CAS single sign-on implementation

Preface

This article records the implementation of single sign-on (SSO), including the custom extensions made to the CAS server and to the client applications.

Server side

The SSO server is CAS; the customization is based on cas-server-webapp version 3.5.2.1.

The customized source code has been committed to the SVN repository at: svn://192.168.9.16/minxin/Repositories/minxinloan/trunk/mxcas-server-webapp.

This version of the customization runs over plain HTTP (HTTPS is switched off). Be aware of what that costs: the CASTGC ticket-granting cookie, the service tickets carried in redirect URLs and the submitted passwords all cross the network in cleartext, so anyone who can observe that traffic can take over the SSO session; this setup is only acceptable on an isolated development or test network. The customizations made in this version are described in detail below.

  1. Disable HTTPS:

    • In deployerConfigContext.xml, on the bean「<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/>」, set the p:requireSecure attribute to "false" (the default is true, which makes the handler reject callback URLs that are not https);
    • In ticketGrantingTicketCookieGenerator.xml, on <bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />, set the p:cookieSecure attribute to "false" (the default is true). Without the Secure flag the browser sends the CASTGC cookie over plain HTTP, and whoever captures it can obtain service tickets for any service until the TGT expires.
  2. Database username/password authentication
    • Add the data source to deployerConfigContext.xml:

      <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
          <property name="jndiName">
              <value>java:comp/env/jdbc/minxinDataSource</value>
          </property>
      </bean>

    • Add the class com.minxinloan.cas.server.MxloanPasswordEncoder, which implements the custom password encoder.
    • Register it in deployerConfigContext.xml: <bean id="mxPasswordEncoder" class="com.minxinloan.cas.server.MxloanPasswordEncoder"/>.
    • In deployerConfigContext.xml replace <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> (the stock test handler, which accepts any user whose password equals the username and must not remain in a deployed instance) with:

      <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
          <property name="dataSource" ref="dataSource"></property>
          <property name="sql" value="select t.password from uc_employee t where t.login_name=? and t.status=1"></property>
          <property name="passwordEncoder" ref="mxPasswordEncoder"></property>
      </bean>

      The query is parameterized (the ? is bound to the submitted login name), so it is not open to SQL injection; it must return exactly one value, which the handler compares with the submitted password after passing it through mxPasswordEncoder. The t.status=1 condition makes disabled accounts fail authentication instead of merely being hidden elsewhere.
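The password encoder wired in above, as an added example: this is not the project's MxloanPasswordEncoder (the page does not show its hashing scheme), and the storage format it targets, lowercase hex SHA-256 of the UTF-8 password, is an assumption. CAS itself ships org.jasig.cas.authentication.handler.DefaultPasswordEncoder for plain hex digests of a MessageDigest algorithm such as MD5 or SHA1; a custom class like this is only needed when the stored format differs. The important property is visible in the comments: QueryDatabaseAuthenticationHandler compares the encoder's output with the column value using String.equals(), so the encoder must be deterministic and byte-for-byte compatible with what is in uc_employee.password.

```java
package com.minxinloan.cas.server; // hypothetical package, chosen to match the page's naming

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.jasig.cas.authentication.handler.PasswordEncoder;

/**
 * Added example of a CAS 3.5.x PasswordEncoder; not the project's MxloanPasswordEncoder.
 *
 * QueryDatabaseAuthenticationHandler calls encode() on the submitted password and compares
 * the result with the single column returned by its SQL using String.equals(). Consequences:
 *  - encode() must be deterministic (no per-call random salt), and
 *  - its output must match the stored format exactly. Here the stored format is
 *    ASSUMED to be lowercase hex SHA-256 of the UTF-8 password.
 * A per-user salt is not possible with this handler, because it reads only the password
 * column; that needs a handler which also loads the salt.
 */
public class ExamplePasswordEncoder implements PasswordEncoder {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private final String algorithm;

    public ExamplePasswordEncoder() {
        this("SHA-256");
    }

    public ExamplePasswordEncoder(final String algorithm) {
        this.algorithm = algorithm;
    }

    /** Returns the value that must be stored in uc_employee.password for this password. */
    public String encode(final String password) {
        if (password == null) {
            return null; // nothing to digest; the handler's equals() check will fail
        }
        try {
            final MessageDigest md = MessageDigest.getInstance(this.algorithm);
            return toHex(md.digest(password.getBytes("UTF-8")));
        } catch (final NoSuchAlgorithmException e) {
            throw new IllegalStateException("digest algorithm not available: " + this.algorithm, e);
        } catch (final UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not supported", e); // cannot happen on a JVM
        }
    }

    /** Lowercase hex, so the result can be compared with a hex string stored in the database. */
    static String toHex(final byte[] bytes) {
        final char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            final int v = bytes[i] & 0xff;
            out[2 * i] = HEX[v >>> 4];
            out[2 * i + 1] = HEX[v & 0x0f];
        }
        return new String(out);
    }

    /** Shows the stored form of a constructed sample password and that encoding is repeatable. */
    public static void main(final String[] args) {
        final ExamplePasswordEncoder encoder = new ExamplePasswordEncoder();
        final String stored = encoder.encode("s3cret-Example"); // constructed sample password
        System.out.println("stored value: " + stored);
        System.out.println("deterministic: " + stored.equals(encoder.encode("s3cret-Example")));
    }
}
```

Register it exactly as the page registers mxPasswordEncoder (a bean with no properties, or pass the algorithm name as a constructor-arg). If the existing uc_employee.password values were produced by a different routine, the encoder has to reproduce that routine, not the one assumed here.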

  3. Customize the attributes of the logged-in user
    • Add the class com.minxinloan.cas.server.MxloanPersonAttributeDao, which builds the logged-in user's attributes by querying the database.
    • In deployerConfigContext.xml replace

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>

    with:

    <bean id="attributeRepository" class="com.minxinloan.cas.server.MxloanPersonAttributeDao">
        <property name="dataSource" ref="dataSource"/>
    </bean>

    • In /view/jsp/protocol/2.0/casServiceValidationSuccess.jsp add

      <cas:attributes>
          <c:forEach items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}" var="attr">
              <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
          </c:forEach>
      </cas:attributes>

      The key and value are passed through fn:escapeXml (the fn taglib is already in use for fn:length); without it an attribute value containing < or & produces a malformed validation response that the client cannot parse. Which of these attributes a given client actually receives is governed by the registered service's allowed attributes in the service registry, so check that before adding sensitive columns to the DAO's query.
  4. Logout with redirect support
    • Uncomment cas.logout.followServiceRedirects=true in cas.properties. In 3.5.x the logout controller then redirects to whatever URL the service parameter carries, without checking it against the service registry, so /cas/logout?service=... behaves as an open redirect; do not rely on that redirect for anything security-sensitive.
  5. Customize the login page
    • Edit the page /view/jsp/default/ui/casLoginView.jsp (not customized yet).

Client side

    1. Add the class com.minxinloan.web.utils.WebUtils.
    2. Add the class com.minxinloan.web.utils.CasSessionUserFilter, which processes the user information returned by the SSO server and stores it in the session.
    3. Add the following to the client web application's web.xml; set the filters' url-pattern mappings according to the actual application. Filter mappings run in the order they appear, so keep this order: single sign-out, authentication (redirect to CAS), ticket validation, request wrapping, the thread-local assertion holder, and finally the session-user filter, which needs the validated assertion to be present already.

      <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
      </listener>
      <filter>
        <filter-name>CasSingleSignOutFilter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CasSingleSignOutFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
          <param-name>casServerLoginUrl</param-name>
          <param-value>http://localhost:8088/cas/login</param-value> <!-- the CAS login URL -->
        </init-param>
        <init-param>
          <param-name>serverName</param-name>
          <param-value>http://localhost:8080</param-value> <!-- this application's externally visible origin, used to build the service URL -->
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>CasTicketFilter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
          <param-name>casServerUrlPrefix</param-name>
          <param-value>http://localhost:8088/cas</param-value>
        </init-param>
        <init-param>
          <param-name>serverName</param-name>
          <param-value>http://localhost:8080</param-value>
        </init-param>
        <init-param>
          <param-name>encoding</param-name>
          <param-value>UTF-8</param-value> <!-- avoids garbled Chinese characters in the validation response -->
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>CasTicketFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>CasRequestWrapFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CasRequestWrapFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>AssertionThreadLocalFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>AssertionThreadLocalFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter>
        <filter-name>CasSessionUserFilter</filter-name>
        <filter-class>com.minxinloan.web.utils.CasSessionUserFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CasSessionUserFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

    4. To log out, visit http://localhost:8088/cas/logout directly; a service parameter may be appended to specify the redirect target, for example http://localhost:8088/cas/logout?service=http://localhost:8080/foo. On logout the CAS server also sends a single sign-out request to each application that obtained a ticket during the SSO session; SingleSignOutFilter receives it and invalidates the matching local session, which is why the filter and listener above are registered.
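An example of the session-user filter registered above as CasSessionUserFilter, added here; it is not the project's com.minxinloan.web.utils.CasSessionUserFilter, and the attribute names employeeId, displayName and roles, the session key casSessionUser and the init-param allowedAttributes are assumptions. It reads the Assertion that Cas20ProxyReceivingTicketValidationFilter stored in the session and copies the principal name plus an allow-list of attributes into a Serializable object, so application code has one place to read the user and attributes not on the list never reach the session.

```java
package com.minxinloan.web.utils; // hypothetical package, chosen to match the page's naming

import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

/**
 * Added example of a session-user filter; not the project's CasSessionUserFilter.
 *
 * Cas20ProxyReceivingTicketValidationFilter stores the validated Assertion in the HTTP session
 * under AbstractCasFilter.CONST_CAS_ASSERTION. This filter, mapped after it, copies the principal
 * name plus an allow-list of attributes into a small Serializable object under SESSION_USER_KEY,
 * so application code has one place to read the user and never sees attributes it was not meant to.
 */
public class ExampleCasSessionUserFilter implements Filter {

    /** Session key for the copied user (assumed name). */
    public static final String SESSION_USER_KEY = "casSessionUser";

    /** Attribute names kept from the assertion (assumed names; overridable via init-param). */
    private Set<String> allowedAttributes =
            new HashSet<String>(Arrays.asList("employeeId", "displayName", "roles"));

    /** What the application sees: login name and a read-only attribute map. */
    public static class SessionUser implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String loginName;
        private final Map<String, Object> attributes;

        public SessionUser(final String loginName, final Map<String, Object> attributes) {
            this.loginName = loginName;
            this.attributes = Collections.unmodifiableMap(new HashMap<String, Object>(attributes));
        }
        public String getLoginName() { return this.loginName; }
        public Map<String, Object> getAttributes() { return this.attributes; }
    }

    public void init(final FilterConfig config) throws ServletException {
        // Optional init-param "allowedAttributes" (comma separated) replaces the default allow-list.
        final String names = config.getInitParameter("allowedAttributes");
        if (names != null && names.trim().length() > 0) {
            this.allowedAttributes = new HashSet<String>(Arrays.asList(names.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        final HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null) {
            final Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
            final SessionUser current = (SessionUser) session.getAttribute(SESSION_USER_KEY);
            if (assertion == null) {
                session.removeAttribute(SESSION_USER_KEY); // no assertion: never keep a stale user
            } else if (current == null || !current.getLoginName().equals(assertion.getPrincipal().getName())) {
                session.setAttribute(SESSION_USER_KEY, fromAssertion(assertion));
            }
        }
        chain.doFilter(req, res);
    }

    /** Builds the session copy, keeping only allow-listed attributes. */
    SessionUser fromAssertion(final Assertion assertion) {
        final AttributePrincipal principal = assertion.getPrincipal();
        final Map<String, Object> kept = new HashMap<String, Object>();
        final Map<String, Object> attrs = principal.getAttributes();
        if (attrs != null) {
            for (final Map.Entry<String, Object> e : attrs.entrySet()) {
                if (this.allowedAttributes.contains(e.getKey())) {
                    kept.put(e.getKey(), e.getValue());
                }
            }
        }
        return new SessionUser(principal.getName(), kept);
    }

    public void destroy() {
    }
}
```

Map it last in web.xml, as the page does for CasSessionUserFilter: filter mappings execute in the order they appear, so the assertion is already in the session when this filter runs. The allow-list is deliberate; the attributes arrive as whatever the CAS server's attributeRepository returned, and a client should keep only what it uses.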