Spring Security结合CAS的配置

在我的几个项目里需要用到单点登录，我选用了CAS。下面给出一个一般性的Spring Security结合CAS的配置文件：
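<?xml version="1.0" encoding="UTF-8"?>
<!--
	Spring Security 3.0 + CAS single sign-on.
	Flow as wired below: an unauthenticated request is sent by casAuthenticationEntryPoint to the
	CAS login page; CAS returns the browser with a service ticket, casAuthenticationFilter hands
	the ticket to authenticationManager, casAuthenticationProvider validates it against the CAS
	server and loads the local roles through authenticationUserDetailsService.
	The ${...} placeholders are resolved from a property source that is presumably declared in
	another context file; no placeholder configurer is defined here.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:util="http://www.springframework.org/schema/util"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.0.xsd
	http://www.springframework.org/schema/context
	http://www.springframework.org/schema/context/spring-context-3.0.xsd
	http://www.springframework.org/schema/util
	http://www.springframework.org/schema/util/spring-util-3.0.xsd">

	<!--
		Enable web security; every intercepted URL that needs authentication is handed to
		casAuthenticationEntryPoint. path-type="regex" means each pattern is a Java regex that
		must match the whole request path, and the first matching intercept-url wins, so the
		order of the rules below is significant.
		NOTE(review): auto-config="true" additionally registers form-login and http-basic. The
		only authentication provider here is the CAS one, so those two login paths appear
		unusable; consider removing auto-config and keeping the explicit logout element.
	-->
	<security:http auto-config="true" entry-point-ref="casAuthenticationEntryPoint" path-type="regex">
		<!-- Port pairs used when a request on the http port has to be redirected to https. -->
		<security:port-mappings>
			<security:port-mapping http="${portHttp}" https="${portHttps}"/>
		</security:port-mappings>
		<!-- Logout is served at the default /j_spring_security_logout; afterwards the handler below redirects. -->
		<security:logout success-handler-ref="simpleUrlLogoutSuccessHandler" />

		<!-- Every path must be reached over https (channel enforcement). -->
		<security:intercept-url pattern="/.*" requires-channel="https" />
		<!-- Access rules: /admin/ is listed before the catch-all, which would otherwise match it too. -->
		<security:intercept-url pattern="/admin/\S*" access="ROLE_ADMIN" />
		<security:intercept-url pattern="/\S*" access="ROLE_USER, ROLE_ADMIN" />
		<!--
			filters="none" takes /api/ws/ out of the security filter chain altogether: no
			authentication, no role check and no https enforcement apply there, so whatever is
			served under that path has to protect itself.
		-->
		<security:intercept-url pattern="/api/ws/\S*" filters="none" />
		<!-- The CAS filter must sit in the CAS_FILTER slot of the chain. -->
		<security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
	</security:http>

	<!--
		Entry point only: when an unauthenticated request is intercepted it redirects the
		browser to the CAS loginUrl, passing the service URL from serviceProperties so CAS can
		send the user back. It does not process tickets; that is the filter's job.
	-->
	<bean id="casAuthenticationEntryPoint"
		class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
		<property name="loginUrl" value="${casAuthenticationEntryPoint.loginUrl}" />
		<property name="serviceProperties" ref="serviceProperties" />
	</bean>

	<!--
		Handles the redirect back from the CAS server: picks the service ticket off the request
		and starts validation through authenticationManager. With no filterProcessesUrl set it
		listens on the default /j_spring_cas_security_check, which is the URL that
		serviceProperties.service must point at.
	-->
	<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager" />
	</bean>

	<!--
		The namespace creates an AuthenticationManager by default, but casAuthenticationFilter
		needs an explicit reference, hence the alias. Only the CAS provider is registered.
	-->
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="casAuthenticationProvider" />
	</security:authentication-manager>

	<!--
		Validates CAS service tickets and builds the authenticated principal.
		ticketValidator: Cas20ServiceTicketValidator calls back to the CAS server (CAS 2.0
		protocol) to validate the ticket, so casServerUrlPrefix should be an https URL whose
		certificate this JVM trusts.
		key: a secret that stamps the tokens created by this provider; use a distinct,
		non-guessable value per deployment and keep it out of source control.
	-->
	<bean id="casAuthenticationProvider"
		class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
		<property name="serviceProperties" ref="serviceProperties" />
		<property name="authenticationUserDetailsService" ref="authenticationUserDetailsService" />
		<property name="ticketValidator">
			<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
				<constructor-arg index="0" value="${casAuthenticationProvider.casServerUrlPrefix}" />
			</bean>
		</property>
		<property name="key" value="${casAuthenticationProvider.key}" />
	</bean>

	<!--
		Describes this application as a CAS service. service must be the URL monitored by
		casAuthenticationFilter. sendRenew defaults to false; set it to true for particularly
		sensitive applications: it tells the CAS login service that an existing single sign-on
		session is not sufficient, so the user has to re-enter username and password to reach
		this service.
	-->
	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
		<property name="service" value="${serviceProperties.service}" />
	</bean>

	<!--
		After the ticket is validated, local roles are loaded by username. The wrapper adapts
		the plain UserDetailsService to the AuthenticationUserDetailsService the provider wants.
	-->
	<bean id="authenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
		<property name="userDetailsService" ref="jdbcUserDetailsService" />
	</bean>
	<!--
		Roles come from the uc database (ucDataSource is defined elsewhere). The custom
		authorities query is run as a prepared statement with the username as its single bound
		parameter, so it must contain exactly one ? and nothing interpolated from the request.
		The users-by-username query is left at its default; the password column it reads is
		not checked by the CAS provider, since CAS performs the authentication.
	-->
	<security:jdbc-user-service data-source-ref="ucDataSource" id="jdbcUserDetailsService" authorities-by-username-query="${jdbcUserDetailsService.authoritiesByUsernameQuery}" />

	<!--
		Where the browser goes after local logout. NOTE(review): logging out here only ends the
		local session; the CAS single sign-on session survives unless defaultTargetUrl points at
		the CAS server's logout endpoint. Confirm the property value.
	-->
	<bean id="simpleUrlLogoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
		<property name="alwaysUseDefaultTargetUrl" value="true" />
		<property name="defaultTargetUrl" value="${simpleUrlLogoutSuccessHandler.defaultTargetUrl}" />
	</bean>

</beans>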

附加说明:


  • 这里我使用的是数据库保存授权信息的方式,因此使用了jdbc-user-service:(在我的项目里数据库名叫“uc”,下面给出数据库结构吧)
    -- Schema read by jdbc-user-service (database `uc`).
    -- Note: MySQL's `utf8` is the 3-byte variant; usernames containing 4-byte characters
    -- would be rejected, so utf8mb4 is usually the better choice.
    DROP TABLE IF EXISTS `uc`.`users`;
    CREATE TABLE `uc`.`users` (
        `username` varchar(32)  NOT NULL,
        `password` varchar(255) NOT NULL DEFAULT '',
        `enabled`  bit(1)       NOT NULL DEFAULT b'1',
        PRIMARY KEY (`username`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    -- One row per (user, application, authority); presumably the reason the authorities
    -- query is customized in the configuration, since Spring's default query does not
    -- know the application_context column.
    DROP TABLE IF EXISTS `uc`.`authorities`;
    CREATE TABLE `uc`.`authorities` (
        `username`            varchar(32) NOT NULL,
        `application_context` varchar(32) NOT NULL,
        `authority`           varchar(32) NOT NULL,
        PRIMARY KEY (`username`, `authority`, `application_context`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    -- Remember-me token store; not referenced by the configuration above.
    DROP TABLE IF EXISTS `uc`.`persistent_logins`;
    CREATE TABLE `uc`.`persistent_logins` (
        `username`  varchar(32)  NOT NULL,
        `series`    varchar(255) NOT NULL,
        `token`     varchar(255) NOT NULL,
        `last_used` datetime     NOT NULL,
        PRIMARY KEY (`series`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;


  • data-source-ref="ucDataSource"里面的ucDataSource是我项目里Spring Security保存授权信息的数据库的数据源,到时候换成你自己的就行

顺便吐槽一下这个代码高亮,每一行就不能长点吗,弄得代码都一坨了

转载于:https://my.oschina.net/since1986/blog/209152
