Spring Security integration with CAS (HTTP protocol version)
I have been working on integrating Spring Security with CAS for a while. There is plenty of material online, but almost all of it is based on HTTPS authentication. Validating over HTTPS means creating certificates and a series of other tedious steps, and because the certificate is self-signed, the browser shows a security warning every time you are redirected to the login page, which is not a good experience. So I put together this document for anyone who needs it.
(1). The HTTP version of CAS needs fewer steps than the HTTPS version: the SSL configuration is dropped, and only a few server-side configuration files need to be modified.
(2). Configuration files of the CAS server application: cas.properties and deployerConfigContext.xml under WEB-INF, plus ticketGrantingTicketCookieGenerator.xml and warnCookieGenerator.xml under the WEB-INF subdirectory spring-configuration.
(3). Modify cas.properties
# Services Management Web UI Security
server.name=http://localhost:8080
server.prefix=${server.name}/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMINISTRATOR
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
# IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
cas.securityContext.status.allowedSubnet=127.0.0.1
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=cas
##
# Database flavors for Hibernate
#
# One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
#
database.hibernate.dialect=org.hibernate.dialect.OracleDialect
# database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
#database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
(4). In deployerConfigContext.xml, add a data source bean and a password encoder bean that are used to verify the user's login credentials, and set the service authentication handler not to require HTTPS (p:requireSecure="false").
Note: depending on the versions of Spring Security and CAS, the classes may live in different packages.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
  | all CAS deployers will need to modify.
  |
  | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
  | The beans declared in this file are instantiated at context initialization time by the Spring
  | ContextLoaderListener declared in web.xml. It finds this file because this
  | file is among those declared in the context parameter "contextConfigLocation".
  |
  | By far the most common change you will need to make in this file is to change the last bean
  | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
  | one implementing your approach for authenticating usernames and passwords.
  +-->
<!--
  ~ Licensed to Jasig under one or more contributor license
  ~ agreements. See the NOTICE file distributed with this work
  ~ for additional information regarding copyright ownership.
  ~ Jasig licenses this file to you under the Apache License,
  ~ Version 2.0 (the "License"); you may not use this file
  ~ except in compliance with the License. You may obtain a
  ~ copy of the License at the following location:
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied. See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <!--
    | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean. We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
         This switch effectively will turn on clearpass.
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
          <constructor-arg index="0" ref="credentialsCache" />
        </bean>
      </list>
    </property>
    -->
    <!--
      | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
      | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
      | supports the presented credentials.
      |
      | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
      | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
      | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
      | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
      | using.
      |
      | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
      | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
      | You will need to change this list if you are identifying services by something more or other than their callback URL.
      +-->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!--
          | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
          | by default and produces SimplePrincipal instances conveying the username from the credentials.
          |
          | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
          | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
          | Credentials you are using.
          +-->
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <!--
          | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
          | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
          | SimpleService identified by that callback URL.
          |
          | If you are representing services by something more or other than an HTTPS URL whereat they are able to
          | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
          +-->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <!--
      | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
      | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
      | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
      | until it finds one that both supports the Credentials presented and succeeds in authenticating.
      +-->
    <property name="authenticationHandlers">
      <list>
        <!--
          | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
          | a server side SSL certificate.
          +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient" p:requireSecure="false" />
        <!--
          | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
          | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
          | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
          | local authentication strategy. You might accomplish this by coding a new such handler and declaring
          | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
          +-->
        <!--
        <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
        -->
        <!-- Authenticate by querying the database: the SQL statement returns the stored password, then a
             password encoder is specified; the submitted password is encoded and compared with the queried value.
             The password encoder implements the org.jasig.cas.authentication.handler.PasswordEncoder interface.
        -->
        <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
          <property name="dataSource" ref="casDataSource" />
          <property name="sql" value="select lower(password) from tb_sys_user where lower(username) = lower(?)" />
          <property name="passwordEncoder" ref="passwordEncoder" />
        </bean>
      </list>
    </property>
  </bean>
  <!--
    This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the Jdbc version.
    The name of this should remain "userDetailsService" in order for Spring Security to find it.
    -->
  <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" /> -->
  <bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value> </value>
    </property>
  </bean>
  <!--
    Bean that defines the attributes that a
    service may return. This example uses the Stub/Mock version. A real
    implementation
    may go against a database or LDAP server. The id should
    remain "attributeRepository" though.
    -->
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
      </map>
    </property>
  </bean>
  <!--
    Sample, in-memory data store for
    the ServiceRegistry. A real implementation
    would probably want to replace
    this with the JPA-backed ServiceRegistry DAO
    The name of this bean should
    remain "serviceRegistryDao".
    -->
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <bean class="org.jasig.cas.services.RegexRegisteredService">
          <property name="id" value="0" />
          <property name="name" value="HTTP and IMAP" />
          <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
          <property name="serviceId" value="^(https?|imaps?)://.*" />
          <property name="evaluationOrder" value="10000001" />
        </bean>
      </list>
    </property>
  </bean>
  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
              p:freeMemoryWarnThreshold="10" />
        <!--
          NOTE
          The following ticket registries support SessionMonitor:
            * DefaultTicketRegistry
            * JpaTicketRegistry
          Remove this monitor if you use an unsupported registry.
          -->
        <bean class="org.jasig.cas.monitor.SessionMonitor"
              p:ticketRegistry-ref="ticketRegistry"
              p:serviceTicketCountWarnThreshold="5000"
              p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
  <bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
      <value>oracle.jdbc.driver.OracleDriver</value>
    </property>
    <property name="url">
      <value>jdbc:oracle:thin:@x.x.x.x:1521:x</value>
    </property>
    <property name="username">
      <value>username</value>
    </property>
    <property name="password">
      <value>123456</value>
    </property>
  </bean>
  <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg value="MD5" />
  </bean>
</beans>
(5). ticketGrantingTicketCookieGenerator.xml
Set the cookie's Secure requirement to false so that the cookie is sent over HTTP
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
(6). warnCookieGenerator.xml: set the cookie's Secure requirement to false so that the cookie is sent over HTTP
<bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />
(7). Required jar files
Database connection pool: commons-dbcp-1.2.2.jar, commons-pool-1.3.jar, commons-logging-1.1.jar, commons-lang-2.5.jar, commons-io-2.0.jar, commons-collections-3.2.1.jar
Spring JDBC support: cas-server-support-jdbc-3.5.0.jar
Database driver: ojdbc14.jar
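To make the server-side configuration concrete, here is an added example (not part of the original post, and not CAS's own code) that simulates in Python what the QueryDatabaseAuthenticationHandler and DefaultPasswordEncoder("MD5") beans above do: run the configured SQL with the submitted username, encode the submitted password, and accept the login only if the two strings are equal. The table tb_sys_user, its rows and the encoder function are constructed for the example; treating a result size other than exactly one row as a failed login is my reading of the CAS 3.5 handler, not something the post states. The lowercase hex output of the encoder is what makes the page's `lower(password)` query work.

```python
import hashlib
import sqlite3

# Constructed sample rows for tb_sys_user. The stored value is what
# DefaultPasswordEncoder("MD5") produces for the password: hex MD5 digest.
# bob's row is stored upper-case on purpose, to show why the query lower()s it.
SAMPLE_USERS = [
    ("Alice", hashlib.md5(b"s3cret").hexdigest()),
    ("bob", hashlib.md5(b"hunter2").hexdigest().upper()),
]

# Same statement as the page's <property name="sql">; sqlite3 uses ? placeholders like JDBC.
QUERY_SQL = "select lower(password) from tb_sys_user where lower(username) = lower(?)"


def md5_password_encoder(raw_password: str) -> str:
    """Stand-in for org.jasig.cas.authentication.handler.DefaultPasswordEncoder("MD5").

    Returns the lowercase hex digest of the submitted password (constructed to match
    the page's configuration; any PasswordEncoder implementation could be plugged in here).
    """
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the casDataSource bean, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_sys_user (username text, password text)")
    conn.executemany("insert into tb_sys_user values (?, ?)", SAMPLE_USERS)
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str,
                 encoder=md5_password_encoder) -> bool:
    """Simulates QueryDatabaseAuthenticationHandler.authenticateUsernamePasswordInternal:
    1. run the configured SQL with the submitted username as the bind parameter;
    2. encode the submitted password with the configured PasswordEncoder;
    3. succeed only when the single returned value equals the encoded password.
    Zero rows (unknown user) or more than one row (duplicate usernames) is a failure.
    """
    rows = conn.execute(QUERY_SQL, (username,)).fetchall()
    if len(rows) != 1:
        return False
    stored_password = rows[0][0]
    return encoder(password) == stored_password


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw in [("alice", "s3cret"), ("BOB", "hunter2"), ("alice", "wrong"), ("carol", "x")]:
        print(f"{user!r} / {pw!r}: {'accepted' if authenticate(db, user, pw) else 'rejected'}")
```

Because the handler only compares strings, the encoder and the stored format must agree exactly; the page achieves that by lower-casing both sides in SQL and relying on the encoder's lowercase hex output.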
II. Client configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
       default-autowire="byType"
       default-lazy-init="true">
  <sec:http entry-point-ref="casProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <sec:logout />
  </sec:http>
  <sec:authentication-manager alias="authenticationManager" />
  <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
    <sec:custom-filter after="CAS_PROCESSING_FILTER" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureUrl" value="/casfailed.jsp" />
    <property name="defaultTargetUrl" value="/" />
  </bean>
  <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="http://localhost:8080/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
  </bean>
  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="http://localhost:8080/sample2/j_spring_cas_security_check" />
    <property name="sendRenew" value="false" />
  </bean>
  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <sec:custom-authentication-provider />
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="http://localhost:8080/cas/" />
      </bean>
    </property>
    <property name="key" value="integratedreport" />
  </bean>
  <!-- You need to implement the UserDetailsService yourself -->
  <bean id="userDetailsService" class="cas.ava.UserDetailsServiceImpl" />
  <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
</beans>
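The client beans above wire Spring Security to the CAS 2.0 ticket validation exchange: CasProcessingFilter receives the service ticket at j_spring_cas_security_check, Cas20ServiceTicketValidator calls serviceValidate on the CAS server with the service URL and the ticket, and CasAuthenticationProvider then loads the user's roles from your own UserDetailsService (the CAS response only asserts the username). The following is an added Python example, not from the post or from the Spring Security or CAS projects, that builds the validation URL from the page's values, parses both a success and a failure response, and drives the whole exchange against a constructed stand-in for the CAS server. ISSUED_TICKETS, USER_DETAILS and fake_cas_server are constructed for the example; the XML layout follows the CAS 2.0 protocol's serviceValidate response.

```python
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Values taken from the page's client configuration.
CAS_SERVER_URL_PREFIX = "http://localhost:8080/cas/"  # Cas20ServiceTicketValidator constructor-arg
SERVICE_URL = "http://localhost:8080/sample2/j_spring_cas_security_check"  # ServiceProperties.service

# Constructed CAS 2.0 serviceValidate response bodies (success and failure shapes).
SUCCESS_TEMPLATE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>{user}</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_TEMPLATE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='{code}'>
    {msg}
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed state of the stand-in CAS server: ticket -> (user, service it was issued for).
ISSUED_TICKETS = {"ST-1-abc": ("alice", SERVICE_URL)}
# Constructed stand-in for the page's cas.ava.UserDetailsServiceImpl: username -> authorities.
USER_DETAILS = {"alice": ["ROLE_USER"], "admin": ["ROLE_USER", "ROLE_ADMIN"]}


def validation_url(ticket: str, renew: bool = False) -> str:
    """URL the validator requests: <prefix>serviceValidate?service=...&ticket=...[&renew=true].
    renew mirrors ServiceProperties.sendRenew (false on the page)."""
    params = {"service": SERVICE_URL, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    return urljoin(CAS_SERVER_URL_PREFIX, "serviceValidate") + "?" + urlencode(params)


def parse_service_response(xml_text: str):
    """Parse a CAS 2.0 response into ("success", user) or ("failure", code, message)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        if not user or not user.strip():
            raise ValueError("authenticationSuccess without cas:user")
        return ("success", user.strip())
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ("failure", failure.get("code", ""), (failure.text or "").strip())
    raise ValueError("not a CAS serviceResponse")


def fake_cas_server(url: str) -> str:
    """Stand-in for /cas/serviceValidate: a ticket is single-use and bound to one service."""
    query = parse_qs(urlsplit(url).query)
    ticket = query.get("ticket", [""])[0]
    service = query.get("service", [""])[0]
    issued = ISSUED_TICKETS.pop(ticket, None)  # consume the ticket whether or not it validates
    if issued is None:
        return FAILURE_TEMPLATE.format(code="INVALID_TICKET", msg=f"Ticket {ticket} not recognized")
    user, issued_for = issued
    if issued_for != service:
        return FAILURE_TEMPLATE.format(code="INVALID_SERVICE", msg="Ticket was issued to a different service")
    return SUCCESS_TEMPLATE.format(user=user)


def authenticate_ticket(ticket: str, fetch):
    """Mirrors CasAuthenticationProvider: validate the ticket, then load user details by username.
    fetch(url) returns the response body. Returns the authenticated user dict, or None on failure."""
    result = parse_service_response(fetch(validation_url(ticket)))
    if result[0] != "success":
        return None
    authorities = USER_DETAILS.get(result[1])
    if authorities is None:
        return None  # Spring would raise UsernameNotFoundException here
    return {"username": result[1], "authorities": list(authorities)}


if __name__ == "__main__":
    print(validation_url("ST-1-abc"))
    print(authenticate_ticket("ST-1-abc", fake_cas_server))  # valid, first use
    print(authenticate_ticket("ST-1-abc", fake_cas_server))  # same ticket again: None
```

The second call with the same ticket returns None because the stand-in server consumed it on first validation, which is the behaviour a client must expect from a CAS service ticket; a failed validation is what sends the browser to the page's authenticationFailureUrl (/casfailed.jsp).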
III. References
http://www.docin.com/p-277698606.html#documentinfo