spring boot + spring security + cas实现单点登录

casLogin.png

1.cas server 搭建

请参考CAS 5.3.x 初体验 — 官方Demo Server部署

2.cas server 支持http协议

到 cas-overlay-template目录下,将target目录下的cas.war放到tomcat webapps下启动
打开解压后的cas
到/WEB-INF/classes/services里找到HTTPSandIMAPS-10000001.json
编辑HTTPSandIMAPS-10000001.json,在serviceId的正则中加入http协议(这样CAS才会接受本文demo的http回调地址;正式环境应只保留https)

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}

到/WEB-INF/classes里找到application.properties
编辑application.properties,在末尾加入以下两行配置(cas.tgc.secure=false 允许在非https下发送TGC cookie,同样仅适用于本地调试)

cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true

重启tomcat
浏览器访问 http://localhost:8080/cas/login,可以正常访问即可

3.spring boot + spring security + cas整合

1. 创建项目

  1. 使用idea创建项目
    file -> new -> Project -> Spring Initializr -> next
    依赖Spring Web 和 Spring Security
    点击 next ,finish
  2. 引入cas client 依赖
    pom.xml 加入cas的依赖

      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas</artifactId>
      </dependency>

  1. 添加一个controller IndexController.java
package com.cas.demo;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Minimal endpoint used to confirm that CAS login succeeded: a fixed text body at the site root. */
@RestController
public class IndexController {

  /** Response body shown once the request has passed the CAS login. */
  private static final String BODY = "cas test";

  /**
   * Serves the site root.
   *
   * @return the literal text {@code cas test}
   */
  @RequestMapping("/")
  public String index() {
    return BODY;
  }

}
  1. application.properties配置端口为16001
server.port=16001
  1. 运行demo
    查看控制台日志,copy随机生成的密码
    Using generated security password:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
    浏览器访问http://localhost:16001/
    会跳到登录界面
    使用用户名:user 密码:9e58649d-a5dd-42d9-abbf-e285d3a3b7a3
    进行登录,会看到浏览器输出cas test
  2. 对接cas
  • 新建SecurityConfiguration.java 继承WebSecurityConfigurerAdapter
    代码如下
package com.cas.demo;

import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

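/**
 * Wires Spring Security to an external CAS server: unauthenticated requests are redirected
 * to the CAS login page, the service ticket CAS sends back to {@code /login/cas} is validated
 * against the CAS server, and the asserted username is resolved to a local
 * {@code UserDetails} through the bean named {@code userDetailsService}.
 *
 * <p>The CAS server prefix and this application's own service URL are read from the
 * {@code cas.server-url-prefix} and {@code cas.service-url} properties; the defaults are the
 * local URLs used in this walkthrough, so an application without those properties behaves
 * exactly as before.
 */
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  /** Base URL of the CAS server, without trailing slash; login, logout and validation URLs derive from it. */
  @Value("${cas.server-url-prefix:http://localhost:8080/cas}")
  private String casServerUrlPrefix;

  /** URL CAS redirects back to with the ticket; it must be allowed by the CAS service registry. */
  @Value("${cas.service-url:http://localhost:16001/login/cas}")
  private String serviceUrl;

  @Autowired
  @Qualifier("userDetailsService")
  private UserDetailsService userDetailsService;

  /**
   * Describes this application to CAS: the URL the service ticket is returned to.
   * {@code sendRenew=false} lets CAS reuse an existing single sign-on session instead of
   * forcing the user to re-enter credentials.
   */
  @Bean
  public ServiceProperties serviceProperties() {
    ServiceProperties properties = new ServiceProperties();
    properties.setService(serviceUrl);
    properties.setSendRenew(false);
    return properties;
  }

  /** Sends unauthenticated requests to the CAS login page, carrying the service URL. */
  @Bean
  public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
    CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
    entryPoint.setLoginUrl(casServerUrlPrefix + "/login");
    entryPoint.setServiceProperties(serviceProperties());
    return entryPoint;
  }

  /**
   * Adapts the local {@code UserDetailsService} so the CAS provider can load roles by the
   * username asserted in the validated ticket.
   */
  @Bean
  public UserDetailsByNameServiceWrapper<CasAssertionAuthenticationToken> userDetailsByNameServiceWrapper() {
    UserDetailsByNameServiceWrapper<CasAssertionAuthenticationToken> wrapper =
        new UserDetailsByNameServiceWrapper<>();
    wrapper.setUserDetailsService(userDetailsService);
    return wrapper;
  }

  /**
   * Validates service tickets by calling back to the CAS server (CAS protocol 2.0). This is
   * a server-to-server call, so outside this local setup the prefix should be an https URL.
   */
  @Bean
  public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
    return new Cas20ServiceTicketValidator(casServerUrlPrefix);
  }

  /**
   * Authenticates the token produced by {@code CasAuthenticationFilter}: validates the
   * ticket, then loads authorities through {@link #userDetailsByNameServiceWrapper()}.
   * The key only tags tokens as produced by this provider and must be unique per provider;
   * it is not a credential.
   */
  @Bean
  public CasAuthenticationProvider casAuthenticationProvider() {
    CasAuthenticationProvider provider = new CasAuthenticationProvider();
    provider.setAuthenticationUserDetailsService(userDetailsByNameServiceWrapper());
    provider.setServiceProperties(serviceProperties());
    provider.setTicketValidator(cas20ServiceTicketValidator());
    provider.setKey("an_id_for_this_auth_provider_only");
    return provider;
  }

  /**
   * Handles the CAS callback on {@code /login/cas} (the filter's default URL, which must
   * match the path in {@code cas.service-url}) and passes the ticket to the
   * authentication manager.
   *
   * @throws Exception if the authentication manager cannot be built
   */
  @Bean
  public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
    CasAuthenticationFilter filter = new CasAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager());
    return filter;
  }

  /**
   * Local logout on {@code /logout/cas}: clears the security context, then redirects to
   * CAS logout so the single sign-on session ends as well; CAS then sends the browser back
   * to its login page. {@code setFilterProcessesUrl} matches any HTTP method, including
   * GET; to restrict logout to POST (the default for the standard logout DSL when CSRF
   * protection is on), use
   * {@code setLogoutRequestMatcher(new AntPathRequestMatcher("/logout/cas", "POST"))}.
   */
  @Bean
  public LogoutFilter casLogoutFilter() {
    String casLogoutUrl = casServerUrlPrefix + "/logout?service=" + casServerUrlPrefix + "/login";
    LogoutFilter filter = new LogoutFilter(casLogoutUrl, new SecurityContextLogoutHandler());
    // Must stay in step with the logout link used by the application; any other path is fine.
    filter.setFilterProcessesUrl("/logout/cas");
    return filter;
  }

  /**
   * Handles CAS single logout, i.e. logout requests the CAS server sends when the SSO
   * session ends elsewhere. Configured here as a bean, so reading settings from servlet
   * init parameters is switched off.
   */
  @Bean
  public SingleSignOutFilter singleSignOutFilter() {
    SingleSignOutFilter filter = new SingleSignOutFilter();
    filter.setIgnoreInitConfiguration(true);
    return filter;
  }

  /**
   * Paths that bypass the security filter chain entirely: no authentication, no CSRF check
   * and no security headers apply to them. Keep this to genuinely public static content;
   * note that {@code /test/**} is reachable without logging in.
   */
  @Override
  public void configure(WebSecurity web) {
    web.ignoring()
        .antMatchers(HttpMethod.OPTIONS, "/**")
        .antMatchers("/app/**/*.{js,html}")
        .antMatchers("/i18n/**")
        .antMatchers("/content/**")
        .antMatchers("/swagger-ui/index.html")
        .antMatchers("/test/**");
  }

  /**
   * Registers the CAS provider on the local authentication manager builder. The
   * {@code WebSecurityConfigurerAdapter} default implementation of this method marks the
   * local builder as unused, so it is deliberately not called here; otherwise the provider
   * registered on {@code auth} would be discarded in favour of the global configuration.
   */
  @Override
  protected void configure(AuthenticationManagerBuilder auth) {
    auth.authenticationProvider(casAuthenticationProvider());
  }

  /**
   * Every request requires {@code ROLE_USER}; unauthenticated ones are sent to CAS via the
   * entry point. CSRF protection is left at its default (enabled). Filter order: single
   * logout handling ahead of the CAS callback filter, and the CAS logout filter ahead of
   * the standard {@code LogoutFilter} slot.
   *
   * @throws Exception if any of the filter beans cannot be created
   */
  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/**").hasAuthority("ROLE_USER")
        .and().exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
        .and()
        .addFilterAt(casAuthenticationFilter(), CasAuthenticationFilter.class)
        .addFilterBefore(casLogoutFilter(), LogoutFilter.class)
        .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
  }
}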

  • 添加DomainUserDetailsService.java,实现 UserDetailsService 接口的 loadUserByUsername 方法
    代码如下
package com.cas.demo;

import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

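/**
 * Resolves the username asserted by CAS to a local {@link UserDetails}.
 *
 * <p>Every user CAS vouches for receives {@code ROLE_USER}; this walkthrough has no local
 * user store. The password is left empty on purpose: the credential check already happened
 * at the CAS server, and this object only supplies the principal name and roles. Exposed
 * under the bean name {@code userDetailsService}, which the security configuration looks up.
 */
@Component("userDetailsService")
public class DomainUserDetailsService implements UserDetailsService {

  private static final Logger log = LoggerFactory.getLogger(DomainUserDetailsService.class);

  /**
   * Builds the {@code UserDetails} for an authenticated CAS principal.
   *
   * @param username the principal name taken from the validated CAS ticket
   * @return a {@link User} with an empty password and the single authority {@code ROLE_USER}
   * @throws UsernameNotFoundException never, since no lookup is performed; declared by the interface
   * @throws IllegalArgumentException if {@code username} is null or empty (enforced by {@link User})
   */
  @Override
  public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    log.info("经过认证类:{}", username);

    List<GrantedAuthority> authorities = new ArrayList<>();
    authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

    return new User(username, "", authorities);
  }
}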

  1. 重启demo,并确保tomcat中的cas已在运行
    浏览器访问http://localhost:16001/
    会跳转到cas登录界面,用 用户名:casuser 密码:Mellon登录
    登录后,会跳转回demo应用,界面显示cas test 则对接成功
