CAS 实现站内单点登录及实现第三方 OAuth、OpenId 登录(四)
一、OAuth 配置
配置 OAuth 提供商
<bean id="weibo" class="com.buession.oauth.provider.impl.WeiboProvider"> <property name="key" value="the_key_for_weibo" /> <property name="secret" value="the_secret_for_weibo" /> </bean> <bean id="qq" class="com.buession.oauth.provider.impl.QqProvider"> <property name="key" value="the_key_for_qq" /> <property name="secret" value="the_secret_for_qq" /> </bean> ... ...
提供商 OAuth 2.0 版本需继承类 org.scribe.up.provider.BaseOAuth20Provider
提供商 OAuth 1.0 版本需继承类 org.scribe.up.provider.BaseOAuth20Provider
所有的 OAuth Provider 必须定义在 WEB-INF/spring-configuration/applicationContext.xml 中OAuthConfiguration 配置(在 WEB-INF/spring-configuration/applicationContext.xml 添加)
<bean id="oAuthConfiguration" class="org.jasig.cas.support.oauth.OAuthConfiguration">
<property name="loginUrl" value="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" />
<property name="providers">
<list>
<ref bean="weibo" />
<ref bean="qq" />
... ...
</list>
</property>
</bean>
二、OAuth Action 配置
在 WEB-INF/cas-servlet.xml 添加:
<bean id="oAuthAction" class="com.buession.cas.web.flow.OAuthAction" p:configuration-ref="oAuthConfiguration" p:centralAuthenticationService-ref="centralAuthenticationService" />
com.buession.cas.web.flow.OAuthAction 与 org.jasig.cas.support.oauth.web.flow.OAuthAction 的唯一区别就是:前者把 org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials 注册到了 spring FlowScope 中,以便后续方便使用。
final Credentials credentials = new OAuthCredentials(credential); flowScope.put(Constants.OAUTH_CREDENTIALS, credentials);
在 WEB-INF/login-webflow.xml 中添加:
<action-state id="oAuthAction"> <evaluate expression="oAuthAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
作用是 OAuth 身份验证后进行拦截来自供应商的 OAuth 回调
同时,此时会向页面注册“请求用户授权Token URL”的变量:驱动提供商 type+"Url",即:$provider.getType()+"Url",默认即为 Provider 的类名+"Url",如:WeiboProviderUrl,这样在模板中即可通过:${WeiboProviderUrl} 形式的来生成“请求用户授权Token URL”的链接地址。
<a href="${QqProviderUrl}">QQ 登录</a>
<a href="${WeiboProviderUrl}">新浪微博登录</a>
三、OAuth 用户站内绑定
在大部分情况下,我们都需要把通过 OAuth 拿到的用户信息,如ID、昵称、头像、key 等存储一份到本地数据库,以方便使用。
这是需要修改:
<action-state id="oAuthAction"> <evaluate expression="oAuthAction" /> <transition on="success" to="oAuthBindCheckAction" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
在 WEB-INF/cas-servlet.xml 添加:
<!-- 验证 OAuth 用户是否已绑定 Action --> <bean id="oAuthBindCheckAction" class="com.sso.web.flow.OAuthBindCheckAction" p:configuration-ref="oAuthConfiguration" p:jdbcTemplate-ref="slaveJdbcTemplate" p:sql="SELECT count(0) FROM `members_bind` WHERE `type` = ? AND `key` = ? LIMIT 1" /> <!-- OAuth 用户绑定 Action --> <bean id="oAuthBindAction" class="com.sso.web.flow.OAuthBindAction" p:configuration-ref="oAuthConfiguration" p:jdbcTemplate-ref="masterJdbcTemplate" p:transactionManager-ref="masterTransactionManager" p:passwordEncoder-ref="passwordEncoder" />
在 WEB-INF/login-webflow.xml 中添加:
<action-state id="oAuthBindCheckAction"> <evaluate expression="oAuthBindCheckAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="oAuthBindAction" /> </action-state> <action-state id="oAuthBindAction"> <evaluate expression="oAuthBindAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
OAuthBindCheckAction.java(验证 OAuth 用户是否绑定 Action)
public class OAuthBindCheckAction extends com.buession.cas.web.flow.OAuthBindJdbcCheckAction {
@Override
protected boolean valid(final OAuthProvider provider, final OAuthCredentials credentials) {
if (credentials == null) {
return false;
}
BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile();
if (profile == null) {
return false;
}
String providerName = provider.getType().replace("Provider", "").toLowerCase();
try {
return jdbcTemplate.queryForObject(sql, Integer.class, providerName,
profile.getId()) > 0;
} catch (final IncorrectResultSizeDataAccessException e) {
}
return false;
}
}
OAuthBindAction.java(OAuth 用户绑定 Action)
public class OAuthBindAction extends com.buession.cas.web.flow.OAuthBindAction {
@NotNull
private DataSourceTransactionManager transactionManager;
@NotNull
private PasswordEncoder passwordEncoder;
public DataSourceTransactionManager getTransactionManager() {
return transactionManager;
}
public void setTransactionManager(DataSourceTransactionManager transactionManager) {
this.transactionManager = transactionManager;
}
public PasswordEncoder getPasswordEncoder() {
return passwordEncoder;
}
public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
this.passwordEncoder = passwordEncoder;
}
@Override
protected boolean bind(final HttpServletRequest request, final OAuthProvider provider,
final OAuthCredentials credentials) {
if (credentials == null) {
return false;
}
BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile();
if (profile == null) {
return false;
}
TransactionTemplate transactionTemplate = new TransactionTemplate(getTransactionManager());
return transactionTemplate.execute(new TransactionCallback<Boolean>() {
@Override
public Boolean doInTransaction(TransactionStatus status) {
BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile();
if (profile == null) {
return false;
}
... ...
return false;
}
});
}
}
在 WEB-INF/deployerConfigContext.xml 中添加
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="authenticationMetaDataPopulators"> <list> <!-- 如果想从 OAuth 获取用户信息,则需添加 --> <bean class="com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator" /> <!-- 或者 --> <bean class="org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator" /> </list> </property> <property name="credentialsToPrincipalResolvers"> <list> <!-- --> <bean class="org.jasig.cas.support.oauth.authentication.principal.OAuthCredentialsToPrincipalResolver" p:attributeRepository-ref="oAuthAttributeRepositoryDao" /> </list> </property> <property name="authenticationHandlers"> <list> <!-- 使其 CAS 支持 OAuth 认证 --> <bean class="org.jasig.cas.support.oauth.authentication.handler.support.OAuthAuthenticationHandler" p:configuration-ref="oAuthConfiguration" /> </list> </property> </bean> <!-- OAuth 登录成功后,查询本地用户数据 --> <bean id="oAuthAttributeRepositoryDao" class="com.sso.persondir.OAuthSingleRowJdbcPersonAttributeDao"> <property name="jdbcTemplate" ref="slaveJdbcTemplate" /> <property name="queryTemplate" value="SELECT `m`.* FROM `members` AS `m`, `members_bind` AS `mb` WHERE `m`.`id` = `mb`.`members_id` AND `mb`.`type` = ? AND `mb`.`app_userid` = ? LIMIT 1" /> <property name="resultAttributeMapping"> <map> <entry key="uid" value="id" /> <entry key="username" value="username" /> <entry key="email" value="email" /> ... ... </map> </property> </bean>
com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator 与 org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator 的区别:前者能够将 OAuth 获取到的用户信息与本地查询到的用户信息合并,得到更加丰富完善的用户信息;否则就只能返回 OAuth 获取到的用户信息。
OAuthSingleRowJdbcPersonAttributeDao.java()
public class OAuthSingleRowJdbcPersonAttributeDao extends com.buession.cas.service.persondir.support.jdbc.OAuthSingleRowJdbcPersonAttributeDao {
@Override
protected List<Map<String, Object>> query(ProviderId providerId) {
final ParameterizedRowMapper<Map<String, Object>> rowMapper = getRowMapper();
List<Map<String, Object>> results = null;
if (providerId != null) {
results = jdbcTemplate.query(queryTemplate, rowMapper, providerId.getProviderName(),
providerId.getId());
} else {
results = jdbcTemplate.query(queryTemplate, rowMapper);
}
return results;
}
/**
* @param uid
* @return ProviderId
*/
@Override
protected ProviderId convertAttributesMap(String uid) {
String[] temp = uid.split("#");
return temp.length >= 2 ? new ProviderId(temp[0].replace("Profile", "").toLowerCase(), temp[1]) : null;
}
}
使用 org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator,所得结果,如图:
使用 com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator,所得结果,如图:
