Spring Security 集成 CAS(基于HTTP协议版本)

最新推荐文章于 2024-09-13 18:30:21 发布
最新推荐文章于 2024-09-13 18:30:21 发布
阅读量178 收藏
点赞数
分类专栏: Spring Security CAS 文章标签: spring security cas

                                   Spring Security 集成 CAS(基于HTTP协议版本)

近段时间一直研究Spring Security 集成 CAS,网上资料相关资料也很多,不过大都是基于Https的安全认证;使用https协议方式验证需要创建证书等一系列事情比较繁琐,且证书是自己制作每次导航至登录界面时都会有安全提示给人感觉不太好;所以整理此文档供有需要的同学参考。

 

一、服务端配置(cas 3.5)
(1).Http协议的CAS比Https版本的步骤要少了ssl的配置,然后修改服务端部分配置文件即可。
(2).配置CAS服务应用程序的配置文件:WEB_INF下cas.properties、deployerConfigContext.xml
以及WEB-INF子目录spring-configuration下的ticketGrantingTicketCookieGenerator.xml、warmCookieGenerator.xml
(3).修改cas.properties 
# Services Management Web UI Security
server.name=http://localhost:8080
server.prefix=${server.name}/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMINISTRATOR
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
# IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
cas.securityContext.status.allowedSubnet=127.0.0.1


cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views

##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=cas

##
# Database flavors for Hibernate
#
# One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
#
  database.hibernate.dialect=org.hibernate.dialect.OracleDialect
# database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
#database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 


(4).deployerConfigContext.xml 添加数据源和密码密码编译器Bean验证用户登录信息;
设置不要使用Https方式(p:requireSecure="false")。
注意:SpringSecurity,CAS 的版本不同有可能类存在不同的包内。 
<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->

<!--
~ Licensed to Jasig under one or more contributor license
~ agreements. See the NOTICE file distributed with this work
~ for additional information regarding copyright ownership.
~ Jasig licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file
~ except in compliance with the License. You may obtain a
~ copy of the License at the following location:
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!--
| This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
| "authenticationManager". Most deployers will be able to use the default AuthenticationManager
| implementation and so do not need to change the class of this bean. We include the whole
| AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
| need to change in context.
+-->
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">

<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
This switch effectively will turn on clearpass.
<property name="authenticationMetaDataPopulators">
<list>
<bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
<constructor-arg index="0" ref="credentialsCache" />
</bean>
</list>
</property>
-->

<!--
| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
| supports the presented credentials.
|
| AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
| attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
| that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
| using.
|
| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
| You will need to change this list if you are identifying services by something more or other than their callback URL.
+-->
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>

<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
| AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in authenticating.
+-->
<property name="authenticationHandlers">
<list>
<!--
| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
| a server side SSL certificate.
+-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" p:requireSecure="false"/>
<!--
| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
| into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
| where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
| local authentication strategy. You might accomplish this by coding a new such handler and declaring
| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
+-->
<!--
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->
<!-- 使用查询数据库的方式验证: sql语句返回密码,然后指定一个密码编码器,将提交的密码编码后与查询出来的密码进行比较。
密码编码器实现org.jasig.cas.authentication.handler.PasswordEncoder接口
-->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="casDataSource" />
<property name="sql" value="select lower(password) from tb_sys_user where lower(username) = lower(?)" />
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
</list>
</property>
</bean>


<!--
This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
More robust deployments will want to use another option, such as the Jdbc version.

The name of this should remain "userDetailsService" in order for Spring Security to find it.
-->
<!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->

<bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value> </value>
</property>
</bean>

<!--
Bean that defines the attributes that a
service may return. This example uses the Stub/Mock version. A real
implementation
may go against a database or LDAP server. The id should
remain "attributeRepository" though.
-->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid"/>
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>

<!--
Sample, in-memory data store for
the ServiceRegistry. A real implementation
would probably want to replace
this with the JPA-backed ServiceRegistry DAO
The name of this bean should
remain "serviceRegistryDao".
-->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
<property name="serviceId" value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="10000001" />
</bean>
</list>
</property>
</bean>

<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
<property name="monitors">
<list>
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<!--
NOTE
The following ticket registries support SessionMonitor:
* DefaultTicketRegistry
* JpaTicketRegistry
Remove this monitor if you use an unsupported registry.
-->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</list>
</property>
</bean>
 
<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@x.x.x.x:1521:x</value>
</property>
<property name="username">
<value>username</value>
</property>
<property name="password">
<value>123456</value>
</property>
</bean>

<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
<constructor-arg value="MD5"/>
</bean>
 
</beans>
 
 
(5).ticketGrantingTicketCookieGenerator.xml
设置cookie安全要求为false使用http协议 
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
 
(6).warnCookieGenerator.xml 设置cookie安全要求为false使用http协议 
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />
 
(7).jar包支持
数据库连接池:commons-dbcp-1.2.2.jar,commons-pool-1.3.jar,commons-logging-1.1.jar,commons-lang-2.5.jar,commons-io-2.0.jar,commons-collections-3.2.1.jar
SpringJdbc: cas-server-support-jdbc-3.5.0.jar
数据库驱动:ojdbc14.jar

二、客户端配置 
<?xml version="1.0" encoding="UTF-8"?>
		<beans xmlns="http://www.springframework.org/schema/beans"
			xmlns:sec="http://www.springframework.org/schema/security"
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			xsi:schemaLocation="http://www.springframework.org/schema/beans
								http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
		                        http://www.springframework.org/schema/security
		                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
			default-autowire="byType"
			default-lazy-init="true">
		
			<sec:http entry-point-ref="casProcessingFilterEntryPoint">
				<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
				<sec:logout />
			</sec:http>
		
			<sec:authentication-manager alias="authenticationManager" />
		
			<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
				<sec:custom-filter after="CAS_PROCESSING_FILTER" />
				<property name="authenticationManager" ref="authenticationManager" />
				<property name="authenticationFailureUrl" value="/casfailed.jsp" />
				<property name="defaultTargetUrl" value="/" />
			</bean>
		
			<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
				<property name="loginUrl" value="http://localhost:8080/cas/login" />
				<property name="serviceProperties" ref="serviceProperties" />
			</bean>
		
			<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
				<property name="service" value="http://localhost:8080/sample2/j_spring_cas_security_check" />
				<property name="sendRenew" value="false"/>
			</bean>
		
			<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
				<sec:custom-authentication-provider />
				<property name="userDetailsService" ref="userDetailsService"/>
				<property name="serviceProperties" ref="serviceProperties" />
				<property name="ticketValidator">
					<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
						<constructor-arg index="0" value="http://localhost:8080/cas/" />
					</bean>
				</property>
				<property name="key" value="integratedreport"/>
			</bean>
		  <!-- 需要自己实现userservice -->
			<bean id="userDetailsService" class="cas.ava.UserDetailsServiceImpl" />
			<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />		
		</beans>
 

三.参考资料
http://www.docin.com/p-277698606.html#documentinfo
 
qqzj-ztq
关注
专栏目录
spring security 整合 CAS
hwt_211博客
12-03 1473
Spring security+CAS单点登录 Spring security 版本 3.2.4  CAS Server版本  3.4.10 CAS client 版本 3.2.1 JDK 1.7 Tomcat 8.0   原理: 从结构上看,CAS 包含两个部分: CAS Server 和 CAS Client。CAS Server 需要独立部署,主要负责对用户的认证工作;CAS
Spring Security(20)——整合Cas
Elim的博客
06-19 7433
众所周知,Cas是对单点登录的一种实现。本文假设读者已经了解了Cas的原理及其使用,这些内容在本文将不会讨论。Cas有Server端和Client端,Client端通常对应着我们自己的应用,Spring Security整合Cas指的就是在Spring Security应用中整合Cas Client,已达到使用Cas Server实现单点登录和登出的效果。本文旨在描述如何在Spring Secur
casspring security 单点登录 配置
07-03
NULL 博文链接:https://yangguowen.iteye.com/blog/678498
Spring Security 结合CAS登入登出配置文件详解
程序员的专栏
05-09 3921
<br />Spring Security配置文件<br /><?xml version="1.0" encoding="UTF-8"?> <b:beans xmlns="http://www.springframework.org/schema/security" xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
cas单点登录整合spring security
Ang_DD的专栏
10-13 8067
在学习security的过程中接触到了cas,并学习了cas的配置和整合security    Cas服务器端的配置     一、使用java keytool工具为系统生成Https证书,并注册 1.删除已有的证书 C:\Program Files\Java\jdk1.6.0_10\bin>keytool -delete -alias tomcat(随意起的别名) -keystore
(翻译)Spring Security-2.0.x参考文档“CAS认证”
xyz20003的专栏
08-07 167
Chapter 19. CAS认证 19.1. 概述 JA-SIG开发了一个企业级的单点登录系统,叫做CAS。 与其他项目不同,JA-SIG的中心认证服务是开源的,广泛使用的,简单理解的,不依赖平台的,而且支持代理能力。 Spring Security完全支持CAS,提供一个简单的整合方式,把使用Spring Security的单应用发布,转换成使用企业级CAS服务器的多应用发布安全 ...
详解Spring Boot 使用Spring security 集成CAS
08-30
Spring Boot 使用 Spring Security 集成 CAS Spring Boot 是一个基于 Java 的开源框架,用于快速构建生产级别的应用程序。Spring Security 是一个基于 Spring 的安全框架,提供了身份验证、授权和访问控制等功能。...
Spring Security集成CAS客户端实例
03-02
**Spring Security集成CAS客户端实例详解** 在Web应用中,安全是至关重要的,Spring SecurityCAS(Central Authentication Service)是两种广泛使用的安全框架。本实例旨在展示如何将Spring SecurityCAS结合,...
springboot+security+cas集成demo
11-23
"springboot+security+cas集成demo"的目的是展示如何在Spring Boot应用中集成Spring SecurityCAS,实现SSO功能。以下是一些关键步骤: 1. **配置CAS客户端**:在Spring Boot应用中,我们需要引入CAS客户端库,...
[www.java1234.com]J2EE中文API.chw
09-02
j2ee帮助文档
cas-security-spring-boot-starter:用于Apereo CAS客户端的Spring Boot Starter与Spring Security完全集成
01-30
Spring Security CAS启动器 一个Spring Boot Starter,它将帮助您在应用程序安全上下文中配置 。 产品特点 Spring Boot 1和2支持 配置CAS身份验证和授权 支持基于当前HttpServletRequest动态服务解析 通过高级配置 ...
springSecurity集成cas
06-18
cas是Central Authentication Service的简写.提供中央认证服务,实现企业级单点登录.详细参考:http://blog.csdn.net/xiejx618/article/details/51703469
cas (三) 数据库验证
weixin_30887919的博客
11-18 259
一 \cas\apache-tomcat-7.0.42\webapps\cas\WEB-INF\lib 新增jar cas-server-support-jdbc-3.5.2.jar mysql-connector-java-5.1.6.jar c3p0-0.9.1.2.jar 二、deployerConfigContext.xml <?xml version="1...
SpringSecurity———单点登录CAS
不积跬步无以至千里
11-02 716
所谓单点登录,SSO(Single Sign On),就是把N个应用的登录系统整合在一起,这样一来无论用户登录了任何一个应用,都可以直接以登录过的身份访问其他应用,不用每次访问其他系统再去登陆一遍了。 Spring Security没有实现自己的SSO,而是整合了耶鲁大学单点登陆(JA-SIG),这是当前使用很广泛的一种SSO实现,它是基于中央认证服务CAS(Center Authenticat
Cas(05)——修改Cas的其它配置
热门推荐
Elim的博客
03-08 1万+
修改Cas Server的其它配置   1.1     修改host.name        host.name是定义在cas.properties文件中的一个属性。该属性将被定义在uniqueIdGenerators.xml文件中的各种UniqueTicketIdGenerator用来生成TGT、ST等ticket。默认在生成这些ticket时会将host.name作为对应ticket的后
spring security 整合cas
极客on之路
03-23 3908
目录 1.1           配置登录认证 1.1.1     配置AuthenticationEntryPoint 1.1.2     配置CasAuthenticationFilter 1.1.3     配置AuthenticationManager 1.2           单点登出 1.3           使用代理 1.3.1     代理端 1.3.2    
cas 集群部署配置
dengzhongju的专栏
03-12 2676
https://wiki.jasig.org/display/CASUM/Clustering+CAS The clustering guide describes concerns and configuration guidelines for deploying CAS in a high availability (HA) environment.
Spring Framework 学习总结博客
最新发布
2302_80084329的博客
09-13 1017
通过本文的学习,我们从Spring的核心架构入手,逐步理解了IoC和DI的概念,并通过代码示例掌握了如何在实际项目中使用这些技术。Spring通过IoC容器管理bean,依赖注入将bean之间的关系解耦,大大简化了复杂系统的开发过程。这些基本的Spring知识是理解其高级特性(如AOP、事务管理)的基础,掌握这些概念后,我们可以更加自如地使用Spring构建复杂的企业级应用。
Spring Boot与Spring Security集成CAS实战教程
集成CAS之前,你需要有一个运行的CAS服务器。你可以下载并部署CAS开源项目,或者使用云服务提供的CAS服务。配置文件(如`application.properties`或`application.yml`)需要包含CAS服务器的URL和其他相关信息。 ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值