Spring Security3 + CAS 配置

首先要创建证书,证书认证一般都是由VeriSign认证, 中文官方网:http://www.verisign.com/cn/ ,由于时间关系,我用keytool自己创建

1、打开cmd窗口

2、创建证书到Z:\YYY:

keytool -genkey -alias XXX -keyalg RSA -keystore Z:/YYY/XXX

(What?XXX、YYY、Z乜意思?你懂的......)

3、导出证书的crt文件到Z:\YYY:

keytool -export -file Z:/YYY/XXX.crt -alias XXX -keystore Z:/YYY/XXX

4、导入证书到JVM

keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file Z:/YYY/XXX.crt -alias XXX

5、检查

keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts | findstr /i XXX

如果出现【XXX, YYYY-M-D, trustedCertEntry】就说明导入成功


第二步,配置CAS Server(版本:3.5.2)

1、打开CAS\WebContent\WEB-INF\deployerConfigContext.xml

2、注释以下代码(这个类只要用户名和密码一致就Pass,所以要注释)

<!-- Accepts any login whose password equals the username (a smoke-test handler); it must be commented out before real users can reach this CAS server. -->
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
3、在注释代码下加上以下代码,从数据库上取得登录信息
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
	<!-- Password lookup goes through the dataSource bean defined in step 4. -->
	<property name="dataSource" ref="dataSource"/>
	<!-- Query taking the login name as its single "?" parameter and returning the stored password digest, e.g.
	     SELECT lower(user_pwd) FROM um_user WHERE (account = ?)
	     (lower() presumably so the stored hex digest compares equal to the encoder's output; verify against the table). -->
	<property name="sql" value="SQL语句"/>
	<!-- Unsalted MD5 from step 5: kept only because the existing user table stores it; MD5 is not a suitable password hash, so plan a migration. -->
	<property name="passwordEncoder" ref="MD5PasswordEncoder"/>
</bean>

4、增加数据源

<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
	<!-- jTDS driver for SQL Server; host, port and database below are placeholders.
	     Per Spring's documentation DriverManagerDataSource opens a fresh JDBC connection on every getConnection() (no pooling): fine for a demo, use a pooled DataSource in production. -->
	<property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
	<property name="url" value="jdbc:jtds:sqlserver://XXX.XXX.XXX.XXX:XXXX/XX"/>
	<!-- NOTE(review): the credentials sit in plaintext inside a deployed WEB-INF file; externalize them to a protected properties file with restricted permissions. -->
	<property name="username" value="username"/>
	<property name="password" value="password"/>
</bean>
5、增加MD5加密转换
<bean id="MD5PasswordEncoder" autowire="byName"
	class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
	<!-- Digest algorithm name handed to DefaultPasswordEncoder's constructor: plain, unsalted MD5, kept only because the legacy user table stores it. -->
	<constructor-arg><value>MD5</value></constructor-arg>
</bean>

6、注释以下代码

<!-- Stub attribute source that appears to answer every user with the three fixed entries below; comment it out, step 7 replaces it with a JDBC-backed bean of the same id. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
	<property name="backingMap">
		<map>
			<entry key="uid" value="uid" />
			<entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 
			<entry key="groupMembership" value="groupMembership" />
		</map>
	</property>
</bean>

7、增加权限设置的取得方法

<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
	<!-- Same dataSource as the authentication handler (step 4). -->
	<constructor-arg index="0"><ref bean="dataSource"/></constructor-arg>
	<!-- Query selecting the user's attribute columns; its "?" parameter is presumably bound from queryAttributeMapping below. -->
	<constructor-arg index="1"><value>SQL语句</value></constructor-arg>
	<property name="queryAttributeMapping">
		<map>
			<!-- The key must be "username"; the value names the database column holding the login name. -->
			<entry key="username" value="account"/>
		</map>
	</property>
	<property name="resultAttributeMapping">
		<map>
			<!-- Column role_name is released as the "authorities" attribute, which the Spring Security client turns into granted authorities. -->
			<entry key="role_name" value="authorities"/>
		</map>
	</property>
</bean>
8、打开CAS\WebContent\WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp

9、在</cas:authenticationSuccess>(大概是最后3行)之前加上以下代码

<%-- Appends the principal's attributes (e.g. "authorities" from attributeRepository) to the CAS 2.0
     validation response; emitted only when at least one attribute is present.
     NOTE(review): every attribute on the principal is released to whichever service validates the
     ticket; confirm the service registry limits attributes per service. --%>
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)> 0}">
	<cas:attributes>
		<c:forEach var="attr" 
			 items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"
			 varStatus="loopStatus"
			 begin="0"
			 end="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)-1}"
			 step="1">
			<%-- The key becomes an element name; escapeXml only escapes <, >, &, and quotes, so a key with
			     spaces or other name-illegal characters still yields malformed XML. Keep keys NCName-safe. --%>
			<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
		</c:forEach>
	</cas:attributes>
</c:if>

第三步,配置Spring Security

<?xml version="1.0" encoding="UTF-8"?>
<!--
	Spring Security 3 client configuration for CAS single sign-on.
	Flow: an unauthenticated request is sent by casEntryPoint to the CAS login page; CAS redirects
	the browser back to the serviceProperties.service URL with a ticket; casFilter passes it to the
	authentication manager, whose casAuthenticationProvider validates it against the CAS server and
	builds the user's authorities from the "authorities" assertion attribute.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
			http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			http://www.springframework.org/schema/security
			http://www.springframework.org/schema/security/spring-security-3.2.xsd"
	default-lazy-init="true">

	<description>Security配置</description>

	<!-- Pages reachable without authentication; the security filter chain is skipped for them. -->
	<security:http pattern="/login.jsp" security="none"/>
	<security:http pattern="/timeout.jsp" security="none"/>

	<!--
		Everything else: unauthenticated requests go to casEntryPoint. The CAS ticket filter takes
		the slot of the form-login filter, and the single sign-out filters are inserted ahead of
		LOGOUT_FILTER / CAS_FILTER so they run first. intercept-url rules match top-down, so the
		specific /pass.jsp rule must stay above the catch-all.
		NOTE(review): logout triggered by a plain link is CSRF-able; Spring Security 3.2's
		<security:csrf/> is not enabled here, consider it before production.
	-->
	<security:http auto-config="false" entry-point-ref="casEntryPoint" servlet-api-provision="true">
		<security:intercept-url pattern="/pass.jsp" access="ROLE_ADMIN"/>
		<security:intercept-url pattern="/**" access="ROLE_USER"/>

		<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
		<security:custom-filter ref="casFilter" position="FORM_LOGIN_FILTER"/>
		<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
	</security:http>

	<!-- Redirects unauthenticated requests to the CAS login page; the service parameter comes from serviceProperties. -->
	<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
		<property name="loginUrl" value="https://localhost:8443/cas/login"/>
		<property name="serviceProperties" ref="serviceProperties"/>
	</bean>

	<!--
		Where CAS sends the browser (with the service ticket) once login succeeds.
		j_spring_cas_security_check is a virtual URL handled by casFilter; renew=false lets CAS
		reuse an existing SSO session.
		NOTE(review): the service URL is plain http while the CAS server is https. Acceptable on
		localhost, but in production it must be https or the ticket crosses the wire in clear.
	-->
	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
		<property name="service" value="http://localhost:8080/satan/j_spring_cas_security_check"/>
		<property name="sendRenew" value="false"/>
	</bean>

	<!-- Receives the redirect from CAS and hands the ticket to the authentication manager. -->
	<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
	</bean>

	<!-- The namespace creates an authentication manager anyway; the alias gives casFilter a bean to reference. -->
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="casAuthenticationProvider"/>
	</security:authentication-manager>

	<!-- Turns the "authorities" attribute released by the CAS server (see the attributeRepository mapping) into Spring Security granted authorities. -->
	<bean id="casAuthenticationUserDetailsService"
		class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
		<constructor-arg>
			<array>
				<value>authorities</value>
			</array>
		</constructor-arg>
	</bean>

	<!-- Validates the ticket against the CAS server and builds the Authentication. -->
	<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
		<property name="authenticationUserDetailsService" ref="casAuthenticationUserDetailsService"/>
		<property name="serviceProperties" ref="serviceProperties"/>
		<property name="ticketValidator">
			<!-- CAS server base URL only: appending /login here makes validation time out. -->
			<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
				<constructor-arg index="0" value="https://localhost:8443/cas"/>
			</bean>
		</property>
		<!-- Marks tokens created by this provider. -->
		<property name="key" value="cas"/>
	</bean>

	<!-- Client-side single sign-out: ends the local session when CAS sends a logout request. -->
	<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

	<!-- Server-side logout: clears the local security context, then sends the browser to the CAS logout URL. -->
	<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
		<constructor-arg value="https://localhost:8443/cas/logout"/>
		<constructor-arg>
			<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
		</constructor-arg>
	</bean>
</beans>
