1. Please refer to the CAS single sign-on login and logout sequence diagrams.
2. Deploying the CAS server
(1) First download the CAS server code from GitHub and build the WAR yourself:
https://github.com/apereo/cas-management-overlay
Note: when packaging, edit propertyFileConfigurer.xml and set the file path inside it so that casProperties points to the correct location.
(2) Deploy it on Tomcat or Jetty.
(3) If you need HTTPS, taking Tomcat as the example:
keystoreFile is the certificate file (keystore)
keystorePass is its password
Please refer to
https://blog.csdn.net/u012970850/article/details/82533555
(4) Visit https://127.0.0.1:8080/cas/Login; the default username and password are casuser:Mellon
3. Client configuration
I configured it manually in Spring Boot rather than using the Spring Boot auto-configuration.
The jar used is cas-client-core-3.1.10.jar.
Other versions of the jar differ slightly in the code, but not much.
(1) Configuration parameters
import lombok.Getter;
import lombok.Setter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;

@Configuration
@Getter
@Setter
public class CasConfiguration {
    // CAS login URL
    @Value("${cas.casServerLoginUrl}")
    private String casServerLoginUrl;
    // CAS logout URL
    @Value("${cas.casServerLogoutUrl}")
    private String casServerLogoutUrl;
    // CAS client service (this application)
    @Value("${cas.clientService}")
    private String clientService;
    // URL to land on after a successful login
    @Value("${cas.clientLoginSuccessUrl}")
    private String clientLoginSuccessUrl;
    // whitelist of paths that skip authentication
    @Value("${cas.whiteList}")
    private String whiteList;
    // CAS server URL prefix
    @Value("${cas.casServerUrlPrefix}")
    private String casServerUrlPrefix;
    // root URL of the CAS client server
    @Value("${cas.clientServerName}")
    private String clientServerName;
}
(2) Configuring the filters
import java.util.HashMap;
import java.util.Map;

import org.jasig.cas.client.authentication.AuthenticationFilter;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.session.SingleSignOutHttpSessionListener;
import org.jasig.cas.client.util.HttpServletRequestWrapperFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CasFilter {
    @Autowired
    CasConfiguration casConfiguration;

    /*
     * @Description: single sign-out filter; it must be placed first in the chain
     * @Param: []
     * @Return: org.springframework.boot.web.servlet.FilterRegistrationBean
     * @Throws:
     * @Author: wangwei
     * @Date: 2020/3/31 15:44
     */
    @Bean
    public FilterRegistrationBean casSingleSignOutFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        // init-parameter map for the filter
        Map<String, String> map = new HashMap<>(16);
        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
        filterRegistrationBean.setFilter(singleSignOutFilter);
        map.put("casServerUrlPrefix", casConfiguration.getCasServerUrlPrefix());
        filterRegistrationBean.setInitParameters(map);
        String url = "/*";
        filterRegistrationBean.addUrlPatterns(url);
        filterRegistrationBean.setName("CasSingleSignOutFilter");
        filterRegistrationBean.setOrder(1);
        return filterRegistrationBean;
    }

    // register the SingleSignOutHttpSessionListener so back-channel logout can invalidate sessions
    @Bean
    public ServletListenerRegistrationBean casListener() {
        return new ServletListenerRegistrationBean<>(new SingleSignOutHttpSessionListener());
    }

    /*
     * @Description: CAS authentication filter.
     * casServerLoginUrl: the CAS Server login URL; the appResId parameter is appended to indicate the application type
     * (the document system currently uses GONGWEN, the filing system uses BHXT).
     * service: the page returned to after authentication by the CAS Server. localLoginUrl: the local login URL.
     * renew: please do not change it.
     * whiteList: URIs that skip the authentication check, separated by semicolons. A value ending in / means
     * every URI under that path skips the check.
     * @Param: []
     * @Return: org.springframework.boot.web.servlet.FilterRegistrationBean
     * @Throws:
     * @Author: wangwei
     * @Date: 2020/3/27 11:10
     */
    @Bean
    public FilterRegistrationBean casAuthenticationFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        // init-parameter map for the filter
        Map<String, String> map = new HashMap<>(16);
        AuthenticationFilter casAuthenticationFilter = new AuthenticationFilter();
        filterRegistrationBean.setFilter(casAuthenticationFilter);
        map.put("casServerLoginUrl", casConfiguration.getCasServerLoginUrl());
        map.put("service", casConfiguration.getClientLoginSuccessUrl());
        map.put("localLoginUrl", casConfiguration.getClientLoginSuccessUrl());
        map.put("renew", "false");
        map.put("whiteList", casConfiguration.getWhiteList());
        filterRegistrationBean.setInitParameters(map);
        String url = "/*";
        filterRegistrationBean.addUrlPatterns(url);
        filterRegistrationBean.setName("casAuthenticationFilter");
        filterRegistrationBean.setOrder(2);
        return filterRegistrationBean;
    }

    /*
     * @Description: CAS ticket validation filter. serverName: the application root URL.
     * CAS HTTP request wrapper filter: after CAS authentication/validation succeeds, the user id is exposed
     * as the request's remoteUser.
     * @Param: []
     * @Return: org.springframework.boot.web.servlet.FilterRegistrationBean
     * @Throws:
     * @Author: wangwei
     * @Date: 2020/3/27 11:10
     */
    @Bean
    public FilterRegistrationBean casValidationFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        // init-parameter map for the filter
        Map<String, String> map = new HashMap<>(16);
        CustomCas30ProxyReceivingTicketValidationFilter casValidationFilter =
                new CustomCas30ProxyReceivingTicketValidationFilter();
        filterRegistrationBean.setFilter(casValidationFilter);
        map.put("casServerUrlPrefix", casConfiguration.getCasServerUrlPrefix());
        map.put("serverName", casConfiguration.getClientServerName());
        filterRegistrationBean.setInitParameters(map);
        String url = "/*";
        filterRegistrationBean.addUrlPatterns(url);
        filterRegistrationBean.setName("casValidationFilter");
        filterRegistrationBean.setOrder(3);
        return filterRegistrationBean;
    }

    @Bean
    public FilterRegistrationBean casHttpServletRequestFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        // wraps the request so getRemoteUser() / getUserPrincipal() return the CAS principal
        HttpServletRequestWrapperFilter casHttpServletRequestFilter = new HttpServletRequestWrapperFilter();
        filterRegistrationBean.setFilter(casHttpServletRequestFilter);
        String url = "/*";
        filterRegistrationBean.addUrlPatterns(url);
        filterRegistrationBean.setName("casHttpServletRequestFilter");
        filterRegistrationBean.setOrder(4);
        return filterRegistrationBean;
    }
}
(3) Retrieving the logged-in user's information after login and ticket validation succeed
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas10TicketValidationFilter;

public class CustomCas30ProxyReceivingTicketValidationFilter extends Cas10TicketValidationFilter {
    @Override
    protected void onSuccessfulValidation(HttpServletRequest request, HttpServletResponse response, Assertion assertion) {
        // principal name the CAS server returned for the validated ticket
        String dcpLoginInfo = assertion.getPrincipal().getName();
        // store it only in an existing session; do not create one here
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.setAttribute("systemUser", dcpLoginInfo);
        }
    }
}
(4) Configuration values
cas:
  casServerLoginUrl: https://127.0.0.1:8080/cas/Login?appResId=BI
  casServerLogoutUrl: https://127.0.0.1:8080/cas/logout?appResId=BI
  clientService: https://cas01.example.org/BI
  clientLoginSuccessUrl: https://cas01.example.org/BI/index.html
  whiteList: /swagger-resources/**,/swagger-ui.html,/v2/api-docs
  casServerUrlPrefix: https://127.0.0.1:8080/cas
  clientServerName: https://cas01.example.org
4. Notes
(1) Without extra configuration, the client must be accessed by domain name; if it is accessed by IP, ticket validation fails.
(2) If the client connects over plain HTTP, the CAS server must be configured accordingly (two files on the server side).
(3) Redirecting to a specific path after logout also requires configuration on the CAS server.
(4) The client may hit certificate validation errors; the certificate check can be ignored as follows.
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Ignore the HTTPS certificate.
 * Note: this disables certificate chain and host name verification for every
 * HttpsURLConnection in the JVM, not only for calls to the CAS server.
 */
private static void disableSslVerification() {
    try {
        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        }};
        // Install the all-trusting trust manager
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        // Create an all-trusting host name verifier
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (KeyManagementException e) {
        e.printStackTrace();
    }
}
Call it at application startup.
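As an added example (not code from the original post), the following replaces disableSslVerification with a trust store that contains only the CAS server's certificate, so the client still verifies the chain and host name of the server named in cas.casServerUrlPrefix; the class name, trust store path and password are assumptions, and the trust store is assumed to have been created with keytool -importcert from the server's certificate.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: pins trust to the CAS server's certificate instead of trusting every host.
public final class CasTrustStore {
    private CasTrustStore() {
    }

    // Builds an SSLContext whose only trusted issuers are the entries in the given PKCS12 trust store.
    public static SSLContext buildContext(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // TLS 1.2 rather than the legacy "SSL" protocol name used by the all-trusting snippet
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Installs the pinned context as the default for HttpsURLConnection, which the
    // cas-client ticket validator uses when it calls /cas/validate on the server.
    // The default hostname verifier is deliberately left in place.
    public static void installForCasClient(Path trustStorePath, char[] password) throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(buildContext(trustStorePath, password).getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        // Assumed location and password of the trust store holding the CAS server certificate
        Path trustStore = Paths.get("/etc/bi/cas-truststore.p12");
        char[] password = "changeit".toCharArray();
        installForCasClient(trustStore, password);
    }
}
```

The same effect without code is to start the client with -Djavax.net.ssl.trustStore=/etc/bi/cas-truststore.p12 and -Djavax.net.ssl.trustStorePassword=changeit (paths and password assumed), which keeps the host name check from note (1) intact.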
5. Accessing the client
Opening the login path redirects automatically to the CAS login page:
https://cas01.example.org/BI/index.html
Logout path:
https://127.0.0.1:8080/cas/logout?appResId=bjzdgc-BI&service=<URL to redirect to after logout>
6. Related resource files
(1) WAR package
https://download.csdn.net/download/weixin_40010498/12288839
(2) The core jar can be found in many places online; since the resource already exists it could not be uploaded again:
cas-client-core