CAS single sign-on integration with Spring Security
While learning Security I came across CAS, and learned how to configure CAS and integrate it with Security.
CAS server-side configuration
I. Use the Java keytool to generate an HTTPS certificate for the system and register it
1. Delete the existing certificate
C:\Program Files\Java\jdk1.6.0_10\bin>keytool -delete -alias tomcat -keystore D:/Java/jdk1.6.0_37/jre/lib/security/cacerts -storepass changeit
(tomcat is an arbitrarily chosen alias)
2. Generate the keystore
Enter the keystore password and the corresponding parameters; use changeit for every password. The first parameter, CN, must be your host name and cannot be entered arbitrarily; the others can be anything.
C:\Program Files\Java\jdk1.6.0_10\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keystore D:/server.keystore
(D:/server.keystore is the keystore file name)
3. Export the digital certificate
C:\Program Files\Java\jdk1.6.0_10\bin>keytool -export -alias tomcat -keypass changeit -file D:/server.crt -keystore D:/server.keystore
輸入keystore密碼:changeit
Enter the password from the previous step; this writes the exported certificate to D:/server.crt. (Note: this is the file that must be imported into the client's JVM.)
4. Import the digital certificate into the JRE
C:\Program Files\Java\jdk1.6.0_10\bin>keytool -import -alias tomcat -file D:/server.crt -keypass changeit -keystore D:/Java/jdk1.6.0_37/jre/lib/security/cacerts
The JRE path here must be the same JRE that Tomcat uses; the certificate is stored in that JRE's cacerts file.
5. View the list of trusted certificates
C:\Program Files\Java\jdk1.6.0_10\bin>keytool -list -keystore D:/Java/jdk1.6.0_37/jre/lib/security/cacerts
II. Configure Tomcat's HTTPS service
Start Tomcat and visit https://localhost:8443/. If the following page appears, the HTTPS configuration has taken effect:
III. Build the CAS server
Download the server-side package cas-server.
After extracting it, rename cas-server-webapp-3.3.3.war under modules to cas.war and deploy it to the web server; this is the single sign-on server.
Start Tomcat and visit http://localhost:8080/cas/index.jsp or https://localhost:8443; the following screen appears:
This indicates that the CAS server is configured and running successfully.
IV. Integrate CAS with Spring Security
Add the dependencies to pom.xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.1.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-cas</artifactId>
    <version>3.1.3.RELEASE</version>
</dependency>
web.xml configuration
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath:spring/applicationContext.xml,classpath:spring/applicationContext-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
applicationContext-security configuration
Refer to the documentation in the spring-security package.
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config='true' entry-point-ref="casProcessingFilterEntryPoint" access-denied-page="/index.jsp">
        <logout logout-success-url="/cas-logout.jsp"></logout>
        <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
        <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
        <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <custom-filter position="CAS_FILTER" ref="casProcessingFilter"/>
        <session-management>
            <concurrency-control error-if-maximum-exceeded="true"/>
        </session-management>
    </http>

    <!-- This filter handles single sign-out requests sent by the CAS server -->
    <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
    <!-- Local logout: clears the security context, then sends the browser to the CAS logout page -->
    <beans:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="https://longdd-pc:8443/cas/logout"/>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
    </beans:bean>
    <!-- Unauthenticated requests are redirected to the CAS login page, carrying the service URL configured below -->
    <beans:bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <beans:property name="loginUrl" value="https://longdd-pc:8443/cas/login"/>
        <beans:property name="serviceProperties" ref="casServiceProperties"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="casAuthenticationProvider"></authentication-provider>
    </authentication-manager>

    <!-- Our own user service: usernames, passwords and roles. CAS performs the password check;
         this service is only consulted for the authorities of the user named in the validated ticket -->
    <user-service id="userService">
        <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="user" password="user" authorities="ROLE_USER" />
    </user-service>

    <beans:bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
    </beans:bean>
    <beans:bean id="casServiceProperties" class="org.springframework.security.cas.ServiceProperties">
        <beans:property name="service" value="https://longdd-pc:8443/security/j_spring_cas_security_check"></beans:property>
        <beans:property name="sendRenew" value="false"/>
    </beans:bean>
    <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <beans:property name="authenticationUserDetailsService">
            <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:constructor-arg ref="userService"/>
            </beans:bean>
        </beans:property>
        <!-- Add the serviceProperties bean to the context; it represents this CAS-protected service -->
        <beans:property name="serviceProperties" ref="casServiceProperties"></beans:property>
        <beans:property name="ticketValidator">
            <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <beans:constructor-arg index="0" value="https://longdd-pc:8443/cas"/>
            </beans:bean>
        </beans:property>
        <beans:property name="key" value="security"/>
    </beans:bean>
</beans:beans>
After starting Tomcat, visiting the project at http://localhost:8080/security redirects to the CAS login page.
After logging in with admin/admin you are redirected to the home page. Logout link: <a href="j_spring_cas_security_logout">Logout</a>
After logging out you are redirected to the CAS logout page.
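As an added example (not part of the original post, and not the Spring Security or jasig client code itself), here is a minimal standard-library Python model of the CAS 2.0 exchange behind the redirects just described, built from the loginUrl, service URL and validator URL in the configuration above; the two serviceValidate XML responses are constructed samples, not captured from a CAS server.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Values taken from the applicationContext-security configuration above.
CAS_BASE = "https://longdd-pc:8443/cas"
SERVICE = "https://longdd-pc:8443/security/j_spring_cas_security_check"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 protocol namespace

def login_redirect(service=SERVICE):
    """URL CasAuthenticationEntryPoint sends an unauthenticated browser to."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"

def validate_url(ticket, service=SERVICE, renew=False):
    """Back-channel call Cas20ServiceTicketValidator makes with the ticket the
    browser brought back; 'service' must match the login value exactly,
    otherwise CAS answers INVALID_SERVICE and the login is rejected."""
    params = {"ticket": ticket, "service": service}
    if renew:  # sendRenew="true" forces a fresh CAS login instead of reusing the SSO session
        params["renew"] = "true"
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"

def parse_service_response(body):
    """Return (username, None) on success or (None, error_code) on failure.
    Anything that is not a clean success is treated as a failure."""
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        return (user, None) if user else (None, "MISSING_USER")
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return None, fail.get("code", "UNKNOWN")
    return None, "MALFORMED_RESPONSE"

# Constructed sample responses in the CAS 2.0 serviceValidate format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect())
    print(validate_url("ST-1-example"))
    print(parse_service_response(SUCCESS_XML), parse_service_response(FAILURE_XML))
```

The user name returned on success is what CasAuthenticationProvider hands to the userService above to look up authorities; the password stored there is never checked in this flow.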
This completes a simple example of integrating Spring Security with CAS; you can refer to the usage documentation in the spring-security package.