1. Import the cas-server-support-oauth sub-project into the CAS project.
If the module is commented out in pom.xml, uncomment it: <module>cas-server-support-oauth</module>
2. Add the following dependency to the pom.xml of the cas-server-webapp project:
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-oauth</artifactId>
    <version>${project.version}</version>
</dependency>
3. The web.xml of the cas-server-webapp project contains:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/v1/*</url-pattern>
</servlet-mapping>
If this mapping is commented out, uncomment it.
4. Edit the cas-servlet.xml file of cas-server-webapp and add an oauth20WrapperController bean:
<bean id="oauth20WrapperController" class="org.jasig.cas.support.oauth.web.OAuth20WrapperController"
      p:loginUrl="http://www.ittenyear.com/cas/login"
      p:servicesManager-ref="servicesManager"
      p:ticketRegistry-ref="ticketRegistry"
      p:timeout="7200" />
In the handlerMappingC bean, add the `/oauth/*` mapping (the line highlighted in red in the original post) so that OAuth requests are routed to oauth20WrapperController:
<bean id="handlerMappingC"
      class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"
      p:alwaysUseFullPath="true">
    <property name="mappings">
        <util:properties>
            <prop key="/serviceValidate">serviceValidateController</prop>
            <prop key="/proxyValidate">proxyValidateController</prop>
            <!--
            <prop key="/samlValidate">samlValidateController</prop>
            -->
            <prop key="/p3/serviceValidate">v3ServiceValidateController</prop>
            <prop key="/p3/proxyValidate">v3ProxyValidateController</prop>
            <prop key="/validate">legacyValidateController</prop>
            <prop key="/proxy">proxyController</prop>
            <prop key="/authorizationFailure.html">passThroughController</prop>
            <prop key="/oauth/*">oauth20WrapperController</prop>
        </util:properties>
    </property>
</bean>
5. Add a service to the deployerConfigContext.xml file.
One service is needed to make the OAuth wrapper work in CAS. It defines the callback URL that CAS returns to after authentication, registering the OAuth wrapper itself as a CAS service:
<bean class="org.jasig.cas.support.oauth.services.OAuthCallbackAuthorizeService"
      p:id="2"
      p:name="HTTP"
      p:description="oauth wrapper callback url"
      p:serviceId="${server.prefix}/oauth/callbackAuthorize" />
6. In deployerConfigContext.xml, add one service for each OAuth client.
Every OAuth client must be defined as a CAS service (notice the new clientId and clientSecret properties, which are specific to OAuth; serviceId is the redirect_uri the client is allowed to use):
<bean class="org.jasig.cas.support.oauth.services.OAuthRegisteredService"
      p:id="3"
      p:name="serviceName"
      p:description="Service Description"
      p:serviceId="http://bbs.ittenyear.com"
      p:bypassApprovalPrompt="false"
      p:clientId="key"
      p:clientSecret="secret" />
The original documentation is here: http://jasig.github.io/cas/4.1.x/installation/OAuth-OpenId-Authentication.html
7. Testing
Open the authorize endpoint in the browser:
http://www.ittenyear.com/cas/oauth/authorize?client_id=key&redirect_uri=http://bbs.ittenyear.com&response_type=code
After login, CAS redirects back to the client with the code (an ST, service ticket):
http://bbs.ittenyear.com/?code=ST-1-Ftbt6i5Odk7GaKQTp3yn-cas01.example.org
Exchange the code for a token (the client_secret is sent here, so this request is made server-to-server, not from the browser):
http://www.ittenyear.com/cas/oauth/accessToken?client_id=key&client_secret=secret&grant_type=authorization_code&redirect_uri=http://bbs.ittenyear.com&code=
The response carries the access_token:
TGT-2-3fkIcMgFnN15VQ6VsAkcLigDdq0KqdEzev0kJN5WnoEPYSJ7ze-cas01.example.org
Access a resource (the user profile) with the token:
http://www.ittenyear.com/cas/oauth/profile?access_token=TGT-2-3fkIcMgFnN15VQ6VsAkcLigDdq0KqdEzev0kJN5WnoEPYSJ7ze-cas01.example.org
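The three requests of step 7, written as the client side of the flow. This is an added example, not code from the post or from CAS: the endpoint paths and client values come from the configuration above, while the `state` parameter, the `access_token=...&expires=...` response format and the helper names are assumptions.

```python
# Added example: a minimal client for the CAS 4.1 OAuth wrapper configured above.
# Assumptions: the server echoes a 'state' parameter back on the callback, and
# the accessToken endpoint answers 'access_token=...&expires=...'.
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

CAS_BASE = "http://www.ittenyear.com/cas"    # server.prefix used in the post
CLIENT_ID, CLIENT_SECRET = "key", "secret"   # OAuthRegisteredService from step 6
REDIRECT_URI = "http://bbs.ittenyear.com"    # must equal the registered serviceId

def new_state():
    """Unguessable per-login value, kept in the user's session on the client."""
    return secrets.token_urlsafe(16)

def build_authorize_url(state):
    """Browser redirect to /oauth/authorize; no secret is included here."""
    q = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "response_type": "code", "state": state}
    return f"{CAS_BASE}/oauth/authorize?{urlencode(q)}"

def parse_callback(callback_url, expected_state):
    """Extract the code (an ST) from the redirect back to REDIRECT_URI.
    Rejects callbacks to any other origin and any mismatched state, so a
    code cannot be injected into a session that did not start the login."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    q = parse_qs(parts.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no code in callback")
    return code

def build_token_request(code):
    """Server-to-server call to /oauth/accessToken: the only request that
    carries client_secret, so it is never assembled in the browser."""
    q = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
         "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
         "code": code}
    return f"{CAS_BASE}/oauth/accessToken?{urlencode(q)}"

def parse_token_response(body):
    """Parse the assumed 'access_token=...&expires=...' body. The token is a
    TGT id, i.e. a full SSO session credential: store it server-side only."""
    q = parse_qs(body)
    token = q.get("access_token", [None])[0]
    if not token:
        raise ValueError("no access_token in response")
    return token, int(q.get("expires", ["0"])[0])

def profile_url(token):
    """Resource request as in the post (token in the query string, so it will
    appear in the CAS server's access logs; treat those logs as sensitive)."""
    return f"{CAS_BASE}/oauth/profile?{urlencode({'access_token': token})}"
```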