Single sign-on (SSO) with CAS: integrating a Java Web project

Add the cas-client jar

Download cas-client from http://www.ja-sig.org/downloads/cas-clients/ (the current release is cas-client-3.2.1-release.zip), unzip cas-client-3.2.1-release.zip, and copy cas-client-core-3.2.1.jar from the modules directory into the application's WEB-INF/lib directory.

Write a customization package that supports the CAS integration

Besides adding CAS's built-in filters to web.xml (see "Modify web.xml" below), we need to write our own package that hooks the CAS login into the application's own session handling. The general idea is as follows (the filter is configured last in the chain, so by the time it runs the ticket has already been validated and the assertion is available):

	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest) servletRequest;
		HttpServletResponse response = (HttpServletResponse) servletResponse;

		HttpSession session = request.getSession();
		// A custom session attribute records whether the automatic login has already been done
		Object user_login = session.getAttribute(AURORA_USER_LOGIN);
		if (user_login != null) {
			// Already logged in: continue with the remaining filters
			filterChain.doFilter(request, response);
			return;
		}
		// Obtain the login name from the validated CAS assertion. This filter must be mapped after
		// AssertionThreadLocalFilter; otherwise the assertion is null here.
		Assertion assertion = AssertionHolder.getAssertion();
		if (assertion == null) {
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
			return;
		}
		String loginName = assertion.getPrincipal().getName();
		try {
			// Perform this system's own login. Unlike a normal login, which checks user name and
			// password together, only the user name is available here: the CAS server has already
			// verified the password.
			executeLoginProc(request, response, loginName);
		} catch (Exception e) {
			logger.log(Level.SEVERE, "executeLoginProc error:", e);
			// Do not return silently: the client would otherwise get an empty 200 response
			response.sendError(HttpServletResponse.SC_FORBIDDEN);
			return;
		}
		// Login succeeded
		session.setAttribute(AURORA_USER_LOGIN, Boolean.TRUE);
		// Redirect to the post-login page
		response.sendRedirect(roleSelectPageUrl);
	}

Package this class as a jar and copy it into the application's WEB-INF/lib directory.
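A complete version of this filter, written here as an added example (it is not the code from the original page or from the Aurora project). It uses the class name and the roleSelectPageUrl init-param that the web.xml below configures and the cas-client 3.2.1 API (org.jasig.cas.client.util.AssertionHolder, org.jasig.cas.client.validation.Assertion). The sys_user lookup is replaced by a constructed in-memory map, and the session attribute names are made up. Two things the sketch above does not do are shown: a user known to CAS but absent from sys_user is refused instead of being auto-provisioned, and the pre-authentication session is replaced before it is marked as logged in, so a session id planted in the browser before login cannot be reused afterwards (session fixation).

```java
package aurora.plugin.sso.cas;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;

public class AutoSetUserFilter implements Filter {
    private static final Logger logger = Logger.getLogger(AutoSetUserFilter.class.getName());
    static final String AURORA_USER_LOGIN = "aurora.user.login"; // assumed name: marks the local login as done
    static final String AURORA_USER_ID = "aurora.user.id";       // assumed name: local user id of the session owner
    private String roleSelectPageUrl;

    // Constructed stand-in for the sys_user table (login name -> user id); a real filter queries the database.
    private static final Map<String, Long> SYS_USER = new HashMap<String, Long>();
    static { SYS_USER.put("alice", 1001L); SYS_USER.put("bob", 1002L); }

    public void init(FilterConfig cfg) throws ServletException {
        roleSelectPageUrl = cfg.getInitParameter("roleSelectPageUrl");
        if (roleSelectPageUrl == null || roleSelectPageUrl.trim().isEmpty()) {
            throw new ServletException("init-param roleSelectPageUrl is required"); // fail at startup, not per request
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(AURORA_USER_LOGIN) != null) {
            chain.doFilter(request, response); // local login already done for this session
            return;
        }
        // Populated by Cas20ProxyReceivingTicketValidationFilter and exposed by AssertionThreadLocalFilter,
        // so both must be mapped before this filter. Never read the user name from a request parameter.
        Assertion assertion = AssertionHolder.getAssertion();
        if (assertion == null || assertion.getPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no validated CAS assertion");
            return;
        }
        String loginName = assertion.getPrincipal().getName();
        Long userId = SYS_USER.get(loginName);
        if (userId == null) {
            // Known to CAS but not to this application: refuse rather than auto-provision an account
            logger.log(Level.WARNING, "CAS principal {0} has no sys_user record", loginName);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "user not registered");
            return;
        }
        // Session fixation defence: the session id issued before authentication is discarded and the
        // logged-in state goes into a fresh session; CAS client state (_const_cas_*) is carried over.
        HttpSession fresh = renewSession(request);
        fresh.setAttribute(AURORA_USER_ID, userId);
        fresh.setAttribute(AURORA_USER_LOGIN, Boolean.TRUE);
        response.sendRedirect(roleSelectPageUrl); // redirect once; later requests pass straight through
    }

    private static HttpSession renewSession(HttpServletRequest request) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (name.startsWith("_const_cas_")) { // e.g. _const_cas_assertion_, set by the validation filter
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    public void destroy() { }
}
```

One caveat on renewSession: SingleSignOutFilter remembers the ticket-to-session mapping by session object, so invalidating the old session means a later single logout from CAS no longer reaches this application's session. On a Servlet 3.1 container, request.changeSessionId() is the better choice: it changes the id the browser holds while keeping the same session object, so both the fixation defence and single logout keep working.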

If you are interested, it is also worth a look at what the built-in CAS filter org.jasig.cas.client.authentication.AuthenticationFilter does (decompiled from cas-client-core). Note the second branch in particular: any request that carries a ticket parameter is passed down the chain without being validated. Validation is the job of Cas20ProxyReceivingTicketValidationFilter, so that filter must be mapped to the same URL pattern; on its own, AuthenticationFilter would let a request with a made-up ticket reach the application.

public final void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    HttpSession session = request.getSession(false);
    // Check the session attribute "_const_cas_assertion_"
    Assertion assertion = session != null ? (Assertion) session.getAttribute("_const_cas_assertion_") : null;

    if (assertion != null) {
        // Already logged in to CAS
        filterChain.doFilter(request, response);
        return;
    }
    // Build the service URL and check whether the request carries a ticket parameter
    String serviceUrl = constructServiceUrl(request, response);
    String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());
    boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);

    if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
        // A ticket is present. It is NOT validated here; the validation filter does that
        filterChain.doFilter(request, response);
        return;
    }

    this.log.debug("no ticket and no assertion found");
    String modifiedServiceUrl;
    if (this.gateway) {
        this.log.debug("setting gateway attribute in session");
        modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
    } else {
        modifiedServiceUrl = serviceUrl;
    }

    if (this.log.isDebugEnabled()) {
        this.log.debug("Constructed service url: " + modifiedServiceUrl);
    }

    String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);

    if (this.log.isDebugEnabled()) {
        this.log.debug("redirecting to \"" + urlToRedirectTo + "\"");
    }
    // Redirect to the CAS login page
    response.sendRedirect(urlToRedirectTo);
}


Modify web.xml

Add the filters to the application's WEB-INF/web.xml; the result looks like this (filters run in the order of their filter-mapping elements, so keep this order):

	<!-- CAS single sign-out: session listener -->
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
	</listener>

	<!-- CAS single sign-out filter -->
	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- CAS authentication filter: sends requests without an assertion or ticket to the CAS login page -->
	<filter>
		<filter-name>CASFilter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>
			<param-name>casServerLoginUrl</param-name>
			<param-value>https://sso.aurora-framework.org:8080/cas/login</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>https://sso.aurora-framework.org:8080</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>CASFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- CAS ticket validation filter: validates the ticket against the CAS server and stores the assertion in the session -->
	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://sso.aurora-framework.org:8080/cas</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>https://sso.aurora-framework.org:8080</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- CAS request wrapper: makes getRemoteUser() and getUserPrincipal() return the CAS principal -->
	<filter>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- CAS assertion thread-local filter: makes the assertion available through AssertionHolder -->
	<filter>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Our own filter: performs the application's login from the CAS principal -->
	<filter>
		<display-name>AutoSetUserAdapterFilter</display-name>
		<filter-name>AutoSetUserAdapterFilter</filter-name>
		<filter-class>aurora.plugin.sso.cas.AutoSetUserFilter</filter-class>
		<init-param>
			<param-name>roleSelectPageUrl</param-name>
			<param-value>https://sso.aurora-framework.org:8080/yourapp/role_select.screen</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>AutoSetUserAdapterFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>


The first five are standard CAS configuration; only the last one, AutoSetUserAdapterFilter (a custom filter, any other name can be used), is our own program supporting CAS. roleSelectPageUrl is the page the user is sent to after completing single sign-on. The custom filter reads the assertion that Cas20ProxyReceivingTicketValidationFilter stored in the session and that AssertionThreadLocalFilter exposes, so it must be mapped after both of them.

When this document was written, the Java web project and CAS ran in the same Tomcat, so both use https. Otherwise only the CAS URLs need to be https; the project's own URLs can use http. Keep in mind what that trade-off means: the password is only ever submitted to the CAS server, so that side must be https, while an application served over http exposes its own session cookie and the service ticket in the URL to anyone on the network path. In either case serverName must match the scheme, host and port the browser actually uses, because the CAS server compares the service URL at validation with the one used at login.


Modify the CAS authentication logic

CAS's default logic lets a user log in whenever the user name and the password are identical (SimpleTestUsernamePasswordAuthenticationHandler). The user name and password check of the original web system now has to move into CAS. Assume the original web system has a sys_user table storing the user name and the MD5 hash of the password. An unsalted MD5 column gives little protection against offline cracking if the table leaks; the integration below keeps it only because the existing data is already in that form, and the hash should be migrated to a salted, slow algorithm later.


Open cas/WEB-INF/deployerConfigContext.xml

  1. Comment out the SimpleTestUsernamePasswordAuthenticationHandler handler and add, in its place, the handler that checks the user name and password against the database (the handler bean definition is missing from the page as extracted).


  2. Before the end of the file add the database connection and the password encoder (the bean tags were lost in extraction; the values are):

        driver class:  oracle.jdbc.driver.OracleDriver
        JDBC URL:      jdbc:oracle:thin:@yourIP:1521:yourOracleInstanceId
        user name:     yourName
        password:      yourPassword

     and a password encoder that hashes the submitted password with MD5.


  3. Add JDBC support to CAS:
    copy cas-server-3.5.2\modules\cas-server-support-jdbc-3.5.2.jar and the Oracle driver (Oracle is used here), ojdbc14.jar or classes12.jar, into cas/WEB-INF/lib.

  4. Log in to the web system again

    Restart Tomcat and open https://sso.aurora-framework.org:8080/yourapp/ in the browser; you are redirected automatically to the CAS login page (the screenshot is not reproduced here).

  5. Enter a user name and password predefined in the web system; after login you are taken to the custom post-login page defined in web.xml.
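Putting steps 1 to 3 together, this is the deployerConfigContext.xml fragment I would use with CAS 3.5.2; it is an added example, not the configuration from the original page. The handler class comes from cas-server-support-jdbc-3.5.2.jar and the encoder class from cas-server-core 3.5.2 (check both names against the jars you deployed); the bean ids, the sys_user column names login_name and password, and the use of Commons DBCP for the data source (commons-dbcp and commons-pool must then be in cas/WEB-INF/lib) are assumptions.

```xml
<!-- Inside <property name="authenticationHandlers"><list> ... </list></property> of the
     authenticationManager bean, replacing SimpleTestUsernamePasswordAuthenticationHandler -->
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="dataSource" ref="dataSource" />
    <property name="passwordEncoder" ref="passwordEncoder" />
    <!-- Exactly one bind parameter (?) for the user name. The handler runs this query with the
         submitted user name bound and compares the stored value with the encoded submitted password.
         Never build this SQL from the user name: that would be an injection point reachable from the
         CAS login form by anyone on the network. -->
    <property name="sql" value="select password from sys_user where login_name = ?" />
</bean>

<!-- Before the closing </beans>: data source and password encoder (ids and column names assumed) -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
    <property name="url" value="jdbc:oracle:thin:@yourIP:1521:yourOracleInstanceId" />
    <!-- Use a database account that can only SELECT from sys_user; CAS never needs to write it -->
    <property name="username" value="yourName" />
    <property name="password" value="yourPassword" />
</bean>

<!-- DefaultPasswordEncoder hashes the submitted password with the named MessageDigest algorithm
     and hex-encodes it, which matches an unsalted MD5 column -->
<bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
    <constructor-arg value="MD5" />
</bean>
```

When the password column is migrated to a salted hash, replace passwordEncoder with your own implementation of org.jasig.cas.authentication.handler.PasswordEncoder; the handler and the sql property stay unchanged.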
