For some time now I have been working on integrating Spring Security with CAS. There is plenty of material online, but almost all of it is based on HTTPS authentication. Going the HTTPS route means creating certificates and a series of other tedious steps, and because the certificate is self-signed, a security warning pops up every time you navigate to the login page, which does not make a good impression. So I put this document together for anyone who needs it.
I. Server-side configuration (CAS 3.5)
(1). The HTTP variant of CAS needs fewer steps than the HTTPS variant, since the SSL configuration is dropped; beyond that, only part of the server-side configuration files needs to be edited.
(2). The CAS server application's configuration files to edit are: cas.properties and deployerConfigContext.xml under WEB-INF, plus ticketGrantingTicketCookieGenerator.xml and warnCookieGenerator.xml under the WEB-INF subdirectory spring-configuration.
(3). Edit cas.properties
    # Services Management Web UI Security
    server.name=http://localhost:8080
    server.prefix=${server.name}/cas
    cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
    # Names of roles allowed to access the CAS service manager
    cas.securityContext.serviceProperties.adminRoles=ROLE_ADMINISTRATOR
    cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
    cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
    # IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
    cas.securityContext.status.allowedSubnet=127.0.0.1


    cas.themeResolver.defaultThemeName=cas-theme-default
    cas.viewResolver.basename=default_views

    ##
    # Unique CAS node name
    # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
    # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
    host.name=cas

    ##
    # Database flavors for Hibernate
    #
    # One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
    #
    database.hibernate.dialect=org.hibernate.dialect.OracleDialect
    # database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
    #database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
(4). In deployerConfigContext.xml, add a data source bean and a password encoder bean so that user login details are validated against the database, and set the service-callback handler not to require HTTPS (p:requireSecure="false").
Note: depending on the Spring Security and CAS versions, these classes may live in different packages.
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
      | all CAS deployers will need to modify.
      |
      | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
      | The beans declared in this file are instantiated at context initialization time by the Spring
      | ContextLoaderListener declared in web.xml. It finds this file because this
      | file is among those declared in the context parameter "contextConfigLocation".
      |
      | By far the most common change you will need to make in this file is to change the last bean
      | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
      | one implementing your approach for authenticating usernames and passwords.
      +-->

    <!--
      ~ Licensed to Jasig under one or more contributor license
      ~ agreements. See the NOTICE file distributed with this work
      ~ for additional information regarding copyright ownership.
      ~ Jasig licenses this file to you under the Apache License,
      ~ Version 2.0 (the "License"); you may not use this file
      ~ except in compliance with the License. You may obtain a
      ~ copy of the License at the following location:
      ~
      ~ http://www.apache.org/licenses/LICENSE-2.0
      ~
      ~ Unless required by applicable law or agreed to in writing,
      ~ software distributed under the License is distributed on an
      ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
      ~ KIND, either express or implied. See the License for the
      ~ specific language governing permissions and limitations
      ~ under the License.
      -->

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:sec="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
      <!--
        | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
        | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
        | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
        | implementation and so do not need to change the class of this bean. We include the whole
        | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
        | need to change in context.
        +-->
      <bean id="authenticationManager"
            class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
             This switch effectively will turn on clearpass.
        <property name="authenticationMetaDataPopulators">
          <list>
            <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
              <constructor-arg index="0" ref="credentialsCache" />
            </bean>
          </list>
        </property>
        -->

        <!--
          | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
          | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
          | supports the presented credentials.
          |
          | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
          | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
          | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
          | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
          | using.
          |
          | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
          | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
          | You will need to change this list if you are identifying services by something more or other than their callback URL.
          +-->
        <property name="credentialsToPrincipalResolvers">
          <list>
            <!--
              | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
              | by default and produces SimplePrincipal instances conveying the username from the credentials.
              |
              | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
              | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
              | Credentials you are using.
              +-->
            <bean
                class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
            <!--
              | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
              | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
              | SimpleService identified by that callback URL.
              |
              | If you are representing services by something more or other than an HTTPS URL whereat they are able to
              | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
              +-->
            <bean
                class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
          </list>
        </property>

        <!--
          | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
          | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
          | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
          | until it finds one that both supports the Credentials presented and succeeds in authenticating.
          +-->
        <property name="authenticationHandlers">
          <list>
            <!--
              | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
              | a server side SSL certificate.
              +-->
            <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" p:requireSecure="false"/>
            <!--
              | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
              | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
              | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
              | local authentication strategy. You might accomplish this by coding a new such handler and declaring
              | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
              +-->
            <!-- Authenticate by querying the database: the SQL statement returns the stored password, then a password
                 encoder is specified; the submitted password is encoded and compared with the value returned by the query.
                 The password encoder implements the org.jasig.cas.authentication.handler.PasswordEncoder interface.
              -->
            <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
              <property name="dataSource" ref="casDataSource" />
              <property name="sql" value="select lower(password) from tb_sys_user where lower(username) = lower(?)" />
              <property name="passwordEncoder" ref="passwordEncoder"/>
            </bean>
          </list>
        </property>
      </bean>


      <!--
        This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
        More robust deployments will want to use another option, such as the Jdbc version.

        The name of this should remain "userDetailsService" in order for Spring Security to find it.
        -->

      <bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
          <value> </value>
        </property>
      </bean>

      <!--
        Bean that defines the attributes that a
        service may return. This example uses the Stub/Mock version. A real
        implementation
        may go against a database or LDAP server. The id should
        remain "attributeRepository" though.
        -->
      <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
          <map>
            <entry key="uid" value="uid"/>
            <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
            <entry key="groupMembership" value="groupMembership" />
          </map>
        </property>
      </bean>

      <!--
        Sample, in-memory data store for
        the ServiceRegistry. A real implementation
        would probably want to replace
        this with the JPA-backed ServiceRegistry DAO
        The name of this bean should
        remain "serviceRegistryDao".
        -->
      <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
          <list>
            <bean class="org.jasig.cas.services.RegexRegisteredService">
              <property name="id" value="0" />
              <property name="name" value="HTTP and IMAP" />
              <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
              <property name="serviceId" value="^(https?|imaps?)://.*" />
              <property name="evaluationOrder" value="10000001" />
            </bean>
          </list>
        </property>
      </bean>

      <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

      <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
        <property name="monitors">
          <list>
            <bean class="org.jasig.cas.monitor.MemoryMonitor"
                  p:freeMemoryWarnThreshold="10" />
            <!--
              NOTE
              The following ticket registries support SessionMonitor:
                * DefaultTicketRegistry
                * JpaTicketRegistry
              Remove this monitor if you use an unsupported registry.
              -->
            <bean class="org.jasig.cas.monitor.SessionMonitor"
                  p:ticketRegistry-ref="ticketRegistry"
                  p:serviceTicketCountWarnThreshold="5000"
                  p:sessionCountWarnThreshold="100000" />
          </list>
        </property>
      </bean>

      <bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName">
          <value>oracle.jdbc.driver.OracleDriver</value>
        </property>
        <property name="url">
          <value>jdbc:oracle:thin:@x.x.x.x:1521:x</value>
        </property>
        <property name="username">
          <value>username</value>
        </property>
        <property name="password">
          <value>123456</value>
        </property>
      </bean>

      <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
        <constructor-arg value="MD5"/>
      </bean>

    </beans>
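To make the server-side check concrete, here is an added Python sketch (not CAS code) of what the QueryDatabaseAuthenticationHandler and MD5 DefaultPasswordEncoder beans above do together: the query returns the stored digest for the user, the submitted password is MD5-hashed to lower-case hex, and the two are compared. The sqlite stand-in table, its rows and the constant-time compare are assumptions of this sketch; the SQL string is the page's own, and unsalted MD5 is shown only because it is what this page's bean configures.

```python
import hashlib
import hmac
import sqlite3

# Stand-in for the DefaultPasswordEncoder("MD5") bean: digest of the submitted password,
# rendered as lower-case hex (assumption: that is how CAS 3.5 formats the digest).
def encode_password(plaintext: str) -> str:
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()

# The exact query from the QueryDatabaseAuthenticationHandler bean on this page.
SQL = "select lower(password) from tb_sys_user where lower(username) = lower(?)"

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Oracle tb_sys_user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_sys_user (username text, password text)")
    conn.executemany(
        "insert into tb_sys_user (username, password) values (?, ?)",
        [
            # stored as upper-case hex on purpose: lower(password) in the SQL normalises it
            ("Alice", encode_password("s3cret").upper()),
            ("bob", encode_password("hunter2")),
        ],
    )
    return conn

def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mimics the handler: run the query for the username, digest the submitted
    password, and compare it with the single value the query returned."""
    rows = conn.execute(SQL, (username,)).fetchall()
    if len(rows) != 1:
        # unknown user, or an ambiguous result set: authentication fails in both cases
        return False
    stored = rows[0][0] or ""
    # constant-time comparison is an added hardening; the CAS handler itself uses String.equals
    return hmac.compare_digest(stored, encode_password(password))
```

Because both sides of the SQL are wrapped in lower(), the username lookup is case-insensitive while the password check is not.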
(5). ticketGrantingTicketCookieGenerator.xml: set the cookie's secure flag to false so that the cookie is sent over plain HTTP.
    <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />
(6). warnCookieGenerator.xml: set the cookie's secure flag to false so that the cookie is sent over plain HTTP.
    <bean id="warnCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY" p:cookiePath="/cas" />
(7). Required jars
Database connection pool: commons-dbcp-1.2.2.jar, commons-pool-1.3.jar, commons-logging-1.1.jar, commons-lang-2.5.jar, commons-io-2.0.jar, commons-collections-3.2.1.jar
Spring JDBC support: cas-server-support-jdbc-3.5.0.jar
Database driver: ojdbc14.jar
II. Client-side configuration
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:sec="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
           default-autowire="byType"
           default-lazy-init="true">

      <sec:http entry-point-ref="casProcessingFilterEntryPoint">
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <sec:logout />
      </sec:http>

      <sec:authentication-manager alias="authenticationManager" />

      <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <sec:custom-filter after="CAS_PROCESSING_FILTER" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureUrl" value="/casfailed.jsp" />
        <property name="defaultTargetUrl" value="/" />
      </bean>

      <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="http://localhost:8080/cas/login" />
        <property name="serviceProperties" ref="serviceProperties" />
      </bean>

      <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="http://localhost:8080/sample2/j_spring_cas_security_check" />
        <property name="sendRenew" value="false"/>
      </bean>

      <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="http://localhost:8080/cas/" />
          </bean>
        </property>
        <property name="key" value="integratedreport"/>
      </bean>

      <bean id="userDetailsService" class="cas.ava.UserDetailsServiceImpl" />
      <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
    </beans>
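The client configuration above hands ticket validation to Cas20ServiceTicketValidator. As an added illustration (not code from the page or from the CAS client library), the following Python builds the /serviceValidate request that validator sends and parses the CAS 2.0 <cas:serviceResponse> it gets back, for both the success and the failure case; the sample responses are constructed, and the ticket value is a placeholder. Over the plain-HTTP setup this page describes, that request and response travel unencrypted, which is exactly what the HTTPS variant would protect.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def build_validate_url(cas_server_url_prefix: str, service: str, ticket: str,
                       renew: bool = False) -> str:
    """URL the client calls to validate a service ticket (CAS 2.0 /serviceValidate).
    `service` must be exactly the value registered in ServiceProperties, otherwise
    the server rejects the ticket."""
    params = {"service": service, "ticket": ticket}
    if renew:                      # mirrors ServiceProperties.sendRenew="true"
        params["renew"] = "true"
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + urlencode(params)

def parse_service_response(xml_text: str) -> dict:
    """Parse the <cas:serviceResponse> body. Returns {"success": True, "user": ...}
    or {"success": False, "code": ..., "message": ...}; anything unexpected is a failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", namespaces=CAS_NS)
        if not user or not user.strip():
            return {"success": False, "code": "MALFORMED", "message": "no cas:user element"}
        return {"success": True, "user": user.strip()}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"success": False, "code": fail.get("code", "UNKNOWN"),
                "message": (fail.text or "").strip()}
    return {"success": False, "code": "MALFORMED", "message": "no success/failure element"}

# Constructed sample responses (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-placeholder' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url("http://localhost:8080/cas/",
                             "http://localhost:8080/sample2/j_spring_cas_security_check",
                             "ST-1-placeholder"))
    print(parse_service_response(SUCCESS_RESPONSE))
    print(parse_service_response(FAILURE_RESPONSE))
```

The username returned on success is what CasAuthenticationProvider then passes to the userDetailsService bean to load roles; the client never sees the user's password.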
III. References
http://www.docin.com/p-277698606.html#documentinfo