Spring boot security权限管理集成cas单点登录

最新推荐文章于 2024-03-06 11:59:12 发布
最新推荐文章于 2024-03-06 11:59:12 发布
阅读量1k 收藏 3
点赞数 1
文章标签: 数据库 java javascript ViewUI
原文链接:http://www.cnblogs.com/aljy/p/9543914.html
版权

挣扎了两周,Spring security的cas终于搞出来了,废话不多说,开篇!

  1. Spring boot集成Spring security
    本篇是使用spring security集成cas,因此,先得集成spring security
    新建一个Spring boot项目,加入maven依赖,我这里是用的架构是Spring boot2.0.4+Spring mvc+Spring data jpa+Spring security5
    pom.xml:
      1 <?xml version="1.0" encoding="UTF-8"?>
  2 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  4     <modelVersion>4.0.0</modelVersion>
  5 
  6     <groupId>com.cas.client1</groupId>
  7     <artifactId>cas-client1</artifactId>
  8     <version>0.0.1-SNAPSHOT</version>
  9     <packaging>jar</packaging>
 10 
 11     <name>cas-client1</name>
 12     <description>Demo project for Spring Boot</description>
 13 
 14     <parent>
 15         <groupId>org.springframework.boot</groupId>
 16         <artifactId>spring-boot-starter-parent</artifactId>
 17         <version>2.0.4.RELEASE</version>
 18         <relativePath/> <!-- lookup parent from repository -->
 19     </parent>
 20 
 21     <properties>
 22         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 23         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 24         <java.version>1.8</java.version>
 25     </properties>
 26 
 27     <dependencies>
 28         <dependency>
 29             <groupId>org.springframework.boot</groupId>
 30             <artifactId>spring-boot-starter-web</artifactId>
 31         </dependency>
 32         <dependency>
 33             <groupId>org.springframework.boot</groupId>
 34             <artifactId>spring-boot-starter-thymeleaf</artifactId>
 35         </dependency>
 36 
 37         <dependency>
 38             <groupId>org.springframework.boot</groupId>
 39             <artifactId>spring-boot-starter-tomcat</artifactId>
 40             <scope>provided</scope>
 41         </dependency>
 42         <dependency>
 43             <groupId>junit</groupId>
 44             <artifactId>junit</artifactId>
 45             <version>4.12</version>
 46             <scope>test</scope>
 47         </dependency>
 48         <dependency>
 49             <groupId>org.springframework.boot</groupId>
 50             <artifactId>spring-boot-starter-test</artifactId>
 51             <scope>test</scope>
 52         </dependency>
 53         <dependency>
 54             <groupId>org.springframework.boot</groupId>
 55             <artifactId>spring-boot-starter-security</artifactId>
 56         </dependency>
 57         <dependency>
 58             <groupId>org.springframework.security</groupId>
 59             <artifactId>spring-security-test</artifactId>
 60             <scope>test</scope>
 61         </dependency>
 62         <!-- security taglibs -->
 63         <dependency>
 64             <groupId>org.springframework.security</groupId>
 65             <artifactId>spring-security-taglibs</artifactId>
 66         </dependency>
 67         <dependency>
 68             <groupId>org.springframework.security.oauth</groupId>
 69             <artifactId>spring-security-oauth2</artifactId>
 70             <version>RELEASE</version>
 71         </dependency>
 72         <dependency>
 73             <groupId>org.springframework.boot</groupId>
 74             <artifactId>spring-boot-starter-data-jpa</artifactId>
 75         </dependency>
 76         <dependency>
 77             <groupId>org.springframework.boot</groupId>
 78             <artifactId>spring-boot-starter-jdbc</artifactId>
 79         </dependency>
 80         <dependency>
 81             <groupId>mysql</groupId>
 82             <artifactId>mysql-connector-java</artifactId>
 83             <version>5.1.46</version>
 84         </dependency>
 85         <!-- https://mvnrepository.com/artifact/com.alibaba/druid-spring-boot-starter -->
 86         <dependency>
 87             <groupId>com.alibaba</groupId>
 88             <artifactId>druid-spring-boot-starter</artifactId>
 89             <version>1.1.10</version>
 90         </dependency>
 91         <dependency>
 92             <groupId>org.springframework.boot</groupId>
 93             <artifactId>spring-boot</artifactId>
 94             <version>2.0.2.RELEASE</version>
 95             <scope>compile</scope>
 96         </dependency>
 97     </dependencies>
 98 
 99     <build>
100         <plugins>
101             <plugin>
102                 <groupId>org.springframework.boot</groupId>
103                 <artifactId>spring-boot-maven-plugin</artifactId>
104             </plugin>
105         </plugins>
106     </build>
107 
108 
109 </project>

    application.properties:

     1 server.port=8083
 2 #静态文件访问存放地址
 3 spring.resources.static-locations=classpath:/html/
 4 # thymeleaf 模板存放地址
 5 spring.thymeleaf.prefix=classpath:/html/
 6 spring.thymeleaf.suffix=.html
 7 spring.thymeleaf.mode=LEGACYHTML5
 8 spring.thymeleaf.encoding=UTF-8
 9 
10 # JDBC 配置(驱动类自动从url的mysql识别,数据源类型自动识别)
11 # 或spring.datasource.url=
12 spring.datasource.druid.url=jdbc:mysql://localhost:3306/vhr?useUnicode=true&characterEncoding=UTF8
13 # 或spring.datasource.username=
14 spring.datasource.druid.username=root
15 # 或spring.datasource.password=
16 spring.datasource.druid.password=1234
17 #或 spring.datasource.driver-class-name=
18 #spring.datasource.druid.driver-class-name=com.mysql.jdbc.Driver
19 
20 #连接池配置(通常来说,只需要修改initialSize、minIdle、maxActive
21 # 如果用Oracle,则把poolPreparedStatements配置为true,mysql可以配置为false。分库分表较多的数据库,建议配置为false。removeabandoned不建议在生产环境中打开如果用SQL Server,建议追加配置)
22 spring.datasource.druid.initial-size=1
23 spring.datasource.druid.max-active=20
24 spring.datasource.druid.min-idle=1
25 # 配置获取连接等待超时的时间
26 spring.datasource.druid.max-wait=60000
27 #打开PSCache,并且指定每个连接上PSCache的大小
28 spring.datasource.druid.pool-prepared-statements=true
29 spring.datasource.druid.max-pool-prepared-statement-per-connection-size=20
30 #spring.datasource.druid.max-open-prepared-statements=和上面的等价
31 spring.datasource.druid.validation-query=SELECT 'x'
32 #spring.datasource.druid.validation-query-timeout=
33 spring.datasource.druid.test-on-borrow=false
34 spring.datasource.druid.test-on-return=false
35 spring.datasource.druid.test-while-idle=true
36 #配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
37 spring.datasource.druid.time-between-eviction-runs-millis=60000
38 #配置一个连接在池中最小生存的时间,单位是毫秒
39 spring.datasource.druid.min-evictable-idle-time-millis=300000
40 #spring.datasource.druid.max-evictable-idle-time-millis=
41 #配置多个英文逗号分隔
42 #spring.datasource.druid.filters= stat
43 
44 # WebStatFilter配置,说明请参考Druid Wiki,配置_配置WebStatFilter
45 #是否启用StatFilter默认值true
46 spring.datasource.druid.web-stat-filter.enabled=true
47 spring.datasource.druid.web-stat-filter.url-pattern=/*
48 spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/*
49 spring.datasource.druid.web-stat-filter.session-stat-enable=false
50 spring.datasource.druid.web-stat-filter.session-stat-max-count=1000
51 spring.datasource.druid.web-stat-filter.principal-session-name=admin
52 spring.datasource.druid.web-stat-filter.principal-cookie-name=admin
53 spring.datasource.druid.web-stat-filter.profile-enable=true
54 
55 # StatViewServlet配置
56 #展示Druid的统计信息,StatViewServlet的用途包括:1.提供监控信息展示的html页面2.提供监控信息的JSON API
57 #是否启用StatViewServlet默认值true
58 spring.datasource.druid.stat-view-servlet.enabled=true
59 spring.datasource.druid.stat-view-servlet.url-pattern=/druid/*
60 
61 
62 # JPA config
63 spring.jpa.database=mysql
64 spring.jpa.hibernate.ddl-auto=update
65 spring.jpa.show-sql=true
66 spring.jpa.generate-ddl=true
67 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
68 spring.jpa.open-in-view=true
69 # 解决jpa no session的问题
70 spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true

     

    这里使用数据库存储角色权限信息,分三种实体:用户;角色;资源;用户对角色多对多;角色对资源多对多
    创建几个实体类:
    用户:这里直接使用用户持久化对象实现Spring security要求的UserDetails接口,并实现对应方法

      1 package com.cas.client1.entity;
  2 
  3 import org.springframework.security.core.GrantedAuthority;
  4 import org.springframework.security.core.userdetails.UserDetails;
  5 import org.springframework.util.CollectionUtils;
  6 
  7 import javax.persistence.*;
  8 import java.util.ArrayList;
  9 import java.util.Collection;
 10 import java.util.List;
 11 
 12 @Entity
 13 @Table(name = "s_user")
 14 public class User implements UserDetails {
 15     @Id
 16     private String id;
 17     @Column(name = "username")
 18     private String username;
 19     @Column(name = "password")
 20     private String password;
 21 
 22     @ManyToMany(fetch = FetchType.LAZY)
 23     @JoinTable(
 24             name = "s_user_role",
 25             joinColumns = @JoinColumn(name = "user_id"),
 26             inverseJoinColumns = @JoinColumn(name = "role_id")
 27     )
 28     private List<Role> roles;
 29 
 30     public User() {
 31     }
 32 
 33     public User(String id, String username, String password) {
 34         this.id = id;
 35         this.username = username;
 36         this.password = password;
 37     }
 38 
 39     public String getId() {
 40         return id;
 41     }
 42 
 43     public void setId(String id) {
 44         this.id = id;
 45     }
 46 
 47     public List<Role> getRoles() {
 48         return roles;
 49     }
 50 
 51     public void setRoles(List<Role> roles) {
 52         this.roles = roles;
 53     }
 54 
 55     @Override
 56     public String getUsername() {
 57         return username;
 58     }
 59 
 60     @Override
 61     public boolean isAccountNonExpired() {
 62         return true;
 63     }
 64 
 65     @Override
 66     public boolean isAccountNonLocked() {
 67         return true;
 68     }
 69 
 70     @Override
 71     public boolean isCredentialsNonExpired() {
 72         return true;
 73     }
 74 
 75     @Override
 76     public boolean isEnabled() {
 77         return true;
 78     }
 79 
 80     public void setUsername(String username) {
 81         this.username = username;
 82     }
 83 
 84     @Transient
 85     List<GrantedAuthority> grantedAuthorities=new ArrayList<>();
 86     @Override
 87     public Collection<? extends GrantedAuthority> getAuthorities() {
 88         if (grantedAuthorities.size()==0){
 89             if (!CollectionUtils.isEmpty(roles)){
 90                 for (Role role:roles){
 91                     List<Resource> resources = role.getResources();
 92                     if (!CollectionUtils.isEmpty(resources)){
 93                         for (Resource resource:resources){
 94                             grantedAuthorities.add(new SimpleGrantedAuthority(resource.getResCode()));
 95                         }
 96                     }
 97                 }
 98             }
 99             grantedAuthorities.add(new SimpleGrantedAuthority("AUTH_0"));
100         }
101         return grantedAuthorities;
102     }
103     @Override
104     public String getPassword() {
105         return password;
106     }
107 
108     public void setPassword(String password) {
109         this.password = password;
110     }
111 }

    注意看这里:

    我给每一位登录的用户都授予了AUTH_0的权限,AUTH_0在下面的SecurityMetaDataSource里被关联的url为:/**,也就是说除开那些机密程度更高的,这个登录用户能访问所有资源

    角色:

     1 package com.cas.client1.entity;
 2 
 3 import javax.persistence.*;
 4 import java.util.List;
 5 
 6 /**
 7  * @author Administrator
 8  */
 9 @Entity
10 @Table(name = "s_role")
11 public class Role {
12     @Id
13     @Column(name = "id")
14     private String id;
15     @Column(name = "role_name")
16     private String roleName;
17 
18     @ManyToMany(fetch = FetchType.LAZY)
19     @JoinTable(
20             name = "s_role_res",
21             joinColumns = @JoinColumn(name = "role_id"),
22             inverseJoinColumns = @JoinColumn(name = "res_id")
23     )
24     private List<Resource> resources;
25     @ManyToMany(fetch = FetchType.LAZY)
26     @JoinTable(
27             name = "s_user_role",
28             joinColumns = @JoinColumn(name = "role_id"),
29             inverseJoinColumns = @JoinColumn(name = "user_id")
30     )
31     private List<User> users;
32 
33     public String getId() {
34         return id;
35     }
36 
37     public void setId(String id) {
38         this.id = id;
39     }
40 
41     public String getRoleName() {
42         return roleName;
43     }
44 
45     public void setRoleName(String roleName) {
46         this.roleName = roleName;
47     }
48 
49     public List<Resource> getResources() {
50         return resources;
51     }
52 
53     public void setResources(List<Resource> resources) {
54         this.resources = resources;
55     }
56 
57     public List<User> getUsers() {
58         return users;
59     }
60 
61     public void setUsers(List<User> users) {
62         this.users = users;
63     }
64 }

    权限:

     1 package com.cas.client1.entity;
 2 
 3 import javax.persistence.Column;
 4 import javax.persistence.Entity;
 5 import javax.persistence.Id;
 6 import javax.persistence.Table;
 7 
 8 @Entity
 9 @Table(name = "s_resource")
10 public class Resource {
11     @Id
12     @Column(name = "id")
13     private String id;
14     @Column(name = "res_name")
15     private String resName;
16     @Column(name = "res_code")
17     private String resCode;
18     @Column(name = "url")
19     private String url;
20     @Column(name = "priority")
21     private String priority;
22 
23     public String getId() {
24         return id;
25     }
26 
27     public void setId(String id) {
28         this.id = id;
29     }
30 
31     public String getResName() {
32         return resName;
33     }
34 
35     public void setResName(String resName) {
36         this.resName = resName;
37     }
38 
39     public String getResCode() {
40         return resCode;
41     }
42 
43     public void setResCode(String resCode) {
44         this.resCode = resCode;
45     }
46 
47     public String getUrl() {
48         return url;
49     }
50 
51     public void setUrl(String url) {
52         this.url = url;
53     }
54 
55     public String getPriority() {
56         return priority;
57     }
58 
59     public void setPriority(String priority) {
60         this.priority = priority;
61     }
62 }

    建立几个DAO
    UserDao:

     1 package com.cas.client1.dao;
 2 
 3 import com.cas.client1.entity.User;
 4 import org.springframework.data.jpa.repository.JpaRepository;
 5 import org.springframework.data.jpa.repository.Query;
 6 import org.springframework.data.repository.query.Param;
 7 import org.springframework.stereotype.Repository;
 8 
 9 import java.util.List;
10 
11 @Repository
12 public interface UserDao extends JpaRepository<User,String> {
13     @Override
14     List<User> findAll();
15 
16     List<User> findByUsername(String username);
17 
18     /**
19      * 根据用户名like查询
20      * @param username
21      * @return
22      */
23     List<User> getUserByUsernameContains(String username);
24 
25     @Query("from User where id=:id")
26     User getUserById(@Param("id") String id);
27 
28 }

     ResourceDao:

     1 package com.cas.client1.dao;
 2 
 3 import com.cas.client1.entity.Resource;
 4 import org.springframework.data.jpa.repository.JpaRepository;
 5 import org.springframework.data.jpa.repository.Query;
 6 import org.springframework.stereotype.Repository;
 7 
 8 import java.util.List;
 9 
10 /**
11  * @author Administrator
12  */
13 @Repository
14 public interface ResourceDao extends JpaRepository<Resource,String> {
15 
16     @Query("from Resource order by priority")
17     List<Resource> getAllResource();
18 }

     

     Service
    UserService:

     1 package com.cas.client1.service;
 2 
 3 import com.cas.client1.dao.UserDao;
 4 import com.cas.client1.entity.User;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.stereotype.Service;
 7 
 8 import java.util.List;
 9 
10 @Service
11 public class UserService {
12     @Autowired
13     private UserDao userDao;
14 
15     public User findByUsername(String username){
16         List<User> list = userDao.findByUsername(username);
17         return list!=null&&list.size()>0?list.get(0):null;
18     }
19 }
    ResourceService:
     1 package com.cas.client1.service;
 2 
 3 import com.cas.client1.dao.ResourceDao;
 4 import com.cas.client1.entity.Resource;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.stereotype.Service;
 7 
 8 import java.util.List;
 9 
10 @Service
11 public class ResourceService {
12     @Autowired
13     private ResourceDao resourceDao;
14 
15     public List<Resource> getAll(){
16         return resourceDao.getAllResource();
17     }
18 }

     

    创建UserDetailsServiceImpl,实现UserDetailsService接口,这个类是用以提供给Spring security从数据库加载用户信息的
     1 package com.cas.client1.security;
 2 
 3 import com.cas.client1.entity.User;
 4 import com.cas.client1.service.UserService;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 7 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 8 import org.springframework.security.core.userdetails.UserDetails;
 9 import org.springframework.security.core.userdetails.UserDetailsService;
10 import org.springframework.security.core.userdetails.UsernameNotFoundException;
11 import org.springframework.stereotype.Component;
12 
13 /**
14  * @author Administrator
15  */
16 @SuppressWarnings("ALL")
17 @Component
18 public class UserDetailsServiceImpl implements UserDetailsService{
19     @Autowired
20     private UserService userService;
21     @Override
22     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
23         User user = userService.findByUsername(username);
24         return user;
25     }
26 
27 
28 }
    记得加@Component注解,以把实例交由Spring管理,或@Service,你们喜欢就好

    创建SecurityMetaDataSource类
    该类实现Spring security的FilterInvocationSecurityMetadataSource接口,作用是提供权限的元数据定义,并根据请求url匹配该url所需要的权限,获取权限后交由AccessDecisionManager的实现者裁定能否访问这个url,不能则会返回403的http错误码
    SecurityMetaDataSource:

     1 package com.cas.client1.security;
 2 
 3 import com.cas.client1.entity.Resource;
 4 import com.cas.client1.service.ResourceService;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.security.access.AccessDecisionManager;
 7 import org.springframework.security.access.ConfigAttribute;
 8 import org.springframework.security.access.SecurityConfig;
 9 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
10 import org.springframework.security.web.FilterInvocation;
11 import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
12 import org.springframework.security.web.util.matcher.AndRequestMatcher;
13 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
14 import org.springframework.security.web.util.matcher.RequestMatcher;
15 import org.springframework.stereotype.Component;
16 
17 import javax.annotation.PostConstruct;
18 import java.util.*;
19 
20 @Component
21 public class SecurityMetaDataSource implements FilterInvocationSecurityMetadataSource {
22 
23     @Autowired
24     private ResourceService resourceService;
25 
26     private LinkedHashMap<String,Collection<ConfigAttribute>> metaData;
27     @PostConstruct
28     private void loadSecurityMetaData(){
29         List<Resource> list = resourceService.getAll();
30         metaData=new LinkedHashMap<>();
31         for (Resource resource:list){
32             List<ConfigAttribute> attributes=new ArrayList<>();
33             attributes.add(new SecurityConfig(resource.getResCode()));
34             metaData.put(resource.getUrl(),attributes);
35         }
36         List<ConfigAttribute> base=new ArrayList<>();
37         base.add(new SecurityConfig("AUTH_0"));
38         metaData.put("/**",base);
39     }
40 
41     @Override
42     public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
43         FilterInvocation invocation= (FilterInvocation) object;
44         if (metaData==null){
45             return new ArrayList<>(0);
46         }
47         String requestUrl = invocation.getRequestUrl();
48         System.out.println("请求Url:"+requestUrl);
49         Iterator<Map.Entry<String, Collection<ConfigAttribute>>> iterator = metaData.entrySet().iterator();
50         Collection<ConfigAttribute> rs=new ArrayList<>();
51         while (iterator.hasNext()){
52             Map.Entry<String, Collection<ConfigAttribute>> next = iterator.next();
53             String url = next.getKey();
54             Collection<ConfigAttribute> value = next.getValue();
55             RequestMatcher requestMatcher=new AntPathRequestMatcher(url);
56             if (requestMatcher.matches(invocation.getRequest())){
57                 rs = value;
58                 break;
59             }
60         }
61         System.out.println("拦截认证权限为:"+rs);
62         return rs;
63     }
64 
65     @Override
66     public Collection<ConfigAttribute> getAllConfigAttributes() {
67         System.out.println("invoke getAllConfigAttributes ");
68         //loadSecurityMetaData();
69         //System.out.println("初始化元数据");
70         Collection<Collection<ConfigAttribute>> values = metaData.values();
71         Collection<ConfigAttribute> all=new ArrayList<>();
72         for (Collection<ConfigAttribute> each:values){
73             each.forEach(configAttribute -> {
74                 all.add(configAttribute);
75             });
76         }
77         return all;
78     }
79 
80     @Override
81     public boolean supports(Class<?> clazz) {
82         return true;
83     }
84 }

     

    同理:记得加上@Component注解

    重头戏来了!Spring security的配置
    创建SpringSecurityConfig类
    该类继承于WebSecurityConfigurerAdapter,核心的配置类,在这里定义Spring security的使用方式
    SpringSecurityConfig

      1 package com.cas.client1.security;
  2 
  3 import com.cas.client1.config.CasProperties;
  4 import org.springframework.beans.factory.annotation.Autowired;
  5 import org.springframework.context.annotation.Bean;
  6 import org.springframework.context.annotation.Configuration;
  7 import org.springframework.security.access.AccessDecisionManager;
  8 import org.springframework.security.access.AccessDecisionVoter;
  9 import org.springframework.security.access.vote.AffirmativeBased;
 10 import org.springframework.security.access.vote.RoleVoter;
 11 import org.springframework.security.authentication.AuthenticationManager;
 12 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 13 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 14 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 15 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 16 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 17 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 18 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 19 
 20 import java.util.ArrayList;
 21 import java.util.List;
 22 
 23 /**
 24  * Spring security配置
 25  * @author youyp
 26  * @date 2018-8-10
 27  */
 28 @SuppressWarnings("ALL")
 29 @Configuration
 30 @EnableWebSecurity
 31 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
 32     @Autowired
 33     private UserDetailsServiceImpl userDetailsService;
 34 
 35     @Autowired
 36     private SecurityMetaDataSource securityMetaDataSource;
 37 
 38     @Override
 39     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 40         super.configure(auth);
 41     }
 42 
 43     @Override
 44     public void configure(WebSecurity web) throws Exception {
 45         web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
 46                 "/error","/login.do");
 47     }
 48 
 49     @Override
 50     protected void configure(HttpSecurity http) throws Exception {
 51         System.out.println("配置Spring security");
 52         http.formLogin()
 53                 //指定登录页是”/login”
 54                 .loginPage("/login.html").permitAll()
 55                 .loginProcessingUrl("/login.do").permitAll()
 56                 .defaultSuccessUrl("/home",true)
 57                 .permitAll()
 58                 //登录成功后可使用loginSuccessHandler()存储用户信息,可选。
 59                 //.successHandler(loginSuccessHandler()).permitAll()
 60                 .and()
 61                 .logout().permitAll()
 62                 .invalidateHttpSession(true)
 63                 .and()
 64                 //登录后记住用户,下次自动登录,数据库中必须存在名为persistent_logins的表
 65                 .rememberMe()
 66                 .tokenValiditySeconds(1209600)
 67                 .and()
 68                 .csrf().disable()
 69                 //其他所有资源都需要认证,登陆后访问
 70                 .authorizeRequests().anyRequest().fullyAuthenticated();
 71         
 72         http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class);
 73     }
 74 
 75     /**
 76      * 注意:这里不能加@Bean注解
 77      * @return
 78      * @throws Exception
 79      */
 80     //@Bean
 81     public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception {
 82         FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor();
 83         filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource);
 84         filterSecurityInterceptor.setAuthenticationManager(authenticationManager());
 85         filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased());
 86         return filterSecurityInterceptor;
 87     }
 88 
 89 
 90     /**
 91      * 重写AuthenticationManager获取的方法并且定义为Bean
 92      * @return
 93      * @throws Exception
 94      */
 95     @Override
 96     @Bean
 97     public AuthenticationManager authenticationManagerBean() throws Exception {
 98         return super.authenticationManagerBean();
 99     }
100 
101     @Autowired
102     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
103         //指定密码加密所使用的加密器为passwordEncoder()
104         //需要将密码加密后写入数据库
105         auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
106         auth.eraseCredentials(false);
107     }
108 
109     @Bean
110     public BCryptPasswordEncoder passwordEncoder() {
111 
112         return new BCryptPasswordEncoder(4);
113     }
114 
115 
116     /**
117      * 定义决策管理器,这里可直接使用内置的AffirmativeBased选举器,
118      * 如果需要,可自定义,继承AbstractAccessDecisionManager,实现decide方法即可
119      * @return
120      */
121     @Bean
122     public AccessDecisionManager affirmativeBased(){
123         List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>();
124         voters.add(roleVoter());
125         System.out.println("正在创建决策管理器");
126         return new AffirmativeBased(voters);
127     }
128 
129     /**
130      * 定义选举器
131      * @return
132      */
133     @Bean
134     public RoleVoter roleVoter(){
135         //这里使用角色选举器
136         RoleVoter voter=new RoleVoter();
137         System.out.println("正在创建选举器");
138         voter.setRolePrefix("AUTH_");
139         System.out.println("已将角色选举器的前缀修改为AUTH_");
140         return voter;
141     }
142 
143 }

    说一个注意点:

    FilterSecurityInterceptor这个过滤器最为重要,它负责数据库权限信息加载,权限鉴定等关键动作,这个过滤器位于SpringSecurityFilterChain,即Spring security的过滤器链中,如果将这个类在配置类中加了@Bean注解,那么它将直接加入web容器的过滤器链中,这个链是首层过滤器链,
    进入这个过滤器链之后才会进入SpringSecurityFilterChain这个负责安全的链条,如果这个跑到外层去了,就会导致这个独有的过滤器一直在生效,请求无限被拦截重定向,因为这个过滤器前面没有别的过滤器阻止它生效,如果它位于SpringSecurityFilterChain中,在进入FilterSecurityInterceptor这个
    过滤器之前会有很多的Spring security过滤器在生效,如果不满足前面的过滤器的条件,不会进入到这个过滤器。也就是说,要进入到这个过滤器,必须要从SpringSecurityFilterChain进入,从其他地方进入都会导致请求被无限重定向

    另外
    FilterSecurityInterceptor这个类继承于AbstractSecurityInterceptor并实现Filter接口,由此我们可以重写该类,自定义我们的特殊业务,但是,个人觉得FilterSecurityInterceptor这个实现类已经很完整地实现了这个过滤器应做的工作,没有必要重写
    类似的,还有AccessDecisionManager这个“决策者”,Spring security为这个功能提供了几个默认的实现者,如AffirmativeBased这个类,是一个基于投票的决策器,投票器(Voter)要求实现AccessDecisionVoter接口,Spring security已为我们提供了几个很有用的投票器如RoleVoter,WebExpressionVoter
    这些我们都没有必要去自定义,而且自定义出来的也没有默认实现拓展性和稳定性更好

    再定义一个登陆的Controller
    LoginController

     1 package com.cas.client2.casclient2.controller;
 2 
 3 import org.springframework.beans.factory.annotation.Autowired;
 4 import org.springframework.security.authentication.AuthenticationManager;
 5 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 6 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 7 import org.springframework.security.cas.web.CasAuthenticationFilter;
 8 import org.springframework.security.core.Authentication;
 9 import org.springframework.security.core.context.SecurityContextHolder;
10 import org.springframework.stereotype.Controller;
11 import org.springframework.web.bind.annotation.RequestMapping;
12 
13 import javax.servlet.http.HttpSession;
14 
15 @SuppressWarnings("ALL")
16 @Controller
17 public class LoginController {
18     @Autowired
19     private AuthenticationManager authenticationManager;
20 
21     /**
22      * 自定义登录地址
23      * @param username
24      * @param password
25      * @param session
26      * @return
27      */
28     @RequestMapping("login.do")
29     public String login(String username,String passwod, HttpSession session){
30         try {
31             System.out.println("进入登录请求..........");
32             UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,passwod);
33 
34             Authentication authentication=authenticationManager.authenticate(token);
35             SecurityContextHolder.getContext().setAuthentication(authentication);
36             session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
37             System.out.println("登录成功");
38             return "redirect:home.html";
39         }catch (Exception e){
40             e.printStackTrace();
41             return "login.html";
42         }
43 
44     }
45 }

    创建几个页面:在resources下创建文件夹html,用于存放html静态文件,
    home.html 

     1 <!DOCTYPE html>
 2 <html lang="en">
 3 <head>
 4     <meta charset="UTF-8">
 5     <title>HOME</title>
 6 </head>
 7 <body>
 8 <h1>welcome to Home</h1>
 9 <button onclick="javascript:location.href='/logout'">退出</button>
10 </body>
11 </html>

     

    login.html

     1 <!DOCTYPE html>
 2 <html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
 3       xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
 4 <head>
 5     <meta charset="UTF-8">
 6     <title>登录</title>
 7 </head>
 8 
 9 <body>
10 <span style="color: red" id="msg"></span>
11 <form action="/login.do" method="post">
12     <div><label> User Name : <input type="text" name="username"/> </label></div>
13     <div><label> Password: <input type="password" name="password"/> </label></div>
14     <div><input type="submit" value="Sign In"/></div>
15     <input type="checkbox" name="remember-me" value="true" th:checked="checked"/><p>Remember me</p>
16 </form>
17 
18 </body>
19 <script type="text/javascript">
20     var url=location.href
21     var param=url.split("?")[1];
22     console.log(param);
23     if (param){
24         var p=param.split("&");
25         var msg=p[0].split("=")[1];
26         document.getElementById("msg").innerHTML=msg;
27     }
28 </script>
29 </html>

     

    admin.html

    <!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>admin</title>
</head>
<body>
你好,欢迎登陆,这是管理员界面,拥有/admin.html的访问权限才能访问
</body>
</html>

     再定义几个错误页面
    在html文件夹下创建一个error文件夹,在error文件夹中创建403.html,404.html,500.html;在程序遇到这些错误码时,会自动跳转到对应的页面

    先启动一下项目,让spring-data-jpa反向生成一下表结构
    再往数据库插入几条数据:
    用户表的密码需要放密文,我们把我们的明文密码使用我们的密码encoder转一下:BCryptPasswordEncoder.encode("123");得到密文后存到数据库的password字段中
    用户表:

     资源表:即权限信息表

    角色表:

    角色权限中间表:

    我们先不给用户配置角色,现在是空角色

    启动Spring boot启动类,访问localhost:8083,检测到没登录会自动跳到登录页面,登录后自动跳转到home.html

    访问admin.html,返回403页面,当前用户无权限访问

    再将刚刚的角色分配给用户,再次访问

    此时便可访问,大功告成!




  2. 部署CAS server
    cas全称 Central Authentication Service,翻译为:中央认证服务;从名字我们便可得知,这是一个独立的服务,主要负责用户登录凭证的验证;事实也是如此,cas有认证中心和client端,认证中心就是我们的cas server,负责用户凭证的验证,需要独立部署,cas client就是我们的各个相互信任的应用
    我们从cas官网下载源码,从moudle中找到一个.war后缀的文件,将这个文件拷出来,
    改一下文件名为:cas,放到一个Tomcat中,启动tomcat,(端口先改一下,如8081),在浏览器中访问localhost:8081/cas即可看到cas的登录界面

    报了个警告,说我们没有配置ssl,也就是需要配置https,不过可以不用配置,
    我们可以配置使用http:

    设置cas server使用http非安全协议

     

    主要有以下步骤:

    1.WEB-INF/deployerConfigContext.xml中在< bean class = "org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref = "httpClient" />增加参数 p:requireSecure="false" ,是否需要安全验证,即 HTTPS,false 为不采用 如下:< bean class = "org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref = "httpClient" p:requireSecure= "false" />

     

    1. WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml中将p:cookieSecure="true"修改为 p:cookieSecure="false"

    2. WEB-INF/spring-configuration/warnCookieGenerator.xml中将p:cookieSecure="true"改为p:cookieSecure="false"

    3. 在tomcat的server.xml中关闭8443端口,如下图



  3. 配置CAS client
    在之前Spring security的基础上,我们加入cas认证
    在pom.xml中加入依赖包:
    1 <!-- security 对CAS支持 -->
2         <dependency>
3             <groupId>org.springframework.security</groupId>
4             <artifactId>spring-security-cas</artifactId>
5         </dependency>

     修改一下我们的UserDetailsServiceImpl类,让它实现AuthenticationUserDetailsService<CasAssertionAuthenticationToken>接口
    UserDetailsServiceImpl:

     1 package com.cas.client1.security;
 2 
 3 import com.cas.client1.entity.User;
 4 import com.cas.client1.service.UserService;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 7 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 8 import org.springframework.security.core.userdetails.UserDetails;
 9 import org.springframework.security.core.userdetails.UserDetailsService;
10 import org.springframework.security.core.userdetails.UsernameNotFoundException;
11 import org.springframework.stereotype.Component;
12 
13 /**
14  * @author Administrator
15  */
16 @SuppressWarnings("ALL")
17 @Component
18 public class UserDetailsServiceImpl implements UserDetailsService,
19         AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {
20     @Autowired
21     private UserService userService;
22     @Override
23     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
24         User user = userService.findByUsername(username);
25         return user;
26     }
27 
28     /**
29      * 实现AuthenticationUserDetailsService的方法,
30      * 用于获取cas server返回的用户信息,再根据用户关键信息加载出用户在当前系统的权限
31      * @param token
32      * @return
33      * @throws UsernameNotFoundException
34      */
35     @Override
36     public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) throws UsernameNotFoundException {
37         String name = token.getName();
38         System.out.println("获得的用户名:"+name);
39         User user = userService.findByUsername(name);
40         if (user==null){
41             throw new UsernameNotFoundException(name+"不存在");
42         }
43         return user;
44     }
45 }

     

    在application.properties文件中加上以下内容:

     1 # cas服务器地址
 2 cas.server.host.url=http://localhost:8081/cas
 3 # cas服务器登录地址
 4 cas.server.host.login_url=${cas.server.host.url}/login
 5 # cas服务器登出地址
 6 cas.server.host.logout_url=${cas.server.host.url}/logout?service=${app.server.host.url}
 7 # 应用访问地址
 8 app.server.host.url=http://localhost:8083
 9 # 应用登录地址
10 app.login.url=/login.do
11 # 应用登出地址
12 app.logout.url=/logout

     

    新增一个配置实体类

    CasProperties

    package com.cas.client1.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class CasProperties {
    @Value("${cas.server.host.url}")
    private String casServerUrl;

    @Value("${cas.server.host.login_url}")
    private String casServerLoginUrl;

    @Value("${cas.server.host.logout_url}")
    private String casServerLogoutUrl;

    @Value("${app.server.host.url}")
    private String appServerUrl;

    @Value("${app.login.url}")
    private String appLoginUrl;

    @Value("${app.logout.url}")
    private String appLogoutUrl;

   /**get set方法略
    */
}

     


    再修改一下我们的Spring security配置类

      1 package com.cas.client1.security;
  2 
  3 import com.cas.client1.config.CasProperties;
  4 import org.jasig.cas.client.session.SingleSignOutFilter;
  5 import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
  6 import org.springframework.beans.factory.annotation.Autowired;
  7 import org.springframework.context.annotation.Bean;
  8 import org.springframework.context.annotation.Configuration;
  9 import org.springframework.http.HttpMethod;
 10 import org.springframework.security.access.AccessDecisionManager;
 11 import org.springframework.security.access.AccessDecisionVoter;
 12 import org.springframework.security.access.vote.AffirmativeBased;
 13 import org.springframework.security.access.vote.RoleVoter;
 14 import org.springframework.security.authentication.AuthenticationManager;
 15 import org.springframework.security.cas.ServiceProperties;
 16 import org.springframework.security.cas.authentication.CasAuthenticationProvider;
 17 import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
 18 import org.springframework.security.cas.web.CasAuthenticationFilter;
 19 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 20 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 21 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 22 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 23 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 24 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 25 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 26 import org.springframework.security.web.authentication.logout.LogoutFilter;
 27 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 28 
 29 import java.util.ArrayList;
 30 import java.util.List;
 31 
 32 /**
 33  * Spring security配置
 34  * @author youyp
 35  * @date 2018-8-10
 36  */
 37 @SuppressWarnings("ALL")
 38 @Configuration
 39 @EnableWebSecurity
 40 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
 41     @Autowired
 42     private CasProperties casProperties;
 43 
 44     @Autowired
 45     private UserDetailsServiceImpl userDetailsService;
 46 
 47     @Autowired
 48     private SecurityMetaDataSource securityMetaDataSource;
 49 
 50     @Override
 51     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 52         super.configure(auth);
 53         auth.authenticationProvider(casAuthenticationProvider());
 54     }
 55 
 56     @Override
 57     public void configure(WebSecurity web) throws Exception {
 58         web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
 59                 "/error","/login.do");
 60         //web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico",,"/home");
 61         //web.ignoring().antMatchers("/**");
 62 //        super.configure(web);
 63 
 64     }
 65 
 66     @Override
 67     protected void configure(HttpSecurity http) throws Exception {
 68         System.out.println("配置Spring security");
 69         http.formLogin()
 70                 //指定登录页是”/login”
 71                 //.loginPage("/login.html").permitAll()
 72                 //.loginProcessingUrl("/login.do").permitAll()
 73                 //.defaultSuccessUrl("/home",true)
 74                 //.permitAll()
 75                 //登录成功后可使用loginSuccessHandler()存储用户信息,可选。
 76                 //.successHandler(loginSuccessHandler()).permitAll()
 77                 .and()
 78                 .logout().permitAll()
 79                 //退出登录后的默认网址是”/home”
 80                 //.logoutSuccessUrl("/home.html")
 81                 //.permitAll()
 82                 .invalidateHttpSession(true)
 83                 .and()
 84                 //登录后记住用户,下次自动登录,数据库中必须存在名为persistent_logins的表
 85                 .rememberMe()
 86                 .tokenValiditySeconds(1209600)
 87                 .and()
 88                 .csrf().disable()
 89                 //其他所有资源都需要认证,登陆后访问
 90                 .authorizeRequests().anyRequest().fullyAuthenticated();
 91         http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
 92                 .and()
 93                 .addFilterAt(casAuthenticationFilter(),CasAuthenticationFilter.class)
 94                 .addFilterBefore(casLogoutFilter(),LogoutFilter.class)
 95                 .addFilterBefore(singleSignOutFilter(),CasAuthenticationFilter.class);
 96         /**
 97          *  FilterSecurityInterceptor本身属于过滤器,不能在外面定义为@Bean,
 98          *  如果定义在外面,则这个过滤器会被独立加载到webContext中,导致请求会一直被这个过滤器拦截
 99          *  加入到Springsecurity的过滤器链中,才会使它完整的生效
100          */
101         http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class);
102     }
103 
104     /**
105      * 注意:这里不能加@Bean注解
106      * @return
107      * @throws Exception
108      */
109 //    @Bean
110     public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception {
111         FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor();
112         filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource);
113         filterSecurityInterceptor.setAuthenticationManager(authenticationManager());
114         filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased());
115         return filterSecurityInterceptor;
116     }
117 
118     /**
119      * 认证入口
120      *  <p>
121      *    <b>Note:</b>浏览器访问不可直接填客户端的login请求,若如此则会返回Error页面,无法被此入口拦截
122      *  </p>
123      * @return
124      */
125     @Bean
126     public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){
127         CasAuthenticationEntryPoint casAuthenticationEntryPoint=new CasAuthenticationEntryPoint();
128         casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
129         casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
130         return casAuthenticationEntryPoint;
131     }
132 
133     @Bean
134     public ServiceProperties serviceProperties() {
135         ServiceProperties serviceProperties=new ServiceProperties();
136         serviceProperties.setService(casProperties.getAppServerUrl()+casProperties.getAppLoginUrl());
137         serviceProperties.setAuthenticateAllArtifacts(true);
138         return serviceProperties;
139     }
140 
141     //    @Bean
142     public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
143         CasAuthenticationFilter casAuthenticationFilter=new CasAuthenticationFilter();
144         casAuthenticationFilter.setAuthenticationManager(authenticationManager());
145         casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
146 //        casAuthenticationFilter.setAuthenticationSuccessHandler(
147 //                new SimpleUrlAuthenticationSuccessHandler("/home.html"));
148         return casAuthenticationFilter;
149     }
150 
151     @Bean
152     public CasAuthenticationProvider casAuthenticationProvider(){
153         CasAuthenticationProvider casAuthenticationProvider=new CasAuthenticationProvider();
154         casAuthenticationProvider.setAuthenticationUserDetailsService(userDetailsService);
155 
156         casAuthenticationProvider.setServiceProperties(serviceProperties());
157         casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
158         casAuthenticationProvider.setKey("casAuthenticationProviderKey");
159         return casAuthenticationProvider;
160     }
161 
162     @Bean
163     public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
164         return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
165     }
166 
167     //    @Bean
168     public SingleSignOutFilter singleSignOutFilter(){
169         SingleSignOutFilter singleSignOutFilter=new SingleSignOutFilter();
170         singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
171         singleSignOutFilter.setIgnoreInitConfiguration(true);
172         return singleSignOutFilter;
173     }
174 
175     //    @Bean
176     public LogoutFilter casLogoutFilter(){
177         LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
178         logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl());
179         return logoutFilter;
180     }
181 
182     /**
183      * 重写AuthenticationManager获取的方法并且定义为Bean
184      * @return
185      * @throws Exception
186      */
187     @Override
188     @Bean
189     public AuthenticationManager authenticationManagerBean() throws Exception {
190         return super.authenticationManagerBean();
191     }
192 
193     @Autowired
194     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
195         //指定密码加密所使用的加密器为passwordEncoder()
196         //需要将密码加密后写入数据库
197         //auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
198         //auth.eraseCredentials(false);
199     }
200 
201     @Bean
202     public BCryptPasswordEncoder passwordEncoder() {
203 
204         return new BCryptPasswordEncoder(4);
205     }
206 
207 
208     /**
209      * 定义决策管理器,这里可直接使用内置的AffirmativeBased选举器,
210      * 如果需要,可自定义,继承AbstractAccessDecisionManager,实现decide方法即可
211      * @return
212      */
213     @Bean
214     public AccessDecisionManager affirmativeBased(){
215         List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>();
216         voters.add(roleVoter());
217         System.out.println("正在创建决策管理器");
218         return new AffirmativeBased(voters);
219     }
220 
221     /**
222      * 定义选举器
223      * @return
224      */
225     @Bean
226     public RoleVoter roleVoter(){
227         //这里使用角色选举器
228         RoleVoter voter=new RoleVoter();
229         System.out.println("正在创建选举器");
230         voter.setRolePrefix("AUTH_");
231         System.out.println("已将角色选举器的前缀修改为AUTH_");
232         return voter;
233     }
234 
235 
236     @Bean
237     public LoginSuccessHandler loginSuccessHandler() {
238         return new LoginSuccessHandler();
239     }
240 
241 
242 }

     

    这里我们新增了几个filter,请注意,这几个filter定义时都不能配置@Bean注解,原因以上相同,这几个filter都要加入到springSecurity的FilterChain中,而不是直接加入到web容器的FilterChain中
    再修改一下LoginController

     1 package com.cas.client1.controller;
 2 
 3 import org.springframework.beans.factory.annotation.Autowired;
 4 import org.springframework.security.authentication.AuthenticationManager;
 5 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 6 import org.springframework.security.cas.web.CasAuthenticationFilter;
 7 import org.springframework.security.core.Authentication;
 8 import org.springframework.security.core.context.SecurityContextHolder;
 9 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
10 import org.springframework.stereotype.Controller;
11 import org.springframework.web.bind.annotation.RequestMapping;
12 
13 import javax.servlet.http.HttpSession;
14 
15 @SuppressWarnings("Duplicates")
16 @Controller
17 public class LoginController {
18     @Autowired
19     private AuthenticationManager authenticationManager;
20 
21     /**
22      * 自定义登录地址
23      * @param username
24      * @param password
25      * @param session
26      * @return
27      */
28     @RequestMapping("login.do")
29     public String login(String ticket, HttpSession session){
30         try {
31             System.out.println("进入登录请求..........");
32             //cas单点登录的用户名就是:_cas_stateful_ ,用户凭证是server传回来的ticket
33             String username = CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER;
34             UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,ticket);
35             Authentication authentication=authenticationManager.authenticate(token);
36             SecurityContextHolder.getContext().setAuthentication(authentication);
37             session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
38             System.out.println("登录成功");
39             return "redirect:home.html";
40         }catch (Exception e){
41             e.printStackTrace();
42             return "login.html";
43         }
44 
45     }
46 }

     

    这时,之前负责登录的loginController不再是验证用户名和密码正不正确了,因为用户名密码的验证已经交给cas server了,LoginController的工作就是接收cas server重定向时传回来的ticket,验证ticket的有效性,如果没有异常,则会进入到UserDetailsServiceImpl中的loadUserDetails方法,并根据用户名加载用户权限等信息,然后我们再将用户信息存入Session,完成本地登录,本地登录之后,用户每次请求时,就不需要再次验证ticket了,而是验证Session

    到这里,cas client已经配置完成,为了看清楚流程,我们以debug模式启动一下项目,在loginController的login方法开头打一个断点,打开浏览器调试模式(F12),切换到network看请求,在浏览器中输入:localhost:8083,浏览器会自动重定向到cas server 的登录页面,如下图:

    我们输入一个数据库中有的用户名,再在密码栏中输入一次用户名,因为这里的cas server验证方式还没改,只要求用户名和密码相同就可通过验证,后面我会研究一下怎么修改cas server 的验证方式为数据库验证
    如输入:用户名:user 密码:user
    点击登录,验证成功后,我们看F12 network请求,发现浏览器发送了两个请求,一个是8081的,也就是cas server的,另外一个是8083的,也就是我们的client端的,如图:

    另一个

    因为我们在后台开了debug模式,打了断点,所以后面这个请求一直在pending状态,我们先看第一个请求的详细情况:

    很明显的,这个请求发送了我们的用户名和密码,由此可知,这个请求的作用就是负责在cas server后台验证用户名的密码,验证成功后,会自动重定向到第二个请求
    我们再来看第二个请求:

    这个请求就是我们cas client所配置的登录地址,此时这个请求后面自动带上了一个名为ticket的参数,参数值是一串自动生成的随机字符串,由cas server生成的
    我们再回到后台,没什么错误的话,我们可以看到LoginController接收到了这个参数,我们先在UserDetailsServiceImpl类的loadUserDetails方法的开头打一个断点,按F8让调试器跑走,此时,我们就可以看到调试器跳到了我们刚刚打的UserDetasServiceImpl的断点中,再看看参数

    可以看出,我们接收到了cas server认证完ticket后传回来的用户名,我们根据用户名加载对应的权限,返回即可,此时我们再次按F8跳走
    再回到界面,发现我们已经可以访问页面了:

    下一步,就是验证多个应用之间是否能只登陆一次就不用再登陆了;
    我们将当前项目拷贝一份,改名称为cas-client2(maven的groupId和artifactId),再修改一下端口为8082,,记得对应的cas配置也要改:

    启动项目
    先访问localhost:8082

    发现它自动跳转到了8081的cas server
    再打开另外一个浏览器标签,访问localhost:8083

    发现它也自动跳到了cas的登录页面,我们先在这里输入账号密码登录:

     

    登录成功后,我们再切换回刚刚没登录的8082的网页标签,刷新一下,

     

    ok,8082也不用登陆了,大功告成!

    源码地址:

    https://github.com/yupingyou/casclient.git


    另:Spring security原本默认有个/login和/logout的handler,(以前不是这个地址,不知道从哪个版本开始改了,以前好像是_spring_security_check,大概是这个,记不太清,我用了4以后就发现地址变了),但是我发现我访问/login的时候出现404,但/logout可以访问,没发现什么原因,后来我就自定义一个登陆了,也就是我配置的/login.do,代替了默认的/login


    第一次动手写这么长的博客...............累

转载于:https://www.cnblogs.com/aljy/p/9543914.html

weixin_33781606
关注
spring security 整合 CAS
hwt_211博客
12-03 1489
Spring security+CAS单点登录 Spring security 版本 3.2.4  CAS Server版本  3.4.10 CAS client 版本 3.2.1 JDK 1.7 Tomcat 8.0   原理: 从结构上看,CAS 包含两个部分: CAS Server 和 CAS Client。CAS Server 需要独立部署,主要负责对用户的认证工作;CAS
Spring Security整合CAS
new_ord的博客
11-15 1万+
CAS(中央认证服务) 从结构上看,CAS 包含两个部分: CAS Server 和 CAS Client。CAS Server 需要独立部署,主要负责对用户的认证工作;CAS Client 负责处理对客户端受保护资源的访问请求,需要登录时,重定向到 CAS Server。图1 是 CAS 最基本的协议过程: CAS Client 与受保护的客户端应用部署在一起,以 Filter 方式保护受保护的资源。对于访问受保护资源的每个 Web 请求,CAS Client 会分析该请求的 Http 请求中是否
Spring security集成CAS
韦军辉
08-31 869
什么是Spring security? Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IOC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用...
spring security 集成cas
qq_37001186的博客
07-13 763
pom.xml增加 security.xml <!-- 指定登录入口为casEntryPoint --> <http auto-config="true" use-expressions="true" entry-point-ref="casEntryPoint"> <custom-filter ref="casAuthenticationFilter" position="CA
spring security 整合cas
极客on之路
03-23 3926
目录 1.1           配置登录认证 1.1.1     配置AuthenticationEntryPoint 1.1.2     配置CasAuthenticationFilter 1.1.3     配置AuthenticationManager 1.2           单点登出 1.3           使用代理 1.3.1     代理端 1.3.2    
详解Spring Boot 使用Spring security 集成CAS
08-30
Spring Boot 使用 Spring Security 集成...通过使用 Spring Security,我们可以轻松地实现身份验证和授权,而 CAS 客户端则提供了单点登录功能。这些技术的结合使用,可以提供一个安全、可靠的身份验证和授权解决方案。
spring boot整合CAS Client实现单点登陆验证的示例
08-28
Spring Boot 整合 CAS Client 实现单点登录验证的示例 Spring Boot 整合 CAS Client 是一种流行的解决方案,用于实现单点登录(Single Sign-On,简称 SSO)。在多个应用系统中,用户只需要登录一次就可以访问所有...
cas-security-spring-boot-starter:用于Apereo CAS客户端的Spring Boot Starter与Spring Security完全集成
01-30
Spring Security CAS启动器 一个Spring Boot Starter,它将帮助您在应用程序安全上下文中配置 。 产品特点 Spring Boot 1和2支持 配置CAS身份验证和授权 支持基于当前HttpServletRequest动态服务解析 通过高级配置 ...
springboot集成CAS实现单点登录的示例代码
08-19
总的来说,SpringBoot集成CAS实现单点登录是一项涉及安全配置、网络通信以及服务器管理的复杂任务。通过理解上述步骤和配置,开发者可以为自己的应用提供安全、便捷的单点登录功能,提高用户体验。同时,熟悉这一...
详解spring boot配置单点登录
08-31
2.灵活性强:spring boot 配置单点登录支持多种身份验证方式和授权机制,且支持多种安全框架集成。 3.高安全性:spring boot 配置单点登录使用 Shiro 框架,提供了高安全性的身份验证和授权机制。 spring boot 配置...
springSecurity集成cas
06-18
cas是Central Authentication Service的简写.提供中央认证服务,实现企业级单点登录.详细参考:http://blog.csdn.net/xiejx618/article/details/51703469
springboot+security+cas集成demo
11-23
springboot+security+cas集成demo。。
Spring Security集成CAS客户端实例
03-02
这是一个Spring Security集成CAS实现单点登录的客户端实例,使用Maven集成开发,项目中使用到的Oframer和otauser(CAS服务端)请至我的资源中寻找下载。
spring securitycas 集成(中)
snoopy
04-25 9752
上一篇对于spring securitycas集成中涉及的名词,认证与授权进行简单说明,现在将spring securitycas集成的配置文件简单贴上来,这其中所需要的jar太多了,主要涉及cas client 3.1,spring security 3.2, spring security-cas client,spring 3.2这几类jar包。 主要配置如下: web.xm
4) Spring Boot + Spring Security集成CAS
悟空、的博客园
03-17 1万+
4) Spring Boot + Spring Security集成CAS 预期效果: 1. 访问客户端时跳转到cas登录 2. 登录完后,展示默认的用户信息 3. 对cas用户进行用户映射 分支代码:https://github.com/grissomsh/cas/tree/1.x-integration-spring-boot cas校验流程: 用户访问业务系统(clien...
16.Spring Boot 使用Spring security 集成CAS
热门推荐
编码语言Codelang
01-03 4万+
在上一篇中说了Spring Boot 使用Spring security,在这一篇中将讲讲Spring security 集成CAS
SpringBoot集成SpringSecurity+CAS
chongmiandun5173的博客
09-22 154
1、 简介 本文主要讲述如何通过SpringSecurity+CASspringboot项目中实现单点登录和单点注销的功能。 参考内容有Spring Security官方文档中的 5. Java Configuration 32. CAS Authentication 本文为Jaune1...
Spring Security整合CAS实现单点登录
战丶后风!!的博客
09-14 708
CAS-Client03项目结构图 CAS-Client03项目运行示例 ① 初次访问没有登录会跳转至CAS登录页面 ② 登录成功后 ③ 退出登录 pom.xml依赖 <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> ...
解锁Spring Security注解鉴权与CAS整合实践
最新发布
weixin_44837153的博客
03-06 1655
在这个例子中,我们使用SimpleGrantedAuthority表示自定义权限,并在构造CustomUserDetails时进行相应的处理。在上述配置中,我们通过authenticationUserDetailsService()方法返回了一个自定义的AuthenticationUserDetailsService实现,用于从CAS验证结果中构建CustomUserDetails对象。在接口层面,我们可以使用Spring Security提供的注解鉴权功能,结合CAS验证结果的权限信息进行精细控制。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值