5.1SpringSecurity搭建
5.1.1 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.itheima</groupId>
<artifactId>springsecurity-cas-annotation-demo</artifactId>
<version>1.0-SNAPSHOT</version>
<!--war包-->
<packaging>war</packaging>
<dependencies>
<!--spring-security-->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.4.RELEASE</version>
</dependency>
<!--集成包-->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>4.2.4.RELEASE</version>
</dependency>
<!--cas核心包-->
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.3.3</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>log4j-over-slf4j</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--日志包-->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
<!--servlet-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
</dependencies>
</project>
5.1.2 web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!--指定spring配置文件-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring.xml</param-value>
</context-param>
<!--spring监听-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--委托过滤器:springSecurityFilterChain-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
5.1.3 spring.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<!--包扫描-->
<context:component-scan base-package="org.example" />
</beans>
5.1.4 创建自定义授权认证类
@Component
public class UserDetailsServiceImpl implements UserDetailsService {
/***
* 自定义认证授权
* @param username
* @return
* @throws UsernameNotFoundException
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
String password="123456";
//角色信息
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
return new User(username,password,grantedAuthorities);
}
}
5.1.5 创建SpringSecur配置类
配置类需要注意加上@Component、@EnableWebSecurity注解,同时注解3个方法分别为忽略某些地址的安全校验、设置需要拦截过滤的地址的安全校验规则、设置授权认证器三个方法都是configure方法。代码如下:
@Component
@EnableWebSecurity
public class SpringSecurityCOnfig extends WebSecurityConfigurerAdapter {
/***
* 三个configure方法
* 1)忽略某些地址的安全校验
* 2)设置需要拦截过滤的地址的安全校验规则
* 3)设置授权认证器
*/
/***
* 1)忽略某些地址的安全校验
* @param web
* @throws Exception
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/image/**");
web.ignoring().antMatchers("/403.html");
}
/***
* 2)设置需要拦截过滤的地址的安全校验规则
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//除了上面忽略安全校验的地址,其他的一律需要ROLE_ADMIN角色权限访问
http.authorizeRequests().anyRequest().access("hasAnyRole('ADMIN')");
//允许iframe的使用
http.headers().frameOptions().disable();
//禁止csrf
http.csrf().disable();
//开启登录功能
http.formLogin();
//开启登出功能
http.logout();
//异常处理
http.exceptionHandling().accessDeniedPage("/403.html");
}
/***
* 注入自定义授权认证类
*/
@Autowired
private UserDetailsService userDetailsService;
/***
* 3)设置授权认证器
* @param auth
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
}
5.1.6 新建资源文件
创建image,并拷贝1.jpg进去,作为开放资源。创建jsp/1.jsp,作为权限控制目录。创建403,作为无权访问的页面。
image.jpg
5.2 集成CAS
5.2.1 创建cas.properties
这里面记录了cas相关的访问地址以及自身相关的访问地址
#CAS服务地址
cas.server.host.url=http://localhost:28083/cas
#CAS服务登录地址
cas.server.host.login_url=http://localhost:28083/cas/login
#CAS服务登出地址
cas.server.host.logout_url=http://localhost:28083/cas/logout?service=http://localhost:28086
#应用访问地址
app.server.host.url=http://localhost:28086
#应用登录地址
app.login.url=/login
#应用登出地址
app.logout.url=/logout
5.2.2 创建CasProperties.java配置类
该类的作用是用于读取上面的配置文件
@Component
public class CasProperties {
@Value("${cas.server.host.url}")
private String casServerUrl;
@Value("${cas.server.host.login_url}")
private String casServerLoginUrl;
@Value("${cas.server.host.logout_url}")
private String casServerLogoutUrl;
@Value("${app.server.host.url}")
private String appServerUrl;
@Value("${app.login.url}")
private String appLoginUrl;
@Value("${app.logout.url}")
private String appLogoutUrl;
//get...set...
}
5.2.3 集成CAS认证和相关过滤器
修改configure方法,代码如下,分别加入了自定义授权认证类和Cas过滤器以及登出配置。我们需要将之前的用户自定义授权认证类去掉.
/***
* 2)设置需要拦截过滤的地址的安全校验规则
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//除了上面忽略安全校验的地址,其他的一律需要ROLE_ADMIN角色权限访问
http.authorizeRequests().anyRequest().access("hasAnyRole('ADMIN')");
//允许iframe的使用
http.headers().frameOptions().disable();
//禁止csrf
http.csrf().disable();
//开启登录功能
http.formLogin();
//开启登出功能
http.logout();
//异常处理
http.exceptionHandling().accessDeniedPage("/403.html")
.authenticationEntryPoint(casAuthenticationEntryPoint()) //设置自定义授权认证类
.and()
.addFilter(casAuthenticationFilter()) //设置CAS授权过滤器
.addFilterBefore(casLogoutFilter(),LogoutFilter.class) //登出配置
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);//登出配置
}
过滤器以及授权认证类的实现
/***
* UserDetailsServiceImpl在SpringIOC容器中
*/
@Autowired
private UserDetailsService userDetailsService;
//Cas认证入口
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){
//用于配置Cas认证入口信息
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
//设置登录地址
casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
//返回的服务信息
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
/****
* 服务配置信息
* @return
*/
@Bean
public ServiceProperties serviceProperties(){
//服务信息配置
ServiceProperties serviceProperties = new ServiceProperties();
//设置应用访问信息
serviceProperties.setService(casProperties.getAppServerUrl()+casProperties.getAppLoginUrl());
//针对非空登录用户进行身份校验
serviceProperties.setAuthenticateAllArtifacts(true);
return serviceProperties;
}
/**CAS认证过滤器*/
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
//设置CAS授权过滤器
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
//集成SpringSecurity授权认证器
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
return casAuthenticationFilter;
}
/**
* cas 认证 Provider
* */
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
//创建CAS授权认证器
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
//集成自定义授权认证器
casAuthenticationProvider.setUserDetailsService(userDetailsService);
//设置Cas授权认证器相关配置
casAuthenticationProvider.setServiceProperties(serviceProperties());
//设置票据校验器
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("casAuthenticationProviderKey");
return casAuthenticationProvider;
}
/**
* 设置票据校验地址-CAS地址
* @return
*/
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
}
/**单点登出过滤器*/
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
/**请求单点退出过滤器*/
@Bean
public LogoutFilter casLogoutFilter() {
LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl());
return logoutFilter;
}
5.2.4 完整代码
@Component
@EnableWebSecurity //开启SpringSecurity注解配置
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CasProperties casProperties;
//三个方法的方法名都是:configure
/***
* 1)忽略某些地址的安全校验
* @param web
* @throws Exception
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/image/**");
web.ignoring().antMatchers("/403.html");
}
/***
* 2)设置需要拦截过滤的地址的安全校验规则
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
//除了上面忽略安全校验的地址,其他的一律需要ROLE_ADMIN角色权限访问
http.authorizeRequests().anyRequest().access("hasAnyRole('ADMIN')");
//允许iframe的使用
http.headers().frameOptions().disable();
//禁止csrf
http.csrf().disable();
//开启登录功能
http.formLogin();
//开启登出功能
http.logout();
//异常处理
http.exceptionHandling().accessDeniedPage("/403.html")
.authenticationEntryPoint(casAuthenticationEntryPoint()) //设置自定义授权认证类
.and()
.addFilter(casAuthenticationFilter()) //设置CAS授权过滤器
.addFilterBefore(casLogoutFilter(),LogoutFilter.class) //登出配置
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);//登出配置
}
/***
* UserDetailsServiceImpl在SpringIOC容器中
*/
@Autowired
private UserDetailsService userDetailsService;
//Cas认证入口
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){
//用于配置Cas认证入口信息
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
//设置登录地址
casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
//返回的服务信息
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
/****
* 服务配置信息
* @return
*/
@Bean
public ServiceProperties serviceProperties(){
//服务信息配置
ServiceProperties serviceProperties = new ServiceProperties();
//设置应用访问信息
serviceProperties.setService(casProperties.getAppServerUrl()+casProperties.getAppLoginUrl());
//针对非空登录用户进行身份校验
serviceProperties.setAuthenticateAllArtifacts(true);
return serviceProperties;
}
/**CAS认证过滤器*/
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
//设置CAS授权过滤器
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
//集成SpringSecurity授权认证器
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
return casAuthenticationFilter;
}
/**
* cas 认证 Provider
* */
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
//创建CAS授权认证器
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
//集成自定义授权认证器
casAuthenticationProvider.setUserDetailsService(userDetailsService);
//设置Cas授权认证器相关配置
casAuthenticationProvider.setServiceProperties(serviceProperties());
//设置票据校验器
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("casAuthenticationProviderKey");
return casAuthenticationProvider;
}
/**
* 设置票据校验地址-CAS地址
* @return
*/
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
}
/**单点登出过滤器*/
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
/**请求单点退出过滤器*/
@Bean
public LogoutFilter casLogoutFilter() {
LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl());
return logoutFilter;
}
}
