http://blog.csdn.net/peterwanghao/article/details/8825008
CAS integration is a new feature of the Shiro 1.2 release.
The shiro-cas module lets a web application act as a CAS client, so that the application is protected by a CAS single sign-on (SSO) server.
A basic understanding of the CAS protocol:
1. When you access a page of an application protected by a CAS client and are not yet authenticated, you are redirected to the CAS server's login page. The application therefore has to be configured with the CAS login URL.
http://application.examples.com/protected/index.jsp → HTTP 302 → https://server.cas.com/login?service=http://application.examples.com/shiro-cas
2. After you enter your username and password and the CAS server authenticates you, you are redirected back to the application URL with a service ticket appended. A service ticket is a one-time token that identifies the user (and, optionally, the user's attributes) on the CAS server.
https://server.cas.com/login?service=http://application.examples.com/shiro-cas → HTTP 302 → http://application.examples.com/shiro-cas?ticket=st-4545454542121-cas
3. The application asks the CAS server whether the ticket is valid, and the CAS server answers with the authenticated user's identity. The CAS client then forwards the user to the protected page.
http://application.examples.com/shiro-cas?ticket=st-4545454542121-cas → HTTP 302 → http://application.examples.com/protected/index.jsp
How do I configure Shiro to work with a CAS server?
Add the shiro-cas Maven dependency to your application:
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-cas</artifactId>
    <version>version</version>
</dependency>
Add a service URL to your application that receives the CAS service ticket.
Define the casFilter in the Shiro configuration:
[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
Map the filter to that URL:
[urls]
/shiro-cas = casFilter
After the user has been authenticated by the CAS server, they are redirected to the application's service URL (/shiro-cas). The filter receives the service ticket there and creates a CasToken that the CasRealm can use.
CasRealm uses the CasToken created by CasFilter to verify the user against the CAS server. Add CasRealm to your Shiro configuration:
[main]
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
#casRealm.defaultPermissions
#casRealm.roleAttributeNames
#casRealm.permissionAttributeNames
#casRealm.validationProtocol = SAML
casRealm.casServerUrlPrefix = https://server.cas.com/
casRealm.casService = http://application.examples.com/shiro-cas
casServerUrlPrefix is the address of the CAS server.
casService is the application service URL that receives CAS service tickets.
validationProtocol is either SAML or CAS; the default is CAS. Which value you can use depends on the CAS server version: the SAML protocol is only available with CAS server 3.1 or later.
defaultRoles are the roles granted to every user after successful authentication.
defaultPermissions are the permissions granted to every user after successful authentication.
roleAttributeNames are the names of the user attributes, returned by the CAS server, that carry the user's roles, separated by commas.
permissionAttributeNames are the names of the user attributes, returned by the CAS server, that carry the user's permissions, separated by commas.
The CAS server can support the 'Remember Me' feature, which is exposed through SAML validation or a customized CAS validation. To use it, define the casSubjectFactory in the Shiro configuration:
[main]
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
Finally, add access control to your application. Define the URLs that must be protected and the CAS server login URL to which unauthenticated users are sent:
[main]
roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas
[urls]
/protected/** = roles[ROLE_USER]
/** = anon
A complete configuration example:
[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = https://server.cas.com/
casRealm.casService = http://application.examples.com/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
roles.loginUrl = https://server.cas.com/login?service=http://application.examples.com/shiro-cas
[urls]
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]
/** = anon
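To make the three-step flow and the realm's attribute-to-role mapping concrete, here is an added stand-alone Python model of what a CAS client does at each step; it is a constructed example, not Shiro's or CAS's own code. It builds the login redirect from casServerUrlPrefix and casService, extracts the ticket from the /shiro-cas callback, and parses a CAS 2.0 /serviceValidate reply (the default CAS validation protocol, not SAML), applying roleAttributeNames on top of defaultRoles the way the realm settings above describe. The XML replies are constructed samples and the attribute name memberOf is an assumption.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample replies, in the shape a CAS server returns for
# GET <casServerUrlPrefix>/serviceValidate?service=...&ticket=...
VALID_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:memberOf>ROLE_ADMIN,ROLE_AUDIT</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
INVALID_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect(cas_server_url_prefix, cas_service):
    """Step 1: the roles.loginUrl an unauthenticated user is redirected to."""
    return cas_server_url_prefix.rstrip("/") + "/login?" + urlencode({"service": cas_service})


def ticket_from_callback(url):
    """Step 2: the service ticket CasFilter reads from the casService callback URL."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def validate_ticket(xml_text, role_attribute_names, default_roles):
    """Step 3: parse the serviceValidate reply and derive the roles the realm
    would grant from defaultRoles plus the attributes named in roleAttributeNames."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        # A rejected ticket must never yield a principal; CasFilter would send the user to failureUrl.
        raise ValueError("ticket rejected: " + failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS).text.strip()
    attributes = {}
    for child in success.findall("cas:attributes/*", CAS_NS):
        name = child.tag.split("}")[-1]  # drop the namespace prefix
        attributes.setdefault(name, []).append(child.text or "")
    roles = set(default_roles)
    for attr in role_attribute_names:
        for value in attributes.get(attr, []):
            roles.update(v.strip() for v in value.split(",") if v.strip())
    return user, roles
```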