Spring Security and CAS interaction process
- The user browses the service's public pages. Neither Spring Security nor CAS is involved.
- The user requests a page that is secured, or one that uses a secured bean. Spring Security's ExceptionTranslationFilter detects the resulting AccessDeniedException or AuthenticationException.
- Because the user's Authentication object (or the lack of one) caused an AuthenticationException, ExceptionTranslationFilter invokes the configured AuthenticationEntryPoint. With CAS this is the CasAuthenticationEntryPoint class.
- CasAuthenticationEntryPoint redirects the user's browser to the CAS server, adding a service parameter that holds the callback URL of the Spring Security application. For example, the browser might be redirected to https://my.company.com/cas/login?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_spring_cas_security_check
- Once the browser arrives at CAS, the user is prompted for a user name and password. If the browser presents a session cookie showing that the user has already logged in, no prompt is shown. CAS uses its PasswordHandler (AuthenticationHandler in CAS 3.0) to decide whether the user name and password are valid.
- On success, CAS redirects the browser back to the application with a ticket parameter carrying the service ticket, for example https://server3.company.com/webapp/j_spring_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ
- Back in the web application, CasAuthenticationFilter listens for requests to /j_spring_cas_security_check (this is configurable; the default is used here). The filter builds an authentication request whose principal is CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER and whose credentials are the opaque service ticket value, and hands it to the configured AuthenticationManager.
- The AuthenticationManager implementation is ProviderManager, configured with CasAuthenticationProvider. CasAuthenticationProvider responds only to authentication requests carrying the CAS-specific principal (such as CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER) and to CasAuthenticationTokens.
- CasAuthenticationProvider validates the service ticket through a TicketValidator implementation, typically Cas20ServiceTicketValidator from the CAS client library (applications that need to validate proxy tickets use a different TicketValidator). The TicketValidator sends an HTTPS request to the CAS server to validate the service ticket; it may also include a proxy callback URL, as in this example: https://my.company.com/cas/proxyValidate?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_spring_cas_security_check&ticket=ST-0-ER94xMJmn6pha35CQRoZ&pgtUrl=https://server3.company.com/webapp/j_spring_cas_security_proxyreceptor
- On the CAS server, the validation request is received. If the presented service ticket matches the service URL it was issued for, CAS returns an affirmative XML response naming the user. If any proxies were involved in the authentication, the XML response also lists them.
- Cas20TicketValidator parses the XML received from the CAS server and returns to CasAuthenticationProvider a TicketResponse containing the user name and the list of proxies.
- Next, CasAuthenticationProvider calls the configured CasProxyDecider, which indicates whether the proxy list in the TicketResponse is acceptable to the service. Spring Security provides several implementations: RejectProxyTickets, AcceptAnyCasProxy and NamedCasProxyDecider. The names are largely self-explanatory, except that NamedCasProxyDecider takes a list of trusted proxies.
- CasAuthenticationProvider then asks an AuthenticationUserDetailsService to load the GrantedAuthority objects for the user named in the Assertion.
- If there were no problems, CasAuthenticationProvider builds a CasAuthenticationToken from the details in the TicketResponse and the GrantedAuthority objects.
- Control returns to CasAuthenticationFilter, which places the CasAuthenticationToken in the security context.
- The user's browser is redirected to the original page that caused the AuthenticationException (or to a custom destination, depending on configuration).
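The exchange described above, modelled in Python as an added example (not Spring Security's or the CAS client's own code): the entry-point redirect, the back-channel validation URL, parsing of the CAS 2.0 XML response into user name and proxy list, and a trusted-proxy check in the spirit of NamedCasProxyDecider. The sample XML responses and the portal.company.com proxy are constructed, and the "every proxy in the chain must be trusted" rule is an assumption about the policy, not Spring's implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses

def login_redirect_url(cas_login_url, service_url):
    """Redirect built by the entry point; 'service' is the application callback."""
    return cas_login_url + "?" + urlencode({"service": service_url})

def validate_request_url(cas_server, service_url, ticket, pgt_url=None):
    """Back-channel validation request as in the page's example (/proxyValidate);
    pgtUrl additionally asks CAS for a proxy-granting ticket."""
    params = {"service": service_url, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return cas_server + "/proxyValidate?" + urlencode(params)

def parse_cas20_response(xml_text):
    """Return user name and proxy chain, or raise on authenticationFailure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "UNKNOWN"
        raise ValueError("ticket validation failed: " + code)
    user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    proxies = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    return {"user": user, "proxies": proxies}

def proxy_chain_trusted(proxies, trusted):
    """Assumed strict named-proxy policy: a plain service ticket has no proxies
    and passes; a proxied ticket passes only if every proxy is on the trusted list."""
    return all(p in trusted for p in proxies)

# Constructed sample responses, not captured from a real CAS server.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.company.com/webapp/j_spring_cas_security_proxyreceptor</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0-ER94xMJmn6pha35CQRoZ not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```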
Spring Security and CAS configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Unauthenticated requests are sent to the CAS entry point; only ROLE_USER may reach protected URLs -->
    <security:http entry-point-ref="casProcessingFilterEntryPoint" use-expressions="true" access-denied-page="/errors/403">
        <security:intercept-url pattern="/resources/**" filters="none"/>
        <security:intercept-url pattern="/api/**" filters="none"/>
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:logout logout-success-url="${cas.auth.server}/logout?service=${cas.local.server}"/>
        <security:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
            <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
                <property name="allowSessionCreation" value="false"/>
            </bean>
        </property>
    </bean>

    <!-- Receives the service ticket on /j_spring_cas_security_check and hands it to the AuthenticationManager -->
    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/errors/403"/>
            </bean>
        </property>
        <property name="authenticationSuccessHandler">
            <bean class="com.baidu.issue.internal.security.login.SimpleLoginSuccessHandler">
                <property name="defaultTargetUrl" value="/"/>
            </bean>
        </property>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
        <property name="proxyReceptorUrl" value="/secure/receptor"/>
    </bean>

    <!-- Redirects the browser to ${cas.auth.server}/login?service=... -->
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="${cas.auth.server}/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Validates the ticket against the CAS server and loads the user's authorities -->
    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" autowire="byType">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="${cas.auth.server}"/>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
                <property name="proxyCallbackUrl" value="${cas.local.server}/secure/receptor"/>
            </bean>
        </property>
        <property name="key" value="Will_project"/>
    </bean>

    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <!-- The service URL CAS issues tickets for; must match the callback the filter listens on -->
    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="${cas.local.server}/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>
</beans>
This article is from the "Landed Transit Bird" blog; please keep this source: http://fivedong.blog.51cto.com/1711530/1565676