Add the cas-client jar
Download cas-client from http://www.ja-sig.org/downloads/cas-clients/; the latest version at the time of writing is cas-client-3.2.1-release.zip. Unzip cas-client-3.2.1-release.zip and copy cas-client-core-3.2.1.jar from its modules directory into the application's WEB-INF/lib directory.
Write a customization package supporting CAS integration
Besides adding the CAS built-in filters to web.xml (see "Modify web.xml" below), we need to write our own customization package supporting CAS integration. The general idea is as follows:
    package aurora.plugin.sso.cas;
    import java.io.IOException;
    import java.util.logging.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import org.jasig.cas.client.util.AbstractCasFilter;
    import org.jasig.cas.client.util.AssertionHolder;
    import org.jasig.cas.client.validation.Assertion;

    public class AutoSetUserFilter implements Filter {
        private static final String AURORA_USER_LOGIN = "AURORA_USER_LOGIN"; // session flag; the attribute name is assumed
        private static final Logger logger = Logger.getLogger(AutoSetUserFilter.class.getName());
        private String roleSelectPageUrl; // the roleSelectPageUrl init-param from web.xml

        public void init(FilterConfig config) throws ServletException {
            roleSelectPageUrl = config.getInitParameter("roleSelectPageUrl");
        }

        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            HttpSession session = request.getSession();
            // A custom session attribute records whether the automatic login has already been completed
            Object user_login = session.getAttribute(AURORA_USER_LOGIN);
            if (user_login != null) {
                filterChain.doFilter(request, response); // already logged in: continue with the other filters
                return;
            }
            // Obtain the login account from the CAS API. AssertionHolder is filled only by AssertionThreadLocalFilter,
            // so fall back to the assertion that the validation filter stored in the session.
            Assertion assertion = AssertionHolder.getAssertion();
            if (assertion == null) {
                assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
            }
            if (assertion == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no validated CAS login on this request
                return;
            }
            String loginName = assertion.getPrincipal().getName();
            try {
                // Run this system's own login. Unlike the usual user name plus password check, only the user name is available here.
                executeLoginProc(request, response, loginName);
            } catch (Exception e) {
                logger.log(Level.SEVERE, "executeLoginProc error:", e);
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); // fail closed instead of returning an empty response
                return;
            }
            session.setAttribute(AURORA_USER_LOGIN, Boolean.TRUE); // login succeeded
            response.sendRedirect(roleSelectPageUrl); // go to the page shown after a successful login
        }

        // Application-specific login for loginName; the original document does not show its body
        protected void executeLoginProc(HttpServletRequest request, HttpServletResponse response, String loginName) throws Exception {
            throw new UnsupportedOperationException("replace with the application's own login procedure");
        }

        public void destroy() {}
    }
Package this class into a jar and copy it into the application's WEB-INF/lib directory.
If you are interested, here is a brief look at what the CAS built-in filter org.jasig.cas.client.authentication.AuthenticationFilter does:
    public final void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession(false);
        // Check the custom session attribute "_const_cas_assertion_"
        Assertion assertion = session != null ? (Assertion) session.getAttribute("_const_cas_assertion_") : null;
        if (assertion != null) {
            // Already logged in to CAS successfully
            filterChain.doFilter(request, response);
            return;
        }
        // Build the service URL and check whether a ticket parameter is present in the request
        String serviceUrl = constructServiceUrl(request, response);
        String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());
        boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);
        if ((CommonUtils.isNotBlank(ticket)) || (wasGatewayed)) {
            // A ticket is present; this filter only checks presence, the validation filter checks whether it is valid
            filterChain.doFilter(request, response);
            return;
        }
        this.log.debug("no ticket and no assertion found");
        String modifiedServiceUrl;
        if (this.gateway) {
            this.log.debug("setting gateway attribute in session");
            modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
        } else {
            modifiedServiceUrl = serviceUrl;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Constructed service url: " + modifiedServiceUrl);
        }
        String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);
        if (this.log.isDebugEnabled()) {
            this.log.debug("redirecting to \"" + urlToRedirectTo + "\"");
        }
        // Redirect to the CAS login page
        response.sendRedirect(urlToRedirectTo);
    }
Modify web.xml
Add the filter entries to the application's WEB-INF/web.xml; the result looks like this:
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://sso.aurora-framework.org:8080/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://sso.aurora-framework.org:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://sso.aurora-framework.org:8080/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://sso.aurora-framework.org:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <display-name>AutoSetUserAdapterFilter</display-name>
        <filter-name>AutoSetUserAdapterFilter</filter-name>
        <filter-class>aurora.plugin.sso.cas.AutoSetUserFilter</filter-class>
        <init-param>
            <param-name>roleSelectPageUrl</param-name>
            <param-value>https://sso.aurora-framework.org:8080/yourapp/role_select.screen</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>AutoSetUserAdapterFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
The first several entries are the standard CAS configuration; only the last one, AutoSetUserAdapterFilter (a custom filter, any other name can be used), is our customized program supporting CAS. roleSelectPageUrl is the page the user is redirected to after completing single sign-on. Filters run in the order of their filter-mapping elements, so the custom filter must stay after the CAS validation filter, whose validated assertion it relies on.
When this document was written, the Java web project and CAS ran on the same Tomcat, so both used HTTPS. Otherwise, only the CAS links need to be configured as HTTPS; the project's own connections can use HTTP.
Modify CAS's authentication logic
CAS's default logic allows login whenever the user name and password are identical. We now need to move the original web system's user name and password check into CAS. This assumes the original web system has a sys_user table storing user names and MD5-hashed passwords.
Open cas/WEB-INF/deployerConfigContext.xml
Comment out the SimpleTestUsernamePasswordAuthenticationHandler handler and add:
    <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
        <property ref="dataSource" name="dataSource"></property>
        <property name="sql" value="select t.encrypted_user_password from sys_user t where t.user_name=?"></property>
        <property ref="MD5PasswordEncoder" name="passwordEncoder"></property>
    </bean>
Before the end of the file, add the database connection:
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName">
            <value>oracle.jdbc.driver.OracleDriver</value>
        </property>
        <property name="url">
            <value>jdbc:oracle:thin:@yourIP:1521:yourOracleInstanceId</value>
        </property>
        <property name="username">
            <value>yourName</value>
        </property>
        <property name="password">
            <value>yourPassword</value>
        </property>
    </bean>
    <bean id="MD5PasswordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
        <constructor-arg index="0">
            <value>MD5</value>
        </constructor-arg>
    </bean>
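The handler configured above runs the sql query for the submitted user name, encodes the submitted password with the MD5 encoder, and compares the two strings; the login only succeeds if the hash stored in sys_user is in exactly the format the encoder produces (lowercase hex of the raw digest, no salt). The following is an added example, not code from the original document or from the CAS project: it reproduces that check in plain JDK code against an in-memory stand-in for the sys_user table, so the stored hash format can be verified before the real data source is wired in. The class name Md5HandlerCheck, the user names and passwords, and the UTF-8 encoding are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the original document or the CAS project): reproduces the check that
// QueryDatabaseAuthenticationHandler makes with DefaultPasswordEncoder("MD5"), against an in-memory
// stand-in for sys_user, so the stored hash format can be verified before the real data source is used.
public class Md5HandlerCheck {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Same output as the CAS DefaultPasswordEncoder: lowercase hex of the raw digest, no salt.
    // This example fixes UTF-8; the CAS encoder uses the JVM default encoding unless configured otherwise.
    static String md5Hex(String password) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 digest not available", e);
        }
    }

    // Constructed stand-in for: select t.encrypted_user_password from sys_user t where t.user_name=?
    // (the user names and passwords below are made up for this example)
    static final Map<String, String> SYS_USER = new HashMap<String, String>();
    static {
        SYS_USER.put("alice", md5Hex("alice-password"));           // lowercase hex: matches the encoder output
        SYS_USER.put("bob", md5Hex("bob-password").toUpperCase()); // uppercase hex: never matches, login always fails
    }

    // Mirrors the handler: fetch the single stored hash for the user name, encode the submitted
    // password the same way, and compare. The CAS handler uses String.equals; a constant-time
    // comparison is used here so the result does not depend on how many leading characters matched.
    static boolean authenticate(String userName, String password) {
        String stored = SYS_USER.get(userName);
        if (stored == null) {
            return false; // the handler fails authentication when the query returns no row
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = md5Hex(password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        System.out.println("stored hash for alice: " + SYS_USER.get("alice"));
        System.out.println("alice, correct password: " + authenticate("alice", "alice-password"));
        System.out.println("alice, wrong password: " + authenticate("alice", "wrong"));
        System.out.println("bob, correct password but uppercase stored hash: " + authenticate("bob", "bob-password"));
        System.out.println("unknown user: " + authenticate("carol", "anything"));
    }
}
```

Run it with javac and java before restarting CAS: if the hashes your web system already stores are uppercase, salted, or computed over a different encoding, the comparison fails even for correct passwords, and the stored format (or the encoder) has to be adjusted. Unsalted MD5 is kept here only because the existing sys_user table uses it; it is a weak password hash and is worth migrating away from once CAS owns the credentials.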
Add JDBC support to CAS
Copy cas-server-3.5.2\modules\cas-server-support-jdbc-3.5.2.jar and the Oracle driver (Oracle is used as the database here), ojdbc14.jar or classes12.jar, into the cas/WEB-INF/lib directory.
Log in to the web system again
Restart Tomcat and enter https://sso.aurora-framework.org:8080/yourapp/ in the browser; it automatically redirects to the following page:
Enter a user name and password predefined in the web system; after login you are redirected to the post-login page defined in web.xml.