Background:
To improve the user experience, the company required all systems to integrate with the unified portal (the CAS system). The system I am responsible for does not use a framework, so the integration can be configured directly in web.xml. The main scenarios to cover are:
1. A user opens the application directly without being logged in to CAS: they must first be redirected to CAS for authentication and then sent back to the original system;
2. A user who is already logged in to the unified portal (CAS) can enter the application without authenticating again;
3. When a user logs out of the application, the unified portal (CAS) must be notified so that the server-side session is also ended;
4. After a user is created in the unified portal and assigned a role, the new user can access the application directly.
Approach
1. Understanding the CAS login process
References:
https://blog.csdn.net/qq_34246546/article/details/79493208
https://blog.csdn.net/ban_tang/article/details/80015946
https://www.cnblogs.com/ssgao/p/8816828.html
Key point: understand the three terms TGT (Ticket Granting Ticket), TGC (Ticket Granting Cookie) and ST (Service Ticket).
The CAS client intercepts requests with filters and talks to the CAS server on the application's behalf. Its configuration consists mainly of the following filters:
1. AuthenticationFilter: checks whether the user is logged in; if so, the request proceeds to step 2, otherwise the user is redirected to the CAS server
2. TicketValidationFilter: validates the Service Ticket received by the client
3. HttpServletRequestWrapperFilter
4. AssertionThreadLocalFilter
2. Login redirect issue
References:
https://blog.csdn.net/shzy1988/article/details/50662462
https://www.cnblogs.com/fengmao/p/8137205.html
https://blog.csdn.net/wuzhong8809/article/details/84032196
https://www.cnblogs.com/eguid/p/6821622.html
JAR: cas-client.3.1.6.jar
Enabling Debug logging lets you follow the CAS call sequence.
The key web.xml configuration is as follows:
```xml
<!-- CAS single sign-on (SSO) filter configuration (start) -->
<!-- This filter implements single sign-out; it is mapped before the authentication filter. -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS: listener used for single sign-out -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- This filter handles user authentication; it must be enabled. -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <!-- The URL below is the CAS server's login address (CAS_SERVER_IP is a placeholder) -->
        <param-value>http://CAS_SERVER_IP:8080/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <!-- The URL below is the address of this web application (APP_SERVER_IP is a placeholder) -->
        <param-value>http://APP_SERVER_IP:8080</param-value>
    </init-param>
    <init-param>
        <!-- During testing the application did not redirect automatically after the CAS login.
             The Debug log showed that this parameter is required; once it was set, the redirect worked. -->
        <param-name>redirect</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- This filter validates the ticket; it must be enabled. -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <!-- The URL below is the CAS server's validation address (CAS_SERVER_IP is a placeholder) -->
        <param-value>http://CAS_SERVER_IP:8080/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <!-- The URL below is the address of this web application (APP_SERVER_IP is a placeholder) -->
        <param-value>http://APP_SERVER_IP:8080</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter wraps the HttpServletRequest so that, for example, developers can obtain
    the SSO login name through HttpServletRequest.getRemoteUser(). Optional.
-->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!--
    This filter lets developers obtain the login name through org.jasig.cas.client.util.AssertionHolder,
    for example AssertionHolder.getAssertion().getPrincipal().getName().
-->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
3. Logout
References:
https://blog.csdn.net/shangzhiliang_2008/article/details/34870993/
The key point: the back end must call the CAS logout URL.
# CAS logout
Reprinted from [道仁](https://me.csdn.net/shangzhiliang_2008), published 2014-06-26 18:47:27
After adopting CAS, I found that logging out is a real hassle: after logout the browser lands on the CAS logout page, and unless the browser is closed you are not really logged out, because entering a URL still shows you as logged in. To be redirected to the login page after logout, I made the following configuration:
1. Server side
Modify the logoutController in src\main\webapp\WEB-INF\cas-servlet.xml.
Add **p:followServiceRedirects="true"** so that logout accepts a service parameter as the redirect target.
```xml
<bean id="logoutController" class="org.jasig.cas.web.LogoutController"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:logoutView="casLogoutView"
    p:warnCookieGenerator-ref="warnCookieGenerator"
    p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
    p:followServiceRedirects="true"
/>
```
2. Client side
Add the following to web.xml before the login filter:
```xml
<!-- Fill in the logout URL -->
<context-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>http://10.1.83.34:8080/cas/logout</param-value>
</context-param>
<!-- Single sign-out configuration -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
In the JSP, if the logout link goes straight to cas/logout, the browser lands on the CAS logout page. In that state, if you click the browser's back button you find you can still use the application normally, which means the session was not invalidated; presumably CAS's logout only removes the TGT.
To solve this, I had to write a separate JSP. The logout button goes to this JSP, which first invalidates the session and then redirects to the CAS logout URL with a service parameter, so that the user lands on the login page.
```html
<a href="${pageContext.request.contextPath}/web-root/include/logout.jsp"></a>
<div id="box_T5" class="toptaps5">Log out</div>
```
Contents of logout.jsp:
```jsp
<body>
<%
    // Invalidate the local session first, then hand off to CAS logout.
    session.invalidate();
    // casServerLogoutUrl and serverName are read from the context-params; the
    // service parameter tells CAS where to send the browser afterwards.
    response.sendRedirect(application.getInitParameter("casServerLogoutUrl")
        + "?service="
        + application.getInitParameter("serverName") + "/myweb");
%>
</body>
```
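The same logout flow as a servlet, added here as an example that is not from the original post or the reprinted article. It reads casServerLogoutUrl and serverName from the context-params shown above, and goes one step further than the JSP by URL-encoding the service value, deriving the return address only from configuration, and marking the response as uncacheable; the class name, the javax.servlet API and the web.xml mapping are assumptions.

```java
package example.sso; // package name is an assumption

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Map in web.xml, e.g. <url-pattern>/cas-logout</url-pattern> (assumed path), and point
 * the logout button at it instead of at logout.jsp. Requires the CAS server to honour the
 * service parameter (p:followServiceRedirects="true" in cas-servlet.xml, as above).
 */
public class CasLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Invalidate the local session first. Without this step the browser's back button
        //    still reaches pages served under the old session, the problem described above.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Build the return address from deployment configuration only, never from a
        //    request parameter, so the logout endpoint cannot be used as an open redirect.
        String logoutUrl = getServletContext().getInitParameter("casServerLogoutUrl");
        String serverName = getServletContext().getInitParameter("serverName");
        String service = serverName + req.getContextPath() + "/"; // e.g. http://host:8080/myweb/

        // 3. URL-encode the service value; the JSP above concatenates it raw, which breaks
        //    as soon as the application URL contains characters such as '?' or '&'.
        String target = logoutUrl + "?service=" + URLEncoder.encode(service, "UTF-8");

        // 4. Stop caches from replaying logged-in pages, then send the browser to CAS logout.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.sendRedirect(target);
    }
}
```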
4. User synchronization
1. The unified portal (CAS) calls the application system's real-time interface to synchronize users and roles
2. A batch data synchronization runs at night