1、 简介
本文主要讲述如何通过SpringSecurity+CAS在springboot项目中实现单点登录和单点注销的功能。
参考内容有Spring Security官方文档中的
本文为Jaune161的原创文章。 原文地址http://blog.csdn.net/jaune161/article/details/78060780,转载请注明出处。
2、 项目依赖
主要依赖如下
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
3、 项目配置
Application配置。
@SpringBootApplication(scanBasePackages = "com.wawscm")
@EnableWebSecurity
public class Application {
public static void main(String[] args) {
new SpringApplicationBuilder(Application.class).web(true).run(args);
}
}
增加CAS参数配置
这里分为CASServer配置和CASService配置。其中Server是CAS服务的配置,Service是我们自己服务的配置。
@Data
@ConfigurationProperties(prefix = "security.cas.server")
public class CasServerConfig {
private String host;
private String login;
private String logout;
}
@Data
@ConfigurationProperties(prefix = "security.cas.service")
public class CasServiceConfig {
private String host;
private String login;
private String logout;
private Boolean sendRenew = false;
}
配置内容如下
security:
cas:
server:
host: http://192.168.1.202:9082/cas
login: ${security.cas.server.host}/login
logout: ${security.cas.server.host}/logout
service:
host: http://localhost:9088
login: /login/cas
logout: /logout
后面需要根据实际配置再拼接参数。
SpringSecurity Bean配置
@Configuration
@EnableConfigurationProperties({CasServerConfig.class, CasServiceConfig.class})
public class SecurityConfiguration {
@Autowired
private CasServerConfig casServerConfig;
@Autowired
private CasServiceConfig casServiceConfig;
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService(this.casServiceConfig.getHost() + this.casServiceConfig.getLogin());
serviceProperties.setSendRenew(this.casServiceConfig.getSendRenew());
return serviceProperties;
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager authenticationManager, ServiceProperties serviceProperties) {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager);
casAuthenticationFilter.setServiceProperties(serviceProperties);
casAuthenticationFilter.setFilterProcessesUrl(this.casServiceConfig.getLogin());
casAuthenticationFilter.setContinueChainBeforeSuccessfulAuthentication(false);
casAuthenticationFilter.setAuthenticationSuccessHandler(
new SimpleUrlAuthenticationSuccessHandler("/")
);
return casAuthenticationFilter;
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint(ServiceProperties serviceProperties) {
CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
entryPoint.setLoginUrl(this.casServerConfig.getLogin());
entryPoint.setServiceProperties(serviceProperties);
return entryPoint;
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(this.casServerConfig.getHost());
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider(
AuthenticationUserDetailsService<CasAssertionAuthenticationToken> userDetailsService,
ServiceProperties serviceProperties, Cas20ServiceTicketValidator ticketValidator) {
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setKey("casProvider");
provider.setServiceProperties(serviceProperties);
provider.setTicketValidator(ticketValidator);
provider.setAuthenticationUserDetailsService(userDetailsService);
return provider;
}
@Bean
public LogoutFilter logoutFilter() {
String logoutRedirectPath = this.casServerConfig.getLogout() + "?service=" +
this.casServiceConfig.getHost();
LogoutFilter logoutFilter = new LogoutFilter(logoutRedirectPath, new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl(this.casServiceConfig.getLogout());
return logoutFilter;
}
}
ServiceProperties :服务配置,我们自己的服务。 CasAuthenticationFilter:CAS认证过滤器,主要实现票据认证和认证成功后的跳转。 LogoutFilter:注销功能
Spring Security配置
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class CasWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CasAuthenticationEntryPoint casAuthenticationEntryPoint;
@Autowired
private CasAuthenticationProvider casAuthenticationProvider;
@Autowired
private CasAuthenticationFilter casAuthenticationFilter;
@Autowired
private LogoutFilter logoutFilter;
@Autowired
private CasServerConfig casServerConfig;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().disable();
http.csrf().disable();
http.authorizeRequests()
.requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
.antMatchers("/static/**").permitAll() // 不拦截静态资源
.antMatchers("/api/**").permitAll() // 不拦截对外API
.anyRequest().authenticated(); // 所有资源都需要登陆后才可以访问。
http.logout().permitAll(); // 不拦截注销
http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint);
// 单点注销的过滤器,必须配置在SpringSecurity的过滤器链中,如果直接配置在Web容器中,貌似是不起作用的。我自己的是不起作用的。
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(this.casServerConfig.getHost());
http.addFilter(casAuthenticationFilter)
.addFilterBefore(logoutFilter, LogoutFilter.class)
.addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class);
http.antMatcher("/**");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(casAuthenticationProvider);
}
@Bean
public ServletListenerRegistrationBean<SingleSignOutHttpSessionListener> singleSignOutHttpSessionListener(){
ServletListenerRegistrationBean<SingleSignOutHttpSessionListener> servletListenerRegistrationBean =
new ServletListenerRegistrationBean<>();
servletListenerRegistrationBean.setListener(new SingleSignOutHttpSessionListener());
return servletListenerRegistrationBean;
}
}
到此SpringBoot、SpringSecurity、CAS集成结束。但是这样配置有一个问题,那就是如果我们登录之前的请求是带参数的,或者跳转的不是首页,那么就会出现登录成功之后直接跳转到主页,而不是我们想要访问的页面,参数也丢失了。下面我们来解决这个问题。
4 、处理回跳地址
处理的思路是,在登录之前记住访问地址及请求参数,在登录成功之后再取到这个地址然后回跳到对应的地址。
首先我们需要写一个过滤器来获取我们的请求地址,并放到Session中。
public class HttpParamsFilter implements Filter {
public String REQUESTED_URL = "CasRequestedUrl";
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) servletRequest;
final HttpServletResponse response = (HttpServletResponse) servletResponse;
HttpSession session = request.getSession();
String requestPath = WebUtils.getFullPath(request);
session.setAttribute(REQUESTED_URL, requestPath);
chain.doFilter(request, response);
}
@Override
public void destroy() {
}
}
然后在CasWebSecurityConfiguration中增加对应的配置。
@Bean
public FilterRegistrationBean httpParamsFilter() {
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
filterRegistrationBean.setFilter(new HttpParamsFilter());
filterRegistrationBean.setOrder(-999);
filterRegistrationBean.addUrlPatterns("/");
return filterRegistrationBean;
}
然后扩展SimpleUrlAuthenticationSuccessHandler来实现我们的功能。
public class MyUrlAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
public NeteaseUrlAuthenticationSuccessHandler() {
super();
}
public NeteaseUrlAuthenticationSuccessHandler(String defaultTargetUrl) {
super(defaultTargetUrl);
}
@Override
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
if (isAlwaysUseDefaultTargetUrl()) {
return this.getDefaultTargetUrl();
}
// Check for the parameter and use that if available
String targetUrl = null;
if (this.getTargetUrlParameter() != null) {
targetUrl = request.getParameter(this.getTargetUrlParameter());
if (StringUtils.hasText(targetUrl)) {
logger.debug("Found targetUrlParameter in request: " + targetUrl);
return targetUrl;
}
}
if (!StringUtils.hasText(targetUrl)) {
HttpSession session = request.getSession();
targetUrl = (String) session.getAttribute(HttpParamsFilter.REQUESTED_URL);
}
if (!StringUtils.hasText(targetUrl)) {
targetUrl = this.getDefaultTargetUrl();
logger.debug("Using default Url: " + targetUrl);
}
return targetUrl;
}
}
最后将CasAuthenticationFilter中的SimpleUrlAuthenticationSuccessHandler替换为MyUrlAuthenticationSuccessHandler就可以了。
这里需要注意一个问题,由于CAS回调是访问的/login/cas(这里是我的配置),所以过滤器一定不能拦截/login/cas否则HttpParamsFilter会将/login/cas放到Session中,就出现了无限循环。
1. 访问http://host/?id=1 -- session: /?id=1
2. CAS登录成功,然后回跳到login/cas?ticket=xxx -- session: login/cas?ticket=xxx
3. 验证票据成功NeteaseUrlAuthenticationSuccessHandler处理跳转,从session中获取跳转地址:login/cas?ticket=xxx
4. 跳转到`login/cas?ticket=xxx`然后重复步骤 2-4
主要是我们保留了请求中的参数,所以一直会有票据信息。所以就出现了无限循环。如果没有保留票据信息,就直接报错了,因为第二次访问的时候票据丢了。
由于我的是单页应用,所以我直接拦截主页就可以了。 另一种处理方法是在HttpParamsFilter判断访问地址,如果是login/cas就不更新Session中的值。
文章编写的有点仓促,如内容有误,或有纰漏欢迎各位读者指正。 原文地址http://blog.csdn.net/jaune161/article/details/78060780,转载请注明出处。
