spring security與cas client集成(無http標籤方式)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">
 
	<!-- Spring Security 3.2 + Jasig CAS client, wired bean by bean instead of through the <http> namespace
	     element. securityFilter (a FilterChainProxy) is the single entry point; each filter-chain entry in
	     the list below is tried in document order and the first pattern that matches the request decides
	     which filters run, so the catch-all /** entry must remain last. -->
	<bean id="securityFilter" class="org.springframework.security.web.FilterChainProxy">
		<constructor-arg>
			<util:list>
				<!-- filters="none": requests matching these patterns receive no security filter at all
				     (no session bookkeeping, no SecurityContext, no authentication). Re-check this list
				     whenever a public path is added. NOTE(review): confirm what /**.html actually matches
				     under AntPathMatcher before relying on it as "every .html at any depth". -->
				<security:filter-chain pattern="/favicon.ico" filters="none" />
				<security:filter-chain pattern="/**.html" filters="none" />
				<security:filter-chain pattern="/static/**" filters="none" />
				<security:filter-chain pattern="/site/**" filters="none" />
				<security:filter-chain pattern="/login**" filters="none" />
				<security:filter-chain pattern="/login/**" filters="none" />
				<security:filter-chain pattern="/signup**" filters="none" />
				<security:filter-chain pattern="/signup/**" filters="none" />
				<security:filter-chain pattern="/join**" filters="none" />
				<security:filter-chain pattern="/join/**" filters="none" />
				<security:filter-chain pattern="/remote/**" filters="none" />
				<!-- <security:filter-chain pattern="/" filters="casValidationFilter, wrappingFilter" /> -->
				<!-- CAS proxy-granting-ticket callback: only the ticket validation filter runs here. -->
				<security:filter-chain pattern="/secure/receptor" filters="casValidationFilter" />
				<!-- Logout: requestSingleLogoutFilter handles /logout itself (see its filterProcessesUrl);
				     securityContextFilter is deliberately not in this chain. -->
				<security:filter-chain pattern="/logout" filters="requestSingleLogoutFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
				<!-- Everything else. Order is significant: concurrent-session check, then load the
				     SecurityContext, then CAS ticket handling, then request wrapping, then the
				     exception translator that wraps the final authorization interceptor. -->
				<security:filter-chain pattern="/**"
					filters="concurrentSessionFilter,securityContextFilter,casFilter,wrappingFilter,
					exceptionTranslationFilter,filterSecurityInterceptor" />
			</util:list>
		</constructor-arg>
	</bean>
	<!-- Expires sessions flagged in sessionRegistry and sends them to ${security.login}; that placeholder
	     is resolved by a property configurer that is not defined in this file (assumed present elsewhere). -->
	<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
          p:sessionRegistry-ref="sessionRegistry" p:expiredUrl="${security.login}" />
	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<!-- 	<bean id="sessionRegistry" class="com.weaver.teams.security.session.TeamsSessionRegistry" /> -->

	<!-- Loads/stores the SecurityContext per request through the project-specific repository below. -->
	<bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<constructor-arg  name="repo" ref="securityContextRepository" />
	</bean>
	
	<bean id="securityContextRepository" class="com.weaver.teams.security.session.TeamsSessionSecurityContextRepository" 
		p:sessionRegistry-ref="sessionRegistry" />
	<!-- Authorization rules. intercept-url entries are evaluated top to bottom, most specific first;
	     the trailing /** rule means every path not excluded by a filters="none" chain requires ROLE_USER. -->
	<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <security:filter-invocation-definition-source>
                <security:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
                <security:intercept-url pattern="/secure/**" access="ROLE_USER"/>
                <security:intercept-url pattern="/**" access="ROLE_USER"/>
            </security:filter-invocation-definition-source>
        </property>
    </bean>

	<!-- Exposes the CAS assertion through the standard HttpServletRequest API (getRemoteUser etc.). -->
	<bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />
	<!-- "service" is the URL the CAS server redirects back to with the service ticket; its path must match
	     casFilter.filterProcessesUrl (/securitycheck). NOTE(review): this is the only plain http:// endpoint
	     in the file while the CAS server, logout and proxy callback all use https; the ticket would be
	     delivered over cleartext on this hop. sendRenew=false lets an existing CAS SSO session be reused. -->
	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
	  <property name="service"
	      value="http://test.eteams.cn:9080/securitycheck"/>
	  <property name="sendRenew" value="false"/>
	</bean>
	<!-- Consumes the service ticket on /securitycheck and authenticates through authenticationManager;
	     the session strategy applied on successful login is concurrentSessionControlStrategy. -->
	<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
  		<property name="authenticationManager" ref="authenticationManager"/>
  		<property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy"/>
  		<property name="filterProcessesUrl" value="/securitycheck"/>
	</bean>
	<bean id="concurrentSessionControlStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg ref="sessionRegistry"/>
    </bean>
	<!-- Receives proxy-granting tickets on /secure/receptor and validates tickets with ticketValidator.
	     NOTE(review): serverName here normally identifies THIS application (the CAS client), yet it is set
	     to https://test.eteams.cn:9082, the same prefix given to ticketValidator as the CAS server URL;
	     confirm which host is which before deploying. exceptionOnValidationFailure=true makes a failed
	     validation surface as an error instead of being silently ignored. -->
	<bean id="casValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
        <property name="serverName" value="https://test.eteams.cn:9082" />
        <property name="exceptionOnValidationFailure" value="true" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="redirectAfterValidation" value="true" />
        <property name="ticketValidator" ref="ticketValidator" />
        <property name="proxyReceptorUrl" value="/secure/receptor" />
    </bean> 
    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

	<!-- Where unauthenticated users are sent (via exceptionTranslationFilter): the CAS login page, with the
	     service parameter taken from serviceProperties. -->
	<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
	    <property name="loginUrl" value="https://test.eteams.cn:9082/login"/>
	    <property name="serviceProperties" ref="serviceProperties"/>
	</bean>
	
	<!-- Constructor argument 0 is the CAS server URL prefix used for ticket validation (CAS 2.0 protocol).
	     NOTE(review): proxyCallbackUrl should be a URL on this application that routes to /secure/receptor;
	     it currently points at the :9082 host, see the casValidationFilter note above. -->
	<bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" >
        <constructor-arg index="0" value="https://test.eteams.cn:9082" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="proxyCallbackUrl" value="https://test.eteams.cn:9082/secure/receptor" />
    </bean>
    
	<security:authentication-manager alias="authenticationManager">  
    	<security:authentication-provider ref="casAuthenticationProvider"/>  
	</security:authentication-manager> 
	
	<!-- Validates the CAS ticket and loads local user details by the CAS principal name (no password is
	     involved on this side). "key" identifies tokens created by this provider; the value below reads like
	     a sample placeholder and should be replaced with a deployment-specific, non-guessable string. -->
	<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
	    <property name="authenticationUserDetailsService" ref="teamsUserDetailsByNameService" />
  		<property name="serviceProperties" ref="serviceProperties" />
  		<property name="ticketValidator" ref="ticketValidator" />
  		<property name="key" value="an_id_for_this_auth_provider_only"/>
	</bean>
	<bean id="teamsUserDetailsByNameService" class="com.weaver.teams.security.cas.TeamsUserDetailsByNameService" />
	<!-- <bean id="casAuthenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" >
            <ref bean="userService" />
        </property>
    </bean>
	<security:user-service id="userService">
	    <security:user name="1111" authorities="ROLE_USER" />
	</security:user-service> -->

	<!-- Local logout on /logout (SecurityContextLogoutHandler), then redirect to the CAS server's /logout
	     so the SSO session is ended as well. -->
	<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    	<constructor-arg value="https://test.eteams.cn:9082/logout"/>
    	<constructor-arg>
    		<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
  		</constructor-arg>
  		<property name="filterProcessesUrl" value="/logout"/>
	</bean>
	
	<!-- Turns authentication failures into a redirect to casEntryPoint and access-denied failures into
	     accessDeniedHandler. -->
	<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter"
		p:authenticationEntryPoint-ref="casEntryPoint" p:accessDeniedHandler-ref="accessDeniedHandler" />

	<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>

	<!-- AffirmativeBased: access is granted as soon as one voter grants. With allowIfAllAbstainDecisions=false
	     a request on which every voter abstains is denied. -->
	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"
		p:allowIfAllAbstainDecisions="false" p:decisionVoters-ref="decisionVoters" />

	<util:list id="decisionVoters">
		<bean class="org.springframework.security.access.vote.RoleVoter" p:rolePrefix="ROLE_" />
		<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
	</util:list>

	<!-- NOTE(review): nothing in this file references sessionStrategy; casFilter uses
	     concurrentSessionControlStrategy instead. Either wire this one in or confirm another context uses it. -->
	<bean id="sessionStrategy" class="com.weaver.teams.security.session.TeamsConcurrentSessionControlStrategy">
		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
	</bean>
</beans>

自定義了一個testfilter用於測試,可以刪掉,usermanager是實現的UserDetailsService接口(注意這個在和cas整合後是不需要放入密碼的),至於為何不用http標籤方式配置,因為這個靈活度高,可擴展性強!

ConcurrentSessionFilter,管理session,如果session過期則logout

SecurityContextPersistenceFilter,從SecurityContextRepository(session或jdbc或別的實現)取出SecurityContext(如果為空則創建一個新的empty SecurityContext),放入SecurityContextHolder(默認為ThreadLocal實現)

CasAuthenticationFilter,攔截/j_spring_cas_security_check的url(默認,可以自定義此url,此例子中為/securitycheck),取得服務器返回的ticket(ServiceTicket)參數進行驗證,調用cas服務器的/validate接口,將返回的xml解析為Assertion對象,如果驗證失敗會拋出異常,這個filter可以配置一個sessionAuthenticationStrategy的策略接口的屬性,實現防止session固定(fixation)攻擊和session最大數量控制(非cas的spring security則是通過SessionManagementFilter來實現的,http標籤方式也有對應標籤<session-management>)

HttpServletRequestWrapperFilter,支持servlet api,填充HttpServletRequest對象

ExceptionTranslationFilter,代碼裏有try,catch結構,try裏會執行doFilter即filterSecurityInterceptor的驗證和權限判斷邏輯,如果驗證失敗或者權限校驗失敗則調用casEntryPoint的url轉向cas server的login進行登錄

FilterSecurityInterceptor,驗證Authentication對象,驗證權限

只要理清了這些filter的邏輯,自定義一些實現比如驗證碼,usb動態密碼,客戶端的信息記錄如客戶端類型(pc,手機等)等等都可以自定義實現
