cas單點登錄客戶端接入配置

1.使用shiro進行權限校驗的系統接入方法

1.1 shiro.xml配置

# CAS single sign-on settings
# NOTE(review): both URLs use plain http://, so the login redirect and the CAS
# endpoints derived from them are not protected by TLS. Port 18443 looks like a
# TLS port, so confirm the intended scheme; use https:// outside test environments.

cas.server.url=http://sso.smeha.cn:18443/sso

cas.project.url=http://www.smeha.cn:8080

<!-- Shiro security filter: sends users who still need to authenticate to the CAS server -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <!-- The login URL is the CAS server plus a service parameter that names this
             application's ${adminPath}/cas callback.
             NOTE(review): the service value is concatenated without URL-encoding and the
             CAS URL carries no /login suffix; confirm the CAS server accepts this form. -->
        <property name="loginUrl" value="${cas.server.url}?service=${cas.project.url}${adminPath}/cas"/>
        <!-- Previous local form-login URL, kept for reference: -->
        <!--<property name="loginUrl" value="${adminPath}/login" />-->
        <property name="successUrl" value="${adminPath}?login"/>
        <!-- Named filters that the chain definitions can refer to -->
        <property name="filters">
            <map>
                <entry key="authc" value-ref="formAuthenticationFilter"/>
                <entry key="cas" value-ref="casFilter"/>
                <entry key="logout" value-ref="logoutFilter"/>
            </map>
        </property>
        <property name="filterChainDefinitions" ref="shiroFilterChainDefinitions"/>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="casAuthorizingRealm" />

        <!--<property name="realm" ref="systemAuthorizingRealm" />-->

        <property name="sessionManager" ref="sessionManager" />

        <property name="cacheManager" ref="shiroCacheManager" />

    </bean>

 

<!-- CAS authentication filter.
     NOTE(review): CustomCasFilter is project code that is not shown here; failureUrl is
     presumably the redirect target when ticket validation fails. Confirm in that class. -->
<bean id="casFilter" class="com.rj.smeha.modules.sys.security.CustomCasFilter">
    <property name="failureUrl" value="${adminPath}/login"/>
</bean>

<!-- Logout filter: after the local logout the browser is redirected to the CAS server's
     /logout endpoint, with a service parameter that points back at ${frontPath} -->
<bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
    <property name="redirectUrl" value="${cas.server.url}/logout?service=${cas.project.url}${frontPath}"/>
</bean>

<!-- CAS realm (project class, source not shown).
     casService repeats the service URL used in shiroFilter's loginUrl; keep the two values
     identical.
     NOTE(review): casServerUrlPrefix resolves to a plain http:// URL in the settings above;
     presumably ticket validation goes to this prefix, so it should be an https:// endpoint
     outside test environments. -->
<bean id="casAuthorizingRealm" class="com.rj.smeha.modules.sys.security.CasAuthorizingRealm">
    <property name="casServerUrlPrefix" value="${cas.server.url}"/>
    <property name="casService" value="${cas.project.url}${adminPath}/cas"/>
</bean>

 

1.2 Web.xml配置

<!-- Optional: lets application code read the SSO login name through
     HttpServletRequest.getRemoteUser() -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Makes the login name available through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName().
     The class keeps the Assertion in a ThreadLocal, so code outside the web layer can
     also read the current login information. -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Single sign-out: all clients are logged out.
     NOTE(review): this web.xml fragment registers only the session listener; no
     SingleSignOutFilter is mapped here, and the Shiro configuration uses its own
     sessionManager. Confirm that a CAS logout really invalidates the Shiro session. -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

 

 

2.未使用shiro進行權限校驗的系統接入方法

2.1.添加jar包

有兩種方式:

第一種,下載cas-client-3.2.1.zip然後解壓,在modules文件夾中有需要的jar包,請根據自己的項目情況選擇使用,把相應的jar包放到你項目WEB-INF/lib下。

第二種,通過maven的方式引用(注意:下面的版本號3.1.12與第一種方式中的3.2.1不一致,兩者都是較舊的版本,請統一版本並確認所選版本仍在維護):

<!-- CAS client library.
     NOTE(review): 3.1.12 is an old release and differs from the 3.2.1 zip named in the
     first option; check the project's security advisories and pin a maintained release. -->
<dependency>
    <groupId>org.jasig.cas.client</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.1.12</version>
</dependency>

2.2.配置 CAS Filter

<!-- SSO client configuration: session listener used for single sign-out (optional) -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- Implements single sign-out (optional). It is declared ahead of the other CAS filters
     in this file; keep that order so it sees requests first. -->
<filter>
    <filter-name>SingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

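<!-- Validates the CAS ticket; this filter must be enabled -->
<filter>
    <filter-name>CASValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <!-- CAS server prefix used for ticket validation.
         NOTE(review): this is a plain http:// URL, so the validation exchange is not
         protected by TLS; use an https:// CAS endpoint outside test environments. -->
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://sso.smeha.cn/sso</param-value>
    </init-param>
    <!-- Client application URL. Replace the sample host with the real client address;
         keep it a fixed value so the service URL does not depend on the incoming request. -->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://you.client.com:8080</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- NOTE(review): with false, a failed ticket validation does not raise a
         ServletException; confirm how failures are surfaced and logged in the client
         version actually deployed. -->
    <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- Redirect after validation so the ticket parameter does not stay in the URL -->
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>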

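<!-- Performs user authentication (redirects to the CAS login page); this filter must be
     enabled -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <!-- The values below carry no leading whitespace: param-value text is a plain string,
         so a stray space can end up inside the URL.
         NOTE(review): the login URL is plain http://, which exposes the login page and
         credentials to interception; use an https:// CAS endpoint outside test
         environments. -->
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://sso.smeha.cn/sso/login</param-value>
    </init-param>
    <!-- Client application URL; must match the serverName given to CASValidationFilter -->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://you.client.com:8080</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>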

<!-- Optional: exposes the SSO login name through HttpServletRequest.getRemoteUser() -->
<filter>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Lets code obtain the login name through org.jasig.cas.client.util.AssertionHolder,
     for example AssertionHolder.getAssertion().getPrincipal().getName() -->
<filter>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CASAssertionThreadLocalFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Project-specific filter (source not shown) that intercepts the data returned after a
     successful SSO login and processes it. It is mapped last, after the CAS filters. -->
<filter>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <filter-class>com.common.web.filter.SSO4InvokeContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SSO4InvokeContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
