Junky's IT Notebook


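CAS and Client-Side Acegi Installation and Configuration Guide (Part 2)

IV. Converting acegi-security-sample-tutorial

Unzip acegi-security-1.0.1.zip, copy acegi-security-sample-tutorial.war to the %CATALINA_HOME%/webapps directory, and restart Tomcat; acegi-security-sample-tutorial is now deployed. Next we convert it to use CAS for user login and authentication.

Open WEB-INF/applicationContext-acegi-security.xml in an editor and find: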

    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
        <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

Replace it with:

    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="filterProcessesUrl" value="/j_acegi_cas_security_check"/>
        <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

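Here authenticationFailureUrl is the page shown when authentication fails. acegi-security-sample-tutorial displays the reason for a failed login on its login page (acegilogin.jsp); now that it uses CAS, acegi-security-sample-tutorial uses the CAS login page, so acegilogin.jsp can be removed. Next, find: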

    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/acegilogin.jsp"/>
        <property name="forceHttps" value="false"/>
    </bean>

Replace it with:

    <bean class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl">
            <value>https://localhost:8443/cas/login</value>
        </property>
        <property name="serviceProperties">
            <ref bean="serviceProperties"/>
        </property>
    </bean>

Next, find:

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
                    <property name="key" value="changeThis"/>
                </bean>
                <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
                    <property name="key" value="changeThis"/>
                </bean>
            </list>
        </property>
    </bean>

Change <ref local="daoAuthenticationProvider"/> to <ref local="casAuthenticationProvider"/>, and add the following beans:

    <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
        <property name="ticketValidator">
            <ref bean="ticketValidator"/>
        </property>
        <property name="casProxyDecider">
            <ref bean="casProxyDecider"/>
        </property>
        <property name="statelessTicketCache">
            <ref bean="statelessTicketCache"/>
        </property>
        <property name="casAuthoritiesPopulator">
            <ref bean="casAuthritiesPopulator"/>
        </property>
        <property name="key">
            <value>some_unique_key</value>
        </property>
    </bean>

    <bean id="ticketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
        <property name="casValidate">
            <value>https://localhost:8443/cas/proxyValidate</value>
        </property>
        <property name="serviceProperties">
            <ref bean="serviceProperties"/>
        </property>
    </bean>

    <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
        <property name="service">
            <value>https://localhost:8443/acegi-security-sample-tutorial/j_acegi_cas_security_check</value>
        </property>
    </bean>

    <bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

    <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
        <property name="cache">
            <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                <property name="cacheManager">
                    <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
                </property>
                <property name="cacheName" value="userCache"/>
            </bean>
        </property>
    </bean>

    <bean id="casAuthritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
        <property name="userDetailsService">
            <ref bean="userDetailsService"/>
        </property>
    </bean>

The conversion is complete!
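A consistency check for the beans configured above, as an added example (not part of the original post or of Acegi/CAS): it parses a DTD-style Spring beans file and reports a service URL that does not end with the filter's filterProcessesUrl, CAS URLs that are not https, and key values left at the defaults shown on this page. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: beans from above, with a stale form-login service URL.
SAMPLE = """<beans>
 <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
  <property name="filterProcessesUrl" value="/j_acegi_cas_security_check"/>
 </bean>
 <bean class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
 </bean>
 <bean id="ticketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
  <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
 </bean>
 <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
  <property name="service"><value>https://localhost:8443/acegi-security-sample-tutorial/j_acegi_security_check</value></property>
 </bean>
 <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key" value="changeThis"/>
 </bean>
</beans>"""

def prop(bean, name):
    """Read a property given as value="..." or as a nested <value> element."""
    for p in bean.findall("property"):
        if p.get("name") == name:
            return p.get("value") or (p.findtext("value") or "").strip()
    return None

def lint(xml_text):
    """Return findings for the CAS-related beans of a Spring beans file."""
    beans = list(ET.fromstring(xml_text).iter("bean"))
    findings = []
    filt = [b for b in beans if b.get("class", "").endswith(".CasProcessingFilter")]
    svc = [b for b in beans if b.get("class", "").endswith(".ServiceProperties")]
    if filt and svc:
        # The filter only sees the returned ticket if `service` ends with this path.
        path = urlparse(prop(svc[0], "service") or "").path
        fpu = prop(filt[0], "filterProcessesUrl")
        if fpu and not path.endswith(fpu):
            findings.append("service URL does not end with filterProcessesUrl")
    for b in beans:
        for name in ("loginUrl", "casValidate", "service"):
            url = prop(b, name)
            if url and urlparse(url).scheme != "https":
                findings.append(f"{name} is not https: {url}")
        if prop(b, "key") in ("changeThis", "some_unique_key"):  # values from this page
            findings.append(f"tutorial default key in {b.get('class')}")
    return findings
```

Running lint() over the sample reports the stale service URL and the unchanged remember-me key; with the service URL corrected to end in /j_acegi_cas_security_check only the key finding remains.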

           

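V. Configuring CAS to Authenticate Users Against a JDBC Data Source

By default CAS lets anyone log in as long as the username and password are identical, which is not acceptable in real-world use. We change it to use the app_user table in MySQL's test database as the user data source. First, create a table in the test database: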

    CREATE TABLE `app_user` (
      `username` varchar(30) NOT NULL default '',
      `password` varchar(45) NOT NULL default '',
      PRIMARY KEY  (`username`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

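and add the following users (the passwords are stored in plaintext, which is acceptable only for a local test):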

    INSERT INTO `app_user` (`username`,`password`) VALUES
     ('dianne','emu'),
     ('marissa','koala'),
     ('peter','opal'),
     ('scott','wombat');

Open %CATALINA_HOME%/webapps/cas/WEB-INF/deployerConfigContext.xml in an editor and find:

              <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />

Comment out that line and add below it:

    <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
        <property name="sql" value="select password from app_user where username=?" />
        <property name="dataSource" ref="dataSource" />
    </bean>

and add one more bean:

    <!-- DriverManagerDataSource has no close() method, so no destroy-method is declared -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
        <property name="url"><value>jdbc:mysql://localhost:3306/test</value></property>
        <property name="username"><value>test</value></property>
        <property name="password"><value>test</value></property>
    </bean>

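Copy cas-server-jdbc-3.0.5-rc2.jar and mysql-connector-java-3.1.12-bin.jar to %CATALINA_HOME%/webapps/cas/WEB-INF/lib.

Restart Tomcat and enter http://localhost:8080/acegi-security-sample-tutorial in the browser. You will find that as soon as you access a protected page, the request is redirected to the CAS login page; after a successful login it is redirected back to the page originally requested. If there are multiple systems, switching between them does not require the user to log in again, which achieves single sign-on.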

           


           

posted on 2007-05-22 11:10 by junky, category: security

Comments

# re: CAS and Client-Side Acegi Installation and Configuration Guide (Part 2) [not logged in] 2010-06-25 15:05 墮落佛

May I ask which servlet j_acegi_cas_security_check is configured for?
