玩轉Spring Boot 使用Spring security 內建CAS
在上一篇中說了Spring Boot 使用Spring security,在這一篇中将講講security 內建CAS,如果對CAS環境搭建不清楚的話,那麼可以看我CAS的博文: 2.CAS環境搭建
3.CAS從資料庫擷取使用者資訊
4.CAS登入頁面定制
5.CAS增加驗證碼
6.CAS增加Remember me
7.CAS自定義錯誤資訊
1.建立工程
建立Maven工程:springboot-security-cas
2.加入依賴
建立工程後,打開pom.xml,在pom.xml中加入以下内容:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.3.RELEASE</version>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- security starter Poms -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- security 對CAS支援 -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
</dependency>
<!-- security taglibs -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency>
<!-- 熱加載 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
3.建立application.properties
建立application.properties檔案,加入以下内容:
#CAS服務位址
cas.server.host.url=http://localhost:8081/cas
#CAS服務登入位址
cas.server.host.login_url=${cas.server.host.url}/login
#CAS服務登出位址
cas.server.host.logout_url=${cas.server.host.url}/logout?service=${app.server.host.url}
#應用通路位址
app.server.host.url=http://localhost:8080
#應用登入位址
app.login.url=/login
#應用登出位址
app.logout.url=/logout
4.建立入口啟動類(MainConfig)
建立入口啟動類MainConfig,完整代碼如下:
package com.chengli.springboot;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@SpringBootApplication
public class MainConfig {
public static void main(String[] args) {
SpringApplication.run(MainConfig.class, args);
}
@RequestMapping("/")
public String index() {
return "通路了首頁哦";
}
@RequestMapping("/hello")
public String hello() {
return "不驗證哦";
}
@PreAuthorize("hasAuthority('TEST')")//有TEST權限的才能通路
@RequestMapping("/security")
public String security() {
return "hello world security";
}
@PreAuthorize("hasAuthority('ADMIN')")//必須要有ADMIN權限的才能通路
@RequestMapping("/authorize")
public String authorize() {
return "有權限通路";
}
/**這裡注意的是,TEST與ADMIN隻是權限編碼,可以自己定義一套規則,根據實際情況即可*/
}
5.建立Security配置類(SecurityConfig)
建立Security配置類SecurityConfig,完整代碼如下:
package com.chengli.springboot.security;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import com.chengli.springboot.custom.CustomUserDetailsService;
import com.chengli.springboot.properties.CasProperties;
@Configuration
@EnableWebSecurity //啟用web權限
@EnableGlobalMethodSecurity(prePostEnabled = true) //啟用方法驗證
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CasProperties casProperties;
/**定義認證使用者資訊擷取來源,密碼校驗規則等*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
auth.authenticationProvider(casAuthenticationProvider());
//inMemoryAuthentication 從記憶體中擷取
//auth.inMemoryAuthentication().withUser("chengli").password("123456").roles("USER")
//.and().withUser("admin").password("123456").roles("ADMIN");
//jdbcAuthentication從資料庫中擷取,但是預設是以security提供的表結構
//usersByUsernameQuery 指定查詢使用者SQL
//authoritiesByUsernameQuery 指定查詢權限SQL
//auth.jdbcAuthentication().dataSource(dataSource).usersByUsernameQuery(query).authoritiesByUsernameQuery(query);
//注入userDetailsService,需要實作userDetailsService接口
//auth.userDetailsService(userDetailsService);
}
/**定義安全政策*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()//配置安全政策
//.antMatchers("/","/hello").permitAll()//定義/請求不需要驗證
.anyRequest().authenticated()//其餘的所有請求都需要驗證
.and()
.logout()
.permitAll()//定義logout不需要驗證
.and()
.formLogin();//使用form表單登入
http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
.and()
.addFilter(casAuthenticationFilter())
.addFilterBefore(casLogoutFilter(), LogoutFilter.class)
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
//http.csrf().disable(); //禁用CSRF
}
/**認證的入口*/
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
/**指定service相關資訊*/
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService(casProperties.getAppServerUrl() + casProperties.getAppLoginUrl());
serviceProperties.setAuthenticateAllArtifacts(true);
return serviceProperties;
}
/**CAS認證過濾器*/
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
return casAuthenticationFilter;
}
/**cas 認證 Provider*/
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService());
//casAuthenticationProvider.setUserDetailsService(customUserDetailsService()); //這裡隻是接口類型,實作的接口不一樣,都可以的。
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("casAuthenticationProviderKey");
return casAuthenticationProvider;
}
/*@Bean
public UserDetailsService customUserDetailsService(){
return new CustomUserDetailsService();
}*/
/**使用者自定義的AuthenticationUserDetailsService*/
@Bean
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService(){
return new CustomUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
}
/**單點登出過濾器*/
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
/**請求單點退出過濾器*/
@Bean
public LogoutFilter casLogoutFilter() {
LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl());
return logoutFilter;
}
}
6.使用者自定義類
(1)定義CasProperties,用于将properties檔案指定的内容注入以友善使用,這裡不注入也是可以的,可以擷取Spring 目前的環境,代碼如下:
package com.chengli.springboot.properties;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
/**
* CAS的配置參數
* @author ChengLi
*/
@Component
public class CasProperties {
@Value("${cas.server.host.url}")
private String casServerUrl;
@Value("${cas.server.host.login_url}")
private String casServerLoginUrl;
@Value("${cas.server.host.logout_url}")
private String casServerLogoutUrl;
@Value("${app.server.host.url}")
private String appServerUrl;
@Value("${app.login.url}")
private String appLoginUrl;
@Value("${app.logout.url}")
private String appLogoutUrl;
......省略 getters setters 方法
}
(2)定義CustomUserDetailsService類,代碼如下:
package com.chengli.springboot.custom;
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
/**
* 用于加載使用者資訊 實作UserDetailsService接口,或者實作AuthenticationUserDetailsService接口
* @author ChengLi
*
*/
public class CustomUserDetailsService /*
//實作UserDetailsService接口,實作loadUserByUsername方法
implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println("目前的使用者名是:"+username);
//這裡我為了友善,就直接傳回一個使用者資訊,實際當中這裡修改為查詢資料庫或者調用服務什麼的來擷取使用者資訊
UserInfo userInfo = new UserInfo();
userInfo.setUsername("admin");
userInfo.setName("admin");
Set<AuthorityInfo> authorities = new HashSet<AuthorityInfo>();
AuthorityInfo authorityInfo = new AuthorityInfo("TEST");
authorities.add(authorityInfo);
userInfo.setAuthorities(authorities);
return userInfo;
}*/
//實作AuthenticationUserDetailsService,實作loadUserDetails方法
implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {
@Override
public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) throws UsernameNotFoundException {
System.out.println("目前的使用者名是:"+token.getName());
/*這裡我為了友善,就直接傳回一個使用者資訊,實際當中這裡修改為查詢資料庫或者調用服務什麼的來擷取使用者資訊*/
UserInfo userInfo = new UserInfo();
userInfo.setUsername("admin");
userInfo.setName("admin");
Set<AuthorityInfo> authorities = new HashSet<AuthorityInfo>();
AuthorityInfo authorityInfo = new AuthorityInfo("TEST");
authorities.add(authorityInfo);
userInfo.setAuthorities(authorities);
return userInfo;
}
}
(3)定義AuthorityInfo類,用于加載目前登入使用者的權限資訊,實作GrantedAuthority接口,代碼如下:
package com.chengli.springboot.custom;
import org.springframework.security.core.GrantedAuthority;
/**
* 權限資訊
*
* @author ChengLi
*
*/
public class AuthorityInfo implements GrantedAuthority {
private static final long serialVersionUID = -175781100474818800L;
/**
* 權限CODE
*/
private String authority;
public AuthorityInfo(String authority) {
this.authority = authority;
}
@Override
public String getAuthority() {
return authority;
}
public void setAuthority(String authority) {
this.authority = authority;
}
}
(4)定義UserInfo類,用于加載目前使用者資訊,實作UserDetails接口,代碼如下:
package com.chengli.springboot.custom;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
/**
* 使用者資訊
* @、這裡我寫了幾個較為常用的字段,id,name,username,password,可以根據實際的情況自己增加
* @author ChengLi
*
*/
public class UserInfo implements UserDetails {
private static final long serialVersionUID = -1041327031937199938L;
/**
* 使用者ID
*/
private Long id;
/**
* 使用者名稱
*/
private String name;
/**
* 登入名稱
*/
private String username;
/**
* 登入密碼
*/
private String password;
private boolean isAccountNonExpired = true;
private boolean isAccountNonLocked = true;
private boolean isCredentialsNonExpired = true;
private boolean isEnabled = true;
private Set<AuthorityInfo> authorities = new HashSet<AuthorityInfo>();
....省略getters setters 方法
}
到這裡基本就已經完成了,運作CAS Server ,将以上的application.properties檔案中的位址修改為實際的位址即可運作。
完整示例代碼在QQ交流群中:springboot-security-cas.zip
有興趣的朋友可以加群探讨互相學習:
Spring Boot QQ交流群:599546061