springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (一)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (二)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (三)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (五)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (六)
上篇文章我们使用cas-server和cas-client测试SSO单点登录的功能,本篇文章我们将在springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (二) 这篇文章的基础上改,所以建议先把这篇shiro的配置做好。我们在shiro里集成cas,把它作为cas-client,然后和cas-server一起来测试SSO单点登录的功能。
相比之前文章,这里的改动主要在以下几个方面:
ShiroConfiguration ——> ShiroCasConfiguration:主要是单点登录、登出的相关配置和跳转地址,把shiro-session拿掉,不然单点登出会有问题。
UserShiroRealm ——> UserShiroCasRealm:无需在做登录认证,因为登录认证这一块我们在cas-server里去做,只需做授权即可
ShiroController ——> ShiroCasController:主要是重定向的地址变了
增加pom
<!-- shiro-cas -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cas</artifactId>
<version>1.2.4</version>
</dependency>
ShiroCasConfiguration:
package com.gane.maple.member.config.shiro;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.cas.CasSubjectFactory;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.session.SingleSignOutHttpSessionListener;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @Description TODO
* @Date 2020/4/9 19:58
* @Created by 王弘博
*/
@Configuration
public class ShiroCasConfiguration {
// cas server地址
public static final String casServerUrlPrefix = "https://sso.maple.com:8443/cas";
// Cas登录页面地址
public static final String casLoginUrl = casServerUrlPrefix + "/login";
// Cas登出页面地址
public static final String casLogoutUrl = casServerUrlPrefix + "/logout";
// 当前工程对外提供的服务地址
public static final String shiroServerUrlPrefix = "http://localhost:8081";
// casFilter UrlPattern
public static final String casFilterUrlPattern = "/cas";
// 登录地址
public static final String loginUrl = casLoginUrl + "?service=" + shiroServerUrlPrefix + casFilterUrlPattern;
// 登出地址(casserver启用service跳转功能,需在webapps\cas\WEB-INF\cas.properties文件中启用cas.logout.followServiceRedirects=true)
public static final String logoutUrl = casLogoutUrl + "?service=" + shiroServerUrlPrefix;
// 登录成功地址
public static final String loginSuccessUrl = "/user";
// 权限认证失败跳转地址
public static final String unauthorizedUrl = "/403.html";
@Value("${jedis.pool.host}")
private String host;
@Value("${jedis.pool.port}")
private int port;
/*@Value("${jedis.pool.password}")
private String password;*/
/*@Value("${jedis.pool.database}")
private int database;*/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager defaultSecurityManager = new DefaultWebSecurityManager();
defaultSecurityManager.setRealm(userRealm());
defaultSecurityManager.setCacheManager(cacheManager());
//defaultSecurityManager.setSessionManager(sessionManager());
defaultSecurityManager.setRememberMeManager(rememberMeManager());
defaultSecurityManager.setSubjectFactory(new CasSubjectFactory());
return defaultSecurityManager;
}
@Bean
public UserShiroCasRealm userRealm() {
UserShiroCasRealm userShiroCasRealm = new UserShiroCasRealm();
userShiroCasRealm.setCacheManager(cacheManager());
//userShiroCasRealm.setCredentialsMatcher(hashedCredentialsMatcher());
userShiroCasRealm.setCachingEnabled(false);
userShiroCasRealm.setCasServerUrlPrefix(ShiroCasConfiguration.casServerUrlPrefix);
userShiroCasRealm.setCasService(ShiroCasConfiguration.shiroServerUrlPrefix + ShiroCasConfiguration.casFilterUrlPattern);
return userShiroCasRealm;
}
/**
* 注册单点登出listener
*
* @return
*/
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public ServletListenerRegistrationBean singleSignOutHttpSessionListener() {
ServletListenerRegistrationBean bean = new ServletListenerRegistrationBean();
bean.setListener(new SingleSignOutHttpSessionListener());
bean.setEnabled(true);
return bean;
}
/**
* 注册单点登出filter
*
* @return
*/
@Bean
public FilterRegistrationBean singleSignOutFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setName("singleSignOutFilter");
bean.setFilter(new SingleSignOutFilter());
bean.addUrlPatterns("/*");
bean.setEnabled(true);
return bean;
}
/**
* 注册DelegatingFilterProxy(Shiro)
*
* @return
*/
@Bean
public FilterRegistrationBean delegatingFilterProxy() {
FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
// 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
filterRegistration.addInitParameter("targetFilterLifecycle", "true");
filterRegistration.setEnabled(true);
filterRegistration.addUrlPatterns("/*");
return filterRegistration;
}
/**
* CAS过滤器
*
* @return
*/
@Bean(name = "casFilter")
public CasFilter getCasFilter() {
CasFilter casFilter = new CasFilter();
casFilter.setName("casFilter");
casFilter.setEnabled(true);
// 登录失败后跳转的URL,也就是 Shiro 执行 CasRealm 的 doGetAuthenticationInfo 方法向CasServer验证tiket
casFilter.setFailureUrl(loginUrl);// 我们选择认证失败后再打开登录页面
casFilter.setSuccessUrl(loginSuccessUrl);
return casFilter;
}
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, CasFilter casFilter) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl(loginUrl);
//shiroFilterFactoryBean.setSuccessUrl(loginSuccessUrl);
shiroFilterFactoryBean.setUnauthorizedUrl(unauthorizedUrl);
Map<String, Filter> filters = new HashMap<>();
filters.put("casFilter", casFilter);
shiroFilterFactoryBean.setFilters(filters);
//anon为不用登陆就可以访问的,authc 是必须登陆才可以访问,filterChainDefinitionMap.put("/**", "authc") 这个一定要放在最后
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
//1.shiro集成cas后,首先添加该规则
filterChainDefinitionMap.put(casFilterUrlPattern, "casFilter");
filterChainDefinitionMap.put("/logout", "anon");
filterChainDefinitionMap.put("/login", "anon");
//filterChainDefinitionMap.put("/index", "anon");
filterChainDefinitionMap.put("/**", "authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
/**
* 给static,不然Redis注入不进来
*
* @return
*/
@Bean
public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions)
* 需借助SpringAOP扫描使用Shiro注解的类,并在必要时进行安全逻辑验证
* 配置以下两个bean(DefaultAdvisorAutoProxyCreator(可选)和
* AuthorizationAttributeSourceAdvisor)即可实现此功能
*/
@Bean
@DependsOn({"lifecycleBeanPostProcessor"})
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager());
return authorizationAttributeSourceAdvisor;
}
/**
* 用户注册的时候,程序将明文通过加密方式加密,存到数据库的是密文,
* 登录时将密文取出来,再通过shiro将用户输入的密码进行加密对比,一样则成功,不一样则失败。
*
* @return
*/
/*@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashAlgorithmName("md5");//散列算法:这里使用md5算法;
hashedCredentialsMatcher.setHashIterations(1024);//散列的次数,比如散列两次,相当于 md5( md5(""));
return hashedCredentialsMatcher;
}*/
/**
* cacheManager 缓存 redis实现
* 使用的是shiro-redis开源插件
*
* @return
*/
@Bean
public RedisCacheManager cacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
return redisCacheManager;
}
/**
* 配置shiro redisManager
* 使用的是shiro-redis开源插件
*
* @return
*/
@Bean
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost(host);
redisManager.setPort(port);
//redisManager.setPassword(password);
//redisManager.setDatabase(database);
return redisManager;
}
/**
* Session Manager
* 使用的是shiro-redis开源插件
*/
/*@Bean
public DefaultWebSessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionDAO(redisSessionDAO());
return sessionManager;
}*/
/**
* RedisSessionDAO shiro sessionDao层的实现 通过redis
* 使用的是shiro-redis开源插件
*/
/*@Bean
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
return redisSessionDAO;
}*/
/**
* 记住我
*
* @return
*/
@Bean
public CookieRememberMeManager rememberMeManager() {
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
//rememberme cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位),通过以下代码可以获取
//KeyGenerator keygen = KeyGenerator.getInstance("AES");
//SecretKey deskey = keygen.generateKey();
//System.out.println(Base64.encodeToString(deskey.getEncoded()));
byte[] cipherKey = Base64.decode("wGiHplamyXlVB11UXWol8g==");
cookieRememberMeManager.setCipherKey(cipherKey);
cookieRememberMeManager.setCookie(rememberMeCookie());
return cookieRememberMeManager;
}
@Bean
public SimpleCookie rememberMeCookie() {
//这个参数是cookie的名称,对应前端的checkbox的name = rememberMe
SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
//如果httyOnly设置为true,则客户端不会暴露给客户端脚本代码,使用HttpOnly cookie有助于减少某些类型的跨站点脚本攻击;
simpleCookie.setHttpOnly(true);
//记住我cookie生效时间,默认30天 ,单位秒:60 * 60 * 24 * 30
simpleCookie.setMaxAge(60 * 60 * 7);
return simpleCookie;
}
}
UserShiroCasRealm:
package com.gane.maple.member.config.shiro;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cas.CasRealm;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
/**
* @Description UserShiroCasRealm
* @Date 2020/4/9 19:59
* @Created by 王弘博
*/
public class UserShiroCasRealm extends CasRealm {
/**
* 权限授权
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//表明当前登录者的角色(真实项目中这里会去查询DB,拿到用户的角色,存到redis里)
info.addRole("admin");
//表明当前登录者的角色(真实项目中这里会去查询DB,拿到该角色的资源权限,存到redis里)
info.addStringPermission("admin:manage");
return info;
}
/**
* 登录认证
*
* @param authenticationToken
* @return
*/
/*@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
*//*UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
//通过token去查询DB,获取用户的密码,这里密码直接写死
User user = new User();
user.setUsername(token.getUsername());
return new SimpleAuthenticationInfo(user, "26bfdfe8689183e9235b1f0beb7a6f46",
ByteSource.Util.bytes(user.getUsername()), getName());*//*
}*/
/**
* 密码(123456) + salt(maple),得出存进数据库里的密码:26bfdfe8689183e9235b1f0beb7a6f46
*
* @param args
*/
public static void main(String[] args) {
String hashAlgorithName = "MD5";
String password = "123456";
int hashIterations = 1024;//加密次数
ByteSource credentialsSalt = ByteSource.Util.bytes("maple");
SimpleHash simpleHash = new SimpleHash(hashAlgorithName, password, credentialsSalt, hashIterations);
String s = simpleHash.toHex();
System.out.println(s);
}
}
ShiroCasController:主要是登录/登出的重定向地址变了
package com.gane.maple.member.controller;
import com.gane.maple.member.config.shiro.ShiroCasConfiguration;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import javax.servlet.http.HttpServletRequest;
/**
* @Description TODO
* @Date 2020/4/9 18:49
* @Created by 王弘博
*/
@Controller
public class ShiroCasController {
private static final Logger logger = LoggerFactory.getLogger(ShiroCasController.class);
@GetMapping("/index")
public String index(HttpServletRequest request, Model model) {
System.out.println(request.getUserPrincipal().getName());
System.out.println(SecurityUtils.getSubject().getPrincipal());
model.addAttribute("userName", "maple");
return "/index";
}
@GetMapping("/user")
public String user(Model model) {
model.addAttribute("userName", "maple");
return "/user";
}
@RequiresPermissions("admin:manage")
@GetMapping("/manage")
public String manage(Model model) {
model.addAttribute("userName", "maple");
return "/user_manage";
}
@RequiresPermissions("admin:query")
@GetMapping("/query")
public String query(Model model) {
model.addAttribute("userName", "maple");
return "/user_query";
}
@GetMapping("/login")
public String login(Model model) {
model.addAttribute("userName", "maple");
//return "/login";
return "redirect:" + ShiroCasConfiguration.loginUrl;
}
@PostMapping("/login")
public String login(String username, String password) {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password, true);
try {
logger.info("对用户[" + username + "]进行登录验证..验证开始");
subject.login(token);
logger.info("对用户[" + username + "]进行登录验证..验证通过");
} catch (UnknownAccountException uae) {
logger.info("对用户[" + username + "]进行登录验证..验证未通过,未知账户");
} catch (IncorrectCredentialsException ice) {
logger.info("对用户[" + username + "]进行登录验证..验证未通过,错误的凭证");
} catch (LockedAccountException lae) {
logger.info("对用户[" + username + "]进行登录验证..验证未通过,账户已锁定");
} catch (ExcessiveAttemptsException eae) {
logger.info("对用户[" + username + "]进行登录验证..验证未通过,错误次数过多");
} catch (AuthenticationException ae) {
logger.info("对用户[" + username + "]进行登录验证..验证未通过,堆栈轨迹如下");
ae.printStackTrace();
}
if (subject.isAuthenticated()) {
logger.info("用户[" + username + "]登录认证通过(这里可以进行一些认证通过后的一些系统参数初始化操作)");
return "redirect:/user";
}
token.clear();
return "redirect:/login";
}
@GetMapping("/logout")
public String logout() {
/*Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated()) {
subject.logout();
}*/
//return "redirect:/login";
return "redirect:" + ShiroCasConfiguration.logoutUrl;
}
@GetMapping("/403")
public String unauthorizedRole() {
logger.info("------没有权限-------");
return "403";
}
}
测试:
1、我们输入http://localhost:8081/index,由于没有登录,我们将会跳到 cas-server的登录界面去登录,登录成功之后
跳转到:
输入默认账号密码:casuser/Mellon
2、我们输入登出地址:http://localhost:8081/logout,发现调到cas-server的登录功能
3、我们再次访问http://localhost:8081/index,因为登出成功了,所以这个时候又跳转到登录页面了
ok,至此,SSO单点登录测试完成。
下篇文章我们将cas-server进行改造,因为我们现在登录的账号都是casuser/Mellon,实际项目中,都是用户输入自己的账号密码,然后我们去DB里校验是否正确的。
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (一)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (二)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (三)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (五)
springboot + shiro + cas 实现 登录 + 授权 + sso单点登录 (六)