jasig CAS登录验证分析

最新推荐文章于 2020-01-21 12:06:09 发布
最新推荐文章于 2020-01-21 12:06:09 发布
阅读量388 收藏
点赞数
文章标签: 前端 python 数据库 ViewUI
原文链接:https://my.oschina.net/indestiny/blog/202454
版权

2019独角兽企业重金招聘Python工程师标准>>> hot3.png

jasig CAS登录验证分析:

之前文章讲到了怎么利用jasig CAS实现sso:

http://my.oschina.net/indestiny/blog/200768

本文对jasig CAS验证过程做个简单的分析,便于以后能够更好定制自己的CAS, 要了解CAS流程你需要知道spring,springmvc等知识,也要了解spring-webflow, 因为整个验证流程都是由spring-webflow定制的,你可以参考我转载的一篇spring-webflow的文章:

http://my.oschina.net/indestiny/blog/201988

ok, 就开始了。

  • 先说说我们未登录状态时:

重点就是服务器端的配置:WEB-INF/login-webflow.xml中,它定义了整个登录流程,我们先就分析其流程: 

<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
    <on-start>
        <evaluate expression="initialFlowSetupAction" />
    </on-start>

	<decision-state id="ticketGrantingTicketExistsCheck">
		<if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
	</decision-state>
    
	<decision-state id="gatewayRequestCheck">
		<if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck" />
	</decision-state>
	
	<decision-state id="hasServiceCheck">
		<if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
	</decision-state>
	
	<decision-state id="renewRequestCheck">
		<if test="requestParameters.renew != '' and requestParameters.renew != null" then="serviceAuthorizationCheck" else="generateServiceTicket" />
	</decision-state>

    <!-- Do a service authorization check early without the need to login first -->
    <action-state id="serviceAuthorizationCheck">
        <evaluate expression="serviceAuthorizationCheck"/>
        <transition to="generateLoginTicket"/>
    </action-state>
	
	<!-- 
		The "warn" action makes the determination of whether to redirect directly to the requested
		service or display the "confirmation" page to go back to the server.
	-->
	<decision-state id="warn">
		<if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
	</decision-state>
	
	<!-- 
	<action-state id="startAuthenticate">
		<action bean="x509Check" />
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="warn" to="warn" />
		<transition on="error" to="generateLoginTicket" />
	</action-state>
	 -->
    
    <!--
   		LPPE transitions begin here: You will also need to
   		move over the 'lppe-configuration.xml' file from the
   		'unused-spring-configuration' folder to the 'spring-configuration' folder
   		so CAS can pick up the definition for the bean 'passwordPolicyAction'.
   	-->
	<action-state id="passwordPolicyCheck">
		<evaluate expression="passwordPolicyAction" />
		<transition on="showWarning" to="passwordServiceCheck" />
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="error" to="viewLoginForm" />
	</action-state>

	<action-state id="passwordServiceCheck">
		<evaluate expression="sendTicketGrantingTicketAction" />
		<transition to="passwordPostCheck" />
	</action-state>

	<decision-state id="passwordPostCheck">
		<if test="flowScope.service != null" then="warnPassRedirect" else="pwdWarningPostView" />
	</decision-state>

	<action-state id="warnPassRedirect">
		<evaluate expression="generateServiceTicketAction" />
		<transition on="success" to="pwdWarningPostView" />
		<transition on="error" to="generateLoginTicket" />
		<transition on="gateway" to="gatewayServicesManagementCheck" />
	</action-state>

	<end-state id="pwdWarningAbstractView">
		<on-entry>
			<set name="flowScope.passwordPolicyUrl" value="passwordPolicyAction.getPasswordPolicyUrl()" />
		</on-entry>
	</end-state>
	<end-state id="pwdWarningPostView" view="casWarnPassView" parent="#pwdWarningAbstractView" />
	<end-state id="casExpiredPassView" view="casExpiredPassView" parent="#pwdWarningAbstractView" />
	<end-state id="casMustChangePassView" view="casMustChangePassView" parent="#pwdWarningAbstractView" />
	<end-state id="casAccountDisabledView" view="casAccountDisabledView" />
	<end-state id="casAccountLockedView" view="casAccountLockedView" />
	<end-state id="casBadHoursView" view="casBadHoursView" />
	<end-state id="casBadWorkstationView" view="casBadWorkstationView" />
	<!-- LPPE transitions end here... -->
	
	<action-state id="generateLoginTicket">
        <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
		<transition on="generated" to="viewLoginForm" />
	</action-state>
    
	<view-state id="viewLoginForm" view="casLoginView" model="credentials">
        <binder>
            <binding property="username" />
            <binding property="password" />
        </binder>
        <on-entry>
            <set name="viewScope.commandName" value="'credentials'" />
        </on-entry>
		<transition on="submit" bind="true" validate="true" to="realSubmit">
            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
        </transition>
	</view-state>

  	<action-state id="realSubmit">
        <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
        <!--
	      To enable LPPE on the 'warn' replace the below transition with:
	      <transition on="warn" to="passwordPolicyCheck" />

	      CAS will attempt to transition to the 'warn' when there's a 'renew' parameter
	      and there exists a ticketGrantingId and a service for the incoming request.
	    -->
		<transition on="warn" to="warn" />
		<!--
	      To enable LPPE on the 'success' replace the below transition with:
	      <transition on="success" to="passwordPolicyCheck" />
	    -->
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="error" to="generateLoginTicket" />
		<transition on="accountDisabled" to="casAccountDisabledView" />
	    <transition on="mustChangePassword" to="casMustChangePassView" />
	    <transition on="accountLocked" to="casAccountLockedView" />
	    <transition on="badHours" to="casBadHoursView" />
	    <transition on="badWorkstation" to="casBadWorkstationView" />
	    <transition on="passwordExpired" to="casExpiredPassView" />
	</action-state>
	
	<action-state id="sendTicketGrantingTicket">
        <evaluate expression="sendTicketGrantingTicketAction" />
		<transition to="serviceCheck" />
	</action-state>

	<decision-state id="serviceCheck">
		<if test="flowScope.service != null" then="generateServiceTicket" else="viewGenericLoginSuccess" />
	</decision-state>
	
	<action-state id="generateServiceTicket">
        <evaluate expression="generateServiceTicketAction" />
		<transition on="success" to ="warn" />
		<transition on="error" to="generateLoginTicket" />
		<transition on="gateway" to="gatewayServicesManagementCheck" />
	</action-state>

    <action-state id="gatewayServicesManagementCheck">
        <evaluate expression="gatewayServicesManagementCheck" />
        <transition on="success" to="redirect" />
    </action-state>

    <action-state id="redirect">
        <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)" result-type="org.jasig.cas.authentication.principal.Response" result="requestScope.response" />
        <transition to="postRedirectDecision" />
    </action-state>

    <decision-state id="postRedirectDecision">
        <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView" />
    </decision-state>

	<!-- 
		the "viewGenericLogin" is the end state for when a user attempts to login without coming directly from a service.
		They have only initialized their single-sign on session.
	-->
	<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" />

	<!-- 
		The "showWarningView" end state is the end state for when the user has requested privacy settings (to be "warned") to be turned on.  It delegates to a 
		view defines in default_views.properties that display the "Please click here to go to the service." message.
	-->
	<end-state id="showWarningView" view="casLoginConfirmView" />

    <end-state id="postView" view="postResponseView">
        <on-entry>
            <set name="requestScope.parameters" value="requestScope.response.attributes" />
            <set name="requestScope.originalUrl" value="flowScope.service.id" />
        </on-entry>
    </end-state>

	<!-- 
		The "redirect" end state allows CAS to properly end the workflow while still redirecting
		the user back to the service required.
	-->
	<end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />
	
	<end-state id="viewServiceErrorView" view="viewServiceErrorView" />
    
    <end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView" />

	<global-transitions>
        <!-- CAS-1023 This one is simple - redirects to a login page (same as renew) when 'ssoEnabled' flag is unchecked
             instead of showing an intermediate unauthorized view with a link to login page -->
        <transition to="viewLoginForm" on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException"/>
        <transition to="viewServiceErrorView" on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" />
		<transition to="viewServiceErrorView" on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
	</global-transitions>
</flow>
首先设置了一个变量 credentials来保存用户名及密码信息: 

<var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
在该flow执行一开始,做一次初始化: 

<on-start>
     <evaluate expression="initialFlowSetupAction" />
</on-start>

对应其配置在/WEB-INF/cas-servlet.xml中: 

<bean id="initialFlowSetupAction" class="org.jasig.cas.web.flow.InitialFlowSetupAction"
        p:argumentExtractors-ref="argumentExtractors"
        p:warnCookieGenerator-ref="warnCookieGenerator"
        p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"/>

其中argumentExtractors配置/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml中: 

<bean
    id="casArgumentExtractor"
    class="org.jasig.cas.web.support.CasArgumentExtractor"
    p:httpClient-ref="noRedirectHttpClient"
    p:disableSingleSignOut="${slo.callbacks.disabled:false}" />

<bean id="samlArgumentExtractor" class="org.jasig.cas.web.support.SamlArgumentExtractor"
    p:httpClient-ref="noRedirectHttpClient"
    p:disableSingleSignOut="${slo.callbacks.disabled:false}" />
 	
 <util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
 </util:list>

其中ticketGrantingTicketCookieGenerator配置在/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml: 

<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
	p:cookieSecure="true"
	p:cookieMaxAge="-1"
	p:cookieName="CASTGC"
	p:cookiePath="/cas" />

其中warnCookieGenerator的配置在/WEB-INF/spring-configuration/warnCookieGenerator.xml: 

<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
	p:cookieSecure="true"
	p:cookieMaxAge="-1"
	p:cookieName="CASPRIVACY"
	p:cookiePath="/cas" />
对应会调用InitialFlowSetupAction的doExecute方法: 

protected Event doExecute(final RequestContext context) throws Exception {
        final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
        if (!this.pathPopulated) {
            final String contextPath = context.getExternalContext().getContextPath();
            final String cookiePath = StringUtils.hasText(contextPath) ? contextPath + "/" : "/";
            logger.info("Setting path for cookies to: "
                + cookiePath);
            this.warnCookieGenerator.setCookiePath(cookiePath);
            this.ticketGrantingTicketCookieGenerator.setCookiePath(cookiePath);
            this.pathPopulated = true;
        }
        context.getFlowScope().put(
            "ticketGrantingTicketId", this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request));
        context.getFlowScope().put(
            "warnCookieValue",
            Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));

     final Service service = WebUtils.getService(this.argumentExtractors, context);
     context.getFlowScope().put("service", service);
     return result("success");
}

讲完初始化flow配置,看看第一个state(ticketGrantingTicketExistsCheck), 当第一次登录cas时(https://cas_server:8443/cas/login), 没有ticketGrantingTicketId, 所以会留向gatewayRequestCheck state: 

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
看gatewayRequestCheck state,第一次service也是为null, 所以流向serviceAuthorizationCheck state: 
<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck" />
</decision-state>
继续看serviceAuthorizationCheck state, 其会先调用 org.jasig.cas.web.flow.ServiceAuthorizationCheck的doExecute方法,之后流向generateLoginTicket,生成ticket: 
<action-state id="serviceAuthorizationCheck">
    <evaluate expression="serviceAuthorizationCheck"/>
    <transition to="generateLoginTicket"/>
</action-state>
看generateLoginTicket state, 调用generateLoginTicketAction.generate方法来生成ticket,返回给客户端: 
<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
    <transition on="generated" to="viewLoginForm" />
</action-state>
从CAS server debug信息和我的请求信息来看,server先生成这个ticket,返回给浏览器,当我们登录时,会带上这个ticket:

我登录时请求信息:

还是看看ticket怎么生成的吧,generateLoginTicketAction bean: 

<bean id="generateLoginTicketAction" class="org.jasig.cas.web.flow.GenerateLoginTicketAction"
        p:ticketIdGenerator-ref="loginTicketUniqueIdGenerator"/>
/WEB-INF/spring-configuration/uniqueIdGenerators.xml定义了很多Generator, 比如上面的LoginTicketUniqueIdGenerator: 
<bean id="loginTicketUniqueIdGenerator" class="org.jasig.cas.util.DefaultUniqueTicketIdGenerator">
    <constructor-arg index="0" type="int" value="30" />
</bean>
接着看GenerateLoginTicketAction的generate方法: 
public class GenerateLoginTicketAction {
    /** 3.5.1 - Login tickets SHOULD begin with characters "LT-" */
    private static final String PREFIX = "LT";
    @NotNull
    private UniqueTicketIdGenerator ticketIdGenerator;

    public final String generate(final RequestContext context) {
        final String loginTicket = this.ticketIdGenerator.getNewTicketId(PREFIX);//调用generator生成
        this.logger.debug("Generated login ticket " + loginTicket);
        WebUtils.putLoginTicket(context, loginTicket);//最终放到flowScope中
        return "generated";
    }
    ...
}

生成之后,就流向viewLoginForm state,其view未casLoginView,对应就是/WEB-INF/jsp/ui/default/casLoginView.jsp了: 

<view-state id="viewLoginForm" view="casLoginView" model="credentials">
    <binder><!-- 绑定html form表单中的用户名及密码 -->
        <binding property="username" />
        <binding property="password" />
    </binder>
    <on-entry>
        <set name="viewScope.commandName" value="'credentials'" />
    </on-entry>
    <transition on="submit" bind="true" validate="true" to="realSubmit">
        <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
    </transition>
</view-state>

于是就看到了CAS的登录界面:

对应的html表单内容大概是: 

<form id="fm1" class="fm-v clearfix" action="/cas/login" method="post">
    <h2>请输入您的用户名和密码.</h2>
    <div class="row fl-controls-left">
        <label for="username" class="fl-label">用户名:</label>					
        <input id="username" name="username" class="required" tabindex="1" accesskey="n" type="text" value                ="" size="25" autocomplete="false"/>
    </div>
    <div class="row fl-controls-left">
        <label for="password" class="fl-label">密 码:</label>
        <input id="password" name="password" class="required" tabindex="2" accesskey="p" type="password" v                alue="" size="25" autocomplete="off"/>
    </div>
    <div class="row check">
        <input id="warn" name="warn" value="true" tabindex="3" accesskey="w" type="checkbox" />
        <label for="warn">转向其他站点前提示我。</label>
    </div>
    <div class="row btn-row">
        <input type="hidden" name="lt" value="LT-5-rCdFkUxqSVKWTpzNgn2hLoZe9Fq0I2" /><!--生成的ticket-->
        <input type="hidden" name="execution" value="e1s1" />
	 <input type="hidden" name="_eventId" value="submit" /> <!-- 对应提交到submit事件上-->
        <input class="btn-submit" name="submit" accesskey="l" value="登录" tabindex="4" type="submit" />
        <input class="btn-reset" name="reset" accesskey="c" value="重置" tabindex="5" type="reset" />
    </div>
</form>

当我们点击“登录”后,首先就到 authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials), authenticationViaFormAction在cas-servlet.xml中配置: 

<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
     p:centralAuthenticationService-ref="centralAuthenticationService"
     p:warnCookieGenerator-ref="warnCookieGenerator"/>

看doBind()方法: 

public final void doBind(final RequestContext context, final Credentials credentials) throws Exception {
     final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
     // 在authenticationViaFormAction bean定义中并没有注入credentialsBinder, 这里也不会做什么了
     if (this.credentialsBinder != null && this.credentialsBinder.supports(credentials.getClass())) {
        this.credentialsBinder.bind(request, credentials);
     }
 }

接着看submit transition最终流向realSubmit: 

<action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />   
    <transition on="warn" to="warn" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="generateLoginTicket" />
    <transition on="accountDisabled" to="casAccountDisabledView" />
    <transition on="mustChangePassword" to="casMustChangePassView" />
    <transition on="accountLocked" to="casAccountLockedView" />
    <transition on="badHours" to="casBadHoursView" />
    <transition on="badWorkstation" to="casBadWorkstationView" />
    <transition on="passwordExpired" to="casExpiredPassView" />
</action-state>
看看authenticationViaFormAction的submit()方法: 
public final String submit(final RequestContext context, final Credentials credentials, final MessageContext messageContext) throws Exception {
    // 首先验证ticket的一致性
    final String authoritativeLoginTicket = WebUtils.getLoginTicketFromFlowScope(context);
    final String providedLoginTicket = WebUtils.getLoginTicketFromRequest(context);
    if (!authoritativeLoginTicket.equals(providedLoginTicket)) {
        this.logger.warn("Invalid login ticket " + providedLoginTicket);
        final String code = "INVALID_TICKET";
        messageContext.addMessage(
             new MessageBuilder().error().code(code).arg(providedLoginTicket).defaultText(code).build());
        return "error";
    }
    final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
    final Service service = WebUtils.getService(context);
    if (StringUtils.hasText(context.getRequestParameters().get("renew")) && ticketGrantingTicketId != null && service != null) {
       try {
          final String serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicketId, service, credentials);
          WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
          putWarnCookieIfRequestParameterPresent(context);
          return "warn";
       } catch (final TicketException e) {
          if (isCauseAuthenticationException(e)) {
              populateErrorsInstance(e, messageContext);
              return getAuthenticationExceptionEventId(e);
          }
          this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
       }
    }
    try {
         WebUtils.putTicketGrantingTicketInRequestScope(context, this.centralAuthenticationService.createTicketGrantingTicket(credentials)); //这里会调用AuthenticationManagerImpl的authenticateAndObtainPricipal方法,该方法会依次调用我们在deployerConfigContext.xml中配置的authenticationManager bean的authenticationHandlers, 比如之前文章配置的数据库认证处理器等,验证成功了就会生成TGT(TicketGrantingTicket)返回给客户端。
putWarnCookieIfRequestParameterPresent(context);
return "success";
} catch (final TicketException e) {
         populateErrorsInstance(e, messageContext);
         if (isCauseAuthenticationException(e))
                return getAuthenticationExceptionEventId(e);
         return "error";
    }
}

假如我们登录成功了,flow继续流向sendTicketGrantingTicket state: 

<action-state id="sendTicketGrantingTicket">
    <evaluate expression="sendTicketGrantingTicketAction" />
    <transition to="serviceCheck" />
</action-state>
看看SendTicketGrantingTicketAction做了什么: 

protected Event doExecute(final RequestContext context) {
        final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context); 
        final String ticketGrantingTicketValueFromCookie = (String) context.getFlowScope().get("ticketGrantingTicketId");
        
        if (ticketGrantingTicketId == null) {
            return success();
        }
        
        this.ticketGrantingTicketCookieGenerator.addCookie(WebUtils.getHttpServletRequest(context), WebUtils.getHttpServletResponse(context), ticketGrantingTicketId);//将TGT作为Cookie加到Response中

        if (ticketGrantingTicketValueFromCookie != null && !ticketGrantingTicketId.equals(ticketGrantingTicketValueFromCookie)) {
            this.centralAuthenticationService
                .destroyTicketGrantingTicket(ticketGrantingTicketValueFromCookie);
        }

        return success();
    }

返回后,继续流向serviceCheck state, 会根据service是否为空来决定怎么流,也就是说,如果你是直接登录/cas/login, 那么就没有service属性,如果你是由其他客户端跳转过来登录的,那么service就是那个客户端跳转登录的url: 

<decision-state id="serviceCheck">
    <if test="flowScope.service != null" then="generateServiceTicket" else="viewGenericLoginSuccess" />
</decision-state>

如果是直接登录的cas服务器,登录成功后,你就可以看到下面的界面:

我们假设是从你的另一个web client跳转过来的,那么就会流向generateServiceTicket: 

<action-state id="generateServiceTicket">
    <evaluate expression="generateServiceTicketAction" />
    <transition on="success" to ="warn" />
    <transition on="error" to="generateLoginTicket" />
    <transition on="gateway" to="gatewayServicesManagementCheck" />
</action-state>

看GenerateServiceTicketAction的doExecute方法: 

protected Event doExecute(final RequestContext context) {
     final Service service = WebUtils.getService(context);
     final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);

     try {
          final String serviceTicketId = this.centralAuthenticationService
               .grantServiceTicket(ticketGrantingTicket,service); //根据TGT生成service ticket
          WebUtils.putServiceTicketInRequestScope(context, serviceTicketId); //放到request中
          return success();
     } catch (final TicketException e) {
            if (isGatewayPresent(context)) {
                return result("gateway");
            }
     }
     return error();
}
之后,又流向warn state, warnCookieValue就是我们登录界面上是否勾选了提示复选框: 

<decision-state id="warn">
	<if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
</decision-state>

直接看redirect, 其主要构建Response对象,并放到requestScope中: 

<action-state id="redirect">
        <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)" result-type="org.jasig.cas.authentication.principal.Response" result="requestScope.response" />
        <transition to="postRedirectDecision" />
</action-state>
对于postRedirectDecision state,若是post过来的请求就到视图就到 /WEB-INF/view/ jsp /protocol/casPostResponseView.jsp ,若get则外部跳转到会之前的客户端url 

<decision-state id="postRedirectDecision">
    <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView" />
</decision-state>

这就基本说了CAS服务整个登录怎么流动,下面也说说,我们客户端的处理流程。

-----------------------------------------------------------

web客户端主要的配置就在web.xml中: 

<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
    </listener>
    <filter>
        <filter-name>CasSingleSignOutFilter</filter-name>
	 <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CasSingleSignOutFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CasTicketFilter</filter-name>
        <filter-class>
            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CasTicketFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CasRequestWrapFilter</filter-name>
        <filter-class>
            org.jasig.cas.client.util.HttpServletRequestWrapperFilter                                            </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CasRequestWrapFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>AssertionThreadLocalFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>AssertionThreadLocalFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
SingleSignOutHttpSessionListener和SingleSignOutFilter用于登出操作。

CASFilter: 其doFilter方法实现: 

public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession(false);
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

        if (assertion != null) { //有assertion信息(登录信息)就通过
            filterChain.doFilter(request, response);
            return;
        }

        final String serviceUrl = constructServiceUrl(request, response);//获取serviceUrl,即当前url
        final String ticket = CommonUtils.safeGetParameter(request,getArtifactParameterName());
        final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);

        if (CommonUtils.isNotBlank(ticket) || wasGatewayed) { //如果有TGT就表示已登录过了
            filterChain.doFilter(request, response);
            return;
        }
        final String modifiedServiceUrl;
        if (this.gateway) {
            log.debug("setting gateway attribute in session");
            modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
        } else {
            modifiedServiceUrl = serviceUrl;
        }
        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway); //即将要跳转到CAS登录界面的url及其一些参数
        response.sendRedirect(urlToRedirectTo);
    }
其中urlToRedirectTo类似: 

https://${cas-server-host}:port/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fcas-web-client1%2Findex.jsp

经过跳转,然后登录成功后的请求信息:

登录成功以后我们再访问需要认证的url时,这时有了TGT, CAS服务端的login-webflow就有变化: 

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
流向hasServiceCheck state: 
<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>
接着流向renewRequestCheck state: 
<decision-state id="renewRequestCheck">
    <if test="requestParameters.renew != '' and requestParameters.renew != null" 
        then="serviceAuthorizationCheck" else="generateServiceTicket" />
</decision-state>
后面就和之前说的流程一样了。

当我们通过redirect返回之前的web客户端时,还会发生什么呢,这时有了TGT了,AuthenticationFilter中: 

if (CommonUtils.isNotBlank(ticket) || wasGatewayed) { //有TGT通过
     filterChain.doFilter(request, response);
     return;
}

于是接着web客户端下一个的filter Cas20ProxyReceivingTicketValidationFilter: 

<filter>
    <filter-name>CasTicketFilter</filter-name>
    <filter-class>
        org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
</filter>

Cas20ProxyReceivingTicketValidationFilter过滤处理主要是其父类AbstractTicketValidationFilter实现: 

public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
  //子类预处理,Cas20ProxyReceivingTicketValidationFliter做了一些处理
  if (!preFilter(servletRequest, servletResponse, filterChain)) {
     return;
  }

  final HttpServletRequest request = (HttpServletRequest) servletRequest;
  final HttpServletResponse response = (HttpServletResponse) servletResponse;
  final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());//获取ticket

  if (CommonUtils.isNotBlank(ticket)) {
     try { 
      final Assertion assertion = this.ticketValidator.validate(ticket, constructServiceUrl(request, response));//再次拿ticket到服务端验证,看是否确实存在,或者是否过期, 默认实现为Cas20ProxyTicketValidator
      request.setAttribute(CONST_CAS_ASSERTION, assertion);

      if (this.useSession) {//Aseesion放到session中,所以你就知道怎么在我们应用中访问登录的用户信息了
          request.getSession().setAttribute(CONST_CAS_ASSERTION, assertion);
      }
      onSuccessfulValidation(request, response, assertion);

      if (this.redirectAfterValidation) { // 默认true
          log. debug("Redirecting after successful ticket validation.");
          response.sendRedirect(constructServiceUrl(request, response));
          return;
      }
    }catch (final TicketValidationException e) {
          response.setStatus(HttpServletResponse.SC_FORBIDDEN);
          onFailedValidation(request, response);
          if (this.exceptionOnValidationFailure) {
              throw new ServletException(e);
          }
          return;
    }
  }
  filterChain.doFilter(request, response);
}

validate方法由AbstractBasedTicketValidator实现: 

public Assertion validate(final String ticket, final String service) throws TicketValidationException {
      //获取验证url, 类似https:${cas-server-host}:port/cas/serviceValidate?ticket=xxx&service=yyy final String validationUrl = constructValidationUrl(ticket, service);
      if (log.isDebugEnabled()) {
            log.debug("Constructing validation url: " + validationUrl);
      }

      try {
            //发送请求并获取返回内容(通过java URLConnection发送请求,直接读取Response输入流)
            final String serverResponse = retrieveResponseFromServer(new URL(validationUrl), ticket);                                                                                           
            if (serverResponse == null) {
                throw new TicketValidationException("The CAS server returned no response.");
            }
            
            if (log.isDebugEnabled()) {
            	log.debug("Server response: " + serverResponse);
            }
            //解析CAS服务端返回的内容为Assertion对象
            return parseResponseFromServer(serverResponse);
      } catch (final MalformedURLException e) {
            throw new TicketValidationException(e);
    }
}

上面发送认证请求后的返回内容类似: 

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>admin</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

验证请求/cas/serviceValidate则对应服务器端配置的SafeDispatcherServlet:

这个Servlet中包含有一个我们熟悉的Spring-MVC的前端分发器DispatcherServlet, 明显由它来奋发我们的请求,那么/validateService对应那个Controller呢?看cas-servlet.xml配置:

看ServiceValidateController的handleRequestInternal方法重要的一句: 

final Assertion assertion = this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service);

就是根据CentralAuthenticationServiceImpl的下面两个变量来验证: 

/** TicketRegistry for storing and retrieving tickets as needed. */
@NotNull
private TicketRegistry ticketRegistry;
/** New Ticket Registry for storing and retrieving services tickets. Can point to the same one as the ticketRegistry variable. */
@NotNull
private TicketRegistry serviceTicketRegistry;

整个登录基本流程简单的了解over.

转载于:https://my.oschina.net/indestiny/blog/202454

weixin_34302798
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
cas-server-4.0.0
10-24
CAS是Central Authentication Service的缩写,中央认证服务,一种独立开放指令协议。CAS 是 Yale 大学发起的一个开源项目,旨在为 Web 应用系统提供一种可靠的单点登录方法,CAS 在 2004 年 12 月正式成为 JA-SIG 的一个项目。
jasig cas 问题检查点
凌晨四点的书签
11-11 281
常见问题 1.票根xxxx不符合目标服务 2.未能够识别出明白的票根 检查点: 1.检查cas.properties的host.name配置 2.如果没有dns解析,检查服务器hosts配置 3.如果使用反向代理,修改apache配置为域名或修改cas url配置为内部ip...
jasig4.0 cas 登录测试
libinnihaoa的博客
01-21 420
只是简单的验证csa服务器登录和读取数据库账号密码登录 环境window2008+tomcat7+jdk7+cas-server-4.0.0-release  1. 首先到 http://downloads.jasig.org/ 地址下载 cas-server-4.0.0-release.zip,解压后到modules目录中找到cas-server-webapp-4.0.0.war,复制到...
搭建Jasig CAS中央认证服务实现单点登录——搭建Tomcat并实现SSL安全连接
weixin_34410662的博客
03-30 146
预期的工作任务: 实现CASCAS采用Jasig CAS)单点登录搭建,开发api以实现java、php、.net等单点登录接口;实现数据库、LDAP身份认证对接。 (一)平台(Linux和Windows都能实现): 1.Windows Server 2008 R2(Windows 2000以上即可),用于承载Tomcat和其他开发环境,如数据库等(设置为服务器的IP是172.16.201....
CAS 4.0.0RC 配置通过数据库认证用户登录
weixin_30662109的博客
05-05 102
配置通过数据库认证用户登录 打开webapp\WEB-INF目录下的deployerConfigContext.xml,替换 <bean id="primaryAuthenticationHandler" class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler"&gt...
jasig cas4.1.4+oracle数据库认证
07-21
Jasig Central Authentication ServiceCAS)是一个开源的身份验证框架,主要用于实现单点登录(Single Sign-On, SSO)。它允许用户在一个应用系统中登录后,无需再次认证即可访问其他集成的应用系统。CAS 4.1.4 是...
cas:Jasig CAS 4.1 Docker映像,具有战争建立,ldap,数据库cas管理支持
05-04
#DockerFile用于具有cas-management的JASIG CAS Jasig Cas 4.1映像 ##先决条件 码头工人 JVM和Maven(战争大楼) 码头工人组成 ssl证书 ## image build mvn clean package; docker-compose rm -f; docker-compose ...
jasig-cas-4.0.x-overlay-template:ala-casjasig cas 3.4.2升级到4.0.1
05-07
Jasig CAS(Central Authentication Service)是一款广泛使用的开源身份验证系统,主要用于提供单一登录(Single Sign-On, SSO)服务。在从3.4.2版本升级到4.0.1的过程中,开发者通常会遇到兼容性问题和新功能的集成...
cas:已打补丁的JASIG CAS服务器,用于Eureka进行身份验证
05-12
临床中央认证服务(CAS) ,,佐治亚州亚特兰大它有什么作用? 这是一个修补的服务器,用于Eureka进行身份验证! 临床项目。 它在所有尤里卡上提供单一登录! 临床微服务,因此允许将微服务组合为单个集成应用程序...
jasig-cas-rest-client:Jasig CAS(中央身份验证服务 http)的一个非常基本的 REST 客户端
07-10
Jasig CAS(中央身份验证服务)的一个非常基本的 REST 客户端; #要求 #部署 npm install Download source from remote repositories #使用组件 设置支持 REST 的 Jasig CAS 实例后(有关更多信息,请访问 ),...
CAS 4.1.10 版本服务端源码解读
AaronSimon的博客
10-25 2384
在工作中经常会对CAS进行二次改造适应不同的单点登录场景。这篇文章主要对CAS 4.1.10版本进行源码解读(主要是登录流程)。不同版本可以在github下载。 一、准备 下载下来的cas-overlay-template的依赖中默认只有 &lt;dependency&gt; &lt;groupId&gt;org.jasig.cas&lt;/groupId&gt; &lt;artifact...
CAS单点登录开源框架解读(十六)--单点登录服务端TGC校验,导致无法获取到tgt,响应401
joeljx的专栏
01-21 5954
单点登录情况下的现象 在单点登录情况,客户端应用接入CAS服务端后,特别是外网环境会经常出现401的问题,要么直接跳转到登录页面,要么就直接响应401。注意此时CAS服务端的TGT并没有超时。只能排查后端的日志信息,开启debug模式看到了如下的后端异常信息: [org.jasig.cas.web.support.TGCCookieRetrievingCookieGenerator] - Inv...
操作 单点登录JasigCAS (2)
moonbis的博客
01-10 1万+
CAS服务的部署 部署需要准备jdk8环境,tomcat7,cas4.0 Cas服务端其实就是一个war包。 放在toncat目录下的webapps下。启动tomcat自动解压war包。浏览器输入http://localhost:8080/cas/login ,可看到登录页面 这里有个固定的用户名和密码 casuser /Mellon. 端口修改 打开tomcat 目录 co
CAS服务报错: java.net.ConnectException: Connection timed out: connect
热门推荐
学习真香
01-21 6万+
错误 ERROR [org.jasig.cas.authentication.AuthenticationManagerImpl] - &lt;org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler threw error authenticating [username: admin]&gt; org.springfra...
cas4.2.7实现其它登陆系统和cas之间的认证,即其他登陆系统登陆后,cas不需要再次登陆,效果跟cas登陆一样
a1833255的博客
11-26 1991
因为cas登陆是流程化的,先修改文件login-webflow.xml,将认证流程改变, 上面是我修改后的代码,需要我们自己在serviceAuthorizationCheck类内判断该用户是否已在其他系统成功登陆,是就走success后续就是cas原有的逻辑,否则就是no(这里就是我们自己新加的逻辑了),接下来我们进入到流程autoLog
CAS 服务端部署 部分配置
qq_21166213的博客
11-03 2584
使用的版本是 CAS-4.1.0 一、修改登录页面 1、默认的登陆页面是WEB-INF/view/jsp/default里面的ui/casLoginView.jsp为登陆页面,首先copy一份default命名为szcourt。原来的default用于备份。 2、默认的properties文件是cas-theme-default.properties,同样copy一份命名为c
jiasig cas 4.0注销后返回登录页面的实现
u011463444的专栏
08-05 3433
我们访问某个系统登录的时候,会发现url后面所带的service参数类似这样的                     https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fcasclient%2Fbase%2Findex,      参考这样,我们登出的时候设置的链接也可以这样:        
CAS 5.x搭建常见问题系列(1).未认证的授权服务
好用的CAS
07-01 8196
错误内容 未认证授权的服务 CAS的服务记录是空的,没有定义服务。希望通过CAS进行认证的应用程序必须在服务记录中明确定义 错误原因 CAS 5.x 默认情况下不支持HTTP的客户端接入,建议客户端采用HTTPS协议。 不过,确实无法升级为HTTP的,那也可以把CAS Server开启支持HTTP的客户端接入。 具体开发的方法如下: ·1. 修改http支持的配置 打开文...
用Java 实现cas 单点登录
最新发布
08-18
CAS(Central Authentication Service)是一种单点登录SSO)协议,用于集中管理多个应用系统的用户身份认证。下面是用Java实现CAS单点登录的简要流程: 1. 配置CAS服务端: 首先,在服务器上搭建CAS服务端。一般...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值