首先要创建证书,证书认证一般都是由VeriSign认证, 中文官方网:http://www.verisign.com/cn/ ,由于时间关系,我用keytool自己创建
1、打开cmd窗口
2、创建证书到Z:\YYY:
keytool -genkey -alias XXX -keyalg RSA -keystore Z:/YYY/XXX
(What?XXX、YYY、Z乜意思?你懂的......)
3、导出证书的crt文件到Z:\YYY:
keytool -export -file Z:/YYY/XXX.crt -alias XXX -keystore Z:/YYY/XXX
4、导入证书到JVM
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file Z:/YYY/XXX.crt -alias XXX
5、检查
keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts | findstr /i XXX
如果出现【XXX, YYYY-M-D, trustedCertEntry】就说明导入成功
第二步,配置CAS Server(版本:3.5.2)
1、打开CAS\WebContent\WEB-INF\deployerConfigContext.xml
2、注释以下代码(这个类只要用户名和密码一致就Pass,所以要注释)
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
3、在注释代码下加上以下代码,从数据库上取得登录信息
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource"></property>
<property name="sql" value="SQL语句"></property>
<!-- e.g. SELECT lower(user_pwd) FROM um_user WHERE (account = ?)-->
<property name="passwordEncoder" ref="MD5PasswordEncoder"></property>
</bean>
4、增加数据源
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName"><value>net.sourceforge.jtds.jdbc.Driver</value></property>
<property name="url"><value>jdbc:jtds:sqlserver://XXX.XXX.XXX.XXX:XXXX/XX</value></property>
<property name="username"><value>username</value></property>
<property name="password"><value>password</value></property>
</bean>
5、增加MD5加密转换
<bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
<constructor-arg value="MD5" />
</bean>
6、注释以下代码
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>
7、增加权限设置的取得方法
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
<constructor-arg index="0" ref="dataSource" />
<constructor-arg index="1" value="SQL语句" />
<property name="queryAttributeMapping">
<map>
<!--这里的key需写username,value对应数据库用户名字段 -->
<entry key="username" value="account"/>
</map>
</property>
<property name="resultAttributeMapping">
<map>
<!-- 从数据库中获取的角色,用于在应用中security的权限验证 -->
<entry key="role_name" value="authorities"/>
</map>
</property>
</bean>
8、打开CAS\WebContent\WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp
9、在</cas:authenticationSuccess>(大概是最后3行)之前加上以下代码
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)> 0}">
<cas:attributes>
<c:forEach var="attr"
items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"
varStatus="loopStatus"
begin="0"
end="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)-1}"
step="1">
<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
</c:forEach>
</cas:attributes>
</c:if>
第三步,配置Spring Security
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd"
default-lazy-init="true">
<description>Security配置</description>
<security:http pattern="/login.jsp" security="none" />
<security:http pattern="/timeout.jsp" security="none" />
<!-- Enable security, let the casEntryPoint handle all intercepted urls.The CAS_FILTER needs to be in the right position within the filter chain. -->
<security:http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
<security:intercept-url pattern="/pass.jsp" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
<security:custom-filter ref="casFilter" position="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>
<!-- The entryPoint intercepts all the CAS authentication requests.It redirects to the CAS loginUrl for the CAS login page. -->
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas/login"></property><!-- SSO登录地址 -->
<property name="serviceProperties" ref="serviceProperties"></property>
</bean>
<!--This section is used to configure CAS. The service is the actual redirect that will be triggered after the CAS login sequence. -->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- j_spring_cas_security_check spring的虚拟URL,此标志标识使用 CAS authentication upon return from CAS SSO login -->
<property name="service" value="http://localhost:8080/satan/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
<!--
The CAS filter handles the redirect from the CAS server and starts the ticket validation.
-->
<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- Required for the casProcessingFilter, so define it explicitly set and specify an Id Even though the authenticationManager is created by default when namespace based config is used. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<!-- authorities对应 CAS server的 登录属性, 在此设置到spirng security中,用于spring security的验证 -->
<bean id="casAuthenticationUserDetailsService" class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<constructor-arg>
<array>
<value>authorities</value>
</array>
</constructor-arg>
</bean>
<!--
Handles the CAS ticket processing.
-->
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:8443/cas" />
<!-- SSO登录地址,这里不能有/login,否则会报超时! -->
</bean>
</property>
<property name="key" value="cas" />
</bean>
<!-- 注销客户端 -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />
<!-- 注销服务器端 -->
<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="https://localhost:8443/cas/logout" />
<constructor-arg>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</constructor-arg>
</bean>
</beans>