随着接入cas的子系统增多,每个子系统的web.xml中的AuthenticationFilter和Cas30ProxyReceivingTicketValidationFilter都需要配置casServerUrlPrefix和serverName,每次开发和发布来说需要挨个web.xml去修改配置地址,造成了极大不便。受到https://blog.csdn.net/bitree1/article/details/55212283配置的启发,对web.xml中的配置做了如下改造。
web.xml
<!-- cas单点登录集成 -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--该过滤器用于实现单点登出功能,可选配置。 -->
<filter>
<filter-name>casSingleSignOutFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>casSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--该过滤器负责决定对那些request请求进行单点拦截 -->
<filter>
<filter-name>casAuthenticationFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>casAuthenticationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--该过滤器负责对Ticket的校验工作,必须启用它 -->
<filter>
<filter-name>casTicketValidationFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>casTicketValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
该过滤器负责实现HttpServletRequest请求的包裹,
比如允许开发者通过HttpServletRequest的getRemoteUser()方法获得SSO登录用户的登录名,可选配置。
-->
<filter>
<filter-name>casHttpServletRequestWrapperFilter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>casHttpServletRequestWrapperFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。
比如AssertionHolder.getAssertion().getPrincipal().getName()。
-->
<filter>
<filter-name>casAssertionThreadLocalFilter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>casAssertionThreadLocalFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
applicationContext.xml
<!-- cas -->
<bean name="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
<property name="casServerUrlPrefix" value="${cas-server}"/>
</bean>
<bean name="casAuthenticationFilter" class="com.gysoft.sso.filter.CustomAuthenticationFilter">
<property name="serverName" value="${dcp-center}"/>
<property name="casServerLoginUrl" value="${cas-server-login}"/>
</bean>
<bean name="casTicketValidationFilter" class="com.gysoft.sso.filter.CustomCas30ProxyReceivingTicketValidationFilter">
<property name="serverName" value="${dcp-center}"/>
<property name="exceptionOnValidationFailure" value="true"/>
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas30ServiceTicketValidator">
<constructor-arg index="0" value="${cas-server}"/>
</bean>
</property>
</bean>
踩坑总结,前期参照别人的配置没有给CustomCas30ProxyReceivingTicketValidationFilter配置项添加<property name="exceptionOnValidationFailure" value="true"/>属性,造成403错误如下
经查阅源码出现原因为AbstractTicketValidationFilter.doFilter方法的
注意圈中的地方,exceptionOnValidationFailure属性默认配置为false。