Single Sign-On CAS and permission management framework Shiro integration-common web project method

Spring security is a powerful security management framework, which is the first thing that requires permission management for projects. However, its complexity and learning curve are daunting, seeking for other solutions, I learned about this framework after using Shiro for permission management in another project team, and found that it is much simpler than spring security, so I plan to use this framework, first of all, it is necessary to integrate with the current system. Now the system uses CAS for Logon verification. Therefore, CAS and Shiro should be integrated first. Check the Shiro official website and find a CAS module. Download and try it out. The following is the integration method. Suppose you have set up a CAS server (For details, refer to Google Baidu)

I use Maven to manage projects. first introduce the Shiro jar package.

<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-cas</artifactId><version>1.2.0</version></dependency>

Configure web. xml and add a Shiro Filter

<filter><filter-name>shiroFilter</filter-name><filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class><init-param><param-name>configPath</param-name><param-value>classpath:META-INF/shiro/shiro.ini</param-value></init-param></filter><filter-mapping><filter-name>shiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>

Shiro. INI is the Shiro configuration file. You can specify the path based on the actual situation.

Shiro. ini configuration

[Main] casfilter = org. apache. shiro. CAS. casfilter # failure page of configuration verification error casfilter. failureurl =/error. JSP # configure casrealmcasrealm = org. apache. shiro. CAS. casrealmcasrealm. defaultroles = role_usercasrealm.casserverurlprefix = https://www.cas.com # The callback address setting of the client must be consistent with the address intercepted by the Shiro-cas filter below casrealm. casservice = http://www.example.com/shiro-cas.pdf if you want to implement the remember me function of the case, you need to introduce the following two configurations: cassubjectfactory = org. apache. shiro. CAS. cassubj Ectfactorysecuritymanager. subjectfactory = $ cassubjectfactory # Set the login link for the role. Here the link to the CAS login page can be configured with the callback address roles. loginurl = https://www.cas.com/login? Service = http://shop.youboy.com: 8080/cshop/Shiro-cas [URLs] # Set the address intercepted by the Shiro-cas filter/Shiro-cas = casfilter/admin/** = roles [role_user]/** = Anon

Note that the callback address set by casrealm. casservice must be consistent with the address of the following casfilter; otherwise, the verification fails. For more information about Shiro configuration, refer to the official documentation.

In this way, when you access www.example.com/admin/index.html, the system will jump to the example page if you do not renew your subscription.

If you want to obtain the information of more users returned by CAS, such as the user name, user ID, and user email address, you can add a filter, which must be followed by the Shiro filter, otherwise, no relevant information is obtained. The filter code is as follows:

Public void dofilter (servletrequest request, servletresponse response, filterchain chain) throws ioexception, servletexception {principalcollection = securityutils. getsubject (). getprincipals (); If (principalcollection! = NULL) {list principals = principalcollection. aslist (); // The list obtained here has two elements. // One is the user name returned by CAS, for example, AAA, // a map object that is returned by CAS for more attributes, for example, {uid: AAA, Username: AAA, email: AAA} // use principals. get (1) to obtain the map object Map <string, string> attributes = (Map <string, string>) principals of the attribute set. get (1); If (principals! = NULL) {string email = attributes. get ("email"); string username = attributes. get ("username"); string uid = attributes. get ("uid"); // reprocess the obtained information} chain. dofilter (request, response );}

After obtaining the information, you can set it to the session or decide how to set it.