Spring?boot?security權(quán)限管理集成cas單點(diǎn)登錄功能的實(shí)現(xiàn)

更新時(shí)間：2022年03月08日 10:50:43 作者：alex-zp

這篇文章主要介紹了Spring?boot?security權(quán)限管理集成cas單點(diǎn)登錄,本文給大家介紹的非常詳細(xì)，對(duì)大家的學(xué)習(xí)或工作具有一定的參考借鑒價(jià)值，需要的朋友可以參考下

1.Spring boot集成Spring security

本篇是使用spring security集成cas，因此，先得集成spring security
新建一個(gè)Spring boot項(xiàng)目，加入maven依賴(lài)，我這里是用的架構(gòu)是Spring boot2.0.4+Spring mvc+Spring data jpa+Spring security5
pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.cas.client1</groupId>
    <artifactId>cas-client1</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>
    <name>cas-client1</name>
    <description>Demo project for Spring Boot</description>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.4.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
            <artifactId>spring-boot-starter-test</artifactId>
            <artifactId>spring-boot-starter-security</artifactId>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
        <!-- security taglibs -->
            <artifactId>spring-security-taglibs</artifactId>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>RELEASE</version>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.46</version>
        <!-- https://mvnrepository.com/artifact/com.alibaba/druid-spring-boot-starter -->
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
            <version>1.1.10</version>
            <artifactId>spring-boot</artifactId>
            <version>2.0.2.RELEASE</version>
            <scope>compile</scope>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

application.properties：

server.port=8083
#靜態(tài)文件訪(fǎng)問(wèn)存放地址
spring.resources.static-locations=classpath:/html/
# thymeleaf 模板存放地址
spring.thymeleaf.prefix=classpath:/html/
spring.thymeleaf.suffix=.html
spring.thymeleaf.mode=LEGACYHTML5
spring.thymeleaf.encoding=UTF-8

# JDBC 配置(驅(qū)動(dòng)類(lèi)自動(dòng)從url的mysql識(shí)別,數(shù)據(jù)源類(lèi)型自動(dòng)識(shí)別)
# 或spring.datasource.url=
spring.datasource.druid.url=jdbc:mysql://localhost:3306/vhr?useUnicode=true&characterEncoding=UTF8
# 或spring.datasource.username=
spring.datasource.druid.username=root
# 或spring.datasource.password=
spring.datasource.druid.password=1234
#或 spring.datasource.driver-class-name=
#spring.datasource.druid.driver-class-name=com.mysql.jdbc.Driver
#連接池配置(通常來(lái)說(shuō)，只需要修改initialSize、minIdle、maxActive
# 如果用Oracle，則把poolPreparedStatements配置為true，mysql可以配置為false。分庫(kù)分表較多的數(shù)據(jù)庫(kù)，建議配置為false。removeabandoned不建議在生產(chǎn)環(huán)境中打開(kāi)如果用SQL Server，建議追加配置)
spring.datasource.druid.initial-size=1
spring.datasource.druid.max-active=20
spring.datasource.druid.min-idle=1
# 配置獲取連接等待超時(shí)的時(shí)間
spring.datasource.druid.max-wait=60000
#打開(kāi)PSCache，并且指定每個(gè)連接上PSCache的大小
spring.datasource.druid.pool-prepared-statements=true
spring.datasource.druid.max-pool-prepared-statement-per-connection-size=20
#spring.datasource.druid.max-open-prepared-statements=和上面的等價(jià)
spring.datasource.druid.validation-query=SELECT 'x'
#spring.datasource.druid.validation-query-timeout=
spring.datasource.druid.test-on-borrow=false
spring.datasource.druid.test-on-return=false
spring.datasource.druid.test-while-idle=true
#配置間隔多久才進(jìn)行一次檢測(cè)，檢測(cè)需要關(guān)閉的空閑連接，單位是毫秒
spring.datasource.druid.time-between-eviction-runs-millis=60000
#配置一個(gè)連接在池中最小生存的時(shí)間，單位是毫秒
spring.datasource.druid.min-evictable-idle-time-millis=300000
#spring.datasource.druid.max-evictable-idle-time-millis=
#配置多個(gè)英文逗號(hào)分隔
#spring.datasource.druid.filters= stat
# WebStatFilter配置，說(shuō)明請(qǐng)參考Druid Wiki，配置_配置WebStatFilter
#是否啟用StatFilter默認(rèn)值true
spring.datasource.druid.web-stat-filter.enabled=true
spring.datasource.druid.web-stat-filter.url-pattern=/*
spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/*
spring.datasource.druid.web-stat-filter.session-stat-enable=false
spring.datasource.druid.web-stat-filter.session-stat-max-count=1000
spring.datasource.druid.web-stat-filter.principal-session-name=admin
spring.datasource.druid.web-stat-filter.principal-cookie-name=admin
spring.datasource.druid.web-stat-filter.profile-enable=true
# StatViewServlet配置
#展示Druid的統(tǒng)計(jì)信息,StatViewServlet的用途包括：1.提供監(jiān)控信息展示的html頁(yè)面2.提供監(jiān)控信息的JSON API
#是否啟用StatViewServlet默認(rèn)值true
spring.datasource.druid.stat-view-servlet.enabled=true
spring.datasource.druid.stat-view-servlet.url-pattern=/druid/*
# JPA config
spring.jpa.database=mysql
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
spring.jpa.generate-ddl=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
spring.jpa.open-in-view=true
# 解決jpa no session的問(wèn)題
spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true

這里使用數(shù)據(jù)庫(kù)存儲(chǔ)角色權(quán)限信息，分三種實(shí)體：用戶(hù)；角色；資源；用戶(hù)對(duì)角色多對(duì)多；角色對(duì)資源多對(duì)多
創(chuàng)建幾個(gè)實(shí)體類(lèi)：
用戶(hù)：這里直接使用用戶(hù)持久化對(duì)象實(shí)現(xiàn)Spring security要求的UserDetails接口，并實(shí)現(xiàn)對(duì)應(yīng)方法

package com.cas.client1.entity;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.CollectionUtils;
import javax.persistence.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
@Entity
@Table(name = "s_user")
public class User implements UserDetails {
    @Id
    private String id;
    @Column(name = "username")
    private String username;
    @Column(name = "password")
    private String password;
    @ManyToMany(fetch = FetchType.LAZY)
    @JoinTable(
            name = "s_user_role",
            joinColumns = @JoinColumn(name = "user_id"),
            inverseJoinColumns = @JoinColumn(name = "role_id")
    )
    private List<Role> roles;
    public User() {
    }
    public User(String id, String username, String password) {
        this.id = id;
        this.username = username;
        this.password = password;
    public String getId() {
        return id;
    public void setId(String id) {
    public List<Role> getRoles() {
        return roles;
    public void setRoles(List<Role> roles) {
        this.roles = roles;
    @Override
    public String getUsername() {
        return username;
    public boolean isAccountNonExpired() {
        return true;
    public boolean isAccountNonLocked() {
    public boolean isCredentialsNonExpired() {
    public boolean isEnabled() {
    public void setUsername(String username) {
    @Transient
    List<GrantedAuthority> grantedAuthorities=new ArrayList<>();
    public Collection<? extends GrantedAuthority> getAuthorities() {
        if (grantedAuthorities.size()==0){
            if (!CollectionUtils.isEmpty(roles)){
                for (Role role:roles){
                    List<Resource> resources = role.getResources();
                    if (!CollectionUtils.isEmpty(resources)){
                        for (Resource resource:resources){
                            grantedAuthorities.add(new SimpleGrantedAuthority(resource.getResCode()));
                        }
                    }
                }
            }
            grantedAuthorities.add(new SimpleGrantedAuthority("AUTH_0"));
        }
        return grantedAuthorities;
    public String getPassword() {
        return password;
    public void setPassword(String password) {
}

注意看這里：

我給每一位登錄的用戶(hù)都授予了AUTH_0的權(quán)限，AUTH_0在下面的SecurityMetaDataSource里被關(guān)聯(lián)的url為：/**,也就是說(shuō)除開(kāi)那些機(jī)密程度更高的，這個(gè)登錄用戶(hù)能訪(fǎng)問(wèn)所有資源

角色：

package com.cas.client1.entity;

import javax.persistence.*;
import java.util.List;
/**
 * @author Administrator
 */
@Entity
@Table(name = "s_role")
public class Role {
    @Id
    @Column(name = "id")
    private String id;
    @Column(name = "role_name")
    private String roleName;
    @ManyToMany(fetch = FetchType.LAZY)
    @JoinTable(
            name = "s_role_res",
            joinColumns = @JoinColumn(name = "role_id"),
            inverseJoinColumns = @JoinColumn(name = "res_id")
    )
    private List<Resource> resources;
            name = "s_user_role",
            inverseJoinColumns = @JoinColumn(name = "user_id")
    private List<User> users;
    public String getId() {
        return id;
    }
    public void setId(String id) {
        this.id = id;
    public String getRoleName() {
        return roleName;
    public void setRoleName(String roleName) {
        this.roleName = roleName;
    public List<Resource> getResources() {
        return resources;
    public void setResources(List<Resource> resources) {
        this.resources = resources;
    public List<User> getUsers() {
        return users;
    public void setUsers(List<User> users) {
        this.users = users;
}

權(quán)限：

package com.cas.client1.entity;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
@Entity
@Table(name = "s_resource")
public class Resource {
    @Id
    @Column(name = "id")
    private String id;
    @Column(name = "res_name")
    private String resName;
    @Column(name = "res_code")
    private String resCode;
    @Column(name = "url")
    private String url;
    @Column(name = "priority")
    private String priority;
    public String getId() {
        return id;
    }
    public void setId(String id) {
        this.id = id;
    public String getResName() {
        return resName;
    public void setResName(String resName) {
        this.resName = resName;
    public String getResCode() {
        return resCode;
    public void setResCode(String resCode) {
        this.resCode = resCode;
    public String getUrl() {
        return url;
    public void setUrl(String url) {
        this.url = url;
    public String getPriority() {
        return priority;
    public void setPriority(String priority) {
        this.priority = priority;
}

建立幾個(gè)DAO
UserDao：

package com.cas.client1.dao;

import com.cas.client1.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;
import java.util.List;
@Repository
public interface UserDao extends JpaRepository<User,String> {
    @Override
    List<User> findAll();
    List<User> findByUsername(String username);
    /**
     * 根據(jù)用戶(hù)名like查詢(xún)
     * @param username
     * @return
     */
    List<User> getUserByUsernameContains(String username);
    @Query("from User where id=:id")
    User getUserById(@Param("id") String id);
}

ResourceDao：

package com.cas.client1.dao;

import com.cas.client1.entity.Resource;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.stereotype.Repository;
import java.util.List;
/**
 * @author Administrator
 */
@Repository
public interface ResourceDao extends JpaRepository<Resource,String> {
    @Query("from Resource order by priority")
    List<Resource> getAllResource();
}

Service
UserService：

package com.cas.client1.service;

import com.cas.client1.dao.UserDao;
import com.cas.client1.entity.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.List;
@Service
public class UserService {
    @Autowired
    private UserDao userDao;
    public User findByUsername(String username){
        List<User> list = userDao.findByUsername(username);
        return list!=null&&list.size()>0?list.get(0):null;
    }
}

ResourceService：

package com.cas.client1.service;

import com.cas.client1.dao.ResourceDao;
import com.cas.client1.entity.Resource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.List;
@Service
public class ResourceService {
    @Autowired
    private ResourceDao resourceDao;
    public List<Resource> getAll(){
        return resourceDao.getAllResource();
    }
}

創(chuàng)建UserDetailsServiceImpl，實(shí)現(xiàn)UserDetailsService接口，這個(gè)類(lèi)是用以提供給Spring security從數(shù)據(jù)庫(kù)加載用戶(hù)信息的

package com.cas.client1.security;

import com.cas.client1.entity.User;
import com.cas.client1.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

/**
 * @author Administrator
 */
@SuppressWarnings("ALL")
@Component
public class UserDetailsServiceImpl implements UserDetailsService{
    @Autowired
    private UserService userService;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userService.findByUsername(username);
        return user;
    }


}

記得加@Component注解，以把實(shí)例交由Spring管理，或@Service，你們喜歡就好

創(chuàng)建SecurityMetaDataSource類(lèi)
該類(lèi)實(shí)現(xiàn)Spring security的FilterInvocationSecurityMetadataSource接口，作用是提供權(quán)限的元數(shù)據(jù)定義，并根據(jù)請(qǐng)求url匹配該url所需要的權(quán)限，獲取權(quán)限后交由AccessDecisionManager的實(shí)現(xiàn)者裁定能否訪(fǎng)問(wèn)這個(gè)url，不能則會(huì)返回403的http錯(cuò)誤碼
SecurityMetaDataSource：

package com.cas.client1.security;

import com.cas.client1.entity.Resource;
import com.cas.client1.service.ResourceService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

import javax.annotation.PostConstruct;
import java.util.*;

@Component
public class SecurityMetaDataSource implements FilterInvocationSecurityMetadataSource {

    @Autowired
    private ResourceService resourceService;

    private LinkedHashMap<String,Collection<ConfigAttribute>> metaData;
    @PostConstruct
    private void loadSecurityMetaData(){
        List<Resource> list = resourceService.getAll();
        metaData=new LinkedHashMap<>();
        for (Resource resource:list){
            List<ConfigAttribute> attributes=new ArrayList<>();
            attributes.add(new SecurityConfig(resource.getResCode()));
            metaData.put(resource.getUrl(),attributes);
        }
        List<ConfigAttribute> base=new ArrayList<>();
        base.add(new SecurityConfig("AUTH_0"));
        metaData.put("/**",base);
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation invocation= (FilterInvocation) object;
        if (metaData==null){
            return new ArrayList<>(0);
        }
        String requestUrl = invocation.getRequestUrl();
        System.out.println("請(qǐng)求Url："+requestUrl);
        Iterator<Map.Entry<String, Collection<ConfigAttribute>>> iterator = metaData.entrySet().iterator();
        Collection<ConfigAttribute> rs=new ArrayList<>();
        while (iterator.hasNext()){
            Map.Entry<String, Collection<ConfigAttribute>> next = iterator.next();
            String url = next.getKey();
            Collection<ConfigAttribute> value = next.getValue();
            RequestMatcher requestMatcher=new AntPathRequestMatcher(url);
            if (requestMatcher.matches(invocation.getRequest())){
                rs = value;
                break;
            }
        }
        System.out.println("攔截認(rèn)證權(quán)限為："+rs);
        return rs;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        System.out.println("invoke getAllConfigAttributes ");
        //loadSecurityMetaData();
        //System.out.println("初始化元數(shù)據(jù)");
        Collection<Collection<ConfigAttribute>> values = metaData.values();
        Collection<ConfigAttribute> all=new ArrayList<>();
        for (Collection<ConfigAttribute> each:values){
            each.forEach(configAttribute -> {
                all.add(configAttribute);
            });
        }
        return all;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}

同理：記得加上@Component注解

重頭戲來(lái)了！Spring security的配置
創(chuàng)建SpringSecurityConfig類(lèi)
該類(lèi)繼承于WebSecurityConfigurerAdapter，核心的配置類(lèi)，在這里定義Spring security的使用方式

SpringSecurityConfig

package com.cas.client1.security;

import com.cas.client1.config.CasProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

import java.util.ArrayList;
import java.util.List;

/**
 * Spring security配置
 * @author youyp
 * @date 2018-8-10
 */
@SuppressWarnings("ALL")
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Autowired
    private SecurityMetaDataSource securityMetaDataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
                "/error","/login.do");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("配置Spring security");
        http.formLogin()
                //指定登錄頁(yè)是”/login”
                .loginPage("/login.html").permitAll()
                .loginProcessingUrl("/login.do").permitAll()
                .defaultSuccessUrl("/home",true)
                .permitAll()
                //登錄成功后可使用loginSuccessHandler()存儲(chǔ)用戶(hù)信息，可選。
                //.successHandler(loginSuccessHandler()).permitAll()
                .and()
                .logout().permitAll()
                .invalidateHttpSession(true)
                .and()
                //登錄后記住用戶(hù)，下次自動(dòng)登錄,數(shù)據(jù)庫(kù)中必須存在名為persistent_logins的表
                .rememberMe()
                .tokenValiditySeconds(1209600)
                .and()
                .csrf().disable()
                //其他所有資源都需要認(rèn)證，登陸后訪(fǎng)問(wèn)
                .authorizeRequests().anyRequest().fullyAuthenticated();

        http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class);
    }

    /**
     * 注意：這里不能加@Bean注解
     * @return
     * @throws Exception
     */
    //@Bean
    public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception {
        FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor();
        filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource);
        filterSecurityInterceptor.setAuthenticationManager(authenticationManager());
        filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased());
        return filterSecurityInterceptor;
    }


    /**
     * 重寫(xiě)AuthenticationManager獲取的方法并且定義為Bean
     * @return
     * @throws Exception
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        //指定密碼加密所使用的加密器為passwordEncoder()
        //需要將密碼加密后寫(xiě)入數(shù)據(jù)庫(kù)
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        auth.eraseCredentials(false);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {

        return new BCryptPasswordEncoder(4);
    }


    /**
     * 定義決策管理器，這里可直接使用內(nèi)置的AffirmativeBased選舉器，
     * 如果需要，可自定義，繼承AbstractAccessDecisionManager，實(shí)現(xiàn)decide方法即可
     * @return
     */
    @Bean
    public AccessDecisionManager affirmativeBased(){
        List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>();
        voters.add(roleVoter());
        System.out.println("正在創(chuàng)建決策管理器");
        return new AffirmativeBased(voters);
    }

    /**
     * 定義選舉器
     * @return
     */
    @Bean
    public RoleVoter roleVoter(){
        //這里使用角色選舉器
        RoleVoter voter=new RoleVoter();
        System.out.println("正在創(chuàng)建選舉器");
        voter.setRolePrefix("AUTH_");
        System.out.println("已將角色選舉器的前綴修改為AUTH_");
        return voter;
    }

}

說(shuō)一個(gè)注意點(diǎn)：

FilterSecurityInterceptor這個(gè)過(guò)濾器最為重要，它負(fù)責(zé)數(shù)據(jù)庫(kù)權(quán)限信息加載，權(quán)限鑒定等關(guān)鍵動(dòng)作，這個(gè)過(guò)濾器位于SpringSecurityFilterChain，即Spring security的過(guò)濾器鏈中，如果將這個(gè)類(lèi)在配置類(lèi)中加了@Bean注解，那么它將直接加入web容器的過(guò)濾器鏈中，這個(gè)鏈?zhǔn)鞘讓舆^(guò)濾器鏈，
進(jìn)入這個(gè)過(guò)濾器鏈之后才會(huì)進(jìn)入SpringSecurityFilterChain這個(gè)負(fù)責(zé)安全的鏈條，如果這個(gè)跑到外層去了，就會(huì)導(dǎo)致這個(gè)獨(dú)有的過(guò)濾器一直在生效，請(qǐng)求無(wú)限被攔截重定向，因?yàn)檫@個(gè)過(guò)濾器前面沒(méi)有別的過(guò)濾器阻止它生效，如果它位于SpringSecurityFilterChain中，在進(jìn)入FilterSecurityInterceptor這個(gè)
過(guò)濾器之前會(huì)有很多的Spring security過(guò)濾器在生效，如果不滿(mǎn)足前面的過(guò)濾器的條件，不會(huì)進(jìn)入到這個(gè)過(guò)濾器。也就是說(shuō)，要進(jìn)入到這個(gè)過(guò)濾器，必須要從SpringSecurityFilterChain進(jìn)入，從其他地方進(jìn)入都會(huì)導(dǎo)致請(qǐng)求被無(wú)限重定向

另外
FilterSecurityInterceptor這個(gè)類(lèi)繼承于AbstractSecurityInterceptor并實(shí)現(xiàn)Filter接口，由此我們可以重寫(xiě)該類(lèi)，自定義我們的特殊業(yè)務(wù)，但是，個(gè)人覺(jué)得FilterSecurityInterceptor這個(gè)實(shí)現(xiàn)類(lèi)已經(jīng)很完整地實(shí)現(xiàn)了這個(gè)過(guò)濾器應(yīng)做的工作，沒(méi)有必要重寫(xiě)
類(lèi)似的，還有AccessDecisionManager這個(gè)“決策者”，Spring security為這個(gè)功能提供了幾個(gè)默認(rèn)的實(shí)現(xiàn)者，如AffirmativeBased這個(gè)類(lèi)，是一個(gè)基于投票的決策器，投票器（Voter）要求實(shí)現(xiàn)AccessDecisionVoter接口，Spring security已為我們提供了幾個(gè)很有用的投票器如RoleVoter，WebExpressionVoter
這些我們都沒(méi)有必要去自定義，而且自定義出來(lái)的也沒(méi)有默認(rèn)實(shí)現(xiàn)拓展性和穩(wěn)定性更好

再定義一個(gè)登陸的Controller
LoginController

package com.cas.client2.casclient2.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import javax.servlet.http.HttpSession;

@SuppressWarnings("ALL")
@Controller
public class LoginController {
    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * 自定義登錄地址
     * @param username
     * @param password
     * @param session
     * @return
     */
    @RequestMapping("login.do")
    public String login(String username,String passwod, HttpSession session){
        try {
            System.out.println("進(jìn)入登錄請(qǐng)求..........");
            UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,passwod);

            Authentication authentication=authenticationManager.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
            System.out.println("登錄成功");
            return "redirect:home.html";
        }catch (Exception e){
            e.printStackTrace();
            return "login.html";
        }

    }
}

創(chuàng)建幾個(gè)頁(yè)面：在resources下創(chuàng)建文件夾html，用于存放html靜態(tài)文件，
home.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>HOME</title>
</head>
<body>
<h1>welcome to Home</h1>
<button onclick="javascript:location.href='/logout'">退出</button>
</body>
</html>

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
    <meta charset="UTF-8">
    <title>登錄</title>
</head>

<body>
<span style="color: red" id="msg"></span>
<form action="/login.do" method="post">
    <div><label> User Name : <input type="text" name="username"/> </label></div>
    <div><label> Password: <input type="password" name="password"/> </label></div>
    <div><input type="submit" value="Sign In"/></div>
    <input type="checkbox" name="remember-me" value="true" th:checked="checked"/><p>Remember me</p>
</form>

</body>
<script type="text/javascript">
    var url=location.href
    var param=url.split("?")[1];
    console.log(param);
    if (param){
        var p=param.split("&");
        var msg=p[0].split("=")[1];
        document.getElementById("msg").innerHTML=msg;
    }
</script>
</html>

admin.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>admin</title>
</head>
<body>
你好，歡迎登陸,這是管理員界面，擁有/admin.html的訪(fǎng)問(wèn)權(quán)限才能訪(fǎng)問(wèn)
</body>
</html>

再定義幾個(gè)錯(cuò)誤頁(yè)面
在html文件夾下創(chuàng)建一個(gè)error文件夾，在error文件夾中創(chuàng)建403.html，404.html,500.html；在程序遇到這些錯(cuò)誤碼時(shí)，會(huì)自動(dòng)跳轉(zhuǎn)到對(duì)應(yīng)的頁(yè)面

先啟動(dòng)一下項(xiàng)目，讓spring-data-jpa反向生成一下表結(jié)構(gòu)
再往數(shù)據(jù)庫(kù)插入幾條數(shù)據(jù)：
用戶(hù)表的密碼需要放密文，我們把我們的明文密碼使用我們的密碼encoder轉(zhuǎn)一下：BCryptPasswordEncoder.encode("123");得到密文后存到數(shù)據(jù)庫(kù)的password字段中
用戶(hù)表：

資源表：即權(quán)限信息表

角色表：

角色權(quán)限中間表：

我們先不給用戶(hù)配置角色，現(xiàn)在是空角色

啟動(dòng)Spring boot啟動(dòng)類(lèi)，訪(fǎng)問(wèn)localhost:8083,檢測(cè)到?jīng)]登錄會(huì)自動(dòng)跳到登錄頁(yè)面，登錄后自動(dòng)跳轉(zhuǎn)到home.html

訪(fǎng)問(wèn)admin.html，返回403頁(yè)面，當(dāng)前用戶(hù)無(wú)權(quán)限訪(fǎng)問(wèn)

再將剛剛的角色分配給用戶(hù)，再次訪(fǎng)問(wèn)

此時(shí)便可訪(fǎng)問(wèn)，大功告成！

2.部署CAS server

cas全稱(chēng)Central Authentication Service，翻譯為：中央認(rèn)證服務(wù)；從名字我們便可得知，這是一個(gè)獨(dú)立的服務(wù)，主要負(fù)責(zé)用戶(hù)登錄憑證的驗(yàn)證；事實(shí)也是如此，cas有認(rèn)證中心和client端，認(rèn)證中心就是我們的cas server，負(fù)責(zé)用戶(hù)憑證的驗(yàn)證，需要獨(dú)立部署，cas client就是我們的各個(gè)相互信任的應(yīng)用
我們從cas官網(wǎng)下載源碼，從moudle中找到一個(gè).war后綴的文件，將這個(gè)文件拷出來(lái)，
改一下文件名為：cas，放到一個(gè)Tomcat中，啟動(dòng)tomcat，（端口先改一下，如8081），在瀏覽器中訪(fǎng)問(wèn)localhost:8081/cas即可看到cas的登錄界面

報(bào)了個(gè)警告，說(shuō)我們沒(méi)有配置ssl，也就是需要配置https，不過(guò)可以不用配置，
我們可以配置使用http：

設(shè)置cas server使用http非安全協(xié)議

主要有以下步驟：

1.WEB-INF/deployerConfigContext.xml中在<beanclass="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"p:httpClient-ref="httpClient"/>增加參數(shù)p:requireSecure="false"，是否需要安全驗(yàn)證，即HTTPS，false為不采用如下：<beanclass="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"p:httpClient-ref="httpClient"p:requireSecure="false"/>

1. WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml中將p:cookieSecure="true"修改為 p:cookieSecure="false"

2. WEB-INF/spring-configuration/warnCookieGenerator.xml中將p:cookieSecure="true"改為p:cookieSecure="false"

3. 在tomcat的server.xml中關(guān)閉8443端口，如下圖

3.配置CAS client

在之前Spring security的基礎(chǔ)上，我們加入cas認(rèn)證
在pom.xml中加入依賴(lài)包：

 <!-- security 對(duì)CAS支持 -->
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-cas</artifactId>
        </dependency>

修改一下我們的UserDetailsServiceImpl類(lèi)，讓它實(shí)現(xiàn)AuthenticationUserDetailsService<CasAssertionAuthenticationToken>接口
UserDetailsServiceImpl：

package com.cas.client1.security;

import com.cas.client1.entity.User;
import com.cas.client1.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
/**
 * @author Administrator
 */
@SuppressWarnings("ALL")
@Component
public class UserDetailsServiceImpl implements UserDetailsService,
        AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {
    @Autowired
    private UserService userService;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userService.findByUsername(username);
        return user;
    }
    /**
     * 實(shí)現(xiàn)AuthenticationUserDetailsService的方法，
     * 用于獲取cas server返回的用戶(hù)信息，再根據(jù)用戶(hù)關(guān)鍵信息加載出用戶(hù)在當(dāng)前系統(tǒng)的權(quán)限
     * @param token
     * @return
     * @throws UsernameNotFoundException
     */
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) throws UsernameNotFoundException {
        String name = token.getName();
        System.out.println("獲得的用戶(hù)名："+name);
        User user = userService.findByUsername(name);
        if (user==null){
            throw new UsernameNotFoundException(name+"不存在");
        }
}

在application.properties文件中加上以下內(nèi)容：

# cas服務(wù)器地址
cas.server.host.url=http://localhost:8081/cas
# cas服務(wù)器登錄地址
cas.server.host.login_url=${cas.server.host.url}/login
# cas服務(wù)器登出地址
cas.server.host.logout_url=${cas.server.host.url}/logout?service=${app.server.host.url}
# 應(yīng)用訪(fǎng)問(wèn)地址
app.server.host.url=http://localhost:8083
# 應(yīng)用登錄地址
app.login.url=/login.do
# 應(yīng)用登出地址
app.logout.url=/logout

新增一個(gè)配置實(shí)體類(lèi)

CasProperties

package com.cas.client1.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
@Component
public class CasProperties {
    @Value("${cas.server.host.url}")
    private String casServerUrl;
    @Value("${cas.server.host.login_url}")
    private String casServerLoginUrl;
    @Value("${cas.server.host.logout_url}")
    private String casServerLogoutUrl;
    @Value("${app.server.host.url}")
    private String appServerUrl;
    @Value("${app.login.url}")
    private String appLoginUrl;
    @Value("${app.logout.url}")
    private String appLogoutUrl;
   /**get set方法略
    */
}

再修改一下我們的Spring security配置類(lèi)

package com.cas.client1.security;

import com.cas.client1.config.CasProperties;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

import java.util.ArrayList;
import java.util.List;

/**
 * Spring security配置
 * @author youyp
 * @date 2018-8-10
 */
@SuppressWarnings("ALL")
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private CasProperties casProperties;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Autowired
    private SecurityMetaDataSource securityMetaDataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
                "/error","/login.do");
        //web.ignoring().antMatchers("/js/**","/css/**","/img/**","/*.ico",,"/home");
        //web.ignoring().antMatchers("/**");
//        super.configure(web);

    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("配置Spring security");
        http.formLogin()
                //指定登錄頁(yè)是”/login”
                //.loginPage("/login.html").permitAll()
                //.loginProcessingUrl("/login.do").permitAll()
                //.defaultSuccessUrl("/home",true)
                //.permitAll()
                //登錄成功后可使用loginSuccessHandler()存儲(chǔ)用戶(hù)信息，可選。
                //.successHandler(loginSuccessHandler()).permitAll()
                .and()
                .logout().permitAll()
                //退出登錄后的默認(rèn)網(wǎng)址是”/home”
                //.logoutSuccessUrl("/home.html")
                //.permitAll()
                .invalidateHttpSession(true)
                .and()
                //登錄后記住用戶(hù)，下次自動(dòng)登錄,數(shù)據(jù)庫(kù)中必須存在名為persistent_logins的表
                .rememberMe()
                .tokenValiditySeconds(1209600)
                .and()
                .csrf().disable()
                //其他所有資源都需要認(rèn)證，登陸后訪(fǎng)問(wèn)
                .authorizeRequests().anyRequest().fullyAuthenticated();
        http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
                .and()
                .addFilterAt(casAuthenticationFilter(),CasAuthenticationFilter.class)
                .addFilterBefore(casLogoutFilter(),LogoutFilter.class)
                .addFilterBefore(singleSignOutFilter(),CasAuthenticationFilter.class);
        /**
         *  FilterSecurityInterceptor本身屬于過(guò)濾器，不能在外面定義為@Bean，
         *  如果定義在外面，則這個(gè)過(guò)濾器會(huì)被獨(dú)立加載到webContext中，導(dǎo)致請(qǐng)求會(huì)一直被這個(gè)過(guò)濾器攔截
         *  加入到Springsecurity的過(guò)濾器鏈中，才會(huì)使它完整的生效
         */
        http.addFilterBefore(filterSecurityInterceptor(),FilterSecurityInterceptor.class);
    }

    /**
     * 注意：這里不能加@Bean注解
     * @return
     * @throws Exception
     */
//    @Bean
    public FilterSecurityInterceptor filterSecurityInterceptor() throws Exception {
        FilterSecurityInterceptor filterSecurityInterceptor=new FilterSecurityInterceptor();
        filterSecurityInterceptor.setSecurityMetadataSource(securityMetaDataSource);
        filterSecurityInterceptor.setAuthenticationManager(authenticationManager());
        filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased());
        return filterSecurityInterceptor;
    }

    /**
     * 認(rèn)證入口
     *  <p>
     *    <b>Note:</b>瀏覽器訪(fǎng)問(wèn)不可直接填客戶(hù)端的login請(qǐng)求,若如此則會(huì)返回Error頁(yè)面，無(wú)法被此入口攔截
     *  </p>
     * @return
     */
    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){
        CasAuthenticationEntryPoint casAuthenticationEntryPoint=new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties=new ServiceProperties();
        serviceProperties.setService(casProperties.getAppServerUrl()+casProperties.getAppLoginUrl());
        serviceProperties.setAuthenticateAllArtifacts(true);
        return serviceProperties;
    }

    //    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter=new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
//        casAuthenticationFilter.setAuthenticationSuccessHandler(
//                new SimpleUrlAuthenticationSuccessHandler("/home.html"));
        return casAuthenticationFilter;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider(){
        CasAuthenticationProvider casAuthenticationProvider=new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(userDetailsService);

        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
        casAuthenticationProvider.setKey("casAuthenticationProviderKey");
        return casAuthenticationProvider;
    }

    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
    }

    //    @Bean
    public SingleSignOutFilter singleSignOutFilter(){
        SingleSignOutFilter singleSignOutFilter=new SingleSignOutFilter();
        singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
        singleSignOutFilter.setIgnoreInitConfiguration(true);
        return singleSignOutFilter;
    }

    //    @Bean
    public LogoutFilter casLogoutFilter(){
        LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
        logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl());
        return logoutFilter;
    }

    /**
     * 重寫(xiě)AuthenticationManager獲取的方法并且定義為Bean
     * @return
     * @throws Exception
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        //指定密碼加密所使用的加密器為passwordEncoder()
        //需要將密碼加密后寫(xiě)入數(shù)據(jù)庫(kù)
        //auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        //auth.eraseCredentials(false);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {

        return new BCryptPasswordEncoder(4);
    }


    /**
     * 定義決策管理器，這里可直接使用內(nèi)置的AffirmativeBased選舉器，
     * 如果需要，可自定義，繼承AbstractAccessDecisionManager，實(shí)現(xiàn)decide方法即可
     * @return
     */
    @Bean
    public AccessDecisionManager affirmativeBased(){
        List<AccessDecisionVoter<? extends Object>> voters=new ArrayList<>();
        voters.add(roleVoter());
        System.out.println("正在創(chuàng)建決策管理器");
        return new AffirmativeBased(voters);
    }

    /**
     * 定義選舉器
     * @return
     */
    @Bean
    public RoleVoter roleVoter(){
        //這里使用角色選舉器
        RoleVoter voter=new RoleVoter();
        System.out.println("正在創(chuàng)建選舉器");
        voter.setRolePrefix("AUTH_");
        System.out.println("已將角色選舉器的前綴修改為AUTH_");
        return voter;
    }


    @Bean
    public LoginSuccessHandler loginSuccessHandler() {
        return new LoginSuccessHandler();
    }


}

這里我們新增了幾個(gè)filter，請(qǐng)注意，這幾個(gè)filter定義時(shí)都不能配置@Bean注解，原因以上相同，這幾個(gè)filter都要加入到springSecurity的FilterChain中，而不是直接加入到web容器的FilterChain中
再修改一下LoginController

package com.cas.client1.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpSession;
@SuppressWarnings("Duplicates")
@Controller
public class LoginController {
    @Autowired
    private AuthenticationManager authenticationManager;
    /**
     * 自定義登錄地址
     * @param username
     * @param password
     * @param session
     * @return
     */
    @RequestMapping("login.do")
    public String login(String ticket, HttpSession session){
        try {
            System.out.println("進(jìn)入登錄請(qǐng)求..........");
            //cas單點(diǎn)登錄的用戶(hù)名就是：_cas_stateful_ ，用戶(hù)憑證是server傳回來(lái)的ticket
            String username = CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER;
            UsernamePasswordAuthenticationToken token=new UsernamePasswordAuthenticationToken(username,ticket);
            Authentication authentication=authenticationManager.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
            System.out.println("登錄成功");
            return "redirect:home.html";
        }catch (Exception e){
            e.printStackTrace();
            return "login.html";
        }
    }
}

這時(shí)，之前負(fù)責(zé)登錄的loginController不再是驗(yàn)證用戶(hù)名和密碼正不正確了，因?yàn)橛脩?hù)名密碼的驗(yàn)證已經(jīng)交給cas server了，LoginController的工作就是接收cas server重定向時(shí)傳回來(lái)的ticket，驗(yàn)證ticket的有效性，如果沒(méi)有異常，則會(huì)進(jìn)入到UserDetailsServiceImpl中的loadUserDetails方法，并根據(jù)用戶(hù)名加載用戶(hù)權(quán)限等信息，然后我們?cè)賹⒂脩?hù)信息存入Session，完成本地登錄，本地登錄之后，用戶(hù)每次請(qǐng)求時(shí)，就不需要再次驗(yàn)證ticket了，而是驗(yàn)證Session

到這里，cas client已經(jīng)配置完成，為了看清楚流程，我們以debug模式啟動(dòng)一下項(xiàng)目，在loginController的login方法開(kāi)頭打一個(gè)斷點(diǎn)，打開(kāi)瀏覽器調(diào)試模式（F12），切換到network看請(qǐng)求，在瀏覽器中輸入：localhost:8083,瀏覽器會(huì)自動(dòng)重定向到cas server 的登錄頁(yè)面，如下圖：

我們輸入一個(gè)數(shù)據(jù)庫(kù)中有的用戶(hù)名，再在密碼欄中輸入一次用戶(hù)名，因?yàn)檫@里的cas server驗(yàn)證方式還沒(méi)改，只要求用戶(hù)名和密碼相同就可通過(guò)驗(yàn)證，后面我會(huì)研究一下怎么修改cas server 的驗(yàn)證方式為數(shù)據(jù)庫(kù)驗(yàn)證
如輸入：用戶(hù)名：user 密碼：user
點(diǎn)擊登錄，驗(yàn)證成功后，我們看F12 network請(qǐng)求，發(fā)現(xiàn)瀏覽器發(fā)送了兩個(gè)請(qǐng)求，一個(gè)是8081的，也就是cas server的，另外一個(gè)是8083的，也就是我們的client端的，如圖：

另一個(gè)

因?yàn)槲覀冊(cè)诤笈_(tái)開(kāi)了debug模式，打了斷點(diǎn)，所以后面這個(gè)請(qǐng)求一直在pending狀態(tài)，我們先看第一個(gè)請(qǐng)求的詳細(xì)情況：

很明顯的，這個(gè)請(qǐng)求發(fā)送了我們的用戶(hù)名和密碼，由此可知，這個(gè)請(qǐng)求的作用就是負(fù)責(zé)在cas server后臺(tái)驗(yàn)證用戶(hù)名的密碼，驗(yàn)證成功后，會(huì)自動(dòng)重定向到第二個(gè)請(qǐng)求
我們?cè)賮?lái)看第二個(gè)請(qǐng)求：

這個(gè)請(qǐng)求就是我們cas client所配置的登錄地址，此時(shí)這個(gè)請(qǐng)求后面自動(dòng)帶上了一個(gè)名為ticket的參數(shù)，參數(shù)值是一串自動(dòng)生成的隨機(jī)字符串，由cas server生成的
我們?cè)倩氐胶笈_(tái)，沒(méi)什么錯(cuò)誤的話(huà)，我們可以看到LoginController接收到了這個(gè)參數(shù)，我們先在UserDetailsServiceImpl類(lèi)的loadUserDetails方法的開(kāi)頭打一個(gè)斷點(diǎn)，按F8讓調(diào)試器跑走，此時(shí)，我們就可以看到調(diào)試器跳到了我們剛剛打的UserDetasServiceImpl的斷點(diǎn)中，再看看參數(shù)

可以看出，我們接收到了cas server認(rèn)證完ticket后傳回來(lái)的用戶(hù)名，我們根據(jù)用戶(hù)名加載對(duì)應(yīng)的權(quán)限，返回即可，此時(shí)我們?cè)俅伟碏8跳走
再回到界面，發(fā)現(xiàn)我們已經(jīng)可以訪(fǎng)問(wèn)頁(yè)面了：

下一步，就是驗(yàn)證多個(gè)應(yīng)用之間是否能只登陸一次就不用再登陸了；
我們將當(dāng)前項(xiàng)目拷貝一份，改名稱(chēng)為cas-client2（maven的groupId和artifactId），再修改一下端口為8082，，記得對(duì)應(yīng)的cas配置也要改：

啟動(dòng)項(xiàng)目
先訪(fǎng)問(wèn)localhost:8082

發(fā)現(xiàn)它自動(dòng)跳轉(zhuǎn)到了8081的cas server
再打開(kāi)另外一個(gè)瀏覽器標(biāo)簽，訪(fǎng)問(wèn)localhost:8083

發(fā)現(xiàn)它也自動(dòng)跳到了cas的登錄頁(yè)面，我們先在這里輸入賬號(hào)密碼登錄：

登錄成功后，我們?cè)偾袚Q回剛剛沒(méi)登錄的8082的網(wǎng)頁(yè)標(biāo)簽，刷新一下，

ok，8082也不用登陸了，大功告成！

源碼地址：

https://github.com/yupingyou/casclient.git

另：Spring security原本默認(rèn)有個(gè)/login和/logout的handler，（以前不是這個(gè)地址，不知道從哪個(gè)版本開(kāi)始改了，以前好像是_spring_security_check,大概是這個(gè)，記不太清，我用了4以后就發(fā)現(xiàn)地址變了），但是我發(fā)現(xiàn)我訪(fǎng)問(wèn)/login的時(shí)候出現(xiàn)404，但/logout可以訪(fǎng)問(wèn)，沒(méi)發(fā)現(xiàn)什么原因，后來(lái)我就自定義一個(gè)登陸了，也就是我配置的/login.do，代替了默認(rèn)的/login

到此這篇關(guān)于Spring boot security權(quán)限管理集成cas單點(diǎn)登錄的文章就介紹到這了,更多相關(guān)Spring boot security集成cas單點(diǎn)登錄內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: