CAS 客户端登录验证

  • 基于 cas-client v3.2.1
  • 参考文章:http://blog.csdn.net/dovejing/article/details/44426547

CAS 客户端登录验证的核心在于两个 Filter,如下

CAS 客户端的 web.xml


<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://pomer.com:8080/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://pomer.com:8080/</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://pomer.com:8080/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://pomer.com:8080/</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

进入第一个 Filter 的源码,即 AuthenticationFilter 的 doFilter 方法:

/**
 * Decides whether a request may proceed or must be sent to the CAS login page.
 *
 * <p>The request passes straight through when the current session already holds a
 * CAS {@link Assertion}, or when it carries a service ticket / was already gatewayed.
 * In the ticket case nothing is validated here: the ticket is checked by the
 * validation filter further down the chain, so that filter must be mapped to the
 * same URLs (the web.xml above maps both filters to {@code /*}). Otherwise the
 * browser is redirected to {@code casServerLoginUrl} with the service URL attached.
 *
 * @param servletRequest  incoming request, cast to {@link HttpServletRequest}
 * @param servletResponse outgoing response, cast to {@link HttpServletResponse}
 * @param filterChain     remainder of the filter chain
 * @throws IOException      if the redirect or the downstream chain fails
 * @throws ServletException if the downstream chain fails
 */
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    // getSession(false): never create a session merely to look for an assertion.
    final HttpSession existingSession = httpRequest.getSession(false);
    final Assertion cachedAssertion;
    if (existingSession == null) {
        cachedAssertion = null;
    } else {
        cachedAssertion = (Assertion) existingSession.getAttribute(CONST_CAS_ASSERTION);
    }

    // Already authenticated within this session: nothing more to do here.
    if (cachedAssertion != null) {
        filterChain.doFilter(httpRequest, httpResponse);
        return;
    }

    final String serviceUrl = constructServiceUrl(httpRequest, httpResponse);
    final String artifact = CommonUtils.safeGetParameter(httpRequest, getArtifactParameterName());
    // Evaluated unconditionally, before the ticket check, in the same order as upstream.
    final boolean gatewayedBefore = this.gatewayStorage.hasGatewayedAlready(httpRequest, serviceUrl);

    // A ticket is present (or we gatewayed already): hand over to the validation filter.
    if (CommonUtils.isNotBlank(artifact) || gatewayedBefore) {
        filterChain.doFilter(httpRequest, httpResponse);
        return;
    }

    // Neither session assertion nor ticket: build the login redirect.
    log.debug("no ticket and no assertion found");
    final String serviceForLogin;
    if (!this.gateway) {
        serviceForLogin = serviceUrl;
    } else {
        log.debug("setting gateway attribute in session");
        serviceForLogin = this.gatewayStorage.storeGatewayInformation(httpRequest, serviceUrl);
    }

    if (log.isDebugEnabled()) {
        log.debug("Constructed service url: " + serviceForLogin);
    }

    final String loginRedirect = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), serviceForLogin, this.renew, this.gateway);

    if (log.isDebugEnabled()) {
        log.debug("redirecting to \"" + loginRedirect + "\"");
    }

    httpResponse.sendRedirect(loginRedirect);
}

进入第二个 Filter,即 Cas20ProxyReceivingTicketValidationFilter;其 doFilter 方法位于父类 AbstractTicketValidationFilter 中,进入源码:

/**
 * Validates a CAS service ticket carried by the request, if one is present.
 *
 * <p>On successful validation the resulting {@link Assertion} is stored as a request
 * attribute and, when {@code useSession} is set, in the HTTP session as well; the
 * AuthenticationFilter above only looks in the session, so without {@code useSession}
 * later requests would have to present a ticket again. On failure the response status
 * is set to 403 and the chain is NOT continued. A request without a ticket is passed
 * down the chain untouched — this filter does not itself enforce authentication.
 *
 * @param servletRequest  incoming request, cast to {@link HttpServletRequest}
 * @param servletResponse outgoing response, cast to {@link HttpServletResponse}
 * @param filterChain     remainder of the filter chain
 * @throws IOException      if the redirect or the downstream chain fails
 * @throws ServletException on validation failure when {@code exceptionOnValidationFailure}
 *                          is set, or if the downstream chain fails
 */
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {

    // Subclass hook; a false return means the hook already handled the request.
    if (!preFilter(servletRequest, servletResponse, filterChain)) {
        return;
    }

    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    
    // The ticket arrives as a request parameter (name from getArtifactParameterName()).
    final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());

    
    if (CommonUtils.isNotBlank(ticket)) {
        
        // NOTE(review): the ticket value itself is written to the debug log.
        if (log.isDebugEnabled()) {
            log.debug("Attempting to validate ticket: " + ticket);
        }

        try {
            // The ticket is validated against the service URL of this request, so it
            // cannot be replayed against a different service.
            final Assertion assertion = this.ticketValidator.validate(ticket, constructServiceUrl(request, response));

            if (log.isDebugEnabled()) {
                log.debug("Successfully authenticated user: " + assertion.getPrincipal().getName());
            }

            request.setAttribute(CONST_CAS_ASSERTION, assertion);

            // Session storage is what lets the AuthenticationFilter skip the login
            // redirect on subsequent requests.
            if (this.useSession) {
                request.getSession().setAttribute(CONST_CAS_ASSERTION, assertion);
            }
            
            onSuccessfulValidation(request, response, assertion);
            
            // Redirect back to the service URL — presumably to drop the ticket parameter
            // from the browser's address bar; confirm in constructServiceUrl.
            if (this.redirectAfterValidation) {
                log. debug("Redirecting after successful ticket validation.");
                response.sendRedirect(constructServiceUrl(request, response));
                return;
            }
        } catch (final TicketValidationException e) {
            // Only the status is set; no response body is written here.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            log.warn(e, e);
            
            onFailedValidation(request, response);

            if (this.exceptionOnValidationFailure) {
                throw new ServletException(e);
            }

            // Validation failed: the chain is not continued.
            return;
        }
    }

    // No ticket, or ticket validated without redirect: continue down the chain.
    filterChain.doFilter(request, response);

}
  • CAS 交互流程:http://blog.csdn.net/pomer_huang/article/details/76862386
  • CAS 服务端登录验证流程(一):http://blog.csdn.net/pomer_huang/article/details/76862455
