiceProperties() {
        return this.serviceProperties;
    }

    public final void setLoginUrl(final String loginUrl) {
        this.loginUrl = loginUrl;
    }

    public final void setServiceProperties(final ServiceProperties serviceProperties) {
        this.serviceProperties = serviceProperties;
    }

    /**
     * Sets whether to encode the service url with the session id or not.
     *
     * @param encodeServiceUrlWithSessionId whether to encode the service url with the
     * session id or not.
     */
    public final void setEncodeServiceUrlWithSessionId(
            final boolean encodeServiceUrlWithSessionId) {
        this.encodeServiceUrlWithSessionId = encodeServiceUrlWithSessionId;
    }

    /**
     * Sets whether to encode the service url with the session id or not.
     * @return whether to encode the service url with the session id or not.
     *
     */
    protected boolean getEncodeServiceUrlWithSessionId() {
        return this.encodeServiceUrlWithSessionId;
    }

    /**
     * 根据请求url设置服务地址,即域名
     *
     */
    private String getService(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        if (url.contains("www.alibabagroup.com")) {
            return programVariable.getAliServiceName() + "/login";
        } else if (url.contains("www.tencent.com") ) {
            return programVariable.getTencentServerName() + "/login";
        } else {
            return casServerProperties.getServerName() + "/login";
        }
    }
}

输入账号密码后,客户端获得ticket票据,还需要到cas服务器进行验证,这里需要访问应用服务地址,也需要和一开始输入的url是同一个域名,否则会报错。我定义的类MDCasServiceTicketValidator实现了TicketValidator接口,主要是汇总了Cas20ServiceTicketValidator及其父类AbstractCasProtocolUrlBasedTicketValidator中的内容。重写validate方法,目的是动态修改validationUrl,修改的逻辑和上面描述的一样。
package com.xxx.handler.multidomain;

import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import com.xxx.config.CasServerProperties;
import com.xxx.util.ProgramVariable;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.proxy.Cas20ProxyRetriever;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.proxy.ProxyRetriever;
import org.jasig.cas.client.ssl.HttpURLConnectionFactory;
import org.jasig.cas.client.ssl.HttpsURLConnectionFactory;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.util.XmlUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jasig.cas.client.validation.TicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * author:lgq
 * date:2022-1-1
 */
public class MDCasServiceTicketValidator implements TicketValidator {
    @Resource
    private ProgramVariable programVariable;

    @Resource
    private CasServerProperties casServerProperties;

    protected final Logger logger = LoggerFactory.getLogger(getClass());
    /** The CAS 2.0 protocol proxy callback url. */
    private String proxyCallbackUrl;

    /** The storage location of the proxy granting tickets. */
    private ProxyGrantingTicketStorage proxyGrantingTicketStorage;

    /** Implementation of the proxy retriever. */
    private ProxyRetriever proxyRetriever;

    /**
     * Prefix for the CAS server.   Should be everything up to the url endpoint, including the /.
     *
     * i.e. https://cas.rutgers.edu/
     */
    private final String casServerUrlPrefix;

    /**
     * URLConnection factory instance to use when making validation requests to the CAS server.
     * Defaults to {@link HttpsURLConnectionFactory}
     */
    private HttpURLConnectionFactory urlConnectionFactory = new HttpsURLConnectionFactory();

    /**
     * Whether the request include a renew or not.
     */
    private boolean renew;

    /**
     * A map containing custom parameters to pass to the validation url.
     */
    private Map<String, String> customParameters;

    private String encoding;

    /**
     * Constructs an instance of the CAS 2.0 Service Ticket Validator with the supplied
     * CAS server url prefix.
     *
     * @param casServerUrlPrefix the CAS Server URL prefix.
     */
    public MDCasServiceTicketValidator(final String casServerUrlPrefix) {
        CommonUtils.assertNotNull(casServerUrlPrefix, "casServerUrlPrefix cannot be null.");
        this.casServerUrlPrefix = CommonUtils.addTrailingSlash(casServerUrlPrefix);
        this.proxyRetriever = new Cas20ProxyRetriever(casServerUrlPrefix, getEncoding(), getURLConnectionFactory());
    }

    /**
     * Adds the pgtUrl to the list of parameters to pass to the CAS server.
     *
     * @param urlParameters the Map containing the existing parameters to send to the server.
     */
    protected final void populateUrlAttributeMap(final Map<String, String> urlParameters) {
        urlParameters.put("pgtUrl", this.proxyCallbackUrl);
    }

    protected String getUrlSuffix() {
        return "serviceValidate";
    }

    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
        final String error = parseAuthenticationFailureFromResponse(response);

        if (CommonUtils.isNotBlank(error)) {
            throw new TicketValidationException(error);
        }

        final String principal = parsePrincipalFromResponse(response);
        final String proxyGrantingTicketIou = parseProxyGrantingTicketFromResponse(response);

        final String proxyGrantingTicket;
        if (CommonUtils.isBlank(proxyGrantingTicketIou) || this.proxyGrantingTicketStorage == null) {
            proxyGrantingTicket = null;
        } else {
            proxyGrantingTicket = this.proxyGrantingTicketStorage.retrieve(proxyGrantingTicketIou);
        }

        if (CommonUtils.isEmpty(principal)) {
            throw new TicketValidationException("No principal was found in the response from the CAS server.");
        }

        final Assertion assertion;
        final Map<String, Object> attributes = extractCustomAttributes(response);
        if (CommonUtils.isNotBlank(proxyGrantingTicket)) {
            final AttributePrincipal attributePrincipal = new AttributePrincipalImpl(principal, attributes,
                    proxyGrantingTicket, this.proxyRetriever);
            assertion = new AssertionImpl(attributePrincipal);
        } else {
            assertion = new AssertionImpl(new AttributePrincipalImpl(principal, attributes));
        }

        customParseResponse(response, assertion);

        return assertion;
    }

    protected String parseProxyGrantingTicketFromResponse(final String response) {
        return XmlUtils.getTextForElement(response, "proxyGrantingTicket");
    }

    protected String parsePrincipalFromResponse(final String response) {
        return XmlUtils.getTextForElement(response, "user");
    }

    protected String parseAuthenticationFailureFromResponse(final String response) {
        return XmlUtils.getTextForElement(response, "authenticationFailure");
    }

    /**
     * Default attribute parsing of attributes that look like the following:
     * &lt;cas:attributes&gt;
     *  &lt;cas:attribute1&gt;value&lt;/cas:attribute1&gt;
     *  &lt;cas:attribute2&gt;value&lt;/cas:attribute2&gt;
     * &lt;/cas:attributes&gt;
     * <p>
     *
     * Attributes look like following also parsed correctly:
     * &lt;cas:attributes&gt;&lt;cas:attribute1&gt;value&lt;/cas:attribute1&gt;&lt;cas:attribute2&gt;value&lt;
     * /cas:attribute2&gt;&lt;/cas:attributes&gt;
     * <p>
     *
     * This code is here merely for sample/demonstration purposes for those wishing to modify the CAS2 protocol.  You'll
     * probably want a more robust implementation or to use SAML 1.1
     *
     * @param xml the XML to parse.
     * @return the map of attributes.
     */
    protected Map<String, Object> extractCustomAttributes(final String xml) {
        final SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        try {
            final SAXParser saxParser = spf.newSAXParser();
            final XMLReader xmlReader = saxParser.getXMLReader();
            final MDCasServiceTicketValidator.CustomAttributeHandler handler = new MDCasServiceTicketValidator.CustomAttributeHandler();
            xmlReader.setContentHandler(handler);
            xmlReader.parse(new InputSource(new StringReader(xml)));
            return handler.getAttributes();
        } catch (final Exception e) {
            logger.error(e.getMessage(), e);
            return Collections.emptyMap();
        }
    }

    /**
     * Template method if additional custom parsing (such as Proxying) needs to be done.
     *
     * @param response the original response from the CAS server.
     * @param assertion the partially constructed assertion.
     * @throws TicketValidationException if there is a problem constructing the Assertion.
     */
    protected void customParseResponse(final String response, final Assertion assertion)
            throws TicketValidationException {
        // nothing to do
    }

    public final void setProxyCallbackUrl(final String proxyCallbackUrl) {
        this.proxyCallbackUrl = proxyCallbackUrl;
    }

    public final void setProxyGrantingTicketStorage(final ProxyGrantingTicketStorage proxyGrantingTicketStorage) {
        this.proxyGrantingTicketStorage = proxyGrantingTicketStorage;
    }

    public final void setProxyRetriever(final ProxyRetriever proxyRetriever) {
        this.proxyRetriever = proxyRetriever;
    }

    protected final String getProxyCallbackUrl() {
        return this.proxyCallbackUrl;
    }

    protected final ProxyGrantingTicketStorage getProxyGrantingTicketStorage() {
        return this.proxyGrantingTicketStorage;
    }

    protected final ProxyRetriever getProxyRetriever() {
        return this.proxyRetriever;
    }

    /**
     *
     */
    private class CustomAttributeHandler extends DefaultHandler {

        private Map<String, Object> attributes;

        private boolean foundAttributes;

        private String currentAttribute;

        private StringBuilder value;

        @Override
        public void startDocument() throws SAXException {
            this.attributes = new HashMap<String, Object>();
        }

        @Override
        public void startElement(final String namespaceURI, final String localName, final String qName,
                                 final Attributes attributes) throws SAXException {
            if ("attributes".equals(localName)) {
                this.foundAttributes = true;
            } else if (this.foundAttributes) {
                this.value = new StringBuilder();
                this.currentAttribute = localName;
            }
        }

        @Override
        public void characters(final char[] chars, final int start, final int length) throws SAXException {
            if (this.currentAttribute != null) {
                value.append(chars, start, length);
            }
        }

        @Override
        public void endElement(final String namespaceURI, final String localName, final String qName)
                throws SAXException {
            if ("attributes".equals(localName)) {
                this.foundAttributes = false;
                this.currentAttribute = null;
            } else if (this.foundAttributes) {
                final Object o = this.attributes.get(this.currentAttribute);

                if (o == null) {
                    this.attributes.put(this.currentAttribute, this.value.toString());
                } else {
                    final List<Object> items;
                    if (o instanceof List) {
                        items = (List<Object>) o;
                    } else {
                        items = new LinkedList<Object>();
                        items.add(o);
                        this.attributes.put(this.currentAttribute, items);
                    }
                    items.add(this.value.toString());
                }
            }
        }

        public Map<String, Object> getAttributes() {
            return this.attributes;
        }
    }

    protected final String getEncoding() {
        return this.encoding;
    }

    protected HttpURLConnectionFactory getURLConnectionFactory() {
        return this.urlConnectionFactory;
    }

    /**
     * Constructs the URL to send the validation request to.
     *
     * @param ticket the ticket to be validated.
     * @param serviceUrl the service identifier.
     * @return the fully constructed URL.
     */
    protected final String constructValidationUrl(final String ticket, final String serviceUrl) {
        final Map<String, String> urlParameters = new HashMap<String, String>();

        logger.debug("Placing URL parameters in map.");
        urlParameters.put("ticket", ticket);
        urlParameters.put("service", serviceUrl);

        if (this.renew) {
            urlParameters.put("renew", "true");
        }

        logger.debug("Calling template URL attribute map.");
        populateUrlAttributeMap(urlParameters);

        logger.debug("Loading custom parameters from configuration.");
        if (this.customParameters != null) {
            urlParameters.putAll(this.customParameters);
        }

        final String suffix = getUrlSuffix();
        final StringBuilder buffer = new StringBuilder(urlParameters.size() * 10 + this.casServerUrlPrefix.length()
                + suffix.length() + 1);

        int i = 0;

        buffer.append(this.casServerUrlPrefix);
        buffer.append(suffix);

        for (Map.Entry<String, String> entry : urlParameters.entrySet()) {
            final String key = entry.getKey();
            final String value = entry.getValue();

            if (value != null) {
                buffer.append(i++ == 0 ? "?" : "&");
                buffer.append(key);
                buffer.append("=");
                final String encodedValue = encodeUrl(value);
                buffer.append(encodedValue);
            }
        }

        return buffer.toString();

    }

    /**
     * Encodes a URL using the URLEncoder format.
     *
     * @param url the url to encode.
     * @return the encoded url, or the original url if "UTF-8" character encoding could not be found.
     */
    protected final String encodeUrl(final String url) {
        if (url == null) {
            return null;
        }

        try {
            return URLEncoder.encode(url, "UTF-8");
        } catch (final UnsupportedEncodingException e) {
            return url;
        }
    }

    /**
     * Retrieves the response from the server by opening a connection and merely reading the response.
     */
    protected final String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
        return CommonUtils.getResponseFromServer(validationUrl, getURLConnectionFactory(), getEncoding());
    }

    /**
     * Contacts the CAS Server to retrieve the response for the ticket validation.
     *
     * @param ticket the ticket to validate.
     * @return the response from the CAS server.
     * 改造方法,动态获取validationUrl
     */

    public final Assertion validate(final String ticket, final String service) throws TicketValidationException {
        ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        HttpServletRequest request = attributes.getRequest();
        String url = request.getRequestURL().toString();
        String serviceUrl;
        if (url.contains("www.alibabagroup.com")) {
            serviceUrl = programVariable.getAliServiceName() + "/login";
        } else if (url.contains("www.tencent.com") ) {
            serviceUrl = programVariable.getTencentServerName() + "/login";
        } else {
            serviceUrl = casServerProperties.getServerName() + "/login";
        }
        final String validationUrl = constructValidationUrl(ticket, serviceUrl);
        logger.debug("Constructing validation url: {}", validationUrl);

        try {
            logger.debug("Retrieving response from server.");
            final String serverResponse = retrieveResponseFromServer(new URL(validationUrl), ticket);

            if (serverResponse == null) {
                throw new TicketValidationException("The CAS server returned no response.");
            }

            logger.debug("Server response: {}", serverResponse);

            return parseResponseFromServer(serverResponse);
        } catch (final MalformedURLException e) {
            throw new TicketValidationException(e);
        }
    }

    public final void setRenew(final boolean renew) {
        this.renew = renew;
    }

    public final void setCustomParameters(final Map<String, String> customParameters) {
        this.customParameters = customParameters;
    }

    public final void setEncoding(final String encoding) {
        this.encoding = encoding;
    }

    protected final boolean isRenew() {
        return this.renew;
    }

    protected final String getCasServerUrlPrefix() {
        return this.casServerUrlPrefix;
    }

    protected final Map<String, String> getCustomParameters() {
        return this.customParameters;
    }

    public void setURLConnectionFactory(final HttpURLConnectionFactory urlConnectionFactory) {
        this.urlConnectionFactory = urlConnectionFactory;
    }
}

最后是登出的处理,登出完成后再登录还需要访问之前的域名,因此需要动态获取登出后重定向的地址。自定义类MDSimpleUrlLogoutSuccessHandler模仿SimpleUrlLogoutSuccessHandler类(默认类),只有一个方法,即重写onLogoutSuccess方法。动态获取地址的逻辑和上面一样。

package com.xxx.handler.multidomain;

import java.io.IOException;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.xxx.util.ProgramVariable;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * author:lgq
 * date:2022-1-1
 */
public class MDSimpleUrlLogoutSuccessHandler extends
        AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {
    @Resource
    private ProgramVariable programVariable;

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        String targetUrl;
        String url = request.getRequestURL().toString();
        if (url.contains("www.alibabagroup.com")) {
            targetUrl = programVariable.getAliServiceName() + "/login";
        } else if (url.contains("www.tencent.com") ) {
            targetUrl = programVariable.getTencentServerName() + "/login";
        } else {
            targetUrl = casServerProperties.getServerName() + "/login";
        }
        if (response.isCommitted()) {
            logger.debug("Response has already been committed. Unable to redirect to "
                    + targetUrl);
            return;
        }

        getRedirectStrategy().sendRedirect(request, response, targetUrl);
    }
}

lgq2016
关注
多租户代码 根据域名切换
01-19
多租户代码 根据域名切换
多租户saas 架构_碧桂园DevOps平台多租户SAAS架构设计思考与分析
weixin_39761481的博客
12-14 1084
随着公司的信息化建设快速发展,也随着业务不断地扩展,DevOps平台陆续接入了数管中心、博智林机器人、基础院、信管院、研究院等诸多子公司的业务系统,平台后续还会持续接入更多子公司业务,其中部分子公司为防止数据/代码泄漏,对安全性要求非常严格。此外,笔者心中和领导有着一个共同的建设蓝图(将整个DevOps运维服务打包做成商务化),为避免每一个子公司部署一套DevOps平台,...
CSA实现单点登录原理详解 ,如何判断访问不同域名时用户是否登录
Sunny__wei的博客
06-04 1629
原理图 www.cas.client.com为cas客户端,也就是用户要访问的资源所在,www.cas.server.com为cas服务端,是单点登录的认证中心。 图中各步骤拆解说明: ①:首先用户访问www.cas.client.com,cas客户端收到请求判断用户是否登录。判断过程在AuthenticationFilter过滤器中进行。AuthenticationFilter主要判断用户是否登录,未登录则重定向到登录页面。 那么是如何验证用户是否登录过呢? 如果session中包含“const_cas
Spring Boot 构建多租户SaaS平台核心技术指南
weixin_34008805的博客
05-26 2626
本次教程所涉及到的源码已上传至Github,如果你不需要继续阅读下面的内容,你可以直接点击此链接获取源码内容。github.com/ramostear/u… 1. 概述 笔者从2014年开始接触SaaS(Software as a Service),即多租户(或多承租)软件应用平台;并一直从事相关领域的架构设计及研发工作。机缘巧合,在笔者本科毕业设计时完成了一个基于SaaS的高效财务管理平台的...
SAAS 租户识别的方案
_
01-30 2182
通过域名(网页url)识别租户 SAAS系统是给租户生成一个指定或者随机的二级域名,比如 baidu.salesforce.com 如果客户想使用自己的域名,可以在cname到系统生成二级域名,并在域名管理系统里面做绑定 这样一个租户可以有两个域名 企业绑定的 saas系统生成的二级域名 这样通过域名识别租户,然后初始化 TenantContext(租户上下文). 如果不想通过域名来识别租户,也可以通过登录名来判断。这种方式要涉及到租户切换问题,不同在同一个浏览器下进行多个企业办公。 ..
建设一个SaaS平台需要知道什么,做什么(附多图)
weixin_54556126的博客
10-10 6982
SaaS是什么 SaaS与传统服务、互联网服务的不同 SaaS作为租户系统,需要为租户(C端)提供注册、购买、业务系统的入口,还得为B端(运营/运维)提供租户管理、流量监控、服务状态监控运维入口,示意图如下: SaaS的服务对象是租户,那么新进入平台未进行服务购买及认证的用户我们暂且称为散户,为了推广平台增加销售成功率,散户登录进入后会跳转进入产品介绍及销售页面,提供详细的产品功能清单及费用信息,提供演示平台供散户进行试用。 传统软件供应商 出售软件及配套设备,将软件部署在客户服务器或客.
云平台多租户实现方案.docx
10-23
【云平台多租户实现方案】是针对云环境中软件应用如何高效、安全地服务于多个独立客户(租户)的一种架构设计。多租户方案旨在确保资源隔离、性能扩展、数据安全以及运维自动化。 1. **多租户模式支持**: - **...
laravel5-multi-tenancy:使用 Laravel 5 的多租户应用程序的起点
06-24
"多租户" 指的是同一个软件系统能够支持多个独立的用户或组织(称为“租户”),每个租户都有自己的数据和配置,互不干扰。在 Web 开发中,这种模式常用于 SaaS(Software as a Service)应用,允许服务提供商以订阅...
c#中实现二级域名完整示例
07-06
在C#中实现二级域名是一项常见的任务,尤其在构建多租户应用或大型网站时,二级域名可以帮助我们为不同用户提供个性化的访问入口。本示例将深入探讨如何在C# Web应用程序中设置和管理二级域名。 首先,我们需要理解...
关于SaaS多租户系统设计的思考
u014203449的博客
09-26 1100
多租户
cas 客户端一个IP对应多个域名
wpeng_1024的博客
08-22 5548
公司的项目比较特殊,一个应用可以用多个域名访问,看上去没什么问题,但是集成cas就存在问题,由于安全框架使用的shiro,shiro与cas的集成也是基于spring 前面   cas-shiro文章中也给出了一个粗略的配置 可以发现casService的地址的需要配置固定的,只能配置一个,如果多个域名就没法处理,同样logoUrl也是一样 ,多域名肯定是哪个域名访问回跳就到哪个域名,但这里提
SSO之CAS单点+Redis(实现不同顶级域名单点登录)
believer
04-07 4817
目录SSO之CAS单点+Redis(实现不同顶级域名单点登录)一、环境准备二、MVT系统、Music系统代码构建并运行2.1、MVT系统代码2.2、Music系统代码2.3、将两个系统运行起来2.4、域名绑定三、CAS系统构建3.1、创建SpringBoot工程3.2、导入依赖3.3、配置文件编写3.3.1、application.yml3.3.2、application-dev.yml3.4、...
多租户saas 架构_saas系统架构经验总结
weixin_39517859的博客
11-12 1602
五年前写在博客园上。一直都有点赞留言,还有人主动让我提供收费咨询。由于比较少去博客园未来所以就转载到这里。----------------------------------------------2B Saas系统最近几年都很火。很多创业公司都在尝试创建企业级别的应用 cRM, HR,销售, Desk Saas系统。很多Saas创业公司也拿了大额风投。毕竟Saas相对传统软件的优势非常明显。 ...
一个nginx代理多个域名并且使用CAS实现单点登录
止境博客
09-18 1947
1.在使用一个nginx代理多个域名并且使用CAS实现单点登录,容易出现的问题是Session混乱造成单点登陆失败。 2.使用一个Nginx代理多个域名配置如下,nginx使用的是80端口,项目使用不同端口配置不同域名。 #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/erro...
FreeSWITCH 启用多域(多租户)的配置\绑域名
irizhao的专栏
09-17 2123
如果将FreeSWITCH用于云端, 支持大规模并发呼叫, 就要用到 多域/多租户 技术了, FreeSWITCH 本身可以直接支持. 每个域可以单独, 拥有相同的分机号也互相打不通, 各自线路, IVR , 路由等不相同. 配置方式如下: 1. conf/vars.xml <X-PRE-PROCESS cmd="set" data="domain=$${local_ip_v4}" /> <X-PRE-PROCESS cmd="set" data="domain_name=...
Mastodon 长毛象多租户:自定义域名、自定义账号别名
最新发布
Willin Wang 的全栈升级指南
05-24 824
假设,Mastodon 主节点域名,我在该域名下拥有一个用户。配置自定义域名后缀支持后,也可以通过搜索到。该配置需要在主节点中设置。假设,Mastodon 主节点域名,我在该域名下拥有一个用户。配置自定义账号别名支持后,可以通过搜索到(即用户名和域名均可自定义)。如果您想要一个属于自己的账号别名,但没有服务器的话,可以参考一下我的发电计划:首先检查环境变量中的配置好重启 Mastodon 服务。如果您想要一个属于自己的账号别名,但没有服务器的话,可以参考一下我的发电计划:该方法理论上来说并不需要在。
基于spring通过多数据源实现多租户应用
bdyz1016的博客
07-10 1351
背景 将您的 web 应用程序转化为多租户 SaaS 解决方案,介绍了将传统应用转化为saas服务时,需要实现多租户模型。 多租户模型.gif 简单来说就是以上三种: 1.租户使用独立的一套应用服务和数据库服务实现思路:每个租户有一个独立的二级域名。通过二级域名访问单独的应用或应用集群,应用访问该租户独立的数据库实例。 2.租户合用一组应用服务和单独的数据库服务实现思路:租户在注册时,会分配一个租户编码。当租户通过统一的域名访问系统时,应用会根据用户的会话ID.
JAVA+Netty根据二级域名实现多租户内网穿透功能【设计实践】
殷长庆的博客
01-29 2043
3、访客通过二级域名访问Nginx(c1.test.com),Nginx转发请求到服务端访客代理接口(16002端口),服务端监听到之后解析二级域名,获取客户端专用连接通道,创建访客ID,然后通过(server-client通道)向客户端发送指令,客户端接收指令后连接到真实服务端口(8080,可根据启动参数修改),连接真实服务成功后,客户端会重新向服务端建立一条连接(访客-server通道),服务端把访客和该通道进行绑定。这三步最终形成了(访客-Nginx-代理-客户端-真实服务)完整的通道。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值