Using Acegi as the Yale CAS client in the SpringSide project


First, configure SpringSide's web.xml; we use the Acegi CAS filter:

```xml
<filter-mapping>
    <filter-name>hibernateFilter</filter-name>
    <url-pattern>/j_acegi_cas_security_check</url-pattern>
</filter-mapping>
```

Next we set up the main Acegi application context:
1) filterChainProxy should add a CAS filter, as in Acegi's sample, but here we reuse
authenticationProcessingFilter, which acts as the CAS client filter.

```xml
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,authenticationProcessingFilter,rememberMeProcessingFilter,logoutFilter,channelProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
        </value>
    </property>
</bean>
```


2) authenticationProcessingFilter of course plays the most important role in this
applicationContext_acegi.xml.
In SpringSide, /admin is the protected resource, so defaultTargetUrl points to it,
and every request to the target URL must be authenticated by authenticationManager.

```xml
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl">
        <value>/security/login.jsp?login_error=1</value>
    </property>
    <property name="defaultTargetUrl">
        <value>/admin/</value>
    </property>
    <property name="filterProcessesUrl">
        <value>/j_acegi_cas_security_check</value>
    </property>
    <property name="rememberMeServices" ref="rememberMeServices"/>
    <property name="exceptionMappings">
        <value>
            org.acegisecurity.userdetails.UsernameNotFoundException=/security/login.jsp?login_error=user_not_found_error
            org.acegisecurity.BadCredentialsException=/security/login.jsp?login_error=user_psw_error
            org.acegisecurity.concurrent.ConcurrentLoginException=/security/login.jsp?login_error=too_many_user_error
        </value>
    </property>
</bean>
```



3) Then we set up all the beans the CAS filter needs:

```xml
<!-- ========= Configuration of Acegi as a CAS client ========= -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <ref local="casProcessingFilterEntryPoint"/>
    </property>
</bean>

<!-- cas config -->
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl"><value>https://sourcesite:8443/cas/login</value></property>
    <property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="casAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
    <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
    <property name="casProxyDecider"><ref local="casProxyDecider"/></property>
    <property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
    <property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
    <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>

<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
    <property name="casValidate"><value>https://sourcesite:8443/cas/proxyValidate</value></property>
    <property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>

<!--
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.AcceptAnyCasProxy"/>
-->
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
    <property name="service">
        <value>http://gzug:8080/springside/j_acegi_cas_security_check</value>
    </property>
    <property name="sendRenew">
        <value>false</value>
    </property>
</bean>

<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
    <property name="cache">
        <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager">
                <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
            </property>
            <property name="cacheName" value="userCache"/>
        </bean>
    </property>
</bean>

<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
    <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
</bean>

<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
    <property name="authenticationManager"><ref local="authenticationManager"/></property>
    <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
    <property name="defaultTargetUrl"><value>/</value></property>
    <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>
```


casProcessingFilterEntryPoint is very critical:
loginUrl is the CAS server's /login URL. You should set up your CAS server (2.0 or 3.0), configure
the JKS keystore after enabling SSL in Tomcat (Tomcat 5.5/conf/server.xml), and place a cacerts that
contains the CAS server's public certificate in the Acegi client's JDK/jre/lib/security/.
Check serviceProperties to make sure the SpringSide service URL is configured as /j_acegi_cas_security_check.

Because Yale CAS uses a ticket cache for its SSO implementation, we should configure statelessTicketCache.
Just use the Spring Framework's ehcache support for cacheManager.

SpringSide uses jdbcDaoImpl, which performs database authentication, so I am very happy to use it
as casAuthoritiesPopulator, which sets the user details for the user. This information is very useful for
application authorization.
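To make concrete what casProxyTicketValidator and the RejectProxyTickets casProxyDecider above do with the CAS server's answer, here is an added example (not SpringSide's or Acegi's own code) that builds the /proxyValidate request and parses constructed CAS 2.0 serviceResponse replies; the user name, proxy callback URL and ticket value are made-up sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_VALIDATE = "https://sourcesite:8443/cas/proxyValidate"  # casValidate in the config above
SERVICE_URL = "http://gzug:8080/springside/j_acegi_cas_security_check"  # serviceProperties.service
# Constructed CAS 2.0 replies to /proxyValidate (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
PROXIED_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user>
    <cas:proxies><cas:proxy>https://portal.example/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(ticket, cas_validate=CAS_VALIDATE, service=SERVICE_URL):
    """The GET the validator sends; service must be the exact URL the ticket was issued for."""
    return cas_validate + "?" + urlencode({"ticket": ticket, "service": service})


def validate_response(xml_text, allow_proxies=False):
    """Parse the server's reply and return (user, proxy_chain). With allow_proxies=False
    this behaves like RejectProxyTickets: any ticket that passed through a proxy is refused."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS rejected ticket: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        raise ValueError("CAS success response without a user")
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    if proxies and not allow_proxies:
        raise ValueError("proxy ticket refused: proxy chain %s" % proxies)
    return user, proxies


def is_accepted(xml_text, allow_proxies=False):
    """True when the reply yields an authenticated user under the chosen proxy policy."""
    try:
        validate_response(xml_text, allow_proxies)
        return True
    except ValueError:
        return False
```

Swapping the decider to AcceptAnyCasProxy (the commented-out bean above) corresponds to allow_proxies=True: the same proxied reply is then accepted.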

```xml
<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource"/>
    <property name="usersByUsernameQuery">
        <value>
            select loginid, passwd, 1 from ss_users where status='1' and loginid=?
        </value>
    </property>
    <property name="authoritiesByUsernameQuery">
        <value>
            select u.loginid, p.name from ss_users u, ss_roles r, ss_permissions p,
            ss_user_role ur, ss_role_permis rp where u.id=ur.user_id and
            r.id=ur.role_id and p.id=rp.permis_id and
            r.id=rp.role_id and p.status='1' and u.loginid=?
        </value>
    </property>
</bean>
```


There is little difference between casclient 2.0.12 and Acegi, right?

Note that in my environment, gzug:8080/springside is the bookstore webapp
and sourcesite:8443 is the CAS 3 server.

Suggestions are welcome.


