In general, the security of a web application has two parts: user authentication and user authorization. User authentication verifies that a user is a legitimate principal in the system, that is, that the user may access the system. User authorization verifies that a user has permission to perform an action. Different users in a system have different permissions. For example, for a given file, some users can only read it and others may also change it. Typically the system assigns roles to users, and each role corresponds to a set of permissions.
The Spring Security framework supports both of these scenarios well. For user authentication, it supports the mainstream authentication methods, including HTTP Basic authentication, HTTP form authentication, HTTP Digest authentication, OpenID, and LDAP. For user authorization, Spring Security provides role-based access control and access control lists (ACLs), which allow fine-grained control over the domain objects in the application.
If Spring Security is integrated with CAS single sign-on, with CAS performing authentication and supplying the authorization information and Spring Security checking permissions, the common authentication and authorization are cleanly separated from the specific application and the application configuration is simplified. This article explains the integration of Spring Security and CAS.
I. Basic requirements
1. JDK 5.0
2. Tomcat 6
3. Spring 3.0.5.RELEASE
4. Spring Security 3.1.0.RELEASE
5. CAS: cas-server-3.4.7, cas-client-3.2.0
6. Transport over the HTTP protocol
7. User authentication via JDBC; the CAS server must provide additional information beyond the login user name (for Spring Security to verify permissions)
II. Building the CAS server
1. Download CAS from http://www.jasig.org/cas/download and extract it. Locate cas-server-3.4.7-release\cas-server-3.4.7\modules\cas-server-webapp-3.4.7.war, unpack cas-server-webapp-3.4.7.war, and deploy it to a Tomcat server listening on port 8080, for example at the path http://localhost:8080/cas. To meet the requirements above, the main file to modify is /WEB-INF/deployerConfigContext.xml.
2. To authenticate users against a JDBC data source, modify the authenticationHandlers section of deployerConfigContext.xml
<property name="authenticationHandlers">
  <list>
    <!--
     | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
     | a server side SSL certificate.
     +-->
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient"/>
    <!--
     | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
     | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
     | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
     | local authentication strategy. You might accomplish this by coding a new such handler and declaring
     | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
     +-->
    <!-- Commented out; otherwise any login whose user name and password are identical is authenticated -->
    <!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/> -->
    <!-- Database authentication method -->
    <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
      <property name="dataSource" ref="dataSource"/>
      <property name="sql" value="select password from t_admin_user where login_name=?"/>
    </bean>
  </list>
</property>
<!-- Data source configuration added for the database -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
  <property name="url"><value>jdbc:mysql:///cas?useUnicode=true&amp;characterEncoding=utf-8</value></property>
  <property name="username"><value>root</value></property>
</bean>
3. To have the CAS server provide additional information beyond the login user name (for Spring Security to verify permissions), modify /WEB-INF/deployerConfigContext.xml
3.1 Modify credentialsToPrincipalResolvers
<property name="credentialsToPrincipalResolvers">
  <list>
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
      <!-- Add this property so that attributes are attached to the authenticated user's principal -->
      <property name="attributeRepository" ref="attributeRepository"/>
    </bean>
    <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
  </list>
</property>
3.2 Modify the default attributeRepository bean configuration in this file
<!-- Use SingleRowJdbcPersonAttributeDao to get more user information -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
  <constructor-arg index="0" ref="dataSource"/>
  <constructor-arg index="1" value="select role_name,group_name from role where login_name =?"/>
  <!-- The key here must be written as username; the value is the corresponding user-name column in the database -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="login_name"/>
    </map>
  </property>
  <!-- The key is the database column; the value is the parameter name the client receives -->
  <property name="resultAttributeMapping">
    <map>
      <!-- The role obtained from the database, used for Spring Security authorization in the application -->
      <entry key="role_name" value="authorities"/>
    </map>
  </property>
</bean>
3.3 Comment out all of the properties of the default serviceRegistryDao bean in this file
The ignoreAttributes property of the RegisteredServiceImpl entries in this bean determines whether the attributes content is added. The default is false (do not add); only when this configuration is removed does the CAS server add the additional attributes it obtained for the user to the attributes of the authenticated principal.
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"></bean>
3.4 If the CAS Cas20ServiceTicketValidator is used for validation, you need to modify the WEB-INF\view\jsp\protocol\2.0\casServiceValidationSuccess.jsp file so that the acquired attributes are passed to the client
<%@ page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}</cas:user>
    <c:if test="${not empty pgtIou}">
      <cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>
    </c:if>
    <c:if test="${fn:length(assertion.chainedAuthentications) > 1}">
      <cas:proxies>
        <c:forEach var="proxy" items="${assertion.chainedAuthentications}" varStatus="loopStatus" begin="0" end="${fn:length(assertion.chainedAuthentications)-2}" step="1">
          <cas:proxy>${fn:escapeXml(proxy.principal.id)}</cas:proxy>
        </c:forEach>
      </cas:proxies>
    </c:if>
    <!-- Add the following content -->
    <c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
      <cas:attributes>
        <c:forEach
            var="attr"
            items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"
            varStatus="loopStatus"
            begin="0"
            end="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)-1}"
            step="1">
          <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
      </cas:attributes>
    </c:if>
  </cas:authenticationSuccess>
</cas:serviceResponse>
At this point, the CAS server is built.
III. Building the CAS client (i.e. the Spring Security application)
1. The CAS client needs the Spring Security jars, such as spring-security-cas-3.1.0.M2.jar, and also cas-client-core-3.2.0.jar, which is used to obtain the relevant authentication and authorization information from the CAS server.
2. Add the following to the CAS client application's web.xml
<!-- Spring configuration file -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath:applicationContext-security-ns.xml</param-value>
</context-param>
<!-- Spring Security filter -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring default listener -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
3. The Spring Security configuration file applicationContext-security-ns.xml
<?xml version="1.0"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <!--
    Enable security, let the casAuthenticationEntryPoint handle all intercepted URLs.
    The CAS_FILTER needs to be in the right position within the filter chain.
  -->
  <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
    <security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>
    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></security:custom-filter>
  </security:http>
  <!--
    Required for the casProcessingFilter, so define it explicitly and
    specify an id even though the authenticationManager is created by
    default when namespace based config is used.
  -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider"></security:authentication-provider>
  </security:authentication-manager>
  <!--
    This section is used to configure CAS. The service is the
    actual redirect that will be triggered after the CAS login sequence.
  -->
  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <!-- http://localhost:8088/SpringSecurity is the specific application -->
    <!-- j_spring_cas_security_check is Spring's virtual URL; it marks the request to be authenticated with CAS on return from the CAS SSO login -->
    <property name="service" value="http://localhost:8088/SpringSecurity/j_spring_cas_security_check"></property>
    <property name="sendRenew" value="false"></property>
  </bean>
  <!--
    The CAS filter handles the redirect from the CAS server and starts the ticket validation.
  -->
  <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"></property>
  </bean>
  <!--
    The entry point intercepts all the CAS authentication requests.
    It redirects to the CAS loginUrl for the CAS login page.
  -->
  <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <!-- SSO login address -->
    <property name="loginUrl" value="http://localhost:8080/cas/login"></property>
    <property name="serviceProperties" ref="serviceProperties"></property>
  </bean>
  <!--
    Handles the CAS ticket processing.
  -->
  <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
    <property name="serviceProperties" ref="serviceProperties"></property>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <!-- SSO validation address -->
        <constructor-arg index="0" value="http://localhost:8080/cas"/>
      </bean>
    </property>
    <property name="key" value="CAS"></property>
  </bean>
  <!-- authorities corresponds to the login attribute of the CAS server; it is set into Spring Security here and used for Spring Security's checks -->
  <bean id="authenticationUserDetailsService" class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
    <constructor-arg>
      <array>
        <value>authorities</value>
      </array>
    </constructor-arg>
  </bean>
</beans>
At this point, the CAS client is built.
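How the authorities attribute emitted by casServiceValidationSuccess.jsp ends up as the role checked by access="ROLE_USER", as an added example (not from the original article, nor CAS or Spring Security code): it parses a constructed validation response with the JDK XML parser and upper-cases the values, modelling the default behaviour of GrantedAuthorityFromAssertionAttributesUserDetailsService. The class name CasAttributeDemo, the user alice and the sample response are assumptions, and the code assumes Java 7 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class CasAttributeDemo {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Constructed sample of the response the modified JSP produces (hypothetical user and role).
    static final String RESPONSE =
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
      + "<cas:authenticationSuccess><cas:user>alice</cas:user>"
      + "<cas:attributes><cas:authorities>role_user</cas:authorities></cas:attributes>"
      + "</cas:authenticationSuccess></cas:serviceResponse>";

    /** Returns the upper-cased values of cas:attributes/cas:NAME from a success response. */
    static List<String> authorities(String xml, String name) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response crosses a trust boundary: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> out = new ArrayList<>();
        NodeList success = d.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (success.getLength() != 1) return out;  // failure response: nothing granted
        NodeList attrs = ((Element) success.item(0)).getElementsByTagNameNS(CAS_NS, "attributes");
        if (attrs.getLength() == 0) return out;    // JSP not modified, or attributes not released
        NodeList values = ((Element) attrs.item(0)).getElementsByTagNameNS(CAS_NS, name);
        for (int i = 0; i < values.getLength(); i++) {
            // No ROLE_ prefix is added: the database value must already be the full role name.
            out.add(values.item(i).getTextContent().trim().toUpperCase(Locale.ROOT));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> granted = authorities(RESPONSE, "authorities");
        System.out.println("granted = " + granted);
        System.out.println("satisfies access=\"ROLE_USER\": " + granted.contains("ROLE_USER"));
    }
}
```

An empty list here corresponds to a user who authenticates at CAS but is denied by the intercept-url rule, which is the symptom to expect if step 3.3 or 3.4 on the server was skipped.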
IV. Summary
With the above configuration, the application no longer has to handle user authentication and authorization itself; it only needs to configure the relevant role access in the application. That is, you can complete the authentication and authorization of your application simply by modifying the red part below. This greatly simplifies separating authentication and authorization from the application.
<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
  <security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>
  <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></security:custom-filter>
</security:http>
V. Extension
If there are multiple applications under the same SSO, and the same user has different roles in different applications, consider extending how user permissions are obtained, for example by configuring the resources and roles in the database.
CAS Spring Security 3 integration configuration (reposted)