Spring?boot?security權(quán)限管理集成cas單點(diǎn)登錄功能的實(shí)現(xiàn)
掙扎了兩周,Spring security的cas終于搞出來(lái)了,廢話(huà)不多說(shuō),開(kāi)篇!
1.Spring boot集成Spring security
本篇是使用spring security集成cas,因此,先得集成spring security
新建一個(gè)Spring boot項(xiàng)目,加入maven依賴(lài),我這里是用的架構(gòu)是Spring boot2.0.4+Spring mvc+Spring data jpa+Spring security5
pom.xml:
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.cas.client1</groupId> <artifactId>cas-client1</artifactId> <version>0.0.1-SNAPSHOT</version> <packaging>jar</packaging> <name>cas-client1</name> <description>Demo project for Spring Boot</description> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.0.4.RELEASE</version> <relativePath/> <!-- lookup parent from repository --> </parent> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <java.version>1.8</java.version> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <artifactId>spring-boot-starter-thymeleaf</artifactId> <artifactId>spring-boot-starter-tomcat</artifactId> <scope>provided</scope> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.12</version> <scope>test</scope> <artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-security</artifactId> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <!-- security taglibs --> <artifactId>spring-security-taglibs</artifactId> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> <version>RELEASE</version> <artifactId>spring-boot-starter-data-jpa</artifactId> <artifactId>spring-boot-starter-jdbc</artifactId> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>5.1.46</version> <!-- https://mvnrepository.com/artifact/com.alibaba/druid-spring-boot-starter --> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version>1.1.10</version> <artifactId>spring-boot</artifactId> <version>2.0.2.RELEASE</version> <scope>compile</scope> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project>
application.properties:
server.port=8083 #靜態(tài)文件訪(fǎng)問(wèn)存放地址 spring.resources.static-locations=classpath:/html/ # thymeleaf 模板存放地址 spring.thymeleaf.prefix=classpath:/html/ spring.thymeleaf.suffix=.html spring.thymeleaf.mode=LEGACYHTML5 spring.thymeleaf.encoding=UTF-8 # JDBC 配置(驅(qū)動(dòng)類(lèi)自動(dòng)從url的mysql識(shí)別,數(shù)據(jù)源類(lèi)型自動(dòng)識(shí)別) # 或spring.datasource.url= spring.datasource.druid.url=jdbc:mysql://localhost:3306/vhr?useUnicode=true&characterEncoding=UTF8 # 或spring.datasource.username= spring.datasource.druid.username=root # 或spring.datasource.password= spring.datasource.druid.password=1234 #或 spring.datasource.driver-class-name= #spring.datasource.druid.driver-class-name=com.mysql.jdbc.Driver #連接池配置(通常來(lái)說(shuō),只需要修改initialSize、minIdle、maxActive # 如果用Oracle,則把poolPreparedStatements配置為true,mysql可以配置為false。分庫(kù)分表較多的數(shù)據(jù)庫(kù),建議配置為false。removeabandoned不建議在生產(chǎn)環(huán)境中打開(kāi)如果用SQL Server,建議追加配置) spring.datasource.druid.initial-size=1 spring.datasource.druid.max-active=20 spring.datasource.druid.min-idle=1 # 配置獲取連接等待超時(shí)的時(shí)間 spring.datasource.druid.max-wait=60000 #打開(kāi)PSCache,并且指定每個(gè)連接上PSCache的大小 spring.datasource.druid.pool-prepared-statements=true spring.datasource.druid.max-pool-prepared-statement-per-connection-size=20 #spring.datasource.druid.max-open-prepared-statements=和上面的等價(jià) spring.datasource.druid.validation-query=SELECT 'x' #spring.datasource.druid.validation-query-timeout= spring.datasource.druid.test-on-borrow=false spring.datasource.druid.test-on-return=false spring.datasource.druid.test-while-idle=true #配置間隔多久才進(jìn)行一次檢測(cè),檢測(cè)需要關(guān)閉的空閑連接,單位是毫秒 spring.datasource.druid.time-between-eviction-runs-millis=60000 #配置一個(gè)連接在池中最小生存的時(shí)間,單位是毫秒 spring.datasource.druid.min-evictable-idle-time-millis=300000 #spring.datasource.druid.max-evictable-idle-time-millis= #配置多個(gè)英文逗號(hào)分隔 #spring.datasource.druid.filters= stat # WebStatFilter配置,說(shuō)明請(qǐng)參考Druid Wiki,配置_配置WebStatFilter #是否啟用StatFilter默認(rèn)值true spring.datasource.druid.web-stat-filter.enabled=true spring.datasource.druid.web-stat-filter.url-pattern=/* spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/* spring.datasource.druid.web-stat-filter.session-stat-enable=false spring.datasource.druid.web-stat-filter.session-stat-max-count=1000 spring.datasource.druid.web-stat-filter.principal-session-name=admin spring.datasource.druid.web-stat-filter.principal-cookie-name=admin spring.datasource.druid.web-stat-filter.profile-enable=true # StatViewServlet配置 #展示Druid的統(tǒng)計(jì)信息,StatViewServlet的用途包括:1.提供監(jiān)控信息展示的html頁(yè)面2.提供監(jiān)控信息的JSON API #是否啟用StatViewServlet默認(rèn)值true spring.datasource.druid.stat-view-servlet.enabled=true spring.datasource.druid.stat-view-servlet.url-pattern=/druid/* # JPA config spring.jpa.database=mysql spring.jpa.hibernate.ddl-auto=update spring.jpa.show-sql=true spring.jpa.generate-ddl=true spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect spring.jpa.open-in-view=true # 解決jpa no session的問(wèn)題 spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true
這里使用數(shù)據(jù)庫(kù)存儲(chǔ)角色權(quán)限信息,分三種實(shí)體:用戶(hù);角色;資源;用戶(hù)對(duì)角色多對(duì)多;角色對(duì)資源多對(duì)多
創(chuàng)建幾個(gè)實(shí)體類(lèi):
用戶(hù):這里直接使用用戶(hù)持久化對(duì)象實(shí)現(xiàn)Spring security要求的UserDetails接口,并實(shí)現(xiàn)對(duì)應(yīng)方法
package com.cas.client1.entity; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.util.CollectionUtils; import javax.persistence.*; import java.util.ArrayList; import java.util.Collection; import java.util.List; @Entity @Table(name = "s_user") public class User implements UserDetails { @Id private String id; @Column(name = "username") private String username; @Column(name = "password") private String password; @ManyToMany(fetch = FetchType.LAZY) @JoinTable( name = "s_user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id") ) private List<Role> roles; public User() { } public User(String id, String username, String password) { this.id = id; this.username = username; this.password = password; public String getId() { return id; public void setId(String id) { public List<Role> getRoles() { return roles; public void setRoles(List<Role> roles) { this.roles = roles; @Override public String getUsername() { return username; public boolean isAccountNonExpired() { return true; public boolean isAccountNonLocked() { public boolean isCredentialsNonExpired() { public boolean isEnabled() { public void setUsername(String username) { @Transient List<GrantedAuthority> grantedAuthorities=new ArrayList<>(); public Collection<? extends GrantedAuthority> getAuthorities() { if (grantedAuthorities.size()==0){ if (!CollectionUtils.isEmpty(roles)){ for (Role role:roles){ List<Resource> resources = role.getResources(); if (!CollectionUtils.isEmpty(resources)){ for (Resource resource:resources){ grantedAuthorities.add(new SimpleGrantedAuthority(resource.getResCode())); } } } } grantedAuthorities.add(new SimpleGrantedAuthority("AUTH_0")); } return grantedAuthorities; public String getPassword() { return password; public void setPassword(String password) { }
注意看這里:
我給每一位登錄的用戶(hù)都授予了AUTH_0的權(quán)限,AUTH_0在下面的SecurityMetaDataSource里被關(guān)聯(lián)的url為:/**,也就是說(shuō)除開(kāi)那些機(jī)密程度更高的,這個(gè)登錄用戶(hù)能訪(fǎng)問(wèn)所有資源
角色:
package com.cas.client1.entity; import javax.persistence.*; import java.util.List; /** * @author Administrator */ @Entity @Table(name = "s_role") public class Role { @Id @Column(name = "id") private String id; @Column(name = "role_name") private String roleName; @ManyToMany(fetch = FetchType.LAZY) @JoinTable( name = "s_role_res", joinColumns = @JoinColumn(name = "role_id"), inverseJoinColumns = @JoinColumn(name = "res_id") ) private List<Resource> resources; name = "s_user_role", inverseJoinColumns = @JoinColumn(name = "user_id") private List<User> users; public String getId() { return id; } public void setId(String id) { this.id = id; public String getRoleName() { return roleName; public void setRoleName(String roleName) { this.roleName = roleName; public List<Resource> getResources() { return resources; public void setResources(List<Resource> resources) { this.resources = resources; public List<User> getUsers() { return users; public void setUsers(List<User> users) { this.users = users; }
權(quán)限:
package com.cas.client1.entity; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.Id; import javax.persistence.Table; @Entity @Table(name = "s_resource") public class Resource { @Id @Column(name = "id") private String id; @Column(name = "res_name") private String resName; @Column(name = "res_code") private String resCode; @Column(name = "url") private String url; @Column(name = "priority") private String priority; public String getId() { return id; } public void setId(String id) { this.id = id; public String getResName() { return resName; public void setResName(String resName) { this.resName = resName; public String getResCode() { return resCode; public void setResCode(String resCode) { this.resCode = resCode; public String getUrl() { return url; public void setUrl(String url) { this.url = url; public String getPriority() { return priority; public void setPriority(String priority) { this.priority = priority; }
建立幾個(gè)DAO
UserDao:
package com.cas.client1.dao; import com.cas.client1.entity.User; import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.Query; import org.springframework.data.repository.query.Param; import org.springframework.stereotype.Repository; import java.util.List; @Repository public interface UserDao extends JpaRepository<User,String> { @Override List<User> findAll(); List<User> findByUsername(String username); /** * 根據(jù)用戶(hù)名like查詢(xún) * @param username * @return */ List<User> getUserByUsernameContains(String username); @Query("from User where id=:id") User getUserById(@Param("id") String id); }
ResourceDao:
package com.cas.client1.dao; import com.cas.client1.entity.Resource; import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.Query; import org.springframework.stereotype.Repository; import java.util.List; /** * @author Administrator */ @Repository public interface ResourceDao extends JpaRepository<Resource,String> { @Query("from Resource order by priority") List<Resource> getAllResource(); }
Service
UserService:
package com.cas.client1.service; import com.cas.client1.dao.UserDao; import com.cas.client1.entity.User; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import java.util.List; @Service public class UserService { @Autowired private UserDao userDao; public User findByUsername(String username){ List<User> list = userDao.findByUsername(username); return list!=null&&list.size()>0?list.get(0):null; } }
ResourceService:
package com.cas.client1.service; import com.cas.client1.dao.ResourceDao; import com.cas.client1.entity.Resource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import java.util.List; @Service public class ResourceService { @Autowired private ResourceDao resourceDao; public List<Resource> getAll(){ return resourceDao.getAllResource(); } }
創(chuàng)建UserDetailsServiceImpl,實(shí)現(xiàn)UserDetailsService接口,這個(gè)類(lèi)是用以提供給Spring security從數(shù)據(jù)庫(kù)加載用戶(hù)信息的
package com.cas.client1.security; import com.cas.client1.entity.User; import com.cas.client1.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Component; /** * @author Administrator */ @SuppressWarnings("ALL") @Component public class UserDetailsServiceImpl implements UserDetailsService{ @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userService.findByUsername(username); return user; } }
記得加@Component注解,以把實(shí)例交由Spring管理,或@Service,你們喜歡就好
創(chuàng)建SecurityMetaDataSource類(lèi)
該類(lèi)實(shí)現(xiàn)Spring security的FilterInvocationSecurityMetadataSource接口,作用是提供權(quán)限的元數(shù)據(jù)定義,并根據(jù)請(qǐng)求url匹配該url所需要的權(quán)限,獲取權(quán)限后交由AccessDecisionManager的實(shí)現(xiàn)者裁定能否訪(fǎng)問(wèn)這個(gè)url,不能則會(huì)返回403的http錯(cuò)誤碼
SecurityMetaDataSource:
package com.cas.client1.security; import com.cas.client1.entity.Resource; import com.cas.client1.service.ResourceService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.security.web.util.matcher.AndRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.stereotype.Component; import javax.annotation.PostConstruct; import java.util.*; @Component public class SecurityMetaDataSource implements FilterInvocationSecurityMetadataSource { @Autowired private ResourceService resourceService; private LinkedHashMap<String,Collection<ConfigAttribute>> metaData; @PostConstruct private void loadSecurityMetaData(){ List<Resource> list = resourceService.getAll(); metaData=new LinkedHashMap<>(); for (Resource resource:list){ List<ConfigAttribute> attributes=new ArrayList<>(); attributes.add(new SecurityConfig(resource.getResCode())); metaData.put(resource.getUrl(),attributes); } List<ConfigAttribute> base=new ArrayList<>(); base.add(new SecurityConfig("AUTH_0")); metaData.put("/**",base); } @Override public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { FilterInvocation invocation= (FilterInvocation) object; if (metaData==null){ return new ArrayList<>(0); } String requestUrl = invocation.getRequestUrl(); System.out.println("請(qǐng)求Url:"+requestUrl); Iterator<Map.Entry<String, Collection<ConfigAttribute>>> iterator = metaData.entrySet().iterator(); Collection<ConfigAttribute> rs=new ArrayList<>(); while (iterator.hasNext()){ Map.Entry<String, Collection<ConfigAttribute>> next = iterator.next(); String url = next.getKey(); Collection<ConfigAttribute> value = next.getValue(); RequestMatcher requestMatcher=new AntPathRequestMatcher(url); if (requestMatcher.matches(invocation.getRequest())){ rs = value; break; } } System.out.println("攔截認(rèn)證權(quán)限為:"+rs); return rs; } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { System.out.println("invoke getAllConfigAttributes "); //loadSecurityMetaData(); //System.out.println("初始化元數(shù)據(jù)"); Collection<Collection<ConfigAttribute>> values = metaData.values(); Collection<ConfigAttribute> all=new ArrayList<>(); for (Collection<ConfigAttribute> each:values){ each.forEach(configAttribute -> { all.add(configAttribute); }); } return all; } @Override public boolean supports(Class<?> clazz) { return true; } }
同理:記得加上@Component注解
重頭戲來(lái)了!Spring security的配置
創(chuàng)建SpringSecurityConfig類(lèi)
該類(lèi)繼承于WebSecurityConfigurerAdapter,核心的配置類(lèi),在這里定義Spring security的使用方式
SpringSecurityConfig
package com.cas.client1.security; import com.cas.client1.config.CasProperties; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDecisionVoter; import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.access.vote.RoleVoter; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import java.util.ArrayList; import java.util.List; /** * Spring security配置 * @author youyp * @date 2018-8-10 */ @SuppressWarnings("ALL") @Configuration @EnableWebSecurity public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private SecurityMetaDataSource securityMetaDataSource; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { super.configure(auth); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html", "/error","/login.do"); } @Override protected void configure(HttpSecurity http) throws Exception { System.out.println("配置Spring security"); http.formLogin() //指定登錄頁(yè)是”/login” .loginPage("/login.html").permitAll() .loginProcessingUrl("/login.do").permitAll() .defaultSuccessUrl("/home",true) .permitAll() //登錄成功后可使用loginSuccessHandler()存儲(chǔ)用戶(hù)信息,可選。 //.successHandler(loginSuccessHandler()).permitAll() .and() .logout().permitAll() .invalidateHttpSession(true) .and() //登錄后記住用戶(hù),下次自動(dòng)登錄,數(shù)據(jù)庫(kù)中必須存在名為persistent_logins的表 .rememberMe() .tokenValiditySeconds(1209600) .and() .csrf().disable() //其他所有資源都需要認(rèn)證,登陸后訪(fǎng)問(wèn) .authorizeRequests().anyRequest().fullyAuthenticated(); http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class); } /** * 注意:這里不能加@Bean注解 * @return * @throws Exception */ //@Bean public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception { FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor(); filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource); filterSecurityInterceptor.setAuthenticationManager(authenticationManager()); filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased()); return filterSecurityInterceptor; } /** * 重寫(xiě)AuthenticationManager獲取的方法并且定義為Bean * @return * @throws Exception */ @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { //指定密碼加密所使用的加密器為passwordEncoder() //需要將密碼加密后寫(xiě)入數(shù)據(jù)庫(kù) auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); auth.eraseCredentials(false); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(4); } /** * 定義決策管理器,這里可直接使用內(nèi)置的AffirmativeBased選舉器, * 如果需要,可自定義,繼承AbstractAccessDecisionManager,實(shí)現(xiàn)decide方法即可 * @return */ @Bean public AccessDecisionManager affirmativeBased(){ List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>(); voters.add(roleVoter()); System.out.println("正在創(chuàng)建決策管理器"); return new AffirmativeBased(voters); } /** * 定義選舉器 * @return */ @Bean public RoleVoter roleVoter(){ //這里使用角色選舉器 RoleVoter voter=new RoleVoter(); System.out.println("正在創(chuàng)建選舉器"); voter.setRolePrefix("AUTH_"); System.out.println("已將角色選舉器的前綴修改為AUTH_"); return voter; } }
說(shuō)一個(gè)注意點(diǎn):
FilterSecurityInterceptor這個(gè)過(guò)濾器最為重要,它負(fù)責(zé)數(shù)據(jù)庫(kù)權(quán)限信息加載,權(quán)限鑒定等關(guān)鍵動(dòng)作,這個(gè)過(guò)濾器位于SpringSecurityFilterChain,即Spring security的過(guò)濾器鏈中,如果將這個(gè)類(lèi)在配置類(lèi)中加了@Bean注解,那么它將直接加入web容器的過(guò)濾器鏈中,這個(gè)鏈?zhǔn)鞘讓舆^(guò)濾器鏈,
進(jìn)入這個(gè)過(guò)濾器鏈之后才會(huì)進(jìn)入SpringSecurityFilterChain這個(gè)負(fù)責(zé)安全的鏈條,如果這個(gè)跑到外層去了,就會(huì)導(dǎo)致這個(gè)獨(dú)有的過(guò)濾器一直在生效,請(qǐng)求無(wú)限被攔截重定向,因?yàn)檫@個(gè)過(guò)濾器前面沒(méi)有別的過(guò)濾器阻止它生效,如果它位于SpringSecurityFilterChain中,在進(jìn)入FilterSecurityInterceptor這個(gè)
過(guò)濾器之前會(huì)有很多的Spring security過(guò)濾器在生效,如果不滿(mǎn)足前面的過(guò)濾器的條件,不會(huì)進(jìn)入到這個(gè)過(guò)濾器。也就是說(shuō),要進(jìn)入到這個(gè)過(guò)濾器,必須要從SpringSecurityFilterChain進(jìn)入,從其他地方進(jìn)入都會(huì)導(dǎo)致請(qǐng)求被無(wú)限重定向
另外
FilterSecurityInterceptor這個(gè)類(lèi)繼承于AbstractSecurityInterceptor并實(shí)現(xiàn)Filter接口,由此我們可以重寫(xiě)該類(lèi),自定義我們的特殊業(yè)務(wù),但是,個(gè)人覺(jué)得FilterSecurityInterceptor這個(gè)實(shí)現(xiàn)類(lèi)已經(jīng)很完整地實(shí)現(xiàn)了這個(gè)過(guò)濾器應(yīng)做的工作,沒(méi)有必要重寫(xiě)
類(lèi)似的,還有AccessDecisionManager這個(gè)“決策者”,Spring security為這個(gè)功能提供了幾個(gè)默認(rèn)的實(shí)現(xiàn)者,如AffirmativeBased這個(gè)類(lèi),是一個(gè)基于投票的決策器,投票器(Voter)要求實(shí)現(xiàn)AccessDecisionVoter接口,Spring security已為我們提供了幾個(gè)很有用的投票器如RoleVoter,WebExpressionVoter
這些我們都沒(méi)有必要去自定義,而且自定義出來(lái)的也沒(méi)有默認(rèn)實(shí)現(xiàn)拓展性和穩(wěn)定性更好
再定義一個(gè)登陸的Controller
LoginController
package com.cas.client2.casclient2.controller; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.cas.authentication.CasAuthenticationToken; import org.springframework.security.cas.web.CasAuthenticationFilter; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpSession; @SuppressWarnings("ALL") @Controller public class LoginController { @Autowired private AuthenticationManager authenticationManager; /** * 自定義登錄地址 * @param username * @param password * @param session * @return */ @RequestMapping("login.do") public String login(String username,String passwod, HttpSession session){ try { System.out.println("進(jìn)入登錄請(qǐng)求.........."); UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,passwod); Authentication authentication=authenticationManager.authenticate(token); SecurityContextHolder.getContext().setAuthentication(authentication); session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); System.out.println("登錄成功"); return "redirect:home.html"; }catch (Exception e){ e.printStackTrace(); return "login.html"; } } }
創(chuàng)建幾個(gè)頁(yè)面:在resources下創(chuàng)建文件夾html,用于存放html靜態(tài)文件,
home.html
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>HOME</title> </head> <body> <h1>welcome to Home</h1> <button onclick="javascript:location.href='/logout'">退出</button> </body> </html>
login.html
<!DOCTYPE html> <html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"> <head> <meta charset="UTF-8"> <title>登錄</title> </head> <body> <span style="color: red" id="msg"></span> <form action="/login.do" method="post"> <div><label> User Name : <input type="text" name="username"/> </label></div> <div><label> Password: <input type="password" name="password"/> </label></div> <div><input type="submit" value="Sign In"/></div> <input type="checkbox" name="remember-me" value="true" th:checked="checked"/><p>Remember me</p> </form> </body> <script type="text/javascript"> var url=location.href var param=url.split("?")[1]; console.log(param); if (param){ var p=param.split("&"); var msg=p[0].split("=")[1]; document.getElementById("msg").innerHTML=msg; } </script> </html>
admin.html
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>admin</title> </head> <body> 你好,歡迎登陸,這是管理員界面,擁有/admin.html的訪(fǎng)問(wèn)權(quán)限才能訪(fǎng)問(wèn) </body> </html>
再定義幾個(gè)錯(cuò)誤頁(yè)面
在html文件夾下創(chuàng)建一個(gè)error文件夾,在error文件夾中創(chuàng)建403.html,404.html,500.html;在程序遇到這些錯(cuò)誤碼時(shí),會(huì)自動(dòng)跳轉(zhuǎn)到對(duì)應(yīng)的頁(yè)面
先啟動(dòng)一下項(xiàng)目,讓spring-data-jpa反向生成一下表結(jié)構(gòu)
再往數(shù)據(jù)庫(kù)插入幾條數(shù)據(jù):
用戶(hù)表的密碼需要放密文,我們把我們的明文密碼使用我們的密碼encoder轉(zhuǎn)一下:BCryptPasswordEncoder.encode("123");得到密文后存到數(shù)據(jù)庫(kù)的password字段中
用戶(hù)表:
資源表:即權(quán)限信息表
角色表:
角色權(quán)限中間表:
我們先不給用戶(hù)配置角色,現(xiàn)在是空角色
啟動(dòng)Spring boot啟動(dòng)類(lèi),訪(fǎng)問(wèn)localhost:8083,檢測(cè)到?jīng)]登錄會(huì)自動(dòng)跳到登錄頁(yè)面,登錄后自動(dòng)跳轉(zhuǎn)到home.html
訪(fǎng)問(wèn)admin.html,返回403頁(yè)面,當(dāng)前用戶(hù)無(wú)權(quán)限訪(fǎng)問(wèn)
再將剛剛的角色分配給用戶(hù),再次訪(fǎng)問(wèn)
此時(shí)便可訪(fǎng)問(wèn),大功告成!
2.部署CAS server
cas全稱(chēng)Central Authentication Service,翻譯為:中央認(rèn)證服務(wù);從名字我們便可得知,這是一個(gè)獨(dú)立的服務(wù),主要負(fù)責(zé)用戶(hù)登錄憑證的驗(yàn)證;事實(shí)也是如此,cas有認(rèn)證中心和client端,認(rèn)證中心就是我們的cas server,負(fù)責(zé)用戶(hù)憑證的驗(yàn)證,需要獨(dú)立部署,cas client就是我們的各個(gè)相互信任的應(yīng)用
我們從cas官網(wǎng)下載源碼,從moudle中找到一個(gè).war后綴的文件,將這個(gè)文件拷出來(lái),
改一下文件名為:cas,放到一個(gè)Tomcat中,啟動(dòng)tomcat,(端口先改一下,如8081),在瀏覽器中訪(fǎng)問(wèn)localhost:8081/cas即可看到cas的登錄界面
報(bào)了個(gè)警告,說(shuō)我們沒(méi)有配置ssl,也就是需要配置https,不過(guò)可以不用配置,
我們可以配置使用http:
設(shè)置cas server使用http非安全協(xié)議
主要有以下步驟:
1.WEB-INF/deployerConfigContext.xml中在<beanclass="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"p:httpClient-ref="httpClient"/>增加參數(shù)p:requireSecure="false",是否需要安全驗(yàn)證,即HTTPS,false為不采用如下:<beanclass="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"p:httpClient-ref="httpClient"p:requireSecure="false"/>
1. WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml中將p:cookieSecure="true"修改為 p:cookieSecure="false"
2. WEB-INF/spring-configuration/warnCookieGenerator.xml中將p:cookieSecure="true"改為p:cookieSecure="false"
3. 在tomcat的server.xml中關(guān)閉8443端口,如下圖
3.配置CAS client
在之前Spring security的基礎(chǔ)上,我們加入cas認(rèn)證
在pom.xml中加入依賴(lài)包:
<!-- security 對(duì)CAS支持 --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-cas</artifactId> </dependency>
修改一下我們的UserDetailsServiceImpl類(lèi),讓它實(shí)現(xiàn)AuthenticationUserDetailsService<CasAssertionAuthenticationToken>接口
UserDetailsServiceImpl:
package com.cas.client1.security; import com.cas.client1.entity.User; import com.cas.client1.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken; import org.springframework.security.core.userdetails.AuthenticationUserDetailsService; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Component; /** * @author Administrator */ @SuppressWarnings("ALL") @Component public class UserDetailsServiceImpl implements UserDetailsService, AuthenticationUserDetailsService<CasAssertionAuthenticationToken> { @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userService.findByUsername(username); return user; } /** * 實(shí)現(xiàn)AuthenticationUserDetailsService的方法, * 用于獲取cas server返回的用戶(hù)信息,再根據(jù)用戶(hù)關(guān)鍵信息加載出用戶(hù)在當(dāng)前系統(tǒng)的權(quán)限 * @param token * @return * @throws UsernameNotFoundException */ public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) throws UsernameNotFoundException { String name = token.getName(); System.out.println("獲得的用戶(hù)名:"+name); User user = userService.findByUsername(name); if (user==null){ throw new UsernameNotFoundException(name+"不存在"); } }
在application.properties文件中加上以下內(nèi)容:
# cas服務(wù)器地址 cas.server.host.url=http://localhost:8081/cas # cas服務(wù)器登錄地址 cas.server.host.login_url=${cas.server.host.url}/login # cas服務(wù)器登出地址 cas.server.host.logout_url=${cas.server.host.url}/logout?service=${app.server.host.url} # 應(yīng)用訪(fǎng)問(wèn)地址 app.server.host.url=http://localhost:8083 # 應(yīng)用登錄地址 app.login.url=/login.do # 應(yīng)用登出地址 app.logout.url=/logout
新增一個(gè)配置實(shí)體類(lèi)
CasProperties
package com.cas.client1.config; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; @Component public class CasProperties { @Value("${cas.server.host.url}") private String casServerUrl; @Value("${cas.server.host.login_url}") private String casServerLoginUrl; @Value("${cas.server.host.logout_url}") private String casServerLogoutUrl; @Value("${app.server.host.url}") private String appServerUrl; @Value("${app.login.url}") private String appLoginUrl; @Value("${app.logout.url}") private String appLogoutUrl; /**get set方法略 */ }
再修改一下我們的Spring security配置類(lèi)
package com.cas.client1.security; import com.cas.client1.config.CasProperties; import org.jasig.cas.client.session.SingleSignOutFilter; import org.jasig.cas.client.validation.Cas20ServiceTicketValidator; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDecisionVoter; import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.access.vote.RoleVoter; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.cas.ServiceProperties; import org.springframework.security.cas.authentication.CasAuthenticationProvider; import org.springframework.security.cas.web.CasAuthenticationEntryPoint; import org.springframework.security.cas.web.CasAuthenticationFilter; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; import java.util.ArrayList; import java.util.List; /** * Spring security配置 * @author youyp * @date 2018-8-10 */ @SuppressWarnings("ALL") @Configuration @EnableWebSecurity public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private CasProperties casProperties; @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private SecurityMetaDataSource securityMetaDataSource; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { super.configure(auth); auth.authenticationProvider(casAuthenticationProvider()); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html", "/error","/login.do"); //web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico",,"/home"); //web.ignoring().antMatchers("/**"); // super.configure(web); } @Override protected void configure(HttpSecurity http) throws Exception { System.out.println("配置Spring security"); http.formLogin() //指定登錄頁(yè)是”/login” //.loginPage("/login.html").permitAll() //.loginProcessingUrl("/login.do").permitAll() //.defaultSuccessUrl("/home",true) //.permitAll() //登錄成功后可使用loginSuccessHandler()存儲(chǔ)用戶(hù)信息,可選。 //.successHandler(loginSuccessHandler()).permitAll() .and() .logout().permitAll() //退出登錄后的默認(rèn)網(wǎng)址是”/home” //.logoutSuccessUrl("/home.html") //.permitAll() .invalidateHttpSession(true) .and() //登錄后記住用戶(hù),下次自動(dòng)登錄,數(shù)據(jù)庫(kù)中必須存在名為persistent_logins的表 .rememberMe() .tokenValiditySeconds(1209600) .and() .csrf().disable() //其他所有資源都需要認(rèn)證,登陸后訪(fǎng)問(wèn) .authorizeRequests().anyRequest().fullyAuthenticated(); http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint()) .and() .addFilterAt(casAuthenticationFilter(),CasAuthenticationFilter.class) .addFilterBefore(casLogoutFilter(),LogoutFilter.class) .addFilterBefore(singleSignOutFilter(),CasAuthenticationFilter.class); /** * FilterSecurityInterceptor本身屬于過(guò)濾器,不能在外面定義為@Bean, * 如果定義在外面,則這個(gè)過(guò)濾器會(huì)被獨(dú)立加載到webContext中,導(dǎo)致請(qǐng)求會(huì)一直被這個(gè)過(guò)濾器攔截 * 加入到Springsecurity的過(guò)濾器鏈中,才會(huì)使它完整的生效 */ http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class); } /** * 注意:這里不能加@Bean注解 * @return * @throws Exception */ // @Bean public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception { FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor(); filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource); filterSecurityInterceptor.setAuthenticationManager(authenticationManager()); filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased()); return filterSecurityInterceptor; } /** * 認(rèn)證入口 * <p> * <b>Note:</b>瀏覽器訪(fǎng)問(wèn)不可直接填客戶(hù)端的login請(qǐng)求,若如此則會(huì)返回Error頁(yè)面,無(wú)法被此入口攔截 * </p> * @return */ @Bean public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){ CasAuthenticationEntryPoint casAuthenticationEntryPoint=new CasAuthenticationEntryPoint(); casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl()); casAuthenticationEntryPoint.setServiceProperties(serviceProperties()); return casAuthenticationEntryPoint; } @Bean public ServiceProperties serviceProperties() { ServiceProperties serviceProperties=new ServiceProperties(); serviceProperties.setService(casProperties.getAppServerUrl()+casProperties.getAppLoginUrl()); serviceProperties.setAuthenticateAllArtifacts(true); return serviceProperties; } // @Bean public CasAuthenticationFilter casAuthenticationFilter() throws Exception { CasAuthenticationFilter casAuthenticationFilter=new CasAuthenticationFilter(); casAuthenticationFilter.setAuthenticationManager(authenticationManager()); casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl()); // casAuthenticationFilter.setAuthenticationSuccessHandler( // new SimpleUrlAuthenticationSuccessHandler("/home.html")); return casAuthenticationFilter; } @Bean public CasAuthenticationProvider casAuthenticationProvider(){ CasAuthenticationProvider casAuthenticationProvider=new CasAuthenticationProvider(); casAuthenticationProvider.setAuthenticationUserDetailsService(userDetailsService); casAuthenticationProvider.setServiceProperties(serviceProperties()); casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator()); casAuthenticationProvider.setKey("casAuthenticationProviderKey"); return casAuthenticationProvider; } @Bean public Cas20ServiceTicketValidator cas20ServiceTicketValidator() { return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl()); } // @Bean public SingleSignOutFilter singleSignOutFilter(){ SingleSignOutFilter singleSignOutFilter=new SingleSignOutFilter(); singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl()); singleSignOutFilter.setIgnoreInitConfiguration(true); return singleSignOutFilter; } // @Bean public LogoutFilter casLogoutFilter(){ LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler()); logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl()); return logoutFilter; } /** * 重寫(xiě)AuthenticationManager獲取的方法并且定義為Bean * @return * @throws Exception */ @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { //指定密碼加密所使用的加密器為passwordEncoder() //需要將密碼加密后寫(xiě)入數(shù)據(jù)庫(kù) //auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); //auth.eraseCredentials(false); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(4); } /** * 定義決策管理器,這里可直接使用內(nèi)置的AffirmativeBased選舉器, * 如果需要,可自定義,繼承AbstractAccessDecisionManager,實(shí)現(xiàn)decide方法即可 * @return */ @Bean public AccessDecisionManager affirmativeBased(){ List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>(); voters.add(roleVoter()); System.out.println("正在創(chuàng)建決策管理器"); return new AffirmativeBased(voters); } /** * 定義選舉器 * @return */ @Bean public RoleVoter roleVoter(){ //這里使用角色選舉器 RoleVoter voter=new RoleVoter(); System.out.println("正在創(chuàng)建選舉器"); voter.setRolePrefix("AUTH_"); System.out.println("已將角色選舉器的前綴修改為AUTH_"); return voter; } @Bean public LoginSuccessHandler loginSuccessHandler() { return new LoginSuccessHandler(); } }
這里我們新增了幾個(gè)filter,請(qǐng)注意,這幾個(gè)filter定義時(shí)都不能配置@Bean注解,原因以上相同,這幾個(gè)filter都要加入到springSecurity的FilterChain中,而不是直接加入到web容器的FilterChain中
再修改一下LoginController
package com.cas.client1.controller; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.cas.web.CasAuthenticationFilter; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpSession; @SuppressWarnings("Duplicates") @Controller public class LoginController { @Autowired private AuthenticationManager authenticationManager; /** * 自定義登錄地址 * @param username * @param password * @param session * @return */ @RequestMapping("login.do") public String login(String ticket, HttpSession session){ try { System.out.println("進(jìn)入登錄請(qǐng)求.........."); //cas單點(diǎn)登錄的用戶(hù)名就是:_cas_stateful_ ,用戶(hù)憑證是server傳回來(lái)的ticket String username = CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER; UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,ticket); Authentication authentication=authenticationManager.authenticate(token); SecurityContextHolder.getContext().setAuthentication(authentication); session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); System.out.println("登錄成功"); return "redirect:home.html"; }catch (Exception e){ e.printStackTrace(); return "login.html"; } } }
這時(shí),之前負(fù)責(zé)登錄的loginController不再是驗(yàn)證用戶(hù)名和密碼正不正確了,因?yàn)橛脩?hù)名密碼的驗(yàn)證已經(jīng)交給cas server了,LoginController的工作就是接收cas server重定向時(shí)傳回來(lái)的ticket,驗(yàn)證ticket的有效性,如果沒(méi)有異常,則會(huì)進(jìn)入到UserDetailsServiceImpl中的loadUserDetails方法,并根據(jù)用戶(hù)名加載用戶(hù)權(quán)限等信息,然后我們?cè)賹⒂脩?hù)信息存入Session,完成本地登錄,本地登錄之后,用戶(hù)每次請(qǐng)求時(shí),就不需要再次驗(yàn)證ticket了,而是驗(yàn)證Session
到這里,cas client已經(jīng)配置完成,為了看清楚流程,我們以debug模式啟動(dòng)一下項(xiàng)目,在loginController的login方法開(kāi)頭打一個(gè)斷點(diǎn),打開(kāi)瀏覽器調(diào)試模式(F12),切換到network看請(qǐng)求,在瀏覽器中輸入:localhost:8083,瀏覽器會(huì)自動(dòng)重定向到cas server 的登錄頁(yè)面,如下圖:
我們輸入一個(gè)數(shù)據(jù)庫(kù)中有的用戶(hù)名,再在密碼欄中輸入一次用戶(hù)名,因?yàn)檫@里的cas server驗(yàn)證方式還沒(méi)改,只要求用戶(hù)名和密碼相同就可通過(guò)驗(yàn)證,后面我會(huì)研究一下怎么修改cas server 的驗(yàn)證方式為數(shù)據(jù)庫(kù)驗(yàn)證
如輸入:用戶(hù)名:user 密碼:user
點(diǎn)擊登錄,驗(yàn)證成功后,我們看F12 network請(qǐng)求,發(fā)現(xiàn)瀏覽器發(fā)送了兩個(gè)請(qǐng)求,一個(gè)是8081的,也就是cas server的,另外一個(gè)是8083的,也就是我們的client端的,如圖:
另一個(gè)
因?yàn)槲覀冊(cè)诤笈_(tái)開(kāi)了debug模式,打了斷點(diǎn),所以后面這個(gè)請(qǐng)求一直在pending狀態(tài),我們先看第一個(gè)請(qǐng)求的詳細(xì)情況:
很明顯的,這個(gè)請(qǐng)求發(fā)送了我們的用戶(hù)名和密碼,由此可知,這個(gè)請(qǐng)求的作用就是負(fù)責(zé)在cas server后臺(tái)驗(yàn)證用戶(hù)名的密碼,驗(yàn)證成功后,會(huì)自動(dòng)重定向到第二個(gè)請(qǐng)求
我們?cè)賮?lái)看第二個(gè)請(qǐng)求:
這個(gè)請(qǐng)求就是我們cas client所配置的登錄地址,此時(shí)這個(gè)請(qǐng)求后面自動(dòng)帶上了一個(gè)名為ticket的參數(shù),參數(shù)值是一串自動(dòng)生成的隨機(jī)字符串,由cas server生成的
我們?cè)倩氐胶笈_(tái),沒(méi)什么錯(cuò)誤的話(huà),我們可以看到LoginController接收到了這個(gè)參數(shù),我們先在UserDetailsServiceImpl類(lèi)的loadUserDetails方法的開(kāi)頭打一個(gè)斷點(diǎn),按F8讓調(diào)試器跑走,此時(shí),我們就可以看到調(diào)試器跳到了我們剛剛打的UserDetasServiceImpl的斷點(diǎn)中,再看看參數(shù)
可以看出,我們接收到了cas server認(rèn)證完ticket后傳回來(lái)的用戶(hù)名,我們根據(jù)用戶(hù)名加載對(duì)應(yīng)的權(quán)限,返回即可,此時(shí)我們?cè)俅伟碏8跳走
再回到界面,發(fā)現(xiàn)我們已經(jīng)可以訪(fǎng)問(wèn)頁(yè)面了:
下一步,就是驗(yàn)證多個(gè)應(yīng)用之間是否能只登陸一次就不用再登陸了;
我們將當(dāng)前項(xiàng)目拷貝一份,改名稱(chēng)為cas-client2(maven的groupId和artifactId),再修改一下端口為8082,,記得對(duì)應(yīng)的cas配置也要改:
啟動(dòng)項(xiàng)目
先訪(fǎng)問(wèn)localhost:8082
發(fā)現(xiàn)它自動(dòng)跳轉(zhuǎn)到了8081的cas server
再打開(kāi)另外一個(gè)瀏覽器標(biāo)簽,訪(fǎng)問(wèn)localhost:8083
發(fā)現(xiàn)它也自動(dòng)跳到了cas的登錄頁(yè)面,我們先在這里輸入賬號(hào)密碼登錄:
登錄成功后,我們?cè)偾袚Q回剛剛沒(méi)登錄的8082的網(wǎng)頁(yè)標(biāo)簽,刷新一下,
ok,8082也不用登陸了,大功告成!
源碼地址:
https://github.com/yupingyou/casclient.git
另:Spring security原本默認(rèn)有個(gè)/login和/logout的handler,(以前不是這個(gè)地址,不知道從哪個(gè)版本開(kāi)始改了,以前好像是_spring_security_check,大概是這個(gè),記不太清,我用了4以后就發(fā)現(xiàn)地址變了),但是我發(fā)現(xiàn)我訪(fǎng)問(wèn)/login的時(shí)候出現(xiàn)404,但/logout可以訪(fǎng)問(wèn),沒(méi)發(fā)現(xiàn)什么原因,后來(lái)我就自定義一個(gè)登陸了,也就是我配置的/login.do,代替了默認(rèn)的/login
到此這篇關(guān)于Spring boot security權(quán)限管理集成cas單點(diǎn)登錄的文章就介紹到這了,更多相關(guān)Spring boot security集成cas單點(diǎn)登錄內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
相關(guān)文章
使用JAVA實(shí)現(xiàn)郵件發(fā)送功能的圖文教程
郵件發(fā)送其實(shí)是一個(gè)非常常見(jiàn)的需求,用戶(hù)注冊(cè),找回密碼等地方,都會(huì)用到,下面這篇文章主要給大家介紹了關(guān)于使用JAVA實(shí)現(xiàn)郵件發(fā)送功能的相關(guān)資料,文中通過(guò)實(shí)例代碼介紹的非常詳細(xì),需要的朋友可以參考下2022-06-06SpringBoot四大神器之Auto onfiguration的使用
本文主要介紹了SpringBoot四大神器之Auto Configuration,springboot auto configuration的本質(zhì)就是自動(dòng)配置spring的各種bean。感興趣的可以了解一下2021-10-10Java異常(Exception)處理以及常見(jiàn)異??偨Y(jié)
在《Java編程思想》中這樣定義異常,阻止當(dāng)前方法或作用域繼續(xù)執(zhí)行的問(wèn)題,雖然java中有異常處理機(jī)制,但是要明確一點(diǎn),決不應(yīng)該用"正常"的態(tài)度來(lái)看待異常,這篇文章主要給大家介紹了關(guān)于Java異常(Exception)處理以及常見(jiàn)異常的相關(guān)資料,需要的朋友可以參考下2021-10-10微信公眾號(hào)測(cè)試賬號(hào)自定義菜單的實(shí)例代碼
這篇文章主要介紹了微信公眾號(hào)測(cè)試賬號(hào)自定義菜單的實(shí)例代碼,非常不錯(cuò),具有參考借鑒價(jià)值,需要的朋友可以參考下2017-02-02JPA如何使用entityManager執(zhí)行SQL并指定返回類(lèi)型
這篇文章主要介紹了JPA使用entityManager執(zhí)行SQL并指定返回類(lèi)型的操作,具有很好的參考價(jià)值,希望對(duì)大家有所幫助。如有錯(cuò)誤或未考慮完全的地方,望不吝賜教2021-06-06淺談java中String StringBuffer StringBuilder的區(qū)別
下面小編就為大家?guī)?lái)一篇淺談java中String StringBuffer StringBuilder的區(qū)別。小編覺(jué)得挺不錯(cuò)的,現(xiàn)在就分享給大家,也給大家做個(gè)參考。一起跟隨小編過(guò)來(lái)看看吧2016-06-06