前言
此文为记录单点登录实现过程,包括cas服务端和客户端的定制扩展
服务端
单点登录服务端采用cas,以cas-server-webapp版本号为3.5.2.1为基础进行定制扩展实现。
定制实现的源码功能以上传至svn代码库,路径为:svn://192.168.9.16/minxin/Repositories/minxinloan/trunk/mxcas-server-webapp。
此版本的定制扩展实现采用http协议(关闭了https协议),下面对此版的定制扩展进行详细的描述。
- 关闭https协议:
- 修改deployerConfigContext.xml中的“<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" p:requireSecure="false"/>”,将p:requireSecure="false"属性值设置为“false”;
- 修改ticketGrantingTicketCookieGenerator.xml中的<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTGC" p:cookiePath="/cas" />,将p:cookieSecure="false" 属性值设置为“false”。
- 数据库用户名密码验证
- 在deployerConfigContext.xml配置文件中添加数据源配置:
<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName">
<value>java:comp/env/jdbc/minxinDataSource</value>
</property>
</bean> - 添加com.minxinloan.cas.server.MxloanPasswordEncoder类,实现定制密码加密器。
- 在deployerConfigContext.xml配置文件中添加<bean id="mxPasswordEncoder" class="com.minxinloan.cas.server.MxloanPasswordEncoder"/>配置。
-
在deployerConfigContext.xml配置文件中将<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />替换为:
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
<property name="dataSource" ref="dataSource"></property>
<property name="sql" value="select t.password from uc_employee t where t.login_name=? and t.status=1"></property>
<property name="passwordEncoder" ref="mxPasswordEncoder"></property>
</bean>
- 在deployerConfigContext.xml配置文件中添加数据源配置:
- 定制登录用户信息属性
- 添加com.minxinloan.cas.server.MxloanPersonAttributeDao类,实现通过查询数据库构建登录人的信息。
- 在deployerConfigContext.xml配置文件中将
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>替换为:
<bean id="attributeRepository" class="com.minxinloan.cas.server.MxloanPersonAttributeDao">
<property name="dataSource" ref="dataSource"/>
</bean>- 在/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp文件中添加
<cas:attributes>
<c:forEach items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}" var="attr">
<cas:${attr.key}>${attr.value}</cas:${attr.key}>
</c:forEach>
</cas:attributes>
- 登出支持重定向
- 将cas.properties文件中的cas.logout.followServiceRedirects=true注释放开。
- 定制登录页面
- 修改/view/jsp/default/ui/casLoginView.jsp页面(暂时未修改定制)
客户端
- 添加com.minxinloan.web.utils.WebUtils类。
- 添加com.minxinloan.web.utils.CasSessionUserFilter类,处理单点登录返回的用户信息,并保存至session中。
- 在客户端web应用中的web.xml添加如下内容,其中filter的映射地址路径根据实际情况进行设置。
<listener>
<listener-class>
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</listener-class>
</listener>
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://localhost:8088/cas/login</param-value> <!-- 此地址为cas登录url-->
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CasTicketFilter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8088/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value> <!--处理中文乱码问题-->
</init-param>
</filter>
<filter-mapping>
<filter-name>CasTicketFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CasRequestWrapFilter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CasRequestWrapFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>AssertionThreadLocalFilter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>AssertionThreadLocalFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-name>CasSessionUserFilter</filter-name>
<filter-class>com.minxinloan.web.utils.CasSessionUserFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CasSessionUserFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> - 退出登录直接访问url地址http://localhost:8088/cas/logout,也可以在此url后面加上service参数指定重定向地址,例如http://localhost:8088/cas/logout?service=http://localhost:8080/foo。