CAS Server的搭建就不用介绍了，这里介绍一下OpenJWeb平台中Spring Security如何与CAS集成。Spring Security集成CAS的官方例子可从 https://src.springframework.org/svn/spring-security/trunk/samples/cas/client/src/main/webapp 下载，但是这个例子过于简单，权限ID是配置在xml中；而本文介绍的配置，权限ID是存储在数据库中的。下面是配置的applicationContext-security.xml（这个配置已测通）：
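<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 2.0 configuration for the OpenJWeb CRM web application:
  users authenticate through a CAS server (single sign-on), and the
  URL-to-authority rules are loaded from the database (requestMap) rather
  than hard-coded as intercept-url elements.

  Markup repair: in the published listing several attribute values were
  wrapped onto their own lines (whitespace inside an attribute value becomes
  part of the value, so the URLs would have carried leading/trailing blanks)
  and two self-closing tags were split into "/" and ">" on separate lines,
  which is not well-formed XML. They are joined back here; no URL, bean id,
  property or class name was changed.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- Namespace-generated filter chain. Unauthenticated requests to the two
       patterns below are sent to CAS by casProcessingFilterEntryPoint. Only
       /secure/extreme/** is forced onto HTTPS; /secure/** is accepted over
       plain HTTP unless the container enforces TLS elsewhere. URLs outside
       /secure/** are not listed here, which may be why, as the author notes
       below, only /secure pages trigger the CAS redirect (to be confirmed).
       The logout success URL is a local page; this logout ends the local
       session only, not the CAS server-side SSO session. -->
  <sec:http entry-point-ref="casProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" requires-channel="https"/>
    <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
    <sec:logout logout-success-url="/index.jsp"/>
  </sec:http>

  <sec:authentication-manager alias="authenticationManager"/>

  <!-- Receives the CAS service ticket (on the j_spring_cas_security_check
       URL named in serviceProperties) and hands it to the authentication
       manager. proxyReceptorUrl is the local path on which proxy-granting
       tickets are accepted; proxyCallbackUrl on the ticket validator below
       must resolve to it. -->
  <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
    <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
    <property name="defaultTargetUrl" value="/comm/index.action?operate=selectPageList"/>
    <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
    <property name="proxyReceptorUrl" value="/secure/receptor"/>
  </bean>

  <!-- Entry point: unauthenticated users are redirected to the CAS login
       page, with the service URL from serviceProperties appended. -->
  <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="https://casserver.haoyisheng.com:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
  </bean>

  <!-- Validates service tickets against the CAS server (CAS 2.0 protocol),
       then loads the user's authorities from the database through
       userDetailsService. This is the only provider registered with the
       namespace authentication-manager (see custom-authentication-provider). -->
  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <sec:custom-authentication-provider/>
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <!-- CAS server prefix. Validation goes over HTTPS, so the server's
             certificate has to be trusted by this JVM's trust store. -->
        <constructor-arg index="0" value="https://casserver.haoyisheng.com:8443/cas"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <!-- Public URL of casProcessingFilter's proxyReceptorUrl on this host. -->
        <property name="proxyCallbackUrl" value="https://bzwang.haoyisheng.com:8443/crm/secure/receptor"/>
      </bean>
    </property>
    <!-- Lets the provider recognise CasAuthenticationTokens it created. This
         is the stock value from the Spring Security CAS sample; each
         deployment should use its own. -->
    <property name="key" value="an_id_for_this_auth_provider_only"/>
  </bean>

  <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

  <!-- Identifies this application to CAS. sendRenew="false" allows an
       existing CAS single sign-on session to satisfy the login without the
       user re-entering credentials. -->
  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="https://bzwang.haoyisheng.com:8443/crm/j_spring_cas_security_check"/>
    <property name="sendRenew" value="false"/>
  </bean>

  <!-- Database username/password provider kept alongside CAS. Unlike
       casAuthenticationProvider it carries no custom-authentication-provider
       element, so the namespace authentication-manager does not consult it
       unless it is wired in elsewhere. Passwords are compared with MD5 and
       no saltSource is configured, which is a weak password hash. -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="userCache" ref="userCache"/>
    <property name="passwordEncoder" ref="passwordEncoder"/>
  </bean>

  <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>

  <!-- Loads users and their granted authorities from the database; the
       constructor takes the project's IBaseDao3 data-access bean. -->
  <bean id="userDetailsService" class="org.openjweb.core.springsecurity.UserDetailsServiceImpl">
    <constructor-arg>
      <ref bean="IBaseDao3"/>
    </constructor-arg>
  </bean>

  <!-- Ehcache-backed cache of loaded UserDetails; cache settings live in
       ehcache-security.xml on the classpath. -->
  <bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache" ref="userCacheBacked"/>
  </bean>

  <bean id="userCacheBacked" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="userCache"/>
  </bean>

  <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="classpath:ehcache-security.xml"/>
  </bean>

  <!-- Second authorization interceptor, inserted before the one generated
       by sec:http. Its URL-to-authority rules come from the database
       (requestMap) instead of intercept-url elements.
       alwaysReauthenticate="true" passes the current Authentication back
       through the authentication manager on every request (presumably so
       that authority changes in the database apply without a new login);
       this costs an extra authentication per request. -->
  <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="alwaysReauthenticate" value="true"/>
    <property name="objectDefinitionSource" ref="databaseFilterInvocationDefinitionSource"/>
  </bean>

  <!-- Grants access when any voter votes yes. rolePrefix="" makes the
       RoleVoter consider every configured attribute, so the authority IDs
       stored in the database need not start with "ROLE_". -->
  <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list>
        <bean class="org.springframework.security.vote.RoleVoter">
          <property name="rolePrefix" value=""/>
        </bean>
      </list>
    </property>
  </bean>

  <!-- Ant-style URL patterns mapped to the authorities built by requestMap. -->
  <bean id="databaseFilterInvocationDefinitionSource" class="org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource">
    <constructor-arg type="org.springframework.security.util.UrlMatcher" ref="antUrlPathMatcher"/>
    <constructor-arg type="java.util.LinkedHashMap" ref="requestMap"/>
  </bean>

  <bean id="antUrlPathMatcher" class="org.springframework.security.util.AntUrlPathMatcher"/>

  <!-- Builds the LinkedHashMap of URL pattern to authorities from the
       database when init() runs. Entry order matters: the definition source
       uses the first pattern that matches a request. -->
  <bean id="requestMap" class="org.openjweb.core.springsecurity.RequestMapFactoryBean" init-method="init"/>
</beans>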
说明：(1) SSO认证入口为/secure/index.jsp，这个文件有个重定向语句，作用是当SSO认证通过后跳转到系统主页面。在测试过程中发现只有访问/secure目录下的jsp才会自动跳转到CAS Server认证，sec:intercept-url 配置的其他目录不会跳转到CAS Server进行认证，原因尚不清楚。
(2) cas server采用3.3.2版本
(3)client端为cas-client-core-3.1.3.jar
作者QQ:29803446
Msn:baozhengw999@hotmail.com