CAS Single Sign-On Configuration
I've been working on this single sign-on setup for the past few days, and today it has finally come to a stopping point. Below is my own configuration process; if anything is wrong, please point it out. Most of it was configured by following articles found online, and part of it I worked out myself through repeated debugging.
1. Server configuration:
A. Modify the deployerConfigContext.xml configuration
a). Add a data source bean, using SQL Server as the example:
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
  <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver" />
  <property name="url" value="jdbc:sqlserver://localhost:1433;DatabaseName=Tsinghua" />
  <property name="username" value="sa" />
  <property name="password" value="111111" />
</bean>
b). Modify the authentication handler configuration of authenticationManager:
Replace the default SimpleTestUsernamePasswordAuthenticationHandler with org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler:
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <property name="sql" value="select password from userInfo where userName = ?" />
</bean>
dataSource: refers to the data source bean configured above.
sql: the SQL statement to execute; it takes the username as its single bound parameter and must return the stored password, which the handler compares with the submitted one.
You can also define your own authentication bean; it must extend AbstractJdbcUsernamePasswordAuthenticationHandler. If you use a custom authentication handler, replace SimpleTestUsernamePasswordAuthenticationHandler with the class name of your own handler class.
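As an added example of such a custom handler (my own illustration, not code from the original post or from the CAS project), the class below extends AbstractJdbcUsernamePasswordAuthenticationHandler. Rather than comparing the submitted password with the raw value the SQL returns, as QueryDatabaseAuthenticationHandler does with its default plain-text password encoder, it reads a per-user salt and a SHA-256 hash, recomputes the hash and compares it in constant time. The table layout it assumes (columns userName, salt and passwordHash holding lower-case hex of SHA-256(salt + password)) is an assumption of this example, not something the page describes.

```java
package com.example.sso.auth; // hypothetical package, not part of the original post

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

import org.jasig.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.springframework.dao.IncorrectResultSizeDataAccessException;

/**
 * Custom JDBC handler: looks up a per-user salt and hash, recomputes the hash of the
 * submitted password and compares in constant time.
 * Assumed schema (not from the original page): table userInfo with columns
 * userName, salt and passwordHash (lower-case hex of SHA-256(salt + password)).
 */
public final class SaltedHashJdbcAuthenticationHandler
        extends AbstractJdbcUsernamePasswordAuthenticationHandler {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Parameterised lookup: the username is bound as a JDBC parameter, never concatenated. */
    private String sql = "select salt, passwordHash from userInfo where userName = ?";

    public void setSql(final String sql) {
        this.sql = sql;
    }

    @Override
    protected boolean authenticateUsernamePasswordInternal(
            final UsernamePasswordCredentials credentials) throws AuthenticationException {
        final String username = credentials.getUsername();
        final String password = credentials.getPassword();
        if (username == null || password == null) {
            return false;
        }
        try {
            final Map<String, Object> row = getJdbcTemplate().queryForMap(this.sql, username);
            final byte[] expected = hexToBytes(String.valueOf(row.get("passwordHash")));
            final byte[] actual = sha256(String.valueOf(row.get("salt")) + password);
            // MessageDigest.isEqual compares in constant time, so a wrong guess costs the
            // same whether it diverges in the first byte or the last.
            return MessageDigest.isEqual(expected, actual);
        } catch (final IncorrectResultSizeDataAccessException e) {
            // No such user (or more than one row): fail closed, indistinguishable from a bad password.
            return false;
        }
    }

    static byte[] sha256(final String input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input.getBytes(UTF8));
        } catch (final NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    static byte[] hexToBytes(final String hex) {
        final byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Wire it into deployerConfigContext.xml in place of the QueryDatabaseAuthenticationHandler bean, with the same dataSource property. A salted SHA-256 is used here only to keep the example free of extra dependencies; a deliberately slow password hash such as bcrypt or PBKDF2 is the stronger choice for stored passwords.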
c). Modify the attributeRepository bean configuration:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
  <constructor-arg index="0" ref="dataSource" />
  <constructor-arg index="1" value="select * from userinfo where {0}" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="username" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="username" value="username1" />
      <entry key="password" value="password1" />
    </map>
  </property>
</bean>
queryAttributeMapping: configures the query condition that fills the {0} placeholder in the SQL statement.
resultAttributeMapping: configures the attributes returned to the client; the key is the database column name and the value is the attribute name the client receives.
d). Modify the bean authenticationManager -> credentialsToPrincipalResolvers -> org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver, injecting attributeRepository:
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
  <property name="attributeRepository" ref="attributeRepository" />
</bean>
B). Modify the page that returns the parameters after successful validation, WEB-INF -> View -> jsp -> protocol -> 2.0 -> casServiceValidationSuccess.jsp, and add the following under the <cas:authenticationSuccess> node:
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
  <cas:attributes>
    <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
      <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
    </c:forEach>
  </cas:attributes>
</c:if>
Note: the line <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}> must be kept on a single line; a line break inside it can cause XML parsing problems on the client side.
C). Modify part of the org.jasig.cas.CentralAuthenticationServiceImpl class so that every attribute of the principal is released, rather than only those listed for the registered service. Change
for (final String attribute : registeredService.getAllowedAttributes()) {
to:
for (final String attribute : principal.getAttributes().keySet()) {
    final Object value = principal.getAttributes().get(attribute);
    if (value != null) {
        attributes.put(attribute, value);
    }
}
2. Client configuration
A). Modify the web.xml file and add the filters:
<context-param>
  <param-name>serverName</param-name>
  <param-value>localhost</param-value>
</context-param>
<!-- Single sign-out listener: this section must be placed before all other filters and listeners -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>
    org.jasig.cas.client.session.SingleSignOutFilter
  </filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>
    org.jasig.cas.client.session.SingleSignOutHttpSessionListener
  </listener-class>
</listener>
<!-- Single sign-out listener End -->
<!-- Authentication filters -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>
    org.jasig.cas.client.authentication.AuthenticationFilter
  </filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://www.jacas.com:8443/Dhcc_SSO_Server_V1.0/login</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>
    org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
  </filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://www.jacas.com:8443/Dhcc_SSO_Server_V1.0</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>
    org.jasig.cas.client.util.HttpServletRequestWrapperFilter
  </filter-class>
</filter>
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>
    org.jasig.cas.client.util.AssertionThreadLocalFilter
  </filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Authentication filters End -->
Note: if you go directly to the CAS logout URL, the "logout successful" page is shown. In most cases this page is unnecessary; the more common requirement is to show the login page after logging out, and to land back in the business system you came from after the next successful login. To get that, edit cas-servlet.xml and add the property "followServiceRedirects", set to "true", to the "logoutController" bean; then add a "service" parameter, whose value is the absolute URL of the business system, to the business system's logout link.
For example, if your business system URL is http://localhost/Test3
and your authentication server URL is https://www.jacas.com:8443/CasServer,
then the logout URL is https://www.jacas.com:8443/CasServer/logout?service=http://localhost/Test3
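The servlet below is an added example of the client side of this setup (my own illustration, not code from the original post or from the CAS client project). It sits behind the filter chain configured in web.xml above, where HttpServletRequestWrapperFilter makes request.getUserPrincipal() return a CAS AttributePrincipal carrying the <cas:attributes> the server released, and it builds the logout link with the service parameter described in the note above. Two points worth noting: with the resultAttributeMapping in step c) and the CentralAuthenticationServiceImpl change in step C), the server releases every principal attribute, including the password column as password1, to every client, so the servlet keeps only the attributes it actually uses (the better fix is not to map the password column at all); and the service URL is built from the application's own request data rather than taken from a parameter, so the post-logout redirect can only point back at this application. The package name, the servlet class and the USED_ATTRIBUTES set are assumptions of this example.

```java
package com.example.sso.client; // hypothetical package, not part of the original post

import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.authentication.AttributePrincipal;

/**
 * Example servlet behind the CAS filter chain: reads the released attributes from the
 * AttributePrincipal and renders a logout link that returns the browser to this application.
 */
public class ProfileServlet extends HttpServlet {

    /** CAS server prefix; same value as casServerUrlPrefix in web.xml above. */
    private static final String CAS_SERVER_URL_PREFIX = "https://www.jacas.com:8443/Dhcc_SSO_Server_V1.0";

    /** Attributes this application actually uses (assumed); anything else released, e.g. password1, is dropped. */
    private static final Set<String> USED_ATTRIBUTES = new HashSet<String>(Arrays.asList("username1"));

    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
            throws ServletException, IOException {
        final Principal p = req.getUserPrincipal(); // wrapped by HttpServletRequestWrapperFilter
        if (!(p instanceof AttributePrincipal)) {
            // The authentication filter should already have redirected; fail closed anyway.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final AttributePrincipal principal = (AttributePrincipal) p;
        @SuppressWarnings("unchecked")
        final Map<String, Object> released = principal.getAttributes();
        final Map<String, Object> attrs = keepUsed(released);

        resp.setContentType("text/html;charset=UTF-8");
        final PrintWriter out = resp.getWriter();
        out.println("<p>Logged in as " + escapeHtml(principal.getName()) + "</p>");
        for (final Map.Entry<String, Object> e : attrs.entrySet()) {
            // Attribute values come from the user database; escape them before echoing into HTML.
            out.println("<p>" + escapeHtml(e.getKey()) + " = "
                    + escapeHtml(String.valueOf(e.getValue())) + "</p>");
        }
        out.println("<a href=\"" + escapeHtml(logoutUrl(req)) + "\">Logout</a>");
    }

    /** Keeps only the attributes this application needs, in the order the server sent them. */
    static Map<String, Object> keepUsed(final Map<String, Object> released) {
        final Map<String, Object> kept = new LinkedHashMap<String, Object>();
        for (final Map.Entry<String, Object> e : released.entrySet()) {
            if (USED_ATTRIBUTES.contains(e.getKey())) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    /**
     * Logout link as in the note above: service= is this application's absolute URL, built
     * from the server's own request data (never from a request parameter), so CAS with
     * followServiceRedirects=true sends the browser back here after logging out.
     */
    static String logoutUrl(final HttpServletRequest req) throws IOException {
        final String self = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
                + req.getContextPath() + "/";
        return CAS_SERVER_URL_PREFIX + "/logout?service=" + URLEncoder.encode(self, "UTF-8");
    }

    static String escapeHtml(final String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Map the servlet to a path covered by the /* filter mappings above. The local session does not need to be invalidated by the servlet itself: the SingleSignOutFilter and SingleSignOutHttpSessionListener configured first in web.xml handle the server's sign-out notification for this application.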