Configuring Spring Security + CAS SSO on the OpenJWeb Platform

xiaoxiao2026-04-18  0

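Setting up the CAS server is not covered here; this article describes how Spring Security is integrated with CAS in the OpenJWeb platform. The official Spring Security CAS sample can be downloaded from https://src.springframework.org/svn/spring-security/trunk/samples/cas/client/src/main/webapp, but that sample is too simple: its authority IDs are configured in XML, whereas in the configuration described here the authority IDs are stored in the database. Below is the resulting applicationContext-security.xml (this configuration has been tested and works):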

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- Unauthenticated requests are handed to the CAS entry point -->
  <sec:http entry-point-ref="casProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" requires-channel="https"/>
    <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
    <sec:logout logout-success-url="/index.jsp"/>
  </sec:http>

  <sec:authentication-manager alias="authenticationManager"/>

  <!-- Processes the CAS callback and receives proxy-granting tickets at proxyReceptorUrl -->
  <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
    <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
    <property name="defaultTargetUrl" value="/comm/index.action?operate=selectPageList"/>
    <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
    <property name="proxyReceptorUrl" value="/secure/receptor"/>
  </bean>

  <!-- Redirects unauthenticated requests to the CAS login page -->
  <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="https://casserver.haoyisheng.com:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
  </bean>

  <!-- Validates service tickets against the CAS server and loads the user through userDetailsService -->
  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <sec:custom-authentication-provider/>
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="https://casserver.haoyisheng.com:8443/cas"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <property name="proxyCallbackUrl" value="https://bzwang.haoyisheng.com:8443/crm/secure/receptor"/>
      </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only"/>
  </bean>

  <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

  <!-- The service URL that CAS redirects back to after login -->
  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="https://bzwang.haoyisheng.com:8443/crm/j_spring_cas_security_check"/>
    <property name="sendRenew" value="false"/>
  </bean>

  <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="userCache" ref="userCache"/>
    <property name="passwordEncoder" ref="passwordEncoder"/>
  </bean>

  <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>

  <!-- OpenJWeb implementation that loads users through IBaseDao3 -->
  <bean id="userDetailsService" class="org.openjweb.core.springsecurity.UserDetailsServiceImpl">
    <constructor-arg>
      <ref bean="IBaseDao3"/>
    </constructor-arg>
  </bean>

  <bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache" ref="userCacheBacked"/>
  </bean>

  <bean id="userCacheBacked" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="userCache"/>
  </bean>

  <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="classpath:ehcache-security.xml"/>
  </bean>

  <!-- Custom interceptor whose URL rules come from requestMap instead of XML -->
  <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="alwaysReauthenticate" value="true"/>
    <property name="objectDefinitionSource" ref="databaseFilterInvocationDefinitionSource"/>
  </bean>

  <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list>
        <bean class="org.springframework.security.vote.RoleVoter">
          <property name="rolePrefix" value=""/>
        </bean>
      </list>
    </property>
  </bean>

  <bean id="databaseFilterInvocationDefinitionSource" class="org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource">
    <constructor-arg type="org.springframework.security.util.UrlMatcher" ref="antUrlPathMatcher"/>
    <constructor-arg type="java.util.LinkedHashMap" ref="requestMap"/>
  </bean>

  <bean id="antUrlPathMatcher" class="org.springframework.security.util.AntUrlPathMatcher"/>

  <!-- OpenJWeb factory bean that supplies the ordered URL-to-authority map -->
  <bean id="requestMap" class="org.openjweb.core.springsecurity.RequestMapFactoryBean" init-method="init"></bean>

</beans>

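Notes:

(1) The SSO entry point is /secure/index.jsp. This file contains a redirect statement whose purpose is to jump to the system's main page once SSO authentication succeeds. During testing I found that only JSPs under the /secure directory are automatically sent to the CAS server for authentication; other directories configured with sec:intercept-url are not redirected to the CAS server for authentication, and I do not know why.

(2) The CAS server is version 3.3.2.

(3) The client side uses cas-client-core-3.1.3.jar.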
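
The `requestMap`, `antUrlPathMatcher` and `databaseFilterInvocationDefinitionSource` beans in the configuration resolve each request against an ordered map of URL patterns. The following added example (not OpenJWeb or Spring Security code) is a simplified Python model of that first-match lookup, with a check for rows that an earlier row pre-empts. The function names, the constructed rows, and the query-string stripping and lower-casing behaviour are assumptions of the model.

```python
import re
from collections import OrderedDict

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans directories, '*' and '?' stay in one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out, i = out + "(/.*)?", i + 3   # trailing /** also matches the bare directory
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def lookup_roles(request_map, url):
    """Roles of the FIRST matching row, or None when no row matches the URL."""
    path = url.split("?", 1)[0].lower()      # assumption: query string stripped, case folded
    for pattern, roles in request_map.items():
        if ant_to_regex(pattern.lower()).match(path):
            return roles
    return None                              # no row: this lookup imposes no role requirement

def shadowed_rules(request_map):
    """Heuristic check: rows that an earlier, broader row always pre-empts."""
    seen, shadowed = [], []
    for pattern in request_map:
        probe = pattern.lower().replace("**", "a/b").replace("*", "a").replace("?", "a")
        if any(ant_to_regex(p.lower()).match(probe) for p in seen):
            shadowed.append(pattern)
        seen.append(pattern)
    return shadowed

# Constructed rows, as a database query might return them in two different orders.
GOOD_ORDER = OrderedDict([("/secure/extreme/**", ["ROLE_SUPERVISOR"]),
                          ("/secure/**", ["ROLE_USER"])])
BAD_ORDER = OrderedDict(reversed(list(GOOD_ORDER.items())))

if __name__ == "__main__":
    for name, rows in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, lookup_roles(rows, "/secure/extreme/report.jsp"), shadowed_rules(rows))
    print(lookup_roles(GOOD_ORDER, "/comm/index.action?operate=selectPageList"))
```

Because the rules live in the database, the row order returned by the query decides which role guards a URL; running a check like `shadowed_rules` over the loaded rows catches a specific rule placed after a broader one.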

Author QQ: 29803446

MSN: baozhengw999@hotmail.com

When reposting, please cite the original URL: https://www.6miu.com/read-5047587.html
