配置 OAuth 提供商
<bean id="weibo" class="com.buession.oauth.provider.impl.WeiboProvider"> <property name="key" value="the_key_for_weibo" /> <property name="secret" value="the_secret_for_weibo" /> </bean> <bean id="qq" class="com.buession.oauth.provider.impl.QqProvider"> <property name="key" value="the_key_for_qq" /> <property name="secret" value="the_secret_for_qq" /> </bean> ... ...
提供商 OAuth 2.0 版本需继承类 org.scribe.up.provider.BaseOAuth20Provider
提供商 OAuth 1.0 版本需继承类 org.scribe.up.provider.BaseOAuth20Provider
所有的 OAuth Provider 必须定义在 WEB-INF/spring-configuration/applicationContext.xml 中
OAuthConfiguration 配置(在 WEB-INF/spring-configuration/applicationContext.xml 添加)
<bean id="oAuthConfiguration" class="org.jasig.cas.support.oauth.OAuthConfiguration"> <property name="loginUrl" value="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" /> <property name="providers"> <list> <ref bean="weibo" /> <ref bean="qq" /> ... ... </list> </property> </bean>
在 WEB-INF/cas-servlet.xml 添加:
<bean id="oAuthAction" class="com.buession.cas.web.flow.OAuthAction" p:configuration-ref="oAuthConfiguration" p:centralAuthenticationService-ref="centralAuthenticationService" />
com.buession.cas.web.flow.OAuthAction 与 org.jasig.cas.support.oauth.web.flow.OAuthAction 的唯一区别就是:前者把 org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials 注册到了 spring FlowScope 中,以便后续方便使用。
final Credentials credentials = new OAuthCredentials(credential); flowScope.put(Constants.OAUTH_CREDENTIALS, credentials);
在 WEB-INF/login-webflow.xml 中添加:
<action-state id="oAuthAction"> <evaluate expression="oAuthAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
作用是 OAuth 身份验证后进行拦截来自供应商的 OAuth 回调
同时,此时会向页面注册“请求用户授权Token URL”的变量:驱动提供商 type+"Url",即:$provider.getType()+"Url",默认即为 Provider 的类名+"Url",如:WeiboProviderUrl,这样在模板中即可通过:${WeiboProviderUrl} 形式的来生成“请求用户授权Token URL”的链接地址。
<a href="${QqProviderUrl}">QQ 登录</a> <a href="${WeiboProviderUrl}">新浪微博登录</a>
在大部分情况下,我们都需要把通过 OAuth 拿到的用户信息,如ID、昵称、头像、key 等存储一份到本地数据库,以方便使用。
这是需要修改:
<action-state id="oAuthAction"> <evaluate expression="oAuthAction" /> <transition on="success" to="oAuthBindCheckAction" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
在 WEB-INF/cas-servlet.xml 添加:
<!-- 验证 OAuth 用户是否已绑定 Action --> <bean id="oAuthBindCheckAction" class="com.sso.web.flow.OAuthBindCheckAction" p:configuration-ref="oAuthConfiguration" p:jdbcTemplate-ref="slaveJdbcTemplate" p:sql="SELECT count(0) FROM `members_bind` WHERE `type` = ? AND `key` = ? LIMIT 1" /> <!-- OAuth 用户绑定 Action --> <bean id="oAuthBindAction" class="com.sso.web.flow.OAuthBindAction" p:configuration-ref="oAuthConfiguration" p:jdbcTemplate-ref="masterJdbcTemplate" p:transactionManager-ref="masterTransactionManager" p:passwordEncoder-ref="passwordEncoder" />
在 WEB-INF/login-webflow.xml 中添加:
<action-state id="oAuthBindCheckAction"> <evaluate expression="oAuthBindCheckAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="oAuthBindAction" /> </action-state> <action-state id="oAuthBindAction"> <evaluate expression="oAuthBindAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="ticketGrantingTicketExistsCheck" /> </action-state>
OAuthBindCheckAction.java(验证 OAuth 用户是否绑定 Action)
public class OAuthBindCheckAction extends com.buession.cas.web.flow.OAuthBindJdbcCheckAction { @Override protected boolean valid(final OAuthProvider provider, final OAuthCredentials credentials) { if (credentials == null) { return false; } BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile(); if (profile == null) { return false; } String providerName = provider.getType().replace("Provider", "").toLowerCase(); try { return jdbcTemplate.queryForObject(sql, Integer.class, providerName, profile.getId()) > 0; } catch (final IncorrectResultSizeDataAccessException e) { } return false; } }
OAuthBindAction.java(OAuth 用户绑定 Action)
public class OAuthBindAction extends com.buession.cas.web.flow.OAuthBindAction { @NotNull private DataSourceTransactionManager transactionManager; @NotNull private PasswordEncoder passwordEncoder; public DataSourceTransactionManager getTransactionManager() { return transactionManager; } public void setTransactionManager(DataSourceTransactionManager transactionManager) { this.transactionManager = transactionManager; } public PasswordEncoder getPasswordEncoder() { return passwordEncoder; } public void setPasswordEncoder(PasswordEncoder passwordEncoder) { this.passwordEncoder = passwordEncoder; } @Override protected boolean bind(final HttpServletRequest request, final OAuthProvider provider, final OAuthCredentials credentials) { if (credentials == null) { return false; } BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile(); if (profile == null) { return false; } TransactionTemplate transactionTemplate = new TransactionTemplate(getTransactionManager()); return transactionTemplate.execute(new TransactionCallback<Boolean>() { @Override public Boolean doInTransaction(TransactionStatus status) { BaseOAuthProfile profile = (BaseOAuthProfile) credentials.getUserProfile(); if (profile == null) { return false; } ... ... return false; } }); } }
在 WEB-INF/deployerConfigContext.xml 中添加
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="authenticationMetaDataPopulators"> <list> <!-- 如果想从 OAuth 获取用户信息,则需添加 --> <bean class="com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator" /> <!-- 或者 --> <bean class="org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator" /> </list> </property> <property name="credentialsToPrincipalResolvers"> <list> <!-- --> <bean class="org.jasig.cas.support.oauth.authentication.principal.OAuthCredentialsToPrincipalResolver" p:attributeRepository-ref="oAuthAttributeRepositoryDao" /> </list> </property> <property name="authenticationHandlers"> <list> <!-- 使其 CAS 支持 OAuth 认证 --> <bean class="org.jasig.cas.support.oauth.authentication.handler.support.OAuthAuthenticationHandler" p:configuration-ref="oAuthConfiguration" /> </list> </property> </bean> <!-- OAuth 登录成功后,查询本地用户数据 --> <bean id="oAuthAttributeRepositoryDao" class="com.sso.persondir.OAuthSingleRowJdbcPersonAttributeDao"> <property name="jdbcTemplate" ref="slaveJdbcTemplate" /> <property name="queryTemplate" value="SELECT `m`.* FROM `members` AS `m`, `members_bind` AS `mb` WHERE `m`.`id` = `mb`.`members_id` AND `mb`.`type` = ? AND `mb`.`app_userid` = ? LIMIT 1" /> <property name="resultAttributeMapping"> <map> <entry key="uid" value="id" /> <entry key="username" value="username" /> <entry key="email" value="email" /> ... ... </map> </property> </bean>
com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator 与 org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator 的区别:前者能够将 OAuth 获取到的用户信息与本地查询到的用户信息合并,得到更加丰富完善的用户信息;否则就只能返回 OAuth 获取到的用户信息。
OAuthSingleRowJdbcPersonAttributeDao.java()
public class OAuthSingleRowJdbcPersonAttributeDao extends com.buession.cas.service.persondir.support.jdbc.OAuthSingleRowJdbcPersonAttributeDao { @Override protected List<Map<String, Object>> query(ProviderId providerId) { final ParameterizedRowMapper<Map<String, Object>> rowMapper = getRowMapper(); List<Map<String, Object>> results = null; if (providerId != null) { results = jdbcTemplate.query(queryTemplate, rowMapper, providerId.getProviderName(), providerId.getId()); } else { results = jdbcTemplate.query(queryTemplate, rowMapper); } return results; } /** * @param uid * @return ProviderId */ @Override protected ProviderId convertAttributesMap(String uid) { String[] temp = uid.split("#"); return temp.length >= 2 ? new ProviderId(temp[0].replace("Profile", "").toLowerCase(), temp[1]) : null; } }
使用 org.jasig.cas.support.oauth.authentication.OAuthAuthenticationMetaDataPopulator,所得结果,如图:
使用 com.buession.cas.oauth.authentication.OAuthAuthenticationMetaDataPopulator,所得结果,如图: