The CAS server and the CAS client are both configured. Logging in at the CAS server works, but accessing a resource on the client application results in "access denied".
Access is denied right away on the first login.
CAS server configuration:
cas.properties
```properties
#server.prefix=http://localhost:8080/cas
#server.prefix=http://cas.wucht.com:8080/casServer
server.prefix=http://localhost:8080/casServer
cas.securityContext.serviceProperties.service=${server.prefix}/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
cas.themeResolver.defaultThemeName=cas-theme-default
#cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views
#host.name=cas
host.name=casServer
#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
#database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
```
deployerConfigContext.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
  | all CAS deployers will need to modify.
  |
  | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
  | The beans declared in this file are instantiated at context initialization time by the Spring
  | ContextLoaderListener declared in web.xml. It finds this file because this
  | file is among those declared in the context parameter "contextConfigLocation".
  |
  | By far the most common change you will need to make in this file is to change the last bean
  | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
  | one implementing your approach for authenticating usernames and passwords.
  +-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!--
    | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean. We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <!--
      | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
      | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
      | supports the presented credentials.
      |
      | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
      | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
      | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
      | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
      | using.
      |
      | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
      | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
      | You will need to change this list if you are identifying services by something more or other than their callback URL.
      +-->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!--
          | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
          | by default and produces SimplePrincipal instances conveying the username from the credentials.
          |
          | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
          | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
          | Credentials you are using.
          +-->
        <bean
            class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
          <!-- Added property: attaches attributes from the attributeRepository to the authenticated user's Principal -->
          <property name="attributeRepository" ref="attributeRepository"></property>
        </bean>
        <!--
          | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
          | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
          | SimpleService identified by that callback URL.
          |
          | If you are representing services by something more or other than an HTTPS URL whereat they are able to
          | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
          +-->
        <bean
            class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <!--
      | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
      | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
      | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
      | until it finds one that both supports the Credentials presented and succeeds in authenticating.
      +-->
    <property name="authenticationHandlers">
      <list>
        <!--
          | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
          | a server side SSL certificate.
          +-->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient" />
        <!--
          | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
          | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
          | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
          | local authentication strategy. You might accomplish this by coding a new such handler and declaring
          | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
          +-->
        <!--
        <bean
            class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
        -->
        <!-- Database authentication (wucht) -->
        <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
          <property name="dataSource" ref="dataSource" />
          <!-- The value this query returns is compared with the submitted password through the handler's
               passwordEncoder; with no encoder configured, the stored password must be plain text -->
          <property name="sql" value="select password from users where name=?" />
        </bean>
      </list>
    </property>
  </bean>
  <!-- DATABASE: added data source configuration (MySQL root credentials, in clear text) -->
  <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <!-- "&" must be escaped as "&amp;" inside an XML attribute or element value -->
    <property name="url"><value>jdbc:mysql://localhost:3306/mysql?useUnicode=true&amp;characterEncoding=utf-8</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>root</value></property>
  </bean>
  <!--
    This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the Jdbc version.
    The name of this should remain "userDetailsService" in order for Spring Security to find it.
    -->
  <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
  <sec:user-service id="userDetailsService">
    <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
  </sec:user-service>
  <!--
    Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
    may go against a database or LDAP server. The id should remain "attributeRepository" though.
    -->
  <!--
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
      </map>
    </property>
  </bean>
  -->
  <!-- Use SingleRowJdbcPersonAttributeDao to fetch additional user information -->
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
    <constructor-arg index="0" ref="dataSource"/>
    <constructor-arg index="1" value="select role_name from role where login_name = ?"/>
    <!-- The key here must be "username"; the value is the database column holding the login name -->
    <property name="queryAttributeMapping">
      <map>
        <entry key="username" value="login_name"/>
      </map>
    </property>
    <!-- key: database column, value: the attribute name the client retrieves -->
    <!-- Attributes released after authentication -->
    <property name="resultAttributeMapping">
      <map>
        <!-- The role read from the database, used for Spring Security authorization in the application -->
        <entry key="role_name" value="authorities"/>
      </map>
    </property>
  </bean>
  <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".
    -->
  <bean
      id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <!--
    <property name="registeredServices">
      <list>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="0" />
          <property name="name" value="HTTP" />
          <property name="description" value="Only Allows HTTP Urls" />
          <property name="serviceId" value="http://**" />
          <property name="evaluationOrder" value="10000001" />
        </bean>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="1" />
          <property name="name" value="HTTPS" />
          <property name="description" value="Only Allows HTTPS Urls" />
          <property name="serviceId" value="https://**" />
          <property name="evaluationOrder" value="10000002" />
        </bean>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="2" />
          <property name="name" value="IMAPS" />
          <property name="description" value="Only Allows HTTPS Urls" />
          <property name="serviceId" value="imaps://**" />
          <property name="evaluationOrder" value="10000003" />
        </bean>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="3" />
          <property name="name" value="IMAP" />
          <property name="description" value="Only Allows IMAP Urls" />
          <property name="serviceId" value="imap://**" />
          <property name="evaluationOrder" value="10000004" />
        </bean>
      </list>
    </property>
    -->
  </bean>
  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
</beans>
```
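The attributeRepository above renames the `role_name` column to a released attribute called `authorities`, and the client side later builds Spring Security authorities from an attribute of exactly that name. The client, however, only sees what the CAS server's `/serviceValidate` response actually carries: which attributes are released is decided per registered service, and the validation view has to render them. The following added example (not code from the post, from CAS or from Spring Security; the user row, role values and XML responses are constructed here) walks that path in Python: rename the row, render a CAS 2.0 validation response, parse it as a client does, and evaluate the `/**` rule that requires ROLE_USER. It also shows the two silent failure modes: a response with no `<cas:attributes>` element leaves the user with no authorities at all, and a released role other than ROLE_USER still fails the rule.

```python
"""DB role -> released CAS attribute -> serviceValidate XML -> Spring Security authorities.

Added example, not code from the original post, CAS or Spring Security.
Constructed sample data: the user rows, role values and the XML responses below.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed CAS 2.0 failure response, to show the path without an authenticationSuccess element.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-1-example' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def _cas(local):
    """Qualified tag name in the CAS namespace."""
    return "{%s}%s" % (CAS_NS, local)


def release_attributes(db_row, result_attribute_mapping):
    """Server side, mirroring SingleRowJdbcPersonAttributeDao.resultAttributeMapping:
    rename selected columns to released attribute names. Unmapped columns are not
    released; every value becomes a list because CAS attributes are multi-valued."""
    released = {}
    for column, attribute in result_attribute_mapping.items():
        value = db_row.get(column)
        if value is None:
            continue
        released[attribute] = list(value) if isinstance(value, (list, tuple)) else [value]
    return released


def render_validation_success(user, attributes):
    """Server side: a CAS 2.0 authenticationSuccess response. With an empty attribute
    dict no <cas:attributes> element is written at all, which is what a validation
    view that does not render attributes returns."""
    ET.register_namespace("cas", CAS_NS)
    root = ET.Element(_cas("serviceResponse"))
    success = ET.SubElement(root, _cas("authenticationSuccess"))
    ET.SubElement(success, _cas("user")).text = user
    if attributes:
        holder = ET.SubElement(success, _cas("attributes"))
        for name, values in attributes.items():
            for value in values:  # one element per value: <cas:authorities>ROLE_USER</cas:authorities>
                ET.SubElement(holder, _cas(name)).text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_validation_response(xml_text):
    """Client side, what a CAS 2.0 ticket validator extracts: (user, {attribute: [values]}),
    or None when the server answered with authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find(_cas("authenticationSuccess"))
    if success is None:
        return None
    attributes = {}
    holder = success.find(_cas("attributes"))
    if holder is not None:
        for child in holder:
            name = child.tag.rsplit("}", 1)[-1]  # strip the namespace
            attributes.setdefault(name, []).append(child.text or "")
    return success.findtext(_cas("user")), attributes


def granted_authorities(attributes, attribute_names=("authorities",)):
    """Client side, mirroring GrantedAuthorityFromAssertionAttributesUserDetailsService:
    one authority per value of each configured attribute; a missing attribute adds nothing."""
    authorities = []
    for name in attribute_names:
        authorities.extend(attributes.get(name, []))
    return authorities


def access_decision(authorities, required="ROLE_USER"):
    """<intercept-url pattern="/**" access="ROLE_USER" />: deny unless the role is held."""
    return required in authorities


def decide_for_row(db_row, render_attributes=True):
    """Run the whole chain for one user row. render_attributes=False models a
    validation view that never writes <cas:attributes>."""
    released = release_attributes(db_row, {"role_name": "authorities"})
    xml_text = render_validation_success(db_row["login_name"], released if render_attributes else {})
    user, attributes = parse_validation_response(xml_text)
    authorities = granted_authorities(attributes)
    return user, authorities, access_decision(authorities)


if __name__ == "__main__":
    print(decide_for_row({"login_name": "wucht", "role_name": "ROLE_USER"}))
    print(decide_for_row({"login_name": "wucht", "role_name": "ROLE_USER"}, render_attributes=False))
```

The practical check this gives you: fetch `/serviceValidate?ticket=...&service=...` for a real ticket with curl and look for `<cas:attributes>` in the body. If it is absent, no client-side configuration will ever produce authorities, and the `role` table must contain the literal value the `intercept-url` rule asks for.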
Spring Security configuration (client side)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"
    default-lazy-init="true">
  <!--
    entry-point-ref="casEntryPoint" names the authentication entry point, a class implementing the
    AuthenticationEntryPoint interface; ExceptionTranslationFilter uses it to start authentication.
    <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/> puts a custom filter at the
    FORM_LOGIN_FILTER position of the filter chain.
    casEntryPoint only provides the entry point: when access is denied, the user is redirected there.
    casFilter processes the CAS service ticket; when access is denied, the entry point provided by
    casEntryPoint is used.
  -->
  <http auto-config="true" entry-point-ref="casEntryPoint"
      access-denied-page="/403.jsp">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <!-- ROLE_ADMIN-->
    <!-- logout-success-url="/login.html" -->
    <!-- Logout must first log the user out of the application, then out of the CAS central authentication service -->
    <logout logout-url="/logout.html"
        success-handler-ref="casLogoutSuccessHandler" />
    <custom-filter position="CAS_FILTER" ref="casFilter" />
  </http>
  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="casAuthenticationProvider" />
  </authentication-manager>
  <!-- CAS central authentication service entry point -->
  <beans:bean id="casEntryPoint"
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl"
        value="http://localhost:8080/casServer/login" />
    <beans:property name="serviceProperties"
        ref="serviceProperties" />
  </beans:bean>
  <!-- CAS central authentication service settings -->
  <beans:bean id="serviceProperties"
      class="org.springframework.security.cas.ServiceProperties">
    <!-- CAS redirects back to this URL with the service ticket appended -->
    <beans:property name="service"
        value="http://localhost:8080/Cas_Client/j_acegi_cas_security_check" />
    <beans:property name="sendRenew" value="false" />
  </beans:bean>
  <!-- CAS service ticket validation -->
  <beans:bean id="casFilter"
      class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <!-- This filter only validates tickets on requests to its filterProcessesUrl, which defaults to
         /j_spring_cas_security_check when the property is not set; the service URL above ends in
         /j_acegi_cas_security_check -->
    <beans:property name="authenticationManager"
        ref="authenticationManager" />
    <!-- <beans:property name="authenticationFailureHandler">-->
    <!-- <beans:bean-->
    <!-- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">-->
    <!-- <beans:property name="defaultFailureUrl"-->
    <!-- value="/logout.html" />-->
    <!-- </beans:bean>-->
    <!-- </beans:property>-->
    <!-- Page shown after a successful login, if it is fixed; otherwise use ref="authenticationSuccessHandler" -->
    <!-- <beans:property name="authenticationSuccessHandler">-->
    <!-- <beans:bean-->
    <!-- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">-->
    <!-- <beans:property name="defaultTargetUrl"-->
    <!-- value="/index.jsp" />-->
    <!-- </beans:bean>-->
    <!-- </beans:property>-->
  </beans:bean>
  <!-- Obtain user details from the CAS server -->
  <beans:bean id="authenticationUserDetailsService"
      class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
    <beans:constructor-arg>
      <beans:array>
        <!-- Name of the CAS attribute whose values become granted authorities -->
        <beans:value>authorities</beans:value>
      </beans:array>
    </beans:constructor-arg>
  </beans:bean>
  <beans:bean id="userDetailsService"
      class="com.reportstart.security.service.impl.BocUserDetaislServiceImpl">
    <!-- <beans:property name="userDao">-->
    <!-- <beans:ref bean="userDao" />-->
    <!-- </beans:property>-->
  </beans:bean>
  <!-- <beans:bean id="authenticationUserDetailsService"-->
  <!-- class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">-->
  <!-- <beans:property name="userDetailsService">-->
  <!-- <beans:ref local="userDetailsService" />-->
  <!-- </beans:property>-->
  <!-- </beans:bean>-->
  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <!-- Use a custom service to obtain user details -->
    <!-- <beans:property name="authenticationUserDetailsService"-->
    <!-- ref="casAuthenticationUserDetailsService" />-->
    <!-- Obtain user details via the CAS server -->
    <beans:property name="authenticationUserDetailsService"
        ref="authenticationUserDetailsService" />
    <beans:property name="serviceProperties"
        ref="serviceProperties" />
    <beans:property name="ticketValidator">
      <beans:bean
          class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <beans:constructor-arg index="0"
            value="http://localhost:8080/casServer" />
      </beans:bean>
    </beans:property>
    <!-- Custom CAS client identifier (wucht, 2012-6-4): each CAS client needs its own key to distinguish it from other clients -->
    <beans:property name="key"
        value="Cas_Client" />
  </beans:bean>
  <!-- Logout -->
  <beans:bean id="casLogoutSuccessHandler"
      class="com.wucht.test.CasLogoutSuccessHandler">
  </beans:bean>
</beans:beans>
```
When Spring Security is integrated with CAS, an exception on the first visit to a client page is normal: Spring Security's exception-translation filter catches the access-denied exception, and only then does it redirect to the entry point (that is, the CAS server login page).
After entering the account and password on the CAS server login page, it does not redirect back to the client, and the backend log already states it clearly:
org.springframework.security.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
The logged-in account is anonymous.